#include "curve448_lcl.h"
/* Template stuff */
-#define API_NS(_id) decaf_448_##_id
#define SCALAR_BITS DECAF_448_SCALAR_BITS
#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
-#define scalar_t API_NS(scalar_t)
-#define point_t API_NS(point_t)
-#define precomputed_s API_NS(precomputed_s)
+#define scalar_t curve448_scalar_t
+#define point_t curve448_point_t
+#define precomputed_s curve448_precomputed_s
#define COFACTOR 4
/* Comb config: number of combs, n, t, s. */
/* Precomputed base */
struct precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };
-extern const gf API_NS(precomputed_base_as_fe)[];
-const precomputed_s *API_NS(precomputed_base) =
- (const precomputed_s *) &API_NS(precomputed_base_as_fe);
+extern const gf curve448_precomputed_base_as_fe[];
+const precomputed_s *curve448_precomputed_base =
+ (const precomputed_s *) &curve448_precomputed_base_as_fe;
/** Inverse. */
static void
}
/** identity = (0,1) */
-const point_t API_NS(point_identity) = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
+const point_t curve448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
static DECAF_NOINLINE void
point_double_internal (
if (!before_double) gf_mul ( p->t, b, d );
}
-void API_NS(point_double)(point_t p, const point_t q) {
+void curve448_point_double(point_t p, const point_t q) {
point_double_internal(p,q,0);
}
sub_niels_from_pt( p, pn->n, before_double );
}
-decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
+decaf_bool_t curve448_point_eq ( const point_t p, const point_t q ) {
/* equality mod 2-torsion compares x/y */
gf a, b;
gf_mul ( a, p->y, q->x );
return mask_to_bool(succ);
}
-decaf_bool_t API_NS(point_valid) (
+decaf_bool_t curve448_point_valid (
const point_t p
) {
gf a,b,c;
constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx);
}
-void API_NS(precomputed_scalarmul) (
+void curve448_precomputed_scalarmul (
point_t out,
const precomputed_s *table,
const scalar_t scalar
const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
scalar_t scalar1x;
- API_NS(scalar_add)(scalar1x, scalar, precomputed_scalarmul_adjustment);
- API_NS(scalar_halve)(scalar1x,scalar1x);
+ curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment);
+ curve448_scalar_halve(scalar1x,scalar1x);
niels_t ni;
OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
}
-void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
+void curve448_point_mul_by_ratio_and_encode_like_eddsa (
uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
const point_t p
) {
/* The point is now on the twisted curve. Move it to untwisted. */
gf x, y, z, t;
point_t q;
- API_NS(point_copy)(q,p);
+ curve448_point_copy(q,p);
{
/* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
OPENSSL_cleanse(y,sizeof(y));
OPENSSL_cleanse(z,sizeof(z));
OPENSSL_cleanse(t,sizeof(t));
- API_NS(point_destroy)(q);
+ curve448_point_destroy(q);
}
-decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
+decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio (
point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
) {
}
OPENSSL_cleanse(enc2,sizeof(enc2));
- assert(API_NS(point_valid)(p) || ~succ);
+ assert(curve448_point_valid(p) || ~succ);
return decaf_succeed_if(mask_to_bool(succ));
}
}
}
-void API_NS(point_mul_by_ratio_and_encode_like_x448) (
+void curve448_point_mul_by_ratio_and_encode_like_x448 (
uint8_t out[X_PUBLIC_BYTES],
const point_t p
) {
point_t q;
- API_NS(point_copy)(q,p);
+ curve448_point_copy(q,p);
gf_invert(q->t,q->x,0); /* 1/x */
gf_mul(q->z,q->t,q->y); /* y/x */
gf_sqr(q->y,q->z); /* (y/x)^2 */
gf_serialize(out,q->y,1);
- API_NS(point_destroy(q));
+ curve448_point_destroy(q);
}
void decaf_x448_derive_public_key (
scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8);
scalar_t the_scalar;
