#include "f_field.h"
#if (defined(__OPTIMIZE__) && !defined(__OPTIMIZE_SIZE__) && !I_HATE_UNROLLED_LOOPS) \
- || defined(DECAF_FORCE_UNROLL)
+ || defined(C448_FORCE_UNROLL)
# define REPEAT8(_x) _x _x _x _x _x _x _x _x
# define FOR_LIMB(_i,_start,_end,_x) do { _i=_start; REPEAT8( if (_i<_end) { _x; } _i++;) } while (0)
#else
#define COMBS_N 5
#define COMBS_T 5
#define COMBS_S 18
-#define DECAF_WNAF_FIXED_TABLE_BITS 5
-#define DECAF_WNAF_VAR_TABLE_BITS 3
+#define C448_WNAF_FIXED_TABLE_BITS 5
+#define C448_WNAF_VAR_TABLE_BITS 3
static const int EDWARDS_D = -39081;
static const curve448_scalar_t precomputed_scalarmul_adjustment = {
#define TWISTED_D ((EDWARDS_D)-1)
-#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
+#define WBITS C448_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
/* Projective Niels coordinates */
typedef struct {
sub_niels_from_pt(p, pn->n, before_double);
}
-decaf_bool_t curve448_point_eq(const curve448_point_t p,
- const curve448_point_t q)
+c448_bool_t curve448_point_eq(const curve448_point_t p,
+ const curve448_point_t q)
{
mask_t succ;
return mask_to_bool(succ);
}
-decaf_bool_t curve448_point_valid(const curve448_point_t p)
+c448_bool_t curve448_point_valid(const curve448_point_t p)
{
mask_t out;
for (k = 0; k < t; k++) {
unsigned int bit = i + s * (k + j * t);
- if (bit < DECAF_448_SCALAR_BITS) {
+ if (bit < C448_448_SCALAR_BITS) {
tab |=
(scalar1x->limb[bit / WBITS] >> (bit % WBITS) & 1) << k;
}
}
void curve448_point_mul_by_ratio_and_encode_like_eddsa(
- uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
+ uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES],
const curve448_point_t p)
{
gf_mul(x, y, z);
/* Encode */
- enc[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
+ enc[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;
gf_serialize(enc, x, 1);
- enc[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);
+ enc[C448_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);
OPENSSL_cleanse(x, sizeof(x));
OPENSSL_cleanse(y, sizeof(y));
curve448_point_destroy(q);
}
-decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
+c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
curve448_point_t p,
- const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES])
+ const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES])
{
- uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];
+ uint8_t enc2[C448_EDDSA_448_PUBLIC_BYTES];
mask_t low;
mask_t succ;
memcpy(enc2, enc, sizeof(enc2));
- low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1] & 0x80);
- enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;
+ low = ~word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] & 0x80);
+ enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;
succ = gf_deserialize(p->y, enc2, 1, 0);
#if 0 == 0
- succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1]);
+ succ &= word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1]);
#endif
gf_sqr(p->x, p->y);
OPENSSL_cleanse(enc2, sizeof(enc2));
assert(curve448_point_valid(p) || ~succ);
- return decaf_succeed_if(mask_to_bool(succ));
+ return c448_succeed_if(mask_to_bool(succ));
}
-decaf_error_t decaf_x448(uint8_t out[X_PUBLIC_BYTES],
- const uint8_t base[X_PUBLIC_BYTES],
- const uint8_t scalar[X_PRIVATE_BYTES])
+c448_error_t c448_x448(uint8_t out[X_PUBLIC_BYTES],
+ const uint8_t base[X_PUBLIC_BYTES],
+ const uint8_t scalar[X_PRIVATE_BYTES])
{
gf x1, x2, z2, x3, z3, t1, t2;
int t;
OPENSSL_cleanse(t1, sizeof(t1));
OPENSSL_cleanse(t2, sizeof(t2));
- return decaf_succeed_if(mask_to_bool(nz));
+ return c448_succeed_if(mask_to_bool(nz));
}
void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t
curve448_point_destroy(q);
}
-void decaf_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
- const uint8_t scalar[X_PRIVATE_BYTES])
+void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
+ const uint8_t scalar[X_PRIVATE_BYTES])
{
/* Scalar conditioning */
uint8_t scalar2[X_PRIVATE_BYTES];
curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2));
/* Compensate for the encoding ratio */
- for (i = 1; i < DECAF_X448_ENCODE_RATIO; i <<= 1) {
+ for (i = 1; i < C448_X448_ENCODE_RATIO; i <<= 1) {
curve448_scalar_halve(the_scalar, the_scalar);
}
curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar);
const curve448_scalar_t scalar,
unsigned int table_bits)
{
- unsigned int table_size = DECAF_448_SCALAR_BITS / (table_bits + 1) + 3;
+ unsigned int table_size = C448_448_SCALAR_BITS / (table_bits + 1) + 3;
int position = table_size - 1; /* at the end */
uint64_t current = scalar->limb[0] & 0xFFFF;
uint32_t mask = (1 << (table_bits + 1)) - 1;
* 1/5 op. Probably not worth it.
*/
- for (w = 1; w < (DECAF_448_SCALAR_BITS - 1) / 16 + 3; w++) {
- if (w < (DECAF_448_SCALAR_BITS - 1) / 16 + 1) {
+ for (w = 1; w < (C448_448_SCALAR_BITS - 1) / 16 + 3; w++) {
+ if (w < (C448_448_SCALAR_BITS - 1) / 16 + 1) {
/* Refill the 16 high bits of current */
current += (uint32_t)((scalar->limb[w / B_OVER_16]
>> (16 * (w % B_OVER_16))) << 16);
const curve448_point_t base2,
const curve448_scalar_t scalar2)
{
- const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS,
- table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS;
- struct smvt_control control_var[DECAF_448_SCALAR_BITS /
- (DECAF_WNAF_VAR_TABLE_BITS + 1) + 3];
- struct smvt_control control_pre[DECAF_448_SCALAR_BITS /
- (DECAF_WNAF_FIXED_TABLE_BITS + 1) + 3];
+ const int table_bits_var = C448_WNAF_VAR_TABLE_BITS,
+ table_bits_pre = C448_WNAF_FIXED_TABLE_BITS;
+ struct smvt_control control_var[C448_448_SCALAR_BITS /
+ (C448_WNAF_VAR_TABLE_BITS + 1) + 3];
+ struct smvt_control control_pre[C448_448_SCALAR_BITS /
+ (C448_WNAF_FIXED_TABLE_BITS + 1) + 3];
int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
- pniels_t precmp_var[1 << DECAF_WNAF_VAR_TABLE_BITS];
+ pniels_t precmp_var[1 << C448_WNAF_VAR_TABLE_BITS];
int contp = 0, contv = 0, i;
prepare_wnaf_table(precmp_var, base2, table_bits_var);
int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],
const uint8_t peer_public_value[56])
{
- return decaf_x448(out_shared_key, peer_public_value, private_key)
- == DECAF_SUCCESS;
+ return c448_x448(out_shared_key, peer_public_value, private_key)
+ == C448_SUCCESS;
}
void X448_public_from_private(uint8_t out_public_value[56],
const uint8_t private_key[56])
{
- decaf_x448_derive_public_key(out_public_value, private_key);
+ c448_x448_derive_public_key(out_public_value, private_key);
}
* Originally written by Mike Hamburg
*/
-#ifndef __DECAF_COMMON_H__
-# define __DECAF_COMMON_H__ 1
+#ifndef __C448_COMMON_H__
+# define __C448_COMMON_H__ 1
# include <openssl/e_os2.h>
* header was built with eg arch_neon, you might end up linking a library built
* with arch_arm32.
*/
-# ifndef DECAF_WORD_BITS
+# ifndef C448_WORD_BITS
# if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) \
|| (((__UINT_FAST32_MAX__)>>30)>>30))
-# define DECAF_WORD_BITS 64 /* The number of bits in a word */
+# define C448_WORD_BITS 64 /* The number of bits in a word */
# else
-# define DECAF_WORD_BITS 32 /* The number of bits in a word */
+# define C448_WORD_BITS 32 /* The number of bits in a word */
# endif
# endif
-# if DECAF_WORD_BITS == 64
+# if C448_WORD_BITS == 64
/* Word size for internal computations */
-typedef uint64_t decaf_word_t;
+typedef uint64_t c448_word_t;
/* Signed word size for internal computations */
-typedef int64_t decaf_sword_t;
+typedef int64_t c448_sword_t;
/* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */
-typedef uint64_t decaf_bool_t;
+typedef uint64_t c448_bool_t;
/* Double-word size for internal computations */
-typedef __uint128_t decaf_dword_t;
+typedef __uint128_t c448_dword_t;
/* Signed double-word size for internal computations */
-typedef __int128_t decaf_dsword_t;
-# elif DECAF_WORD_BITS == 32
+typedef __int128_t c448_dsword_t;
+# elif C448_WORD_BITS == 32
/* Word size for internal computations */
-typedef uint32_t decaf_word_t;
+typedef uint32_t c448_word_t;
/* Signed word size for internal computations */
-typedef int32_t decaf_sword_t;
+typedef int32_t c448_sword_t;
/* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */
-typedef uint32_t decaf_bool_t;
+typedef uint32_t c448_bool_t;
/* Double-word size for internal computations */
-typedef uint64_t decaf_dword_t;
+typedef uint64_t c448_dword_t;
/* Signed double-word size for internal computations */
-typedef int64_t decaf_dsword_t;
+typedef int64_t c448_dsword_t;
# else
-# error "Only supporting DECAF_WORD_BITS = 32 or 64 for now"
+# error "Only supporting C448_WORD_BITS = 32 or 64 for now"
# endif
-/* DECAF_TRUE = -1 so that DECAF_TRUE & x = x */
-static const decaf_bool_t DECAF_TRUE = -(decaf_bool_t) 1;
+/* C448_TRUE = -1 so that C448_TRUE & x = x */
+static const c448_bool_t C448_TRUE = -(c448_bool_t) 1;
-/* DECAF_FALSE = 0 so that DECAF_FALSE & x = 0 */
-static const decaf_bool_t DECAF_FALSE = 0;
+/* C448_FALSE = 0 so that C448_FALSE & x = 0 */
+static const c448_bool_t C448_FALSE = 0;
/* Another boolean type used to indicate success or failure. */
typedef enum {
- DECAF_SUCCESS = -1, /**< The operation succeeded. */
- DECAF_FAILURE = 0 /**< The operation failed. */
-} decaf_error_t;
+ C448_SUCCESS = -1, /**< The operation succeeded. */
+ C448_FAILURE = 0 /**< The operation failed. */
+} c448_error_t;
/* Return success if x is true */
-static ossl_inline decaf_error_t decaf_succeed_if(decaf_bool_t x)
+static ossl_inline c448_error_t c448_succeed_if(c448_bool_t x)
{
- return (decaf_error_t) x;
+ return (c448_error_t) x;
}
#ifdef __cplusplus
} /* extern "C" */
#endif
-#endif /* __DECAF_COMMON_H__ */
+#endif /* __C448_COMMON_H__ */
* Originally written by Mike Hamburg
