Commit f18cf359 authored by Michael Hamburg's avatar Michael Hamburg

remove files used by goldilocks/master, leaving only decaf

parent 484e05b4
......@@ -28,7 +28,7 @@ endif
FIELD ?= p448
WARNFLAGS = -pedantic -Wall -Wextra -Werror -Wunreachable-code \
-Wmissing-declarations -Wunused-function -Wno-overlength-strings $(EXWARN)
-Wmissing-declarations -Wunused-function $(EXWARN)
INCFLAGS = -Isrc/include -Iinclude -Isrc/$(FIELD) -Isrc/$(FIELD)/$(ARCH)
......@@ -55,26 +55,17 @@ ifeq ($(CC),clang)
WARNFLAGS += -Wgcc-compat
endif
ifeq (,$(findstring 64,$(ARCH))$(findstring gcc,$(CC)))
# ARCHFLAGS += -m32
XCFLAGS += -DGOLDI_FORCE_32_BIT=1
endif
ARCHFLAGS += $(XARCHFLAGS)
CFLAGS = $(LANGFLAGS) $(WARNFLAGS) $(INCFLAGS) $(OFLAGS) $(ARCHFLAGS) $(GENFLAGS) $(XCFLAGS)
CXXFLAGS = $(LANGXXFLAGS) $(WARNFLAGS) $(INCFLAGS) $(OFLAGS) $(ARCHFLAGS) $(GENFLAGS) $(XCXXFLAGS)
LDFLAGS = $(ARCHFLAGS) $(XLDFLAGS)
ASFLAGS = $(ARCHFLAGS) $(XASFLAGS)
.PHONY: clean all test bench test_decaf bench_decaf todo doc lib bat
.PHONY: clean all test bench todo doc lib bat
.PRECIOUS: build/%.s
HEADERS= Makefile $(shell find . -name "*.h") $(shell find . -name "*.hxx") build/timestamp
LIBCOMPONENTS= build/goldilocks.o build/barrett_field.o build/crandom.o \
build/$(FIELD).o build/ec_point.o build/scalarmul.o build/sha512.o build/magic.o \
build/f_arithmetic.o build/arithmetic.o
DECAFCOMPONENTS= build/$(DECAF).o build/shake.o build/decaf_crypto.o \
build/$(FIELD).o build/f_arithmetic.o # TODO
......@@ -82,19 +73,12 @@ ifeq ($(DECAF),decaf_fast)
DECAFCOMPONENTS += build/decaf_tables.o
endif
TESTCOMPONENTS=build/test.o build/test_scalarmul.o build/test_sha512.o \
build/test_pointops.o build/test_arithmetic.o build/test_goldilocks.o build/magic.o \
build/shake.o
TESTDECAFCOMPONENTS=build/test_decaf.o
BENCHDECAFCOMPONENTS=build/bench_decaf.o
BENCHCOMPONENTS = build/bench.o build/shake.o
BATBASE=ed448goldilocks-bats-$(TODAY)
BATBASE=ed448goldilocks-decaf-bats-$(TODAY)
BATNAME=build/$(BATBASE)
all: lib decaf_lib build/test build/bench build/shakesum
all: lib build/test build/bench build/shakesum
scan: clean
scan-build --use-analyzer=`which clang` \
......@@ -102,36 +86,16 @@ scan: clean
-enable-checker osx -enable-checker security -enable-checker unix \
make build/bench build/test all
build/bench: $(LIBCOMPONENTS) $(BENCHCOMPONENTS) $(DECAFCOMPONENTS)
$(LD) $(LDFLAGS) -o $@ $^
build/test: $(LIBCOMPONENTS) $(TESTCOMPONENTS) $(DECAFCOMPONENTS)
$(LD) $(LDFLAGS) -o $@ $^ -lgmp
build/test_decaf: $(TESTDECAFCOMPONENTS) decaf_lib
$(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -Wl,-rpath=`pwd`/build -ldecaf
build/test: build/test_decaf.o lib
$(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -ldecaf
build/bench_decaf: $(BENCHDECAFCOMPONENTS) decaf_lib
$(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -Wl,-rpath=`pwd`/build -ldecaf
build/bench: build/bench_decaf.o lib
$(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -ldecaf
build/shakesum: build/shakesum.o build/shake.o
$(LD) $(LDFLAGS) -o $@ $^
lib: build/libgoldilocks.so
decaf_lib: build/libdecaf.so
build/libgoldilocks.so: $(LIBCOMPONENTS)
rm -f $@
ifeq ($(UNAME),Darwin)
libtool -macosx_version_min 10.6 -dynamic -dead_strip -lc -x -o $@ \
$(LIBCOMPONENTS)
