diff --git a/cbits/decaf/cryptonite_p448_arch_32.c b/cbits/decaf/cryptonite_p448_arch_32.c
deleted file mode 100644
index 31f77ba..0000000
--- a/cbits/decaf/cryptonite_p448_arch_32.c
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- The Makefile in the original project uses variable include directories
- for each field, but Cabal does not support this. The following trick
- preloads the field-dependent headers "f_field.h" and "f_impl.h" so that
- further includes of "field.h" have nothing to do later.
-*/
-#include "p448/arch_32/field.h"
-#include "p448/arch_32/f_impl.c"
-
-#include "ed448goldilocks/decaf.c"
-#include "ed448goldilocks/decaf_tables.c"
-#include "ed448goldilocks/eddsa.c"
-#include "ed448goldilocks/scalar.c"
-#include "p448/f_arithmetic.c"
-#include "p448/f_generic.c"
diff --git a/cbits/decaf/cryptonite_p448_arch_ref64.c b/cbits/decaf/cryptonite_p448_arch_ref64.c
deleted file mode 100644
index 0b40963..0000000
--- a/cbits/decaf/cryptonite_p448_arch_ref64.c
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- The Makefile in the original project uses variable include directories
- for each field, but Cabal does not support this. The following trick
- preloads the field-dependent headers "f_field.h" and "f_impl.h" so that
- further includes of "field.h" have nothing to do later.
-*/
-#include "p448/arch_ref64/field.h"
-#include "p448/arch_ref64/f_impl.c"
-
-#include "ed448goldilocks/decaf.c"
-#include "ed448goldilocks/decaf_tables.c"
-#include "ed448goldilocks/eddsa.c"
-#include "ed448goldilocks/scalar.c"
-#include "p448/f_arithmetic.c"
-#include "p448/f_generic.c"
diff --git a/cbits/decaf/p448/arch_32/field.h b/cbits/decaf/p448/arch_32/field.h
deleted file mode 100644
index 842c4ff..0000000
--- a/cbits/decaf/p448/arch_32/field.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * @file field.h
- * @brief Generic gf header.
- * @copyright
- * Copyright (c) 2014 Cryptography Research, Inc. \n
- * Released under the MIT License. See LICENSE.txt for license information.
- * @author Mike Hamburg
- */
-
-#ifndef __GF_H__
-#define __GF_H__
-
-#include "constant_time.h"
-#include "f_field.h"
-#include
-
-/** Square x, n times. */
-static CRYPTONITE_DECAF_INLINE void cryptonite_gf_sqrn (
- cryptonite_gf_s *__restrict__ y,
- const gf x,
- int n
-) {
- gf tmp;
- assert(n>0);
- if (n&1) {
- cryptonite_gf_sqr(y,x);
- n--;
- } else {
- cryptonite_gf_sqr(tmp,x);
- cryptonite_gf_sqr(y,tmp);
- n-=2;
- }
- for (; n; n-=2) {
- cryptonite_gf_sqr(tmp,y);
- cryptonite_gf_sqr(y,tmp);
- }
-}
-
-#define cryptonite_gf_add_nr cryptonite_gf_add_RAW
-
-/** Subtract mod p. Bias by 2 and don't reduce */
-static inline void cryptonite_gf_sub_nr ( gf c, const gf a, const gf b ) {
- cryptonite_gf_sub_RAW(c,a,b);
- cryptonite_gf_bias(c, 2);
- if (GF_HEADROOM < 3) cryptonite_gf_weak_reduce(c);
-}
-
-/** Subtract mod p. Bias by amt but don't reduce. */
-static inline void cryptonite_gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {
- cryptonite_gf_sub_RAW(c,a,b);
- cryptonite_gf_bias(c, amt);
