From f2e85e88a3605855027d1608d6c935e93c4889b0 Mon Sep 17 00:00:00 2001 
From: Kris Kwiatkowski Date: Wed, 24 Oct 2018 11:24:32 +0100 Subject: [PATCH] remove reference impl --- .../csidh-20180427-by-castryck-et-al/Makefile | 27 -- .../csidh-20180427-by-castryck-et-al/bench.c | 54 --- .../csidh-20180427-by-castryck-et-al/csidh.c | 220 --------- .../csidh-20180427-by-castryck-et-al/csidh.h | 26 - .../csidh-20180427-by-castryck-et-al/fp.h | 37 -- .../csidh-20180427-by-castryck-et-al/fp.s | 452 ------------------ .../csidh-20180427-by-castryck-et-al/main | Bin 31504 -> 0 bytes .../csidh-20180427-by-castryck-et-al/main.c | 99 ---- .../csidh-20180427-by-castryck-et-al/mont.c | 188 -------- .../csidh-20180427-by-castryck-et-al/mont.h | 19 - .../csidh-20180427-by-castryck-et-al/rng.c | 18 - .../csidh-20180427-by-castryck-et-al/rng.h | 8 - .../supersingular.sage | 128 ----- .../csidh-20180427-by-castryck-et-al/u512.h | 22 - .../csidh-20180427-by-castryck-et-al/u512.s | 102 ---- 15 files changed, 1400 deletions(-) delete mode 100644 reference/csidh-20180427-by-castryck-et-al/Makefile delete mode 100644 reference/csidh-20180427-by-castryck-et-al/bench.c delete mode 100644 reference/csidh-20180427-by-castryck-et-al/csidh.c delete mode 100644 reference/csidh-20180427-by-castryck-et-al/csidh.h delete mode 100644 reference/csidh-20180427-by-castryck-et-al/fp.h delete mode 100644 reference/csidh-20180427-by-castryck-et-al/fp.s delete mode 100755 reference/csidh-20180427-by-castryck-et-al/main delete mode 100644 reference/csidh-20180427-by-castryck-et-al/main.c delete mode 100644 reference/csidh-20180427-by-castryck-et-al/mont.c delete mode 100644 reference/csidh-20180427-by-castryck-et-al/mont.h delete mode 100644 reference/csidh-20180427-by-castryck-et-al/rng.c delete mode 100644 reference/csidh-20180427-by-castryck-et-al/rng.h delete mode 100755 reference/csidh-20180427-by-castryck-et-al/supersingular.sage delete mode 100644 reference/csidh-20180427-by-castryck-et-al/u512.h delete mode 100644 reference/csidh-20180427-by-castryck-et-al/u512.s 
diff --git a/reference/csidh-20180427-by-castryck-et-al/Makefile b/reference/csidh-20180427-by-castryck-et-al/Makefile deleted file mode 100644 index 926d7df..0000000 --- a/reference/csidh-20180427-by-castryck-et-al/Makefile +++ /dev/null @@ -1,27 +0,0 @@ -all: - @cc \ - -std=c99 -pedantic \ - -Wall -Wextra \ - -O2 -funroll-loops \ - rng.c \ - u512.s fp.s \ - mont.c \ - csidh.c \ - main.c \ - -o main - -debug: - cc \ - -std=c99 -pedantic \ - -Wall -Wextra \ - -g \ - rng.c \ - u512.s fp.s \ - mont.c \ - csidh.c \ - main.c \ - -o main - -clean: - rm -f main - diff --git a/reference/csidh-20180427-by-castryck-et-al/bench.c b/reference/csidh-20180427-by-castryck-et-al/bench.c deleted file mode 100644 index fd0f64a..0000000 --- a/reference/csidh-20180427-by-castryck-et-al/bench.c +++ /dev/null @@ -1,54 +0,0 @@ - -#include -#include -#include -#include -#include - -#include "u512.h" -#include "fp.h" -#include "mont.h" -#include "csidh.h" - -#include - -static __inline__ uint64_t rdtsc(void) -{ - uint32_t hi, lo; - __asm__ __volatile__ ("rdtsc" : "=a"(lo), "=d"(hi)); - return lo | (uint64_t) hi << 32; -} - -unsigned long its = 10000; - -int main() -{ - clock_t t0, t1, time = 0; - uint64_t c0, c1, cycles = 0; - - private_key priv; - public_key pub = base; - - for (unsigned long i = 0; i < its; ++i) { - - csidh_private(&priv); - - t0 = clock(); - c0 = rdtsc(); - - /**************************************/ - assert(validate(&pub)); - action(&pub, &pub, &priv); - /**************************************/ - - c1 = rdtsc(); - t1 = clock(); - cycles += c1 - c0; - time += t1 - t0; - } - - printf("iterations: %lu\n", its); - printf("clock cycles: %" PRIu64 "\n", (uint64_t) cycles / its); - printf("wall-clock time: %.3lf ms\n", 1000. * time / CLOCKS_PER_SEC / its); -} - diff --git a/reference/csidh-20180427-by-castryck-et-al/csidh.c b/reference/csidh-20180427-by-castryck-et-al/csidh.c deleted file mode 100644 index 6539f8e..0000000 
--- a/reference/csidh-20180427-by-castryck-et-al/csidh.c +++ /dev/null 
@@ -1,220 +0,0 @@ - -#include -#include - -#include "csidh.h" -#include "rng.h" - -/* specific to p, should perhaps be somewhere else */ -const unsigned primes[num_primes] = { - 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, - 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, - 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, - 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, - 317, 331, 337, 347, 349, 353, 359, 367, 373, 587, -}; - -const u512 four_sqrt_p = {{ - 0x85e2579c786882cf, 0x4e3433657e18da95, 0x850ae5507965a0b3, 0xa15bc4e676475964, -}}; - - -const public_key base = {0}; /* A = 0 */ - -void csidh_private(private_key *priv) -{ - memset(&priv->e, 0, sizeof(priv->e)); - for (size_t i = 0; i < num_primes; ) { - int8_t buf[64]; - randombytes(buf, sizeof(buf)); - for (size_t j = 0; j < sizeof(buf); ++j) { - if (buf[j] <= max_exponent && buf[j] >= -max_exponent) { - priv->e[i / 2] |= (buf[j] & 0xf) << i % 2 * 4; - if (++i >= num_primes) - break; - } - } - } -} - -/* compute [(p+1)/l] P for all l in our list of primes. */ -/* divide and conquer is much faster than doing it naively, - * but uses more memory. */ -static void cofactor_multiples(proj *P, const proj *A, size_t lower, size_t upper) -{ - assert(lower < upper); - - if (upper - lower == 1) - return; - - size_t mid = lower + (upper - lower + 1) / 2; - - u512 cl = u512_1, cu = u512_1; - for (size_t i = lower; i < mid; ++i) - u512_mul3_64(&cu, &cu, primes[i]); - for (size_t i = mid; i < upper; ++i) - u512_mul3_64(&cl, &cl, primes[i]); - - xMUL(&P[mid], A, &P[lower], &cu); - xMUL(&P[lower], A, &P[lower], &cl); - - cofactor_multiples(P, A, lower, mid); - cofactor_multiples(P, A, mid, upper); -} - -/* never accepts invalid keys. 
