Skip to content

O
openssl

btwise / openssl

通知 1
Star 0
Fork 0
O
openssl

体验新版 GitCode,发现更多精彩内容 >>

提交 aeeef83c 编写于 作者: M Matt Caswell
浏览文件
操作

Remove references to libdecaf 

Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
上级 35b7c85a
隐藏空白更改
内联 并排
Showing with 287 addition and 295 deletion
crypto/ec/curve448/arch_32/f_impl.c
浏览文件 @ aeeef83c
......@@ -13,7 +13,7 @@
#include "f_field.h"
#if (defined(__OPTIMIZE__) && !defined(__OPTIMIZE_SIZE__) && !I_HATE_UNROLLED_LOOPS) \
|| defined(DECAF_FORCE_UNROLL)
|| defined(C448_FORCE_UNROLL)
# define REPEAT8(_x) _x _x _x _x _x _x _x _x
# define FOR_LIMB(_i,_start,_end,_x) do { _i=_start; REPEAT8( if (_i<_end) { _x; } _i++;) } while (0)
#else
......
crypto/ec/curve448/curve448.c
浏览文件 @ aeeef83c
......@@ -23,8 +23,8 @@
#define COMBS_N 5
#define COMBS_T 5
#define COMBS_S 18
#define DECAF_WNAF_FIXED_TABLE_BITS 5
#define DECAF_WNAF_VAR_TABLE_BITS 3
#define C448_WNAF_FIXED_TABLE_BITS 5
#define C448_WNAF_VAR_TABLE_BITS 3
static const int EDWARDS_D = -39081;
static const curve448_scalar_t precomputed_scalarmul_adjustment = {
......@@ -38,7 +38,7 @@ static const curve448_scalar_t precomputed_scalarmul_adjustment = {
#define TWISTED_D ((EDWARDS_D)-1)
#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
#define WBITS C448_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
/* Projective Niels coordinates */
typedef struct {
......@@ -203,8 +203,8 @@ static void sub_pniels_from_pt(curve448_point_t p, const pniels_t pn,
sub_niels_from_pt(p, pn->n, before_double);
}
decaf_bool_t curve448_point_eq(const curve448_point_t p,
const curve448_point_t q)
c448_bool_t curve448_point_eq(const curve448_point_t p,
const curve448_point_t q)
{
mask_t succ;
......@@ -217,7 +217,7 @@ decaf_bool_t curve448_point_eq(const curve448_point_t p,
return mask_to_bool(succ);
}
decaf_bool_t curve448_point_valid(const curve448_point_t p)
c448_bool_t curve448_point_valid(const curve448_point_t p)
{
mask_t out;
......@@ -267,7 +267,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out,
for (k = 0; k < t; k++) {
unsigned int bit = i + s * (k + j * t);
if (bit < DECAF_448_SCALAR_BITS) {
if (bit < C448_448_SCALAR_BITS) {
tab |=
(scalar1x->limb[bit / WBITS] >> (bit % WBITS) & 1) << k;
}
......@@ -294,7 +294,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out,
}
void curve448_point_mul_by_ratio_and_encode_like_eddsa(
uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES],
const curve448_point_t p)
{
......@@ -329,9 +329,9 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa(
gf_mul(x, y, z);
/* Encode */
enc[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
enc[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;
gf_serialize(enc, x, 1);
enc[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);
enc[C448_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t);
OPENSSL_cleanse(x, sizeof(x));
OPENSSL_cleanse(y, sizeof(y));
......@@ -340,22 +340,22 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa(
curve448_point_destroy(q);
}
decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
curve448_point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES])
const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES])
{
uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];
uint8_t enc2[C448_EDDSA_448_PUBLIC_BYTES];
mask_t low;
mask_t succ;
memcpy(enc2, enc, sizeof(enc2));
low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1] & 0x80);
enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;
low = ~word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] & 0x80);
enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80;
succ = gf_deserialize(p->y, enc2, 1, 0);
#if 0 == 0
succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1]);
succ &= word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1]);
#endif
gf_sqr(p->x, p->y);
......@@ -396,12 +396,12 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
OPENSSL_cleanse(enc2, sizeof(enc2));
assert(curve448_point_valid(p) || ~succ);
return decaf_succeed_if(mask_to_bool(succ));
return c448_succeed_if(mask_to_bool(succ));
}
decaf_error_t decaf_x448(uint8_t out[X_PUBLIC_BYTES],
const uint8_t base[X_PUBLIC_BYTES],
const uint8_t scalar[X_PRIVATE_BYTES])
c448_error_t c448_x448(uint8_t out[X_PUBLIC_BYTES],
const uint8_t base[X_PUBLIC_BYTES],
const uint8_t scalar[X_PRIVATE_BYTES])
{
gf x1, x2, z2, x3, z3, t1, t2;
int t;
......@@ -470,7 +470,7 @@ decaf_error_t decaf_x448(uint8_t out[X_PUBLIC_BYTES],
OPENSSL_cleanse(t1, sizeof(t1));
OPENSSL_cleanse(t2, sizeof(t2));
return decaf_succeed_if(mask_to_bool(nz));
return c448_succeed_if(mask_to_bool(nz));
}
void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t
......@@ -486,8 +486,8 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t
curve448_point_destroy(q);
}
void decaf_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
const uint8_t scalar[X_PRIVATE_BYTES])
void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
const uint8_t scalar[X_PRIVATE_BYTES])
{
/* Scalar conditioning */
uint8_t scalar2[X_PRIVATE_BYTES];
......@@ -504,7 +504,7 @@ void decaf_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES],
curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2));
/* Compensate for the encoding ratio */
for (i = 1; i < DECAF_X448_ENCODE_RATIO; i <<= 1) {
for (i = 1; i < C448_X448_ENCODE_RATIO; i <<= 1) {
curve448_scalar_halve(the_scalar, the_scalar);
}
curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar);
......@@ -522,7 +522,7 @@ static int recode_wnaf(struct smvt_control *control,
const curve448_scalar_t scalar,
unsigned int table_bits)
{
unsigned int table_size = DECAF_448_SCALAR_BITS / (table_bits + 1) + 3;
unsigned int table_size = C448_448_SCALAR_BITS / (table_bits + 1) + 3;
int position = table_size - 1; /* at the end */
uint64_t current = scalar->limb[0] & 0xFFFF;
uint32_t mask = (1 << (table_bits + 1)) - 1;
......@@ -541,8 +541,8 @@ static int recode_wnaf(struct smvt_control *control,
* 1/5 op. Probably not worth it.