*/
-#ifndef __DECAF_ED448_H__
-# define __DECAF_ED448_H__ 1
+#ifndef __C448_ED448_H__
+# define __C448_ED448_H__ 1
# include "point_448.h"
#endif
/* Number of bytes in an EdDSA public key. */
-# define DECAF_EDDSA_448_PUBLIC_BYTES 57
+# define C448_EDDSA_448_PUBLIC_BYTES 57
/* Number of bytes in an EdDSA private key. */
-# define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES
+# define C448_EDDSA_448_PRIVATE_BYTES C448_EDDSA_448_PUBLIC_BYTES
/* Number of bytes in an EdDSA private key. */
-# define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + \
- DECAF_EDDSA_448_PRIVATE_BYTES)
+# define C448_EDDSA_448_SIGNATURE_BYTES (C448_EDDSA_448_PUBLIC_BYTES + \
+ C448_EDDSA_448_PRIVATE_BYTES)
/* EdDSA encoding ratio. */
-# define DECAF_448_EDDSA_ENCODE_RATIO 4
+# define C448_448_EDDSA_ENCODE_RATIO 4
/* EdDSA decoding ratio. */
-# define DECAF_448_EDDSA_DECODE_RATIO (4 / 4)
+# define C448_448_EDDSA_DECODE_RATIO (4 / 4)
/*
* EdDSA key generation. This function uses a different (non-Decaf) encoding.
* pubkey (out): The public key.
* privkey (in): The private key.
*/
-decaf_error_t decaf_ed448_derive_public_key(
- uint8_t pubkey [DECAF_EDDSA_448_PUBLIC_BYTES],
- const uint8_t privkey [DECAF_EDDSA_448_PRIVATE_BYTES]);
+c448_error_t c448_ed448_derive_public_key(
+ uint8_t pubkey [C448_EDDSA_448_PUBLIC_BYTES],
+ const uint8_t privkey [C448_EDDSA_448_PRIVATE_BYTES]);
/*
* EdDSA signing.
* disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
* it harder to screw this up, but this C code gives you no seat belt.
*/
-decaf_error_t decaf_ed448_sign(
- uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+c448_error_t c448_ed448_sign(
+ uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
+ const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
size_t context_len)
* disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
* it harder to screw this up, but this C code gives you no seat belt.
*/
-decaf_error_t decaf_ed448_sign_prehash(
- uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+c448_error_t c448_ed448_sign_prehash(
+ uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
+ const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64],
const uint8_t *context,
size_t context_len)
* disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
* it harder to screw this up, but this C code gives you no seat belt.
*/
-decaf_error_t decaf_ed448_verify(const uint8_t
- signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
+c448_error_t c448_ed448_verify(const uint8_t
+ signature[C448_EDDSA_448_SIGNATURE_BYTES],
const uint8_t
- pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+ pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
uint8_t context_len)
* disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
* it harder to screw this up, but this C code gives you no seat belt.
*/
-decaf_error_t decaf_ed448_verify_prehash(
- const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+c448_error_t c448_ed448_verify_prehash(
+ const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64],
const uint8_t *context,
uint8_t context_len)
/*
* EdDSA point encoding. Used internally, exposed externally.
- * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first.
+ * Multiplies by C448_448_EDDSA_ENCODE_RATIO first.
*
* The multiplication is required because the EdDSA encoding represents
* the cofactor information, but the Decaf encoding ignores it (which
* EdDSA, the cofactor info must get cleared, because the intermediate
* representation doesn't track it.
*
- * The way libdecaf handles this is to multiply by
- * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by
- * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these
- * ratios is always exactly the cofactor 4, so the cofactor
- * ends up cleared one way or another. But exactly how that shakes
- * out depends on the base points specified in RFC 8032.
+ * The way we handle this is to multiply by C448_448_EDDSA_DECODE_RATIO when
+ * decoding, and by C448_448_EDDSA_ENCODE_RATIO when encoding. The product of
+ * these ratios is always exactly the cofactor 4, so the cofactor ends up
+ * cleared one way or another. But exactly how that shakes out depends on the
+ * base points specified in RFC 8032.
*
* The upshot is that if you pass the Decaf/Ristretto base point to
- * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the
+ * this function, you will get C448_448_EDDSA_ENCODE_RATIO times the
* EdDSA base point.
*
* enc (out): The encoded point.
* p (in): The point.
*/
void curve448_point_mul_by_ratio_and_encode_like_eddsa(
- uint8_t enc [DECAF_EDDSA_448_PUBLIC_BYTES],
+ uint8_t enc [C448_EDDSA_448_PUBLIC_BYTES],
const curve448_point_t p);
/*
- * EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO, and
+ * EdDSA point decoding. Multiplies by C448_448_EDDSA_DECODE_RATIO, and
* ignores cofactor information.
*
* See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa
* enc (out): The encoded point.
* p (in): The point.
