* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
-#define _XOPEN_SOURCE 600 /* for posix_memalign */
#include <openssl/crypto.h>
#include "word.h"
#include "field.h"
#include "curve448_lcl.h"
/* Template stuff */
-#define API_NS(_id) decaf_448_##_id
#define SCALAR_BITS DECAF_448_SCALAR_BITS
#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
-#define scalar_t API_NS(scalar_t)
-#define point_t API_NS(point_t)
-#define precomputed_s API_NS(precomputed_s)
-#define IMAGINE_TWIST 0
+#define scalar_t curve448_scalar_t
+#define point_t curve448_point_t
+#define precomputed_s curve448_precomputed_s
#define COFACTOR 4
/* Comb config: number of combs, n, t, s. */
#define DECAF_WNAF_FIXED_TABLE_BITS 5
#define DECAF_WNAF_VAR_TABLE_BITS 3
-#define EDDSA_USE_SIGMA_ISOGENY 0
-
static const int EDWARDS_D = -39081;
static const scalar_t precomputed_scalarmul_adjustment = {{{
SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)
0x42ef0f45572736, 0x7bf6aa20ce5296, 0xf4fd6eded26033, 0x968c14ba839a66, 0xb8d54b64a2d780, 0x6aa0a1f1a7b8a5, 0x683bf68d722fa2, 0x22d962fbeb24f7
}}};
-#if IMAGINE_TWIST
-#define TWISTED_D (-(EDWARDS_D))
-#else
+
#define TWISTED_D ((EDWARDS_D)-1)
-#endif
-#if TWISTED_D < 0
#define EFF_D (-(TWISTED_D))
#define NEG_D 1
-#else
-#define EFF_D TWISTED_D
-#define NEG_D 0
-#endif
/* End of template stuff */
-/* Sanity */
-#if (COFACTOR == 8) && !IMAGINE_TWIST && !UNSAFE_CURVE_HAS_POINTS_AT_INFINITY
-/* FUTURE MAGIC: Curve41417 doesn't have these properties. */
-#error "Currently require IMAGINE_TWIST (and thus p=5 mod 8) for cofactor 8"
- /* OK, but why?
- * Two reasons: #1: There are bugs when COFACTOR == && IMAGINE_TWIST
- # #2:
- */
-#endif
-
-#if IMAGINE_TWIST && (P_MOD_8 != 5)
- #error "Cannot use IMAGINE_TWIST except for p == 5 mod 8"
-#endif
-
-#if (COFACTOR != 8) && (COFACTOR != 4)
- #error "COFACTOR must be 4 or 8"
-#endif
-
-#if IMAGINE_TWIST
- extern const gf SQRT_MINUS_ONE;
-#endif
-
#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
/* Projective Niels coordinates */
/* Precomputed base */
struct precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };
-extern const gf API_NS(precomputed_base_as_fe)[];
-const precomputed_s *API_NS(precomputed_base) =
- (const precomputed_s *) &API_NS(precomputed_base_as_fe);
+extern const gf curve448_precomputed_base_as_fe[];
+const precomputed_s *curve448_precomputed_base =
+ (const precomputed_s *) &curve448_precomputed_base_as_fe;
/** Inverse. */
static void
}
/** identity = (0,1) */
-const point_t API_NS(point_identity) = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
+const point_t curve448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
static DECAF_NOINLINE void
point_double_internal (
if (!before_double) gf_mul ( p->t, b, d );
}
-void API_NS(point_double)(point_t p, const point_t q) {
+void curve448_point_double(point_t p, const point_t q) {
point_double_internal(p,q,0);
}
sub_niels_from_pt( p, pn->n, before_double );
}
-decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
+decaf_bool_t curve448_point_eq ( const point_t p, const point_t q ) {
/* equality mod 2-torsion compares x/y */
gf a, b;
gf_mul ( a, p->y, q->x );
gf_mul ( b, q->y, p->x );
mask_t succ = gf_eq(a,b);
-
- #if (COFACTOR == 8) && IMAGINE_TWIST
- gf_mul ( a, p->y, q->y );
- gf_mul ( b, q->x, p->x );
- #if !(IMAGINE_TWIST)
- gf_sub ( a, ZERO, a );
- #else
- /* Interesting note: the 4tor would normally be rotation.