*/
for (w = 1; w < (DECAF_448_SCALAR_BITS - 1) / 16 + 3; w++) {
if (w < (DECAF_448_SCALAR_BITS - 1) / 16 + 1) {
for (w = 1; w < (C448_448_SCALAR_BITS - 1) / 16 + 3; w++) {
if (w < (C448_448_SCALAR_BITS - 1) / 16 + 1) {
/* Refill the 16 high bits of current */
current += (uint32_t)((scalar->limb[w / B_OVER_16]
>> (16 * (w % B_OVER_16))) << 16);
......@@ -610,15 +610,15 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo,
const curve448_point_t base2,
const curve448_scalar_t scalar2)
{
const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS,
table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS;
struct smvt_control control_var[DECAF_448_SCALAR_BITS /
(DECAF_WNAF_VAR_TABLE_BITS + 1) + 3];
struct smvt_control control_pre[DECAF_448_SCALAR_BITS /
(DECAF_WNAF_FIXED_TABLE_BITS + 1) + 3];
const int table_bits_var = C448_WNAF_VAR_TABLE_BITS,
table_bits_pre = C448_WNAF_FIXED_TABLE_BITS;
struct smvt_control control_var[C448_448_SCALAR_BITS /
(C448_WNAF_VAR_TABLE_BITS + 1) + 3];
struct smvt_control control_pre[C448_448_SCALAR_BITS /
(C448_WNAF_FIXED_TABLE_BITS + 1) + 3];
int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
pniels_t precmp_var[1 << DECAF_WNAF_VAR_TABLE_BITS];
pniels_t precmp_var[1 << C448_WNAF_VAR_TABLE_BITS];
int contp = 0, contv = 0, i;
prepare_wnaf_table(precmp_var, base2, table_bits_var);
......@@ -697,12 +697,12 @@ void curve448_point_destroy(curve448_point_t point)
int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],
const uint8_t peer_public_value[56])
{
return decaf_x448(out_shared_key, peer_public_value, private_key)
== DECAF_SUCCESS;
return c448_x448(out_shared_key, peer_public_value, private_key)
== C448_SUCCESS;
}
void X448_public_from_private(uint8_t out_public_value[56],
const uint8_t private_key[56])
{
decaf_x448_derive_public_key(out_public_value, private_key);
c448_x448_derive_public_key(out_public_value, private_key);
}
crypto/ec/curve448/curve448utils.h
浏览文件 @ aeeef83c
......@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
#ifndef __DECAF_COMMON_H__
# define __DECAF_COMMON_H__ 1
#ifndef __C448_COMMON_H__
# define __C448_COMMON_H__ 1
# include <openssl/e_os2.h>
......@@ -26,61 +26,61 @@ extern "C" {
* header was built with eg arch_neon, you might end up linking a library built
* with arch_arm32.
*/
# ifndef DECAF_WORD_BITS
# ifndef C448_WORD_BITS
# if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) \
|| (((__UINT_FAST32_MAX__)>>30)>>30))
# define DECAF_WORD_BITS 64 /* The number of bits in a word */
# define C448_WORD_BITS 64 /* The number of bits in a word */
# else
# define DECAF_WORD_BITS 32 /* The number of bits in a word */
# define C448_WORD_BITS 32 /* The number of bits in a word */
# endif
# endif
# if DECAF_WORD_BITS == 64
# if C448_WORD_BITS == 64
/* Word size for internal computations */
typedef uint64_t decaf_word_t;
typedef uint64_t c448_word_t;
/* Signed word size for internal computations */
typedef int64_t decaf_sword_t;
typedef int64_t c448_sword_t;
/* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */
typedef uint64_t decaf_bool_t;
typedef uint64_t c448_bool_t;
/* Double-word size for internal computations */
typedef __uint128_t decaf_dword_t;
typedef __uint128_t c448_dword_t;
/* Signed double-word size for internal computations */
typedef __int128_t decaf_dsword_t;
# elif DECAF_WORD_BITS == 32
typedef __int128_t c448_dsword_t;
# elif C448_WORD_BITS == 32
/* Word size for internal computations */
typedef uint32_t decaf_word_t;
typedef uint32_t c448_word_t;
/* Signed word size for internal computations */
typedef int32_t decaf_sword_t;
typedef int32_t c448_sword_t;
/* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */
typedef uint32_t decaf_bool_t;
typedef uint32_t c448_bool_t;
/* Double-word size for internal computations */
typedef uint64_t decaf_dword_t;
typedef uint64_t c448_dword_t;
/* Signed double-word size for internal computations */
typedef int64_t decaf_dsword_t;
typedef int64_t c448_dsword_t;
# else
# error "Only supporting DECAF_WORD_BITS = 32 or 64 for now"
# error "Only supporting C448_WORD_BITS = 32 or 64 for now"
# endif
/* DECAF_TRUE = -1 so that DECAF_TRUE & x = x */
static const decaf_bool_t DECAF_TRUE = -(decaf_bool_t) 1;
/* C448_TRUE = -1 so that C448_TRUE & x = x */
static const c448_bool_t C448_TRUE = -(c448_bool_t) 1;
/* DECAF_FALSE = 0 so that DECAF_FALSE & x = 0 */
static const decaf_bool_t DECAF_FALSE = 0;
/* C448_FALSE = 0 so that C448_FALSE & x = 0 */
static const c448_bool_t C448_FALSE = 0;
/* Another boolean type used to indicate success or failure. */
typedef enum {
DECAF_SUCCESS = -1, /**< The operation succeeded. */
DECAF_FAILURE = 0 /**< The operation failed. */
} decaf_error_t;
C448_SUCCESS = -1, /**< The operation succeeded. */
C448_FAILURE = 0 /**< The operation failed. */
} c448_error_t;
/* Return success if x is true */
static ossl_inline decaf_error_t decaf_succeed_if(decaf_bool_t x)
static ossl_inline c448_error_t c448_succeed_if(c448_bool_t x)
{
return (decaf_error_t) x;