else
$(LD) $(LDFLAGS) -shared -Wl,-soname,libgoldilocks.so.1 -Wl,--gc-sections -o $@ $(LIBCOMPONENTS)
strip --discard-all $@
ln -sf `basename $@` build/libgoldilocks.so.1
endif
lib: build/libdecaf.so
build/libdecaf.so: $(DECAFCOMPONENTS)
rm -f $@
......@@ -190,18 +154,17 @@ bat: $(BATNAME)
$(BATNAME): include/* src/* src/*/* test/batarch.map
rm -fr $@
for prim in dh sign; do \
targ="$@/crypto_$$prim/ed448goldilocks"; \
targ="$@/crypto_$$prim/ed448goldilocks-decaf"; \
(while read arch where; do \
mkdir -p $$targ/`basename $$arch`; \
cp include/*.h src/*.c src/include/*.h src/bat/$$prim.c src/p448/$$where/*.c src/p448/$$where/*.h src/p448/*.c src/p448/*.h $$targ/`basename $$arch`; \
cp src/bat/api_$$prim.h $$targ/`basename $$arch`/api.h; \
perl -p -i -e 's/.*endif.*GOLDILOCKS_CONFIG_H/#define SUPERCOP_WONT_LET_ME_OPEN_FILES 1\n\n$$&/' $$targ/`basename $$arch`/config.h; \
perl -p -i -e 's/SYSNAME/'`basename $(BATNAME)`_`basename $$arch`'/g' $$targ/`basename $$arch`/api.h; \
perl -p -i -e 's/__TODAY__/'$(TODAY)'/g' $$targ/`basename $$arch`/api.h; \
done \
) < test/batarch.map; \
echo 'Mike Hamburg' > $$targ/designers; \
echo 'Ed448-Goldilocks sign and dh' > $$targ/description; \
echo 'Ed448-Goldilocks Decaf sign and dh' > $$targ/description; \
done
(cd build && tar czf $(BATBASE).tgz $(BATBASE) )
......@@ -223,17 +186,11 @@ todo::
bench: build/bench
./$<
test: build/test test_decaf
test: build/test
build/test
test_decaf: build/test_decaf
build/test_decaf
bench_decaf: build/bench_decaf
build/bench_decaf
microbench_decaf: build/bench_decaf
build/bench_decaf --micro
microbench: build/bench
./$< --micro
clean:
rm -fr build doc $(BATNAME)
This diff is collapsed.
This diff is collapsed.
/**
* @cond internal
* @file field.c
* @copyright
* Copyright (c) 2014 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief High-level arithmetic routines, independent of field (except 3 mod 4).
*/
#include "field.h"
#include "ec_point.h"
mask_t
field_eq (
const field_a_t a,
const field_a_t b
) {
field_a_t ra, rb;
field_copy(ra, a);
field_copy(rb, b);
field_weak_reduce(ra);
field_weak_reduce(rb);
field_sub_RAW(ra, ra, rb);
field_bias(ra, 2);
return field_is_zero(ra);
}
void
field_inverse (
field_a_t a,
const field_a_t x
) {
field_a_t L0, L1;
field_isr ( L0, x );
field_sqr ( L1, L0 );
field_sqr ( L0, L1 );
field_mul ( a, x, L0 );
}
mask_t
field_is_square (
const field_a_t x
) {
field_a_t L0, L1;
field_isr ( L0, x );
field_sqr ( L1, L0 );
field_mul ( L0, x, L1 );
field_subw( L0, 1 );
return field_is_zero( L0 ) | field_is_zero( x );
}
void
field_simultaneous_invert (
field_a_t *__restrict__ out,
const field_a_t *in,
unsigned int n
) {
if (n==0) {
return;
} else if (n==1) {
field_inverse(out[0],in[0]);
return;
}
field_copy(out[1], in[0]);
int i;
for (i=1; i<(int) (n-1); i++) {
field_mul(out[i+1], out[i], in[i]);
}
field_mul(out[0], out[n-1], in[n-1]);
field_a_t tmp;
field_inverse(tmp, out[0]);
field_copy(out[0], tmp);
/* at this point, out[0] = product(in[i]) ^ -1
* out[i] = product(in[0]..in[i-1]) if i != 0
*/
for (i=n-1; i>0; i--) {
field_mul(tmp, out[i], out[0]);
field_copy(out[i], tmp);
field_mul(tmp, out[0], in[i]);
field_copy(out[0], tmp);
}
}
/* Copyright (c) 2014 Cryptography Research, Inc.