- * But because of the *i twist, it's actually
- * (x,y) <-> (iy,ix)
- */
-
- /* No code, just a comment. */
- #endif
- succ |= gf_eq(a,b);
- #endif
-
+
return mask_to_bool(succ);
}
-decaf_bool_t API_NS(point_valid) (
+decaf_bool_t curve448_point_valid (
const point_t p
) {
gf a,b,c;
constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx);
}
-void API_NS(precomputed_scalarmul) (
+void curve448_precomputed_scalarmul (
point_t out,
const precomputed_s *table,
const scalar_t scalar
const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
scalar_t scalar1x;
- API_NS(scalar_add)(scalar1x, scalar, precomputed_scalarmul_adjustment);
- API_NS(scalar_halve)(scalar1x,scalar1x);
+ curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment);
+ curve448_scalar_halve(scalar1x,scalar1x);
niels_t ni;
OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
}
-void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
+void curve448_point_mul_by_ratio_and_encode_like_eddsa (
uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
const point_t p
) {
/* The point is now on the twisted curve. Move it to untwisted. */
gf x, y, z, t;
point_t q;
-#if COFACTOR == 8
- API_NS(point_double)(q,p);
-#else
- API_NS(point_copy)(q,p);
-#endif
-
-#if EDDSA_USE_SIGMA_ISOGENY
- {
- /* Use 4-isogeny like ed25519:
- * 2*x*y*sqrt(d/a-1)/(ax^2 + y^2 - 2)
- * (y^2 - ax^2)/(y^2 + ax^2)
- * with a = -1, d = -EDWARDS_D:
- * -2xysqrt(EDWARDS_D-1)/(2z^2-y^2+x^2)
- * (y^2+x^2)/(y^2-x^2)
- */
- gf u;
- gf_sqr ( x, q->x ); // x^2
- gf_sqr ( t, q->y ); // y^2
- gf_add( u, x, t ); // x^2 + y^2
- gf_add( z, q->y, q->x );
- gf_sqr ( y, z);
- gf_sub ( y, u, y ); // -2xy
- gf_sub ( z, t, x ); // y^2 - x^2
- gf_sqr ( x, q->z );
- gf_add ( t, x, x);
- gf_sub ( t, t, z); // 2z^2 - y^2 + x^2
- gf_mul ( x, y, z ); // 2xy(y^2-x^2)
- gf_mul ( y, u, t ); // (x^2+y^2)(2z^2-y^2+x^2)
- gf_mul ( u, z, t );
- gf_copy( z, u );
- gf_mul ( u, x, RISTRETTO_FACTOR );
-#if IMAGINE_TWIST
- gf_mul_i( x, u );
-#else
-#error "... probably wrong"
- gf_copy( x, u );
-#endif
- OPENSSL_cleanse(u,sizeof(u));
- }
-#elif IMAGINE_TWIST
- {
- API_NS(point_double)(q,q);
- API_NS(point_double)(q,q);
- gf_mul_i(x, q->x);
- gf_copy(y, q->y);
- gf_copy(z, q->z);
- }
-#else
+ curve448_point_copy(q,p);
+
{
/* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
gf u;
gf_mul ( z, u, t );
OPENSSL_cleanse(u,sizeof(u));
}
-#endif
+
/* Affinize */
gf_invert(z,z,1);
gf_mul(t,x,z);
OPENSSL_cleanse(y,sizeof(y));
OPENSSL_cleanse(z,sizeof(z));
OPENSSL_cleanse(t,sizeof(t));
- API_NS(point_destroy)(q);
+ curve448_point_destroy(q);
}
-decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
+decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio (
point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
) {
gf_sqr(p->x,p->y);
gf_sub(p->z,ONE,p->x); /* num = 1-y^2 */
- #if EDDSA_USE_SIGMA_ISOGENY
- gf_mulw(p->t,p->z,EDWARDS_D); /* d-dy^2 */