return (c448_error_t) x;
}
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* __DECAF_COMMON_H__ */
#endif /* __C448_COMMON_H__ */
crypto/ec/curve448/ed448.h
浏览文件 @ aeeef83c
......@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
#ifndef __DECAF_ED448_H__
# define __DECAF_ED448_H__ 1
#ifndef __C448_ED448_H__
# define __C448_ED448_H__ 1
# include "point_448.h"
......@@ -20,20 +20,20 @@ extern "C" {
#endif
/* Number of bytes in an EdDSA public key. */
# define DECAF_EDDSA_448_PUBLIC_BYTES 57
# define C448_EDDSA_448_PUBLIC_BYTES 57
/* Number of bytes in an EdDSA private key. */
# define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES
# define C448_EDDSA_448_PRIVATE_BYTES C448_EDDSA_448_PUBLIC_BYTES
/* Number of bytes in an EdDSA private key. */
# define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + \
DECAF_EDDSA_448_PRIVATE_BYTES)
# define C448_EDDSA_448_SIGNATURE_BYTES (C448_EDDSA_448_PUBLIC_BYTES + \
C448_EDDSA_448_PRIVATE_BYTES)
/* EdDSA encoding ratio. */
# define DECAF_448_EDDSA_ENCODE_RATIO 4
# define C448_448_EDDSA_ENCODE_RATIO 4
/* EdDSA decoding ratio. */
# define DECAF_448_EDDSA_DECODE_RATIO (4 / 4)
# define C448_448_EDDSA_DECODE_RATIO (4 / 4)
/*
* EdDSA key generation. This function uses a different (non-Decaf) encoding.
......@@ -41,9 +41,9 @@ extern "C" {
* pubkey (out): The public key.
* privkey (in): The private key.
*/
decaf_error_t decaf_ed448_derive_public_key(
uint8_t pubkey [DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t privkey [DECAF_EDDSA_448_PRIVATE_BYTES]);
c448_error_t c448_ed448_derive_public_key(
uint8_t pubkey [C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t privkey [C448_EDDSA_448_PRIVATE_BYTES]);
/*
* EdDSA signing.
......@@ -63,10 +63,10 @@ decaf_error_t decaf_ed448_derive_public_key(
* disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
* it harder to screw this up, but this C code gives you no seat belt.
*/
decaf_error_t decaf_ed448_sign(
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
c448_error_t c448_ed448_sign(
uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
size_t context_len)
......@@ -89,10 +89,10 @@ decaf_error_t decaf_ed448_sign(
* disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
* it harder to screw this up, but this C code gives you no seat belt.
*/
decaf_error_t decaf_ed448_sign_prehash(
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
c448_error_t c448_ed448_sign_prehash(
uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64],
const uint8_t *context,
size_t context_len)
......@@ -117,10 +117,10 @@ decaf_error_t decaf_ed448_sign_prehash(
* disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
* it harder to screw this up, but this C code gives you no seat belt.
*/
decaf_error_t decaf_ed448_verify(const uint8_t
signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
c448_error_t c448_ed448_verify(const uint8_t
signature[C448_EDDSA_448_SIGNATURE_BYTES],
const uint8_t
pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
uint8_t context_len)
......@@ -144,9 +144,9 @@ decaf_error_t decaf_ed448_verify(const uint8_t
* disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
* it harder to screw this up, but this C code gives you no seat belt.
*/
decaf_error_t decaf_ed448_verify_prehash(
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
c448_error_t c448_ed448_verify_prehash(
const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64],
const uint8_t *context,
uint8_t context_len)
......@@ -154,7 +154,7 @@ decaf_error_t decaf_ed448_verify_prehash(
/*
* EdDSA point encoding. Used internally, exposed externally.
* Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first.
* Multiplies by C448_448_EDDSA_ENCODE_RATIO first.
*
* The multiplication is required because the EdDSA encoding represents
* the cofactor information, but the Decaf encoding ignores it (which
......@@ -162,26 +162,25 @@ decaf_error_t decaf_ed448_verify_prehash(
* EdDSA, the cofactor info must get cleared, because the intermediate
* representation doesn't track it.
*
* The way libdecaf handles this is to multiply by
* DECAF_448_EDDSA_DECODE_RATIO when decoding, and by
* DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these
* ratios is always exactly the cofactor 4, so the cofactor
* ends up cleared one way or another. But exactly how that shakes
* out depends on the base points specified in RFC 8032.
* The way we handle this is to multiply by C448_448_EDDSA_DECODE_RATIO when
* decoding, and by C448_448_EDDSA_ENCODE_RATIO when encoding. The product of
* these ratios is always exactly the cofactor 4, so the cofactor ends up
* cleared one way or another. But exactly how that shakes out depends on the
* base points specified in RFC 8032.
*
* The upshot is that if you pass the Decaf/Ristretto base point to
* this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the
* this function, you will get C448_448_EDDSA_ENCODE_RATIO times the
* EdDSA base point.
*
* enc (out): The encoded point.
* p (in): The point.