* Released under the MIT License. See LICENSE.txt for license information.
*/
#include "barrett_field.h"
#include <string.h>
#include <assert.h>
word_t
add_nr_ext_packed(
word_t *out,
const word_t *a,
uint32_t nwords_a,
const word_t *c,
uint32_t nwords_c,
word_t mask
) {
uint32_t i;
dword_t carry = 0;
for (i=0; i<nwords_c; i++) {
out[i] = carry = carry + a[i] + (c[i]&mask);
carry >>= WORD_BITS;
}
for (; i<nwords_a; i++) {
out[i] = carry = carry + a[i];
carry >>= WORD_BITS;
}
return carry;
}
static __inline__ word_t
add_nr_packed(
word_t *a,
const word_t *c,
uint32_t nwords
) {
uint32_t i;
dword_t carry = 0;
for (i=0; i<nwords; i++) {
a[i] = carry = carry + a[i] + c[i];
carry >>= WORD_BITS;
}
return carry;
}
word_t
sub_nr_ext_packed(
word_t *out,
const word_t *a,
uint32_t nwords_a,
const word_t *c,
uint32_t nwords_c,
word_t mask
) {
uint32_t i;
dsword_t carry = 0;
for (i=0; i<nwords_c; i++) {
out[i] = carry = carry + a[i] - (c[i]&mask);
carry >>= WORD_BITS;
}
for (; i<nwords_a; i++) {
out[i] = carry = carry + a[i];
carry >>= WORD_BITS;
}
return carry;
}
static word_t
widemac(
word_t *accum,
uint32_t nwords_accum,
const word_t *mier,
uint32_t nwords_mier,
word_t mand,
word_t carry
) {
uint32_t i;
assert(nwords_mier <= nwords_accum);
for (i=0; i<nwords_mier; i++) {
#ifdef __clang_analyzer__
/* always true, but this satisfies scan-build (bug in scan-build?) */
assert(i<nwords_accum);
#endif
/* UMAAL chain for the wordy part of p */
dword_t product = ((dword_t)mand) * mier[i];
product += accum[i];
product += carry;
accum[i] = product;
carry = product >> WORD_BITS;
}
for (; i<nwords_accum; i++) {
dword_t sum = ((dword_t)carry) + accum[i];
accum[i] = sum;
carry = sum >> WORD_BITS;
}
return carry;
}
void
barrett_negate (
word_t *a,
uint32_t nwords_a,
const struct barrett_prime_t *prime
) {
uint32_t i;
dsword_t carry = 0;
barrett_reduce(a,nwords_a,0,prime);
/* Have p = 2^big - p_lo. Want p - a = 2^big - p_lo - a */
for (i=0; i<prime->nwords_lo; i++) {
a[i] = carry = carry - prime->p_lo[i] - a[i];
carry >>= WORD_BITS;
}
for (; i<prime->nwords_p; i++) {
a[i] = carry = carry - a[i];
if (i<prime->nwords_p-1) {
carry >>= WORD_BITS;
}
}
a[prime->nwords_p-1] = carry = carry + (((word_t)1) << prime->p_shift);
for (; i<nwords_a; i++) {
assert(!a[i]);
}
assert(!(carry>>WORD_BITS));
}
void
barrett_reduce(
word_t *a,
uint32_t nwords_a,
word_t a_carry,
const struct barrett_prime_t *prime
) {
uint32_t repeat, nwords_left_in_a=nwords_a;
/* Is there a point to this a_carry business? */
assert(a_carry < ((word_t)1) << prime->p_shift);
assert(nwords_a >= prime->nwords_p);
assert(prime->nwords_p > 0); /* scan-build: prevent underflow */
for (; nwords_left_in_a >= prime->nwords_p; nwords_left_in_a--) {