- gf_mulw(p->x,p->z,EDWARDS_D-1); /* num = (1-y^2)(d-1) */
- gf_copy(p->z,p->x);
- #else
- gf_mulw(p->t,p->x,EDWARDS_D); /* dy^2 */
- #endif
+ gf_mulw(p->t,p->x,EDWARDS_D); /* dy^2 */
gf_sub(p->t,ONE,p->t); /* denom = 1-dy^2 or 1-d + dy^2 */
gf_mul(p->x,p->z,p->t);
gf_cond_neg(p->x,gf_lobit(p->x)^low);
gf_copy(p->z,ONE);
- #if EDDSA_USE_SIGMA_ISOGENY
- {
- /* Use 4-isogeny like ed25519:
- * 2*x*y/sqrt(1-d/a)/(ax^2 + y^2 - 2)
- * (y^2 - ax^2)/(y^2 + ax^2)
- * (MAGIC: above formula may be off by a factor of -a
- * or something somewhere; check it for other a)
- *
- * with a = -1, d = -EDWARDS_D:
- * -2xy/sqrt(1-EDWARDS_D)/(2z^2-y^2+x^2)
- * (y^2+x^2)/(y^2-x^2)
- */
- gf a, b, c, d;
- gf_sqr ( c, p->x );
- gf_sqr ( a, p->y );
- gf_add ( d, c, a ); // x^2 + y^2
- gf_add ( p->t, p->y, p->x );
- gf_sqr ( b, p->t );
- gf_sub ( b, b, d ); // 2xy
- gf_sub ( p->t, a, c ); // y^2 - x^2
- gf_sqr ( p->x, p->z );
- gf_add ( p->z, p->x, p->x );
- gf_sub ( c, p->z, p->t ); // 2z^2 - y^2 + x^2
- gf_div_i ( a, c );
- gf_mul ( c, a, RISTRETTO_FACTOR );
- gf_mul ( p->x, b, p->t); // (2xy)(y^2-x^2)
- gf_mul ( p->z, p->t, c ); // (y^2-x^2)sd(2z^2 - y^2 + x^2)
- gf_mul ( p->y, d, c ); // (y^2+x^2)sd(2z^2 - y^2 + x^2)
- gf_mul ( p->t, d, b );
- OPENSSL_cleanse(a,sizeof(a));
- OPENSSL_cleanse(b,sizeof(b));
- OPENSSL_cleanse(c,sizeof(c));
- OPENSSL_cleanse(d,sizeof(d));
- }
- #elif IMAGINE_TWIST
- {
- gf_mul(p->t,p->x,SQRT_MINUS_ONE);
- gf_copy(p->x,p->t);
- gf_mul(p->t,p->x,p->y);
- }
- #else
{
/* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */
gf a, b, c, d;
OPENSSL_cleanse(c,sizeof(c));
OPENSSL_cleanse(d,sizeof(d));
}
- #endif
OPENSSL_cleanse(enc2,sizeof(enc2));
- assert(API_NS(point_valid)(p) || ~succ);
+ assert(curve448_point_valid(p) || ~succ);
return decaf_succeed_if(mask_to_bool(succ));
}
{
gf n,d;
-#if EDDSA_USE_SIGMA_ISOGENY
- /* u = (1+y)/(1-y)*/
- gf_add(n, y, ONE); /* n = y+1 */
- gf_sub(d, ONE, y); /* d = 1-y */
- gf_invert(d, d, 0); /* d = 1/(1-y) */
- gf_mul(y, n, d); /* u = (y+1)/(1-y) */
- gf_serialize(x,y,1);
-#else /* EDDSA_USE_SIGMA_ISOGENY */
/* u = y^2 * (1-dy^2) / (1-y^2) */
gf_sqr(n,y); /* y^2*/
gf_sub(d,ONE,n); /* 1-y^2*/
gf_sub(d, ONE, d); /* 1-dy^2*/
gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
gf_serialize(x,n,1);
-#endif /* EDDSA_USE_SIGMA_ISOGENY */
OPENSSL_cleanse(y,sizeof(y));
OPENSSL_cleanse(n,sizeof(n));
}
}
-void API_NS(point_mul_by_ratio_and_encode_like_x448) (
+void curve448_point_mul_by_ratio_and_encode_like_x448 (
uint8_t out[X_PUBLIC_BYTES],
const point_t p
) {
point_t q;
-#if COFACTOR == 8
- point_double_internal(q,p,1);
-#else
- API_NS(point_copy)(q,p);
-#endif
+ curve448_point_copy(q,p);
gf_invert(q->t,q->x,0); /* 1/x */
gf_mul(q->z,q->t,q->y); /* y/x */
gf_sqr(q->y,q->z); /* (y/x)^2 */
-#if IMAGINE_TWIST
- gf_sub(q->y,ZERO,q->y);
-#endif
gf_serialize(out,q->y,1);
- API_NS(point_destroy(q));
