From aeeef83cb536216a414287dee1f424265283da88 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 5 Dec 2017 16:37:57 +0000 Subject: Remove references to libdecaf Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/5105) --- crypto/ec/curve448/arch_32/f_impl.c | 2 +- crypto/ec/curve448/curve448.c | 74 +++++++------- crypto/ec/curve448/curve448utils.h | 56 +++++------ crypto/ec/curve448/ed448.h | 81 ++++++++-------- crypto/ec/curve448/eddsa.c | 187 +++++++++++++++++------------------- crypto/ec/curve448/point_448.h | 74 +++++++------- crypto/ec/curve448/scalar.c | 82 ++++++++-------- crypto/ec/curve448/word.h | 26 ++--- 8 files changed, 287 insertions(+), 295 deletions(-) (limited to 'crypto') diff --git a/crypto/ec/curve448/arch_32/f_impl.c b/crypto/ec/curve448/arch_32/f_impl.c index 3d8a331e3e..8189e1e53e 100644 --- a/crypto/ec/curve448/arch_32/f_impl.c +++ b/crypto/ec/curve448/arch_32/f_impl.c @@ -13,7 +13,7 @@ #include "f_field.h" #if (defined(__OPTIMIZE__) && !defined(__OPTIMIZE_SIZE__) && !I_HATE_UNROLLED_LOOPS) \ - || defined(DECAF_FORCE_UNROLL) + || defined(C448_FORCE_UNROLL) # define REPEAT8(_x) _x _x _x _x _x _x _x _x # define FOR_LIMB(_i,_start,_end,_x) do { _i=_start; REPEAT8( if (_i<_end) { _x; } _i++;) } while (0) #else diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c index e2c5770803..f28bce1e4a 100644 --- a/crypto/ec/curve448/curve448.c +++ b/crypto/ec/curve448/curve448.c @@ -23,8 +23,8 @@ #define COMBS_N 5 #define COMBS_T 5 #define COMBS_S 18 -#define DECAF_WNAF_FIXED_TABLE_BITS 5 -#define DECAF_WNAF_VAR_TABLE_BITS 3 +#define C448_WNAF_FIXED_TABLE_BITS 5 +#define C448_WNAF_VAR_TABLE_BITS 3 static const int EDWARDS_D = -39081; static const curve448_scalar_t precomputed_scalarmul_adjustment = { @@ -38,7 +38,7 @@ static const curve448_scalar_t precomputed_scalarmul_adjustment = { #define TWISTED_D ((EDWARDS_D)-1) -#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */ +#define WBITS C448_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */ /* Projective Niels coordinates */ typedef struct { @@ -203,8 +203,8 @@ static void sub_pniels_from_pt(curve448_point_t p, const pniels_t pn, sub_niels_from_pt(p, pn->n, before_double); } -decaf_bool_t curve448_point_eq(const curve448_point_t p, - const curve448_point_t q) +c448_bool_t curve448_point_eq(const curve448_point_t p, + const curve448_point_t q) { mask_t succ; @@ -217,7 +217,7 @@ decaf_bool_t curve448_point_eq(const curve448_point_t p, return mask_to_bool(succ); } -decaf_bool_t curve448_point_valid(const curve448_point_t p) +c448_bool_t curve448_point_valid(const curve448_point_t p) { mask_t out; @@ -267,7 +267,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out, for (k = 0; k < t; k++) { unsigned int bit = i + s * (k + j * t); - if (bit < DECAF_448_SCALAR_BITS) { + if (bit < C448_448_SCALAR_BITS) { tab |= (scalar1x->limb[bit / WBITS] >> (bit % WBITS) & 1) << k; } @@ -294,7 +294,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out, } void curve448_point_mul_by_ratio_and_encode_like_eddsa( - uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES], + uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES], const curve448_point_t p) { @@ -329,9 +329,9 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( gf_mul(x, y, z); /* Encode */ - enc[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0; + enc[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0; gf_serialize(enc, x, 1); - enc[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t); + enc[C448_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t); OPENSSL_cleanse(x, sizeof(x)); OPENSSL_cleanse(y, sizeof(y)); @@ -340,22 +340,22 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( curve448_point_destroy(q); } -decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( +c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( curve448_point_t p, - const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]) + const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]) { - uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES]; + uint8_t enc2[C448_EDDSA_448_PUBLIC_BYTES]; mask_t low; mask_t succ; memcpy(enc2, enc, sizeof(enc2)); - low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1] & 0x80); - enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80; + low = ~word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] & 0x80); + enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80; succ = gf_deserialize(p->y, enc2, 1, 0); #if 0 == 0 - succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1]); + succ &= word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1]); #endif gf_sqr(p->x, p->y); @@ -396,12 +396,12 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( OPENSSL_cleanse(enc2, sizeof(enc2)); assert(curve448_point_valid(p) || ~succ); - return decaf_succeed_if(mask_to_bool(succ)); + return c448_succeed_if(mask_to_bool(succ)); } -decaf_error_t decaf_x448(uint8_t out[X_PUBLIC_BYTES], - const uint8_t base[X_PUBLIC_BYTES], - const uint8_t scalar[X_PRIVATE_BYTES]) +c448_error_t c448_x448(uint8_t out[X_PUBLIC_BYTES], + const uint8_t base[X_PUBLIC_BYTES], + const uint8_t scalar[X_PRIVATE_BYTES]) { gf x1, x2, z2, x3, z3, t1, t2; int t; @@ -470,7 +470,7 @@ decaf_error_t decaf_x448(uint8_t out[X_PUBLIC_BYTES], OPENSSL_cleanse(t1, sizeof(t1)); OPENSSL_cleanse(t2, sizeof(t2)); - return decaf_succeed_if(mask_to_bool(nz)); + return c448_succeed_if(mask_to_bool(nz)); } void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t @@ -486,8 +486,8 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t curve448_point_destroy(q); } -void decaf_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], - const uint8_t