From db90b274a169b8027ef10fa9c5235c9698667215 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 6 Dec 2017 13:06:13 +0000 Subject: [PATCH] Remove duplicated 448 in the names of various things Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/5105) --- crypto/ec/curve448/curve448.c | 46 +++++++++---------- crypto/ec/curve448/ed448.h | 54 +++++++++++----------- crypto/ec/curve448/eddsa.c | 82 +++++++++++++++++----------------- crypto/ec/curve448/point_448.h | 35 +++++++-------- crypto/ec/curve448/scalar.c | 38 ++++++++-------- 5 files changed, 127 insertions(+), 128 deletions(-) diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c index f28bce1e4a..920705bfcd 100644 --- a/crypto/ec/curve448/curve448.c +++ b/crypto/ec/curve448/curve448.c @@ -267,7 +267,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out, for (k = 0; k < t; k++) { unsigned int bit = i + s * (k + j * t); - if (bit < C448_448_SCALAR_BITS) { + if (bit < C448_SCALAR_BITS) { tab |= (scalar1x->limb[bit / WBITS] >> (bit % WBITS) & 1) << k; } @@ -294,7 +294,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out, } void curve448_point_mul_by_ratio_and_encode_like_eddsa( - uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES], + uint8_t enc[EDDSA_448_PUBLIC_BYTES], const curve448_point_t p) { @@ -329,9 +329,9 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( gf_mul(x, y, z); /* Encode */ - enc[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0; + enc[EDDSA_448_PRIVATE_BYTES - 1] = 0; gf_serialize(enc, x, 1); - enc[C448_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t); + enc[EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t); OPENSSL_cleanse(x, sizeof(x)); OPENSSL_cleanse(y, sizeof(y)); @@ -342,20 +342,20 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( curve448_point_t p, - const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]) + const uint8_t enc[EDDSA_448_PUBLIC_BYTES]) { - uint8_t enc2[C448_EDDSA_448_PUBLIC_BYTES]; + uint8_t enc2[EDDSA_448_PUBLIC_BYTES]; mask_t low; mask_t succ; memcpy(enc2, enc, sizeof(enc2)); - low = ~word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] & 0x80); - enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80; + low = ~word_is_zero(enc2[EDDSA_448_PRIVATE_BYTES - 1] & 0x80); + enc2[EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80; succ = gf_deserialize(p->y, enc2, 1, 0); #if 0 == 0 - succ &= word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1]); + succ &= word_is_zero(enc2[EDDSA_448_PRIVATE_BYTES - 1]); #endif gf_sqr(p->x, p->y); @@ -399,9 +399,9 @@ c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( return c448_succeed_if(mask_to_bool(succ)); } -c448_error_t c448_x448(uint8_t out[X_PUBLIC_BYTES], - const uint8_t base[X_PUBLIC_BYTES], - const uint8_t scalar[X_PRIVATE_BYTES]) +c448_error_t x448_int(uint8_t out[X_PUBLIC_BYTES], + const uint8_t base[X_PUBLIC_BYTES], + const uint8_t scalar[X_PRIVATE_BYTES]) { gf x1, x2, z2, x3, z3, t1, t2; int t; @@ -486,8 +486,8 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t curve448_point_destroy(q); } -void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], - const uint8_t scalar[X_PRIVATE_BYTES]) +void x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], + const uint8_t scalar[X_PRIVATE_BYTES]) { /* Scalar conditioning */ uint8_t scalar2[X_PRIVATE_BYTES]; @@ -504,7 +504,7 @@ void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2)); /* Compensate for the encoding ratio */ - for (i = 1; i < C448_X448_ENCODE_RATIO; i <<= 1) { + for (i = 1; i < X448_ENCODE_RATIO; i <<= 1) { curve448_scalar_halve(the_scalar, the_scalar); } curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar); @@ -522,7 +522,7 @@ static int recode_wnaf(struct smvt_control *control, const curve448_scalar_t scalar, unsigned int table_bits) { - unsigned int table_size = C448_448_SCALAR_BITS / (table_bits + 1) + 3; + unsigned int table_size = C448_SCALAR_BITS / (table_bits + 1) + 3; int position = table_size - 1; /* at the end */ uint64_t current = scalar->limb[0] & 0xFFFF; uint32_t mask = (1 << (table_bits + 1)) - 1; @@ -541,8 +541,8 @@ static int recode_wnaf(struct smvt_control *control, * 1/5 op. Probably not worth it. */ - for (w = 1; w < (C448_448_SCALAR_BITS - 1) / 16 + 3; w++) { - if (w < (C448_448_SCALAR_BITS - 1) / 16 + 1) { + for (w = 1; w < (C448_SCALAR_BITS - 1) / 16 + 3; w++) { + if (w < (C448_SCALAR_BITS - 1) / 16 + 1) { /* Refill the 16 high bits of current */ current += (uint32_t)((scalar->limb[w / B_OVER_16] >> (16 * (w % B_OVER_16))) << 16); @@ -612,9 +612,9 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, { const int table_bits_var = C448_WNAF_VAR_TABLE_BITS, table_bits_pre = C448_WNAF_FIXED_TABLE_BITS; - struct smvt_control control_var[C448_448_SCALAR_BITS / + struct smvt_control control_var[C448_SCALAR_BITS / (C448_WNAF_VAR_TABLE_BITS + 1) + 3]; - struct smvt_control control_pre[C448_448_SCALAR_BITS / + struct smvt_control control_pre[C448_SCALAR_BITS / (C448_WNAF_FIXED_TABLE_BITS + 1) + 3]; int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre); int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var); @@ -697,12 +697,12 @@ void curve448_point_destroy(curve448_point_t point) int X448(uint8_t out_shared_key[56], const uint8_t private_key[56], const uint8_t peer_public_value[56]) { - return c448_x448(out_shared_key, peer_public_value, private_key) - == C448_SUCCESS; + return x448_int(out_shared_key, peer_public_value, private_key) + == C448_SUCCESS; } void X448_public_from_private(uint8_t out_public_value[56], const uint8_t private_key[56]) { - c448_x448_derive_public_key(out_public_value, private_key); + x448_derive_public_key(out_public_value, private_key); } diff --git a/crypto/ec/curve448/ed448.h b/crypto/ec/curve448/ed448.h index abad0dbf71..ca53877273 100644 --- a/crypto/ec/curve448/ed448.h +++ b/crypto/ec/curve448/ed448.h @@ -20,20 +20,20 @@ extern "C" { #endif /* Number of bytes in an EdDSA public key. */ -# define C448_EDDSA_448_PUBLIC_BYTES 57 +# define EDDSA_448_PUBLIC_BYTES 57 /* Number of bytes in an EdDSA private key. */ -# define C448_EDDSA_448_PRIVATE_BYTES C448_EDDSA_448_PUBLIC_BYTES +# define EDDSA_448_PRIVATE_BYTES EDDSA_448_PUBLIC_BYTES /* Number of bytes in an EdDSA private key. */ -# define C448_EDDSA_448_SIGNATURE_BYTES (C448_EDDSA_448_PUBLIC_BYTES + \ - C448_EDDSA_448_PRIVATE_BYTES) +# define EDDSA_448_SIGNATURE_BYTES (EDDSA_448_PUBLIC_BYTES + \ + EDDSA_448_PRIVATE_BYTES) /* EdDSA encoding ratio. */ -# define C448_448_EDDSA_ENCODE_RATIO 4 +# define C448_EDDSA_ENCODE_RATIO 4 /* EdDSA decoding ratio. */ -# define C448_448_EDDSA_DECODE_RATIO (4 / 4) +# define C448_EDDSA_DECODE_RATIO (4 / 4) /* * EdDSA key generation. This function uses a different (non-Decaf) encoding. @@ -42,8 +42,8 @@ extern "C" { * privkey (in): The private key. */ c448_error_t c448_ed448_derive_public_key( - uint8_t pubkey [C448_EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey [C448_EDDSA_448_PRIVATE_BYTES]); + uint8_t pubkey [EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey [EDDSA_448_PRIVATE_BYTES]); /* * EdDSA signing. @@ -64,9 +64,9 @@ c448_error_t c448_ed448_derive_public_key( * it harder to screw this up, but this C code gives you no seat belt. */ c448_error_t c448_ed448_sign( - uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, size_t context_len) @@ -90,9 +90,9 @@ c448_error_t c448_ed448_sign( * it harder to screw this up, but this C code gives you no seat belt. */ c448_error_t c448_ed448_sign_prehash( - uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, size_t context_len) @@ -118,9 +118,9 @@ c448_error_t c448_ed448_sign_prehash( * it harder to screw this up, but this C code gives you no seat belt. */ c448_error_t c448_ed448_verify(const uint8_t - signature[C448_EDDSA_448_SIGNATURE_BYTES], + signature[EDDSA_448_SIGNATURE_BYTES], const uint8_t - pubkey[C448_EDDSA_448_PUBLIC_BYTES], + pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, uint8_t context_len) @@ -145,8 +145,8 @@ c448_error_t c448_ed448_verify(const uint8_t * it harder to screw this up, but this C code gives you no seat belt. */ c448_error_t c448_ed448_verify_prehash( - const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, uint8_t context_len) @@ -154,7 +154,7 @@ c448_error_t c448_ed448_verify_prehash( /* * EdDSA point encoding. Used internally, exposed externally. - * Multiplies by C448_448_EDDSA_ENCODE_RATIO first. + * Multiplies by C448_EDDSA_ENCODE_RATIO first. * * The multiplication is required because the EdDSA encoding represents * the cofactor information, but the Decaf encoding ignores it (which @@ -162,25 +162,25 @@ c448_error_t c448_ed448_verify_prehash( * EdDSA, the cofactor info must get cleared, because the intermediate * representation doesn't track it. * - * The way we handle this is to multiply by C448_448_EDDSA_DECODE_RATIO when - * decoding, and by C448_448_EDDSA_ENCODE_RATIO when encoding. The product of + * The way we handle this is to multiply by C448_EDDSA_DECODE_RATIO when + * decoding, and by C448_EDDSA_ENCODE_RATIO when encoding. The product of * these ratios is always exactly the cofactor 4, so the cofactor ends up * cleared one way or another. But exactly how that shakes out depends on the * base points specified in RFC 8032. * * The upshot is that if you pass the Decaf/Ristretto base point to - * this function, you will get C448_448_EDDSA_ENCODE_RATIO times the + * this function, you will get C448_EDDSA_ENCODE_RATIO times the * EdDSA base point. * * enc (out): The encoded point. * p (in): The point. */ void curve448_point_mul_by_ratio_and_encode_like_eddsa( - uint8_t enc [C448_EDDSA_448_PUBLIC_BYTES], + uint8_t enc [EDDSA_448_PUBLIC_BYTES], const curve448_point_t p); /* - * EdDSA point decoding. Multiplies by C448_448_EDDSA_DECODE_RATIO, and + * EdDSA point decoding. Multiplies by C448_EDDSA_DECODE_RATIO, and * ignores cofactor information. * * See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa @@ -190,7 +190,7 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( */ c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( curve448_point_t p, - const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]); + const uint8_t enc[EDDSA_448_PUBLIC_BYTES]); /* * EdDSA to ECDH private key conversion @@ -201,8 +201,8 @@ c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( * ed (in): The EdDSA private key */ c448_error_t c448_ed448_convert_private_key_to_x448( - uint8_t x[C448_X448_PRIVATE_BYTES], - const uint8_t ed[C448_EDDSA_448_PRIVATE_BYTES]); + uint8_t x[X448_PRIVATE_BYTES], + const uint8_t ed[EDDSA_448_PRIVATE_BYTES]); #ifdef __cplusplus } /* extern "C" */ diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index d76c15dff1..aa182cdbe7 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -39,18 +39,18 @@ static c448_error_t oneshot_hash(uint8_t *out, size_t outlen, return C448_SUCCESS; } -static void clamp(uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]) +static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]) { uint8_t hibit = (1 << 0) >> 1; /* Blarg */ secret_scalar_ser[0] &= -COFACTOR; if (hibit == 0) { - secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0; - secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; + secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0; + secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; } else { - secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; - secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] |= hibit; + secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; + secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] |= hibit; } } @@ -79,27 +79,27 @@ static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed, /* In this file because it uses the hash */ c448_error_t c448_ed448_convert_private_key_to_x448( - uint8_t x[C448_X448_PRIVATE_BYTES], - const uint8_t ed [C448_EDDSA_448_PRIVATE_BYTES]) + uint8_t x[X448_PRIVATE_BYTES], + const uint8_t ed [EDDSA_448_PRIVATE_BYTES]) { /* pass the private key through oneshot_hash function */ - /* and keep the first C448_X448_PRIVATE_BYTES bytes */ - return oneshot_hash(x, C448_X448_PRIVATE_BYTES, ed, - C448_EDDSA_448_PRIVATE_BYTES); + /* and keep the first X448_PRIVATE_BYTES bytes */ + return oneshot_hash(x, X448_PRIVATE_BYTES, ed, + EDDSA_448_PRIVATE_BYTES); } c448_error_t c448_ed448_derive_public_key( - uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES]) + uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES]) { /* only this much used for keygen */ - uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]; curve448_scalar_t secret_scalar; unsigned int c; curve448_point_t p; if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey, - C448_EDDSA_448_PRIVATE_BYTES)) + EDDSA_448_PRIVATE_BYTES)) return C448_FAILURE; clamp(secret_scalar_ser); @@ -115,7 +115,7 @@ c448_error_t c448_ed448_derive_public_key( * converted it effectively picks up a factor of 2 from the isogenies. So * we might start at 2 instead of 1. */ - for (c = 1; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) + for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) curve448_scalar_halve(secret_scalar, secret_scalar); curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar); @@ -131,9 +131,9 @@ c448_error_t c448_ed448_derive_public_key( } c448_error_t c448_ed448_sign( - uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, size_t context_len) @@ -142,7 +142,7 @@ c448_error_t c448_ed448_sign( EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); c448_error_t ret = C448_FAILURE; curve448_scalar_t nonce_scalar; - uint8_t nonce_point[C448_EDDSA_448_PUBLIC_BYTES] = { 0 }; + uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 }; unsigned int c; curve448_scalar_t challenge_scalar; @@ -152,12 +152,12 @@ c448_error_t c448_ed448_sign( { /* Schedule the secret key */ struct { - uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]; - uint8_t seed[C448_EDDSA_448_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]; + uint8_t seed[EDDSA_448_PRIVATE_BYTES]; } __attribute__ ((packed)) expanded; if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey, - C448_EDDSA_448_PRIVATE_BYTES)) + EDDSA_448_PRIVATE_BYTES)) goto err; clamp(expanded.secret_scalar_ser); curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser, @@ -175,7 +175,7 @@ c448_error_t c448_ed448_sign( /* Decode the nonce */ { - uint8_t nonce[2 * C448_EDDSA_448_PRIVATE_BYTES]; + uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES]; if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce))) goto err; @@ -189,7 +189,7 @@ c448_error_t c448_ed448_sign( curve448_point_t p; curve448_scalar_halve(nonce_scalar_2, nonce_scalar); - for (c = 2; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) { + for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) { curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2); } @@ -201,12 +201,12 @@ c448_error_t