- API_NS(scalar_decode_long)(the_scalar,scalar2,sizeof(scalar2));
+ curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2));
/* Compensate for the encoding ratio */
for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
- API_NS(scalar_halve)(the_scalar,the_scalar);
+ curve448_scalar_halve(the_scalar,the_scalar);
}
point_t p;
- API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),the_scalar);
- API_NS(point_mul_by_ratio_and_encode_like_x448)(out,p);
- API_NS(point_destroy)(p);
+ curve448_precomputed_scalarmul(p,curve448_precomputed_base,the_scalar);
+ curve448_point_mul_by_ratio_and_encode_like_x448(out,p);
+ curve448_point_destroy(p);
}
/**
if (tbits == 0) return;
- API_NS(point_double)(tmp,working);
+ curve448_point_double(tmp,working);
pniels_t twop;
pt_to_pniels(twop, tmp);
pt_to_pniels(output[i], tmp);
}
- API_NS(point_destroy)(tmp);
+ curve448_point_destroy(tmp);
OPENSSL_cleanse(twop,sizeof(twop));
}
-extern const gf API_NS(precomputed_wnaf_as_fe)[];
-static const niels_t *API_NS(wnaf_base) = (const niels_t *)API_NS(precomputed_wnaf_as_fe);
+extern const gf curve448_precomputed_wnaf_as_fe[];
+static const niels_t *curve448_wnaf_base = (const niels_t *)curve448_precomputed_wnaf_as_fe;
-void API_NS(base_double_scalarmul_non_secret) (
+void curve448_base_double_scalarmul_non_secret (
point_t combo,
const scalar_t scalar1,
const point_t base2,
int contp=0, contv=0, i = control_var[0].power;
if (i < 0) {
- API_NS(point_copy)(combo, API_NS(point_identity));
+ curve448_point_copy(combo, curve448_point_identity);
return;
} else if (i > control_pre[0].power) {
pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);
contv++;
} else if (i == control_pre[0].power && i >=0 ) {
pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);
- add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1], i);
+ add_niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1], i);
contv++; contp++;
} else {
i = control_pre[0].power;
- niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1]);
+ niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1]);
contp++;
}
assert(control_pre[contp].addend);
if (control_pre[contp].addend > 0) {
- add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[contp].addend >> 1], i);
+ add_niels_to_pt(combo, curve448_wnaf_base[control_pre[contp].addend >> 1], i);
} else {
- sub_niels_from_pt(combo, API_NS(wnaf_base)[(-control_pre[contp].addend) >> 1], i);
+ sub_niels_from_pt(combo, curve448_wnaf_base[(-control_pre[contp].addend) >> 1], i);
}
contp++;
}
assert(contp == ncb_pre); (void)ncb_pre;
}
-void API_NS(point_destroy) (
+void curve448_point_destroy (
point_t point
) {
OPENSSL_cleanse(point, sizeof(point_t));
#include "point_448.h"
-#define API_NS(_id) decaf_448_##_id
-const gf API_NS(precomputed_base_as_fe)[240]
+const gf curve448_precomputed_base_as_fe[240]
VECTOR_ALIGNED __attribute__((visibility("hidden"))) = {
{FIELD_LITERAL(0x00cc3b062366f4cc,0x003d6e34e314aa3c,0x00d51c0a7521774d,0x0094e060eec6ab8b,0x00d21291b4d80082,0x00befed12b55ef1e,0x00c3dd2df5c94518,0x00e0a7b112b8d4e6)},
{FIELD_LITERAL(0x0019eb5608d8723a,0x00d1bab52fb3aedb,0x00270a7311ebc90c,0x0037c12b91be7f13,0x005be16cd8b5c704,0x003e181acda888e1,0x00bc1f00fc3fc6d0,0x00d3839bfa319e20)},
{FIELD_LITERAL(0x004a2902926f8d3f,0x00ad79b42637ab75,0x0088f60b90f2d4e8,0x0030f54ef0e398c4,0x00021dc9bf99681e,0x007ebf66fde74ee3,0x004ade654386e9a4,0x00e7485066be4c27)},
{FIELD_LITERAL(0x00445f1263983be0,0x004cf371dda45e6a,0x00744a89d5a310e7,0x001f20ce4f904833,0x00e746edebe66e29,0x000912ab1f6c153d,0x00f61d77d9b2444c,0x0001499cd6647610)}
};
-const gf API_NS(precomputed_wnaf_as_fe)[96]
+const gf curve448_precomputed_wnaf_as_fe[96]
VECTOR_ALIGNED __attribute__((visibility("hidden"))) = {
{FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x00e822938a0a0c0c,0x00263a61c9ea9216,0x001204029321b828,0x006a468360983c65,0x0002846f0a782143)},
{FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x006822938a0a0c0c,0x00263a61c9ea9215,0x001204029321b828,0x006a468360983c65,0x0082846f0a782143)},
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
-void decaf_448_point_mul_by_ratio_and_encode_like_eddsa (
+void curve448_point_mul_by_ratio_and_encode_like_eddsa (
uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
- const decaf_448_point_t p
+ const curve448_point_t p
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @brief EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO,
* and ignores cofactor information.
*
- * See notes on decaf_448_point_mul_by_ratio_and_encode_like_eddsa
+ * See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa
*
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
-decaf_error_t decaf_448_point_decode_like_eddsa_and_mul_by_ratio (
- decaf_448_point_t p,
+decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio (
+ curve448_point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
#include <string.h>
#define API_NAME "decaf_448"
-#define API_NS(_id) decaf_448_##_id
#define hash_ctx_t decaf_shake256_ctx_t
#define hash_init decaf_shake256_init
);
clamp(secret_scalar_ser);
- API_NS(scalar_t) secret_scalar;
- API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
+ curve448_scalar_t secret_scalar;
+ curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
/* Since we are going to mul_by_cofactor during encoding, divide by it here.
* However, the EdDSA base point is not the same as the decaf base point if
* picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1.
*/
for (unsigned int c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
- API_NS(scalar_halve)(secret_scalar,secret_scalar);
+ curve448_scalar_halve(secret_scalar,secret_scalar);
}
- API_NS(point_t) p;
- API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);
+ curve448_point_t p;
+ curve448_precomputed_scalarmul(p,curve448_precomputed_base,secret_scalar);
- API_NS(point_mul_by_ratio_and_encode_like_eddsa)(pubkey, p);
+ curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
/* Cleanup */
- API_NS(scalar_destroy)(secret_scalar);
- API_NS(point_destroy)(p);
+ curve448_scalar_destroy(secret_scalar);
+ curve448_point_destroy(p);
OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
}
const uint8_t *context,
uint8_t context_len
) {
- API_NS(scalar_t) secret_scalar;
+ curve448_scalar_t secret_scalar;
hash_ctx_t hash;
{
/* Schedule the secret key */
DECAF_EDDSA_448_PRIVATE_BYTES
);
clamp(expanded.secret_scalar_ser);
- API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
+ curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,0,context,context_len);
}
/* Decode the nonce */
- API_NS(scalar_t) nonce_scalar;
+ curve448_scalar_t nonce_scalar;
{
uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,nonce,sizeof(nonce));
- API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
+ curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
OPENSSL_cleanse(nonce, sizeof(nonce));
}
uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
{
/* Scalarmul to create the nonce-point */
- API_NS(scalar_t) nonce_scalar_2;
- API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
+ curve448_scalar_t nonce_scalar_2;
+ curve448_scalar_halve(nonce_scalar_2,nonce_scalar);
for (unsigned int c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
- API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
+ curve448_scalar_halve(nonce_scalar_2,nonce_scalar_2);
}
- API_NS(point_t) p;
- API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
- API_NS(point_mul_by_ratio_and_encode_like_eddsa)(nonce_point, p);
- API_NS(point_destroy)(p);
