diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c
index 12ed36d8b8a7a1b267c7757953ec3516ea578c99..e2c57708033f5aed497d8170807f3a7e89c8732f 100644
--- a/crypto/ec/curve448/curve448.c
+++ b/crypto/ec/curve448/curve448.c
@@ -23,7 +23,6 @@
 #define COMBS_N 5
 #define COMBS_T 5
 #define COMBS_S 18
-#define DECAF_WINDOW_BITS 5
 #define DECAF_WNAF_FIXED_TABLE_BITS 5
 #define DECAF_WNAF_VAR_TABLE_BITS 3

@@ -37,15 +36,8 @@ static const curve448_scalar_t precomputed_scalarmul_adjustment = {
 }
 };

-const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] = { 0x05 };
-
 #define TWISTED_D ((EDWARDS_D)-1)
-#define EFF_D (-(TWISTED_D))
-#define NEG_D 1
-
-/* End of template stuff */
-
 #define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */

 /* Projective Niels coordinates */
@@ -55,7 +47,7 @@ typedef struct {
 typedef struct {
 niels_t n;
 gf z;
-} VECTOR_ALIGNED pniels_s, pniels_t[1];
+} VECTOR_ALIGNED pniels_t[1];

 /* Precomputed base */
 struct curve448_precomputed_s {
@@ -481,34 +473,6 @@ decaf_error_t decaf_x448(uint8_t out[X_PUBLIC_BYTES],
 return decaf_succeed_if(mask_to_bool(nz));
 }

-/* Thanks Johan Pascal */
-void decaf_ed448_convert_public_key_to_x448(uint8_t x[DECAF_X448_PUBLIC_BYTES],
- const uint8_t
- ed[DECAF_EDDSA_448_PUBLIC_BYTES])
-{
- gf y;
- const uint8_t mask = (uint8_t)(0xFE << (7));
- ignore_result(gf_deserialize(y, ed, 1, mask));
-
- {
- gf n, d;
-
- /* u = y^2 * (1-dy^2) / (1-y^2) */
- gf_sqr(n, y); /* y^2 */
- gf_sub(d, ONE, n); /* 1-y^2 */
- gf_invert(d, d, 0); /* 1/(1-y^2) */
- gf_mul(y, n, d); /* y^2 / (1-y^2) */
- gf_mulw(d, n, EDWARDS_D); /* dy^2 */
- gf_sub(d, ONE, d); /* 1-dy^2 */
- gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
- gf_serialize(x, n, 1);
-
- OPENSSL_cleanse(y, sizeof(y));
- OPENSSL_cleanse(n, sizeof(n));
- OPENSSL_cleanse(d, sizeof(d));
- }
-}
-
 void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t out[X_PUBLIC_BYTES],
 const curve448_point_t p)
diff --git a/crypto/ec/curve448/curve448utils.h b/crypto/ec/curve448/curve448utils.h
index f112f0bd14fefc3fbb79ae2c8c39c082f5b67897..edc1761c5464c2651c74c25306272960afda3844 100644
--- a/crypto/ec/curve448/curve448utils.h
+++ b/crypto/ec/curve448/curve448utils.h
@@ -79,13 +79,6 @@ static ossl_inline decaf_error_t decaf_succeed_if(decaf_bool_t x)
 return (decaf_error_t) x;
 }

-/* Return DECAF_TRUE iff x == DECAF_SUCCESS */
-static ossl_inline decaf_bool_t decaf_successful(decaf_error_t e)
-{
- decaf_dword_t w = ((decaf_word_t) e) ^ ((decaf_word_t) DECAF_SUCCESS);
- return (w - 1) >> DECAF_WORD_BITS;
-}
-
 #ifdef __cplusplus
 } /* extern "C" */
 #endif
diff --git a/crypto/ec/curve448/ed448.h b/crypto/ec/curve448/ed448.h
index f710dc5618362724e41a1480dd7c32d3a467d955..fb46546a47277380ee6a3beebfdf1ad56ea44176 100644
--- a/crypto/ec/curve448/ed448.h
+++ b/crypto/ec/curve448/ed448.h
@@ -29,9 +29,6 @@ extern "C" {
 # define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + \
 DECAF_EDDSA_448_PRIVATE_BYTES)

-/* Does EdDSA support non-contextual signatures? */
-# define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0
-
 /* EdDSA encoding ratio. */
 # define DECAF_448_EDDSA_ENCODE_RATIO 4

@@ -196,21 +193,6 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
 curve448_point_t p,
 const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]);

-/*
- * EdDSA to ECDH public key conversion
- * Deserialize the point to get y on Edwards curve,
- * Convert it to u coordinate on Montgomery curve.
- *
- * This function does not check that the public key being converted is a valid
- * EdDSA public key (FUTURE?)
- *
- * x (out): The ECDH public key as in RFC7748(point on Montgomery curve)
- * ed (in): The EdDSA public key(point on Edwards curve)
- */
-void decaf_ed448_convert_public_key_to_x448(
- uint8_t x[DECAF_X448_PUBLIC_BYTES],
- const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]);
-
 /*
 * EdDSA to ECDH private key conversion
 * Using the appropriate hash function, hash the EdDSA private key
diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c
index a5a715d94f0d43d33309f0ed6cec9c07cfdfff96..7d9ef8e2212e5ea7ce752935e928048950b45d50 100644
--- a/crypto/ec/curve448/eddsa.c
+++ b/crypto/ec/curve448/eddsa.c
@@ -18,23 +18,7 @@
 #include
 #include "internal/numbers.h"

-#define API_NAME "decaf_448"
-
-#define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS
-#define EDDSA_USE_SIGMA_ISOGENY 0
 #define COFACTOR 4
-#define EDDSA_PREHASH_BYTES 64
-
-#if NO_CONTEXT
-const uint8_t NO_CONTEXT_POINTS_HERE = 0;
-const uint8_t *const DECAF_ED448_NO_CONTEXT = &NO_CONTEXT_POINTS_HERE;
-#endif
-
-/*
- * EDDSA_BASE_POINT_RATIO = 1 or 2 Because EdDSA25519 is not on E_d but on the
- * isogenous E_sigma_d, its base point is twice ours.
- */
-#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY) /* TODO: remove */

 static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen,
 const uint8_t *in, size_t inlen)
@@ -85,16 +69,6 @@ static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx,
 if (context_len > UINT8_MAX)
 return DECAF_FAILURE;

-#if NO_CONTEXT
- if (context_len == 0 && context == DECAF_ED448_NO_CONTEXT) {
- (void)prehashed;
- (void)for_prehash;
- (void)context;
- (void)context_len;
- return DECAF_SUCCESS;
- }
-#endif
-
 if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
 || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
 || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
diff --git a/crypto/ec/curve448/f_field.h b/crypto/ec/curve448/f_field.h
index 46897f1a60b5a6787747afdf326c9e60a1e89b89..c2a151fdd7edec45f8cdda2f1b40251c1d1e9514 100644
--- a/crypto/ec/curve448/f_field.h
+++ b/crypto/ec/curve448/f_field.h
@@ -19,38 +19,12 @@
 # include "word.h"

-# define __DECAF_448_GF_DEFINED__ 1
 # define NLIMBS (64/sizeof(word_t))
 # define X_SER_BYTES 56
 # define SER_BYTES 56
-typedef struct gf_448_s {
+typedef struct gf_s {
 word_t limb[NLIMBS];
-} __attribute__ ((aligned(32))) gf_448_s, gf_448_t[1];
-
-# define GF_LIT_LIMB_BITS 56
-# define GF_BITS 448
-# define ZERO gf_448_ZERO
-# define ONE gf_448_ONE
-# define MODULUS gf_448_MODULUS
-# define gf gf_448_t
-# define gf_s gf_448_s
-# define gf_eq gf_448_eq
-# define gf_hibit gf_448_hibit
-# define gf_lobit gf_448_lobit
-# define gf_copy gf_448_copy
-# define gf_add gf_448_add
-# define gf_sub gf_448_sub
-# define gf_add_RAW gf_448_add_RAW
-# define gf_sub_RAW gf_448_sub_RAW
-# define gf_bias gf_448_bias
-# define gf_weak_reduce gf_448_weak_reduce
-# define gf_strong_reduce gf_448_strong_reduce
-# define gf_mul gf_448_mul
-# define gf_sqr gf_448_sqr
-# define gf_mulw_unsigned gf_448_mulw_unsigned
-# define gf_isr gf_448_isr
-# define gf_serialize gf_448_serialize
-# define gf_deserialize gf_448_deserialize
+} __attribute__ ((aligned(32))) gf_s, gf[1];

 /* RFC 7748 support */
 # define X_PUBLIC_BYTES X_SER_BYTES
@@ -101,7 +75,6 @@ mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit, # endif # define LIMB_MASK(i) (((1)<