c448_ed448_sign( } { - uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES]; + uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES]; /* Compute the challenge */ if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point)) - || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES) + || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES) || !EVP_DigestUpdate(hashctx, message, message_len) || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) goto err; @@ -219,9 +219,9 @@ c448_error_t c448_ed448_sign( curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar); curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar); - OPENSSL_cleanse(signature, C448_EDDSA_448_SIGNATURE_BYTES); + OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES); memcpy(signature, nonce_point, sizeof(nonce_point)); - curve448_scalar_encode(&signature[C448_EDDSA_448_PUBLIC_BYTES], + curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES], challenge_scalar); curve448_scalar_destroy(secret_scalar); @@ -235,9 +235,9 @@ c448_error_t c448_ed448_sign( } c448_error_t c448_ed448_sign_prehash( - uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, size_t context_len) { @@ -246,8 +246,8 @@ c448_error_t c448_ed448_sign_prehash( } c448_error_t c448_ed448_verify( - const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, uint8_t context_len) @@ -270,13 +270,13 @@ c448_error_t c448_ed448_verify( { /* Compute the challenge */ EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); - uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES]; + uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES]; if (hashctx == NULL || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len) || !EVP_DigestUpdate(hashctx, signature, - C448_EDDSA_448_PUBLIC_BYTES) - || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES) + EDDSA_448_PUBLIC_BYTES) + || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES) || !EVP_DigestUpdate(hashctx, message, message_len) || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) { EVP_MD_CTX_free(hashctx); @@ -292,10 +292,10 @@ c448_error_t c448_ed448_verify( challenge_scalar); curve448_scalar_decode_long(response_scalar, - &signature[C448_EDDSA_448_PUBLIC_BYTES], - C448_EDDSA_448_PRIVATE_BYTES); + &signature[EDDSA_448_PUBLIC_BYTES], + EDDSA_448_PRIVATE_BYTES); - for (c = 1; c < C448_448_EDDSA_DECODE_RATIO; c <<= 1) + for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1) curve448_scalar_add(response_scalar, response_scalar, response_scalar); /* pk_point = -c(x(P)) + (cx + k)G = kG */ @@ -306,8 +306,8 @@ c448_error_t c448_ed448_verify( } c448_error_t c448_ed448_verify_prehash( - const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, uint8_t context_len) { diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h index 72a5e80f6f..92949e3fa9 100644 --- a/crypto/ec/curve448/point_448.h +++ b/crypto/ec/curve448/point_448.h @@ -20,22 +20,22 @@ extern "C" { #endif -# define C448_448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1) +# define C448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1) /* The number of bits in a scalar */ -# define C448_448_SCALAR_BITS 446 +# define C448_SCALAR_BITS 446 /* Number of bytes in a serialized scalar. */ -# define C448_448_SCALAR_BYTES 56 +# define C448_SCALAR_BYTES 56 /* X448 encoding ratio. */ -# define C448_X448_ENCODE_RATIO 2 +# define X448_ENCODE_RATIO 2 /* Number of bytes in an x448 public key */ -# define C448_X448_PUBLIC_BYTES 56 +# define X448_PUBLIC_BYTES 56 /* Number of bytes in an x448 private key */ -# define C448_X448_PRIVATE_BYTES 56 +# define X448_PRIVATE_BYTES 56 /* Twisted Edwards extended homogeneous coordinates */ typedef struct curve448_point_s { @@ -50,7 +50,7 @@ typedef struct curve448_precomputed_s