- API_NS(scalar_destroy)(nonce_scalar_2);
+ curve448_point_t p;
+ curve448_precomputed_scalarmul(p,curve448_precomputed_base,nonce_scalar_2);
+ curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
+ curve448_point_destroy(p);
+ curve448_scalar_destroy(nonce_scalar_2);
}
- API_NS(scalar_t) challenge_scalar;
+ curve448_scalar_t challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,0,context,context_len);
uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
- API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
+ curve448_scalar_decode_long(challenge_scalar,challenge,sizeof(challenge));
OPENSSL_cleanse(challenge,sizeof(challenge));
}
- API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
- API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
+ curve448_scalar_mul(challenge_scalar,challenge_scalar,secret_scalar);
+ curve448_scalar_add(challenge_scalar,challenge_scalar,nonce_scalar);
OPENSSL_cleanse(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);
memcpy(signature,nonce_point,sizeof(nonce_point));
- API_NS(scalar_encode)(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);
+ curve448_scalar_encode(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);
- API_NS(scalar_destroy)(secret_scalar);
- API_NS(scalar_destroy)(nonce_scalar);
- API_NS(scalar_destroy)(challenge_scalar);
+ curve448_scalar_destroy(secret_scalar);
+ curve448_scalar_destroy(nonce_scalar);
+ curve448_scalar_destroy(challenge_scalar);
}
const uint8_t *context,
uint8_t context_len
) {
- API_NS(point_t) pk_point, r_point;
- decaf_error_t error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(pk_point,pubkey);
+ curve448_point_t pk_point, r_point;
+ decaf_error_t error = curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point,pubkey);
if (DECAF_SUCCESS != error) { return error; }
- error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(r_point,signature);
+ error = curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point,signature);
if (DECAF_SUCCESS != error) { return error; }
- API_NS(scalar_t) challenge_scalar;
+ curve448_scalar_t challenge_scalar;
{
/* Compute the challenge */
hash_ctx_t hash;
uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
- API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
+ curve448_scalar_decode_long(challenge_scalar,challenge,sizeof(challenge));
OPENSSL_cleanse(challenge,sizeof(challenge));
}
- API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
+ curve448_scalar_sub(challenge_scalar, curve448_scalar_zero, challenge_scalar);
- API_NS(scalar_t) response_scalar;
- API_NS(scalar_decode_long)(
+ curve448_scalar_t response_scalar;
+ curve448_scalar_decode_long(
response_scalar,
&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
DECAF_EDDSA_448_PRIVATE_BYTES
);
for (unsigned c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) {
- API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
+ curve448_scalar_add(response_scalar,response_scalar,response_scalar);
}
/* pk_point = -c(x(P)) + (cx + k)G = kG */
- API_NS(base_double_scalarmul_non_secret)(
+ curve448_base_double_scalarmul_non_secret(
pk_point,
response_scalar,
pk_point,
challenge_scalar
);
- return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
+ return decaf_succeed_if(curve448_point_eq(pk_point,r_point));
}
#define DECAF_X448_PRIVATE_BYTES 56
/** Twisted Edwards extended homogeneous coordinates */
-typedef struct decaf_448_point_s {
+typedef struct curve448_point_s {
/** @cond internal */
gf_448_t x,y,z,t;
/** @endcond */
-} decaf_448_point_t[1];
+} curve448_point_t[1];
/** Precomputed table based on a point. Can be trivial implementation. */
-struct decaf_448_precomputed_s;
+struct curve448_precomputed_s;
/** Precomputed table based on a point. Can be trivial implementation. */
