package p751sidh import ( "bytes" "crypto/rand" mathRand "math/rand" "reflect" "testing" "testing/quick" ) import . "github.com/cloudflare/p751sidh/p751toolbox" func TestMultiplyByThree(t *testing.T) { // sage: repr((3^238 -1).digits(256)) var three238minus1 = [48]byte{248, 132, 131, 130, 138, 113, 205, 237, 20, 122, 66, 212, 191, 53, 59, 115, 56, 207, 215, 148, 207, 41, 130, 248, 214, 42, 124, 12, 153, 108, 197, 99, 199, 34, 66, 143, 126, 168, 88, 184, 245, 234, 37, 181, 198, 201, 84, 2} // sage: repr((3*(3^238 -1)).digits(256)) var threeTimesThree238minus1 = [48]byte{232, 142, 138, 135, 159, 84, 104, 201, 62, 110, 199, 124, 63, 161, 177, 89, 169, 109, 135, 190, 110, 125, 134, 233, 132, 128, 116, 37, 203, 69, 80, 43, 86, 104, 198, 173, 123, 249, 9, 41, 225, 192, 113, 31, 84, 93, 254, 6} multiplyByThree(&three238minus1) for i := 0; i < 48; i++ { if three238minus1[i] != threeTimesThree238minus1[i] { t.Error("Digit", i, "error: found", three238minus1[i], "expected", threeTimesThree238minus1[i]) } } } func TestCheckLessThanThree238(t *testing.T) { var three238minus1 = [48]byte{248, 132, 131, 130, 138, 113, 205, 237, 20, 122, 66, 212, 191, 53, 59, 115, 56, 207, 215, 148, 207, 41, 130, 248, 214, 42, 124, 12, 153, 108, 197, 99, 199, 34, 66, 143, 126, 168, 88, 184, 245, 234, 37, 181, 198, 201, 84, 2} var three238 = [48]byte{249, 132, 131, 130, 138, 113, 205, 237, 20, 122, 66, 212, 191, 53, 59, 115, 56, 207, 215, 148, 207, 41, 130, 248, 214, 42, 124, 12, 153, 108, 197, 99, 199, 34, 66, 143, 126, 168, 88, 184, 245, 234, 37, 181, 198, 201, 84, 2} var three238plus1 = [48]byte{250, 132, 131, 130, 138, 113, 205, 237, 20, 122, 66, 212, 191, 53, 59, 115, 56, 207, 215, 148, 207, 41, 130, 248, 214, 42, 124, 12, 153, 108, 197, 99, 199, 34, 66, 143, 126, 168, 88, 184, 245, 234, 37, 181, 198, 201, 84, 2} var result = uint32(57) checkLessThanThree238(&three238minus1, &result) if result != 0 { t.Error("Expected 0, got", result) } checkLessThanThree238(&three238, &result) if result == 0 { t.Error("Expected nonzero, got", result) } checkLessThanThree238(&three238plus1, &result) if result == 0 { t.Error("Expected nonzero, got", result) } } // This throws away the generated public key, forcing us to recompute it in the test, // but generating the value *in* the quickcheck predicate breaks the testing. func (x SIDHSecretKeyAlice) Generate(quickCheckRand *mathRand.Rand, size int) reflect.Value { // use crypto/rand instead of the quickCheck-provided RNG _, aliceSecret, err := GenerateAliceKeypair(rand.Reader) if err != nil { panic("error generating secret key") } return reflect.ValueOf(*aliceSecret) } func (x SIDHSecretKeyBob) Generate(quickCheckRand *mathRand.Rand, size int) reflect.Value { // use crypto/rand instead of the quickCheck-provided RNG _, bobSecret, err := GenerateBobKeypair(rand.Reader) if err != nil { panic("error generating secret key") } return reflect.ValueOf(*bobSecret) } func TestEphemeralSharedSecret(t *testing.T) { sharedSecretsMatch := func(aliceSecret SIDHSecretKeyAlice, bobSecret SIDHSecretKeyBob) bool { alicePublic := aliceSecret.PublicKey() bobPublic := bobSecret.PublicKey() aliceSharedSecret := aliceSecret.SharedSecret(&bobPublic) bobSharedSecret := bobSecret.SharedSecret(&alicePublic) return bytes.Equal(aliceSharedSecret[:], bobSharedSecret[:]) } if err := quick.Check(sharedSecretsMatch, nil); err != nil { t.Error(err) } } // Perform Alice's (2-isogeny) key generation, using the slow but simple multiplication-based strategy. // // This function just exists to ensure that the fast isogeny-tree strategy works correctly. func aliceKeyGenSlow(secretKey *SIDHSecretKeyAlice) SIDHPublicKeyAlice { var xP, xQ, xQmP, xR, xS ProjectivePoint xP.FromAffinePrimeField(&Affine_xPB) // = ( x_P : 1) = x(P_B) xQ.FromAffinePrimeField(&Affine_xPB) // xQ.X.Neg(&xQ.X) // = (-x_P : 1) = x(Q_B) xQmP = DistortAndDifference(&Affine_xPB) // = x(Q_B - P_B) xR = SecretPoint(&Affine_xPA, &Affine_yPA, secretKey.Scalar[:]) var currentCurve ProjectiveCurveParameters // Starting curve has a = 0, so (A:C) = (0,1) currentCurve.A.Zero() currentCurve.C.One() var firstPhi FirstFourIsogeny currentCurve, firstPhi = ComputeFirstFourIsogeny(¤tCurve) xP = firstPhi.Eval(&xP) xQ = firstPhi.Eval(&xQ) xQmP = firstPhi.Eval(&xQmP) xR = firstPhi.Eval(&xR) var phi FourIsogeny for e := (372 - 4); e >= 0; e -= 2 { xS.Pow2k(¤tCurve, &xR, uint32(e)) currentCurve, phi = ComputeFourIsogeny(&xS) xR = phi.Eval(&xR) xP = phi.Eval(&xP) xQ = phi.Eval(&xQ) xQmP = phi.Eval(&xQmP) } var invZP, invZQ, invZQmP ExtensionFieldElement ExtensionFieldBatch3Inv(&xP.Z, &xQ.Z, &xQmP.Z, &invZP, &invZQ, &invZQmP) var publicKey SIDHPublicKeyAlice publicKey.affine_xP.Mul(&xP.X, &invZP) publicKey.affine_xQ.Mul(&xQ.X, &invZQ) publicKey.affine_xQmP.Mul(&xQmP.X, &invZQmP) return publicKey } // Perform Bob's (3-isogeny) key generation, using the slow but simple multiplication-based strategy. // // This function just exists to ensure that the fast isogeny-tree strategy works correctly. func bobKeyGenSlow(secretKey *SIDHSecretKeyBob) SIDHPublicKeyBob { var xP, xQ, xQmP, xR, xS ProjectivePoint xP.FromAffinePrimeField(&Affine_xPA) // = ( x_P : 1) = x(P_A) xQ.FromAffinePrimeField(&Affine_xPA) // xQ.X.Neg(&xQ.X) // = (-x_P : 1) = x(Q_A) xQmP = DistortAndDifference(&Affine_xPA) // = x(Q_B - P_B) xR = SecretPoint(&Affine_xPB, &Affine_yPB, secretKey.Scalar[:]) var currentCurve ProjectiveCurveParameters // Starting curve has a = 0, so (A:C) = (0,1) currentCurve.A.Zero() currentCurve.C.One() var phi ThreeIsogeny for e := 238; e >= 0; e-- { xS.Pow3k(¤tCurve, &xR, uint32(e)) currentCurve, phi = ComputeThreeIsogeny(&xS) xR = phi.Eval(&xR) xP = phi.Eval(&xP) xQ = phi.Eval(&xQ) xQmP = phi.Eval(&xQmP) } var invZP, invZQ, invZQmP ExtensionFieldElement ExtensionFieldBatch3Inv(&xP.Z, &xQ.Z, &xQmP.Z, &invZP, &invZQ, &invZQmP) var publicKey SIDHPublicKeyBob publicKey.affine_xP.Mul(&xP.X, &invZP) publicKey.affine_xQ.Mul(&xQ.X, &invZQ) publicKey.affine_xQmP.Mul(&xQmP.X, &invZQmP) return publicKey } // Perform Alice's key agreement, using the slow but simple multiplication-based strategy. // // This function just exists to ensure that the fast isogeny-tree strategy works correctly. func aliceSharedSecretSlow(bobPublic *SIDHPublicKeyBob, aliceSecret *SIDHSecretKeyAlice) [188]byte { var currentCurve = RecoverCurveParameters(&bobPublic.affine_xP, &bobPublic.affine_xQ, &bobPublic.affine_xQmP) var xR, xS, xP, xQ, xQmP ProjectivePoint xP.FromAffine(&bobPublic.affine_xP) xQ.FromAffine(&bobPublic.affine_xQ) xQmP.FromAffine(&bobPublic.affine_xQmP) xR.ThreePointLadder(¤tCurve, &xP, &xQ, &xQmP, aliceSecret.Scalar[:]) var firstPhi FirstFourIsogeny currentCurve, firstPhi = ComputeFirstFourIsogeny(¤tCurve) xR = firstPhi.Eval(&xR) var phi FourIsogeny for e := (372 - 4); e >= 2; e -= 2 { xS.Pow2k(¤tCurve, &xR, uint32(e)) currentCurve, phi = ComputeFourIsogeny(&xS) xR = phi.Eval(&xR) } currentCurve, _ = ComputeFourIsogeny(&xR) var sharedSecret [SharedSecretSize]byte var jInv = currentCurve.JInvariant() jInv.ToBytes(sharedSecret[:]) return sharedSecret } // Perform Bob's key agreement, using the slow but simple multiplication-based strategy. // // This function just exists to ensure that the fast isogeny-tree strategy works correctly. func bobSharedSecretSlow(alicePublic *SIDHPublicKeyAlice, bobSecret *SIDHSecretKeyBob) [188]byte { var currentCurve = RecoverCurveParameters(&alicePublic.affine_xP, &alicePublic.affine_xQ, &alicePublic.affine_xQmP) var xR, xS, xP, xQ, xQmP ProjectivePoint xP.FromAffine(&alicePublic.affine_xP) xQ.FromAffine(&alicePublic.affine_xQ) xQmP.FromAffine(&alicePublic.affine_xQmP) xR.ThreePointLadder(¤tCurve, &xP, &xQ, &xQmP, bobSecret.Scalar[:]) var phi ThreeIsogeny for e := 238; e >= 1; e-- { xS.Pow3k(¤tCurve, &xR, uint32(e)) currentCurve, phi = ComputeThreeIsogeny(&xS) xR = phi.Eval(&xR) } currentCurve, _ = ComputeThreeIsogeny(&xR) var sharedSecret [SharedSecretSize]byte var jInv = currentCurve.JInvariant() jInv.ToBytes(sharedSecret[:]) return sharedSecret } func TestBobKeyGenFastVsSlow(t *testing.T) { // m_B = 3*randint(0,3^238) var m_B = [48]uint8{246, 217, 158, 190, 100, 227, 224, 181, 171, 32, 120, 72, 92, 115, 113, 62, 103, 57, 71, 252, 166, 121, 126, 201, 55, 99, 213, 234, 243, 228, 171, 68, 9, 239, 214, 37, 255, 242, 217, 180, 25, 54, 242, 61, 101, 245, 78, 0} var bobSecretKey = SIDHSecretKeyBob{Scalar: m_B} var fastPubKey = bobSecretKey.PublicKey() var slowPubKey = bobKeyGenSlow(&bobSecretKey) if !fastPubKey.affine_xP.VartimeEq(&slowPubKey.affine_xP) { t.Error("Expected