Unverified Commit e70034e6 authored by Sofia Celi

Stripping away some definitions actually on the template as they seem to be working

parent f94244b0
......@@ -53,9 +53,10 @@ const gf RISTRETTO_FACTOR = {{{
0x42ef0f45572736, 0x7bf6aa20ce5296, 0xf4fd6eded26033, 0x968c14ba839a66, 0xb8d54b64a2d780, 0x6aa0a1f1a7b8a5, 0x683bf68d722fa2, 0x22d962fbeb24f7
}}};
/* probably the imagine twist is also not needed */
#define TWISTED_D ((EDWARDS_D)-1)
/* TODO: probably refactor this */
/* check this too */
#if TWISTED_D < 0
#define EFF_D (-(TWISTED_D))
#define NEG_D 1
......@@ -124,7 +125,7 @@ void API_NS(deisogenize) (
mask_t toggle_altx,
mask_t toggle_rotation
) {
#if COFACTOR == 4
#if COFACTOR == 4 && !IMAGINE_TWIST
(void)toggle_rotation; /* Only applies to cofactor 8 */
gf t1;
gf_s *t2 = s, *t3=inv_el_sum, *t4=inv_el_m1;
......@@ -151,7 +152,7 @@ void API_NS(deisogenize) (
gf_cond_neg(inv_el_m1,~lobs^negx^toggle_s);
gf_add(inv_el_m1,inv_el_m1,p->t);
#else
#error "Cofactor must be 4"
#error "Cofactor must be 4 (with no IMAGINE_TWIST)"
#endif
}
......@@ -679,7 +680,7 @@ decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
#if (COFACTOR == 8) && IMAGINE_TWIST
gf_mul ( a, p->y, q->y );
gf_mul ( b, q->x, p->x );
/* TODO: check this with Hamburg as it seems unreachable */
/* this is a very odd case to check */
#if !(IMAGINE_TWIST)
gf_sub ( a, ZERO, a );
#else
......@@ -731,7 +732,6 @@ void API_NS(point_debugging_pscale) (
const uint8_t factor[SER_BYTES]
) {
gf gfac,tmp;
/* NB this means you'll never pscale by negative numbers for p521 */
ignore_result(gf_deserialize(gfac,factor,0,0));
gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO));
gf_mul(tmp,p->x,gfac);
......@@ -979,12 +979,8 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
gf_mul ( u, z, t );
gf_copy( z, u );
gf_mul ( u, x, RISTRETTO_FACTOR );
#if IMAGINE_TWIST
gf_mul_i( x, u );
#else
#error "... probably wrong"
gf_copy( x, u );
#endif
decaf_bzero(u,sizeof(u));
}
#else
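Review bot: The `#error "... probably wrong"` directive in point_mul_by_ratio_and_encode_like_eddsa looks like it outlives the `#if IMAGINE_TWIST` scaffold that used to confine it to the untwisted `#else` arm — the hunk header (12 old lines, 8 new) is consistent with exactly `#error` and `gf_copy( x, u );` surviving, though the rendered page shows no markers, so please confirm which lines remain. If the directive does survive, any configuration that ever compiles this branch (which begins outside the hunk) stops at preprocessing with a message that names no condition; either delete it together with the scaffold or reword it to state the unsupported configuration explicitly. The same hunk recurs in the template at `@@ -998,22 +968,10 @@`. Separately, with `#error "Cofactor must be 4"` enforced in deisogenize above, the `#if (COFACTOR == 8) && IMAGINE_TWIST` block in point_eq is unreachable in this file, so the new `/* TODO: check this with Hamburg as it seems unreachable */` would be better replaced by removing that block.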
......
......@@ -60,14 +60,14 @@ static void field_print(const gf f) {
int main(int argc, char **argv) {
(void)argc; (void)argv;
API_NS(point_t) real_point_base;
int ret = API_NS(point_decode)(real_point_base,base_point_ser_for_pregen,0);
if (ret != DECAF_SUCCESS) {
fprintf(stderr, "Can't decode base point!\n");
return 1;
}
API_NS(precomputed_s) *pre;
ret = posix_memalign((void**)&pre, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_s));
if (ret || !pre) {
......@@ -75,7 +75,7 @@ int main(int argc, char **argv) {
return 1;
}
API_NS(precompute)(pre, real_point_base);
struct niels_s *pre_wnaf;
ret = posix_memalign((void**)&pre_wnaf, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_wnafs));
if (ret || !pre_wnaf) {
......@@ -86,12 +86,12 @@ int main(int argc, char **argv) {
const gf_s *output;
unsigned i;
printf("/** @warning: this file was automatically generated. */\n");
printf("#include \"field.h\"\n\n");
printf("#include <decaf.h>\n\n");
printf("#define API_NS(_id) decaf_448_##_id\n");
output = (const gf_s *)real_point_base;
printf("const API_NS(point_t) API_NS(point_base) = {{\n");
for (i=0; i < sizeof(API_NS(point_t)); i+=sizeof(gf)) {
......@@ -99,20 +99,20 @@ int main(int argc, char **argv) {
field_print(output++);
}
printf("\n}};\n");
output = (const gf_s *)pre;
printf("const gf API_NS(precomputed_base_as_fe)[%d]\n",
printf("const gf API_NS(precomputed_base_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_s) / sizeof(gf)));
printf("VECTOR_ALIGNED __attribute__((visibility(\"hidden\"))) = {\n ");
for (i=0; i < API_NS(sizeof_precomputed_s); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
output = (const gf_s *)pre_wnaf;
printf("const gf API_NS(precomputed_wnaf_as_fe)[%d]\n",
printf("const gf API_NS(precomputed_wnaf_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_wnafs) / sizeof(gf)));
printf("VECTOR_ALIGNED __attribute__((visibility(\"hidden\"))) = {\n ");
for (i=0; i < API_NS(sizeof_precomputed_wnafs); i+=sizeof(gf)) {
......@@ -120,6 +120,6 @@ int main(int argc, char **argv) {
field_print(output++);
}
printf("\n};\n");
return 0;
}
......@@ -18,9 +18,10 @@
/* Template stuff */
#define API_NS(_id) decaf_448_##_id
#define point_t API_NS(point_t)
#define IMAGINE_TWIST 0
#define COFACTOR 4
static const int EDWARDS_D = -39081;
/* This is prob also not needed */
#define RISTRETTO_FACTOR DECAF_448_RISTRETTO_FACTOR
extern const gf RISTRETTO_FACTOR;
......@@ -75,6 +76,7 @@ void API_NS(point_from_hash_nonuniform) (
gf_mul(b,c,N);
gf_cond_neg(b,square);
gf_sub(b,b,ONE);
gf_sqr(c,a); /* s^2 */
gf_add(a,a,a); /* 2s */
gf_add(e,c,ONE);
......@@ -123,8 +125,13 @@ API_NS(invert_elligator_nonuniform) (
API_NS(deisogenize)(a,b,c,p,sgn_s,sgn_altx,sgn_ed_T);
mask_t is_identity = gf_eq(p->t,ZERO);
#if COFACTOR==4
gf_cond_sel(b,b,ONE,is_identity & sgn_altx);
gf_cond_sel(c,c,ONE,is_identity & sgn_s &~ sgn_altx);
#else
#error "Different special-casing goes here!"
#endif
gf_mulw(a,b,EDWARDS_D-1);
gf_add(b,a,b);
gf_sub(a,a,c);
......@@ -135,10 +142,19 @@ API_NS(invert_elligator_nonuniform) (
mask_t succ = gf_isr(c,b);
succ |= gf_eq(b,ZERO);
gf_mul(b,c,a);
gf_cond_neg(b, sgn_r0^gf_lobit(b));
/* Eliminate duplicate values for identity ... */
succ &= ~(gf_eq(b,ZERO) & (sgn_r0 | sgn_s));
gf_serialize(recovered_hash,b,1);
// #if COFACTOR == 8
// succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */
// #endif
#if 448 == 8*SER_BYTES + 1 /* p521 */
gf_serialize(recovered_hash,b,0);
#else
gf_serialize(recovered_hash,b,1);
#endif
#if 0
recovered_hash[SER_BYTES-1] ^= (hint>>3)<<0;
#endif
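Review bot: In invert_elligator_nonuniform the guard `#if 448 == 8*SER_BYTES + 1 /* p521 */` can never hold — `8*SER_BYTES + 1` is odd for every integer SER_BYTES while 448 is even — so the `gf_serialize(recovered_hash,b,0);` arm is dead and only `gf_serialize(recovered_hash,b,1);` is ever compiled. The `#if 0` block that xors `hint` into the last output byte and the `//`-commented `#if COFACTOR == 8` lines are likewise dead text in the routine that writes the recovered hash; I would collapse the block to the single `gf_serialize(recovered_hash,b,1);` and drop both fragments, keeping at most a one-line comment on why the p521 case is excluded. I cannot tell from the rendered page which of these lines are added and which merely survive, but none of them belongs on the new side of a file that its `API_NS` definition fixes to `decaf_448`. The function begins before the hunk.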
......
......@@ -96,6 +96,9 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint
#include "f_impl.h" /* Bring in the inline implementations */
#define P_MOD_8 7
#if P_MOD_8 == 5
extern const gf SQRT_MINUS_ONE;
#endif
#ifndef LIMBPERM
#define LIMBPERM(i) (i)
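Review bot: `#define P_MOD_8 7` immediately followed by `#if P_MOD_8 == 5` makes the `extern const gf SQRT_MINUS_ONE;` declaration unreachable by construction, so the conditional documents nothing and quietly leaves this field with no square root of -1 declared. If the value is fixed for this field, drop the `#if` block and say so in a comment such as `/* p == 7 mod 8 for this field: no SQRT_MINUS_ONE */`; if it is meant to be configurable, derive it from the field's own parameters rather than a literal in a header, and guard the definition with `#ifndef P_MOD_8` so a build that already supplies it does not hit a redefinition. The rendered page does not show which of the `#define` and the `#if` block is the added text, so this is inferred from the header's +3 count.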
......
......@@ -43,12 +43,9 @@ const gf RISTRETTO_FACTOR = {{{
}}};
/* probably the imagine twist is also not needed */
#if IMAGINE_TWIST
#define TWISTED_D (-(EDWARDS_D))
#else
#define TWISTED_D ((EDWARDS_D)-1)
#endif
/* check this too */
#if TWISTED_D < 0
#define EFF_D (-(TWISTED_D))
#define NEG_D 1
......@@ -59,28 +56,10 @@ const gf RISTRETTO_FACTOR = {{{
/* End of template stuff */
/* Sanity */
#if (COFACTOR == 8) && !IMAGINE_TWIST && !UNSAFE_CURVE_HAS_POINTS_AT_INFINITY
/* FUTURE MAGIC: Curve41417 doesn't have these properties. */
#error "Currently require IMAGINE_TWIST (and thus p=5 mod 8) for cofactor 8"
/* OK, but why?
* Two reasons: #1: There are bugs when COFACTOR == && IMAGINE_TWIST
# #2:
*/
#endif
#if IMAGINE_TWIST && (P_MOD_8 != 5)
#error "Cannot use IMAGINE_TWIST except for p == 5 mod 8"
#endif
#if (COFACTOR != 4)
#error "COFACTOR must be 4"
#endif
#if IMAGINE_TWIST
extern const gf SQRT_MINUS_ONE;
#endif
#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
extern const point_t API_NS(point_base);
......@@ -185,9 +164,6 @@ decaf_error_t API_NS(point_decode) (
succ &= ~gf_lobit(s);
gf_sqr(s2,s); /* s^2 = -as^2 */
#if IMAGINE_TWIST
gf_sub(s2,ZERO,s2); /* -as^2 */
#endif
gf_sub(den,ONE,s2); /* 1+as^2 */
gf_add(ynum,ONE,s2); /* 1-as^2 */
gf_mulw(num,s2,-4*TWISTED_D);
......@@ -203,12 +179,6 @@ decaf_error_t API_NS(point_decode) (
gf_mul(p->x,tmp,num); /* 2*s*isr^2*den*num */
gf_mul(tmp,tmp2,RISTRETTO_FACTOR); /* 2*s*isr*den*magic */
gf_cond_neg(p->x,gf_lobit(tmp)); /* flip x */
#if IMAGINE_TWIST
gf_copy(tmp,p->x);
gf_mul_i(p->x,tmp);
#endif
/* Fill in z and t */
gf_copy(p->z,ONE);
gf_mul(p->t,p->x,p->y);
......@@ -699,6 +669,7 @@ decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
#if (COFACTOR == 8) && IMAGINE_TWIST
gf_mul ( a, p->y, q->y );
gf_mul ( b, q->x, p->x );
/* this is a very odd case to check */
#if !(IMAGINE_TWIST)
gf_sub ( a, ZERO, a );
#else
......@@ -750,7 +721,6 @@ void API_NS(point_debugging_pscale) (
const uint8_t factor[SER_BYTES]
) {
gf gfac,tmp;
/* NB this means you'll never pscale by negative numbers for p521 */
ignore_result(gf_deserialize(gfac,factor,0,0));
gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO));
gf_mul(tmp,p->x,gfac);
......@@ -998,22 +968,10 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
gf_mul ( u, z, t );
gf_copy( z, u );
gf_mul ( u, x, RISTRETTO_FACTOR );
#if IMAGINE_TWIST
gf_mul_i( x, u );
#else
#error "... probably wrong"
gf_copy( x, u );
#endif
decaf_bzero(u,sizeof(u));
}
#elif IMAGINE_TWIST
{
API_NS(point_double)(q,q);
API_NS(point_double)(q,q);
gf_mul_i(x, q->x);
gf_copy(y, q->y);
gf_copy(z, q->z);
}
#else
{
/* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
......@@ -1119,12 +1077,6 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
decaf_bzero(c,sizeof(c));
decaf_bzero(d,sizeof(d));
}
#elif IMAGINE_TWIST
{
gf_mul(p->t,p->x,SQRT_MINUS_ONE);
gf_copy(p->x,p->t);
gf_mul(p->t,p->x,p->y);
}
#else
{
/* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */
......@@ -1280,9 +1232,6 @@ void API_NS(point_mul_by_ratio_and_encode_like_x448) (
gf_invert(q->t,q->x,0); /* 1/x */
gf_mul(q->z,q->t,q->y); /* y/x */
gf_sqr(q->y,q->z); /* (y/x)^2 */
#if IMAGINE_TWIST
gf_sub(q->y,ZERO,q->y);
#endif
gf_serialize(out,q->y,1);
API_NS(point_destroy(q));
}
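Review bot: In point_decode the comments on the new side no longer match the arithmetic: with the `#if IMAGINE_TWIST` negation gone, `gf_sqr(s2,s)` leaves `s2 = s^2`, `gf_sub(den,ONE,s2)` computes `1-s^2` and `gf_add(ynum,ONE,s2)` computes `1+s^2`, yet the trailing comments still read `s^2 = -as^2`, `1+as^2` and `1-as^2` from the twisted form. Since this is the routine that turns serialized input into a point, I would correct them to `/* s^2 */`, `/* 1-s^2 */` and `/* 1+s^2 */` so a later reader does not reintroduce the sign flip; point_decode begins and ends outside the hunk. The `x` fix-up at `@@ -203,12 +179,6 @@` drops its `#if IMAGINE_TWIST` block but keeps `/* flip x */` on `gf_cond_neg`, which still reads correctly, so only the three comments above need attention.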
......
......@@ -49,14 +49,14 @@ static void field_print(const gf f) {
int main(int argc, char **argv) {
(void)argc; (void)argv;
API_NS(point_t) real_point_base;
int ret = API_NS(point_decode)(real_point_base,base_point_ser_for_pregen,0);
if (ret != DECAF_SUCCESS) {
fprintf(stderr, "Can't decode base point!\n");
return 1;
}
API_NS(precomputed_s) *pre;
ret = posix_memalign((void**)&pre, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_s));
if (ret || !pre) {
......@@ -64,7 +64,7 @@ int main(int argc, char **argv) {
return 1;
}
API_NS(precompute)(pre, real_point_base);
struct niels_s *pre_wnaf;
ret = posix_memalign((void**)&pre_wnaf, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_wnafs));
if (ret || !pre_wnaf) {
......@@ -75,12 +75,12 @@ int main(int argc, char **argv) {
const gf_s *output;
unsigned i;
printf("/** @warning: this file was automatically generated. */\n");
printf("#include \"field.h\"\n\n");
printf("#include <decaf.h>\n\n");
printf("#define API_NS(_id) $(c_ns)_##_id\n");
output = (const gf_s *)real_point_base;
printf("const API_NS(point_t) API_NS(point_base) = {{\n");
for (i=0; i < sizeof(API_NS(point_t)); i+=sizeof(gf)) {
......@@ -88,20 +88,20 @@ int main(int argc, char **argv) {
field_print(output++);
}
printf("\n}};\n");
output = (const gf_s *)pre;
printf("const gf API_NS(precomputed_base_as_fe)[%d]\n",
printf("const gf API_NS(precomputed_base_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_s) / sizeof(gf)));
printf("VECTOR_ALIGNED __attribute__((visibility(\"hidden\"))) = {\n ");
for (i=0; i < API_NS(sizeof_precomputed_s); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
output = (const gf_s *)pre_wnaf;
printf("const gf API_NS(precomputed_wnaf_as_fe)[%d]\n",
printf("const gf API_NS(precomputed_wnaf_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_wnafs) / sizeof(gf)));
printf("VECTOR_ALIGNED __attribute__((visibility(\"hidden\"))) = {\n ");
for (i=0; i < API_NS(sizeof_precomputed_wnafs); i+=sizeof(gf)) {
......@@ -109,6 +109,6 @@ int main(int argc, char **argv) {
field_print(output++);
}
printf("\n};\n");
return 0;
}
......@@ -19,7 +19,6 @@
#define hash_hash decaf_$(eddsa_hash)_hash
#define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS
#define EDDSA_USE_SIGMA_ISOGENY $(eddsa_sigma_iso)
#define COFACTOR $(cofactor)
#define EDDSA_PREHASH_BYTES 64
......
......@@ -66,12 +66,6 @@ void API_NS(point_from_hash_nonuniform) (
gf_cond_neg(b,square);
gf_sub(b,b,ONE);
/* isogenize */
#if IMAGINE_TWIST
gf_mul(c,a,SQRT_MINUS_ONE);
gf_copy(a,c);
#endif
gf_sqr(c,a); /* s^2 */
gf_add(a,a,a); /* 2s */
gf_add(e,c,ONE);
......@@ -127,11 +121,7 @@ API_NS(invert_elligator_nonuniform) (
#error "Different special-casing goes here!"
#endif
#if IMAGINE_TWIST
gf_mulw(a,b,-EDWARDS_D);
#else
gf_mulw(a,b,EDWARDS_D-1);
#endif
gf_add(b,a,b);
gf_sub(a,a,c);
gf_add(b,b,c);
......@@ -142,11 +132,6 @@ API_NS(invert_elligator_nonuniform) (
succ |= gf_eq(b,ZERO);
gf_mul(b,c,a);
#if $(gf_bits) == 8*SER_BYTES + 1 /* p521. */
#error "this won't work because it needs to adjust high bit, not low bit"
sgn_r0 = 0;
#endif
gf_cond_neg(b, sgn_r0^gf_lobit(b));
/* Eliminate duplicate values for identity ... */
succ &= ~(gf_eq(b,ZERO) & (sgn_r0 | sgn_s));
......
......@@ -41,7 +41,7 @@ static DECAF_NOINLINE void sc_subx(
chain >>= WBITS;
}
decaf_word_t borrow = chain+extra; /* = 0 or -1 */
chain = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
......@@ -58,11 +58,11 @@ static DECAF_NOINLINE void sc_montmul (
unsigned int i,j;
decaf_word_t accum[SCALAR_LIMBS+1] = {0};
decaf_word_t hi_carry = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
decaf_word_t mand = a->limb[i];
const decaf_word_t *mier = b->limb;
decaf_dword_t chain = 0;
for (j=0; j<SCALAR_LIMBS; j++) {
chain += ((decaf_dword_t)mand)*mier[j] + accum[j];
......@@ -70,7 +70,7 @@ static DECAF_NOINLINE void sc_montmul (
chain >>= WBITS;
}
accum[j] = chain;
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
......@@ -84,7 +84,7 @@ static DECAF_NOINLINE void sc_montmul (
accum[j-1] = chain;
hi_carry = chain >> WBITS;
}
sc_subx(out, accum, sc_p, sc_p, hi_carry);
}
......@@ -121,26 +121,26 @@ decaf_error_t API_NS(scalar_invert) (
for (i=1; i<=LAST; i++) {
sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);
}
/* Sliding window */
unsigned residue = 0, trailing = 0, started = 0;
for (i=SCALAR_BITS-1; i>=-SCALAR_WINDOW_BITS; i--) {
if (started) sc_montsqr(out,out);
decaf_word_t w = (i>=0) ? sc_p->limb[i/WBITS] : 0;
if (i >= 0 && i<WBITS) {
assert(w >= 2);
w-=2;
}
residue = (residue<<1) | ((w>>(i%WBITS))&1);
if (residue>>SCALAR_WINDOW_BITS != 0) {
assert(trailing == 0);
trailing = residue;
residue = 0;
}
if (trailing > 0 && (trailing & ((1<<SCALAR_WINDOW_BITS)-1)) == 0) {
if (started) {
sc_montmul(out,out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
......@@ -151,11 +151,11 @@ decaf_error_t API_NS(scalar_invert) (
trailing = 0;
}
trailing <<= 1;
}
assert(residue==0);
assert(trailing==0);
/* Demontgomerize */
sc_montmul(out,out,API_NS(scalar_one));
decaf_bzero(precmp, sizeof(precmp));
......@@ -239,9 +239,9 @@ decaf_error_t API_NS(scalar_decode)(
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
}
/* Here accum == 0 or -1 */
API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */
return decaf_succeed_if(~word_is_zero(accum));
}
......@@ -260,13 +260,13 @@ void API_NS(scalar_decode_long)(
API_NS(scalar_copy)(s, API_NS(scalar_zero));
return;
}
size_t i;
scalar_t t1, t2;
i = ser_len - (ser_len%SCALAR_SER_BYTES);
if (i==ser_len) i -= SCALAR_SER_BYTES;
scalar_decode_short(t1, &ser[i], ser_len-i);
if (ser_len == sizeof(scalar_t)) {
......