*/
-decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
+c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
curve448_point_t p,
- const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]);
+ const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]);
/*
* EdDSA to ECDH private key conversion
* x (out): The ECDH private key as in RFC7748
* ed (in): The EdDSA private key
*/
-decaf_error_t decaf_ed448_convert_private_key_to_x448(
- uint8_t x[DECAF_X448_PRIVATE_BYTES],
- const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]);
+c448_error_t c448_ed448_convert_private_key_to_x448(
+ uint8_t x[C448_X448_PRIVATE_BYTES],
+ const uint8_t ed[C448_EDDSA_448_PRIVATE_BYTES]);
#ifdef __cplusplus
} /* extern "C" */
#endif
-#endif /* __DECAF_ED448_H__ */
+#endif /* __C448_ED448_H__ */
#define COFACTOR 4
-static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen,
- const uint8_t *in, size_t inlen)
+static c448_error_t oneshot_hash(uint8_t *out, size_t outlen,
+ const uint8_t *in, size_t inlen)
{
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
if (hashctx == NULL)
- return DECAF_FAILURE;
+ return C448_FAILURE;
if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
|| !EVP_DigestUpdate(hashctx, in, inlen)
|| !EVP_DigestFinalXOF(hashctx, out, outlen)) {
EVP_MD_CTX_free(hashctx);
- return DECAF_FAILURE;
+ return C448_FAILURE;
}
EVP_MD_CTX_free(hashctx);
- return DECAF_SUCCESS;
+ return C448_SUCCESS;
}
-static void clamp(uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES])
+static void clamp(uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES])
{
uint8_t hibit = (1 << 0) >> 1;
/* Blarg */
secret_scalar_ser[0] &= -COFACTOR;
if (hibit == 0) {
- secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
- secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
+ secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;
+ secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
} else {
- secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
- secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
+ secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
+ secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
}
}
-static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx,
- uint8_t prehashed,
- uint8_t for_prehash,
- const uint8_t *context,
- size_t context_len)
+static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
+ uint8_t for_prehash,
+ const uint8_t *context,
+ size_t context_len)
{
const char *dom_s = "SigEd448";
uint8_t dom[2];
dom[1] = (uint8_t)context_len;
if (context_len > UINT8_MAX)
- return DECAF_FAILURE;
+ return C448_FAILURE;
if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
|| !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
|| !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
|| !EVP_DigestUpdate(hashctx, context, context_len))
- return DECAF_FAILURE;
+ return C448_FAILURE;
- return DECAF_SUCCESS;
+ return C448_SUCCESS;
}
/* In this file because it uses the hash */
-decaf_error_t decaf_ed448_convert_private_key_to_x448(
- uint8_t x[DECAF_X448_PRIVATE_BYTES],
- const uint8_t ed [DECAF_EDDSA_448_PRIVATE_BYTES])
+c448_error_t c448_ed448_convert_private_key_to_x448(
+ uint8_t x[C448_X448_PRIVATE_BYTES],
+ const uint8_t ed [C448_EDDSA_448_PRIVATE_BYTES])
{
/* pass the private key through oneshot_hash function */
- /* and keep the first DECAF_X448_PRIVATE_BYTES bytes */
- return oneshot_hash(x,
- DECAF_X448_PRIVATE_BYTES,
- ed, DECAF_EDDSA_448_PRIVATE_BYTES);
+ /* and keep the first C448_X448_PRIVATE_BYTES bytes */
+ return oneshot_hash(x, C448_X448_PRIVATE_BYTES, ed,
+ C448_EDDSA_448_PRIVATE_BYTES);
}
-decaf_error_t decaf_ed448_derive_public_key(
- uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES])
+c448_error_t c448_ed448_derive_public_key(
+ uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES])
{
/* only this much used for keygen */
- uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
+ uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];
curve448_scalar_t secret_scalar;
unsigned int c;
curve448_point_t p;
if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
- DECAF_EDDSA_448_PRIVATE_BYTES))
- return DECAF_FAILURE;
+ C448_EDDSA_448_PRIVATE_BYTES))
+ return C448_FAILURE;
clamp(secret_scalar_ser);
* converted it effectively picks up a factor of 2 from the isogenies. So
* we might start at 2 instead of 1.