scalar[X_PRIVATE_BYTES]) +void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], + const uint8_t scalar[X_PRIVATE_BYTES]) { /* Scalar conditioning */ uint8_t scalar2[X_PRIVATE_BYTES]; @@ -504,7 +504,7 @@ void decaf_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2)); /* Compensate for the encoding ratio */ - for (i = 1; i < DECAF_X448_ENCODE_RATIO; i <<= 1) { + for (i = 1; i < C448_X448_ENCODE_RATIO; i <<= 1) { curve448_scalar_halve(the_scalar, the_scalar); } curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar); @@ -522,7 +522,7 @@ static int recode_wnaf(struct smvt_control *control, const curve448_scalar_t scalar, unsigned int table_bits) { - unsigned int table_size = DECAF_448_SCALAR_BITS / (table_bits + 1) + 3; + unsigned int table_size = C448_448_SCALAR_BITS / (table_bits + 1) + 3; int position = table_size - 1; /* at the end */ uint64_t current = scalar->limb[0] & 0xFFFF; uint32_t mask = (1 << (table_bits + 1)) - 1; @@ -541,8 +541,8 @@ static int recode_wnaf(struct smvt_control *control, * 1/5 op. Probably not worth it. */ - for (w = 1; w < (DECAF_448_SCALAR_BITS - 1) / 16 + 3; w++) { - if (w < (DECAF_448_SCALAR_BITS - 1) / 16 + 1) { + for (w = 1; w < (C448_448_SCALAR_BITS - 1) / 16 + 3; w++) { + if (w < (C448_448_SCALAR_BITS - 1) / 16 + 1) { /* Refill the 16 high bits of current */ current += (uint32_t)((scalar->limb[w / B_OVER_16] >> (16 * (w % B_OVER_16))) << 16); @@ -610,15 +610,15 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, const curve448_point_t base2, const curve448_scalar_t scalar2) { - const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS, - table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS; - struct smvt_control control_var[DECAF_448_SCALAR_BITS / - (DECAF_WNAF_VAR_TABLE_BITS + 1) + 3]; - struct smvt_control control_pre[DECAF_448_SCALAR_BITS / - (DECAF_WNAF_FIXED_TABLE_BITS + 1) + 3]; + const int table_bits_var = C448_WNAF_VAR_TABLE_BITS, + table_bits_pre = C448_WNAF_FIXED_TABLE_BITS; + struct smvt_control control_var[C448_448_SCALAR_BITS / + (C448_WNAF_VAR_TABLE_BITS + 1) + 3]; + struct smvt_control control_pre[C448_448_SCALAR_BITS / + (C448_WNAF_FIXED_TABLE_BITS + 1) + 3]; int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre); int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var); - pniels_t precmp_var[1 << DECAF_WNAF_VAR_TABLE_BITS]; + pniels_t precmp_var[1 << C448_WNAF_VAR_TABLE_BITS]; int contp = 0, contv = 0, i; prepare_wnaf_table(precmp_var, base2, table_bits_var); @@ -697,12 +697,12 @@ void curve448_point_destroy(curve448_point_t point) int X448(uint8_t out_shared_key[56], const uint8_t private_key[56], const uint8_t peer_public_value[56]) { - return decaf_x448(out_shared_key, peer_public_value, private_key) - == DECAF_SUCCESS; + return c448_x448(out_shared_key, peer_public_value, private_key) + == C448_SUCCESS; } void X448_public_from_private(uint8_t out_public_value[56], const uint8_t private_key[56]) { - decaf_x448_derive_public_key(out_public_value, private_key); + c448_x448_derive_public_key(out_public_value, private_key); } diff --git a/crypto/ec/curve448/curve448utils.h b/crypto/ec/curve448/curve448utils.h index edc1761c54..10902e7bed 100644 --- a/crypto/ec/curve448/curve448utils.h +++ b/crypto/ec/curve448/curve448utils.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef __DECAF_COMMON_H__ -# define __DECAF_COMMON_H__ 1 +#ifndef __C448_COMMON_H__ +# define __C448_COMMON_H__ 1 # include @@ -26,61 +26,61 @@ extern "C" { * header was built with eg arch_neon, you might end up linking a library built * with arch_arm32. */ -# ifndef DECAF_WORD_BITS +# ifndef C448_WORD_BITS # if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) \ || (((__UINT_FAST32_MAX__)>>30)>>30)) -# define DECAF_WORD_BITS 64 /* The number of bits in a word */ +# define C448_WORD_BITS 64 /* The number of bits in a word */ # else -# define DECAF_WORD_BITS 32 /* The number of bits in a word */ +# define C448_WORD_BITS 32 /* The number of bits in a word */ # endif # endif -# if DECAF_WORD_BITS == 64 +# if C448_WORD_BITS == 64 /* Word size for internal computations */ -typedef uint64_t decaf_word_t; +typedef uint64_t c448_word_t; /* Signed word size for internal computations */ -typedef int64_t decaf_sword_t; +typedef int64_t c448_sword_t; /* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */ -typedef uint64_t decaf_bool_t; +typedef uint64_t c448_bool_t; /* Double-word size for internal computations */ -typedef __uint128_t decaf_dword_t; +typedef __uint128_t c448_dword_t; /* Signed double-word size for internal computations */ -typedef __int128_t decaf_dsword_t; -# elif DECAF_WORD_BITS == 32 +typedef __int128_t c448_dsword_t; +# elif C448_WORD_BITS == 32 /* Word size for internal computations */ -typedef uint32_t decaf_word_t; +typedef uint32_t c448_word_t; /* Signed word size for internal computations */ -typedef int32_t decaf_sword_t; +typedef int32_t c448_sword_t; /* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */ -typedef uint32_t decaf_bool_t; +typedef uint32_t c448_bool_t; /* Double-word size for internal computations */ -typedef uint64_t decaf_dword_t; +typedef uint64_t c448_dword_t; /* Signed double-word size for internal computations */ -typedef int64_t decaf_dsword_t; +typedef int64_t c448_dsword_t; # else -# error "Only supporting DECAF_WORD_BITS = 32 or 64 for now" +# error "Only supporting C448_WORD_BITS = 32 or 64 for now" # endif -/* DECAF_TRUE = -1 so that DECAF_TRUE & x = x */ -static const decaf_bool_t DECAF_TRUE = -(decaf_bool_t) 1; +/* C448_TRUE = -1 so that C448_TRUE & x = x */ +static const c448_bool_t C448_TRUE = -(c448_bool_t) 1; -/* DECAF_FALSE = 0 so that DECAF_FALSE & x = 0 */ -static const decaf_bool_t DECAF_FALSE = 0; +/* C448_FALSE = 0 so that C448_FALSE & x = 0 */ +static const c448_bool_t C448_FALSE = 0; /* Another boolean type used to indicate success or failure. */ typedef enum { - DECAF_SUCCESS = -1, /**< The operation succeeded. */ - DECAF_FAILURE = 0 /**< The operation failed. */ -} decaf_error_t; + C448_SUCCESS = -1, /**< The operation succeeded. */ + C448_FAILURE = 0 /**< The operation failed. */ +} c448_error_t; /* Return success if x is true */ -static ossl_inline decaf_error_t decaf_succeed_if(decaf_bool_t x) +static ossl_inline c448_error_t c448_succeed_if(c448_bool_t x) { - return (decaf_error_t) x; + return (c448_error_t) x; } #ifdef __cplusplus } /* extern "C" */ #endif -#endif /* __DECAF_COMMON_H__ */ +#endif /* __C448_COMMON_H__ */ diff --git a/crypto/ec/curve448/ed448.h b/crypto/ec/curve448/ed448.h index fb46546a47..abad0dbf71 100644 --- a/crypto/ec/curve448/ed448.h +++ b/crypto/ec/curve448/ed448.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef __DECAF_ED448_H__ -# define __DECAF_ED448_H__ 1 +#ifndef __C448_ED448_H__ +# define __C448_ED448_H__ 1 # include "point_448.h" @@ -20,20 +20,20 @@ extern "C" { #endif /* Number of bytes in an EdDSA public key. */ -# define DECAF_EDDSA_448_PUBLIC_BYTES 57 +# define C448_EDDSA_448_PUBLIC_BYTES 57 /* Number of bytes in an EdDSA private key. */ -# define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES +# define C448_EDDSA_448_PRIVATE_BYTES C448_EDDSA_448_PUBLIC_BYTES /* Number of bytes in an EdDSA private key. */ -# define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + \ - DECAF_EDDSA_448_PRIVATE_BYTES) +# define C448_EDDSA_448_SIGNATURE_BYTES (C448_EDDSA_448_PUBLIC_BYTES + \ + C448_EDDSA_448_PRIVATE_BYTES) /* EdDSA encoding ratio. */ -# define DECAF_448_EDDSA_ENCODE_RATIO 4 +# define C448_448_EDDSA_ENCODE_RATIO 4 /* EdDSA decoding ratio. */ -# define DECAF_448_EDDSA_DECODE_RATIO (4 / 4) +# define C448_448_EDDSA_DECODE_RATIO (4 / 4) /* * EdDSA key generation. This function uses a different (non-Decaf) encoding. @@ -41,9 +41,9 @@ extern "C" { * pubkey (out): The public key. * privkey (in): The private key. */ -decaf_error_t decaf_ed448_derive_public_key( - uint8_t pubkey [DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey [DECAF_EDDSA_448_PRIVATE_BYTES]); +c448_error_t c448_ed448_derive_public_key( + uint8_t pubkey [C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey [C448_EDDSA_448_PRIVATE_BYTES]); /* * EdDSA signing. @@ -63,10 +63,10 @@ decaf_error_t decaf_ed448_derive_public_key( * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_sign( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_sign( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, size_t context_len) @@ -89,10 +89,10 @@ decaf_error_t decaf_ed448_sign( * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_sign_prehash( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_sign_prehash( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, size_t context_len) @@ -117,10 +117,10 @@ decaf_error_t decaf_ed448_sign_prehash( * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_verify(const uint8_t - signature[DECAF_EDDSA_448_SIGNATURE_BYTES], +c448_error_t c448_ed448_verify(const uint8_t + signature[C448_EDDSA_448_SIGNATURE_BYTES], const uint8_t - pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, uint8_t context_len) @@ -144,9 +144,9 @@ decaf_error_t decaf_ed448_verify(const uint8_t * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_verify_prehash( - const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_verify_prehash( + const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, uint8_t context_len) @@ -154,7 +154,7 @@ decaf_error_t decaf_ed448_verify_prehash( /* * EdDSA point encoding. Used internally, exposed externally. - * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first. + * Multiplies by C448_448_EDDSA_ENCODE_RATIO first. * * The multiplication is required because the EdDSA encoding represents * the cofactor information, but the Decaf encoding ignores it (which @@ -162,26 +162,25 @@ decaf_error_t decaf_ed448_verify_prehash( * EdDSA, the cofactor info must get cleared, because the intermediate * representation doesn't track it. * - * The way libdecaf handles this is to multiply by - * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by - * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these - * ratios is always exactly the cofactor 4, so the cofactor - * ends up cleared one way or another. But exactly how that shakes - * out depends on the base points specified in RFC 8032. + * The way we handle this is to multiply by C448_448_EDDSA_DECODE_RATIO when + * decoding, and by C448_448_EDDSA_ENCODE_RATIO when encoding. The product of + * these ratios is always exactly the cofactor 4, so the cofactor ends up + * cleared one way or another. But exactly how that shakes out depends on the + * base points specified in RFC 8032. * * The upshot is that if you pass the Decaf/Ristretto base point to - * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the + * this function, you will get C448_448_EDDSA_ENCODE_RATIO times the * EdDSA base point. * * enc (out): The encoded point. * p (in): The point. */ void curve448_point_mul_by_ratio_and_encode_like_eddsa( - uint8_t enc [DECAF_EDDSA_448_PUBLIC_BYTES], + uint8_t enc [C448_EDDSA_448_PUBLIC_BYTES], const curve448_point_t p); /* - * EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO, and + * EdDSA point decoding. Multiplies by C448_448_EDDSA_DECODE_RATIO, and * ignores cofactor information. * * See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa @@ -189,9 +188,9 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( * enc (out): The encoded point. * p (in): The point. */ -decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( +c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( curve448_point_t p, - const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]); + const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]); /* * EdDSA to ECDH private key conversion @@ -201,12 +200,12 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( * x (out): The ECDH private key as in RFC7748 * ed (in): The EdDSA private key */ -decaf_error_t decaf_ed448_convert_private_key_to_x448( - uint8_t x[DECAF_X448_PRIVATE_BYTES], - const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]); +c448_error_t c448_ed448_convert_private_key_to_x448( + uint8_t x[C448_X448_PRIVATE_BYTES], + const uint8_t ed[C448_EDDSA_448_PRIVATE_BYTES]); #ifdef __cplusplus } /* extern "C" */ #endif -#endif /* __DECAF_ED448_H__ */ +#endif /* __C448_ED448_H__ */ diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index 7d9ef8e221..d76c15dff1 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -20,45 +20,44 @@ #define COFACTOR 4 -static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen, - const uint8_t *in, size_t inlen) +static c448_error_t oneshot_hash(uint8_t *out, size_t outlen, + const uint8_t *in, size_t inlen) { EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); if (hashctx == NULL) - return DECAF_FAILURE; + return C448_FAILURE; if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) || !EVP_DigestUpdate(hashctx, in, inlen) || !EVP_DigestFinalXOF(hashctx, out, outlen)) { EVP_MD_CTX_free(hashctx); - return DECAF_FAILURE; + return C448_FAILURE; } EVP_MD_CTX_free(hashctx); - return DECAF_SUCCESS; + return C448_SUCCESS; } -static void clamp(uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]) +static void clamp(uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]) { uint8_t hibit = (1 << 0) >> 1; /* Blarg */ secret_scalar_ser[0] &= -COFACTOR; if (hibit == 0) { - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0; - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; } else { - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] |= hibit; } } -static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, - uint8_t prehashed, - uint8_t for_prehash, - const uint8_t *context, - size_t context_len) +static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed, + uint8_t for_prehash, + const uint8_t *context, + size_t context_len) { const char *dom_s = "SigEd448"; uint8_t dom[2]; @@ -67,42 +66,41 @@ static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, dom[1] = (uint8_t)context_len; if (context_len > UINT8_MAX) - return DECAF_FAILURE; + return C448_FAILURE; if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s)) || !EVP_DigestUpdate(hashctx, dom, sizeof(dom)) || !EVP_DigestUpdate(hashctx, context, context_len)) - return DECAF_FAILURE; + return C448_FAILURE; - return DECAF_SUCCESS; + return C448_SUCCESS; } /* In this file because it uses the hash */ -decaf_error_t decaf_ed448_convert_private_key_to_x448( - uint8_t x[DECAF_X448_PRIVATE_BYTES], - const uint8_t ed [DECAF_EDDSA_448_PRIVATE_BYTES]) +c448_error_t c448_ed448_convert_private_key_to_x448( + uint8_t x[C448_X448_PRIVATE_BYTES], + const uint8_t ed [C448_EDDSA_448_PRIVATE_BYTES]) { /* pass the private key through oneshot_hash function */ - /* and keep the first DECAF_X448_PRIVATE_BYTES bytes */ - return oneshot_hash(x, - DECAF_X448_PRIVATE_BYTES, - ed, DECAF_EDDSA_448_PRIVATE_BYTES); + /* and keep the first C448_X448_PRIVATE_BYTES bytes */ + return oneshot_hash(x, C448_X448_PRIVATE_BYTES, ed, + C448_EDDSA_448_PRIVATE_BYTES); } -decaf_error_t decaf_ed448_derive_public_key( - uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]) +c448_error_t c448_ed448_derive_public_key( + uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES]) { /* only this much used for keygen */ - uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]; curve448_scalar_t secret_scalar; unsigned int c; curve448_point_t p; if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey, - DECAF_EDDSA_448_PRIVATE_BYTES)) - return DECAF_FAILURE; + C448_EDDSA_448_PRIVATE_BYTES)) + return C448_FAILURE; clamp(secret_scalar_ser); @@ -117,7 +115,7 @@ decaf_error_t decaf_ed448_derive_public_key( * converted it effectively picks up a factor of 2 from the isogenies. So * we might start at 2 instead of 1. */ - for (c = 1; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) + for (c = 1; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) curve448_scalar_halve(secret_scalar, secret_scalar); curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar); @@ -129,37 +127,37 @@ decaf_error_t decaf_ed448_derive_public_key( curve448_point_destroy(p); OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser)); - return DECAF_SUCCESS; + return C448_SUCCESS; } -decaf_error_t decaf_ed448_sign( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_sign( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, size_t context_len) { curve448_scalar_t secret_scalar; EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); - decaf_error_t ret = DECAF_FAILURE; + c448_error_t ret = C448_FAILURE; curve448_scalar_t nonce_scalar; - uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = { 0 }; + uint8_t nonce_point[C448_EDDSA_448_PUBLIC_BYTES] = { 0 }; unsigned int c; curve448_scalar_t challenge_scalar; if (hashctx == NULL) - return DECAF_FAILURE; + return C448_FAILURE; { /* Schedule the secret key */ struct { - uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]; - uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]; + uint8_t seed[C448_EDDSA_448_PRIVATE_BYTES]; } __attribute__ ((packed)) expanded; if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey, - DECAF_EDDSA_448_PRIVATE_BYTES)) + C448_EDDSA_448_PRIVATE_BYTES)) goto err; clamp(expanded.secret_scalar_ser); curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser, @@ -177,7 +175,7 @@ decaf_error_t decaf_ed448_sign( /* Decode the nonce */ { - uint8_t nonce[2 * DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t nonce[2 * C448_EDDSA_448_PRIVATE_BYTES]; if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce))) goto err; @@ -191,7 +189,7 @@ decaf_error_t decaf_ed448_sign( curve448_point_t p; curve448_scalar_halve(nonce_scalar_2, nonce_scalar); - for (c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) { + for (c = 2; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) { curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2); } @@ -203,12 +201,12 @@ decaf_error_t decaf_ed448_sign( } { - uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES]; /* Compute the challenge */ if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point)) - || !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES) + || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES) || !EVP_DigestUpdate(hashctx, message, message_len) || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) goto err; @@ -221,73 +219,68 @@ decaf_error_t decaf_ed448_sign( curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar); curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar); - OPENSSL_cleanse(signature, DECAF_EDDSA_448_SIGNATURE_BYTES); + OPENSSL_cleanse(signature, C448_EDDSA_448_SIGNATURE_BYTES); memcpy(signature, nonce_point, sizeof(nonce_point)); - curve448_scalar_encode(&signature[DECAF_EDDSA_448_PUBLIC_BYTES], + curve448_scalar_encode(&signature[C448_EDDSA_448_PUBLIC_BYTES], challenge_scalar); curve448_scalar_destroy(secret_scalar); curve448_scalar_destroy(nonce_scalar); curve448_scalar_destroy(challenge_scalar); - ret = DECAF_SUCCESS; + ret = C448_SUCCESS; err: EVP_MD_CTX_free(hashctx); return ret; } -decaf_error_t decaf_ed448_sign_prehash(uint8_t - signature - [DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t - privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t - pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t hash[64], - const uint8_t *context, - size_t context_len) +c448_error_t c448_ed448_sign_prehash( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t hash[64], const uint8_t *context, + size_t context_len) { - return decaf_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context, - context_len); + return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context, + context_len); } -decaf_error_t decaf_ed448_verify(const uint8_t - signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t - pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, size_t message_len, - uint8_t prehashed, const uint8_t *context, - uint8_t context_len) +c448_error_t c448_ed448_verify( + const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, size_t message_len, + uint8_t prehashed, const uint8_t *context, + uint8_t context_len) { curve448_point_t pk_point, r_point; - decaf_error_t error = + c448_error_t error = curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey); curve448_scalar_t challenge_scalar; curve448_scalar_t response_scalar; unsigned int c; - if (DECAF_SUCCESS != error) + if (C448_SUCCESS != error) return error; error = curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature); - if (DECAF_SUCCESS != error) + if (C448_SUCCESS != error) return error; { /* Compute the challenge */ EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); - uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES]; if (hashctx == NULL || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len) || !EVP_DigestUpdate(hashctx, signature, - DECAF_EDDSA_448_PUBLIC_BYTES) - || !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES) + C448_EDDSA_448_PUBLIC_BYTES) + || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES) || !EVP_DigestUpdate(hashctx, message, message_len) || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) { EVP_MD_CTX_free(hashctx); - return DECAF_FAILURE; + return C448_FAILURE; } EVP_MD_CTX_free(hashctx); @@ -299,29 +292,29 @@ decaf_error_t decaf_ed448_verify(const uint8_t challenge_scalar); curve448_scalar_decode_long(response_scalar, - &signature[DECAF_EDDSA_448_PUBLIC_BYTES], - DECAF_EDDSA_448_PRIVATE_BYTES); + &signature[C448_EDDSA_448_PUBLIC_BYTES], + C448_EDDSA_448_PRIVATE_BYTES); - for (c = 1; c < DECAF_448_EDDSA_DECODE_RATIO; c <<= 1) + for (c = 1; c < C448_448_EDDSA_DECODE_RATIO; c <<= 1) curve448_scalar_add(response_scalar, response_scalar, response_scalar); /* pk_point = -c(x(P)) + (cx + k)G = kG */ curve448_base_double_scalarmul_non_secret(pk_point, response_scalar, pk_point, challenge_scalar); - return decaf_succeed_if(curve448_point_eq(pk_point, r_point)); + return c448_succeed_if(curve448_point_eq(pk_point, r_point)); } -decaf_error_t decaf_ed448_verify_prehash( - const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_verify_prehash( + const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, uint8_t context_len) { - decaf_error_t ret; + c448_error_t ret; - ret = decaf_ed448_verify(signature, pubkey, hash, 64, 1, context, - context_len); + ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context, + context_len); return ret; } @@ -331,25 +324,25 @@ int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, const uint8_t *context, size_t context_len) { - return decaf_ed448_sign(out_sig, private_key, public_key, message, - message_len, 0, context, context_len) - == DECAF_SUCCESS; + return