Unverified Commit c5e11baf authored by Sofia Celi's avatar Sofia Celi

Get rid of EDDSA_USE_SIGMA_ISOGENY cases

parent 41d94646
......@@ -952,56 +952,23 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
gf x, y, z, t;
point_t q;
API_NS(point_copy)(q,p);
/* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
gf u;
gf_sqr ( x, q->x );
gf_sqr ( t, q->y );
gf_add( u, x, t );
gf_add( z, q->y, q->x );
gf_sqr ( y, z);
gf_sub ( y, y, u );
gf_sub ( z, t, x );
gf_sqr ( x, q->z );
gf_add ( t, x, x);
gf_sub ( t, t, z);
gf_mul ( x, t, y );
gf_mul ( y, z, u );
gf_mul ( z, u, t );
decaf_bzero(u,sizeof(u));
#if EDDSA_USE_SIGMA_ISOGENY
{
/* Use 4-isogeny like ed25519:
* 2*x*y*sqrt(d/a-1)/(ax^2 + y^2 - 2)
* (y^2 - ax^2)/(y^2 + ax^2)
* with a = -1, d = -EDWARDS_D:
* -2xysqrt(EDWARDS_D-1)/(2z^2-y^2+x^2)
* (y^2+x^2)/(y^2-x^2)
*/
gf u;
gf_sqr ( x, q->x ); // x^2
gf_sqr ( t, q->y ); // y^2
gf_add( u, x, t ); // x^2 + y^2
gf_add( z, q->y, q->x );
gf_sqr ( y, z);
gf_sub ( y, u, y ); // -2xy
gf_sub ( z, t, x ); // y^2 - x^2
gf_sqr ( x, q->z );
gf_add ( t, x, x);
gf_sub ( t, t, z); // 2z^2 - y^2 + x^2
gf_mul ( x, y, z ); // 2xy(y^2-x^2)
gf_mul ( y, u, t ); // (x^2+y^2)(2z^2-y^2+x^2)
gf_mul ( u, z, t );
gf_copy( z, u );
gf_mul ( u, x, RISTRETTO_FACTOR );
#error "... probably wrong"
gf_copy( x, u );
decaf_bzero(u,sizeof(u));
}
#else
{
/* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
gf u;
gf_sqr ( x, q->x );
gf_sqr ( t, q->y );
gf_add( u, x, t );
gf_add( z, q->y, q->x );
gf_sqr ( y, z);
gf_sub ( y, y, u );
gf_sub ( z, t, x );
gf_sqr ( x, q->z );
gf_add ( t, x, x);
gf_sub ( t, t, z);
gf_mul ( x, t, y );
gf_mul ( y, z, u );
gf_mul ( z, u, t );
decaf_bzero(u,sizeof(u));
}
#endif
/* Affinize */
gf_invert(z,z,1);
gf_mul(t,x,z);
......@@ -1031,19 +998,14 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] &= ~0x80;
mask_t succ = gf_deserialize(p->y, enc2, 1, 0);
/* actually the case on 448 */
#if 0 == 0
succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1]);
#endif
gf_sqr(p->x,p->y);
gf_sub(p->z,ONE,p->x); /* num = 1-y^2 */
#if EDDSA_USE_SIGMA_ISOGENY
gf_mulw(p->t,p->z,EDWARDS_D); /* d-dy^2 */
gf_mulw(p->x,p->z,EDWARDS_D-1); /* num = (1-y^2)(d-1) */
gf_copy(p->z,p->x);
#else
gf_mulw(p->t,p->x,EDWARDS_D); /* dy^2 */
#endif
gf_mulw(p->t,p->x,EDWARDS_D); /* dy^2 */
gf_sub(p->t,ONE,p->t); /* denom = 1-dy^2 or 1-d + dy^2 */
gf_mul(p->x,p->z,p->t);
......@@ -1053,64 +1015,26 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
gf_cond_neg(p->x,gf_lobit(p->x)^low);
gf_copy(p->z,ONE);
#if EDDSA_USE_SIGMA_ISOGENY
{
/* Use 4-isogeny like ed25519:
* 2*x*y/sqrt(1-d/a)/(ax^2 + y^2 - 2)
* (y^2 - ax^2)/(y^2 + ax^2)
* (MAGIC: above formula may be off by a factor of -a
* or something somewhere; check it for other a)
*
* with a = -1, d = -EDWARDS_D:
* -2xy/sqrt(1-EDWARDS_D)/(2z^2-y^2+x^2)
* (y^2+x^2)/(y^2-x^2)
*/
gf a, b, c, d;
gf_sqr ( c, p->x );
gf_sqr ( a, p->y );
gf_add ( d, c, a ); // x^2 + y^2