for (repeat=0; repeat<2; repeat++) {
/* PERF: surely a more careful implementation could
* avoid this double round
*/
word_t mand = a[nwords_left_in_a-1] >> prime->p_shift;
a[nwords_left_in_a-1] &= (((word_t)1)<<prime->p_shift)-1;
if (prime->p_shift && !repeat) {
/* collect high bits when there are any */
if (nwords_left_in_a < nwords_a) {
mand |= a[nwords_left_in_a] << (WORD_BITS-prime->p_shift);
a[nwords_left_in_a] = 0;
} else {
mand |= a_carry << (WORD_BITS-prime->p_shift);
}
}
word_t carry = widemac(
a+nwords_left_in_a-prime->nwords_p,
prime->nwords_p,
prime->p_lo,
prime->nwords_lo,
mand,
0
);
assert(!carry);
(void)carry;
}
}
assert(nwords_left_in_a == prime->nwords_p-1);
/* OK, but it still isn't reduced. Add and subtract p_lo. */
word_t cout = add_nr_ext_packed(a,a,prime->nwords_p,prime->p_lo,prime->nwords_lo,-1);
if (prime->p_shift) {
cout = (cout<<(WORD_BITS-prime->p_shift)) + (a[prime->nwords_p-1]>>prime->p_shift);
a[prime->nwords_p-1] &= (((word_t)1)<<prime->p_shift)-1;
}
/* mask = carry-1: if no carry then do sub, otherwise don't */
sub_nr_ext_packed(a,a,prime->nwords_p,prime->p_lo,prime->nwords_lo,cout-1);
}
/* PERF: This function is horribly slow. Enough to break 1%. */
void
barrett_mul_or_mac(
word_t *accum,
uint32_t nwords_accum,
const word_t *a,
uint32_t nwords_a,
const word_t *b,
uint32_t nwords_b,
const struct barrett_prime_t *prime,
mask_t doMac
) {
assert(nwords_accum >= prime->nwords_p);
/* nwords_tmp = max(nwords_a + 1, nwords_p + 1, nwords_accum if doMac); */
uint32_t nwords_tmp = (nwords_a > prime->nwords_p) ? nwords_a : prime->nwords_p;
nwords_tmp++;
assert(nwords_tmp > 0); /* scan-build: prevent underflow. */
if (nwords_tmp < nwords_accum && doMac)
nwords_tmp = nwords_accum;
word_t tmp[nwords_tmp];
int bpos, idown;
uint32_t i;
for (i=0; i<nwords_tmp; i++) {
tmp[i] = 0;
}
for (bpos=nwords_b-1; bpos >= 0; bpos--) {
/* Invariant at the beginning of the loop: the high word is unused. */
assert(tmp[nwords_tmp-1] == 0);
/* shift up */
for (idown=nwords_tmp-2; idown>=0; idown--) {
tmp[idown+1] = tmp[idown];
}
tmp[0] = 0;
/* mac and reduce */
word_t carry = widemac(tmp, nwords_tmp, a, nwords_a, b[bpos], 0);
/* the mac can't carry, because nwords_tmp >= nwords_a+1 and its high word is clear */
assert(!carry);
barrett_reduce(tmp, nwords_tmp, carry, prime);
/* at this point, the number of words used is nwords_p <= nwords_tmp-1,
* so the high word is again clear */
}
if (doMac) {
word_t cout = add_nr_packed(tmp, accum, nwords_accum);
barrett_reduce(tmp, nwords_tmp, cout, prime);
}
for (i=0; i<nwords_tmp && i<nwords_accum; i++) {
accum[i] = tmp[i];
}
for (; i<nwords_tmp; i++) {
assert(tmp[i] == 0);
}
for (; i<nwords_accum; i++) {