c448_ed448_sign(out_sig, private_key, public_key, message, + message_len, 0, context, context_len) + == C448_SUCCESS; } int ED448_verify(const uint8_t *message, size_t message_len, const uint8_t signature[114], const uint8_t public_key[57], const uint8_t *context, size_t context_len) { - return decaf_ed448_verify(signature, public_key, message, message_len, 0, - context, context_len) == DECAF_SUCCESS; + return c448_ed448_verify(signature, public_key, message, message_len, 0, + context, context_len) == C448_SUCCESS; } int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64], const uint8_t public_key[57], const uint8_t private_key[57], const uint8_t *context, size_t context_len) { - return decaf_ed448_sign_prehash(out_sig, private_key, public_key, hash, - context, context_len) == DECAF_SUCCESS; + return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash, + context, context_len) == C448_SUCCESS; } @@ -357,13 +350,13 @@ int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114], const uint8_t public_key[57], const uint8_t *context, size_t context_len) { - return decaf_ed448_verify_prehash(signature, public_key, hash, context, - context_len) == DECAF_SUCCESS; + return c448_ed448_verify_prehash(signature, public_key, hash, context, + context_len) == C448_SUCCESS; } int ED448_public_from_private(uint8_t out_public_key[57], const uint8_t private_key[57]) { - return decaf_ed448_derive_public_key(out_public_key, private_key) - == DECAF_SUCCESS; + return c448_ed448_derive_public_key(out_public_key, private_key) + == C448_SUCCESS; } diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h index a788259749..72a5e80f6f 100644 --- a/crypto/ec/curve448/point_448.h +++ b/crypto/ec/curve448/point_448.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef __DECAF_POINT_448_H__ -# define __DECAF_POINT_448_H__ 1 +#ifndef __C448_POINT_448_H__ +# define __C448_POINT_448_H__ 1 # include "curve448utils.h" # include "field.h" @@ -20,22 +20,22 @@ extern "C" { #endif -# define DECAF_448_SCALAR_LIMBS ((446-1)/DECAF_WORD_BITS+1) +# define C448_448_SCALAR_LIMBS ((446-1)/C448_WORD_BITS+1) /* The number of bits in a scalar */ -# define DECAF_448_SCALAR_BITS 446 +# define C448_448_SCALAR_BITS 446 /* Number of bytes in a serialized scalar. */ -# define DECAF_448_SCALAR_BYTES 56 +# define C448_448_SCALAR_BYTES 56 /* X448 encoding ratio. */ -# define DECAF_X448_ENCODE_RATIO 2 +# define C448_X448_ENCODE_RATIO 2 /* Number of bytes in an x448 public key */ -# define DECAF_X448_PUBLIC_BYTES 56 +# define C448_X448_PUBLIC_BYTES 56 /* Number of bytes in an x448 private key */ -# define DECAF_X448_PRIVATE_BYTES 56 +# define C448_X448_PRIVATE_BYTES 56 /* Twisted Edwards extended homogeneous coordinates */ typedef struct curve448_point_s { @@ -50,7 +50,7 @@ typedef struct curve448_precomputed_s curve448_precomputed_s; /* Scalar is stored packed, because we don't need the speed. */ typedef struct curve448_scalar_s { - decaf_word_t limb[DECAF_448_SCALAR_LIMBS]; + c448_word_t limb[C448_448_SCALAR_LIMBS]; } curve448_scalar_t[1]; /* A scalar equal to 1. */ @@ -72,13 +72,13 @@ extern const struct curve448_precomputed_s *curve448_precomputed_base; * out (out): Deserialized form. * * Returns: - * DECAF_SUCCESS: The scalar was correctly encoded. - * DECAF_FAILURE: The scalar was greater than the modulus, and has been reduced + * C448_SUCCESS: The scalar was correctly encoded. + * C448_FAILURE: The scalar was greater than the modulus, and has been reduced * modulo that modulus. */ -__owur decaf_error_t curve448_scalar_decode( +__owur c448_error_t curve448_scalar_decode( curve448_scalar_t out, - const unsigned char ser[DECAF_448_SCALAR_BYTES]); + const unsigned char ser[C448_448_SCALAR_BYTES]); /* * Read a scalar from wire format or from bytes. Reduces mod scalar prime. @@ -96,7 +96,7 @@ void curve448_scalar_decode_long(curve448_scalar_t out, * ser (out): Serialized form of a scalar. * s (in): Deserialized scalar. */ -void curve448_scalar_encode(unsigned char ser[DECAF_448_SCALAR_BYTES], +void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES], const curve448_scalar_t s); /* @@ -163,18 +163,18 @@ static ossl_inline void curve448_point_copy(curve448_point_t a, } /* - * Test whether two points are equal. If yes, return DECAF_TRUE, else return - * DECAF_FALSE. + * Test whether two points are equal. If yes, return C448_TRUE, else return + * C448_FALSE. * * a (in): A point. * b (in): Another point. * * Returns: - * DECAF_TRUE: The points are equal. - * DECAF_FALSE: The points are not equal. + * C448_TRUE: The points are equal. + * C448_FALSE: The points are not equal. */ -__owur decaf_bool_t curve448_point_eq(const curve448_point_t a, - const curve448_point_t b); +__owur c448_bool_t curve448_point_eq(const curve448_point_t a, + const curve448_point_t b); /* * Double a point. Equivalent to curve448_point_add(two_a,a,a), but potentially @@ -194,35 +194,35 @@ void curve448_point_double(curve448_point_t two_a, const curve448_point_t a); * scalar (in): The scalar to multiply by. * * Returns: - * DECAF_SUCCESS: The scalarmul succeeded. - * DECAF_FAILURE: The scalarmul didn't succeed, because the base point is in a + * C448_SUCCESS: The scalarmul succeeded. + * C448_FAILURE: The scalarmul didn't succeed, because the base point is in a * small subgroup. */ -__owur decaf_error_t decaf_x448(uint8_t out[DECAF_X448_PUBLIC_BYTES], - const uint8_t base[DECAF_X448_PUBLIC_BYTES], - const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]); +__owur c448_error_t c448_x448(uint8_t out[C448_X448_PUBLIC_BYTES], + const uint8_t base[C448_X448_PUBLIC_BYTES], + const uint8_t scalar[C448_X448_PRIVATE_BYTES]); /* - * Multiply a point by