*/
- for (c = 1; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1)
+ for (c = 1; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1)
curve448_scalar_halve(secret_scalar, secret_scalar);
curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
curve448_point_destroy(p);
OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
- return DECAF_SUCCESS;
+ return C448_SUCCESS;
}
-decaf_error_t decaf_ed448_sign(
- uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+c448_error_t c448_ed448_sign(
+ uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
+ const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
size_t context_len)
{
curve448_scalar_t secret_scalar;
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
- decaf_error_t ret = DECAF_FAILURE;
+ c448_error_t ret = C448_FAILURE;
curve448_scalar_t nonce_scalar;
- uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = { 0 };
+ uint8_t nonce_point[C448_EDDSA_448_PUBLIC_BYTES] = { 0 };
unsigned int c;
curve448_scalar_t challenge_scalar;
if (hashctx == NULL)
- return DECAF_FAILURE;
+ return C448_FAILURE;
{
/* Schedule the secret key */
struct {
- uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
- uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES];
+ uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];
+ uint8_t seed[C448_EDDSA_448_PRIVATE_BYTES];
} __attribute__ ((packed)) expanded;
if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey,
- DECAF_EDDSA_448_PRIVATE_BYTES))
+ C448_EDDSA_448_PRIVATE_BYTES))
goto err;
clamp(expanded.secret_scalar_ser);
curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser,
/* Decode the nonce */
{
- uint8_t nonce[2 * DECAF_EDDSA_448_PRIVATE_BYTES];
+ uint8_t nonce[2 * C448_EDDSA_448_PRIVATE_BYTES];
if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
goto err;
curve448_point_t p;
curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
- for (c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
+ for (c = 2; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) {
curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
}
}
{
- uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES];
+ uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];
/* Compute the challenge */
if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
|| !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
- || !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES)
+ || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)
|| !EVP_DigestUpdate(hashctx, message, message_len)
|| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
goto err;
curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
- OPENSSL_cleanse(signature, DECAF_EDDSA_448_SIGNATURE_BYTES);
+ OPENSSL_cleanse(signature, C448_EDDSA_448_SIGNATURE_BYTES);
memcpy(signature, nonce_point, sizeof(nonce_point));
- curve448_scalar_encode(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
+ curve448_scalar_encode(&signature[C448_EDDSA_448_PUBLIC_BYTES],
challenge_scalar);
curve448_scalar_destroy(secret_scalar);
curve448_scalar_destroy(nonce_scalar);
curve448_scalar_destroy(challenge_scalar);
- ret = DECAF_SUCCESS;
+ ret = C448_SUCCESS;
err:
EVP_MD_CTX_free(hashctx);
return ret;
}
-decaf_error_t decaf_ed448_sign_prehash(uint8_t
- signature
- [DECAF_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t
- privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
- const uint8_t
- pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
- const uint8_t hash[64],
- const uint8_t *context,
- size_t context_len)
+c448_error_t c448_ed448_sign_prehash(
+ uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
+ const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ const uint8_t hash[64], const uint8_t *context,
+ size_t context_len)
{
- return decaf_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
- context_len);
+ return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
+ context_len);
}
-decaf_error_t decaf_ed448_verify(const uint8_t
- signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t
- pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
- const uint8_t *message, size_t message_len,
- uint8_t prehashed, const uint8_t *context,
- uint8_t context_len)
+c448_error_t c448_ed448_verify(
+ const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
+ const uint8_t *message, size_t message_len,
+ uint8_t prehashed, const uint8_t *context,
+ uint8_t context_len)
{
curve448_point_t pk_point, r_point;
- decaf_error_t error =
+ c448_error_t error =
curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
curve448_scalar_t challenge_scalar;
curve448_scalar_t response_scalar;
unsigned int c;
- if (DECAF_SUCCESS != error)
+ if (C448_SUCCESS != error)
return error;
error =
curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
- if (DECAF_SUCCESS != error)
+ if (C448_SUCCESS != error)
return error;
{
/* Compute the challenge */
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
- uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES];
+ uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];
if (hashctx == NULL
|| !hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
|| !EVP_DigestUpdate(hashctx, signature,
- DECAF_EDDSA_448_PUBLIC_BYTES)
- || !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES)
+ C448_EDDSA_448_PUBLIC_BYTES)
+ || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)
|| !EVP_DigestUpdate(hashctx, message, message_len)
|| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
EVP_MD_CTX_free(hashctx);
- return DECAF_FAILURE;
+ return C448_FAILURE;
}
EVP_MD_CTX_free(hashctx);
challenge_scalar);
curve448_scalar_decode_long(response_scalar,
- &signature[DECAF_EDDSA_448_PUBLIC_BYTES],
- DECAF_EDDSA_448_PRIVATE_BYTES);
+ &signature[C448_EDDSA_448_PUBLIC_BYTES],
+ C448_EDDSA_448_PRIVATE_BYTES);
- for (c = 1; c < DECAF_448_EDDSA_DECODE_RATIO; c <<= 1)
+ for (c = 1; c < C448_448_EDDSA_DECODE_RATIO; c <<= 1)
curve448_scalar_add(response_scalar, response_scalar, response_scalar);
/* pk_point = -c(x(P)) + (cx + k)G = kG */
curve448_base_double_scalarmul_non_secret(pk_point,
response_scalar,