*/
void curve448_point_mul_by_ratio_and_encode_like_eddsa(
uint8_t enc [DECAF_EDDSA_448_PUBLIC_BYTES],
uint8_t enc [C448_EDDSA_448_PUBLIC_BYTES],
const curve448_point_t p);
/*
* EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO, and
* EdDSA point decoding. Multiplies by C448_448_EDDSA_DECODE_RATIO, and
* ignores cofactor information.
*
* See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa
......@@ -189,9 +188,9 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa(
* enc (out): The encoded point.
* p (in): The point.
*/
decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
curve448_point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]);
const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]);
/*
* EdDSA to ECDH private key conversion
......@@ -201,12 +200,12 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
* x (out): The ECDH private key as in RFC7748
* ed (in): The EdDSA private key
*/
decaf_error_t decaf_ed448_convert_private_key_to_x448(
uint8_t x[DECAF_X448_PRIVATE_BYTES],
const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]);
c448_error_t c448_ed448_convert_private_key_to_x448(
uint8_t x[C448_X448_PRIVATE_BYTES],
const uint8_t ed[C448_EDDSA_448_PRIVATE_BYTES]);
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* __DECAF_ED448_H__ */
#endif /* __C448_ED448_H__ */
crypto/ec/curve448/eddsa.c
浏览文件 @ aeeef83c
......@@ -20,45 +20,44 @@
#define COFACTOR 4
static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen,
const uint8_t *in, size_t inlen)
static c448_error_t oneshot_hash(uint8_t *out, size_t outlen,
const uint8_t *in, size_t inlen)
{
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
if (hashctx == NULL)
return DECAF_FAILURE;
return C448_FAILURE;
if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
|| !EVP_DigestUpdate(hashctx, in, inlen)
|| !EVP_DigestFinalXOF(hashctx, out, outlen)) {
EVP_MD_CTX_free(hashctx);
return DECAF_FAILURE;
return C448_FAILURE;
}
EVP_MD_CTX_free(hashctx);
return DECAF_SUCCESS;
return C448_SUCCESS;
}
static void clamp(uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES])
static void clamp(uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES])
{
uint8_t hibit = (1 << 0) >> 1;
/* Blarg */
secret_scalar_ser[0] &= -COFACTOR;
if (hibit == 0) {
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
} else {
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
}
}
static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx,
uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
size_t context_len)
static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
size_t context_len)
{
const char *dom_s = "SigEd448";
uint8_t dom[2];
......@@ -67,42 +66,41 @@ static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx,
dom[1] = (uint8_t)context_len;
if (context_len > UINT8_MAX)
return DECAF_FAILURE;
return C448_FAILURE;
if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
|| !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
|| !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
|| !EVP_DigestUpdate(hashctx, context, context_len))
return DECAF_FAILURE;
return C448_FAILURE;
return DECAF_SUCCESS;
return C448_SUCCESS;
}
/* In this file because it uses the hash */
decaf_error_t decaf_ed448_convert_private_key_to_x448(
uint8_t x[DECAF_X448_PRIVATE_BYTES],
const uint8_t ed [DECAF_EDDSA_448_PRIVATE_BYTES])
c448_error_t c448_ed448_convert_private_key_to_x448(
uint8_t x[C448_X448_PRIVATE_BYTES],
const uint8_t ed [C448_EDDSA_448_PRIVATE_BYTES])
{
/* pass the private key through oneshot_hash function */
/* and keep the first DECAF_X448_PRIVATE_BYTES bytes */
return oneshot_hash(x,
DECAF_X448_PRIVATE_BYTES,
ed, DECAF_EDDSA_448_PRIVATE_BYTES);
/* and keep the first C448_X448_PRIVATE_BYTES bytes */
return oneshot_hash(x, C448_X448_PRIVATE_BYTES, ed,
C448_EDDSA_448_PRIVATE_BYTES);
}
decaf_error_t decaf_ed448_derive_public_key(
uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES])
c448_error_t c448_ed448_derive_public_key(
uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES])
{
/* only this much used for keygen */
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];
curve448_scalar_t secret_scalar;
unsigned int c;
curve448_point_t p;
if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
DECAF_EDDSA_448_PRIVATE_BYTES))
return DECAF_FAILURE;
C448_EDDSA_448_PRIVATE_BYTES))
return C448_FAILURE;
clamp(secret_scalar_ser);
......@@ -117,7 +115,7 @@ decaf_error_t decaf_ed448_derive_public_key(
* converted it effectively picks up a factor of 2 from the isogenies. So
* we might start at 2 instead of 1.
