Rename decaf_448_* to curve448_* (e7772577) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

crypto/ec/curve448/decaf.c

+37 −38

Original line number	Diff line number	Diff line
		@@ -20,13 +20,12 @@
		#include "curve448_lcl.h"

		/* Template stuff */
		#define API_NS(_id) decaf_448_##_id
		#define SCALAR_BITS DECAF_448_SCALAR_BITS
		#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
		#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
		#define scalar_t API_NS(scalar_t)
		#define point_t API_NS(point_t)
		#define precomputed_s API_NS(precomputed_s)
		#define scalar_t curve448_scalar_t
		#define point_t curve448_point_t
		#define precomputed_s curve448_precomputed_s
		#define COFACTOR 4

		/* Comb config: number of combs, n, t, s. */
		@@ -66,9 +65,9 @@ typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1];
		/* Precomputed base */
		struct precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };

		extern const gf API_NS(precomputed_base_as_fe)[];
		const precomputed_s *API_NS(precomputed_base) =
		(const precomputed_s *) &API_NS(precomputed_base_as_fe);
		extern const gf curve448_precomputed_base_as_fe[];
		const precomputed_s *curve448_precomputed_base =
		(const precomputed_s *) &curve448_precomputed_base_as_fe;

		/** Inverse. */
		static void
		@@ -84,7 +83,7 @@ gf_invert(gf y, const gf x, int assert_nonzero) {
		}

		/** identity = (0,1) */
		const point_t API_NS(point_identity) = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
		const point_t curve448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};

		static DECAF_NOINLINE void
		point_double_internal (
		@@ -110,7 +109,7 @@ point_double_internal (
		if (!before_double) gf_mul ( p->t, b, d );
		}

		void API_NS(point_double)(point_t p, const point_t q) {
		void curve448_point_double(point_t p, const point_t q) {
		point_double_internal(p,q,0);
		}

		@@ -226,7 +225,7 @@ sub_pniels_from_pt (
		sub_niels_from_pt( p, pn->n, before_double );
		}

		decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
		decaf_bool_t curve448_point_eq ( const point_t p, const point_t q ) {
		/* equality mod 2-torsion compares x/y */
		gf a, b;
		gf_mul ( a, p->y, q->x );
		@@ -236,7 +235,7 @@ decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
		return mask_to_bool(succ);
		}

		decaf_bool_t API_NS(point_valid) (
		decaf_bool_t curve448_point_valid (
		const point_t p
		) {
		gf a,b,c;
		@@ -265,7 +264,7 @@ constant_time_lookup_niels (
		constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx);
		}

		void API_NS(precomputed_scalarmul) (
		void curve448_precomputed_scalarmul (
		point_t out,
		const precomputed_s *table,
		const scalar_t scalar
		@@ -275,8 +274,8 @@ void API_NS(precomputed_scalarmul) (
		const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;

		scalar_t scalar1x;
		API_NS(scalar_add)(scalar1x, scalar, precomputed_scalarmul_adjustment);
		API_NS(scalar_halve)(scalar1x,scalar1x);
		curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment);
		curve448_scalar_halve(scalar1x,scalar1x);

		niels_t ni;

		@@ -312,7 +311,7 @@ void API_NS(precomputed_scalarmul) (
		OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
		}

		void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
		void curve448_point_mul_by_ratio_and_encode_like_eddsa (
		uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
		const point_t p
		) {
		@@ -320,7 +319,7 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
		/* The point is now on the twisted curve. Move it to untwisted. */
		gf x, y, z, t;
		point_t q;
		API_NS(point_copy)(q,p);
		curve448_point_copy(q,p);

		{
		/* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
		@@ -355,11 +354,11 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
		OPENSSL_cleanse(y,sizeof(y));
		OPENSSL_cleanse(z,sizeof(z));
		OPENSSL_cleanse(t,sizeof(t));
		API_NS(point_destroy)(q);
		curve448_point_destroy(q);
		}


		decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
		decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio (
		point_t p,
		const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
		) {
		@@ -410,7 +409,7 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
		}