accum[i] = 0;
}
}
mask_t
barrett_deserialize (
word_t *x,
const uint8_t *serial,
const struct barrett_prime_t *prime
) {
unsigned int i,j,nserial = prime->nwords_p * sizeof(word_t);
if (prime->p_shift) {
nserial -= (WORD_BITS - prime->p_shift) / 8;
}
/* Track x < p, p = 2^k - p_lo <==> x + p_lo < 2^k */
dword_t carry = 0;
for (i=0; i*sizeof(word_t)<nserial; i++) {
carry >>= WORD_BITS;
word_t the = 0;
for (j=0; j<sizeof(word_t) && sizeof(word_t)*i+j < nserial; j++) {
the |= ((word_t)serial[sizeof(word_t)*i+j]) << (8*j);
}
x[i] = the;
carry += the;
if (i < prime->nwords_lo) carry += prime->p_lo[i];
}
/* check for reduction */
if (prime->p_shift) {
carry >>= prime->p_shift;
} else {
carry >>= WORD_BITS;
}
/* at this point, carry > 0 indicates failure */
dsword_t scarry = carry;
scarry = -scarry;
scarry >>= WORD_BITS;
scarry >>= WORD_BITS;
return (mask_t) ~scarry;
}
void
barrett_deserialize_and_reduce (
word_t *x,
const uint8_t *serial,
uint32_t nserial,
const struct barrett_prime_t *prime
) {
unsigned int size = (nserial + sizeof(word_t) - 1)/sizeof(word_t);
if (size < prime->nwords_p) {
size = prime->nwords_p;
}
word_t tmp[size];
memset(tmp,0,sizeof(tmp));
unsigned int i,j;
for (i=0; i*sizeof(word_t)<nserial; i++) {
word_t the = 0;
for (j=0; j<sizeof(word_t) && sizeof(word_t)*i+j < nserial; j++) {
the |= ((word_t)serial[sizeof(word_t)*i+j]) << (8*j);
}
tmp[i] = the;
}
barrett_reduce(tmp,size,0,prime);
for (i=0; i<prime->nwords_p; i++) {
x[i] = tmp[i];
}
for (; i<size; i++) {
assert(!tmp[i]);
}
}
void
barrett_serialize (
uint8_t *serial,
const word_t *x,
uint32_t nserial
) {
unsigned int i,j;
for (i=0; i*sizeof(word_t)<nserial; i++) {
for (j=0; j<sizeof(word_t); j++) {
serial[sizeof(word_t)*i+j] = x[i]>>(8*j);
}
}
}
......@@ -8,11 +8,11 @@
*/
#include <string.h>
#include "goldilocks.h"
#include "decaf_crypto.h"
#define PUBLICKEY_BYTES GOLDI_PUBLIC_KEY_BYTES
#define SECRETKEY_BYTES GOLDI_PRIVATE_KEY_BYTES
#define SHAREDSECRET_BYTES GOLDI_SHARED_SECRET_BYTES
#define PUBLICKEY_BYTES (sizeof(decaf_448_public_key_t))
#define SECRETKEY_BYTES (sizeof(decaf_448_private_key_t))
#define SHAREDSECRET_BYTES 32
#define CRYPTO_PUBLICKEYBYTES PUBLICKEY_BYTES
#define CRYPTO_SECRETKEYBYTES SECRETKEY_BYTES
......
......@@ -10,9 +10,9 @@
#include <string.h>
#include "goldilocks.h"
#define PUBLICKEY_BYTES GOLDI_PUBLIC_KEY_BYTES
#define SECRETKEY_BYTES GOLDI_PRIVATE_KEY_BYTES
#define SIGNATURE_BYTES GOLDI_SIGNATURE_BYTES
#define PUBLICKEY_BYTES (sizeof(decaf_448_public_key_t))
#define SECRETKEY_BYTES (sizeof(decaf_448_private_key_t))
#define SIGNATURE_BYTES (sizeof(decaf_448_signature_t))
#define CRYPTO_PUBLICKEYBYTES PUBLICKEY_BYTES
#define CRYPTO_SECRETKEYBYTES SECRETKEY_BYTES
......