-typedef struct decaf_448_precomputed_s decaf_448_precomputed_s;
+typedef struct curve448_precomputed_s curve448_precomputed_s;
/** Scalar is stored packed, because we don't need the speed. */
-typedef struct decaf_448_scalar_s {
+typedef struct curve448_scalar_s {
/** @cond internal */
decaf_word_t limb[DECAF_448_SCALAR_LIMBS];
/** @endcond */
-} decaf_448_scalar_t[1];
+} curve448_scalar_t[1];
/** A scalar equal to 1. */
-extern const decaf_448_scalar_t decaf_448_scalar_one DECAF_API_VIS;
+extern const curve448_scalar_t curve448_scalar_one DECAF_API_VIS;
/** A scalar equal to 0. */
-extern const decaf_448_scalar_t decaf_448_scalar_zero DECAF_API_VIS;
+extern const curve448_scalar_t curve448_scalar_zero DECAF_API_VIS;
/** The identity point on the curve. */
-extern const decaf_448_point_t decaf_448_point_identity DECAF_API_VIS;
+extern const curve448_point_t curve448_point_identity DECAF_API_VIS;
/** An arbitrarily chosen base point on the curve. */
-extern const decaf_448_point_t decaf_448_point_base DECAF_API_VIS;
+extern const curve448_point_t curve448_point_base DECAF_API_VIS;
/** Precomputed table for the base point on the curve. */
-extern const struct decaf_448_precomputed_s *decaf_448_precomputed_base DECAF_API_VIS;
+extern const struct curve448_precomputed_s *curve448_precomputed_base DECAF_API_VIS;
/**
* @brief Read a scalar from wire format or from bytes.
* @retval DECAF_FAILURE The scalar was greater than the modulus,
* and has been reduced modulo that modulus.
*/
-decaf_error_t decaf_448_scalar_decode (
- decaf_448_scalar_t out,
+decaf_error_t curve448_scalar_decode (
+ curve448_scalar_t out,
const unsigned char ser[DECAF_448_SCALAR_BYTES]
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
* @param [in] ser_len Length of serialized form.
* @param [out] out Deserialized form.
*/
-void decaf_448_scalar_decode_long (
- decaf_448_scalar_t out,
+void curve448_scalar_decode_long (
+ curve448_scalar_t out,
const unsigned char *ser,
size_t ser_len
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
* @param [out] ser Serialized form of a scalar.
* @param [in] s Deserialized scalar.
*/
-void decaf_448_scalar_encode (
+void curve448_scalar_encode (
unsigned char ser[DECAF_448_SCALAR_BYTES],
- const decaf_448_scalar_t s
+ const curve448_scalar_t s
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE;
/**
* @param [in] b Another scalar.
* @param [out] out a+b.
*/
-void decaf_448_scalar_add (
- decaf_448_scalar_t out,
- const decaf_448_scalar_t a,
- const decaf_448_scalar_t b
+void curve448_scalar_add (
+ curve448_scalar_t out,
+ const curve448_scalar_t a,
+ const curve448_scalar_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @retval DECAF_TRUE The scalars are equal.
* @retval DECAF_FALSE The scalars are not equal.
*/
-decaf_bool_t decaf_448_scalar_eq (
- const decaf_448_scalar_t a,
- const decaf_448_scalar_t b
+decaf_bool_t curve448_scalar_eq (
+ const curve448_scalar_t a,
+ const curve448_scalar_t b
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
/**
* @param [in] b Another scalar.
* @param [out] out a-b.
*/
-void decaf_448_scalar_sub (
- decaf_448_scalar_t out,
- const decaf_448_scalar_t a,
- const decaf_448_scalar_t b
+void curve448_scalar_sub (
+ curve448_scalar_t out,
+ const curve448_scalar_t a,
+ const curve448_scalar_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @param [in] b Another scalar.
* @param [out] out a*b.
*/
-void decaf_448_scalar_mul (
- decaf_448_scalar_t out,
- const decaf_448_scalar_t a,
- const decaf_448_scalar_t b
+void curve448_scalar_mul (
+ curve448_scalar_t out,
+ const curve448_scalar_t a,
+ const curve448_scalar_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @param [in] a A scalar.
* @param [out] out a/2.