*/
for (c = 1; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1)
for (c = 1; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1)
curve448_scalar_halve(secret_scalar, secret_scalar);
curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
......@@ -129,37 +127,37 @@ decaf_error_t decaf_ed448_derive_public_key(
curve448_point_destroy(p);
OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
return DECAF_SUCCESS;
return C448_SUCCESS;
}
decaf_error_t decaf_ed448_sign(
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
c448_error_t c448_ed448_sign(
uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
size_t context_len)
{
curve448_scalar_t secret_scalar;
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
decaf_error_t ret = DECAF_FAILURE;
c448_error_t ret = C448_FAILURE;
curve448_scalar_t nonce_scalar;
uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = { 0 };
uint8_t nonce_point[C448_EDDSA_448_PUBLIC_BYTES] = { 0 };
unsigned int c;
curve448_scalar_t challenge_scalar;
if (hashctx == NULL)
return DECAF_FAILURE;
return C448_FAILURE;
{
/* Schedule the secret key */
struct {
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES];
uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES];
uint8_t seed[C448_EDDSA_448_PRIVATE_BYTES];
} __attribute__ ((packed)) expanded;
if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey,
DECAF_EDDSA_448_PRIVATE_BYTES))
C448_EDDSA_448_PRIVATE_BYTES))
goto err;
clamp(expanded.secret_scalar_ser);
curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser,
......@@ -177,7 +175,7 @@ decaf_error_t decaf_ed448_sign(
/* Decode the nonce */
{
uint8_t nonce[2 * DECAF_EDDSA_448_PRIVATE_BYTES];
uint8_t nonce[2 * C448_EDDSA_448_PRIVATE_BYTES];
if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
goto err;
......@@ -191,7 +189,7 @@ decaf_error_t decaf_ed448_sign(
curve448_point_t p;
curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
for (c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
for (c = 2; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) {
curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
}
......@@ -203,12 +201,12 @@ decaf_error_t decaf_ed448_sign(
}
{
uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES];
uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];
/* Compute the challenge */
if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
|| !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
|| !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES)
|| !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)
|| !EVP_DigestUpdate(hashctx, message, message_len)
|| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
goto err;
......@@ -221,73 +219,68 @@ decaf_error_t decaf_ed448_sign(
curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
OPENSSL_cleanse(signature, DECAF_EDDSA_448_SIGNATURE_BYTES);
OPENSSL_cleanse(signature, C448_EDDSA_448_SIGNATURE_BYTES);
memcpy(signature, nonce_point, sizeof(nonce_point));
curve448_scalar_encode(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
curve448_scalar_encode(&signature[C448_EDDSA_448_PUBLIC_BYTES],
challenge_scalar);
curve448_scalar_destroy(secret_scalar);
curve448_scalar_destroy(nonce_scalar);
curve448_scalar_destroy(challenge_scalar);
ret = DECAF_SUCCESS;
ret = C448_SUCCESS;
err:
EVP_MD_CTX_free(hashctx);
return ret;
}
decaf_error_t decaf_ed448_sign_prehash(uint8_t
signature
[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t
privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t
pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64],
const uint8_t *context,
size_t context_len)
c448_error_t c448_ed448_sign_prehash(
uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64], const uint8_t *context,
size_t context_len)
{
return decaf_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
context_len);
return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
context_len);
}
decaf_error_t decaf_ed448_verify(const uint8_t
signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t
pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
uint8_t context_len)
c448_error_t c448_ed448_verify(
const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message, size_t message_len,
uint8_t prehashed, const uint8_t *context,
uint8_t context_len)
{
curve448_point_t pk_point, r_point;
decaf_error_t error =
c448_error_t error =
curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
curve448_scalar_t challenge_scalar;
curve448_scalar_t response_scalar;
unsigned int c;
if (DECAF_SUCCESS != error)
if (C448_SUCCESS != error)
return error;
error =
curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
if (DECAF_SUCCESS != error)
if (C448_SUCCESS != error)
return error;
{
/* Compute the challenge */
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES];
uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES];
if (hashctx == NULL
|| !hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
|| !EVP_DigestUpdate(hashctx, signature,
DECAF_EDDSA_448_PUBLIC_BYTES)
|| !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES)
C448_EDDSA_448_PUBLIC_BYTES)
|| !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES)
|| !EVP_DigestUpdate(hashctx, message, message_len)
|| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
EVP_MD_CTX_free(hashctx);
return DECAF_FAILURE;
return C448_FAILURE;
}
EVP_MD_CTX_free(hashctx);
......@@ -299,29 +292,29 @@ decaf_error_t decaf_ed448_verify(const uint8_t
challenge_scalar);
curve448_scalar_decode_long(response_scalar,
&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
DECAF_EDDSA_448_PRIVATE_BYTES);
&signature[C448_EDDSA_448_PUBLIC_BYTES],
C448_EDDSA_448_PRIVATE_BYTES);
for (c = 1; c < DECAF_448_EDDSA_DECODE_RATIO; c <<= 1)
for (c = 1; c < C448_448_EDDSA_DECODE_RATIO; c <<= 1)
curve448_scalar_add(response_scalar, response_scalar, response_scalar);
/* pk_point = -c(x(P)) + (cx + k)G = kG */
curve448_base_double_scalarmul_non_secret(pk_point,
response_scalar,
pk_point, challenge_scalar);
return decaf_succeed_if(curve448_point_eq(pk_point, r_point));
return c448_succeed_if(curve448_point_eq(pk_point, r_point));
}
decaf_error_t decaf_ed448_verify_prehash(
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
c448_error_t c448_ed448_verify_prehash(
const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES],
const uint8_t hash[64], const uint8_t *context,
uint8_t context_len)
{
decaf_error_t ret;
c448_error_t ret;
ret = decaf_ed448_verify(signature, pubkey, hash, 64, 1, context,
context_len);
ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context,
context_len);
return ret;
}
......@@ -331,25 +324,25 @@ int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
const uint8_t *context, size_t context_len)
{
return decaf_ed448_sign(out_sig, private_key, public_key, message,
message_len, 0, context, context_len)
== DECAF_SUCCESS;
return c448_ed448_sign(out_sig, private_key, public_key, message,
message_len, 0, context, context_len)
== C448_SUCCESS;
}
int ED448_verify(const uint8_t *message, size_t message_len,
const uint8_t signature[114], const uint8_t public_key[57],
const uint8_t *context, size_t context_len)
{
return decaf_ed448_verify(signature, public_key, message, message_len, 0,
context, context_len) == DECAF_SUCCESS;
return c448_ed448_verify(signature, public_key, message, message_len, 0,
context, context_len) == C448_SUCCESS;
}
int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
const uint8_t public_key[57], const uint8_t private_key[57],
const uint8_t *context, size_t context_len)
{
return decaf_ed448_sign_prehash(out_sig, private_key, public_key, hash,
context, context_len) == DECAF_SUCCESS;
return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash,
context, context_len) == C448_SUCCESS;
}
......@@ -357,13 +350,13 @@ int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
const uint8_t public_key[57], const uint8_t *context,
size_t context_len)
{
return decaf_ed448_verify_prehash(signature, public_key, hash, context,
context_len) == DECAF_SUCCESS;
return c448_ed448_verify_prehash(signature, public_key, hash, context,
context_len) == C448_SUCCESS;
}
int ED448_public_from_private(uint8_t out_public_key[57],
const uint8_t private_key[57])
{
return decaf_ed448_derive_public_key(out_public_key, private_key)
== DECAF_SUCCESS;
return c448_ed448_derive_public_key(out_public_key, private_key)
== C448_SUCCESS;
}
crypto/ec/curve448/point_448.h
浏览文件 @ aeeef83c
......@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
#ifndef __DECAF_POINT_448_H__
# define __DECAF_POINT_448_H__ 1
#ifndef __C448_POINT_448_H__
# define __C448_POINT_448_H__ 1
# include "curve448utils.h"
# include "field.h"
......@@ -20,22 +20,22 @@
extern "C" {
#endif
# define DECAF_448_SCALAR_LIMBS ((446-1)/DECAF_WORD_BITS+1)
# define C448_448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1)
/* The number of bits in a scalar */
# define DECAF_448_SCALAR_BITS 446
# define C448_448_SCALAR_BITS 446
/* Number of bytes in a serialized scalar. */
# define DECAF_448_SCALAR_BYTES 56
# define C448_448_SCALAR_BYTES 56
/* X448 encoding ratio. */
# define DECAF_X448_ENCODE_RATIO 2
# define C448_X448_ENCODE_RATIO 2
/* Number of bytes in an x448 public key */
# define DECAF_X448_PUBLIC_BYTES 56
# define C448_X448_PUBLIC_BYTES 56
/* Number of bytes in an x448 private key */
# define DECAF_X448_PRIVATE_BYTES 56
# define C448_X448_PRIVATE_BYTES 56
/* Twisted Edwards extended homogeneous coordinates */
typedef struct curve448_point_s {
......@@ -50,7 +50,7 @@ typedef struct curve448_precomputed_s curve448_precomputed_s;
/* Scalar is stored packed, because we don't need the speed. */
typedef struct curve448_scalar_s {
decaf_word_t limb[DECAF_448_SCALAR_LIMBS];
c448_word_t limb[C448_448_SCALAR_LIMBS];
} curve448_scalar_t[1];
/* A scalar equal to 1. */
......@@ -72,13 +72,13 @@ extern const struct curve448_precomputed_s *curve448_precomputed_base;
* out (out): Deserialized form.
*
* Returns:
* DECAF_SUCCESS: The scalar was correctly encoded.
* DECAF_FAILURE: The scalar was greater than the modulus, and has been reduced
* C448_SUCCESS: The scalar was correctly encoded.
* C448_FAILURE: The scalar was greater than the modulus, and has been reduced
* modulo that modulus.
*/
__owur decaf_error_t curve448_scalar_decode(
__owur c448_error_t curve448_scalar_decode(
curve448_scalar_t out,
const unsigned char ser[DECAF_448_SCALAR_BYTES]);
const unsigned char ser[C448_448_SCALAR_BYTES]);
/*
* Read a scalar from wire format or from bytes. Reduces mod scalar prime.
......@@ -96,7 +96,7 @@ void curve448_scalar_decode_long(curve448_scalar_t out,
* ser (out): Serialized form of a scalar.
* s (in): Deserialized scalar.
*/
void curve448_scalar_encode(unsigned char ser[DECAF_448_SCALAR_BYTES],
void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES],
const curve448_scalar_t s);
/*
......@@ -163,18 +163,18 @@ static ossl_inline void curve448_point_copy(curve448_point_t a,
}
/*
* Test whether two points are equal. If yes, return DECAF_TRUE, else return
* DECAF_FALSE.
* Test whether two points are equal. If yes, return C448_TRUE, else return
* C448_FALSE.
*
* a (in): A point.
* b (in): Another point.
*
* Returns:
* DECAF_TRUE: The points are equal.
* DECAF_FALSE: The points are not equal.
* C448_TRUE: The points are equal.
* C448_FALSE: The points are not equal.
*/
__owur decaf_bool_t curve448_point_eq(const curve448_point_t a,
const curve448_point_t b);
__owur c448_bool_t curve448_point_eq(const curve448_point_t a,
const curve448_point_t b);
/*
* Double a point. Equivalent to curve448_point_add(two_a,a,a), but potentially
......@@ -194,35 +194,35 @@ void curve448_point_double(curve448_point_t two_a, const curve448_point_t a);
* scalar (in): The scalar to multiply by.
*
* Returns:
* DECAF_SUCCESS: The scalarmul succeeded.
* DECAF_FAILURE: The scalarmul didn't succeed, because the base point is in a
* C448_SUCCESS: The scalarmul succeeded.
* C448_FAILURE: The scalarmul didn't succeed, because the base point is in a
* small subgroup.
*/
__owur decaf_error_t decaf_x448(uint8_t out[DECAF_X448_PUBLIC_BYTES],
const uint8_t base[DECAF_X448_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]);
__owur c448_error_t c448_x448(uint8_t out[C448_X448_PUBLIC_BYTES],
const uint8_t base[C448_X448_PUBLIC_BYTES],
const uint8_t scalar[C448_X448_PRIVATE_BYTES]);
/*
* Multiply a point by DECAF_X448_ENCODE_RATIO, then encode it like RFC 7748.
* Multiply a point by C448_X448_ENCODE_RATIO, then encode it like RFC 7748.
*
* This function is mainly used internally, but is exported in case
* it will be useful.
*
* The ratio is necessary because the internal representation doesn't
* track the cofactor information, so on output we must clear the cofactor.
* This would multiply by the cofactor, but in fact internally libdecaf's
* points are always even, so it multiplies by half the cofactor instead.
* This would multiply by the cofactor, but in fact internally points are always
* even, so it multiplies by half the cofactor instead.