......@@ -11,20 +11,20 @@
#include <stdlib.h>
#include "api.h"
#include "crypto_dh.h"
#include "randombytes.h"
int crypto_dh_keypair (
unsigned char pk[SECRETKEY_BYTES],
unsigned char sk[PUBLICKEY_BYTES]
) {
int ret;
ret = goldilocks_init();
if (ret && ret != GOLDI_EALREADYINIT)
return ret;
if ((ret = goldilocks_keygen(
(struct goldilocks_private_key_t *)sk,
(struct goldilocks_public_key_t *)pk
))) abort();
return ret;
decaf_448_symmetric_key_t proto;
randombytes(proto,sizeof(proto));
decaf_448_derive_private_key((decaf_448_private_key_s *)sk,proto);
decaf_448_private_to_public(
(decaf_448_public_key_s *)pk,
(decaf_448_private_key_s *)sk
);
return 0;
}
int crypto_dh (
......@@ -32,9 +32,10 @@ int crypto_dh (
const unsigned char pk[PUBLICKEY_BYTES],
const unsigned char sk[SECRETKEY_BYTES]
) {
return goldilocks_shared_secret (
return !decaf_448_shared_secret (
s,
(const struct goldilocks_private_key_t *)sk,
(const struct goldilocks_public_key_t *)pk
);
SHAREDSECRET_BYTES,
(const decaf_448_private_key_s *)sk,
(const decaf_448_public_key_s *)pk
);
}
......@@ -16,15 +16,14 @@ int crypto_sign_keypair (
unsigned char pk[SECRETKEY_BYTES],
unsigned char sk[PUBLICKEY_BYTES]
) {
int ret;
ret = goldilocks_init();
if (ret && ret != GOLDI_EALREADYINIT)
return ret;
if ((ret = goldilocks_keygen(
(struct goldilocks_private_key_t *)sk,
(struct goldilocks_public_key_t *)pk
))) abort();
return ret;
decaf_448_symmetric_key_t proto;
randombytes(proto,sizeof(proto));
decaf_448_derive_private_key((decaf_448_private_key_s *)sk,proto);
decaf_448_private_to_public(
(decaf_448_public_key_s *)pk,
(decaf_448_private_key_s *)sk
);
return 0;
}
int crypto_sign (
......@@ -35,16 +34,15 @@ int crypto_sign (
const unsigned char sk[SECRETKEY_BYTES]
) {
unsigned char sig[SIGNATURE_BYTES];
int ret = goldilocks_sign(
sig, m, mlen,
(const struct goldilocks_private_key_t *)sk
decaf_448_sign(
sig,
(const struct goldilocks_private_key_t *)sk,
m, mlen
);
if (!ret) {
memmove(sm + SIGNATURE_BYTES, m, mlen);
memcpy(sm, sig, SIGNATURE_BYTES);
*smlen = mlen + SIGNATURE_BYTES;
}
return ret ? -1 : 0;
memmove(sm + SIGNATURE_BYTES, m, mlen);
memcpy(sm, sig, SIGNATURE_BYTES);
*smlen = mlen + SIGNATURE_BYTES;
return 0;
}
int crypto_sign_open (
......@@ -54,13 +52,14 @@ int crypto_sign_open (
unsigned long long smlen,
const unsigned char pk[PUBLICKEY_BYTES]
) {
int ret = goldilocks_verify(
sm, sm + SIGNATURE_BYTES, smlen - SIGNATURE_BYTES,
(const struct goldilocks_public_key_t *)pk
int ret = decaf_448_verify(
sm,
(const struct goldilocks_public_key_t *)pk,
sm + SIGNATURE_BYTES, smlen - SIGNATURE_BYTES
);
if (!ret) {
if (ret) {
*mlen = smlen - SIGNATURE_BYTES;
memmove(m, sm + SIGNATURE_BYTES, *mlen);
}
return ret ? -1 : 0;
return ret ? 0 : -1;
}
This diff is collapsed.
......@@ -10,7 +10,6 @@
#include "decaf_crypto.h"
#include <string.h>
#include "sha512.h"