*/
-void decaf_448_scalar_halve (
- decaf_448_scalar_t out,
- const decaf_448_scalar_t a
+void curve448_scalar_halve (
+ curve448_scalar_t out,
+ const curve448_scalar_t a
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @param [out] out 1/a.
* @return DECAF_SUCCESS The input is nonzero.
*/
-decaf_error_t decaf_448_scalar_invert (
- decaf_448_scalar_t out,
- const decaf_448_scalar_t a
+decaf_error_t curve448_scalar_invert (
+ curve448_scalar_t out,
+ const curve448_scalar_t a
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
/**
* @param [in] a A scalar.
* @param [out] out Will become a copy of a.
*/
-static inline void DECAF_NONNULL decaf_448_scalar_copy (
- decaf_448_scalar_t out,
- const decaf_448_scalar_t a
+static inline void DECAF_NONNULL curve448_scalar_copy (
+ curve448_scalar_t out,
+ const curve448_scalar_t a
) {
*out = *a;
}
* @param [in] a An integer.
* @param [out] out Will become equal to a.
*/
-void decaf_448_scalar_set_unsigned (
- decaf_448_scalar_t out,
+void curve448_scalar_set_unsigned (
+ curve448_scalar_t out,
uint64_t a
) DECAF_API_VIS DECAF_NONNULL;
* @param [out] a A copy of the point.
* @param [in] b Any point.
*/
-static inline void DECAF_NONNULL decaf_448_point_copy (
- decaf_448_point_t a,
- const decaf_448_point_t b
+static inline void DECAF_NONNULL curve448_point_copy (
+ curve448_point_t a,
+ const curve448_point_t b
) {
*a=*b;
}
* @retval DECAF_TRUE The points are equal.
* @retval DECAF_FALSE The points are not equal.
*/
-decaf_bool_t decaf_448_point_eq (
- const decaf_448_point_t a,
- const decaf_448_point_t b
+decaf_bool_t curve448_point_eq (
+ const curve448_point_t a,
+ const curve448_point_t b
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
/**
* @brief Double a point. Equivalent to
- * decaf_448_point_add(two_a,a,a), but potentially faster.
+ * curve448_point_add(two_a,a,a), but potentially faster.
*
* @param [out] two_a The sum a+a.
* @param [in] a A point.
*/
-void decaf_448_point_double (
- decaf_448_point_t two_a,
- const decaf_448_point_t a
+void curve448_point_double (
+ curve448_point_t two_a,
+ const curve448_point_t a
) DECAF_API_VIS DECAF_NONNULL;
/**
* @param [out] out The scaled and encoded point.
* @param [in] p The point to be scaled and encoded.
*/
-void decaf_448_point_mul_by_ratio_and_encode_like_x448 (
+void curve448_point_mul_by_ratio_and_encode_like_x448 (
uint8_t out[DECAF_X448_PUBLIC_BYTES],
- const decaf_448_point_t p
+ const curve448_point_t p
) DECAF_API_VIS DECAF_NONNULL;
/** The base point for X448 Diffie-Hellman */
const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
-/* FUTURE: uint8_t decaf_448_encode_like_curve448) */
+/* FUTURE: uint8_t curve448_encode_like_curve448) */
/**
* @brief Precompute a table for fast scalar multiplication.
* @param [out] a A precomputed table of multiples of the point.
* @param [in] b Any point.
*/
-void decaf_448_precompute (
- decaf_448_precomputed_s *a,
- const decaf_448_point_t b
+void curve448_precompute (
+ curve448_precomputed_s *a,
+ const curve448_point_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* scaled = scalar*base.
* Some implementations do not include precomputed points; for
* those implementations, this function is the same as
- * decaf_448_point_scalarmul
+ * curve448_point_scalarmul
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*/
-void decaf_448_precomputed_scalarmul (
- decaf_448_point_t scaled,
- const decaf_448_precomputed_s *base,
- const decaf_448_scalar_t scalar
+void curve448_precomputed_scalarmul (
+ curve448_point_t scaled,
+ const curve448_precomputed_s *base,
+ const curve448_scalar_t scalar
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @brief Multiply two base points by two scalars:
- * scaled = scalar1*decaf_448_point_base + scalar2*base2.