*
* As it happens, this aligns with the base point definitions; that is,
* if you pass the Decaf/Ristretto base point to this function, the result
* will be DECAF_X448_ENCODE_RATIO times the X448
* will be C448_X448_ENCODE_RATIO times the X448
* base point.
*
* out (out): The scaled and encoded point.
* p (in): The point to be scaled and encoded.
*/
void curve448_point_mul_by_ratio_and_encode_like_x448(
uint8_t out[DECAF_X448_PUBLIC_BYTES],
uint8_t out[C448_X448_PUBLIC_BYTES],
const curve448_point_t p);
/*
......@@ -232,9 +232,9 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(
* out (out): The scaled point base*scalar
* scalar (in): The scalar to multiply by.
*/
void decaf_x448_derive_public_key(
uint8_t out[DECAF_X448_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]);
void c448_x448_derive_public_key(
uint8_t out[C448_X448_PUBLIC_BYTES],
const uint8_t scalar[C448_X448_PRIVATE_BYTES]);
/*
* Multiply a precomputed base point by a scalar: out = scalar*base.
......@@ -273,10 +273,10 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo,
* to_test (in): The point to test.
*
* Returns:
* DECAF_TRUE The point is valid.
* DECAF_FALSE The point is invalid.
* C448_TRUE The point is valid.
* C448_FALSE The point is invalid.
*/
__owur decaf_bool_t curve448_point_valid(const curve448_point_t to_test);
__owur c448_bool_t curve448_point_valid(const curve448_point_t to_test);
/* Overwrite scalar with zeros. */
void curve448_scalar_destroy(curve448_scalar_t scalar);
......@@ -288,4 +288,4 @@ void curve448_point_destroy(curve448_point_t point);
} /* extern "C" */
#endif
#endif /* __DECAF_POINT_448_H__ */
#endif /* __C448_POINT_448_H__ */
crypto/ec/curve448/scalar.c
浏览文件 @ aeeef83c
......@@ -15,7 +15,7 @@
#include "constant_time.h"
#include "point_448.h"
static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t) 0x3bd440fae918bc5;
static const c448_word_t MONTGOMERY_FACTOR = (c448_word_t) 0x3bd440fae918bc5;
static const curve448_scalar_t sc_p = {
{
{
......@@ -37,7 +37,7 @@ static const curve448_scalar_t sc_p = {
}
};
#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
#define WBITS C448_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
const curve448_scalar_t curve448_scalar_one = {{{1}}};
const curve448_scalar_t curve448_scalar_zero = {{{0}}};
......@@ -47,15 +47,15 @@ const curve448_scalar_t curve448_scalar_zero = {{{0}}};
* Must have extra <= 1
*/
static void sc_subx(curve448_scalar_t out,
const decaf_word_t accum[DECAF_448_SCALAR_LIMBS],
const c448_word_t accum[C448_448_SCALAR_LIMBS],
const curve448_scalar_t sub,
const curve448_scalar_t p, decaf_word_t extra)
const curve448_scalar_t p, c448_word_t extra)
{
decaf_dsword_t chain = 0;
c448_dsword_t chain = 0;
unsigned int i;
decaf_word_t borrow;
c448_word_t borrow;
for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
......@@ -63,7 +63,7 @@ static void sc_subx(curve448_scalar_t out,
borrow = chain + extra; /* = 0 or -1 */
chain = 0;
for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
out->limb[i] = chain;
chain >>= WBITS;
......@@ -74,16 +74,16 @@ static void sc_montmul(curve448_scalar_t out, const curve448_scalar_t a,
const curve448_scalar_t b)
{
unsigned int i, j;
decaf_word_t accum[DECAF_448_SCALAR_LIMBS + 1] = { 0 };
decaf_word_t hi_carry = 0;
c448_word_t accum[C448_448_SCALAR_LIMBS + 1] = { 0 };
c448_word_t hi_carry = 0;
for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
decaf_word_t mand = a->limb[i];
const decaf_word_t *mier = b->limb;
for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
c448_word_t mand = a->limb[i];
const c448_word_t *mier = b->limb;
decaf_dword_t chain = 0;
for (j = 0; j < DECAF_448_SCALAR_LIMBS; j++) {
chain += ((decaf_dword_t) mand) * mier[j] + accum[j];
c448_dword_t chain = 0;
for (j = 0; j < C448_448_SCALAR_LIMBS; j++) {
chain += ((c448_dword_t) mand) * mier[j] + accum[j];
accum[j] = chain;
chain >>= WBITS;
}
......@@ -92,8 +92,8 @@ static void sc_montmul(curve448_scalar_t out, const curve448_scalar_t a,
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
for (j = 0; j < DECAF_448_SCALAR_LIMBS; j++) {
chain += (decaf_dword_t) mand *mier[j] + accum[j];
for (j = 0; j < C448_448_SCALAR_LIMBS; j++) {
chain += (c448_dword_t) mand *mier[j] + accum[j];
if (j)
accum[j - 1] = chain;
chain >>= WBITS;
......@@ -123,10 +123,10 @@ void curve448_scalar_sub(curve448_scalar_t out, const curve448_scalar_t a,
void curve448_scalar_add(curve448_scalar_t out, const curve448_scalar_t a,
const curve448_scalar_t b)
{
decaf_dword_t chain = 0;
c448_dword_t chain = 0;
unsigned int i;
for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + b->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
......@@ -140,30 +140,30 @@ static ossl_inline void scalar_decode_short(curve448_scalar_t s,
{
unsigned int i, j, k = 0;
for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
decaf_word_t out = 0;
for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
c448_word_t out = 0;
for (j = 0; j < sizeof(decaf_word_t) && k < nbytes; j++, k++)
out |= ((decaf_word_t) ser[k]) << (8 * j);