+ curve448_point_destroy(q);
}
void decaf_x448_derive_public_key (
scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8);
scalar_t the_scalar;
- API_NS(scalar_decode_long)(the_scalar,scalar2,sizeof(scalar2));
+ curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2));
/* Compensate for the encoding ratio */
for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
- API_NS(scalar_halve)(the_scalar,the_scalar);
+ curve448_scalar_halve(the_scalar,the_scalar);
}
point_t p;
- API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),the_scalar);
- API_NS(point_mul_by_ratio_and_encode_like_x448)(out,p);
- API_NS(point_destroy)(p);
+ curve448_precomputed_scalarmul(p,curve448_precomputed_base,the_scalar);
+ curve448_point_mul_by_ratio_and_encode_like_x448(out,p);
+ curve448_point_destroy(p);
}
/**
if (tbits == 0) return;
- API_NS(point_double)(tmp,working);
+ curve448_point_double(tmp,working);
pniels_t twop;
pt_to_pniels(twop, tmp);
pt_to_pniels(output[i], tmp);
}
- API_NS(point_destroy)(tmp);
+ curve448_point_destroy(tmp);
OPENSSL_cleanse(twop,sizeof(twop));
}
-extern const gf API_NS(precomputed_wnaf_as_fe)[];
-static const niels_t *API_NS(wnaf_base) = (const niels_t *)API_NS(precomputed_wnaf_as_fe);
+extern const gf curve448_precomputed_wnaf_as_fe[];
+static const niels_t *curve448_wnaf_base = (const niels_t *)curve448_precomputed_wnaf_as_fe;
-void API_NS(base_double_scalarmul_non_secret) (
+void curve448_base_double_scalarmul_non_secret (
point_t combo,
const scalar_t scalar1,
const point_t base2,
int contp=0, contv=0, i = control_var[0].power;
if (i < 0) {
- API_NS(point_copy)(combo, API_NS(point_identity));
+ curve448_point_copy(combo, curve448_point_identity);
return;
} else if (i > control_pre[0].power) {
pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);
contv++;
} else if (i == control_pre[0].power && i >=0 ) {
pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);
- add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1], i);
+ add_niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1], i);
contv++; contp++;
} else {
i = control_pre[0].power;
- niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1]);
+ niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1]);
contp++;
}
assert(control_pre[contp].addend);
if (control_pre[contp].addend > 0) {
- add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[contp].addend >> 1], i);
+ add_niels_to_pt(combo, curve448_wnaf_base[control_pre[contp].addend >> 1], i);
} else {
- sub_niels_from_pt(combo, API_NS(wnaf_base)[(-control_pre[contp].addend) >> 1], i);
+ sub_niels_from_pt(combo, curve448_wnaf_base[(-control_pre[contp].addend) >> 1], i);
}
contp++;
}
assert(contp == ncb_pre); (void)ncb_pre;
}
-void API_NS(point_destroy) (
+void curve448_point_destroy (
point_t point
) {
OPENSSL_cleanse(point, sizeof(point_t));
projects / oweals / openssl.git / blobdiff