+ * scaled = scalar1*curve448_point_base + scalar2*base2.
*
- * Otherwise equivalent to decaf_448_point_double_scalarmul, but may be
+ * Otherwise equivalent to curve448_point_double_scalarmul, but may be
* faster at the expense of being variable time.
*
* @param [out] combo The linear combination scalar1*base + scalar2*base2.
* @warning: This function takes variable time, and may leak the scalars
* used. It is designed for signature verification.
*/
-void decaf_448_base_double_scalarmul_non_secret (
- decaf_448_point_t combo,
- const decaf_448_scalar_t scalar1,
- const decaf_448_point_t base2,
- const decaf_448_scalar_t scalar2
+void curve448_base_double_scalarmul_non_secret (
+ curve448_point_t combo,
+ const curve448_scalar_t scalar1,
+ const curve448_point_t base2,
+ const curve448_scalar_t scalar2
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @param [in] b Any scalar.
* @param [in] pick_b If nonzero, choose scalar b.
*/
-void decaf_448_scalar_cond_sel (
- decaf_448_scalar_t out,
- const decaf_448_scalar_t a,
- const decaf_448_scalar_t b,
+void curve448_scalar_cond_sel (
+ curve448_scalar_t out,
+ const curve448_scalar_t a,
+ const curve448_scalar_t b,
decaf_word_t pick_b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
* @retval DECAF_TRUE The point is valid.
* @retval DECAF_FALSE The point is invalid.
*/
-decaf_bool_t decaf_448_point_valid (
- const decaf_448_point_t to_test
+decaf_bool_t curve448_point_valid (
+ const curve448_point_t to_test
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
*
* Call this function with the output of a hash to make a hash to the curve.
*
- * This function runs Elligator2 on the decaf_448 Jacobi quartic model. It then
+ * This function runs Elligator2 on the curve448 Jacobi quartic model. It then
* uses the isogeny to put the result in twisted Edwards form. As a result,
* it is safe (cannot produce points of order 4), and would be compatible with
* hypothetical other implementations of Decaf using a Montgomery or untwisted
* @param [out] pt The data hashed to the curve.
*/
void
-decaf_448_point_from_hash_nonuniform (
- decaf_448_point_t pt,
+curve448_point_from_hash_nonuniform (
+ curve448_point_t pt,
const unsigned char hashed_data[DECAF_448_HASH_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @brief Indifferentiable hash function encoding to curve.
*
- * Equivalent to calling decaf_448_point_from_hash_nonuniform twice and adding.
+ * Equivalent to calling curve448_point_from_hash_nonuniform twice and adding.
*
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The data hashed to the curve.
*/
-void decaf_448_point_from_hash_uniform (
- decaf_448_point_t pt,
+void curve448_point_from_hash_uniform (
+ curve448_point_t pt,
const unsigned char hashed_data[2*DECAF_448_HASH_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
- * decaf_448_point_from_hash_nonuniform(buffer) = pt if
+ * curve448_point_from_hash_nonuniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
-decaf_448_invert_elligator_nonuniform (
+curve448_invert_elligator_nonuniform (
unsigned char recovered_hash[DECAF_448_HASH_BYTES],
- const decaf_448_point_t pt,
+ const curve448_point_t pt,
uint32_t which
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
- * decaf_448_point_from_hash_uniform(buffer) = pt if
+ * curve448_point_from_hash_uniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
-decaf_448_invert_elligator_uniform (
+curve448_invert_elligator_uniform (
unsigned char recovered_hash[2*DECAF_448_HASH_BYTES],
- const decaf_448_point_t pt,
+ const curve448_point_t pt,
uint32_t which
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
/**
* @brief Overwrite scalar with zeros.