gf_add ( p->t, p->y, p->x );
gf_sqr ( b, p->t );
gf_sub ( b, b, d ); // 2xy
gf_sub ( p->t, a, c ); // y^2 - x^2
gf_sqr ( p->x, p->z );
gf_add ( p->z, p->x, p->x );
gf_sub ( c, p->z, p->t ); // 2z^2 - y^2 + x^2
gf_div_i ( a, c );
gf_mul ( c, a, RISTRETTO_FACTOR );
gf_mul ( p->x, b, p->t); // (2xy)(y^2-x^2)
gf_mul ( p->z, p->t, c ); // (y^2-x^2)sd(2z^2 - y^2 + x^2)
gf_mul ( p->y, d, c ); // (y^2+x^2)sd(2z^2 - y^2 + x^2)
gf_mul ( p->t, d, b );
decaf_bzero(a,sizeof(a));
decaf_bzero(b,sizeof(b));
decaf_bzero(c,sizeof(c));
decaf_bzero(d,sizeof(d));
}
#else
{
/* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */
gf a, b, c, d;
gf_sqr ( c, p->x );
gf_sqr ( a, p->y );
gf_add ( d, c, a );
gf_add ( p->t, p->y, p->x );
gf_sqr ( b, p->t );
gf_sub ( b, b, d );
gf_sub ( p->t, a, c );
gf_sqr ( p->x, p->z );
gf_add ( p->z, p->x, p->x );
gf_sub ( a, p->z, d );
gf_mul ( p->x, a, b );
gf_mul ( p->z, p->t, a );
gf_mul ( p->y, p->t, d );
gf_mul ( p->t, b, d );
decaf_bzero(a,sizeof(a));
decaf_bzero(b,sizeof(b));
decaf_bzero(c,sizeof(c));
decaf_bzero(d,sizeof(d));
}
#endif
/* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */
gf a, b, c, d;
gf_sqr ( c, p->x );
gf_sqr ( a, p->y );
gf_add ( d, c, a );
gf_add ( p->t, p->y, p->x );
gf_sqr ( b, p->t );
gf_sub ( b, b, d );
gf_sub ( p->t, a, c );
gf_sqr ( p->x, p->z );
gf_add ( p->z, p->x, p->x );
gf_sub ( a, p->z, d );
gf_mul ( p->x, a, b );
gf_mul ( p->z, p->t, a );
gf_mul ( p->y, p->t, d );
gf_mul ( p->t, b, d );
decaf_bzero(a,sizeof(a));
decaf_bzero(b,sizeof(b));
decaf_bzero(c,sizeof(c));
decaf_bzero(d,sizeof(d));
decaf_bzero(enc2,sizeof(enc2));
assert(API_NS(point_valid)(p) || ~succ);
......@@ -1198,32 +1122,21 @@ void decaf_ed448_convert_public_key_to_x448 (
const uint8_t mask = (uint8_t)(0xFE<<(7));
ignore_result(gf_deserialize(y, ed, 1, mask));
{
gf n,d;
#if EDDSA_USE_SIGMA_ISOGENY
/* u = (1+y)/(1-y)*/
gf_add(n, y, ONE); /* n = y+1 */
gf_sub(d, ONE, y); /* d = 1-y */
gf_invert(d, d, 0); /* d = 1/(1-y) */
gf_mul(y, n, d); /* u = (y+1)/(1-y) */
gf_serialize(x,y,1);
#else /* EDDSA_USE_SIGMA_ISOGENY */
/* u = y^2 * (1-dy^2) / (1-y^2) */
gf_sqr(n,y); /* y^2*/
gf_sub(d,ONE,n); /* 1-y^2*/
gf_invert(d,d,0); /* 1/(1-y^2)*/
gf_mul(y,n,d); /* y^2 / (1-y^2) */
gf_mulw(d,n,EDWARDS_D); /* dy^2*/
gf_sub(d, ONE, d); /* 1-dy^2*/
gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
gf_serialize(x,n,1);
#endif /* EDDSA_USE_SIGMA_ISOGENY */
decaf_bzero(y,sizeof(y));
decaf_bzero(n,sizeof(n));
decaf_bzero(d,sizeof(d));
}
gf n,d;
/* u = y^2 * (1-dy^2) / (1-y^2) */
gf_sqr(n,y); /* y^2*/
gf_sub(d,ONE,n); /* 1-y^2*/
gf_invert(d,d,0); /* 1/(1-y^2)*/
gf_mul(y,n,d); /* y^2 / (1-y^2) */
gf_mulw(d,n,EDWARDS_D); /* dy^2*/
gf_sub(d, ONE, d); /* 1-dy^2*/
gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
gf_serialize(x,n,1);
decaf_bzero(y,sizeof(y));
decaf_bzero(n,sizeof(n));
decaf_bzero(d,sizeof(d));
}
void decaf_x448_generate_key (
......