affine_xP = ", fastPubKey.affine_xP, "found", slowPubKey.affine_xP) } if !fastPubKey.affine_xQ.VartimeEq(&slowPubKey.affine_xQ) { t.Error("Expected affine_xQ = ", fastPubKey.affine_xQ, "found", slowPubKey.affine_xQ) } if !fastPubKey.affine_xQmP.VartimeEq(&slowPubKey.affine_xQmP) { t.Error("Expected affine_xQmP = ", fastPubKey.affine_xQmP, "found", slowPubKey.affine_xQmP) } } func TestAliceKeyGenFastVsSlow(t *testing.T) { // m_A = 2*randint(0,2^371) var m_A = [48]uint8{248, 31, 9, 39, 165, 125, 79, 135, 70, 97, 87, 231, 221, 204, 245, 38, 150, 198, 187, 184, 199, 148, 156, 18, 137, 71, 248, 83, 111, 170, 138, 61, 112, 25, 188, 197, 132, 151, 1, 0, 207, 178, 24, 72, 171, 22, 11, 0} var aliceSecretKey = SIDHSecretKeyAlice{Scalar: m_A} var fastPubKey = aliceSecretKey.PublicKey() var slowPubKey = aliceKeyGenSlow(&aliceSecretKey) if !fastPubKey.affine_xP.VartimeEq(&slowPubKey.affine_xP) { t.Error("Expected affine_xP = ", fastPubKey.affine_xP, "found", slowPubKey.affine_xP) } if !fastPubKey.affine_xQ.VartimeEq(&slowPubKey.affine_xQ) { t.Error("Expected affine_xQ = ", fastPubKey.affine_xQ, "found", slowPubKey.affine_xQ) } if !fastPubKey.affine_xQmP.VartimeEq(&slowPubKey.affine_xQmP) { t.Error("Expected affine_xQmP = ", fastPubKey.affine_xQmP, "found", slowPubKey.affine_xQmP) } } func TestSharedSecret(t *testing.T) { // m_A = 2*randint(0,2^371) var m_A = [48]uint8{248, 31, 9, 39, 165, 125, 79, 135, 70, 97, 87, 231, 221, 204, 245, 38, 150, 198, 187, 184, 199, 148, 156, 18, 137, 71, 248, 83, 111, 170, 138, 61, 112, 25, 188, 197, 132, 151, 1, 0, 207, 178, 24, 72, 171, 22, 11, 0} // m_B = 3*randint(0,3^238) var m_B = [48]uint8{246, 217, 158, 190, 100, 227, 224, 181, 171, 32, 120, 72, 92, 115, 113, 62, 103, 57, 71, 252, 166, 121, 126, 201, 55, 99, 213, 234, 243, 228, 171, 68, 9, 239, 214, 37, 255, 242, 217, 180, 25, 54, 242, 61, 101, 245, 78, 0} var aliceSecret = SIDHSecretKeyAlice{Scalar: m_A} var bobSecret = SIDHSecretKeyBob{Scalar: m_B} var alicePublic = aliceSecret.PublicKey() var bobPublic = bobSecret.PublicKey() var aliceSharedSecretSlow = aliceSharedSecretSlow(&bobPublic, &aliceSecret) var aliceSharedSecretFast = aliceSecret.SharedSecret(&bobPublic) var bobSharedSecretSlow = bobSharedSecretSlow(&alicePublic, &bobSecret) var bobSharedSecretFast = bobSecret.SharedSecret(&alicePublic) if !bytes.Equal(aliceSharedSecretFast[:], aliceSharedSecretSlow[:]) { t.Error("Shared secret (fast) mismatch: Alice has ", aliceSharedSecretFast, " Bob has ", bobSharedSecretFast) } if !bytes.Equal(aliceSharedSecretSlow[:], bobSharedSecretSlow[:]) { t.Error("Shared secret (slow) mismatch: Alice has ", aliceSharedSecretSlow, " Bob has ", bobSharedSecretSlow) } if !bytes.Equal(aliceSharedSecretSlow[:], bobSharedSecretFast[:]) { t.Error("Shared secret mismatch: Alice (slow) has ", aliceSharedSecretSlow, " Bob (fast) has ", bobSharedSecretFast) } } func TestSecretPoint(t *testing.T) { // m_A = 2*randint(0,2^371) var m_A = [48]uint8{248, 31, 9, 39, 165, 125, 79, 135, 70, 97, 87, 231, 221, 204, 245, 38, 150, 198, 187, 184, 199, 148, 156, 18, 137, 71, 248, 83, 111, 170, 138, 61, 112, 25, 188, 197, 132, 151, 1, 0, 207, 178, 24, 72, 171, 22, 11, 0} // m_B = 3*randint(0,3^238) var m_B = [48]uint8{246, 217, 158, 190, 100, 227, 224, 181, 171, 32, 120, 72, 92, 115, 113, 62, 103, 57, 71, 252, 166, 121, 126, 201, 55, 99, 213, 234, 243, 228, 171, 68, 9, 239, 214, 37, 255, 242, 217, 180, 25, 54, 242, 61, 101, 245, 78, 0} var xR_A = SecretPoint(&Affine_xPA, &Affine_yPA, m_A[:]) var xR_B = SecretPoint(&Affine_xPB, &Affine_yPB, m_B[:]) var sageAffine_xR_A = ExtensionFieldElement{A: Fp751Element{0x29f1dff12103d089, 0x7409b9bf955e0d87, 0xe812441c1cca7288, 0xc32b8b13efba55f9, 0xc3b76a80696d83da, 0x185dd4f93a3dc373, 0xfc07c1a9115b6717, 0x39bfcdd63b5c4254, 0xc4d097d51d41efd8, 0x4f893494389b21c7, 0x373433211d3d0446, 0x53c35ccc3d22}, B: Fp751Element{0x722e718f33e40815, 0x8c5fc0fdf715667, 0x850fd292bbe8c74c, 0x212938a60fcbf5d3, 0xfdb2a099d58dc6e7, 0x232f83ab63c9c205, 0x23eda62fa5543f5e, 0x49b5758855d9d04f, 0x6b455e6642ef25d1, 0x9651162537470202, 0xfeced582f2e96ff0, 0x33a9e0c0dea8}} var sageAffine_xR_B = ExtensionFieldElement{A: Fp751Element{0xdd4e66076e8499f5, 0xe7efddc6907519da, 0xe31f9955b337108c, 0x8e558c5479ffc5e1, 0xfee963ead776bfc2, 0x33aa04c35846bf15, 0xab77d91b23617a0d, 0xbdd70948746070e2, 0x66f71291c277e942, 0x187c39db2f901fce, 0x69262987d5d32aa2, 0xe1db40057dc}, B: Fp751Element{0xd1b766abcfd5c167, 0x4591059dc8a382fa, 0x1ddf9490736c223d, 0xc96db091bdf2b3dd, 0x7b8b9c3dc292f502, 0xe5b18ad85e4d3e33, 0xc3f3479b6664b931, 0xa4f17865299e21e6, 0x3f7ef5b332fa1c6e, 0x875bedb5dab06119, 0x9b5a06ea2e23b93, 0x43d48296fb26}} var affine_xR_A = xR_A.ToAffine() if !sageAffine_xR_A.VartimeEq(affine_xR_A) { t.Error("Expected \n", sageAffine_xR_A, "\nfound\n", affine_xR_A) } var affine_xR_B = xR_B.ToAffine() if !sageAffine_xR_B.VartimeEq(affine_xR_B) { t.Error("Expected \n", sageAffine_xR_B, "\nfound\n", affine_xR_B) } } var keygenBenchPubKeyAlice SIDHPublicKeyAlice var keygenBenchPubKeyBob SIDHPublicKeyBob func BenchmarkAliceKeyGen(b *testing.B) { for n := 0; n < b.N; n++ { GenerateAliceKeypair(rand.Reader) } } func BenchmarkAliceKeyGenSlow(b *testing.B) { // m_A = 2*randint(0,2^371) var m_A = [48]uint8{248, 31, 9, 39, 165, 125, 79, 135, 70, 97, 87, 231, 221, 204, 245, 38, 150, 198, 187, 184, 199, 148, 156, 18, 137, 71, 248, 83, 111, 170, 138, 61, 112, 25, 188, 197, 132, 151, 1, 0, 207, 178, 24, 72, 171, 22, 11, 0} var aliceSecretKey = SIDHSecretKeyAlice{Scalar: m_A} for n := 0; n < b.N; n++ { keygenBenchPubKeyAlice = aliceKeyGenSlow(&aliceSecretKey) } } func BenchmarkBobKeyGen(b *testing.B) { for