#define COMBS_N 5
#define COMBS_T 5
#define COMBS_S 18
-#define DECAF_WINDOW_BITS 5
#define DECAF_WNAF_FIXED_TABLE_BITS 5
#define DECAF_WNAF_VAR_TABLE_BITS 3
}
};
-const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] = { 0x05 };
-
#define TWISTED_D ((EDWARDS_D)-1)
-#define EFF_D (-(TWISTED_D))
-#define NEG_D 1
-
-/* End of template stuff */
-
#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
/* Projective Niels coordinates */
typedef struct {
niels_t n;
gf z;
-} VECTOR_ALIGNED pniels_s, pniels_t[1];
+} VECTOR_ALIGNED pniels_t[1];
/* Precomputed base */
struct curve448_precomputed_s {
return decaf_succeed_if(mask_to_bool(nz));
}
-/* Thanks Johan Pascal */
-void decaf_ed448_convert_public_key_to_x448(uint8_t x[DECAF_X448_PUBLIC_BYTES],
- const uint8_t
- ed[DECAF_EDDSA_448_PUBLIC_BYTES])
-{
- gf y;
- const uint8_t mask = (uint8_t)(0xFE << (7));
- ignore_result(gf_deserialize(y, ed, 1, mask));
-
- {
- gf n, d;
-
- /* u = y^2 * (1-dy^2) / (1-y^2) */
- gf_sqr(n, y); /* y^2 */
- gf_sub(d, ONE, n); /* 1-y^2 */
- gf_invert(d, d, 0); /* 1/(1-y^2) */
- gf_mul(y, n, d); /* y^2 / (1-y^2) */
- gf_mulw(d, n, EDWARDS_D); /* dy^2 */
- gf_sub(d, ONE, d); /* 1-dy^2 */
- gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
- gf_serialize(x, n, 1);
-
- OPENSSL_cleanse(y, sizeof(y));
- OPENSSL_cleanse(n, sizeof(n));
- OPENSSL_cleanse(d, sizeof(d));
- }
-}
-
void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t
out[X_PUBLIC_BYTES],
const curve448_point_t p)
return (decaf_error_t) x;
}
-/* Return DECAF_TRUE iff x == DECAF_SUCCESS */
-static ossl_inline decaf_bool_t decaf_successful(decaf_error_t e)
-{
- decaf_dword_t w = ((decaf_word_t) e) ^ ((decaf_word_t) DECAF_SUCCESS);
- return (w - 1) >> DECAF_WORD_BITS;
-}
-
#ifdef __cplusplus
} /* extern "C" */
#endif
# define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + \
DECAF_EDDSA_448_PRIVATE_BYTES)
-/* Does EdDSA support non-contextual signatures? */
-# define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0
-
/* EdDSA encoding ratio. */
# define DECAF_448_EDDSA_ENCODE_RATIO 4
curve448_point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]);
-/*
- * EdDSA to ECDH public key conversion
- * Deserialize the point to get y on Edwards curve,
- * Convert it to u coordinate on Montgomery curve.
- *
- * This function does not check that the public key being converted is a valid
- * EdDSA public key (FUTURE?)
- *
- * x (out): The ECDH public key as in RFC7748(point on Montgomery curve)
- * ed (in): The EdDSA public key(point on Edwards curve)
- */
-void decaf_ed448_convert_public_key_to_x448(
- uint8_t x[DECAF_X448_PUBLIC_BYTES],
- const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]);
-
/*
* EdDSA to ECDH private key conversion
* Using the appropriate hash function, hash the EdDSA private key
#include <string.h>
#include "internal/numbers.h"
-#define API_NAME "decaf_448"
-
-#define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS
-#define EDDSA_USE_SIGMA_ISOGENY 0
#define COFACTOR 4
-#define EDDSA_PREHASH_BYTES 64
-
-#if NO_CONTEXT
-const uint8_t NO_CONTEXT_POINTS_HERE = 0;
-const uint8_t *const DECAF_ED448_NO_CONTEXT = &NO_CONTEXT_POINTS_HERE;
-#endif
-
-/*
- * EDDSA_BASE_POINT_RATIO = 1 or 2 Because EdDSA25519 is not on E_d but on the
- * isogenous E_sigma_d, its base point is twice ours.