*/
-void decaf_448_scalar_destroy (
- decaf_448_scalar_t scalar
+void curve448_scalar_destroy (
+ curve448_scalar_t scalar
) DECAF_NONNULL DECAF_API_VIS;
/**
* @brief Overwrite point with zeros.
*/
-void decaf_448_point_destroy (
- decaf_448_point_t point
+void curve448_point_destroy (
+ curve448_point_t point
) DECAF_NONNULL DECAF_API_VIS;
#ifdef __cplusplus
#include "point_448.h"
/* Template stuff */
-#define API_NS(_id) decaf_448_##_id
#define SCALAR_BITS DECAF_448_SCALAR_BITS
#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
-#define scalar_t API_NS(scalar_t)
+#define scalar_t curve448_scalar_t
static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull;
static const scalar_t sc_p = {{{
#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
-const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};
+const scalar_t curve448_scalar_one = {{{1}}}, curve448_scalar_zero = {{{0}}};
/** {extra,accum} - sub +? p
* Must have extra <= 1
sc_subx(out, accum, sc_p, sc_p, hi_carry);
}
-void API_NS(scalar_mul) (
+void curve448_scalar_mul (
scalar_t out,
const scalar_t a,
const scalar_t b
sc_montmul(out,out,sc_r2);
}
-void API_NS(scalar_sub) (
+void curve448_scalar_sub (
scalar_t out,
const scalar_t a,
const scalar_t b
sc_subx(out, a->limb, b, sc_p, 0);
}
-void API_NS(scalar_add) (
+void curve448_scalar_add (
scalar_t out,
const scalar_t a,
const scalar_t b
}
}
-decaf_error_t API_NS(scalar_decode)(
+decaf_error_t curve448_scalar_decode(
scalar_t s,
const unsigned char ser[SCALAR_SER_BYTES]
) {
}
/* Here accum == 0 or -1 */
- API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */
+ curve448_scalar_mul(s,s,curve448_scalar_one); /* ham-handed reduce */
return decaf_succeed_if(~word_is_zero(accum));
}
-void API_NS(scalar_destroy) (
+void curve448_scalar_destroy (
scalar_t scalar
) {
OPENSSL_cleanse(scalar, sizeof(scalar_t));
}
-void API_NS(scalar_decode_long)(
+void curve448_scalar_decode_long(
scalar_t s,
const unsigned char *ser,
size_t ser_len
) {
if (ser_len == 0) {
- API_NS(scalar_copy)(s, API_NS(scalar_zero));
+ curve448_scalar_copy(s, curve448_scalar_zero);
return;
}
if (ser_len == sizeof(scalar_t)) {
assert(i==0);
/* ham-handed reduce */
- API_NS(scalar_mul)(s,t1,API_NS(scalar_one));
- API_NS(scalar_destroy)(t1);
+ curve448_scalar_mul(s,t1,curve448_scalar_one);
+ curve448_scalar_destroy(t1);
return;
}
while (i) {
i -= SCALAR_SER_BYTES;
sc_montmul(t1,t1,sc_r2);
- ignore_result( API_NS(scalar_decode)(t2, ser+i) );
- API_NS(scalar_add)(t1, t1, t2);
+ ignore_result( curve448_scalar_decode(t2, ser+i) );
+ curve448_scalar_add(t1, t1, t2);
}
- API_NS(scalar_copy)(s, t1);
- API_NS(scalar_destroy)(t1);
- API_NS(scalar_destroy)(t2);
+ curve448_scalar_copy(s, t1);
+ curve448_scalar_destroy(t1);
+ curve448_scalar_destroy(t2);
}
-void API_NS(scalar_encode)(
+void curve448_scalar_encode(
unsigned char ser[SCALAR_SER_BYTES],
const scalar_t s
) {
}
}
-void API_NS(scalar_halve) (
+void curve448_scalar_halve (
scalar_t out,
const scalar_t a
) {
projects / oweals / openssl.git / commitdiff