pk_point, challenge_scalar);
- return decaf_succeed_if(curve448_point_eq(pk_point, r_point));
+ return c448_succeed_if(curve448_point_eq(pk_point, r_point));
}
-decaf_error_t decaf_ed448_verify_prehash(
- const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+c448_error_t c448_ed448_verify_prehash(
+ const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
+ const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64], const uint8_t *context,
uint8_t context_len)
{
- decaf_error_t ret;
+ c448_error_t ret;
- ret = decaf_ed448_verify(signature, pubkey, hash, 64, 1, context,
- context_len);
+ ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context,
+ context_len);
return ret;
}
const uint8_t *context, size_t context_len)
{
- return decaf_ed448_sign(out_sig, private_key, public_key, message,
- message_len, 0, context, context_len)
- == DECAF_SUCCESS;
+ return c448_ed448_sign(out_sig, private_key, public_key, message,
+ message_len, 0, context, context_len)
+ == C448_SUCCESS;
}
int ED448_verify(const uint8_t *message, size_t message_len,
const uint8_t signature[114], const uint8_t public_key[57],
const uint8_t *context, size_t context_len)
{
- return decaf_ed448_verify(signature, public_key, message, message_len, 0,
- context, context_len) == DECAF_SUCCESS;
+ return c448_ed448_verify(signature, public_key, message, message_len, 0,
+ context, context_len) == C448_SUCCESS;
}
int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
const uint8_t public_key[57], const uint8_t private_key[57],
const uint8_t *context, size_t context_len)
{
- return decaf_ed448_sign_prehash(out_sig, private_key, public_key, hash,
- context, context_len) == DECAF_SUCCESS;
+ return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash,
+ context, context_len) == C448_SUCCESS;
}
const uint8_t public_key[57], const uint8_t *context,
size_t context_len)
{
- return decaf_ed448_verify_prehash(signature, public_key, hash, context,
- context_len) == DECAF_SUCCESS;
+ return c448_ed448_verify_prehash(signature, public_key, hash, context,
+ context_len) == C448_SUCCESS;
}
int ED448_public_from_private(uint8_t out_public_key[57],
const uint8_t private_key[57])
{
- return decaf_ed448_derive_public_key(out_public_key, private_key)
- == DECAF_SUCCESS;
+ return c448_ed448_derive_public_key(out_public_key, private_key)
+ == C448_SUCCESS;
}
* Originally written by Mike Hamburg
*/
-#ifndef __DECAF_POINT_448_H__
-# define __DECAF_POINT_448_H__ 1
+#ifndef __C448_POINT_448_H__
+# define __C448_POINT_448_H__ 1
# include "curve448utils.h"
# include "field.h"
extern "C" {
#endif
-# define DECAF_448_SCALAR_LIMBS ((446-1)/DECAF_WORD_BITS+1)
+# define C448_448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1)
/* The number of bits in a scalar */
-# define DECAF_448_SCALAR_BITS 446
+# define C448_448_SCALAR_BITS 446
/* Number of bytes in a serialized scalar. */
-# define DECAF_448_SCALAR_BYTES 56
+# define C448_448_SCALAR_BYTES 56
/* X448 encoding ratio. */
-# define DECAF_X448_ENCODE_RATIO 2
+# define C448_X448_ENCODE_RATIO 2
/* Number of bytes in an x448 public key */
-# define DECAF_X448_PUBLIC_BYTES 56
+# define C448_X448_PUBLIC_BYTES 56
/* Number of bytes in an x448 private key */
-# define DECAF_X448_PRIVATE_BYTES 56
+# define C448_X448_PRIVATE_BYTES 56
/* Twisted Edwards extended homogeneous coordinates */
typedef struct curve448_point_s {
/* Scalar is stored packed, because we don't need the speed. */
typedef struct curve448_scalar_s {
- decaf_word_t limb[DECAF_448_SCALAR_LIMBS];
+ c448_word_t limb[C448_448_SCALAR_LIMBS];
} curve448_scalar_t[1];
/* A scalar equal to 1. */
* out (out): Deserialized form.
*
* Returns:
- * DECAF_SUCCESS: The scalar was correctly encoded.
- * DECAF_FAILURE: The scalar was greater than the modulus, and has been reduced
+ * C448_SUCCESS: The scalar was correctly encoded.
+ * C448_FAILURE: The scalar was greater than the modulus, and has been reduced
* modulo that modulus.
*/
-__owur decaf_error_t curve448_scalar_decode(
+__owur c448_error_t curve448_scalar_decode(
curve448_scalar_t out,
- const unsigned char ser[DECAF_448_SCALAR_BYTES]);
+ const unsigned char ser[C448_448_SCALAR_BYTES]);
/*
* Read a scalar from wire format or from bytes. Reduces mod scalar prime.
* ser (out): Serialized form of a scalar.
* s (in): Deserialized scalar.
*/
-void curve448_scalar_encode(unsigned char ser[DECAF_448_SCALAR_BYTES],
+void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES],
const curve448_scalar_t s);
/*
}
/*
- * Test whether two points are equal. If yes, return DECAF_TRUE, else return
- * DECAF_FALSE.
+ * Test whether two points are equal. If yes, return C448_TRUE, else return
+ * C448_FALSE.
*
* a (in): A point.
* b (in): Another point.
*
* Returns:
- * DECAF_TRUE: The points are equal.
- * DECAF_FALSE: The points are not equal.
+ * C448_TRUE: The points are equal.
+ * C448_FALSE: The points are not equal.
*/
-__owur decaf_bool_t curve448_point_eq(const curve448_point_t a,
- const curve448_point_t b);
+__owur c448_bool_t curve448_point_eq(const curve448_point_t a,
+ const curve448_point_t b);
/*
* Double a point. Equivalent to curve448_point_add(two_a,a,a), but potentially
* scalar (in): The scalar to multiply by.
*
* Returns:
- * DECAF_SUCCESS: The scalarmul succeeded.
- * DECAF_FAILURE: The scalarmul didn't succeed, because the base point is in a
+ * C448_SUCCESS: The scalarmul succeeded.
+ * C448_FAILURE: The scalarmul didn't succeed, because the base point is in a
* small subgroup.
*/
-__owur decaf_error_t decaf_x448(uint8_t out[DECAF_X448_PUBLIC_BYTES],
- const uint8_t base[DECAF_X448_PUBLIC_BYTES],
- const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]);
+__owur c448_error_t c448_x448(uint8_t out[C448_X448_PUBLIC_BYTES],
+ const uint8_t base[C448_X448_PUBLIC_BYTES],
+ const uint8_t scalar[C448_X448_PRIVATE_BYTES]);
/*
- * Multiply a point by DECAF_X448_ENCODE_RATIO, then encode it like RFC 7748.
+ * Multiply a point by C448_X448_ENCODE_RATIO, then encode it like RFC 7748.
*
* This function is mainly used internally, but is exported in case
* it will be useful.