DECAF_X448_ENCODE_RATIO, then encode it like RFC 7748. + * Multiply a point by C448_X448_ENCODE_RATIO, then encode it like RFC 7748. * * This function is mainly used internally, but is exported in case * it will be useful. * * The ratio is necessary because the internal representation doesn't * track the cofactor information, so on output we must clear the cofactor. - * This would multiply by the cofactor, but in fact internally libdecaf's - * points are always even, so it multiplies by half the cofactor instead. + * This would multiply by the cofactor, but in fact internally points are always + * even, so it multiplies by half the cofactor instead. * * As it happens, this aligns with the base point definitions; that is, * if you pass the Decaf/Ristretto base point to this function, the result - * will be DECAF_X448_ENCODE_RATIO times the X448 + * will be C448_X448_ENCODE_RATIO times the X448 * base point. * * out (out): The scaled and encoded point. * p (in): The point to be scaled and encoded. */ void curve448_point_mul_by_ratio_and_encode_like_x448( - uint8_t out[DECAF_X448_PUBLIC_BYTES], + uint8_t out[C448_X448_PUBLIC_BYTES], const curve448_point_t p); /* @@ -232,9 +232,9 @@ void curve448_point_mul_by_ratio_and_encode_like_x448( * out (out): The scaled point base*scalar * scalar (in): The scalar to multiply by. */ -void decaf_x448_derive_public_key( - uint8_t out[DECAF_X448_PUBLIC_BYTES], - const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]); +void c448_x448_derive_public_key( + uint8_t out[C448_X448_PUBLIC_BYTES], + const uint8_t scalar[C448_X448_PRIVATE_BYTES]); /* * Multiply a precomputed base point by a scalar: out = scalar*base. @@ -273,10 +273,10 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, * to_test (in): The point to test. * * Returns: - * DECAF_TRUE The point is valid. - * DECAF_FALSE The point is invalid. + * C448_TRUE The point is valid. + * C448_FALSE The point is invalid. */ -__owur decaf_bool_t curve448_point_valid(const curve448_point_t to_test); +__owur c448_bool_t curve448_point_valid(const curve448_point_t to_test); /* Overwrite scalar with zeros. */ void curve448_scalar_destroy(curve448_scalar_t scalar); @@ -288,4 +288,4 @@ void curve448_point_destroy(curve448_point_t point); } /* extern "C" */ #endif -#endif /* __DECAF_POINT_448_H__ */ +#endif /* __C448_POINT_448_H__ */ diff --git a/crypto/ec/curve448/scalar.c b/crypto/ec/curve448/scalar.c index 446670734f..a93964e227 100644 --- a/crypto/ec/curve448/scalar.c +++ b/crypto/ec/curve448/scalar.c @@ -15,7 +15,7 @@ #include "constant_time.h" #include "point_448.h" -static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t) 0x3bd440fae918bc5; +static const c448_word_t MONTGOMERY_FACTOR = (c448_word_t) 0x3bd440fae918bc5; static const curve448_scalar_t sc_p = { { { @@ -37,7 +37,7 @@ static const curve448_scalar_t sc_p = { } }; -#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */ +#define WBITS C448_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */ const curve448_scalar_t curve448_scalar_one = {{{1}}}; const curve448_scalar_t curve448_scalar_zero = {{{0}}}; @@ -47,15 +47,15 @@ const curve448_scalar_t curve448_scalar_zero = {{{0}}}; * Must have extra <= 1 */ static void sc_subx(curve448_scalar_t out, - const decaf_word_t accum[DECAF_448_SCALAR_LIMBS], + const c448_word_t accum[C448_448_SCALAR_LIMBS], const curve448_scalar_t sub, - const curve448_scalar_t p, decaf_word_t extra) + const curve448_scalar_t p, c448_word_t extra) { - decaf_dsword_t chain = 0; + c448_dsword_t chain = 0; unsigned int i; - decaf_word_t borrow; + c448_word_t borrow; - for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { chain = (chain + accum[i]) - sub->limb[i]; out->limb[i] = chain; chain >>= WBITS; @@ -63,7 +63,7 @@ static void sc_subx(curve448_scalar_t out, borrow = chain + extra; /* = 0 or -1 */ chain = 0; - for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { chain = (chain + out->limb[i]) + (p->limb[i] & borrow); out->limb[i] = chain; chain >>= WBITS; @@ -74,16 +74,16 @@ static void sc_montmul(curve448_scalar_t out, const curve448_scalar_t a, const curve448_scalar_t b) { unsigned int i, j; - decaf_word_t accum[DECAF_448_SCALAR_LIMBS + 1] = { 0 }; - decaf_word_t hi_carry = 0; + c448_word_t accum[C448_448_SCALAR_LIMBS + 1] = { 0 }; + c448_word_t hi_carry = 0; - for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) { - decaf_word_t mand = a->limb[i]; - const decaf_word_t *mier = b->limb; + for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + c448_word_t mand = a->limb[i]; + const c448_word_t *mier = b->limb; - decaf_dword_t chain = 0; - for (j = 0; j < DECAF_448_SCALAR_LIMBS; j++) { - chain += ((decaf_dword_t) mand) * mier[j] + accum[j]; + c448_dword_t chain = 0; + for (j = 0; j < C448_448_SCALAR_LIMBS; j++) { + chain += ((c448_dword_t) mand) * mier[j] + accum[j]; accum[j] = chain; chain >>= WBITS; } @@ -92,8 +92,8 @@ static void sc_montmul(curve448_scalar_t out, const curve448_scalar_t a, mand = accum[0] * MONTGOMERY_FACTOR; chain = 0; mier = sc_p->limb; - for (j = 0; j < DECAF_448_SCALAR_LIMBS; j++) { - chain += (decaf_dword_t) mand *mier[j] + accum[j]; + for (j = 0; j < C448_448_SCALAR_LIMBS; j++) { + chain += (c448_dword_t) mand *mier[j] + accum[j]; if (j) accum[j - 1] = chain; chain >>= WBITS; @@ -123,10 +123,10 @@ void curve448_scalar_sub(curve448_scalar_t out, const curve448_scalar_t a, void curve448_scalar_add(curve448_scalar_t out, const curve448_scalar_t a, const curve448_scalar_t b) { - decaf_dword_t chain = 0; + c448_dword_t chain = 0; unsigned int i; - for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { chain = (chain + a->limb[i]) + b->limb[i]; out->limb[i] = chain; chain >>= WBITS; @@ -140,30 +140,30 @@ static ossl_inline void scalar_decode_short(curve448_scalar_t s, { unsigned int i, j, k = 0; - for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) { - decaf_word_t out = 0; + for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + c448_word_t out = 0; - for (j = 0; j < sizeof(decaf_word_t) && k < nbytes; j++, k++) - out |= ((decaf_word_t) ser[k]) << (8 * j); + for (j = 0; j < sizeof(c448_word_t) && k < nbytes; j++, k++) + out |= ((c448_word_t) ser[k]) << (8 * j); s->limb[i] = out; } } -decaf_error_t curve448_scalar_decode( +c448_error_t curve448_scalar_decode( curve448_scalar_t s, - const unsigned char ser[DECAF_448_SCALAR_BYTES]) + const unsigned char ser[C448_448_SCALAR_BYTES]) { unsigned int i; - decaf_dsword_t accum = 0; + c448_dsword_t accum = 0; - scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES); - for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) + scalar_decode_short(s, ser, C448_448_SCALAR_BYTES); + for (i = 0; i < C448_448_SCALAR_LIMBS; i++) accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS; /* Here accum == 0 or -1 */ curve448_scalar_mul(s, s, curve448_scalar_one); /* ham-handed reduce */ - return decaf_succeed_if(~word_is_zero(accum)); + return c448_succeed_if(~word_is_zero(accum)); } void curve448_scalar_destroy(curve448_scalar_t scalar) @@ -182,9 +182,9 @@ void curve448_scalar_decode_long(curve448_scalar_t s, return; } - i = ser_len - (ser_len % DECAF_448_SCALAR_BYTES); + i = ser_len - (ser_len % C448_448_SCALAR_BYTES); if (i == ser_len) - i -= DECAF_448_SCALAR_BYTES; + i -= C448_448_SCALAR_BYTES; scalar_decode_short(t1, &ser[i], ser_len - i); @@ -197,7 +197,7 @@ void curve448_scalar_decode_long(curve448_scalar_t s, } while (i) { - i -= DECAF_448_SCALAR_BYTES; + i -= C448_448_SCALAR_BYTES; sc_montmul(t1, t1, sc_r2); ignore_result(curve448_scalar_decode(t2, ser + i)); curve448_scalar_add(t1, t1, t2); @@ -208,28 +208,28 @@ void curve448_scalar_decode_long(curve448_scalar_t s, curve448_scalar_destroy(t2); } -void curve448_scalar_encode(unsigned char ser[DECAF_448_SCALAR_BYTES], +void curve448_scalar_encode(unsigned char ser[C448_448_SCALAR_BYTES], const curve448_scalar_t s) { unsigned int i, j, k = 0; - for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) { - for (j = 0; j < sizeof(decaf_word_t); j++, k++) + for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { + for (j = 0; j < sizeof(c448_word_t); j++, k++) ser[k] = s->limb[i] >> (8 * j); } } void curve448_scalar_halve(curve448_scalar_t out, const curve448_scalar_t a) { - decaf_word_t mask = -(a->limb[0] & 1); - decaf_dword_t chain = 0; + c448_word_t mask = -(a->limb[0] & 1); + c448_dword_t chain = 0; unsigned int i; - for (i = 0; i < DECAF_448_SCALAR_LIMBS; i++) { + for (i = 0; i < C448_448_SCALAR_LIMBS; i++) { chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask); out->limb[i] = chain; - chain >>= DECAF_WORD_BITS; + chain >>= C448_WORD_BITS; } - for (i = 0; i < DECAF_448_SCALAR_LIMBS - 1; i++) + for (i = 0; i < C448_448_SCALAR_LIMBS - 1; i++) out->limb[i] = out->limb[i] >> 1 | out->limb[i + 1] << (WBITS - 1); out->limb[i] = out->limb[i] >> 1 | chain << (WBITS - 1); } diff --git a/crypto/ec/curve448/word.h b/crypto/ec/curve448/word.h index 258ef5f253..4320909f33 100644 --- a/crypto/ec/curve448/word.h +++ b/crypto/ec/curve448/word.h @@ -54,19 +54,19 @@ typedef int16_t hsword_t; typedef int32_t sword_t; typedef int64_t dsword_t; # else -# error "For now, libdecaf only supports 32- and 64-bit architectures." +# error "For now, we only support 32- and 64-bit architectures." # endif /* * Scalar limbs are keyed off of the API word size instead of the arch word * size. */ -# if DECAF_WORD_BITS == 64 +# if C448_WORD_BITS == 64 # define SC_LIMB(x) (x) -# elif DECAF_WORD_BITS == 32 +# elif C448_WORD_BITS == 32 # define SC_LIMB(x) ((uint32_t)x),(x>>32) # else -# error "For now, libdecaf only supports 32- and 64-bit architectures." +# error "For now we only support 32- and 64-bit architectures." # endif # ifdef __ARM_NEON__ @@ -184,26 +184,26 @@ static ossl_inline big_register_t br_is_zero(big_register_t x) # endif /* - * The plan on booleans: The external interface uses decaf_bool_t, but this + * The plan on booleans: The external interface uses c448_bool_t, but this * might be a different size than our particular arch's word_t (and thus * mask_t). Also, the caller isn't guaranteed to pass it as nonzero. So * bool_to_mask converts word sizes and checks nonzero. On the flip side, * mask_t is always -1 or 0, but it might be a different size than - * decaf_bool_t. On the third hand, we have success vs boolean types, but - * that's handled in common.h: it converts between decaf_bool_t and - * decaf_error_t. + * c448_bool_t. On the third hand, we have success vs boolean types, but + * that's handled in common.h: it converts between c448_bool_t and + * c448_error_t. */ -static ossl_inline decaf_bool_t mask_to_bool(mask_t m) +static ossl_inline c448_bool_t mask_to_bool(mask_t m) { - return (decaf_sword_t)(sword_t)m; + return (c448_sword_t)(sword_t)m; } -static ossl_inline mask_t bool_to_mask(decaf_bool_t m) +static ossl_inline mask_t bool_to_mask(c448_bool_t m) { /* On most arches this will be optimized to a simple cast. */ mask_t ret = 0; unsigned int i; - unsigned int limit = sizeof(decaf_bool_t) / sizeof(mask_t); + unsigned int limit = sizeof(c448_bool_t) / sizeof(mask_t); if (limit < 1) limit = 1; @@ -213,7 +213,7 @@ static ossl_inline mask_t bool_to_mask(decaf_bool_t m) return ret; } -static ossl_inline void ignore_result(decaf_bool_t boo) +static ossl_inline void ignore_result(c448_bool_t boo) { (void)boo; } -- cgit v1.2.3