......@@ -941,56 +941,23 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
gf x, y, z, t;
point_t q;
API_NS(point_copy)(q,p);
/* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
gf u;
gf_sqr ( x, q->x );
gf_sqr ( t, q->y );
gf_add( u, x, t );
gf_add( z, q->y, q->x );
gf_sqr ( y, z);
gf_sub ( y, y, u );
gf_sub ( z, t, x );
gf_sqr ( x, q->z );
gf_add ( t, x, x);
gf_sub ( t, t, z);
gf_mul ( x, t, y );
gf_mul ( y, z, u );
gf_mul ( z, u, t );
decaf_bzero(u,sizeof(u));
#if EDDSA_USE_SIGMA_ISOGENY
{
/* Use 4-isogeny like ed25519:
* 2*x*y*sqrt(d/a-1)/(ax^2 + y^2 - 2)
* (y^2 - ax^2)/(y^2 + ax^2)
* with a = -1, d = -EDWARDS_D:
* -2xysqrt(EDWARDS_D-1)/(2z^2-y^2+x^2)
* (y^2+x^2)/(y^2-x^2)
*/
gf u;
gf_sqr ( x, q->x ); // x^2
gf_sqr ( t, q->y ); // y^2
gf_add( u, x, t ); // x^2 + y^2
gf_add( z, q->y, q->x );
gf_sqr ( y, z);
gf_sub ( y, u, y ); // -2xy
gf_sub ( z, t, x ); // y^2 - x^2
gf_sqr ( x, q->z );
gf_add ( t, x, x);
gf_sub ( t, t, z); // 2z^2 - y^2 + x^2
gf_mul ( x, y, z ); // 2xy(y^2-x^2)
gf_mul ( y, u, t ); // (x^2+y^2)(2z^2-y^2+x^2)
gf_mul ( u, z, t );
gf_copy( z, u );
gf_mul ( u, x, RISTRETTO_FACTOR );
#error "... probably wrong"
gf_copy( x, u );
decaf_bzero(u,sizeof(u));
}
#else
{
/* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
gf u;
gf_sqr ( x, q->x );
gf_sqr ( t, q->y );
gf_add( u, x, t );
gf_add( z, q->y, q->x );
gf_sqr ( y, z);
gf_sub ( y, y, u );
gf_sub ( z, t, x );
gf_sqr ( x, q->z );
gf_add ( t, x, x);
gf_sub ( t, t, z);
gf_mul ( x, t, y );
gf_mul ( y, z, u );
gf_mul ( z, u, t );
decaf_bzero(u,sizeof(u));
}
#endif
/* Affinize */
gf_invert(z,z,1);
gf_mul(t,x,z);
......@@ -1020,19 +987,14 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] &= ~0x80;
mask_t succ = gf_deserialize(p->y, enc2, 1, 0);
/* actually the case on 448 */
#if $(gf_bits % 8) == 0
succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1]);
#endif
gf_sqr(p->x,p->y);
gf_sub(p->z,ONE,p->x); /* num = 1-y^2 */
#if EDDSA_USE_SIGMA_ISOGENY
gf_mulw(p->t,p->z,EDWARDS_D); /* d-dy^2 */
gf_mulw(p->x,p->z,EDWARDS_D-1); /* num = (1-y^2)(d-1) */
gf_copy(p->z,p->x);
#else
gf_mulw(p->t,p->x,EDWARDS_D); /* dy^2 */
#endif
gf_mulw(p->t,p->x,EDWARDS_D); /* dy^2 */
gf_sub(p->t,ONE,p->t); /* denom = 1-dy^2 or 1-d + dy^2 */
gf_mul(p->x,p->z,p->t);
......@@ -1042,64 +1004,26 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
gf_cond_neg(p->x,gf_lobit(p->x)^low);
gf_copy(p->z,ONE);
#if EDDSA_USE_SIGMA_ISOGENY
{
/* Use 4-isogeny like ed25519:
* 2*x*y/sqrt(1-d/a)/(ax^2 + y^2 - 2)
* (y^2 - ax^2)/(y^2 + ax^2)
* (MAGIC: above formula may be off by a factor of -a
* or something somewhere; check it for other a)
*
* with a = -1, d = -EDWARDS_D:
* -2xy/sqrt(1-EDWARDS_D)/(2z^2-y^2+x^2)
* (y^2+x^2)/(y^2-x^2)
*/
gf a, b, c, d;
gf_sqr ( c, p->x );
gf_sqr ( a, p->y );
gf_add ( d, c, a ); // x^2 + y^2
gf_add ( p->t, p->y, p->x );
gf_sqr ( b, p->t );
gf_sub ( b, b, d ); // 2xy