n := 0; n < b.N; n++ { GenerateBobKeypair(rand.Reader) } } func BenchmarkBobKeyGenSlow(b *testing.B) { // m_B = 3*randint(0,3^238) var m_B = [48]uint8{246, 217, 158, 190, 100, 227, 224, 181, 171, 32, 120, 72, 92, 115, 113, 62, 103, 57, 71, 252, 166, 121, 126, 201, 55, 99, 213, 234, 243, 228, 171, 68, 9, 239, 214, 37, 255, 242, 217, 180, 25, 54, 242, 61, 101, 245, 78, 0} var bobSecretKey = SIDHSecretKeyBob{Scalar: m_B} for n := 0; n < b.N; n++ { keygenBenchPubKeyBob = bobKeyGenSlow(&bobSecretKey) } } var benchSharedSecretAlicePublic = SIDHPublicKeyAlice{affine_xP: ExtensionFieldElement{A: Fp751Element{0xea6b2d1e2aebb250, 0x35d0b205dc4f6386, 0xb198e93cb1830b8d, 0x3b5b456b496ddcc6, 0x5be3f0d41132c260, 0xce5f188807516a00, 0x54f3e7469ea8866d, 0x33809ef47f36286, 0x6fa45f83eabe1edb, 0x1b3391ae5d19fd86, 0x1e66daf48584af3f, 0xb430c14aaa87}, B: Fp751Element{0x97b41ebc61dcb2ad, 0x80ead31cb932f641, 0x40a940099948b642, 0x2a22fd16cdc7fe84, 0xaabf35b17579667f, 0x76c1d0139feb4032, 0x71467e1e7b1949be, 0x678ca8dadd0d6d81, 0x14445daea9064c66, 0x92d161eab4fa4691, 0x8dfbb01b6b238d36, 0x2e3718434e4e}}, affine_xQ: ExtensionFieldElement{A: Fp751Element{0xb055cf0ca1943439, 0xa9ff5de2fa6c69ed, 0x4f2761f934e5730a, 0x61a1dcaa1f94aa4b, 0xce3c8fadfd058543, 0xeac432aaa6701b8e, 0x8491d523093aea8b, 0xba273f9bd92b9b7f, 0xd8f59fd34439bb5a, 0xdc0350261c1fe600, 0x99375ab1eb151311, 0x14d175bbdbc5}, B: Fp751Element{0xffb0ef8c2111a107, 0x55ceca3825991829, 0xdbf8a1ccc075d34b, 0xb8e9187bd85d8494, 0x670aa2d5c34a03b0, 0xef9fe2ed2b064953, 0xc911f5311d645aee, 0xf4411f409e410507, 0x934a0a852d03e1a8, 0xe6274e67ae1ad544, 0x9f4bc563c69a87bc, 0x6f316019681e}}, affine_xQmP: ExtensionFieldElement{A: Fp751Element{0x6ffb44306a153779, 0xc0ffef21f2f918f3, 0x196c46d35d77f778, 0x4a73f80452edcfe6, 0x9b00836bce61c67f, 0x387879418d84219e, 0x20700cf9fc1ec5d1, 0x1dfe2356ec64155e, 0xf8b9e33038256b1c, 0xd2aaf2e14bada0f0, 0xb33b226e79a4e313, 0x6be576fad4e5}, B: Fp751Element{0x7db5dbc88e00de34, 0x75cc8cb9f8b6e11e, 0x8c8001c04ebc52ac, 0x67ef6c981a0b5a94, 0xc3654fbe73230738, 0xc6a46ee82983ceca, 0xed1aa61a27ef49f0, 0x17fe5a13b0858fe0, 0x9ae0ca945a4c6b3c, 0x234104a218ad8878, 0xa619627166104394, 0x556a01ff2e7e}}} var benchSharedSecretBobPublic = SIDHPublicKeyBob{affine_xP: ExtensionFieldElement{A: Fp751Element{0x6e1b8b250595b5fb, 0x800787f5197d963b, 0x6f4a4e314162a8a4, 0xe75cba4d37c02128, 0x2212e7579817a216, 0xd8a5fdb0ab2f843c, 0x44230c9f998cfd6c, 0x311ff789b26aa292, 0x73d05c379ff53e40, 0xddd8f5a223bad56c, 0x94b611e6e931c8b5, 0x4d6b9bfe3555}, B: Fp751Element{0x1a3686cfc8381294, 0x57f089b14f639cc4, 0xdb6a1565f2f5cabe, 0x83d67e8f6a02f215, 0x1946272593815e87, 0x2d839631785ca74c, 0xf149dcb2dee2bee, 0x705acd79efe405bf, 0xae3769b67687fbed, 0xacd5e29f2c203cb0, 0xdd91f08fa3153e08, 0x5a9ad8cb7400}}, affine_xQ: ExtensionFieldElement{A: Fp751Element{0xd30ed48b8c0d0c4a, 