for (j = 0; j < sizeof(c448_word_t) && k < nbytes; j++, k++)
out |= ((c448_word_t) ser[k]) << (8 * j);
s->limb[i] = out;
}
}
decaf_error_t curve448_scalar_decode(
c448_error_t curve448_scalar_decode(
curve448_scalar_t s,
const unsigned char ser[DECAF_448_SCALAR_BYTES])
const unsigned char ser[C448_448_SCALAR_BYTES])
{
unsigned int i;
decaf_dsword_t accum = 0;
c448_dsword_t accum = 0;
scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES);
for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++)
scalar_decode_short(s, ser, C448_448_SCALAR_BYTES);
for (i = 0; i < C448_448_SCALAR_LIMBS; i++)
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
/* Here accum == 0 or -1 */
curve448_scalar_mul(s, s, curve448_scalar_one); /* ham-handed reduce */
return decaf_succeed_if(~word_is_zero(accum));
return c448_succeed_if(~word_is_zero(accum));
}
void curve448_scalar_destroy(curve448_scalar_t scalar)
......@@ -182,9 +182,9 @@ void curve448_scalar_decode_long(curve448_scalar_t s,
return;
}
i = ser_len - (ser_len % DECAF_448_SCALAR_BYTES);
i = ser_len - (ser_len % C448_448_SCALAR_BYTES);
if (i == ser_len)
i -= DECAF_448_SCALAR_BYTES;
i -= C448_448_SCALAR_BYTES;
scalar_decode_short(t1, &ser[i], ser_len - i);
......@@ -197,7 +197,7 @@ void curve448_scalar_decode_long(curve448_scalar_t s,
}
while (i) {
i -= DECAF_448_SCALAR_BYTES;
i -= C448_448_SCALAR_BYTES;
sc_montmul(t1, t1, sc_r2);
ignore_result(curve448_scalar_decode(t2, ser + i));
curve448_scalar_add(t1, t1, t2);
......@@ -208,28 +208,28 @@ void curve448_scalar_decode_long(curve448_scalar_t s,
curve448_scalar_destroy(t2);
}
void curve448_scalar_encode(unsigned char ser[DECAF_448_SCALAR_BYTES],
void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES],
const curve448_scalar_t s)
{
unsigned int i, j, k = 0;
for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
for (j = 0; j < sizeof(decaf_word_t); j++, k++)
for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
for (j = 0; j < sizeof(c448_word_t); j++, k++)
ser[k] = s->limb[i] >> (8 * j);
}
}
void curve448_scalar_halve(curve448_scalar_t out, const curve448_scalar_t a)
{
decaf_word_t mask = -(a->limb[0] & 1);
decaf_dword_t chain = 0;
c448_word_t mask = -(a->limb[0] & 1);
c448_dword_t chain = 0;
unsigned int i;
for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) {
for (i = 0; i < C448_448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
out->limb[i] = chain;
chain >>= DECAF_WORD_BITS;
chain >>= C448_WORD_BITS;
}
for (i = 0; i < DECAF_448_SCALAR_LIMBS - 1; i++)
for (i = 0; i < C448_448_SCALAR_LIMBS - 1; i++)
out->limb[i] = out->limb[i] >> 1 | out->limb[i + 1] << (WBITS - 1);
out->limb[i] = out->limb[i] >> 1 | chain << (WBITS - 1);
}
crypto/ec/curve448/word.h
浏览文件 @ aeeef83c
......@@ -54,19 +54,19 @@ typedef int16_t hsword_t;
typedef int32_t sword_t;
typedef int64_t dsword_t;
# else
# error "For now, libdecaf only supports 32- and 64-bit architectures."
# error "For now, we only support 32- and 64-bit architectures."
# endif
/*
* Scalar limbs are keyed off of the API word size instead of the arch word
* size.
*/
# if DECAF_WORD_BITS == 64
# if C448_WORD_BITS == 64
# define SC_LIMB(x) (x)
# elif DECAF_WORD_BITS == 32
# elif C448_WORD_BITS == 32
# define SC_LIMB(x) ((uint32_t)x),(x>>32)
# else
# error "For now, libdecaf only supports 32- and 64-bit architectures."
# error "For now we only support 32- and 64-bit architectures."
# endif
# ifdef __ARM_NEON__
......@@ -184,26 +184,26 @@ static ossl_inline big_register_t br_is_zero(big_register_t x)
# endif
/*
* The plan on booleans: The external interface uses decaf_bool_t, but this
* The plan on booleans: The external interface uses c448_bool_t, but this
* might be a different size than our particular arch's word_t (and thus
* mask_t). Also, the caller isn't guaranteed to pass it as nonzero. So
* bool_to_mask converts word sizes and checks nonzero. On the flip side,
* mask_t is always -1 or 0, but it might be a different size than
* decaf_bool_t. On the third hand, we have success vs boolean types, but
* that's handled in common.h: it converts between decaf_bool_t and
* decaf_error_t.
* c448_bool_t. On the third hand, we have success vs boolean types, but
* that's handled in common.h: it converts between c448_bool_t and
* c448_error_t.
*/
static ossl_inline decaf_bool_t mask_to_bool(mask_t m)
static ossl_inline c448_bool_t mask_to_bool(mask_t m)
{
return (decaf_sword_t)(sword_t)m;
return (c448_sword_t)(sword_t)m;
}
static ossl_inline mask_t bool_to_mask(decaf_bool_t m)
static ossl_inline mask_t bool_to_mask(c448_bool_t m)
{
/* On most arches this will be optimized to a simple cast. */
mask_t ret = 0;
unsigned int i;
unsigned int limit = sizeof(decaf_bool_t) / sizeof(mask_t);
unsigned int limit = sizeof(c448_bool_t) / sizeof(mask_t);
if (limit < 1)
limit = 1;
......@@ -213,7 +213,7 @@ static ossl_inline mask_t bool_to_mask(decaf_bool_t m)
return ret;
}
static ossl_inline void ignore_result(decaf_bool_t boo)
static ossl_inline void ignore_result(c448_bool_t boo)
{
(void)boo;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册