		OPENSSL_cleanse(enc2,sizeof(enc2));
		assert(API_NS(point_valid)(p) \|\| ~succ);
		assert(curve448_point_valid(p) \|\| ~succ);

		return decaf_succeed_if(mask_to_bool(succ));
		}
		@@ -514,17 +513,17 @@ void decaf_ed448_convert_public_key_to_x448 (
		}
		}

		void API_NS(point_mul_by_ratio_and_encode_like_x448) (
		void curve448_point_mul_by_ratio_and_encode_like_x448 (
		uint8_t out[X_PUBLIC_BYTES],
		const point_t p
		) {
		point_t q;
		API_NS(point_copy)(q,p);
		curve448_point_copy(q,p);
		gf_invert(q->t,q->x,0); /* 1/x */
		gf_mul(q->z,q->t,q->y); /* y/x */
		gf_sqr(q->y,q->z); /* (y/x)^2 */
		gf_serialize(out,q->y,1);
		API_NS(point_destroy(q));
		curve448_point_destroy(q);
		}

		void decaf_x448_derive_public_key (
		@@ -540,16 +539,16 @@ void decaf_x448_derive_public_key (
		scalar2[X_PRIVATE_BYTES-1] \|= 1<<((X_PRIVATE_BITS+7)%8);

		scalar_t the_scalar;
		API_NS(scalar_decode_long)(the_scalar,scalar2,sizeof(scalar2));
		curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2));

		/* Compensate for the encoding ratio */
		for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
		API_NS(scalar_halve)(the_scalar,the_scalar);
		curve448_scalar_halve(the_scalar,the_scalar);
		}
		point_t p;
		API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),the_scalar);
		API_NS(point_mul_by_ratio_and_encode_like_x448)(out,p);
		API_NS(point_destroy)(p);
		curve448_precomputed_scalarmul(p,curve448_precomputed_base,the_scalar);
		curve448_point_mul_by_ratio_and_encode_like_x448(out,p);
		curve448_point_destroy(p);
		}

		/**
		@@ -624,7 +623,7 @@ prepare_wnaf_table(

		if (tbits == 0) return;

		API_NS(point_double)(tmp,working);
		curve448_point_double(tmp,working);
		pniels_t twop;
		pt_to_pniels(twop, tmp);

		@@ -636,14 +635,14 @@ prepare_wnaf_table(
		pt_to_pniels(output[i], tmp);
		}

		API_NS(point_destroy)(tmp);
		curve448_point_destroy(tmp);
		OPENSSL_cleanse(twop,sizeof(twop));
		}

		extern const gf API_NS(precomputed_wnaf_as_fe)[];
		static const niels_t API_NS(wnaf_base) = (const niels_t )API_NS(precomputed_wnaf_as_fe);
		extern const gf curve448_precomputed_wnaf_as_fe[];
		static const niels_t curve448_wnaf_base = (const niels_t )curve448_precomputed_wnaf_as_fe;

		void API_NS(base_double_scalarmul_non_secret) (
		void curve448_base_double_scalarmul_non_secret (
		point_t combo,
		const scalar_t scalar1,
		const point_t base2,
		@@ -663,18 +662,18 @@ void API_NS(base_double_scalarmul_non_secret) (
		int contp=0, contv=0, i = control_var[0].power;

		if (i < 0) {
		API_NS(point_copy)(combo, API_NS(point_identity));
		curve448_point_copy(combo, curve448_point_identity);
		return;
		} else if (i > control_pre[0].power) {
		pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);
		contv++;
		} else if (i == control_pre[0].power && i >=0 ) {
		pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);
		add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1], i);
		add_niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1], i);
		contv++; contp++;
		} else {
		i = control_pre[0].power;
		niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1]);
		niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1]);
		contp++;
		}

		@@ -697,9 +696,9 @@ void API_NS(base_double_scalarmul_non_secret) (
		assert(control_pre[contp].addend);

		if (control_pre[contp].addend > 0) {
		add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[contp].addend >> 1], i);
		add_niels_to_pt(combo, curve448_wnaf_base[control_pre[contp].addend >> 1], i);
		} else {
		sub_niels_from_pt(combo, API_NS(wnaf_base)[(-control_pre[contp].addend) >> 1], i);
		sub_niels_from_pt(combo, curve448_wnaf_base[(-control_pre[contp].addend) >> 1], i);
		}
		contp++;
		}
		@@ -714,7 +713,7 @@ void API_NS(base_double_scalarmul_non_secret) (
		assert(contp == ncb_pre); (void)ncb_pre;
		}

		void API_NS(point_destroy) (
		void curve448_point_destroy (
		point_t point
		) {
		OPENSSL_cleanse(point, sizeof(point_t));

crypto/ec/curve448/decaf_tables.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -3,8 +3,7 @@

		#include "point_448.h"

