From: Matt Caswell Date: Wed, 15 Nov 2017 16:15:18 +0000 (+0000) Subject: Remove some unneeded files and further flatten the curve 448 structure X-Git-Tag: OpenSSL_1_1_1-pre2~125 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=a2039c87f5923b10f148dea8fb725df03b90011b;p=oweals%2Fopenssl.git Remove some unneeded files and further flatten the curve 448 structure Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/5105)
---
diff --git a/crypto/ec/curve448/decaf.c b/crypto/ec/curve448/decaf.c
index 3fdc491db6..9f01454b40 100644
--- a/crypto/ec/curve448/decaf.c
+++ b/crypto/ec/curve448/decaf.c
@@ -15,8 +15,8 @@
 #include "word.h"
 #include "field.h"
-#include
-#include
+#include "point_448.h"
+#include "ed448.h"
 /* Template stuff */
 #define API_NS(_id) decaf_448_##_id
diff --git a/crypto/ec/curve448/decaf.h b/crypto/ec/curve448/decaf.h
deleted file mode 100644
index d3cb60ce3d..0000000000
--- a/crypto/ec/curve448/decaf.h
+++ /dev/null
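Review bot: The two new quoted includes `"point_448.h"` and `"ed448.h"` are the only surviving reference to the curve448 API headers in this chunk, while the deleted `decaf.h` was the one place stating the library's side-channel contract (`The formulas contain no data-dependent branches, timing or memory accesses, except for decaf_XXX_base_double_scalarmul_non_secret`), and that statement is not carried anywhere visible in this commit. Suggest restating it in the header comment of `point_448.h` or `ed448.h`, since callers handling private keys depend on it and the `_non_secret` exception is easy to miss once the master header is gone. The removed lines in this hunk render as bare `-#include`; the bracketed `<decaf/...>` targets are presumably lost in the rendering rather than in the commit. The replacement `ed448.h`/`point_448.h` beside decaf.c are not visible in this chunk, presumably renamed from `decaf/` elsewhere in the commit, so it is worth confirming no other translation unit still includes the old `decaf/` paths. decaf.c continues outside the hunk.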
@@ -1,32 +0,0 @@
-/**
- * @file decaf.h
- * @author Mike Hamburg
- *
- * @copyright
- * Copyright (c) 2015-2016 Cryptography Research, Inc. \n
- * Released under the MIT License. See LICENSE.txt for license information.
- *
- * Master header for Decaf library.
- *
- * The Decaf library implements cryptographic operations on a elliptic curve
- * groups of prime order p. It accomplishes this by using a twisted Edwards
- * curve (isogenous to Ed448-Goldilocks or Ed25519) and wiping out the cofactor.
- *
- * The formulas are all complete and have no special cases. However, some
- * functions can fail. For example, decoding functions can fail because not
- * every string is the encoding of a valid group element.
- *
- * The formulas contain no data-dependent branches, timing or memory accesses,
- * except for decaf_XXX_base_double_scalarmul_non_secret.
- *
- * @warning This file was automatically generated in Python.
- * Please do not edit it.
- */
-
-#ifndef __DECAF_H__
-#define __DECAF_H__ 1
-
-#include
-#include
-
-#endif /* __DECAF_H__ */
diff --git a/crypto/ec/curve448/decaf/ed448.h b/crypto/ec/curve448/decaf/ed448.h
deleted file mode 100644
index eeed619adf..0000000000
--- a/crypto/ec/curve448/decaf/ed448.h
+++ /dev/null
@@ -1,251 +0,0 @@ -/** - * @file decaf/ed448.h - * @author Mike Hamburg - * - * @copyright - * Copyright (c) 2015-2016 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * - * @brief A group of prime order p, based on Ed448-Goldilocks. - * - * @warning This file was automatically generated in Python. - * Please do not edit it. - */ - -#ifndef __DECAF_ED448_H__ -#define __DECAF_ED448_H__ 1 - -#include -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** Number of bytes in an EdDSA public key. */ -#define DECAF_EDDSA_448_PUBLIC_BYTES 57 - -/** Number of bytes in an EdDSA private key. */ -#define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES - -/** Number of bytes in an EdDSA private key. */ -#define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES) - -/** Does EdDSA support non-contextual signatures? */ -#define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0 - -/** Prehash context renaming macros. */ -#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s -#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t -#define decaf_ed448_prehash_update decaf_shake256_update -#define decaf_ed448_prehash_destroy decaf_shake256_destroy - -/** EdDSA encoding ratio. */ -#define DECAF_448_EDDSA_ENCODE_RATIO 4 - -/** EdDSA decoding ratio. */ -#define DECAF_448_EDDSA_DECODE_RATIO (4 / 4) - -/** - * @brief EdDSA key generation. This function uses a different (non-Decaf) - * encoding. - * - * @param [out] pubkey The public key. - * @param [in] privkey The private key. - */ -void decaf_ed448_derive_public_key ( - uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief EdDSA signing. - * - * @param [out] signature The signature. - * @param [in] privkey The private key. - * @param [in] pubkey The public key. 
- * @param [in] message The message to sign. - * @param [in] message_len The length of the message. - * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign. - * @param [in] context A "context" for this signature of up to 255 bytes. - * @param [in] context_len Length of the context. - * - * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed - * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is - * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives - * you no seat belt. - */ -void decaf_ed448_sign ( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, - size_t message_len, - uint8_t prehashed, - const uint8_t *context, - uint8_t context_len -) DECAF_API_VIS __attribute__((nonnull(1,2,3))) DECAF_NOINLINE; - -/** - * @brief EdDSA signing with prehash. - * - * @param [out] signature The signature. - * @param [in] privkey The private key. - * @param [in] pubkey The public key. - * @param [in] hash The hash of the message. This object will not be modified by the call. - * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. - * @param [in] context_len Length of the context. - * - * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed - * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is - * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives - * you no seat belt. 
- */ -void decaf_ed448_sign_prehash ( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const decaf_ed448_prehash_ctx_t hash, - const uint8_t *context, - uint8_t context_len -) DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE; - -/** - * @brief Prehash initialization, with contexts if supported. - * - * @param [out] hash The hash object to be initialized. - */ -void decaf_ed448_prehash_init ( - decaf_ed448_prehash_ctx_t hash -) DECAF_API_VIS __attribute__((nonnull(1))) DECAF_NOINLINE; - -/** - * @brief EdDSA signature verification. - * - * Uses the standard (i.e. less-strict) verification formula. - * - * @param [in] signature The signature. - * @param [in] pubkey The public key. - * @param [in] message The message to verify. - * @param [in] message_len The length of the message. - * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify. - * @param [in] context A "context" for this signature of up to 255 bytes. - * @param [in] context_len Length of the context. - * - * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed - * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is - * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives - * you no seat belt. - */ -decaf_error_t decaf_ed448_verify ( - const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, - size_t message_len, - uint8_t prehashed, - const uint8_t *context, - uint8_t context_len -) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE; - -/** - * @brief EdDSA signature verification. - * - * Uses the standard (i.e. less-strict) verification formula. - * - * @param [in] signature The signature. - * @param [in] pubkey The public key. 
- * @param [in] hash The hash of the message. This object will not be modified by the call. - * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. - * @param [in] context_len Length of the context. - * - * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed - * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is - * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives - * you no seat belt. - */ -decaf_error_t decaf_ed448_verify_prehash ( - const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const decaf_ed448_prehash_ctx_t hash, - const uint8_t *context, - uint8_t context_len -) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE; - -/** - * @brief EdDSA point encoding. Used internally, exposed externally. - * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first. - * - * The multiplication is required because the EdDSA encoding represents - * the cofactor information, but the Decaf encoding ignores it (which - * is the whole point). So if you decode from EdDSA and re-encode to - * EdDSA, the cofactor info must get cleared, because the intermediate - * representation doesn't track it. - * - * The way libdecaf handles this is to multiply by - * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by - * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these - * ratios is always exactly the cofactor 4, so the cofactor - * ends up cleared one way or another. But exactly how that shakes - * out depends on the base points specified in RFC 8032. - * - * The upshot is that if you pass the Decaf/Ristretto base point to - * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the - * EdDSA base point. - * - * @param [out] enc The encoded point. - * @param [in] p The point. 
- */ -void decaf_448_point_mul_by_ratio_and_encode_like_eddsa ( - uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES], - const decaf_448_point_t p -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO, - * and ignores cofactor information. - * - * See notes on decaf_448_point_mul_by_ratio_and_encode_like_eddsa - * - * @param [out] enc The encoded point. - * @param [in] p The point. - */ -decaf_error_t decaf_448_point_decode_like_eddsa_and_mul_by_ratio ( - decaf_448_point_t p, - const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief EdDSA to ECDH public key conversion - * Deserialize the point to get y on Edwards curve, - * Convert it to u coordinate on Montgomery curve. - * - * @warning This function does not check that the public key being converted - * is a valid EdDSA public key (FUTURE?) - * - * @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve) - * @param[in] ed The EdDSA public key(point on Edwards curve) - */ -void decaf_ed448_convert_public_key_to_x448 ( - uint8_t x[DECAF_X448_PUBLIC_BYTES], - const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief EdDSA to ECDH private key conversion - * Using the appropriate hash function, hash the EdDSA private key - * and keep only the lower bytes to get the ECDH private key - * - * @param[out] x The ECDH private key as in RFC7748 - * @param[in] ed The EdDSA private key - */ -void decaf_ed448_convert_private_key_to_x448 ( - uint8_t x[DECAF_X448_PRIVATE_BYTES], - const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -#ifdef __cplusplus -} /* extern "C" */ -#endif - -#endif /* __DECAF_ED448_H__ */ diff --git a/crypto/ec/curve448/decaf/point_255.h b/crypto/ec/curve448/decaf/point_255.h deleted file mode 100644 index 94e30a5b89..0000000000 
--- a/crypto/ec/curve448/decaf/point_255.h
+++ /dev/null
@@ -1,765 +0,0 @@ -/** - * @file decaf/point_255.h - * @author Mike Hamburg - * - * @copyright - * Copyright (c) 2015-2016 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * - * @brief A group of prime order p, based on Curve25519. - * - * @warning This file was automatically generated in Python. - * Please do not edit it. - */ - -#ifndef __DECAF_POINT_255_H__ -#define __DECAF_POINT_255_H__ 1 - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond internal */ -#define DECAF_255_SCALAR_LIMBS ((253-1)/DECAF_WORD_BITS+1) -/** @endcond */ - -/** The number of bits in a scalar */ -#define DECAF_255_SCALAR_BITS 253 - -/** @cond internal */ -#ifndef __DECAF_25519_GF_DEFINED__ -#define __DECAF_25519_GF_DEFINED__ 1 -/** @brief Galois field element internal structure */ -typedef struct gf_25519_s { - decaf_word_t limb[320/DECAF_WORD_BITS]; -} __attribute__((aligned(32))) gf_25519_s, gf_25519_t[1]; -#endif /* __DECAF_25519_GF_DEFINED__ */ -/** @endcond */ - -/** Number of bytes in a serialized point. */ -#define DECAF_255_SER_BYTES 32 - -/** Number of bytes in an elligated point. For now set the same as SER_BYTES - * but could be different for other curves. - */ -#define DECAF_255_HASH_BYTES 32 - -/** Number of bytes in a serialized scalar. */ -#define DECAF_255_SCALAR_BYTES 32 - -/** Number of bits in the "which" field of an elligator inverse */ -#define DECAF_255_INVERT_ELLIGATOR_WHICH_BITS 5 - -/** The cofactor the curve would have, if we hadn't removed it */ -#define DECAF_255_REMOVED_COFACTOR 8 - -/** X25519 encoding ratio. 
*/ -#define DECAF_X25519_ENCODE_RATIO 4 - -/** Number of bytes in an x25519 public key */ -#define DECAF_X25519_PUBLIC_BYTES 32 - -/** Number of bytes in an x25519 private key */ -#define DECAF_X25519_PRIVATE_BYTES 32 - -/** Twisted Edwards extended homogeneous coordinates */ -typedef struct decaf_255_point_s { - /** @cond internal */ - gf_25519_t x,y,z,t; - /** @endcond */ -} decaf_255_point_t[1]; - -/** Precomputed table based on a point. Can be trivial implementation. */ -struct decaf_255_precomputed_s; - -/** Precomputed table based on a point. Can be trivial implementation. */ -typedef struct decaf_255_precomputed_s decaf_255_precomputed_s; - -/** Size and alignment of precomputed point tables. */ -extern const size_t decaf_255_sizeof_precomputed_s DECAF_API_VIS, decaf_255_alignof_precomputed_s DECAF_API_VIS; - -/** Scalar is stored packed, because we don't need the speed. */ -typedef struct decaf_255_scalar_s { - /** @cond internal */ - decaf_word_t limb[DECAF_255_SCALAR_LIMBS]; - /** @endcond */ -} decaf_255_scalar_t[1]; - -/** A scalar equal to 1. */ -extern const decaf_255_scalar_t decaf_255_scalar_one DECAF_API_VIS; - -/** A scalar equal to 0. */ -extern const decaf_255_scalar_t decaf_255_scalar_zero DECAF_API_VIS; - -/** The identity point on the curve. */ -extern const decaf_255_point_t decaf_255_point_identity DECAF_API_VIS; - -/** An arbitrarily chosen base point on the curve. */ -extern const decaf_255_point_t decaf_255_point_base DECAF_API_VIS; - -/** Precomputed table for the base point on the curve. */ -extern const struct decaf_255_precomputed_s *decaf_255_precomputed_base DECAF_API_VIS; - -/** - * @brief Read a scalar from wire format or from bytes. - * - * @param [in] ser Serialized form of a scalar. - * @param [out] out Deserialized form. - * - * @retval DECAF_SUCCESS The scalar was correctly encoded. - * @retval DECAF_FAILURE The scalar was greater than the modulus, - * and has been reduced modulo that modulus. 
- */ -decaf_error_t decaf_255_scalar_decode ( - decaf_255_scalar_t out, - const unsigned char ser[DECAF_255_SCALAR_BYTES] -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Read a scalar from wire format or from bytes. Reduces mod - * scalar prime. - * - * @param [in] ser Serialized form of a scalar. - * @param [in] ser_len Length of serialized form. - * @param [out] out Deserialized form. - */ -void decaf_255_scalar_decode_long ( - decaf_255_scalar_t out, - const unsigned char *ser, - size_t ser_len -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Serialize a scalar to wire format. - * - * @param [out] ser Serialized form of a scalar. - * @param [in] s Deserialized scalar. - */ -void decaf_255_scalar_encode ( - unsigned char ser[DECAF_255_SCALAR_BYTES], - const decaf_255_scalar_t s -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE; - -/** - * @brief Add two scalars. The scalars may use the same memory. - * @param [in] a One scalar. - * @param [in] b Another scalar. - * @param [out] out a+b. - */ -void decaf_255_scalar_add ( - decaf_255_scalar_t out, - const decaf_255_scalar_t a, - const decaf_255_scalar_t b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Compare two scalars. - * @param [in] a One scalar. - * @param [in] b Another scalar. - * @retval DECAF_TRUE The scalars are equal. - * @retval DECAF_FALSE The scalars are not equal. - */ -decaf_bool_t decaf_255_scalar_eq ( - const decaf_255_scalar_t a, - const decaf_255_scalar_t b -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Subtract two scalars. The scalars may use the same memory. - * @param [in] a One scalar. - * @param [in] b Another scalar. - * @param [out] out a-b. - */ -void decaf_255_scalar_sub ( - decaf_255_scalar_t out, - const decaf_255_scalar_t a, - const decaf_255_scalar_t b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply two scalars. 
The scalars may use the same memory. - * @param [in] a One scalar. - * @param [in] b Another scalar. - * @param [out] out a*b. - */ -void decaf_255_scalar_mul ( - decaf_255_scalar_t out, - const decaf_255_scalar_t a, - const decaf_255_scalar_t b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** -* @brief Halve a scalar. The scalars may use the same memory. -* @param [in] a A scalar. -* @param [out] out a/2. -*/ -void decaf_255_scalar_halve ( - decaf_255_scalar_t out, - const decaf_255_scalar_t a -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Invert a scalar. When passed zero, return 0. The input and output may alias. - * @param [in] a A scalar. - * @param [out] out 1/a. - * @return DECAF_SUCCESS The input is nonzero. - */ -decaf_error_t decaf_255_scalar_invert ( - decaf_255_scalar_t out, - const decaf_255_scalar_t a -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Copy a scalar. The scalars may use the same memory, in which - * case this function does nothing. - * @param [in] a A scalar. - * @param [out] out Will become a copy of a. - */ -static inline void DECAF_NONNULL decaf_255_scalar_copy ( - decaf_255_scalar_t out, - const decaf_255_scalar_t a -) { - *out = *a; -} - -/** - * @brief Set a scalar to an unsigned 64-bit integer. - * @param [in] a An integer. - * @param [out] out Will become equal to a. - */ -void decaf_255_scalar_set_unsigned ( - decaf_255_scalar_t out, - uint64_t a -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Encode a point as a sequence of bytes. - * - * @param [out] ser The byte representation of the point. - * @param [in] pt The point to encode. - */ -void decaf_255_point_encode ( - uint8_t ser[DECAF_255_SER_BYTES], - const decaf_255_point_t pt -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Decode a point from a sequence of bytes. - * - * Every point has a unique encoding, so not every - * sequence of bytes is a valid encoding. 
If an invalid - * encoding is given, the output is undefined. - * - * @param [out] pt The decoded point. - * @param [in] ser The serialized version of the point. - * @param [in] allow_identity DECAF_TRUE if the identity is a legal input. - * @retval DECAF_SUCCESS The decoding succeeded. - * @retval DECAF_FAILURE The decoding didn't succeed, because - * ser does not represent a point. - */ -decaf_error_t decaf_255_point_decode ( - decaf_255_point_t pt, - const uint8_t ser[DECAF_255_SER_BYTES], - decaf_bool_t allow_identity -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Copy a point. The input and output may alias, - * in which case this function does nothing. - * - * @param [out] a A copy of the point. - * @param [in] b Any point. - */ -static inline void DECAF_NONNULL decaf_255_point_copy ( - decaf_255_point_t a, - const decaf_255_point_t b -) { - *a=*b; -} - -/** - * @brief Test whether two points are equal. If yes, return - * DECAF_TRUE, else return DECAF_FALSE. - * - * @param [in] a A point. - * @param [in] b Another point. - * @retval DECAF_TRUE The points are equal. - * @retval DECAF_FALSE The points are not equal. - */ -decaf_bool_t decaf_255_point_eq ( - const decaf_255_point_t a, - const decaf_255_point_t b -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Add two points to produce a third point. The - * input points and output point can be pointers to the same - * memory. - * - * @param [out] sum The sum a+b. - * @param [in] a An addend. - * @param [in] b An addend. - */ -void decaf_255_point_add ( - decaf_255_point_t sum, - const decaf_255_point_t a, - const decaf_255_point_t b -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Double a point. Equivalent to - * decaf_255_point_add(two_a,a,a), but potentially faster. - * - * @param [out] two_a The sum a+a. - * @param [in] a A point. 
- */ -void decaf_255_point_double ( - decaf_255_point_t two_a, - const decaf_255_point_t a -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Subtract two points to produce a third point. The - * input points and output point can be pointers to the same - * memory. - * - * @param [out] diff The difference a-b. - * @param [in] a The minuend. - * @param [in] b The subtrahend. - */ -void decaf_255_point_sub ( - decaf_255_point_t diff, - const decaf_255_point_t a, - const decaf_255_point_t b -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Negate a point to produce another point. The input - * and output points can use the same memory. - * - * @param [out] nega The negated input point - * @param [in] a The input point. - */ -void decaf_255_point_negate ( - decaf_255_point_t nega, - const decaf_255_point_t a -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Multiply a base point by a scalar: scaled = scalar*base. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] base The point to be scaled. - * @param [in] scalar The scalar to multiply by. - */ -void decaf_255_point_scalarmul ( - decaf_255_point_t scaled, - const decaf_255_point_t base, - const decaf_255_scalar_t scalar -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply a base point by a scalar: scaled = scalar*base. - * This function operates directly on serialized forms. - * - * @warning This function is experimental. It may not be supported - * long-term. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] base The point to be scaled. - * @param [in] scalar The scalar to multiply by. - * @param [in] allow_identity Allow the input to be the identity. - * @param [in] short_circuit Allow a fast return if the input is illegal. - * - * @retval DECAF_SUCCESS The scalarmul succeeded. - * @retval DECAF_FAILURE The scalarmul didn't succeed, because - * base does not represent a point. 
- */ -decaf_error_t decaf_255_direct_scalarmul ( - uint8_t scaled[DECAF_255_SER_BYTES], - const uint8_t base[DECAF_255_SER_BYTES], - const decaf_255_scalar_t scalar, - decaf_bool_t allow_identity, - decaf_bool_t short_circuit -) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE; - -/** - * @brief RFC 7748 Diffie-Hellman scalarmul. This function uses a different - * (non-Decaf) encoding. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] base The point to be scaled. - * @param [in] scalar The scalar to multiply by. - * - * @retval DECAF_SUCCESS The scalarmul succeeded. - * @retval DECAF_FAILURE The scalarmul didn't succeed, because the base - * point is in a small subgroup. - */ -decaf_error_t decaf_x25519 ( - uint8_t out[DECAF_X25519_PUBLIC_BYTES], - const uint8_t base[DECAF_X25519_PUBLIC_BYTES], - const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE; - -/** - * @brief Multiply a point by DECAF_X25519_ENCODE_RATIO, - * then encode it like RFC 7748. - * - * This function is mainly used internally, but is exported in case - * it will be useful. - * - * The ratio is necessary because the internal representation doesn't - * track the cofactor information, so on output we must clear the cofactor. - * This would multiply by the cofactor, but in fact internally libdecaf's - * points are always even, so it multiplies by half the cofactor instead. - * - * As it happens, this aligns with the base point definitions; that is, - * if you pass the Decaf/Ristretto base point to this function, the result - * will be DECAF_X25519_ENCODE_RATIO times the X25519 - * base point. - * - * @param [out] out The scaled and encoded point. - * @param [in] p The point to be scaled and encoded. 
- */ -void decaf_255_point_mul_by_ratio_and_encode_like_x25519 ( - uint8_t out[DECAF_X25519_PUBLIC_BYTES], - const decaf_255_point_t p -) DECAF_API_VIS DECAF_NONNULL; - -/** The base point for X25519 Diffie-Hellman */ -extern const uint8_t decaf_x25519_base_point[DECAF_X25519_PUBLIC_BYTES] DECAF_API_VIS; - -/** - * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses - * a different (non-Decaf) encoding. - * - * @deprecated Renamed to decaf_x25519_derive_public_key. - * I have no particular timeline for removing this name. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] scalar The scalar to multiply by. - */ -void decaf_x25519_generate_key ( - uint8_t out[DECAF_X25519_PUBLIC_BYTES], - const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED("Renamed to decaf_x25519_derive_public_key"); - -/** - * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses - * a different (non-Decaf) encoding. - * - * Does exactly the same thing as decaf_x25519_generate_key, - * but has a better name. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] scalar The scalar to multiply by. - */ -void decaf_x25519_derive_public_key ( - uint8_t out[DECAF_X25519_PUBLIC_BYTES], - const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/* FUTURE: uint8_t decaf_255_encode_like_curve25519) */ - -/** - * @brief Precompute a table for fast scalar multiplication. - * Some implementations do not include precomputed points; for - * those implementations, this implementation simply copies the - * point. - * - * @param [out] a A precomputed table of multiples of the point. - * @param [in] b Any point. - */ -void decaf_255_precompute ( - decaf_255_precomputed_s *a, - const decaf_255_point_t b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply a precomputed base point by a scalar: - * scaled = scalar*base. 
- * Some implementations do not include precomputed points; for - * those implementations, this function is the same as - * decaf_255_point_scalarmul - * - * @param [out] scaled The scaled point base*scalar - * @param [in] base The point to be scaled. - * @param [in] scalar The scalar to multiply by. - */ -void decaf_255_precomputed_scalarmul ( - decaf_255_point_t scaled, - const decaf_255_precomputed_s *base, - const decaf_255_scalar_t scalar -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply two base points by two scalars: - * scaled = scalar1*base1 + scalar2*base2. - * - * Equivalent to two calls to decaf_255_point_scalarmul, but may be - * faster. - * - * @param [out] combo The linear combination scalar1*base1 + scalar2*base2. - * @param [in] base1 A first point to be scaled. - * @param [in] scalar1 A first scalar to multiply by. - * @param [in] base2 A second point to be scaled. - * @param [in] scalar2 A second scalar to multiply by. - */ -void decaf_255_point_double_scalarmul ( - decaf_255_point_t combo, - const decaf_255_point_t base1, - const decaf_255_scalar_t scalar1, - const decaf_255_point_t base2, - const decaf_255_scalar_t scalar2 -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * Multiply one base point by two scalars: - * - * a1 = scalar1 * base - * a2 = scalar2 * base - * - * Equivalent to two calls to decaf_255_point_scalarmul, but may be - * faster. - * - * @param [out] a1 The first multiple. It may be the same as the input point. - * @param [out] a2 The second multiple. It may be the same as the input point. - * @param [in] base1 A point to be scaled. - * @param [in] scalar1 A first scalar to multiply by. - * @param [in] scalar2 A second scalar to multiply by. 
- */ -void decaf_255_point_dual_scalarmul ( - decaf_255_point_t a1, - decaf_255_point_t a2, - const decaf_255_point_t base1, - const decaf_255_scalar_t scalar1, - const decaf_255_scalar_t scalar2 -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply two base points by two scalars: - * scaled = scalar1*decaf_255_point_base + scalar2*base2. - * - * Otherwise equivalent to decaf_255_point_double_scalarmul, but may be - * faster at the expense of being variable time. - * - * @param [out] combo The linear combination scalar1*base + scalar2*base2. - * @param [in] scalar1 A first scalar to multiply by. - * @param [in] base2 A second point to be scaled. - * @param [in] scalar2 A second scalar to multiply by. - * - * @warning: This function takes variable time, and may leak the scalars - * used. It is designed for signature verification. - */ -void decaf_255_base_double_scalarmul_non_secret ( - decaf_255_point_t combo, - const decaf_255_scalar_t scalar1, - const decaf_255_point_t base2, - const decaf_255_scalar_t scalar2 -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Constant-time decision between two points. If pick_b - * is zero, out = a; else out = b. - * - * @param [out] out The output. It may be the same as either input. - * @param [in] a Any point. - * @param [in] b Any point. - * @param [in] pick_b If nonzero, choose point b. - */ -void decaf_255_point_cond_sel ( - decaf_255_point_t out, - const decaf_255_point_t a, - const decaf_255_point_t b, - decaf_word_t pick_b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Constant-time decision between two scalars. If pick_b - * is zero, out = a; else out = b. - * - * @param [out] out The output. It may be the same as either input. - * @param [in] a Any scalar. - * @param [in] b Any scalar. - * @param [in] pick_b If nonzero, choose scalar b. 
- */ -void decaf_255_scalar_cond_sel ( - decaf_255_scalar_t out, - const decaf_255_scalar_t a, - const decaf_255_scalar_t b, - decaf_word_t pick_b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Test that a point is valid, for debugging purposes. - * - * @param [in] to_test The point to test. - * @retval DECAF_TRUE The point is valid. - * @retval DECAF_FALSE The point is invalid. - */ -decaf_bool_t decaf_255_point_valid ( - const decaf_255_point_t to_test -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Torque a point, for debugging purposes. The output - * will be equal to the input. - * - * @param [out] q The point to torque. - * @param [in] p The point to torque. - */ -void decaf_255_point_debugging_torque ( - decaf_255_point_t q, - const decaf_255_point_t p -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Projectively scale a point, for debugging purposes. - * The output will be equal to the input, and will be valid - * even if the factor is zero. - * - * @param [out] q The point to scale. - * @param [in] p The point to scale. - * @param [in] factor Serialized GF factor to scale. - */ -void decaf_255_point_debugging_pscale ( - decaf_255_point_t q, - const decaf_255_point_t p, - const unsigned char factor[DECAF_255_SER_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Almost-Elligator-like hash to curve. - * - * Call this function with the output of a hash to make a hash to the curve. - * - * This function runs Elligator2 on the decaf_255 Jacobi quartic model. It then - * uses the isogeny to put the result in twisted Edwards form. As a result, - * it is safe (cannot produce points of order 4), and would be compatible with - * hypothetical other implementations of Decaf using a Montgomery or untwisted - * Edwards model. - * - * Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]: - * A factor of 2 due to the isogeny. 
- * A factor of 2 because we quotient out the 2-torsion. - * - * This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8. - * - * Negating the input (mod q) results in the same point. Inverting the input - * (mod q) results in the negative point. This is the same as Elligator. - * - * This function isn't quite indifferentiable from a random oracle. - * However, it is suitable for many protocols, including SPEKE and SPAKE2 EE. - * Furthermore, calling it twice with independent seeds and adding the results - * is indifferentiable from a random oracle. - * - * @param [in] hashed_data Output of some hash function. - * @param [out] pt The data hashed to the curve. - */ -void -decaf_255_point_from_hash_nonuniform ( - decaf_255_point_t pt, - const unsigned char hashed_data[DECAF_255_HASH_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Indifferentiable hash function encoding to curve. - * - * Equivalent to calling decaf_255_point_from_hash_nonuniform twice and adding. - * - * @param [in] hashed_data Output of some hash function. - * @param [out] pt The data hashed to the curve. - */ -void decaf_255_point_from_hash_uniform ( - decaf_255_point_t pt, - const unsigned char hashed_data[2*DECAF_255_HASH_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Inverse of elligator-like hash to curve. - * - * This function writes to the buffer, to make it so that - * decaf_255_point_from_hash_nonuniform(buffer) = pt if - * possible. Since there may be multiple preimages, the - * "which" parameter chooses between them. To ensure uniform - * inverse sampling, this function succeeds or fails - * independently for different "which" values. - * - * This function isn't guaranteed to find every possible - * preimage, but it finds all except a small finite number. - * In particular, when the number of bits in the modulus isn't - * a multiple of 8 (i.e. 
for curve25519), it sets the high bits - * independently, which enables the generated data to be uniform. - * But it doesn't add p, so you'll never get exactly p from this - * function. This might change in the future, especially if - * we ever support eg Brainpool curves, where this could cause - * real nonuniformity. - * - * @param [out] recovered_hash Encoded data. - * @param [in] pt The point to encode. - * @param [in] which A value determining which inverse point - * to return. - * - * @retval DECAF_SUCCESS The inverse succeeded. - * @retval DECAF_FAILURE The inverse failed. - */ -decaf_error_t -decaf_255_invert_elligator_nonuniform ( - unsigned char recovered_hash[DECAF_255_HASH_BYTES], - const decaf_255_point_t pt, - uint32_t which -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED; - -/** - * @brief Inverse of elligator-like hash to curve. - * - * This function writes to the buffer, to make it so that - * decaf_255_point_from_hash_uniform(buffer) = pt if - * possible. Since there may be multiple preimages, the - * "which" parameter chooses between them. To ensure uniform - * inverse sampling, this function succeeds or fails - * independently for different "which" values. - * - * @param [out] recovered_hash Encoded data. - * @param [in] pt The point to encode. - * @param [in] which A value determining which inverse point - * to return. - * - * @retval DECAF_SUCCESS The inverse succeeded. - * @retval DECAF_FAILURE The inverse failed. - */ -decaf_error_t -decaf_255_invert_elligator_uniform ( - unsigned char recovered_hash[2*DECAF_255_HASH_BYTES], - const decaf_255_point_t pt, - uint32_t which -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED; - -/** - * @brief Overwrite scalar with zeros. - */ -void decaf_255_scalar_destroy ( - decaf_255_scalar_t scalar -) DECAF_NONNULL DECAF_API_VIS; - -/** - * @brief Overwrite point with zeros. 
- */ -void decaf_255_point_destroy ( - decaf_255_point_t point -) DECAF_NONNULL DECAF_API_VIS; - -/** - * @brief Overwrite precomputed table with zeros. - */ -void decaf_255_precomputed_destroy ( - decaf_255_precomputed_s *pre -) DECAF_NONNULL DECAF_API_VIS; - -#ifdef __cplusplus -} /* extern "C" */ -#endif - -#endif /* __DECAF_POINT_255_H__ */ diff --git a/crypto/ec/curve448/decaf/point_448.h b/crypto/ec/curve448/decaf/point_448.h deleted file mode 100644 index bc1cb43a00..0000000000 --- a/crypto/ec/curve448/decaf/point_448.h +++ /dev/null 
@@ -1,765 +0,0 @@ -/** - * @file decaf/point_448.h - * @author Mike Hamburg - * - * @copyright - * Copyright (c) 2015-2016 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * - * @brief A group of prime order p, based on Ed448-Goldilocks. - * - * @warning This file was automatically generated in Python. - * Please do not edit it. - */ - -#ifndef __DECAF_POINT_448_H__ -#define __DECAF_POINT_448_H__ 1 - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond internal */ -#define DECAF_448_SCALAR_LIMBS ((446-1)/DECAF_WORD_BITS+1) -/** @endcond */ - -/** The number of bits in a scalar */ -#define DECAF_448_SCALAR_BITS 446 - -/** @cond internal */ -#ifndef __DECAF_448_GF_DEFINED__ -#define __DECAF_448_GF_DEFINED__ 1 -/** @brief Galois field element internal structure */ -typedef struct gf_448_s { - decaf_word_t limb[512/DECAF_WORD_BITS]; -} __attribute__((aligned(32))) gf_448_s, gf_448_t[1]; -#endif /* __DECAF_448_GF_DEFINED__ */ -/** @endcond */ - -/** Number of bytes in a serialized point. */ -#define DECAF_448_SER_BYTES 56 - -/** Number of bytes in an elligated point. For now set the same as SER_BYTES - * but could be different for other curves. - */ -#define DECAF_448_HASH_BYTES 56 - -/** Number of bytes in a serialized scalar. */ -#define DECAF_448_SCALAR_BYTES 56 - -/** Number of bits in the "which" field of an elligator inverse */ -#define DECAF_448_INVERT_ELLIGATOR_WHICH_BITS 3 - -/** The cofactor the curve would have, if we hadn't removed it */ -#define DECAF_448_REMOVED_COFACTOR 4 - -/** X448 encoding ratio. 
*/ -#define DECAF_X448_ENCODE_RATIO 2 - -/** Number of bytes in an x448 public key */ -#define DECAF_X448_PUBLIC_BYTES 56 - -/** Number of bytes in an x448 private key */ -#define DECAF_X448_PRIVATE_BYTES 56 - -/** Twisted Edwards extended homogeneous coordinates */ -typedef struct decaf_448_point_s { - /** @cond internal */ - gf_448_t x,y,z,t; - /** @endcond */ -} decaf_448_point_t[1]; - -/** Precomputed table based on a point. Can be trivial implementation. */ -struct decaf_448_precomputed_s; - -/** Precomputed table based on a point. Can be trivial implementation. */ -typedef struct decaf_448_precomputed_s decaf_448_precomputed_s; - -/** Size and alignment of precomputed point tables. */ -extern const size_t decaf_448_sizeof_precomputed_s DECAF_API_VIS, decaf_448_alignof_precomputed_s DECAF_API_VIS; - -/** Scalar is stored packed, because we don't need the speed. */ -typedef struct decaf_448_scalar_s { - /** @cond internal */ - decaf_word_t limb[DECAF_448_SCALAR_LIMBS]; - /** @endcond */ -} decaf_448_scalar_t[1]; - -/** A scalar equal to 1. */ -extern const decaf_448_scalar_t decaf_448_scalar_one DECAF_API_VIS; - -/** A scalar equal to 0. */ -extern const decaf_448_scalar_t decaf_448_scalar_zero DECAF_API_VIS; - -/** The identity point on the curve. */ -extern const decaf_448_point_t decaf_448_point_identity DECAF_API_VIS; - -/** An arbitrarily chosen base point on the curve. */ -extern const decaf_448_point_t decaf_448_point_base DECAF_API_VIS; - -/** Precomputed table for the base point on the curve. */ -extern const struct decaf_448_precomputed_s *decaf_448_precomputed_base DECAF_API_VIS; - -/** - * @brief Read a scalar from wire format or from bytes. - * - * @param [in] ser Serialized form of a scalar. - * @param [out] out Deserialized form. - * - * @retval DECAF_SUCCESS The scalar was correctly encoded. - * @retval DECAF_FAILURE The scalar was greater than the modulus, - * and has been reduced modulo that modulus. 
- */ -decaf_error_t decaf_448_scalar_decode ( - decaf_448_scalar_t out, - const unsigned char ser[DECAF_448_SCALAR_BYTES] -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Read a scalar from wire format or from bytes. Reduces mod - * scalar prime. - * - * @param [in] ser Serialized form of a scalar. - * @param [in] ser_len Length of serialized form. - * @param [out] out Deserialized form. - */ -void decaf_448_scalar_decode_long ( - decaf_448_scalar_t out, - const unsigned char *ser, - size_t ser_len -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Serialize a scalar to wire format. - * - * @param [out] ser Serialized form of a scalar. - * @param [in] s Deserialized scalar. - */ -void decaf_448_scalar_encode ( - unsigned char ser[DECAF_448_SCALAR_BYTES], - const decaf_448_scalar_t s -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE; - -/** - * @brief Add two scalars. The scalars may use the same memory. - * @param [in] a One scalar. - * @param [in] b Another scalar. - * @param [out] out a+b. - */ -void decaf_448_scalar_add ( - decaf_448_scalar_t out, - const decaf_448_scalar_t a, - const decaf_448_scalar_t b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Compare two scalars. - * @param [in] a One scalar. - * @param [in] b Another scalar. - * @retval DECAF_TRUE The scalars are equal. - * @retval DECAF_FALSE The scalars are not equal. - */ -decaf_bool_t decaf_448_scalar_eq ( - const decaf_448_scalar_t a, - const decaf_448_scalar_t b -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Subtract two scalars. The scalars may use the same memory. - * @param [in] a One scalar. - * @param [in] b Another scalar. - * @param [out] out a-b. - */ -void decaf_448_scalar_sub ( - decaf_448_scalar_t out, - const decaf_448_scalar_t a, - const decaf_448_scalar_t b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply two scalars. 
The scalars may use the same memory. - * @param [in] a One scalar. - * @param [in] b Another scalar. - * @param [out] out a*b. - */ -void decaf_448_scalar_mul ( - decaf_448_scalar_t out, - const decaf_448_scalar_t a, - const decaf_448_scalar_t b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** -* @brief Halve a scalar. The scalars may use the same memory. -* @param [in] a A scalar. -* @param [out] out a/2. -*/ -void decaf_448_scalar_halve ( - decaf_448_scalar_t out, - const decaf_448_scalar_t a -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Invert a scalar. When passed zero, return 0. The input and output may alias. - * @param [in] a A scalar. - * @param [out] out 1/a. - * @return DECAF_SUCCESS The input is nonzero. - */ -decaf_error_t decaf_448_scalar_invert ( - decaf_448_scalar_t out, - const decaf_448_scalar_t a -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Copy a scalar. The scalars may use the same memory, in which - * case this function does nothing. - * @param [in] a A scalar. - * @param [out] out Will become a copy of a. - */ -static inline void DECAF_NONNULL decaf_448_scalar_copy ( - decaf_448_scalar_t out, - const decaf_448_scalar_t a -) { - *out = *a; -} - -/** - * @brief Set a scalar to an unsigned 64-bit integer. - * @param [in] a An integer. - * @param [out] out Will become equal to a. - */ -void decaf_448_scalar_set_unsigned ( - decaf_448_scalar_t out, - uint64_t a -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Encode a point as a sequence of bytes. - * - * @param [out] ser The byte representation of the point. - * @param [in] pt The point to encode. - */ -void decaf_448_point_encode ( - uint8_t ser[DECAF_448_SER_BYTES], - const decaf_448_point_t pt -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Decode a point from a sequence of bytes. - * - * Every point has a unique encoding, so not every - * sequence of bytes is a valid encoding. 
If an invalid - * encoding is given, the output is undefined. - * - * @param [out] pt The decoded point. - * @param [in] ser The serialized version of the point. - * @param [in] allow_identity DECAF_TRUE if the identity is a legal input. - * @retval DECAF_SUCCESS The decoding succeeded. - * @retval DECAF_FAILURE The decoding didn't succeed, because - * ser does not represent a point. - */ -decaf_error_t decaf_448_point_decode ( - decaf_448_point_t pt, - const uint8_t ser[DECAF_448_SER_BYTES], - decaf_bool_t allow_identity -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Copy a point. The input and output may alias, - * in which case this function does nothing. - * - * @param [out] a A copy of the point. - * @param [in] b Any point. - */ -static inline void DECAF_NONNULL decaf_448_point_copy ( - decaf_448_point_t a, - const decaf_448_point_t b -) { - *a=*b; -} - -/** - * @brief Test whether two points are equal. If yes, return - * DECAF_TRUE, else return DECAF_FALSE. - * - * @param [in] a A point. - * @param [in] b Another point. - * @retval DECAF_TRUE The points are equal. - * @retval DECAF_FALSE The points are not equal. - */ -decaf_bool_t decaf_448_point_eq ( - const decaf_448_point_t a, - const decaf_448_point_t b -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Add two points to produce a third point. The - * input points and output point can be pointers to the same - * memory. - * - * @param [out] sum The sum a+b. - * @param [in] a An addend. - * @param [in] b An addend. - */ -void decaf_448_point_add ( - decaf_448_point_t sum, - const decaf_448_point_t a, - const decaf_448_point_t b -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Double a point. Equivalent to - * decaf_448_point_add(two_a,a,a), but potentially faster. - * - * @param [out] two_a The sum a+a. - * @param [in] a A point. 
- */ -void decaf_448_point_double ( - decaf_448_point_t two_a, - const decaf_448_point_t a -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Subtract two points to produce a third point. The - * input points and output point can be pointers to the same - * memory. - * - * @param [out] diff The difference a-b. - * @param [in] a The minuend. - * @param [in] b The subtrahend. - */ -void decaf_448_point_sub ( - decaf_448_point_t diff, - const decaf_448_point_t a, - const decaf_448_point_t b -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Negate a point to produce another point. The input - * and output points can use the same memory. - * - * @param [out] nega The negated input point - * @param [in] a The input point. - */ -void decaf_448_point_negate ( - decaf_448_point_t nega, - const decaf_448_point_t a -) DECAF_API_VIS DECAF_NONNULL; - -/** - * @brief Multiply a base point by a scalar: scaled = scalar*base. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] base The point to be scaled. - * @param [in] scalar The scalar to multiply by. - */ -void decaf_448_point_scalarmul ( - decaf_448_point_t scaled, - const decaf_448_point_t base, - const decaf_448_scalar_t scalar -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply a base point by a scalar: scaled = scalar*base. - * This function operates directly on serialized forms. - * - * @warning This function is experimental. It may not be supported - * long-term. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] base The point to be scaled. - * @param [in] scalar The scalar to multiply by. - * @param [in] allow_identity Allow the input to be the identity. - * @param [in] short_circuit Allow a fast return if the input is illegal. - * - * @retval DECAF_SUCCESS The scalarmul succeeded. - * @retval DECAF_FAILURE The scalarmul didn't succeed, because - * base does not represent a point. 
- */ -decaf_error_t decaf_448_direct_scalarmul ( - uint8_t scaled[DECAF_448_SER_BYTES], - const uint8_t base[DECAF_448_SER_BYTES], - const decaf_448_scalar_t scalar, - decaf_bool_t allow_identity, - decaf_bool_t short_circuit -) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE; - -/** - * @brief RFC 7748 Diffie-Hellman scalarmul. This function uses a different - * (non-Decaf) encoding. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] base The point to be scaled. - * @param [in] scalar The scalar to multiply by. - * - * @retval DECAF_SUCCESS The scalarmul succeeded. - * @retval DECAF_FAILURE The scalarmul didn't succeed, because the base - * point is in a small subgroup. - */ -decaf_error_t decaf_x448 ( - uint8_t out[DECAF_X448_PUBLIC_BYTES], - const uint8_t base[DECAF_X448_PUBLIC_BYTES], - const uint8_t scalar[DECAF_X448_PRIVATE_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE; - -/** - * @brief Multiply a point by DECAF_X448_ENCODE_RATIO, - * then encode it like RFC 7748. - * - * This function is mainly used internally, but is exported in case - * it will be useful. - * - * The ratio is necessary because the internal representation doesn't - * track the cofactor information, so on output we must clear the cofactor. - * This would multiply by the cofactor, but in fact internally libdecaf's - * points are always even, so it multiplies by half the cofactor instead. - * - * As it happens, this aligns with the base point definitions; that is, - * if you pass the Decaf/Ristretto base point to this function, the result - * will be DECAF_X448_ENCODE_RATIO times the X448 - * base point. - * - * @param [out] out The scaled and encoded point. - * @param [in] p The point to be scaled and encoded. 
- */ -void decaf_448_point_mul_by_ratio_and_encode_like_x448 ( - uint8_t out[DECAF_X448_PUBLIC_BYTES], - const decaf_448_point_t p -) DECAF_API_VIS DECAF_NONNULL; - -/** The base point for X448 Diffie-Hellman */ -extern const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] DECAF_API_VIS; - -/** - * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses - * a different (non-Decaf) encoding. - * - * @deprecated Renamed to decaf_x448_derive_public_key. - * I have no particular timeline for removing this name. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] scalar The scalar to multiply by. - */ -void decaf_x448_generate_key ( - uint8_t out[DECAF_X448_PUBLIC_BYTES], - const uint8_t scalar[DECAF_X448_PRIVATE_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED("Renamed to decaf_x448_derive_public_key"); - -/** - * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses - * a different (non-Decaf) encoding. - * - * Does exactly the same thing as decaf_x448_generate_key, - * but has a better name. - * - * @param [out] scaled The scaled point base*scalar - * @param [in] scalar The scalar to multiply by. - */ -void decaf_x448_derive_public_key ( - uint8_t out[DECAF_X448_PUBLIC_BYTES], - const uint8_t scalar[DECAF_X448_PRIVATE_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/* FUTURE: uint8_t decaf_448_encode_like_curve448) */ - -/** - * @brief Precompute a table for fast scalar multiplication. - * Some implementations do not include precomputed points; for - * those implementations, this implementation simply copies the - * point. - * - * @param [out] a A precomputed table of multiples of the point. - * @param [in] b Any point. - */ -void decaf_448_precompute ( - decaf_448_precomputed_s *a, - const decaf_448_point_t b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply a precomputed base point by a scalar: - * scaled = scalar*base. 
- * Some implementations do not include precomputed points; for - * those implementations, this function is the same as - * decaf_448_point_scalarmul - * - * @param [out] scaled The scaled point base*scalar - * @param [in] base The point to be scaled. - * @param [in] scalar The scalar to multiply by. - */ -void decaf_448_precomputed_scalarmul ( - decaf_448_point_t scaled, - const decaf_448_precomputed_s *base, - const decaf_448_scalar_t scalar -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply two base points by two scalars: - * scaled = scalar1*base1 + scalar2*base2. - * - * Equivalent to two calls to decaf_448_point_scalarmul, but may be - * faster. - * - * @param [out] combo The linear combination scalar1*base1 + scalar2*base2. - * @param [in] base1 A first point to be scaled. - * @param [in] scalar1 A first scalar to multiply by. - * @param [in] base2 A second point to be scaled. - * @param [in] scalar2 A second scalar to multiply by. - */ -void decaf_448_point_double_scalarmul ( - decaf_448_point_t combo, - const decaf_448_point_t base1, - const decaf_448_scalar_t scalar1, - const decaf_448_point_t base2, - const decaf_448_scalar_t scalar2 -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * Multiply one base point by two scalars: - * - * a1 = scalar1 * base - * a2 = scalar2 * base - * - * Equivalent to two calls to decaf_448_point_scalarmul, but may be - * faster. - * - * @param [out] a1 The first multiple. It may be the same as the input point. - * @param [out] a2 The second multiple. It may be the same as the input point. - * @param [in] base1 A point to be scaled. - * @param [in] scalar1 A first scalar to multiply by. - * @param [in] scalar2 A second scalar to multiply by. 
- */ -void decaf_448_point_dual_scalarmul ( - decaf_448_point_t a1, - decaf_448_point_t a2, - const decaf_448_point_t base1, - const decaf_448_scalar_t scalar1, - const decaf_448_scalar_t scalar2 -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Multiply two base points by two scalars: - * scaled = scalar1*decaf_448_point_base + scalar2*base2. - * - * Otherwise equivalent to decaf_448_point_double_scalarmul, but may be - * faster at the expense of being variable time. - * - * @param [out] combo The linear combination scalar1*base + scalar2*base2. - * @param [in] scalar1 A first scalar to multiply by. - * @param [in] base2 A second point to be scaled. - * @param [in] scalar2 A second scalar to multiply by. - * - * @warning: This function takes variable time, and may leak the scalars - * used. It is designed for signature verification. - */ -void decaf_448_base_double_scalarmul_non_secret ( - decaf_448_point_t combo, - const decaf_448_scalar_t scalar1, - const decaf_448_point_t base2, - const decaf_448_scalar_t scalar2 -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Constant-time decision between two points. If pick_b - * is zero, out = a; else out = b. - * - * @param [out] out The output. It may be the same as either input. - * @param [in] a Any point. - * @param [in] b Any point. - * @param [in] pick_b If nonzero, choose point b. - */ -void decaf_448_point_cond_sel ( - decaf_448_point_t out, - const decaf_448_point_t a, - const decaf_448_point_t b, - decaf_word_t pick_b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Constant-time decision between two scalars. If pick_b - * is zero, out = a; else out = b. - * - * @param [out] out The output. It may be the same as either input. - * @param [in] a Any scalar. - * @param [in] b Any scalar. - * @param [in] pick_b If nonzero, choose scalar b. 
- */ -void decaf_448_scalar_cond_sel ( - decaf_448_scalar_t out, - const decaf_448_scalar_t a, - const decaf_448_scalar_t b, - decaf_word_t pick_b -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Test that a point is valid, for debugging purposes. - * - * @param [in] to_test The point to test. - * @retval DECAF_TRUE The point is valid. - * @retval DECAF_FALSE The point is invalid. - */ -decaf_bool_t decaf_448_point_valid ( - const decaf_448_point_t to_test -) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Torque a point, for debugging purposes. The output - * will be equal to the input. - * - * @param [out] q The point to torque. - * @param [in] p The point to torque. - */ -void decaf_448_point_debugging_torque ( - decaf_448_point_t q, - const decaf_448_point_t p -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Projectively scale a point, for debugging purposes. - * The output will be equal to the input, and will be valid - * even if the factor is zero. - * - * @param [out] q The point to scale. - * @param [in] p The point to scale. - * @param [in] factor Serialized GF factor to scale. - */ -void decaf_448_point_debugging_pscale ( - decaf_448_point_t q, - const decaf_448_point_t p, - const unsigned char factor[DECAF_448_SER_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Almost-Elligator-like hash to curve. - * - * Call this function with the output of a hash to make a hash to the curve. - * - * This function runs Elligator2 on the decaf_448 Jacobi quartic model. It then - * uses the isogeny to put the result in twisted Edwards form. As a result, - * it is safe (cannot produce points of order 4), and would be compatible with - * hypothetical other implementations of Decaf using a Montgomery or untwisted - * Edwards model. - * - * Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]: - * A factor of 2 due to the isogeny. 
- * A factor of 2 because we quotient out the 2-torsion. - * - * This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8. - * - * Negating the input (mod q) results in the same point. Inverting the input - * (mod q) results in the negative point. This is the same as Elligator. - * - * This function isn't quite indifferentiable from a random oracle. - * However, it is suitable for many protocols, including SPEKE and SPAKE2 EE. - * Furthermore, calling it twice with independent seeds and adding the results - * is indifferentiable from a random oracle. - * - * @param [in] hashed_data Output of some hash function. - * @param [out] pt The data hashed to the curve. - */ -void -decaf_448_point_from_hash_nonuniform ( - decaf_448_point_t pt, - const unsigned char hashed_data[DECAF_448_HASH_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Indifferentiable hash function encoding to curve. - * - * Equivalent to calling decaf_448_point_from_hash_nonuniform twice and adding. - * - * @param [in] hashed_data Output of some hash function. - * @param [out] pt The data hashed to the curve. - */ -void decaf_448_point_from_hash_uniform ( - decaf_448_point_t pt, - const unsigned char hashed_data[2*DECAF_448_HASH_BYTES] -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; - -/** - * @brief Inverse of elligator-like hash to curve. - * - * This function writes to the buffer, to make it so that - * decaf_448_point_from_hash_nonuniform(buffer) = pt if - * possible. Since there may be multiple preimages, the - * "which" parameter chooses between them. To ensure uniform - * inverse sampling, this function succeeds or fails - * independently for different "which" values. - * - * This function isn't guaranteed to find every possible - * preimage, but it finds all except a small finite number. - * In particular, when the number of bits in the modulus isn't - * a multiple of 8 (i.e. 
for curve25519), it sets the high bits - * independently, which enables the generated data to be uniform. - * But it doesn't add p, so you'll never get exactly p from this - * function. This might change in the future, especially if - * we ever support eg Brainpool curves, where this could cause - * real nonuniformity. - * - * @param [out] recovered_hash Encoded data. - * @param [in] pt The point to encode. - * @param [in] which A value determining which inverse point - * to return. - * - * @retval DECAF_SUCCESS The inverse succeeded. - * @retval DECAF_FAILURE The inverse failed. - */ -decaf_error_t -decaf_448_invert_elligator_nonuniform ( - unsigned char recovered_hash[DECAF_448_HASH_BYTES], - const decaf_448_point_t pt, - uint32_t which -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED; - -/** - * @brief Inverse of elligator-like hash to curve. - * - * This function writes to the buffer, to make it so that - * decaf_448_point_from_hash_uniform(buffer) = pt if - * possible. Since there may be multiple preimages, the - * "which" parameter chooses between them. To ensure uniform - * inverse sampling, this function succeeds or fails - * independently for different "which" values. - * - * @param [out] recovered_hash Encoded data. - * @param [in] pt The point to encode. - * @param [in] which A value determining which inverse point - * to return. - * - * @retval DECAF_SUCCESS The inverse succeeded. - * @retval DECAF_FAILURE The inverse failed. - */ -decaf_error_t -decaf_448_invert_elligator_uniform ( - unsigned char recovered_hash[2*DECAF_448_HASH_BYTES], - const decaf_448_point_t pt, - uint32_t which -) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED; - -/** - * @brief Overwrite scalar with zeros. - */ -void decaf_448_scalar_destroy ( - decaf_448_scalar_t scalar -) DECAF_NONNULL DECAF_API_VIS; - -/** - * @brief Overwrite point with zeros. 
- */
-void decaf_448_point_destroy (
- decaf_448_point_t point
-) DECAF_NONNULL DECAF_API_VIS;
-
-/**
- * @brief Overwrite precomputed table with zeros.
- */
-void decaf_448_precomputed_destroy (
- decaf_448_precomputed_s *pre
-) DECAF_NONNULL DECAF_API_VIS;
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* __DECAF_POINT_448_H__ */
diff --git a/crypto/ec/curve448/decaf/sha512.h b/crypto/ec/curve448/decaf/sha512.h
deleted file mode 100644
index 3c8ec70e93..0000000000
--- a/crypto/ec/curve448/decaf/sha512.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * @file decaf/shake.h
- * @copyright Public domain.
- * @author Mike Hamburg
- * @brief SHA2-512
- */
-
-#ifndef __DECAF_SHA512_H__
-#define __DECAF_SHA512_H__
-
-#include
-#include
-#include /* for NULL */
-
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-typedef struct decaf_sha512_ctx_s {
- uint64_t state[8];
- uint8_t block[128];
- uint64_t bytes_processed;
-} decaf_sha512_ctx_s, decaf_sha512_ctx_t[1];
-
-void decaf_sha512_init(decaf_sha512_ctx_t ctx) DECAF_NONNULL DECAF_API_VIS;
-void decaf_sha512_update(decaf_sha512_ctx_t ctx, const uint8_t *message, size_t length) DECAF_NONNULL DECAF_API_VIS;
-void decaf_sha512_final(decaf_sha512_ctx_t ctx, uint8_t *out, size_t length) DECAF_NONNULL DECAF_API_VIS;
-
-static inline void decaf_sha512_destroy(decaf_sha512_ctx_t ctx) {
- decaf_bzero(ctx,sizeof(*ctx));
-}
-
-static inline void decaf_sha512_hash(
- uint8_t *output,
- size_t output_len,
- const uint8_t *message,
- size_t message_len
-) {
- decaf_sha512_ctx_t ctx;
- decaf_sha512_init(ctx);
- decaf_sha512_update(ctx,message,message_len);
- decaf_sha512_final(ctx,output,output_len);
- decaf_sha512_destroy(ctx);
-}
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* __DECAF_SHA512_H__ */
diff --git a/crypto/ec/curve448/decaf/shake.h b/crypto/ec/curve448/decaf/shake.h
deleted file mode 100644
index ae125b923a..0000000000
--- a/crypto/ec/curve448/decaf/shake.h
+++ /dev/null
@@ -1,219 +0,0 @@ -/** - * @file decaf/shake.h - * @copyright - * Based on CC0 code by David Leon Gil, 2015 \n - * Copyright (c) 2015 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * @author Mike Hamburg - * @brief SHA-3-n and DECAF_SHAKE-n instances. - */ - -#ifndef __DECAF_SHAKE_H__ -#define __DECAF_SHAKE_H__ - -#include -#include -#include /* for NULL */ - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -#ifndef INTERNAL_SPONGE_STRUCT - /** Sponge container object for the various primitives. */ - typedef struct decaf_keccak_sponge_s { - /** @cond internal */ - uint64_t opaque[26]; - /** @endcond */ - } decaf_keccak_sponge_s; - - /** Convenience GMP-style one-element array version */ - typedef struct decaf_keccak_sponge_s decaf_keccak_sponge_t[1]; - - /** Parameters for sponge construction, distinguishing DECAF_SHA3 and - * DECAF_SHAKE instances. - */ - struct decaf_kparams_s; -#endif - -/** - * @brief Initialize a sponge context object. - * @param [out] sponge The object to initialize. - * @param [in] params The sponge's parameter description. - */ -void decaf_sha3_init ( - decaf_keccak_sponge_t sponge, - const struct decaf_kparams_s *params -) DECAF_API_VIS; - -/** - * @brief Absorb data into a DECAF_SHA3 or DECAF_SHAKE hash context. - * @param [inout] sponge The context. - * @param [in] in The input data. - * @param [in] len The input data's length in bytes. - * @return DECAF_FAILURE if the sponge has already been used for output. - * @return DECAF_SUCCESS otherwise. - */ -decaf_error_t decaf_sha3_update ( - struct decaf_keccak_sponge_s * __restrict__ sponge, - const uint8_t *in, - size_t len -) DECAF_API_VIS; - -/** - * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context. - * This does not destroy or re-initialize the hash context, and - * decaf_sha3 output can be called more times. - * - * @param [inout] sponge The context. - * @param [out] out The output data. 
- * @param [in] len The requested output data length in bytes. - * @return DECAF_FAILURE if the sponge has exhausted its output capacity. - * @return DECAF_SUCCESS otherwise. - */ -decaf_error_t decaf_sha3_output ( - decaf_keccak_sponge_t sponge, - uint8_t * __restrict__ out, - size_t len -) DECAF_API_VIS; - -/** - * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context. - * This re-initializes the context to its starting parameters. - * - * @param [inout] sponge The context. - * @param [out] out The output data. - * @param [in] len The requested output data length in bytes. - */ -decaf_error_t decaf_sha3_final ( - decaf_keccak_sponge_t sponge, - uint8_t * __restrict__ out, - size_t len -) DECAF_API_VIS; - -/** - * @brief Reset the sponge to the empty string. - * - * @param [inout] sponge The context. - */ -void decaf_sha3_reset ( - decaf_keccak_sponge_t sponge -) DECAF_API_VIS; - -/** - * @brief Return the default output length of the sponge construction, - * for the purpose of C++ default operators. - * - * Returns n/8 for DECAF_SHA3-n and 2n/8 for DECAF_SHAKE-n. - */ -size_t decaf_sha3_default_output_bytes ( - const decaf_keccak_sponge_t sponge /**< [inout] The context. */ -) DECAF_API_VIS; - -/** - * @brief Return the default output length of the sponge construction, - * for the purpose of C++ default operators. - * - * Returns n/8 for DECAF_SHA3-n and SIZE_MAX for DECAF_SHAKE-n. - */ -size_t decaf_sha3_max_output_bytes ( - const decaf_keccak_sponge_t sponge /**< [inout] The context. */ -) DECAF_API_VIS; - -/** - * @brief Destroy a DECAF_SHA3 or DECAF_SHAKE sponge context by overwriting it with 0. - * @param [out] sponge The context. - */ -void decaf_sha3_destroy ( - decaf_keccak_sponge_t sponge -) DECAF_API_VIS; - -/** - * @brief Hash (in) to (out) - * @param [in] in The input data. - * @param [in] inlen The length of the input data. - * @param [out] out A buffer for the output data. - * @param [in] outlen The length of the output data. 
- * @param [in] params The parameters of the sponge hash. - */ -decaf_error_t decaf_sha3_hash ( - uint8_t *out, - size_t outlen, - const uint8_t *in, - size_t inlen, - const struct decaf_kparams_s *params -) DECAF_API_VIS; - -/* FUTURE: expand/doxygenate individual DECAF_SHAKE/DECAF_SHA3 instances? */ - -/** @cond internal */ -#define DECAF_DEC_SHAKE(n) \ - extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s DECAF_API_VIS; \ - typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \ - static inline void DECAF_NONNULL decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \ - decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \ - } \ - static inline void DECAF_NONNULL decaf_shake##n##_gen_init(decaf_keccak_sponge_t sponge) { \ - decaf_sha3_init(sponge, &DECAF_SHAKE##n##_params_s); \ - } \ - static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_update(decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \ - return decaf_sha3_update(sponge->s, in, inlen); \ - } \ - static inline void DECAF_NONNULL decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ - decaf_sha3_output(sponge->s, out, outlen); \ - decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \ - } \ - static inline void DECAF_NONNULL decaf_shake##n##_output(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ - decaf_sha3_output(sponge->s, out, outlen); \ - } \ - static inline void DECAF_NONNULL decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \ - decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHAKE##n##_params_s); \ - } \ - static inline void DECAF_NONNULL decaf_shake##n##_destroy( decaf_shake##n##_ctx_t sponge ) { \ - decaf_sha3_destroy(sponge->s); \ - } - -#define DECAF_DEC_SHA3(n) \ - extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s DECAF_API_VIS; \ - typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; } 
decaf_sha3_##n##_ctx_t[1]; \ - static inline void DECAF_NONNULL decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \ - decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \ - } \ - static inline void DECAF_NONNULL decaf_sha3_##n##_gen_init(decaf_keccak_sponge_t sponge) { \ - decaf_sha3_init(sponge, &DECAF_SHA3_##n##_params_s); \ - } \ - static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_update(decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \ - return decaf_sha3_update(sponge->s, in, inlen); \ - } \ - static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_final(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ - decaf_error_t ret = decaf_sha3_output(sponge->s, out, outlen); \ - decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \ - return ret; \ - } \ - static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_output(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ - return decaf_sha3_output(sponge->s, out, outlen); \ - } \ - static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \ - return decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHA3_##n##_params_s); \ - } \ - static inline void DECAF_NONNULL decaf_sha3_##n##_destroy(decaf_sha3_##n##_ctx_t sponge) { \ - decaf_sha3_destroy(sponge->s); \ - } -/** @endcond */ - -DECAF_DEC_SHAKE(128) -DECAF_DEC_SHAKE(256) -DECAF_DEC_SHA3(224) -DECAF_DEC_SHA3(256) -DECAF_DEC_SHA3(384) -DECAF_DEC_SHA3(512) -#undef DECAF_DEC_SHAKE -#undef DECAF_DEC_SHA3 - -#ifdef __cplusplus -} /* extern "C" */ -#endif - -#endif /* __DECAF_SHAKE_H__ */ diff --git a/crypto/ec/curve448/decaf_tables.c b/crypto/ec/curve448/decaf_tables.c index ab4e6d79c4..d7637f7cd8 100644 --- a/crypto/ec/curve448/decaf_tables.c +++ b/crypto/ec/curve448/decaf_tables.c 
@@ -1,7 +1,7 @@
 /** @warning: this file was automatically generated. */
 #include "field.h"
-#include
+#include "point_448.h"
 #define API_NS(_id) decaf_448_##_id
 const API_NS(point_t) API_NS(point_base) = {{
diff --git a/crypto/ec/curve448/ed448.h b/crypto/ec/curve448/ed448.h
new file mode 100644
index 0000000000..72e94d5807
--- /dev/null
+++ b/crypto/ec/curve448/ed448.h
@@ -0,0 +1,250 @@ +/** + * @file decaf/ed448.h + * @author Mike Hamburg + * + * @copyright + * Copyright (c) 2015-2016 Cryptography Research, Inc. \n + * Released under the MIT License. See LICENSE.txt for license information. + * + * @brief A group of prime order p, based on Ed448-Goldilocks. + * + * @warning This file was automatically generated in Python. + * Please do not edit it. + */ + +#ifndef __DECAF_ED448_H__ +#define __DECAF_ED448_H__ 1 + +#include "point_448.h" +#include "shake.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** Number of bytes in an EdDSA public key. */ +#define DECAF_EDDSA_448_PUBLIC_BYTES 57 + +/** Number of bytes in an EdDSA private key. */ +#define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES + +/** Number of bytes in an EdDSA private key. */ +#define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES) + +/** Does EdDSA support non-contextual signatures? */ +#define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0 + +/** Prehash context renaming macros. */ +#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s +#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t +#define decaf_ed448_prehash_update decaf_shake256_update +#define decaf_ed448_prehash_destroy decaf_shake256_destroy + +/** EdDSA encoding ratio. */ +#define DECAF_448_EDDSA_ENCODE_RATIO 4 + +/** EdDSA decoding ratio. */ +#define DECAF_448_EDDSA_DECODE_RATIO (4 / 4) + +/** + * @brief EdDSA key generation. This function uses a different (non-Decaf) + * encoding. + * + * @param [out] pubkey The public key. + * @param [in] privkey The private key. + */ +void decaf_ed448_derive_public_key ( + uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES] +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief EdDSA signing. + * + * @param [out] signature The signature. + * @param [in] privkey The private key. + * @param [in] pubkey The public key. 
+ * @param [in] message The message to sign. + * @param [in] message_len The length of the message. + * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign. + * @param [in] context A "context" for this signature of up to 255 bytes. + * @param [in] context_len Length of the context. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. + */ +void decaf_ed448_sign ( + uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, + size_t message_len, + uint8_t prehashed, + const uint8_t *context, + uint8_t context_len +) DECAF_API_VIS __attribute__((nonnull(1,2,3))) DECAF_NOINLINE; + +/** + * @brief EdDSA signing with prehash. + * + * @param [out] signature The signature. + * @param [in] privkey The private key. + * @param [in] pubkey The public key. + * @param [in] hash The hash of the message. This object will not be modified by the call. + * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. + * @param [in] context_len Length of the context. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. 
+ */ +void decaf_ed448_sign_prehash ( + uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + const decaf_ed448_prehash_ctx_t hash, + const uint8_t *context, + uint8_t context_len +) DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE; + +/** + * @brief Prehash initialization, with contexts if supported. + * + * @param [out] hash The hash object to be initialized. + */ +void decaf_ed448_prehash_init ( + decaf_ed448_prehash_ctx_t hash +) DECAF_API_VIS __attribute__((nonnull(1))) DECAF_NOINLINE; + +/** + * @brief EdDSA signature verification. + * + * Uses the standard (i.e. less-strict) verification formula. + * + * @param [in] signature The signature. + * @param [in] pubkey The public key. + * @param [in] message The message to verify. + * @param [in] message_len The length of the message. + * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify. + * @param [in] context A "context" for this signature of up to 255 bytes. + * @param [in] context_len Length of the context. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. + */ +decaf_error_t decaf_ed448_verify ( + const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, + size_t message_len, + uint8_t prehashed, + const uint8_t *context, + uint8_t context_len +) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE; + +/** + * @brief EdDSA signature verification. + * + * Uses the standard (i.e. less-strict) verification formula. + * + * @param [in] signature The signature. + * @param [in] pubkey The public key. 
+ * @param [in] hash The hash of the message. This object will not be modified by the call. + * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. + * @param [in] context_len Length of the context. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. + */ +decaf_error_t decaf_ed448_verify_prehash ( + const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + const decaf_ed448_prehash_ctx_t hash, + const uint8_t *context, + uint8_t context_len +) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE; + +/** + * @brief EdDSA point encoding. Used internally, exposed externally. + * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first. + * + * The multiplication is required because the EdDSA encoding represents + * the cofactor information, but the Decaf encoding ignores it (which + * is the whole point). So if you decode from EdDSA and re-encode to + * EdDSA, the cofactor info must get cleared, because the intermediate + * representation doesn't track it. + * + * The way libdecaf handles this is to multiply by + * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by + * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these + * ratios is always exactly the cofactor 4, so the cofactor + * ends up cleared one way or another. But exactly how that shakes + * out depends on the base points specified in RFC 8032. + * + * The upshot is that if you pass the Decaf/Ristretto base point to + * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the + * EdDSA base point. + * + * @param [out] enc The encoded point. + * @param [in] p The point. 
+ */ +void decaf_448_point_mul_by_ratio_and_encode_like_eddsa ( + uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES], + const decaf_448_point_t p +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO, + * and ignores cofactor information. + * + * See notes on decaf_448_point_mul_by_ratio_and_encode_like_eddsa + * + * @param [out] enc The encoded point. + * @param [in] p The point. + */ +decaf_error_t decaf_448_point_decode_like_eddsa_and_mul_by_ratio ( + decaf_448_point_t p, + const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES] +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief EdDSA to ECDH public key conversion + * Deserialize the point to get y on Edwards curve, + * Convert it to u coordinate on Montgomery curve. + * + * @warning This function does not check that the public key being converted + * is a valid EdDSA public key (FUTURE?) + * + * @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve) + * @param[in] ed The EdDSA public key(point on Edwards curve) + */ +void decaf_ed448_convert_public_key_to_x448 ( + uint8_t x[DECAF_X448_PUBLIC_BYTES], + const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES] +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief EdDSA to ECDH private key conversion + * Using the appropriate hash function, hash the EdDSA private key + * and keep only the lower bytes to get the ECDH private key + * + * @param[out] x The ECDH private key as in RFC7748 + * @param[in] ed The EdDSA private key + */ +void decaf_ed448_convert_private_key_to_x448 ( + uint8_t x[DECAF_X448_PRIVATE_BYTES], + const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES] +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#endif /* __DECAF_ED448_H__ */ diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index f6c1836658..9f68e31177 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c 
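Review bot: The doc comment above `DECAF_EDDSA_448_SIGNATURE_BYTES` reads "Number of bytes in an EdDSA private key", a copy of the line above it, while the constant is the signature length (PUBLIC_BYTES + PRIVATE_BYTES, i.e. 114); it should read `/** Number of bytes in an EdDSA signature. */`. This header is moved in from decaf/ed448.h rather than written fresh, so the error is carried over, but it is the new-side code being reviewed. Separately, `decaf_ed448_verify_prehash` is declared `__attribute__((nonnull(1,2)))` while its counterpart `decaf_ed448_sign_prehash` is `nonnull(1,2,3,4)`; if the verifier dereferences `hash` unconditionally as the signer is declared to, `nonnull(1,2,3)` would be the consistent contract — worth confirming against the definition in eddsa.c, which is outside this hunk. The repeated `@warning` paragraphs about Ed25519 prehash key reuse are noise in an Ed448-only header and could be trimmed to the single sentence that applies here ("For Ed448 it is safe to use the same key for prehashed and non-prehashed messages"). Note also that `decaf_ed448_convert_public_key_to_x448` documents that it performs no validation of the input public key, so any caller exposed to peer-supplied keys must validate (e.g. via `decaf_448_point_decode_like_eddsa_and_mul_by_ratio`) before converting.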
@@ -13,9 +13,8 @@ * Please do not edit it. */ #include "word.h" -#include -#include -#include +#include "ed448.h" +#include "shake.h" #include #define API_NAME "decaf_448" diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h new file mode 100644 index 0000000000..bc1cb43a00 --- /dev/null +++ b/crypto/ec/curve448/point_448.h 
@@ -0,0 +1,765 @@ +/** + * @file decaf/point_448.h + * @author Mike Hamburg + * + * @copyright + * Copyright (c) 2015-2016 Cryptography Research, Inc. \n + * Released under the MIT License. See LICENSE.txt for license information. + * + * @brief A group of prime order p, based on Ed448-Goldilocks. + * + * @warning This file was automatically generated in Python. + * Please do not edit it. + */ + +#ifndef __DECAF_POINT_448_H__ +#define __DECAF_POINT_448_H__ 1 + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond internal */ +#define DECAF_448_SCALAR_LIMBS ((446-1)/DECAF_WORD_BITS+1) +/** @endcond */ + +/** The number of bits in a scalar */ +#define DECAF_448_SCALAR_BITS 446 + +/** @cond internal */ +#ifndef __DECAF_448_GF_DEFINED__ +#define __DECAF_448_GF_DEFINED__ 1 +/** @brief Galois field element internal structure */ +typedef struct gf_448_s { + decaf_word_t limb[512/DECAF_WORD_BITS]; +} __attribute__((aligned(32))) gf_448_s, gf_448_t[1]; +#endif /* __DECAF_448_GF_DEFINED__ */ +/** @endcond */ + +/** Number of bytes in a serialized point. */ +#define DECAF_448_SER_BYTES 56 + +/** Number of bytes in an elligated point. For now set the same as SER_BYTES + * but could be different for other curves. + */ +#define DECAF_448_HASH_BYTES 56 + +/** Number of bytes in a serialized scalar. */ +#define DECAF_448_SCALAR_BYTES 56 + +/** Number of bits in the "which" field of an elligator inverse */ +#define DECAF_448_INVERT_ELLIGATOR_WHICH_BITS 3 + +/** The cofactor the curve would have, if we hadn't removed it */ +#define DECAF_448_REMOVED_COFACTOR 4 + +/** X448 encoding ratio. 
*/ +#define DECAF_X448_ENCODE_RATIO 2 + +/** Number of bytes in an x448 public key */ +#define DECAF_X448_PUBLIC_BYTES 56 + +/** Number of bytes in an x448 private key */ +#define DECAF_X448_PRIVATE_BYTES 56 + +/** Twisted Edwards extended homogeneous coordinates */ +typedef struct decaf_448_point_s { + /** @cond internal */ + gf_448_t x,y,z,t; + /** @endcond */ +} decaf_448_point_t[1]; + +/** Precomputed table based on a point. Can be trivial implementation. */ +struct decaf_448_precomputed_s; + +/** Precomputed table based on a point. Can be trivial implementation. */ +typedef struct decaf_448_precomputed_s decaf_448_precomputed_s; + +/** Size and alignment of precomputed point tables. */ +extern const size_t decaf_448_sizeof_precomputed_s DECAF_API_VIS, decaf_448_alignof_precomputed_s DECAF_API_VIS; + +/** Scalar is stored packed, because we don't need the speed. */ +typedef struct decaf_448_scalar_s { + /** @cond internal */ + decaf_word_t limb[DECAF_448_SCALAR_LIMBS]; + /** @endcond */ +} decaf_448_scalar_t[1]; + +/** A scalar equal to 1. */ +extern const decaf_448_scalar_t decaf_448_scalar_one DECAF_API_VIS; + +/** A scalar equal to 0. */ +extern const decaf_448_scalar_t decaf_448_scalar_zero DECAF_API_VIS; + +/** The identity point on the curve. */ +extern const decaf_448_point_t decaf_448_point_identity DECAF_API_VIS; + +/** An arbitrarily chosen base point on the curve. */ +extern const decaf_448_point_t decaf_448_point_base DECAF_API_VIS; + +/** Precomputed table for the base point on the curve. */ +extern const struct decaf_448_precomputed_s *decaf_448_precomputed_base DECAF_API_VIS; + +/** + * @brief Read a scalar from wire format or from bytes. + * + * @param [in] ser Serialized form of a scalar. + * @param [out] out Deserialized form. + * + * @retval DECAF_SUCCESS The scalar was correctly encoded. + * @retval DECAF_FAILURE The scalar was greater than the modulus, + * and has been reduced modulo that modulus. 
+ */ +decaf_error_t decaf_448_scalar_decode ( + decaf_448_scalar_t out, + const unsigned char ser[DECAF_448_SCALAR_BYTES] +) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Read a scalar from wire format or from bytes. Reduces mod + * scalar prime. + * + * @param [in] ser Serialized form of a scalar. + * @param [in] ser_len Length of serialized form. + * @param [out] out Deserialized form. + */ +void decaf_448_scalar_decode_long ( + decaf_448_scalar_t out, + const unsigned char *ser, + size_t ser_len +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Serialize a scalar to wire format. + * + * @param [out] ser Serialized form of a scalar. + * @param [in] s Deserialized scalar. + */ +void decaf_448_scalar_encode ( + unsigned char ser[DECAF_448_SCALAR_BYTES], + const decaf_448_scalar_t s +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE; + +/** + * @brief Add two scalars. The scalars may use the same memory. + * @param [in] a One scalar. + * @param [in] b Another scalar. + * @param [out] out a+b. + */ +void decaf_448_scalar_add ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Compare two scalars. + * @param [in] a One scalar. + * @param [in] b Another scalar. + * @retval DECAF_TRUE The scalars are equal. + * @retval DECAF_FALSE The scalars are not equal. + */ +decaf_bool_t decaf_448_scalar_eq ( + const decaf_448_scalar_t a, + const decaf_448_scalar_t b +) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Subtract two scalars. The scalars may use the same memory. + * @param [in] a One scalar. + * @param [in] b Another scalar. + * @param [out] out a-b. + */ +void decaf_448_scalar_sub ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Multiply two scalars. 
The scalars may use the same memory. + * @param [in] a One scalar. + * @param [in] b Another scalar. + * @param [out] out a*b. + */ +void decaf_448_scalar_mul ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** +* @brief Halve a scalar. The scalars may use the same memory. +* @param [in] a A scalar. +* @param [out] out a/2. +*/ +void decaf_448_scalar_halve ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Invert a scalar. When passed zero, return 0. The input and output may alias. + * @param [in] a A scalar. + * @param [out] out 1/a. + * @return DECAF_SUCCESS The input is nonzero. + */ +decaf_error_t decaf_448_scalar_invert ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a +) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Copy a scalar. The scalars may use the same memory, in which + * case this function does nothing. + * @param [in] a A scalar. + * @param [out] out Will become a copy of a. + */ +static inline void DECAF_NONNULL decaf_448_scalar_copy ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a +) { + *out = *a; +} + +/** + * @brief Set a scalar to an unsigned 64-bit integer. + * @param [in] a An integer. + * @param [out] out Will become equal to a. + */ +void decaf_448_scalar_set_unsigned ( + decaf_448_scalar_t out, + uint64_t a +) DECAF_API_VIS DECAF_NONNULL; + +/** + * @brief Encode a point as a sequence of bytes. + * + * @param [out] ser The byte representation of the point. + * @param [in] pt The point to encode. + */ +void decaf_448_point_encode ( + uint8_t ser[DECAF_448_SER_BYTES], + const decaf_448_point_t pt +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Decode a point from a sequence of bytes. + * + * Every point has a unique encoding, so not every + * sequence of bytes is a valid encoding. 
If an invalid + * encoding is given, the output is undefined. + * + * @param [out] pt The decoded point. + * @param [in] ser The serialized version of the point. + * @param [in] allow_identity DECAF_TRUE if the identity is a legal input. + * @retval DECAF_SUCCESS The decoding succeeded. + * @retval DECAF_FAILURE The decoding didn't succeed, because + * ser does not represent a point. + */ +decaf_error_t decaf_448_point_decode ( + decaf_448_point_t pt, + const uint8_t ser[DECAF_448_SER_BYTES], + decaf_bool_t allow_identity +) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Copy a point. The input and output may alias, + * in which case this function does nothing. + * + * @param [out] a A copy of the point. + * @param [in] b Any point. + */ +static inline void DECAF_NONNULL decaf_448_point_copy ( + decaf_448_point_t a, + const decaf_448_point_t b +) { + *a=*b; +} + +/** + * @brief Test whether two points are equal. If yes, return + * DECAF_TRUE, else return DECAF_FALSE. + * + * @param [in] a A point. + * @param [in] b Another point. + * @retval DECAF_TRUE The points are equal. + * @retval DECAF_FALSE The points are not equal. + */ +decaf_bool_t decaf_448_point_eq ( + const decaf_448_point_t a, + const decaf_448_point_t b +) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Add two points to produce a third point. The + * input points and output point can be pointers to the same + * memory. + * + * @param [out] sum The sum a+b. + * @param [in] a An addend. + * @param [in] b An addend. + */ +void decaf_448_point_add ( + decaf_448_point_t sum, + const decaf_448_point_t a, + const decaf_448_point_t b +) DECAF_API_VIS DECAF_NONNULL; + +/** + * @brief Double a point. Equivalent to + * decaf_448_point_add(two_a,a,a), but potentially faster. + * + * @param [out] two_a The sum a+a. + * @param [in] a A point. 
+ */ +void decaf_448_point_double ( + decaf_448_point_t two_a, + const decaf_448_point_t a +) DECAF_API_VIS DECAF_NONNULL; + +/** + * @brief Subtract two points to produce a third point. The + * input points and output point can be pointers to the same + * memory. + * + * @param [out] diff The difference a-b. + * @param [in] a The minuend. + * @param [in] b The subtrahend. + */ +void decaf_448_point_sub ( + decaf_448_point_t diff, + const decaf_448_point_t a, + const decaf_448_point_t b +) DECAF_API_VIS DECAF_NONNULL; + +/** + * @brief Negate a point to produce another point. The input + * and output points can use the same memory. + * + * @param [out] nega The negated input point + * @param [in] a The input point. + */ +void decaf_448_point_negate ( + decaf_448_point_t nega, + const decaf_448_point_t a +) DECAF_API_VIS DECAF_NONNULL; + +/** + * @brief Multiply a base point by a scalar: scaled = scalar*base. + * + * @param [out] scaled The scaled point base*scalar + * @param [in] base The point to be scaled. + * @param [in] scalar The scalar to multiply by. + */ +void decaf_448_point_scalarmul ( + decaf_448_point_t scaled, + const decaf_448_point_t base, + const decaf_448_scalar_t scalar +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Multiply a base point by a scalar: scaled = scalar*base. + * This function operates directly on serialized forms. + * + * @warning This function is experimental. It may not be supported + * long-term. + * + * @param [out] scaled The scaled point base*scalar + * @param [in] base The point to be scaled. + * @param [in] scalar The scalar to multiply by. + * @param [in] allow_identity Allow the input to be the identity. + * @param [in] short_circuit Allow a fast return if the input is illegal. + * + * @retval DECAF_SUCCESS The scalarmul succeeded. + * @retval DECAF_FAILURE The scalarmul didn't succeed, because + * base does not represent a point. 
+ */ +decaf_error_t decaf_448_direct_scalarmul ( + uint8_t scaled[DECAF_448_SER_BYTES], + const uint8_t base[DECAF_448_SER_BYTES], + const decaf_448_scalar_t scalar, + decaf_bool_t allow_identity, + decaf_bool_t short_circuit +) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE; + +/** + * @brief RFC 7748 Diffie-Hellman scalarmul. This function uses a different + * (non-Decaf) encoding. + * + * @param [out] scaled The scaled point base*scalar + * @param [in] base The point to be scaled. + * @param [in] scalar The scalar to multiply by. + * + * @retval DECAF_SUCCESS The scalarmul succeeded. + * @retval DECAF_FAILURE The scalarmul didn't succeed, because the base + * point is in a small subgroup. + */ +decaf_error_t decaf_x448 ( + uint8_t out[DECAF_X448_PUBLIC_BYTES], + const uint8_t base[DECAF_X448_PUBLIC_BYTES], + const uint8_t scalar[DECAF_X448_PRIVATE_BYTES] +) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE; + +/** + * @brief Multiply a point by DECAF_X448_ENCODE_RATIO, + * then encode it like RFC 7748. + * + * This function is mainly used internally, but is exported in case + * it will be useful. + * + * The ratio is necessary because the internal representation doesn't + * track the cofactor information, so on output we must clear the cofactor. + * This would multiply by the cofactor, but in fact internally libdecaf's + * points are always even, so it multiplies by half the cofactor instead. + * + * As it happens, this aligns with the base point definitions; that is, + * if you pass the Decaf/Ristretto base point to this function, the result + * will be DECAF_X448_ENCODE_RATIO times the X448 + * base point. + * + * @param [out] out The scaled and encoded point. + * @param [in] p The point to be scaled and encoded. 
+ */ +void decaf_448_point_mul_by_ratio_and_encode_like_x448 ( + uint8_t out[DECAF_X448_PUBLIC_BYTES], + const decaf_448_point_t p +) DECAF_API_VIS DECAF_NONNULL; + +/** The base point for X448 Diffie-Hellman */ +extern const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] DECAF_API_VIS; + +/** + * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses + * a different (non-Decaf) encoding. + * + * @deprecated Renamed to decaf_x448_derive_public_key. + * I have no particular timeline for removing this name. + * + * @param [out] scaled The scaled point base*scalar + * @param [in] scalar The scalar to multiply by. + */ +void decaf_x448_generate_key ( + uint8_t out[DECAF_X448_PUBLIC_BYTES], + const uint8_t scalar[DECAF_X448_PRIVATE_BYTES] +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED("Renamed to decaf_x448_derive_public_key"); + +/** + * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses + * a different (non-Decaf) encoding. + * + * Does exactly the same thing as decaf_x448_generate_key, + * but has a better name. + * + * @param [out] scaled The scaled point base*scalar + * @param [in] scalar The scalar to multiply by. + */ +void decaf_x448_derive_public_key ( + uint8_t out[DECAF_X448_PUBLIC_BYTES], + const uint8_t scalar[DECAF_X448_PRIVATE_BYTES] +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/* FUTURE: uint8_t decaf_448_encode_like_curve448) */ + +/** + * @brief Precompute a table for fast scalar multiplication. + * Some implementations do not include precomputed points; for + * those implementations, this implementation simply copies the + * point. + * + * @param [out] a A precomputed table of multiples of the point. + * @param [in] b Any point. + */ +void decaf_448_precompute ( + decaf_448_precomputed_s *a, + const decaf_448_point_t b +) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE; + +/** + * @brief Multiply a precomputed base point by a scalar: + * scaled = scalar*base. 
+ * Some implementations do not include precomputed points; for
+ * those implementations, this function is the same as
+ * decaf_448_point_scalarmul
+ *
+ * @param [out] scaled The scaled point base*scalar
+ * @param [in] base The point to be scaled.
+ * @param [in] scalar The scalar to multiply by.
+ */
+void decaf_448_precomputed_scalarmul (
+ decaf_448_point_t scaled,
+ const decaf_448_precomputed_s *base,
+ const decaf_448_scalar_t scalar
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Multiply two base points by two scalars:
+ * scaled = scalar1*base1 + scalar2*base2.
+ *
+ * Equivalent to two calls to decaf_448_point_scalarmul, but may be
+ * faster.
+ *
+ * @param [out] combo The linear combination scalar1*base1 + scalar2*base2.
+ * @param [in] base1 A first point to be scaled.
+ * @param [in] scalar1 A first scalar to multiply by.
+ * @param [in] base2 A second point to be scaled.
+ * @param [in] scalar2 A second scalar to multiply by.
+ */
+void decaf_448_point_double_scalarmul (
+ decaf_448_point_t combo,
+ const decaf_448_point_t base1,
+ const decaf_448_scalar_t scalar1,
+ const decaf_448_point_t base2,
+ const decaf_448_scalar_t scalar2
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * Multiply one base point by two scalars:
+ *
+ * a1 = scalar1 * base
+ * a2 = scalar2 * base
+ *
+ * Equivalent to two calls to decaf_448_point_scalarmul, but may be
+ * faster.
+ *
+ * @param [out] a1 The first multiple. It may be the same as the input point.
+ * @param [out] a2 The second multiple. It may be the same as the input point.
+ * @param [in] base1 A point to be scaled.
+ * @param [in] scalar1 A first scalar to multiply by.
+ * @param [in] scalar2 A second scalar to multiply by.
+ */
+void decaf_448_point_dual_scalarmul (
+ decaf_448_point_t a1,
+ decaf_448_point_t a2,
+ const decaf_448_point_t base1,
+ const decaf_448_scalar_t scalar1,
+ const decaf_448_scalar_t scalar2
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Multiply two base points by two scalars:
+ * scaled = scalar1*decaf_448_point_base + scalar2*base2.
+ *
+ * Otherwise equivalent to decaf_448_point_double_scalarmul, but may be
+ * faster at the expense of being variable time.
+ *
+ * @param [out] combo The linear combination scalar1*base + scalar2*base2.
+ * @param [in] scalar1 A first scalar to multiply by.
+ * @param [in] base2 A second point to be scaled.
+ * @param [in] scalar2 A second scalar to multiply by.
+ *
+ * @warning: This function takes variable time, and may leak the scalars
+ * used. It is designed for signature verification.
+ */
+void decaf_448_base_double_scalarmul_non_secret (
+ decaf_448_point_t combo,
+ const decaf_448_scalar_t scalar1,
+ const decaf_448_point_t base2,
+ const decaf_448_scalar_t scalar2
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Constant-time decision between two points. If pick_b
+ * is zero, out = a; else out = b.
+ *
+ * @param [out] out The output. It may be the same as either input.
+ * @param [in] a Any point.
+ * @param [in] b Any point.
+ * @param [in] pick_b If nonzero, choose point b.
+ */
+void decaf_448_point_cond_sel (
+ decaf_448_point_t out,
+ const decaf_448_point_t a,
+ const decaf_448_point_t b,
+ decaf_word_t pick_b
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Constant-time decision between two scalars. If pick_b
+ * is zero, out = a; else out = b.
+ *
+ * @param [out] out The output. It may be the same as either input.
+ * @param [in] a Any scalar.
+ * @param [in] b Any scalar.
+ * @param [in] pick_b If nonzero, choose scalar b.
+ */
+void decaf_448_scalar_cond_sel (
+ decaf_448_scalar_t out,
+ const decaf_448_scalar_t a,
+ const decaf_448_scalar_t b,
+ decaf_word_t pick_b
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Test that a point is valid, for debugging purposes.
+ *
+ * @param [in] to_test The point to test.
+ * @retval DECAF_TRUE The point is valid.
+ * @retval DECAF_FALSE The point is invalid.
+ */
+decaf_bool_t decaf_448_point_valid (
+ const decaf_448_point_t to_test
+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Torque a point, for debugging purposes. The output
+ * will be equal to the input.
+ *
+ * @param [out] q The point to torque.
+ * @param [in] p The point to torque.
+ */
+void decaf_448_point_debugging_torque (
+ decaf_448_point_t q,
+ const decaf_448_point_t p
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Projectively scale a point, for debugging purposes.
+ * The output will be equal to the input, and will be valid
+ * even if the factor is zero.
+ *
+ * @param [out] q The point to scale.
+ * @param [in] p The point to scale.
+ * @param [in] factor Serialized GF factor to scale.
+ */
+void decaf_448_point_debugging_pscale (
+ decaf_448_point_t q,
+ const decaf_448_point_t p,
+ const unsigned char factor[DECAF_448_SER_BYTES]
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Almost-Elligator-like hash to curve.
+ *
+ * Call this function with the output of a hash to make a hash to the curve.
+ *
+ * This function runs Elligator2 on the decaf_448 Jacobi quartic model. It then
+ * uses the isogeny to put the result in twisted Edwards form. As a result,
+ * it is safe (cannot produce points of order 4), and would be compatible with
+ * hypothetical other implementations of Decaf using a Montgomery or untwisted
+ * Edwards model.
+ *
+ * Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:
+ * A factor of 2 due to the isogeny.
+ * A factor of 2 because we quotient out the 2-torsion.
+ *
+ * This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.
+ *
+ * Negating the input (mod q) results in the same point. Inverting the input
+ * (mod q) results in the negative point. This is the same as Elligator.
+ *
+ * This function isn't quite indifferentiable from a random oracle.
+ * However, it is suitable for many protocols, including SPEKE and SPAKE2 EE.
+ * Furthermore, calling it twice with independent seeds and adding the results
+ * is indifferentiable from a random oracle.
+ *
+ * @param [in] hashed_data Output of some hash function.
+ * @param [out] pt The data hashed to the curve.
+ */
+void
+decaf_448_point_from_hash_nonuniform (
+ decaf_448_point_t pt,
+ const unsigned char hashed_data[DECAF_448_HASH_BYTES]
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Indifferentiable hash function encoding to curve.
+ *
+ * Equivalent to calling decaf_448_point_from_hash_nonuniform twice and adding.
+ *
+ * @param [in] hashed_data Output of some hash function.
+ * @param [out] pt The data hashed to the curve.
+ */
+void decaf_448_point_from_hash_uniform (
+ decaf_448_point_t pt,
+ const unsigned char hashed_data[2*DECAF_448_HASH_BYTES]
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+
+/**
+ * @brief Inverse of elligator-like hash to curve.
+ *
+ * This function writes to the buffer, to make it so that
+ * decaf_448_point_from_hash_nonuniform(buffer) = pt if
+ * possible. Since there may be multiple preimages, the
+ * "which" parameter chooses between them. To ensure uniform
+ * inverse sampling, this function succeeds or fails
+ * independently for different "which" values.
+ *
+ * This function isn't guaranteed to find every possible
+ * preimage, but it finds all except a small finite number.
+ * In particular, when the number of bits in the modulus isn't
+ * a multiple of 8 (i.e.
for curve25519), it sets the high bits
+ * independently, which enables the generated data to be uniform.
+ * But it doesn't add p, so you'll never get exactly p from this
+ * function. This might change in the future, especially if
+ * we ever support eg Brainpool curves, where this could cause
+ * real nonuniformity.
+ *
+ * @param [out] recovered_hash Encoded data.
+ * @param [in] pt The point to encode.
+ * @param [in] which A value determining which inverse point
+ * to return.
+ *
+ * @retval DECAF_SUCCESS The inverse succeeded.
+ * @retval DECAF_FAILURE The inverse failed.
+ */
+decaf_error_t
+decaf_448_invert_elligator_nonuniform (
+ unsigned char recovered_hash[DECAF_448_HASH_BYTES],
+ const decaf_448_point_t pt,
+ uint32_t which
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
+
+/**
+ * @brief Inverse of elligator-like hash to curve.
+ *
+ * This function writes to the buffer, to make it so that
+ * decaf_448_point_from_hash_uniform(buffer) = pt if
+ * possible. Since there may be multiple preimages, the
+ * "which" parameter chooses between them. To ensure uniform
+ * inverse sampling, this function succeeds or fails
+ * independently for different "which" values.
+ *
+ * @param [out] recovered_hash Encoded data.
+ * @param [in] pt The point to encode.
+ * @param [in] which A value determining which inverse point
+ * to return.
+ *
+ * @retval DECAF_SUCCESS The inverse succeeded.
+ * @retval DECAF_FAILURE The inverse failed.
+ */
+decaf_error_t
+decaf_448_invert_elligator_uniform (
+ unsigned char recovered_hash[2*DECAF_448_HASH_BYTES],
+ const decaf_448_point_t pt,
+ uint32_t which
+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
+
+/**
+ * @brief Overwrite scalar with zeros.
+ */
+void decaf_448_scalar_destroy (
+ decaf_448_scalar_t scalar
+) DECAF_NONNULL DECAF_API_VIS;
+
+/**
+ * @brief Overwrite point with zeros.
+ */
+void decaf_448_point_destroy (
+ decaf_448_point_t point
+) DECAF_NONNULL DECAF_API_VIS;
+
+/**
+ * @brief Overwrite precomputed table with zeros.
+ */
+void decaf_448_precomputed_destroy (
+ decaf_448_precomputed_s *pre
+) DECAF_NONNULL DECAF_API_VIS;
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* __DECAF_POINT_448_H__ */
diff --git a/crypto/ec/curve448/scalar.c b/crypto/ec/curve448/scalar.c
index 1c98ac91d4..6f9c371e79 100644
--- a/crypto/ec/curve448/scalar.c
+++ b/crypto/ec/curve448/scalar.c
@@ -13,7 +13,7 @@
  */
 #include "word.h"
 #include "constant_time.h"
-#include
+#include "point_448.h"
 /* Template stuff */
 #define API_NS(_id) decaf_448_##_id
diff --git a/crypto/ec/curve448/shake.c b/crypto/ec/curve448/shake.c
index 7cd3a5b173..aab044691f 100644
--- a/crypto/ec/curve448/shake.c
+++ b/crypto/ec/curve448/shake.c
@@ -20,7 +20,7 @@
 #include "portable_endian.h"
 #include "keccak_internal.h"
-#include
+#include "shake.h"
 #define FLAG_ABSORBING 'A'
 #define FLAG_SQUEEZING 'Z'
diff --git a/crypto/ec/curve448/shake.h b/crypto/ec/curve448/shake.h
new file mode 100644
index 0000000000..ae125b923a
--- /dev/null
+++ b/crypto/ec/curve448/shake.h
@@ -0,0 +1,219 @@
+/**
+ * @file decaf/shake.h
+ * @copyright
+ * Based on CC0 code by David Leon Gil, 2015 \n
+ * Copyright (c) 2015 Cryptography Research, Inc. \n
+ * Released under the MIT License. See LICENSE.txt for license information.
+ * @author Mike Hamburg
+ * @brief SHA-3-n and DECAF_SHAKE-n instances.
+ */
+
+#ifndef __DECAF_SHAKE_H__
+#define __DECAF_SHAKE_H__
+
+#include
+#include
+#include /* for NULL */
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef INTERNAL_SPONGE_STRUCT
+ /** Sponge container object for the various primitives. */
+ typedef struct decaf_keccak_sponge_s {
+ /** @cond internal */
+ uint64_t opaque[26];
+ /** @endcond */
+ } decaf_keccak_sponge_s;
+
+ /** Convenience GMP-style one-element array version */
+ typedef struct decaf_keccak_sponge_s decaf_keccak_sponge_t[1];
+
+ /** Parameters for sponge construction, distinguishing DECAF_SHA3 and
+ * DECAF_SHAKE instances.
+ */
+ struct decaf_kparams_s;
+#endif
+
+/**
+ * @brief Initialize a sponge context object.
+ * @param [out] sponge The object to initialize.
+ * @param [in] params The sponge's parameter description.
+ */
+void decaf_sha3_init (
+ decaf_keccak_sponge_t sponge,
+ const struct decaf_kparams_s *params
+) DECAF_API_VIS;
+
+/**
+ * @brief Absorb data into a DECAF_SHA3 or DECAF_SHAKE hash context.
+ * @param [inout] sponge The context.
+ * @param [in] in The input data.
+ * @param [in] len The input data's length in bytes.
+ * @return DECAF_FAILURE if the sponge has already been used for output.
+ * @return DECAF_SUCCESS otherwise.
+ */
+decaf_error_t decaf_sha3_update (
+ struct decaf_keccak_sponge_s * __restrict__ sponge,
+ const uint8_t *in,
+ size_t len
+) DECAF_API_VIS;
+
+/**
+ * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
+ * This does not destroy or re-initialize the hash context, and
+ * decaf_sha3 output can be called more times.
+ *
+ * @param [inout] sponge The context.
+ * @param [out] out The output data.
+ * @param [in] len The requested output data length in bytes.
+ * @return DECAF_FAILURE if the sponge has exhausted its output capacity.
+ * @return DECAF_SUCCESS otherwise.
+ */
+decaf_error_t decaf_sha3_output (
+ decaf_keccak_sponge_t sponge,
+ uint8_t * __restrict__ out,
+ size_t len
+) DECAF_API_VIS;
+
+/**
+ * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
+ * This re-initializes the context to its starting parameters.
+ *
+ * @param [inout] sponge The context.
+ * @param [out] out The output data.
+ * @param [in] len The requested output data length in bytes.
+ */
+decaf_error_t decaf_sha3_final (
+ decaf_keccak_sponge_t sponge,
+ uint8_t * __restrict__ out,
+ size_t len
+) DECAF_API_VIS;
+
+/**
+ * @brief Reset the sponge to the empty string.
+ *
+ * @param [inout] sponge The context.
+ */
+void decaf_sha3_reset (
+ decaf_keccak_sponge_t sponge
+) DECAF_API_VIS;
+
+/**
+ * @brief Return the default output length of the sponge construction,
+ * for the purpose of C++ default operators.
+ *
+ * Returns n/8 for DECAF_SHA3-n and 2n/8 for DECAF_SHAKE-n.
+ */
+size_t decaf_sha3_default_output_bytes (
+ const decaf_keccak_sponge_t sponge /**< [inout] The context. */
+) DECAF_API_VIS;
+
+/**
+ * @brief Return the default output length of the sponge construction,
+ * for the purpose of C++ default operators.
+ *
+ * Returns n/8 for DECAF_SHA3-n and SIZE_MAX for DECAF_SHAKE-n.
+ */
+size_t decaf_sha3_max_output_bytes (
+ const decaf_keccak_sponge_t sponge /**< [inout] The context. */
+) DECAF_API_VIS;
+
+/**
+ * @brief Destroy a DECAF_SHA3 or DECAF_SHAKE sponge context by overwriting it with 0.
+ * @param [out] sponge The context.
+ */
+void decaf_sha3_destroy (
+ decaf_keccak_sponge_t sponge
+) DECAF_API_VIS;
+
+/**
+ * @brief Hash (in) to (out)
+ * @param [in] in The input data.
+ * @param [in] inlen The length of the input data.
+ * @param [out] out A buffer for the output data.
+ * @param [in] outlen The length of the output data.
+ * @param [in] params The parameters of the sponge hash.
+ */
+decaf_error_t decaf_sha3_hash (
+ uint8_t *out,
+ size_t outlen,
+ const uint8_t *in,
+ size_t inlen,
+ const struct decaf_kparams_s *params
+) DECAF_API_VIS;
+
+/* FUTURE: expand/doxygenate individual DECAF_SHAKE/DECAF_SHA3 instances? */
+
+/** @cond internal */
+#define DECAF_DEC_SHAKE(n) \
+ extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s DECAF_API_VIS; \
+ typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \
+ static inline void DECAF_NONNULL decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \
+ decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
+ } \
+ static inline void DECAF_NONNULL decaf_shake##n##_gen_init(decaf_keccak_sponge_t sponge) { \
+ decaf_sha3_init(sponge, &DECAF_SHAKE##n##_params_s); \
+ } \
+ static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_update(decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
+ return decaf_sha3_update(sponge->s, in, inlen); \
+ } \
+ static inline void DECAF_NONNULL decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
+ decaf_sha3_output(sponge->s, out, outlen); \
+ decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
+ } \
+ static inline void DECAF_NONNULL decaf_shake##n##_output(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
+ decaf_sha3_output(sponge->s, out, outlen); \
+ } \
+ static inline void DECAF_NONNULL decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
+ decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHAKE##n##_params_s); \
+ } \
+ static inline void DECAF_NONNULL decaf_shake##n##_destroy( decaf_shake##n##_ctx_t sponge ) { \
+ decaf_sha3_destroy(sponge->s); \
+ }
+
+#define DECAF_DEC_SHA3(n) \
+ extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s DECAF_API_VIS; \
+ typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; }
decaf_sha3_##n##_ctx_t[1]; \
+ static inline void DECAF_NONNULL decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \
+ decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
+ } \
+ static inline void DECAF_NONNULL decaf_sha3_##n##_gen_init(decaf_keccak_sponge_t sponge) { \
+ decaf_sha3_init(sponge, &DECAF_SHA3_##n##_params_s); \
+ } \
+ static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_update(decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
+ return decaf_sha3_update(sponge->s, in, inlen); \
+ } \
+ static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_final(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
+ decaf_error_t ret = decaf_sha3_output(sponge->s, out, outlen); \
+ decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
+ return ret; \
+ } \
+ static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_output(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
+ return decaf_sha3_output(sponge->s, out, outlen); \
+ } \
+ static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
+ return decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHA3_##n##_params_s); \
+ } \
+ static inline void DECAF_NONNULL decaf_sha3_##n##_destroy(decaf_sha3_##n##_ctx_t sponge) { \
+ decaf_sha3_destroy(sponge->s); \
+ }
+/** @endcond */
+
+DECAF_DEC_SHAKE(128)
+DECAF_DEC_SHAKE(256)
+DECAF_DEC_SHA3(224)
+DECAF_DEC_SHA3(256)
+DECAF_DEC_SHA3(384)
+DECAF_DEC_SHA3(512)
+#undef DECAF_DEC_SHAKE
+#undef DECAF_DEC_SHA3
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* __DECAF_SHAKE_H__ */
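Review bot: The `DECAF_DEC_SHAKE(n)` wrappers `decaf_shake##n##_final`, `decaf_shake##n##_output` and `decaf_shake##n##_hash` are declared `void` and drop the `decaf_error_t` that `decaf_sha3_output` and `decaf_sha3_hash` return, whereas the parallel `DECAF_DEC_SHA3(n)` wrappers in the same hunk propagate it; a caller of `decaf_shake256_hash` therefore cannot observe a failure even though `decaf_sha3_output` is documented to return `DECAF_FAILURE` when the sponge has exhausted its output capacity. Giving the SHAKE wrappers the same `decaf_error_t` signature as their SHA3 counterparts (below) keeps the two macro families consistent and lets callers check the result; existing callers that ignore the value are unaffected. Two documentation points in the same hunk: the `@brief` of `decaf_sha3_max_output_bytes` is copied from `decaf_sha3_default_output_bytes` and should read `Return the maximum output length of the sponge construction`, and `decaf_sha3_final` returns `decaf_error_t` but its comment carries no `@return`. The `@file decaf/shake.h` line also still names the old directory, if this header is the moved `decaf/shake.h`.
```c
#define DECAF_DEC_SHAKE(n) \
    /* … unchanged: params extern, ctx typedef, _init, _gen_init, _update … */ \
    static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
        decaf_error_t ret = decaf_sha3_output(sponge->s, out, outlen); \
        decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
        return ret; \
    } \
    static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_output(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
        return decaf_sha3_output(sponge->s, out, outlen); \
    } \
    static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
        return decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHAKE##n##_params_s); \
    } \
    /* … unchanged: _destroy … */
```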