- if (GF_HEADROOM < amt+1) cryptonite_gf_weak_reduce(c);
-}
-
-/** Mul by signed int. Not constant-time WRT the sign of that int. */
-static inline void cryptonite_gf_mulw(gf c, const gf a, int32_t w) {
- if (w>0) {
- cryptonite_gf_mulw_unsigned(c, a, w);
- } else {
- cryptonite_gf_mulw_unsigned(c, a, -w);
- cryptonite_gf_sub(c,ZERO,c);
- }
-}
-
-/** Constant time, x = is_z ? z : y */
-static inline void cryptonite_gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) {
- constant_time_select(x,y,z,sizeof(gf),is_z,0);
-}
-
-/** Constant time, if (neg) x=-x; */
-static inline void cryptonite_gf_cond_neg(gf x, mask_t neg) {
- gf y;
- cryptonite_gf_sub(y,ZERO,x);
- cryptonite_gf_cond_sel(x,x,y,neg);
-}
-
-/** Constant time, if (swap) (x,y) = (y,x); */
-static inline void
-cryptonite_gf_cond_swap(gf x, cryptonite_gf_s *__restrict__ y, mask_t swap) {
- constant_time_cond_swap(x,y,sizeof(cryptonite_gf_s),swap);
-}
-
-static CRYPTONITE_DECAF_INLINE void cryptonite_gf_mul_qnr(cryptonite_gf_s *__restrict__ out, const gf x) {
-#if P_MOD_8 == 5
- /* r = QNR * r0^2 */
- cryptonite_gf_mul(out,x,SQRT_MINUS_ONE);
-#elif P_MOD_8 == 3 || P_MOD_8 == 7
- cryptonite_gf_sub(out,ZERO,x);
-#else
- #error "Only supporting p=3,5,7 mod 8"
-#endif
-}
-
-static CRYPTONITE_DECAF_INLINE void cryptonite_gf_div_qnr(cryptonite_gf_s *__restrict__ out, const gf x) {
-#if P_MOD_8 == 5
- /* r = QNR * r0^2 */
- cryptonite_gf_mul(out,x,SQRT_MINUS_ONE);
- cryptonite_gf_sub(out,ZERO,out);
-#elif P_MOD_8 == 3 || P_MOD_8 == 7
- cryptonite_gf_sub(out,ZERO,x);
-#else
- #error "Only supporting p=3,5,7 mod 8"
-#endif
-}
-
-
-#endif // __GF_H__
diff --git a/cbits/decaf/p448/arch_ref64/f_field.h b/cbits/decaf/p448/arch_ref64/f_field.h
deleted file mode 100644
index c7bd217..0000000
--- a/cbits/decaf/p448/arch_ref64/f_field.h
+++ /dev/null
@@ -1,108 +0,0 @@ -/** - * @file p448/f_field.h - * @author Mike Hamburg - * - * @copyright - * Copyright (c) 2015-2016 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * - * @brief Field-specific code for 2^448 - 2^224 - 1. - * - * @warning This file was automatically generated in Python. - * Please do not edit it. - */ - -#ifndef __P448_F_FIELD_H__ -#define __P448_F_FIELD_H__ 1 - -#include "constant_time.h" -#include -#include - -#include "word.h" - -#define __CRYPTONITE_DECAF_448_GF_DEFINED__ 1 -#define NLIMBS (64/sizeof(word_t)) -#define X_SER_BYTES 56 -#define SER_BYTES 56 -typedef struct cryptonite_gf_448_s { - word_t limb[NLIMBS]; -} __attribute__((aligned(32))) cryptonite_gf_448_s, cryptonite_gf_448_t[1]; - -#define GF_LIT_LIMB_BITS 56 -#define GF_BITS 448 -#define ZERO cryptonite_gf_448_ZERO -#define ONE cryptonite_gf_448_ONE -#define MODULUS cryptonite_gf_448_MODULUS -#define gf cryptonite_gf_448_t -#define cryptonite_gf_s cryptonite_gf_448_s -#define cryptonite_gf_eq cryptonite_gf_448_eq -#define cryptonite_gf_hibit cryptonite_gf_448_hibit -#define cryptonite_gf_copy cryptonite_gf_448_copy -#define cryptonite_gf_add cryptonite_gf_448_add -#define cryptonite_gf_sub cryptonite_gf_448_sub -#define cryptonite_gf_add_RAW