- */
-#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY) /* TODO: remove */
static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen,
const uint8_t *in, size_t inlen)
if (context_len > UINT8_MAX)
return DECAF_FAILURE;
-#if NO_CONTEXT
- if (context_len == 0 && context == DECAF_ED448_NO_CONTEXT) {
- (void)prehashed;
- (void)for_prehash;
- (void)context;
- (void)context_len;
- return DECAF_SUCCESS;
- }
-#endif
-
if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
|| !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
|| !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
# include "word.h"
-# define __DECAF_448_GF_DEFINED__ 1
# define NLIMBS (64/sizeof(word_t))
# define X_SER_BYTES 56
# define SER_BYTES 56
-typedef struct gf_448_s {
+typedef struct gf_s {
word_t limb[NLIMBS];
-} __attribute__ ((aligned(32))) gf_448_s, gf_448_t[1];
-
-# define GF_LIT_LIMB_BITS 56
-# define GF_BITS 448
-# define ZERO gf_448_ZERO
-# define ONE gf_448_ONE
-# define MODULUS gf_448_MODULUS
-# define gf gf_448_t
-# define gf_s gf_448_s
-# define gf_eq gf_448_eq
-# define gf_hibit gf_448_hibit
-# define gf_lobit gf_448_lobit
-# define gf_copy gf_448_copy
-# define gf_add gf_448_add
-# define gf_sub gf_448_sub
-# define gf_add_RAW gf_448_add_RAW
-# define gf_sub_RAW gf_448_sub_RAW
-# define gf_bias gf_448_bias
-# define gf_weak_reduce gf_448_weak_reduce
-# define gf_strong_reduce gf_448_strong_reduce
-# define gf_mul gf_448_mul
-# define gf_sqr gf_448_sqr
-# define gf_mulw_unsigned gf_448_mulw_unsigned
-# define gf_isr gf_448_isr
-# define gf_serialize gf_448_serialize
-# define gf_deserialize gf_448_deserialize
+} __attribute__ ((aligned(32))) gf_s, gf[1];
/* RFC 7748 support */
# define X_PUBLIC_BYTES X_SER_BYTES
# endif
# define LIMB_MASK(i) (((1)<<LIMB_PLACE_VALUE(i))-1)
-static const gf ZERO = { {{0}} }, ONE = { { {
-1}}};
+static const gf ZERO = {{{0}}}, ONE = {{{1}}};
#endif /* __P448_F_FIELD_H__ */
0xffffffffffffff, 0xffffffffffffff)
};
-/** Serialize to wire format. */
+/* Serialize to wire format. */
void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_hibit)
{
unsigned int j = 0, fill = 0;
constant_time_cond_swap(x, y, sizeof(gf_s), swap);
}
-static ossl_inline void gf_mul_qnr(gf_s * __restrict__ out, const gf x)
-{
- gf_sub(out, ZERO, x);
-}
-
-static ossl_inline void gf_div_qnr(gf_s * __restrict__ out, const gf x)
-{
- gf_sub(out, ZERO, x);
-}
-
#endif /* __GF_H__ */
/* The number of bits in a scalar */
# define DECAF_448_SCALAR_BITS 446
-/* Number of bytes in a serialized point. */
-# define DECAF_448_SER_BYTES 56
-
-/*
- * Number of bytes in an elligated point. For now set the same as SER_BYTES
- * but could be different for other curves.
- */
-# define DECAF_448_HASH_BYTES 56
-
/* Number of bytes in a serialized scalar. */
# define DECAF_448_SCALAR_BYTES 56
-/* Number of bits in the "which" field of an elligator inverse */
-# define DECAF_448_INVERT_ELLIGATOR_WHICH_BITS 3
-
-/* The cofactor the curve would have, if we hadn't removed it */
-# define DECAF_448_REMOVED_COFACTOR 4
-
/* X448 encoding ratio. */
# define DECAF_X448_ENCODE_RATIO 2
/* Twisted Edwards extended homogeneous coordinates */
typedef struct curve448_point_s {
- gf_448_t x, y, z, t;
+ gf x, y, z, t;
} curve448_point_t[1];
/* Precomputed table based on a point. Can be trivial implementation. */
/* The identity point on the curve. */
extern const curve448_point_t curve448_point_identity;
-/* An arbitrarily chosen base point on the curve. */
-extern const curve448_point_t curve448_point_base;
-
/* Precomputed table for the base point on the curve. */
extern const struct curve448_precomputed_s *curve448_precomputed_base;
uint8_t out[DECAF_X448_PUBLIC_BYTES],
const curve448_point_t p);
-/* The base point for X448 Diffie-Hellman */
-extern const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES];
-
/*
* RFC 7748 Diffie-Hellman base point scalarmul. This function uses a different
* (non-Decaf) encoding.
}
};
-/* End of template stuff */
-
#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
const curve448_scalar_t curve448_scalar_one = {{{1}}};
projects / openssl.git / commitdiff