0x949cad95959ec462, 0x188675581e9d1f2a, 0xf57ed3233d33031c, 0x564c6532f7283ce7, 0x80cbef8ee3b66ecb, 0x5c687359315f22ce, 0x1da950f8671fac50, 0x6fa6c045f513ef6, 0x25ffc65a8da12d4a, 0x8b0f4ac0f5244f23, 0xadcb0e07fd92}, B: Fp751Element{0x37a43cd933ebfec4, 0x2a2806ef28dacf84, 0xd671fe718611b71e, 0xef7d73f01a676326, 0x99db1524e5799cf2, 0x860271dfbf67ff62, 0xedc2a0a14114bcf, 0x6c7b9b14b1264e5a, 0xf52de61707dc38b4, 0xccddb13fcc691f5a, 0x80f37a1220163920, 0x6a9175b9d5a1}}, affine_xQmP: ExtensionFieldElement{A: Fp751Element{0xf08af9e695c626da, 0x7a4b4d52b54e1b38, 0x980272cd4c8b8c10, 0x1afcb6151d113176, 0xaef7dbd877c00f0c, 0xe8a5ea89078700c3, 0x520c1901aa8323fa, 0xfba049c947f3383a, 0x1c38abcab48be9af, 0x9f1212b923481ea, 0x1522da3457a7c293, 0xb746f78e3a61}, B: Fp751Element{0x48010d0b48491128, 0x6d1c5c509f99f450, 0xaa3522330e3a8a62, 0x872aaf46193b2bb2, 0xc89260a2d8508973, 0x98bbbebf5524be83, 0x35711d01d895c217, 0x5e44e09ec506ed7, 0xac653a760ef6fd58, 0x5837954e30ad688d, 0xcbd3e9a1b5661da8, 0x15547f5d091a}}} func BenchmarkSharedSecretAlice(b *testing.B) { // m_A = 2*randint(0,2^371) var m_A = [48]uint8{248, 31, 9, 39, 165, 125, 79, 135, 70, 97, 87, 231, 221, 204, 245, 38, 150, 198, 187, 184, 199, 148, 156, 18, 137, 71, 248, 83, 111, 170, 138, 61, 112, 25, 188, 197, 132, 151, 1, 0, 207, 178, 24, 72, 171, 22, 11, 0} var aliceSecret = SIDHSecretKeyAlice{Scalar: m_A} for n := 0; n < b.N; n++ { aliceSecret.SharedSecret(&benchSharedSecretBobPublic) } } func BenchmarkSharedSecretAliceSlow(b *testing.B) { // m_A = 2*randint(0,2^371) var m_A = [48]uint8{248, 31, 9, 39, 165, 125, 79, 135, 70, 97, 87, 231, 221, 204, 245, 38, 150, 198, 187, 184, 199, 148, 156, 18, 137, 71, 248, 83, 111, 170, 138, 61, 112, 25, 188, 197, 132, 151, 1, 0, 207, 178, 24, 72, 171, 22, 11, 0} var aliceSecret = SIDHSecretKeyAlice{Scalar: m_A} for n := 0; n < b.N; n++ { aliceSharedSecretSlow(&benchSharedSecretBobPublic, &aliceSecret) } } func BenchmarkSharedSecretBob(b *testing.B) { // m_B = 3*randint(0,3^238) var m_B = [48]uint8{246, 217, 158, 190, 100, 227, 224, 181, 171, 32, 120, 72, 92, 115, 113, 62, 103, 57, 71, 252, 166, 121, 126, 201, 55, 99, 213, 234, 243, 228, 171, 68, 9, 239, 214, 37, 255, 242, 217, 180, 25, 54, 242, 61, 101, 245, 78, 0} var bobSecret = SIDHSecretKeyBob{Scalar: m_B} for n := 0; n < b.N; n++ { bobSecret.SharedSecret(&benchSharedSecretAlicePublic) } } func BenchmarkSharedSecretBobSlow(b *testing.B) { // m_B = 3*randint(0,3^238) var m_B = [48]uint8{246, 217, 158, 190, 100, 227, 224, 181, 171, 32, 120, 72, 92, 115, 113, 62, 103, 57, 71, 252, 166, 121, 126, 201, 55, 99, 213, 234, 243, 228, 171, 68, 9, 239, 214, 37, 255, 242, 217, 180, 25, 54, 242, 61, 101, 245, 78, 0} var bobSecret = SIDHSecretKeyBob{Scalar: m_B} for n := 0; n < b.N; n++ { bobSharedSecretSlow(&benchSharedSecretAlicePublic, &bobSecret) } }