curve448_precomputed_s; /* Scalar is stored packed, because we don't need the speed. */ typedef struct curve448_scalar_s { - c448_word_t limb[C448_448_SCALAR_LIMBS]; + c448_word_t limb[C448_SCALAR_LIMBS]; } curve448_scalar_t[1]; /* A scalar equal to 1. */ @@ -78,7 +78,7 @@ extern const struct curve448_precomputed_s *curve448_precomputed_base; */ __owur c448_error_t curve448_scalar_decode( curve448_scalar_t out, - const unsigned char ser[C448_448_SCALAR_BYTES]); + const unsigned char ser[C448_SCALAR_BYTES]); /* * Read a scalar from wire format or from bytes. Reduces mod scalar prime. @@ -96,7 +96,7 @@ void curve448_scalar_decode_long(curve448_scalar_t out, * ser (out): Serialized form of a scalar. * s (in): Deserialized scalar. */ -void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES], +void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES], const curve448_scalar_t s); /* @@ -198,12 +198,12 @@ void curve448_point_double(curve448_point_t two_a, const curve448_point_t a); * C448_FAILURE: The scalarmul didn't succeed, because the base point is in a * small subgroup. */ -__owur c448_error_t c448_x448(uint8_t out[C448_X448_PUBLIC_BYTES], - const uint8_t base[C448_X448_PUBLIC_BYTES], - const uint8_t scalar[C448_X448_PRIVATE_BYTES]); +__owur c448_error_t x448_int(uint8_t out[X448_PUBLIC_BYTES], + const uint8_t base[X448_PUBLIC_BYTES], + const uint8_t scalar[X448_PRIVATE_BYTES]); /* - * Multiply a point by C448_X448_ENCODE_RATIO, then encode it like RFC 7748. + * Multiply a point by X448_ENCODE_RATIO, then encode it like RFC 7748. * * This function is mainly used internally, but is exported in case * it will be useful. @@ -215,14 +215,14 @@ __owur c448_error_t c448_x448(uint8_t out[C448_X448_PUBLIC_BYTES], * * As it happens, this aligns with the base point definitions; that is, * if you pass the Decaf/Ristretto base point to this function, the result - * will be C448_X448_ENCODE_RATIO times the X448 + * will be X448_ENCODE_RATIO times the X448 * base point. * * out (out): The scaled and encoded point. * p (in): The point to be scaled and encoded. */ void curve448_point_mul_by_ratio_and_encode_like_x448( - uint8_t out[C448_X448_PUBLIC_BYTES], + uint8_t out[X448_PUBLIC_BYTES], const curve448_point_t p); /* @@ -232,9 +232,8 @@ void curve448_point_mul_by_ratio_and_encode_like_x448( * out (out): The scaled point base*scalar * scalar (in): The scalar to multiply by. */ -void c448_x448_derive_public_key( - uint8_t out[C448_X448_PUBLIC_BYTES], - const uint8_t scalar[C448_X448_PRIVATE_BYTES]); +void x448_derive_public_key(uint8_t out[X448_PUBLIC_BYTES], + const uint8_t scalar[X448_PRIVATE_BYTES]); /* * Multiply a precomputed base point by a scalar: out = scalar*base. diff --git a/crypto/ec/curve448/scalar.c b/crypto/ec/curve448/scalar.c index a93964e227..3c61ed6f06 100644 --- a/crypto/ec/curve448/scalar.c +++ b/crypto/ec/curve448/scalar.c @@ -47,7 +47,7 @@ const curve448_scalar_t curve448_scalar_zero = {{{0}}}; * Must have extra <= 1 */ static void sc_subx(curve448_scalar_t out, - const c448_word_t accum[C448_448_SCALAR_LIMBS], + const c448_word_t accum[C448_SCALAR_LIMBS], const curve448_scalar_t sub, const curve448_scalar_t p, c448_word_t extra) { @@ -55,7 +55,7 @@ static void sc_subx(curve448_scalar_t out, unsigned int i; c448_word_t borrow; - for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_SCALAR_LIMBS; i++) { chain = (chain + accum[i]) - sub->limb[i]; out->limb[i] = chain; chain >>= WBITS; @@ -63,7 +63,7 @@ static void sc_subx(curve448_scalar_t out, borrow = chain + extra; /* = 0 or -1 */ chain = 0; - for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_SCALAR_LIMBS; i++) { chain = (chain + out->limb[i]) + (p->limb[i] & borrow); out->limb[i] = chain; chain >>= WBITS; @@ -74,15 +74,15 @@ static void sc_montmul(curve448_scalar_t out, const curve448_scalar_t a, const curve448_scalar_t b) { unsigned int i, j; - c448_word_t accum[C448_448_SCALAR_LIMBS + 1] = { 0 }; + c448_word_t accum[C448_SCALAR_LIMBS + 1] = { 0 }; c448_word_t hi_carry = 0; - for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_SCALAR_LIMBS; i++) { c448_word_t mand = a->limb[i]; const c448_word_t *mier = b->limb; c448_dword_t chain = 0; - for (j = 0; j < C448_448_SCALAR_LIMBS; j++) { + for (j = 0; j < C448_SCALAR_LIMBS; j++) { chain += ((c448_dword_t) mand) * mier[j] + accum[j]; accum[j] = chain; chain >>= WBITS; @@ -92,7 +92,7 @@ static void sc_montmul(curve448_scalar_t out, const curve448_scalar_t a, mand = accum[0] * MONTGOMERY_FACTOR; chain = 0; mier = sc_p->limb; - for (j = 0; j < C448_448_SCALAR_LIMBS; j++) { + for (j = 0; j < C448_SCALAR_LIMBS; j++) { chain += (c448_dword_t) mand *mier[j] + accum[j]; if (j) accum[j - 1] = chain; @@ -126,7 +126,7 @@ void curve448_scalar_add(curve448_scalar_t out, const curve448_scalar_t a, c448_dword_t chain = 0; unsigned int i; - for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_SCALAR_LIMBS; i++) { chain = (chain + a->limb[i]) + b->limb[i]; out->limb[i] = chain; chain >>= WBITS; @@ -140,7 +140,7 @@ static ossl_inline void scalar_decode_short(curve448_scalar_t s, { unsigned int i, j, k = 0; - for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_SCALAR_LIMBS; i++) { c448_word_t out = 0; for (j = 0; j < sizeof(c448_word_t) && k < nbytes; j++, k++) @@ -151,13 +151,13 @@ static ossl_inline void scalar_decode_short(curve448_scalar_t s, c448_error_t curve448_scalar_decode( curve448_scalar_t s, - const unsigned char ser[C448_448_SCALAR_BYTES]) + const unsigned char ser[C448_SCALAR_BYTES]) { unsigned int i; c448_dsword_t accum = 0; - scalar_decode_short(s, ser, C448_448_SCALAR_BYTES); - for (i = 0; i < C448_448_SCALAR_LIMBS; i++) + scalar_decode_short(s, ser, C448_SCALAR_BYTES); + for (i = 0; i < C448_SCALAR_LIMBS; i++) accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS; /* Here accum == 0 or -1 */ @@ -182,9 +182,9 @@ void curve448_scalar_decode_long(curve448_scalar_t s, return; } - i = ser_len - (ser_len % C448_448_SCALAR_BYTES); + i = ser_len - (ser_len % C448_SCALAR_BYTES); if (i == ser_len) - i -= C448_448_SCALAR_BYTES; + i -= C448_SCALAR_BYTES; scalar_decode_short(t1, &ser[i], ser_len - i); @@ -197,7 +197,7 @@ void curve448_scalar_decode_long(curve448_scalar_t s, } while (i) { - i -= C448_448_SCALAR_BYTES; + i -= C448_SCALAR_BYTES; sc_montmul(t1, t1, sc_r2); ignore_result(curve448_scalar_decode(t2, ser + i)); curve448_scalar_add(t1, t1, t2); @@ -208,12 +208,12 @@ void curve448_scalar_decode_long(curve448_scalar_t s, curve448_scalar_destroy(t2); } -void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES], +void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES], const curve448_scalar_t s) { unsigned int i, j, k = 0; - for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_SCALAR_LIMBS; i++) { for (j = 0; j < sizeof(c448_word_t); j++, k++) ser[k] = s->limb[i] >> (8 * j); } @@ -224,12 +224,12 @@ void curve448_scalar_halve(curve448_scalar_t out, const curve448_scalar_t a) c448_word_t mask = -(a->limb[0] & 1); c448_dword_t chain = 0; unsigned int i; - for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_SCALAR_LIMBS; i++) { chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask); out->limb[i] = chain; chain >>= C448_WORD_BITS; } - for (i = 0; i < C448_448_SCALAR_LIMBS - 1; i++) + for (i = 0; i < C448_SCALAR_LIMBS - 1; i++) out->limb[i] = out->limb[i] >> 1 | out->limb[i + 1] << (WBITS - 1); out->limb[i] = out->limb[i] >> 1 | chain << (WBITS - 1); } -- 2.34.1