*
* The ratio is necessary because the internal representation doesn't
* track the cofactor information, so on output we must clear the cofactor.
- * This would multiply by the cofactor, but in fact internally libdecaf's
- * points are always even, so it multiplies by half the cofactor instead.
+ * This would multiply by the cofactor, but in fact internally points are always
+ * even, so it multiplies by half the cofactor instead.
*
* As it happens, this aligns with the base point definitions; that is,
* if you pass the Decaf/Ristretto base point to this function, the result
- * will be DECAF_X448_ENCODE_RATIO times the X448
+ * will be C448_X448_ENCODE_RATIO times the X448
* base point.
*
* out (out): The scaled and encoded point.
* p (in): The point to be scaled and encoded.
*/
void curve448_point_mul_by_ratio_and_encode_like_x448(
- uint8_t out[DECAF_X448_PUBLIC_BYTES],
+ uint8_t out[C448_X448_PUBLIC_BYTES],
const curve448_point_t p);
/*
* out (out): The scaled point base*scalar
* scalar (in): The scalar to multiply by.
*/
-void decaf_x448_derive_public_key(
- uint8_t out[DECAF_X448_PUBLIC_BYTES],
- const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]);
+void c448_x448_derive_public_key(
+ uint8_t out[C448_X448_PUBLIC_BYTES],
+ const uint8_t scalar[C448_X448_PRIVATE_BYTES]);
/*
* Multiply a precomputed base point by a scalar: out = scalar*base.
* to_test (in): The point to test.
*
* Returns:
- * DECAF_TRUE The point is valid.
- * DECAF_FALSE The point is invalid.
+ * C448_TRUE The point is valid.
+ * C448_FALSE The point is invalid.
*/
-__owur decaf_bool_t curve448_point_valid(const curve448_point_t to_test);
+__owur c448_bool_t curve448_point_valid(const curve448_point_t to_test);
/* Overwrite scalar with zeros. */
void curve448_scalar_destroy(curve448_scalar_t scalar);
} /* extern "C" */
#endif
-#endif /* __DECAF_POINT_448_H__ */
+#endif /* __C448_POINT_448_H__ */
#include "constant_time.h"
#include "point_448.h"
-static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t) 0x3bd440fae918bc5;
+static const c448_word_t MONTGOMERY_FACTOR = (c448_word_t) 0x3bd440fae918bc5;
static const curve448_scalar_t sc_p = {
{
{
}
};
-#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
+#define WBITS C448_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
const curve448_scalar_t curve448_scalar_one = {{{1}}};
const curve448_scalar_t curve448_scalar_zero = {{{0}}};
* Must have extra <= 1
*/
static void sc_subx(curve448_scalar_t out,
- const decaf_word_t accum[DECAF_448_SCALAR_LIMBS],
+ const c448_word_t accum[C448_448_SCALAR_LIMBS],
const curve448_scalar_t sub,
- const curve448_scalar_t p, decaf_word_t extra)
+ const curve448_scalar_t p, c448_word_t extra)
{
- decaf_dsword_t chain = 0;
+ c448_dsword_t chain = 0;
unsigned int i;
- decaf_word_t borrow;
+ c448_word_t borrow;
- for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
borrow = chain + extra; /* = 0 or -1 */
chain = 0;
- for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
out->limb[i] = chain;
chain >>= WBITS;
const curve448_scalar_t b)
{
unsigned int i, j;
- decaf_word_t accum[DECAF_448_SCALAR_LIMBS + 1] = { 0 };
- decaf_word_t hi_carry = 0;
+ c448_word_t accum[C448_448_SCALAR_LIMBS + 1] = { 0 };
+ c448_word_t hi_carry = 0;
- for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
- decaf_word_t mand = a->limb[i];
- const decaf_word_t *mier = b->limb;
+ for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ c448_word_t mand = a->limb[i];
+ const c448_word_t *mier = b->limb;
- decaf_dword_t chain = 0;
- for (j = 0; j < DECAF_448_SCALAR_LIMBS; j++) {
- chain += ((decaf_dword_t) mand) * mier[j] + accum[j];
+ c448_dword_t chain = 0;
+ for (j = 0; j < C448_448_SCALAR_LIMBS; j++) {
+ chain += ((c448_dword_t) mand) * mier[j] + accum[j];
accum[j] = chain;
chain >>= WBITS;
}
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
- for (j = 0; j < DECAF_448_SCALAR_LIMBS; j++) {
- chain += (decaf_dword_t) mand *mier[j] + accum[j];
+ for (j = 0; j < C448_448_SCALAR_LIMBS; j++) {
+ chain += (c448_dword_t) mand *mier[j] + accum[j];
if (j)
accum[j - 1] = chain;
chain >>= WBITS;
void curve448_scalar_add(curve448_scalar_t out, const curve448_scalar_t a,
const curve448_scalar_t b)
{
- decaf_dword_t chain = 0;
+ c448_dword_t chain = 0;
unsigned int i;
- for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + b->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
{
unsigned int i, j, k = 0;
- for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
- decaf_word_t out = 0;
+ for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ c448_word_t out = 0;
- for (j = 0; j < sizeof(decaf_word_t) && k < nbytes; j++, k++)