cryptonite_gf_448_add_RAW -#define cryptonite_gf_sub_RAW cryptonite_gf_448_sub_RAW -#define cryptonite_gf_bias cryptonite_gf_448_bias -#define cryptonite_gf_weak_reduce cryptonite_gf_448_weak_reduce -#define cryptonite_gf_strong_reduce cryptonite_gf_448_strong_reduce -#define cryptonite_gf_mul cryptonite_gf_448_mul -#define cryptonite_gf_sqr cryptonite_gf_448_sqr -#define cryptonite_gf_mulw_unsigned cryptonite_gf_448_mulw_unsigned -#define cryptonite_gf_isr cryptonite_gf_448_isr -#define cryptonite_gf_serialize cryptonite_gf_448_serialize -#define cryptonite_gf_deserialize cryptonite_gf_448_deserialize - -/* RFC 7748 support */ -#define X_PUBLIC_BYTES X_SER_BYTES -#define 
X_PRIVATE_BYTES X_PUBLIC_BYTES -#define X_PRIVATE_BITS 448 - -#define SQRT_MINUS_ONE P448_SQRT_MINUS_ONE /* might not be defined */ - -#define INLINE_UNUSED __inline__ __attribute__((unused,always_inline)) - -#ifdef __cplusplus -extern "C" { -#endif - -/* Defined below in f_impl.h */ -static INLINE_UNUSED void cryptonite_gf_copy (gf out, const gf a) { *out = *a; } -static INLINE_UNUSED void cryptonite_gf_add_RAW (gf out, const gf a, const gf b); -static INLINE_UNUSED void cryptonite_gf_sub_RAW (gf out, const gf a, const gf b); -static INLINE_UNUSED void cryptonite_gf_bias (gf inout, int amount); -static INLINE_UNUSED void cryptonite_gf_weak_reduce (gf inout); - -void cryptonite_gf_strong_reduce (gf inout); -void cryptonite_gf_add (gf out, const gf a, const gf b); -void cryptonite_gf_sub (gf out, const gf a, const gf b); -void cryptonite_gf_mul (cryptonite_gf_s *__restrict__ out, const gf a, const gf b); -void cryptonite_gf_mulw_unsigned (cryptonite_gf_s *__restrict__ out, const gf a, uint32_t b); -void cryptonite_gf_sqr (cryptonite_gf_s *__restrict__ out, const gf a); -mask_t cryptonite_gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0. Return true if successful */ -mask_t cryptonite_gf_eq (const gf x, const gf y); -mask_t cryptonite_gf_hibit (const gf x); - -void cryptonite_gf_serialize (uint8_t *serial, const gf x,int with_highbit); -mask_t cryptonite_gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_highbit); - - -#ifdef __cplusplus -} /* extern "C" */ -#endif - -#include "f_impl.h" /* Bring in the inline implementations */ - -#define P_MOD_8 7 -#if P_MOD_8 == 5 - extern const gf SQRT_MINUS_ONE; -#endif - -#ifndef LIMBPERM - #define LIMBPERM(i) (i) -#endif -#define LIMB_MASK(i) (((1ull)< - -/** Square x, n times. 
*/
-static CRYPTONITE_DECAF_INLINE void cryptonite_gf_sqrn (
- cryptonite_gf_s *__restrict__ y,
- const gf x,
- int n
-) {
- gf tmp;
- assert(n>0);
- if (n&1) {
- cryptonite_gf_sqr(y,x);
- n--;
- } else {
- cryptonite_gf_sqr(tmp,x);
- cryptonite_gf_sqr(y,tmp);
- n-=2;
- }
- for (; n; n-=2) {
- cryptonite_gf_sqr(tmp,y);
- cryptonite_gf_sqr(y,tmp);
- }
-}
-
-#define cryptonite_gf_add_nr cryptonite_gf_add_RAW
-
-/** Subtract mod p. Bias by 2 and don't reduce */
-static inline void cryptonite_gf_sub_nr ( gf c, const gf a, const gf b ) {
- cryptonite_gf_sub_RAW(c,a,b);
- cryptonite_gf_bias(c, 2);
- if (GF_HEADROOM < 3) cryptonite_gf_weak_reduce(c);
-}
-
-/** Subtract mod p. Bias by amt but don't reduce. */
-static inline void cryptonite_gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {
- cryptonite_gf_sub_RAW(c,a,b);
- cryptonite_gf_bias(c, amt);
- if (GF_HEADROOM < amt+1) cryptonite_gf_weak_reduce(c);
-}
-
-/** Mul by signed int. Not constant-time WRT the sign of that int. */
-static inline void cryptonite_gf_mulw(gf c, const gf a, int32_t w) {
- if (w>0) {
- cryptonite_gf_mulw_unsigned(c, a, w);
- } else {
- cryptonite_gf_mulw_unsigned(c, a, -w);
- cryptonite_gf_sub(c,ZERO,c);
- }
-}
-
-/** Constant time, x = is_z ? z : y */
-static inline void cryptonite_gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) {
- constant_time_select(x,y,z,sizeof(gf),is_z,0);
-}
-
-/** Constant time, if (neg) x=-x; */
-static inline void cryptonite_gf_cond_neg(gf x, mask_t neg) {
- gf y;
- cryptonite_gf_sub(y,ZERO,x);
- cryptonite_gf_cond_sel(x,x,y,neg);
-}
-
-/** Constant time, if (swap) (x,y) = (y,x); */
-static inline void
-cryptonite_gf_cond_swap(gf x, cryptonite_gf_s *__restrict__ y, mask_t swap) {
- constant_time_cond_swap(x,y,sizeof(cryptonite_gf_s),swap);
-}
-
-static CRYPTONITE_DECAF_INLINE void cryptonite_gf_mul_qnr(cryptonite_gf_s *__restrict__ out, const gf x) {
-#if P_MOD_8 == 5
- /* r = QNR * r0^2 */
- cryptonite_gf_mul(out,x,SQRT_MINUS_ONE);
-#elif P_MOD_8 == 3 || P_MOD_8 == 7
- cryptonite_gf_sub(out,ZERO,x);
-#else
- #error "Only supporting p=3,5,7 mod 8"
-#endif
-}
-
-static CRYPTONITE_DECAF_INLINE void cryptonite_gf_div_qnr(cryptonite_gf_s *__restrict__ out, const gf x) {
-#if P_MOD_8 == 5
- /* r = QNR * r0^2 */
- cryptonite_gf_mul(out,x,SQRT_MINUS_ONE);
- cryptonite_gf_sub(out,ZERO,out);
-#elif P_MOD_8 == 3 || P_MOD_8 == 7
- cryptonite_gf_sub(out,ZERO,x);
-#else
- #error "Only supporting p=3,5,7 mod 8"
-#endif
-}
-
-
-#endif // __GF_H__
diff --git a/cbits/decaf/p448/arch_32/f_field.h b/cbits/decaf/p448/f_field.h
similarity index 100%
rename from cbits/decaf/p448/arch_32/f_field.h
rename to cbits/decaf/p448/f_field.h
diff --git a/cbits/decaf/tools/generate.sh b/cbits/decaf/tools/generate.sh
index 0a3f441..2770eaf 100755
--- a/cbits/decaf/tools/generate.sh
+++ b/cbits/decaf/tools/generate.sh
@@ -69,42 +69,15 @@ for CURVE in ed448goldilocks; do done for FIELD in p448; do - if [ $FIELD = p25519 ]; then - CURVE=curve25519 - elif [ $FIELD = p448 ]; then - CURVE=ed448goldilocks - else - echo "Invalid field: $FIELD" && exit 1 - fi - mkdir -p "$DEST_DIR"/$FIELD convert "$SRC_DIR"/$FIELD/f_arithmetic.c "$DEST_DIR"/$FIELD convert "$SRC_DIR"/GENERATED/c/$FIELD/f_generic.c "$DEST_DIR"/$FIELD + convert "$SRC_DIR"/GENERATED/c/$FIELD/f_field.h "$DEST_DIR"/$FIELD for ARCH in $ARCHITECTURES; do mkdir -p "$DEST_DIR"/$FIELD/$ARCH - convert "$SRC_DIR"/include/field.h "$DEST_DIR"/$FIELD/$ARCH - convert "$SRC_DIR"/GENERATED/c/$FIELD/f_field.h "$DEST_DIR"/$FIELD/$ARCH convert "$SRC_DIR"/$FIELD/$ARCH/f_impl.h "$DEST_DIR"/$FIELD/$ARCH convert "$SRC_DIR"/$FIELD/$ARCH/f_impl.c "$DEST_DIR"/$FIELD/$ARCH - - cat > "$DEST_DIR"/cryptonite_$FIELD\_$ARCH.c <