		#define API_NS(_id) decaf_448_##_id
		const gf API_NS(precomputed_base_as_fe)[240]
		const gf curve448_precomputed_base_as_fe[240]
		VECTOR_ALIGNED __attribute__((visibility("hidden"))) = {
		{FIELD_LITERAL(0x00cc3b062366f4cc,0x003d6e34e314aa3c,0x00d51c0a7521774d,0x0094e060eec6ab8b,0x00d21291b4d80082,0x00befed12b55ef1e,0x00c3dd2df5c94518,0x00e0a7b112b8d4e6)},
		{FIELD_LITERAL(0x0019eb5608d8723a,0x00d1bab52fb3aedb,0x00270a7311ebc90c,0x0037c12b91be7f13,0x005be16cd8b5c704,0x003e181acda888e1,0x00bc1f00fc3fc6d0,0x00d3839bfa319e20)},
		@@ -247,7 +246,7 @@ VECTOR_ALIGNED __attribute__((visibility("hidden"))) = {
		{FIELD_LITERAL(0x004a2902926f8d3f,0x00ad79b42637ab75,0x0088f60b90f2d4e8,0x0030f54ef0e398c4,0x00021dc9bf99681e,0x007ebf66fde74ee3,0x004ade654386e9a4,0x00e7485066be4c27)},
		{FIELD_LITERAL(0x00445f1263983be0,0x004cf371dda45e6a,0x00744a89d5a310e7,0x001f20ce4f904833,0x00e746edebe66e29,0x000912ab1f6c153d,0x00f61d77d9b2444c,0x0001499cd6647610)}
		};
		const gf API_NS(precomputed_wnaf_as_fe)[96]
		const gf curve448_precomputed_wnaf_as_fe[96]
		VECTOR_ALIGNED __attribute__((visibility("hidden"))) = {
		{FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x00e822938a0a0c0c,0x00263a61c9ea9216,0x001204029321b828,0x006a468360983c65,0x0002846f0a782143)},
		{FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x006822938a0a0c0c,0x00263a61c9ea9215,0x001204029321b828,0x006a468360983c65,0x0082846f0a782143)},

crypto/ec/curve448/ed448.h

+5 −5

Original line number	Diff line number	Diff line
		@@ -195,22 +195,22 @@ decaf_error_t decaf_ed448_verify_prehash (
		* @param [out] enc The encoded point.
		* @param [in] p The point.
		*/
		void decaf_448_point_mul_by_ratio_and_encode_like_eddsa (
		void curve448_point_mul_by_ratio_and_encode_like_eddsa (
		uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
		const decaf_448_point_t p
		const curve448_point_t p
		) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

		/**
		* @brief EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO,
		* and ignores cofactor information.
		*
		* See notes on decaf_448_point_mul_by_ratio_and_encode_like_eddsa
		* See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa
		*
		* @param [out] enc The encoded point.
		* @param [in] p The point.
		*/
		decaf_error_t decaf_448_point_decode_like_eddsa_and_mul_by_ratio (
		decaf_448_point_t p,
		decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio (
		curve448_point_t p,
		const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
		) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

crypto/ec/curve448/eddsa.c

+39 −40

Original line number	Diff line number	Diff line
		@@ -20,7 +20,6 @@
		#include <string.h>

		#define API_NAME "decaf_448"
		#define API_NS(_id) decaf_448_##_id

		#define hash_ctx_t decaf_shake256_ctx_t
		#define hash_init decaf_shake256_init
		@@ -121,8 +120,8 @@ void decaf_ed448_derive_public_key (
		);
		clamp(secret_scalar_ser);

		API_NS(scalar_t) secret_scalar;
		API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
		curve448_scalar_t secret_scalar;
		curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));

		/* Since we are going to mul_by_cofactor during encoding, divide by it here.
		* However, the EdDSA base point is not the same as the decaf base point if
		@@ -131,17 +130,17 @@ void decaf_ed448_derive_public_key (
		* picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1.
		*/
		for (unsigned int c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
		API_NS(scalar_halve)(secret_scalar,secret_scalar);
		curve448_scalar_halve(secret_scalar,secret_scalar);
		}

		API_NS(point_t) p;
		API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);
		curve448_point_t p;
		curve448_precomputed_scalarmul(p,curve448_precomputed_base,secret_scalar);

		API_NS(point_mul_by_ratio_and_encode_like_eddsa)(pubkey, p);
		curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);

		/* Cleanup */
		API_NS(scalar_destroy)(secret_scalar);
		API_NS(point_destroy)(p);
		curve448_scalar_destroy(secret_scalar);
		curve448_point_destroy(p);
		OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
		}

		@@ -155,7 +154,7 @@ void decaf_ed448_sign (
		const uint8_t *context,
		uint8_t context_len
		) {
		API_NS(scalar_t) secret_scalar;
		curve448_scalar_t secret_scalar;
		hash_ctx_t hash;
		{
		/* Schedule the secret key */
		@@ -170,7 +169,7 @@ void decaf_ed448_sign (
		DECAF_EDDSA_448_PRIVATE_BYTES
		);
		clamp(expanded.secret_scalar_ser);
		API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
		curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));