gf_sub ( p->t, a, c ); // y^2 - x^2
gf_sqr ( p->x, p->z );
gf_add ( p->z, p->x, p->x );
gf_sub ( c, p->z, p->t ); // 2z^2 - y^2 + x^2
gf_div_i ( a, c );
gf_mul ( c, a, RISTRETTO_FACTOR );
gf_mul ( p->x, b, p->t); // (2xy)(y^2-x^2)
gf_mul ( p->z, p->t, c ); // (y^2-x^2)sd(2z^2 - y^2 + x^2)
gf_mul ( p->y, d, c ); // (y^2+x^2)sd(2z^2 - y^2 + x^2)
gf_mul ( p->t, d, b );
decaf_bzero(a,sizeof(a));
decaf_bzero(b,sizeof(b));
decaf_bzero(c,sizeof(c));
decaf_bzero(d,sizeof(d));
}
#else
{
/* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */
gf a, b, c, d;
gf_sqr ( c, p->x );
gf_sqr ( a, p->y );
gf_add ( d, c, a );
gf_add ( p->t, p->y, p->x );
gf_sqr ( b, p->t );
gf_sub ( b, b, d );
gf_sub ( p->t, a, c );
gf_sqr ( p->x, p->z );
gf_add ( p->z, p->x, p->x );
gf_sub ( a, p->z, d );
gf_mul ( p->x, a, b );
gf_mul ( p->z, p->t, a );
gf_mul ( p->y, p->t, d );
gf_mul ( p->t, b, d );
decaf_bzero(a,sizeof(a));
decaf_bzero(b,sizeof(b));
decaf_bzero(c,sizeof(c));
decaf_bzero(d,sizeof(d));
}
#endif
/* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */
gf a, b, c, d;
gf_sqr ( c, p->x );
gf_sqr ( a, p->y );
gf_add ( d, c, a );
gf_add ( p->t, p->y, p->x );
gf_sqr ( b, p->t );
gf_sub ( b, b, d );
gf_sub ( p->t, a, c );
gf_sqr ( p->x, p->z );
gf_add ( p->z, p->x, p->x );
gf_sub ( a, p->z, d );
gf_mul ( p->x, a, b );
gf_mul ( p->z, p->t, a );
gf_mul ( p->y, p->t, d );
gf_mul ( p->t, b, d );
decaf_bzero(a,sizeof(a));
decaf_bzero(b,sizeof(b));
decaf_bzero(c,sizeof(c));
decaf_bzero(d,sizeof(d));
decaf_bzero(enc2,sizeof(enc2));
assert(API_NS(point_valid)(p) || ~succ);
......@@ -1187,32 +1111,21 @@ void decaf_ed448_convert_public_key_to_x448 (
const uint8_t mask = (uint8_t)(0xFE<<($((gf_bits-1)%8)));
ignore_result(gf_deserialize(y, ed, 1, mask));
{
gf n,d;
#if EDDSA_USE_SIGMA_ISOGENY
/* u = (1+y)/(1-y)*/
gf_add(n, y, ONE); /* n = y+1 */
gf_sub(d, ONE, y); /* d = 1-y */
gf_invert(d, d, 0); /* d = 1/(1-y) */
gf_mul(y, n, d); /* u = (y+1)/(1-y) */
gf_serialize(x,y,1);
#else /* EDDSA_USE_SIGMA_ISOGENY */
/* u = y^2 * (1-dy^2) / (1-y^2) */
gf_sqr(n,y); /* y^2*/
gf_sub(d,ONE,n); /* 1-y^2*/
gf_invert(d,d,0); /* 1/(1-y^2)*/
gf_mul(y,n,d); /* y^2 / (1-y^2) */
gf_mulw(d,n,EDWARDS_D); /* dy^2*/
gf_sub(d, ONE, d); /* 1-dy^2*/
gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
gf_serialize(x,n,1);
#endif /* EDDSA_USE_SIGMA_ISOGENY */
decaf_bzero(y,sizeof(y));
decaf_bzero(n,sizeof(n));
decaf_bzero(d,sizeof(d));
}
gf n,d;
/* u = y^2 * (1-dy^2) / (1-y^2) */
gf_sqr(n,y); /* y^2*/
gf_sub(d,ONE,n); /* 1-y^2*/
gf_invert(d,d,0); /* 1/(1-y^2)*/
gf_mul(y,n,d); /* y^2 / (1-y^2) */
gf_mulw(d,n,EDWARDS_D); /* dy^2*/
gf_sub(d, ONE, d); /* 1-dy^2*/
gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
gf_serialize(x,n,1);
decaf_bzero(y,sizeof(y));
decaf_bzero(n,sizeof(n));
decaf_bzero(d,sizeof(d));
}
void decaf_x448_generate_key (
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment