Commit 49629216 authored by Michael Hamburg's avatar Michael Hamburg

simplify elligator (todo: test more? eg 1/(1-d) on 25519)

parent 3f1c687f
......@@ -48,6 +48,11 @@ LANGXXFLAGS = -fno-strict-aliasing
GENFLAGS = -ffunction-sections -fdata-sections -fvisibility=hidden -fomit-frame-pointer -fPIC
OFLAGS ?= -O2
MACOSX_VERSION_MIN ?= 10.9
ifeq ($(UNAME),Darwin)
GENFLAGS += -mmacosx-version-min=$(MACOSX_VERSION_MIN)
endif
TODAY = $(shell date "+%Y-%m-%d")
ifneq (,$(findstring arm,$(MACHINE)))
......@@ -184,7 +189,7 @@ $(BUILD_LIB)/libdecaf.so: $(BUILD_LIB)/libdecaf.so.1
$(BUILD_LIB)/libdecaf.so.1: $(LIBCOMPONENTS)
rm -f $@
ifeq ($(UNAME),Darwin)
libtool -macosx_version_min 10.6 -dynamic -dead_strip -lc -x -o $@ \
libtool -macosx_version_min $(MACOSX_VERSION_MIN) -dynamic -dead_strip -lc -x -o $@ \
$(LIBCOMPONENTS)
else
$(LD) $(LDFLAGS) -shared -Wl,-soname,`basename $@` -Wl,--gc-sections -o $@ $(LIBCOMPONENTS)
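Review bot: The libtool deployment target moves from the hard-coded `10.6` to the new `MACOSX_VERSION_MIN ?= 10.9` default, which raises the minimum supported macOS for the shared library, and nothing in the Makefile records that this is a deliberate knob. A one-line comment above the variable would make the override discoverable: `# Minimum macOS deployment target, used for -mmacosx-version-min and libtool; override with MACOSX_VERSION_MIN=10.x`. The `@@ -48,6 +48,11 @@` header counts five additions but this rendering shows four added lines, so one line of that hunk may be missing here.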
......@@ -1094,7 +1094,6 @@ void API_NS(point_from_hash_nonuniform) (
/* Compute D := (dr+a-d)(dr-ar-d) with a=1 */
gf_sub(a,c,dee);
gf_add(a,a,ONE);
decaf_bool_t special_identity_case = gf_eq(a,ZERO);
gf_sub(b,c,r);
gf_sub(b,b,dee);
gf_mul(D,a,b);
......@@ -1108,9 +1107,6 @@ void API_NS(point_from_hash_nonuniform) (
gf_mul(a,rN,D);
decaf_bool_t square = gf_isqrt_chk(e,a,DECAF_FALSE);
decaf_bool_t r_is_zero = gf_eq(r,ZERO);
square |= r_is_zero;
square |= special_identity_case;
/* b <- t/s */
cond_sel(c,r0,r,square); /* r? = sqr ? r : 1 */
......@@ -1136,7 +1132,7 @@ void API_NS(point_from_hash_nonuniform) (
gf_mul(c,a,b);
/* Normalize/negate */
decaf_bool_t neg_s = hibit(a)^~square;
decaf_bool_t neg_s = hibit(a) ^ ~square;
cond_neg(a,neg_s); /* ends up negative if ~square */
/* b <- t */
......@@ -1145,7 +1141,7 @@ void API_NS(point_from_hash_nonuniform) (
/* isogenize */
#if IMAGINE_TWIST
gf_mul(c,a,SQRT_MINUS_ONE);
gf_cpy(a,c); // TODO rename
gf_cpy(a,c);
#endif
gf_sqr(c,a); /* s^2 */
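Review bot: Dropping `square |= r_is_zero` and `square |= special_identity_case` in the `@@ -1108,9 +1107,6 @@` hunk (and the `special_identity_case` computation in the hunk before it) means the r == 0 input and the a == 0 case (dr+a-d == 0 per the comment at the top of the first hunk) are now handled only by whatever `gf_isqrt_chk(e,a,DECAF_FALSE)` returns for a zero argument, which is outside the hunk; neither the code nor the commit message says why that is sufficient, and the message itself flags it as needing more testing. A why-comment at the `gf_isqrt_chk` call, e.g. `/* r==0 and dr+1-d==0 need no special case: <REASON-TO-CONFIRM> */`, plus a regression test that feeds r0 = 0 and an input hitting the a == 0 branch through point_from_hash_nonuniform and checks the result decodes as a valid point, would close the gap. The enclosing function point_from_hash_nonuniform starts and ends outside these hunks.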
......@@ -63,20 +63,25 @@ public:
return typename Group::Point(ser);
}
/** @brief Verify a sig. TODO: nothrow version? FIXME: doesn't check reduction of scalar! */
/** @brief Verify a sig. TODO: nothrow version? */
inline bool verify_shake(const SHAKE<SHAKE_BITS> &ctx_, const FixedBlock<SIG_BYTES> &sig) throw(CryptoException) {
SHAKE<SHAKE_BITS> ctx(ctx_);
ctx << ser << sig.slice(0,Group::Point::SER_BYTES);
FixedArrayBuffer<CHALLENGE_BYTES> challenge;
ctx.output(challenge);
const typename Group::Point combo = point().non_secret_combo_with_base(
typename Group::Scalar(challenge),
typename Group::Scalar response;
decaf_bool_t scalar_OK = Group::Scalar::decode(
response,
sig.slice(Group::Point::SER_BYTES, Group::Scalar::SER_BYTES)
);
const typename Group::Point combo = point().non_secret_combo_with_base(
typename Group::Scalar(challenge), response
);
//if (combo != typename Group::Point(sig.slice(0,Group::Point::SER_BYTES)))
// throw CryptoException();
return combo == typename Group::Point(sig.slice(0,Group::Point::SER_BYTES));
return scalar_OK & (combo == typename Group::Point(sig.slice(0,Group::Point::SER_BYTES)));
}
/** @brief Sign from a message. */
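Review bot: `return scalar_OK & (combo == typename Group::Point(...))` combines the `decaf_bool_t` returned by `Group::Scalar::decode` with a C++ `bool` through bitwise `&`, so the verdict is only correct if a true `decaf_bool_t` has its low bit set; comparing against the library constant makes the intent explicit and independent of the mask representation: `return (scalar_OK != DECAF_FALSE) && combo == typename Group::Point(sig.slice(0,Group::Point::SER_BYTES));`. Since `combo` is still computed when the decode fails, a short comment above the decode would record the reason for the new check, e.g. `/* reject a non-reduced response scalar so signatures are not malleable; combo is computed regardless */` — the non-malleability motivation is inferred from the removed FIXME and should be confirmed. Short-circuiting is presumably acceptable here because verification works on public data (the helper is named non_secret_combo_with_base), but that too is worth stating in the comment.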
......@@ -195,7 +195,7 @@ public:
decaf_bool_t allow_identity=DECAF_FALSE,
decaf_bool_t short_circuit=DECAF_TRUE
) const throw(CryptoException) {
SecureBuffer out(/*FIXME Point::*/SER_BYTES);
SecureBuffer out(Point::SER_BYTES);
if (DECAF_SUCCESS !=
decaf_448_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit)
) {
......@@ -158,8 +158,13 @@ static void test_arithmetic() {
if (i%20) continue;
if (y!=0) arith_check(test,x,y,z,x*y/y,x,"invert");
// TODO: negative test, but this throws an exception
//arith_check(test,x,y,z,x/0,0,"invert0");
try {
y = x/0;
test.fail();
printf(" Inverted zero!");
print("x", x);
print("y", y);
} catch(CryptoException) {}
}
}
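Review bot: `catch(CryptoException) {}` catches by value, which copies the exception and would slice any derived type; catch by const reference instead: `} catch(const CryptoException&) {}`. The failure path also prints `" Inverted zero!"` without a trailing newline, so the following `print("x", x)` output lands on the same line unless `print` emits its own leading newline. test_arithmetic begins outside the hunk.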