		/* Hash to create the nonce */
		hash_init_with_dom(hash,prehashed,0,context,context_len);
		@@ -180,31 +179,31 @@ void decaf_ed448_sign (
		}

		/* Decode the nonce */
		API_NS(scalar_t) nonce_scalar;
		curve448_scalar_t nonce_scalar;
		{
		uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];
		hash_final(hash,nonce,sizeof(nonce));
		API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
		curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
		OPENSSL_cleanse(nonce, sizeof(nonce));
		}

		uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
		{
		/* Scalarmul to create the nonce-point */
		API_NS(scalar_t) nonce_scalar_2;
		API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
		curve448_scalar_t nonce_scalar_2;
		curve448_scalar_halve(nonce_scalar_2,nonce_scalar);
		for (unsigned int c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
		API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
		curve448_scalar_halve(nonce_scalar_2,nonce_scalar_2);
		}

		API_NS(point_t) p;
		API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
		API_NS(point_mul_by_ratio_and_encode_like_eddsa)(nonce_point, p);
		API_NS(point_destroy)(p);
		API_NS(scalar_destroy)(nonce_scalar_2);
		curve448_point_t p;
		curve448_precomputed_scalarmul(p,curve448_precomputed_base,nonce_scalar_2);
		curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
		curve448_point_destroy(p);
		curve448_scalar_destroy(nonce_scalar_2);
		}

		API_NS(scalar_t) challenge_scalar;
		curve448_scalar_t challenge_scalar;
		{
		/* Compute the challenge */
		hash_init_with_dom(hash,prehashed,0,context,context_len);
		@@ -214,20 +213,20 @@ void decaf_ed448_sign (
		uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
		hash_final(hash,challenge,sizeof(challenge));
		hash_destroy(hash);
		API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
		curve448_scalar_decode_long(challenge_scalar,challenge,sizeof(challenge));
		OPENSSL_cleanse(challenge,sizeof(challenge));
		}

		API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
		API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
		curve448_scalar_mul(challenge_scalar,challenge_scalar,secret_scalar);
		curve448_scalar_add(challenge_scalar,challenge_scalar,nonce_scalar);

		OPENSSL_cleanse(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);
		memcpy(signature,nonce_point,sizeof(nonce_point));
		API_NS(scalar_encode)(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);
		curve448_scalar_encode(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);

		API_NS(scalar_destroy)(secret_scalar);
		API_NS(scalar_destroy)(nonce_scalar);
		API_NS(scalar_destroy)(challenge_scalar);
		curve448_scalar_destroy(secret_scalar);
		curve448_scalar_destroy(nonce_scalar);
		curve448_scalar_destroy(challenge_scalar);
		}


		@@ -260,14 +259,14 @@ decaf_error_t decaf_ed448_verify (
		const uint8_t *context,
		uint8_t context_len
		) {
		API_NS(point_t) pk_point, r_point;
		decaf_error_t error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(pk_point,pubkey);
		curve448_point_t pk_point, r_point;
		decaf_error_t error = curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point,pubkey);
		if (DECAF_SUCCESS != error) { return error; }

		error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(r_point,signature);
		error = curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point,signature);
		if (DECAF_SUCCESS != error) { return error; }

		API_NS(scalar_t) challenge_scalar;
		curve448_scalar_t challenge_scalar;
		{
		/* Compute the challenge */
		hash_ctx_t hash;
		@@ -278,31 +277,31 @@ decaf_error_t decaf_ed448_verify (
		uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
		hash_final(hash,challenge,sizeof(challenge));
		hash_destroy(hash);
		API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
		curve448_scalar_decode_long(challenge_scalar,challenge,sizeof(challenge));
		OPENSSL_cleanse(challenge,sizeof(challenge));
		}
		API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
		curve448_scalar_sub(challenge_scalar, curve448_scalar_zero, challenge_scalar);

		API_NS(scalar_t) response_scalar;
		API_NS(scalar_decode_long)(
		curve448_scalar_t response_scalar;
		curve448_scalar_decode_long(
		response_scalar,
		&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
		DECAF_EDDSA_448_PRIVATE_BYTES
		);

		for (unsigned c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) {
		API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
		curve448_scalar_add(response_scalar,response_scalar,response_scalar);
		}


		/* pk_point = -c(x(P)) + (cx + k)G = kG */
		API_NS(base_double_scalarmul_non_secret)(
		curve448_base_double_scalarmul_non_secret(
		pk_point,
		response_scalar,
		pk_point,
		challenge_scalar
		);
		return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
		return decaf_succeed_if(curve448_point_eq(pk_point,r_point));
		}

crypto/ec/curve448/point_448.h

+93 −93

File changed.

Preview size limit exceeded, changes collapsed.