- out |= ((decaf_word_t) ser[k]) << (8 * j);
+ for (j = 0; j < sizeof(c448_word_t) && k < nbytes; j++, k++)
+ out |= ((c448_word_t) ser[k]) << (8 * j);
s->limb[i] = out;
}
}
-decaf_error_t curve448_scalar_decode(
+c448_error_t curve448_scalar_decode(
curve448_scalar_t s,
- const unsigned char ser[DECAF_448_SCALAR_BYTES])
+ const unsigned char ser[C448_448_SCALAR_BYTES])
{
unsigned int i;
- decaf_dsword_t accum = 0;
+ c448_dsword_t accum = 0;
- scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES);
- for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++)
+ scalar_decode_short(s, ser, C448_448_SCALAR_BYTES);
+ for (i = 0; i < C448_448_SCALAR_LIMBS; i++)
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
/* Here accum == 0 or -1 */
curve448_scalar_mul(s, s, curve448_scalar_one); /* ham-handed reduce */
- return decaf_succeed_if(~word_is_zero(accum));
+ return c448_succeed_if(~word_is_zero(accum));
}
void curve448_scalar_destroy(curve448_scalar_t scalar)
return;
}
- i = ser_len - (ser_len % DECAF_448_SCALAR_BYTES);
+ i = ser_len - (ser_len % C448_448_SCALAR_BYTES);
if (i == ser_len)
- i -= DECAF_448_SCALAR_BYTES;
+ i -= C448_448_SCALAR_BYTES;
scalar_decode_short(t1, &ser[i], ser_len - i);
}
while (i) {
- i -= DECAF_448_SCALAR_BYTES;
+ i -= C448_448_SCALAR_BYTES;
sc_montmul(t1, t1, sc_r2);
ignore_result(curve448_scalar_decode(t2, ser + i));
curve448_scalar_add(t1, t1, t2);
curve448_scalar_destroy(t2);
}
-void curve448_scalar_encode(unsigned char ser[DECAF_448_SCALAR_BYTES],
+void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES],
const curve448_scalar_t s)
{
unsigned int i, j, k = 0;
- for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
- for (j = 0; j < sizeof(decaf_word_t); j++, k++)
+ for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
+ for (j = 0; j < sizeof(c448_word_t); j++, k++)
ser[k] = s->limb[i] >> (8 * j);
}
}
void curve448_scalar_halve(curve448_scalar_t out, const curve448_scalar_t a)
{
- decaf_word_t mask = -(a->limb[0] & 1);
- decaf_dword_t chain = 0;
+ c448_word_t mask = -(a->limb[0] & 1);
+ c448_dword_t chain = 0;
unsigned int i;
- for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
+ for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
out->limb[i] = chain;
- chain >>= DECAF_WORD_BITS;
+ chain >>= C448_WORD_BITS;
}
- for (i = 0; i < DECAF_448_SCALAR_LIMBS - 1; i++)
+ for (i = 0; i < C448_448_SCALAR_LIMBS - 1; i++)
out->limb[i] = out->limb[i] >> 1 | out->limb[i + 1] << (WBITS - 1);
out->limb[i] = out->limb[i] >> 1 | chain << (WBITS - 1);
}
typedef int32_t sword_t;
typedef int64_t dsword_t;
# else
-# error "For now, libdecaf only supports 32- and 64-bit architectures."
+# error "For now, we only support 32- and 64-bit architectures."
# endif
/*
* Scalar limbs are keyed off of the API word size instead of the arch word
* size.
*/
-# if DECAF_WORD_BITS == 64
+# if C448_WORD_BITS == 64
# define SC_LIMB(x) (x)
-# elif DECAF_WORD_BITS == 32
+# elif C448_WORD_BITS == 32
# define SC_LIMB(x) ((uint32_t)x),(x>>32)
# else
-# error "For now, libdecaf only supports 32- and 64-bit architectures."
+# error "For now we only support 32- and 64-bit architectures."
# endif
# ifdef __ARM_NEON__
# endif
/*
- * The plan on booleans: The external interface uses decaf_bool_t, but this
+ * The plan on booleans: The external interface uses c448_bool_t, but this
* might be a different size than our particular arch's word_t (and thus
* mask_t). Also, the caller isn't guaranteed to pass it as nonzero. So
* bool_to_mask converts word sizes and checks nonzero. On the flip side,
* mask_t is always -1 or 0, but it might be a different size than
- * decaf_bool_t. On the third hand, we have success vs boolean types, but
- * that's handled in common.h: it converts between decaf_bool_t and
- * decaf_error_t.
+ * c448_bool_t. On the third hand, we have success vs boolean types, but
+ * that's handled in common.h: it converts between c448_bool_t and
+ * c448_error_t.
*/
-static ossl_inline decaf_bool_t mask_to_bool(mask_t m)
+static ossl_inline c448_bool_t mask_to_bool(mask_t m)
{
- return (decaf_sword_t)(sword_t)m;
+ return (c448_sword_t)(sword_t)m;
}
-static ossl_inline mask_t bool_to_mask(decaf_bool_t m)
+static ossl_inline mask_t bool_to_mask(c448_bool_t m)
{
/* On most arches this will be optimized to a simple cast. */
mask_t ret = 0;
unsigned int i;
- unsigned int limit = sizeof(decaf_bool_t) / sizeof(mask_t);
+ unsigned int limit = sizeof(c448_bool_t) / sizeof(mask_t);
if (limit < 1)
limit = 1;
return ret;
}
-static ossl_inline void ignore_result(decaf_bool_t boo)
+static ossl_inline void ignore_result(c448_bool_t boo)
{
(void)boo;
}
projects / oweals / openssl.git / commitdiff