*/ -bool validate(public_key const *in) -{ - const proj A = {in->A, fp_1}; - - do { - - proj P[num_primes]; - fp_random(&P->x); - P->z = fp_1; - - /* maximal 2-power in p+1 */ - xDBL(P, &A, P); - xDBL(P, &A, P); - - cofactor_multiples(P, &A, 0, num_primes); - - u512 order = u512_1; - - for (size_t i = num_primes - 1; i < num_primes; --i) { - - /* we only gain information if [(p+1)/l] P is non-zero */ - if (memcmp(&P[i].z, &fp_0, sizeof(fp))) { - - u512 tmp; - u512_set(&tmp, primes[i]); - xMUL(&P[i], &A, &P[i], &tmp); - - if (memcmp(&P[i].z, &fp_0, sizeof(fp))) - /* P does not have order dividing p+1. */ - return false; - - u512_mul3_64(&order, &order, primes[i]); - - if (u512_sub3(&tmp, &four_sqrt_p, &order)) /* returns borrow */ - /* order > 4 sqrt(p), hence definitely supersingular */ - return true; - } - } - - /* P didn't have big enough order to prove supersingularity. */ - } while (1); -} - -/* compute x^3 + Ax^2 + x */ -static void montgomery_rhs(fp *rhs, fp const *A, fp const *x) -{ - fp tmp; - *rhs = *x; - fp_sq1(rhs); - fp_mul3(&tmp, A, x); - fp_add2(rhs, &tmp); - fp_add2(rhs, &fp_1); - fp_mul2(rhs, x); -} - -/* totally not constant-time. 
*/ -void action(public_key *out, public_key const *in, private_key const *priv) -{ - u512 k[2]; - u512_set(&k[0], 4); /* maximal 2-power in p+1 */ - u512_set(&k[1], 4); /* maximal 2-power in p+1 */ - - uint8_t e[2][num_primes]; - - for (size_t i = 0; i < num_primes; ++i) { - - int8_t t = (int8_t) (priv->e[i / 2] << i % 2 * 4) >> 4; - - if (t > 0) { - e[0][i] = t; - e[1][i] = 0; - u512_mul3_64(&k[1], &k[1], primes[i]); - } - else if (t < 0) { - e[1][i] = -t; - e[0][i] = 0; - u512_mul3_64(&k[0], &k[0], primes[i]); - } - else { - e[0][i] = 0; - e[1][i] = 0; - u512_mul3_64(&k[0], &k[0], primes[i]); - u512_mul3_64(&k[1], &k[1], primes[i]); - } - } - - proj A = {in->A, fp_1}; - - bool done[2] = {false, false}; - - do { - - assert(!memcmp(&A.z, &fp_1, sizeof(fp))); - - proj P; - fp_random(&P.x); - P.z = fp_1; - - fp rhs; - montgomery_rhs(&rhs, &A.x, &P.x); - bool sign = !fp_issquare(&rhs); - - if (done[sign]) - continue; - - xMUL(&P, &A, &P, &k[sign]); - - done[sign] = true; - - for (size_t i = 0; i < num_primes; ++i) { - - if (e[sign][i]) { - - u512 cof = u512_1; - for (size_t j = i + 1; j < num_primes; ++j) - if (e[sign][j]) - u512_mul3_64(&cof, &cof, primes[j]); - - proj K; - xMUL(&K, &A, &P, &cof); - - if (memcmp(&K.z, &fp_0, sizeof(fp))) { - - xISOG(&A, &P, &K, primes[i]); - - if (!--e[sign][i]) - u512_mul3_64(&k[sign], &k[sign], primes[i]); - - } - - } - - done[sign] &= !e[sign][i]; - } - - fp_inv(&A.z); - fp_mul2(&A.x, &A.z); - A.z = fp_1; - - } while (!(done[0] && done[1])); - - out->A = A.x; -} - -/* includes public-key validation. */ -bool csidh(public_key *out, public_key const *in, private_key const *priv) -{ - if (!validate(in)) { - fp_random(&out->A); - return false; - } - action(out, in, priv); - return true; -} - diff --git a/reference/csidh-20180427-by-castryck-et-al/csidh.h b/reference/csidh-20180427-by-castryck-et-al/csidh.h deleted file mode 100644 index 52e9d54..0000000 --- a/reference/csidh-20180427-by-castryck-et-al/csidh.h +++ /dev/null 
@@ -1,26 +0,0 @@ -#ifndef CSIDH_H -#define CSIDH_H - -#include "u512.h" -#include "fp.h" -#include "mont.h" - -/* specific to p, should perhaps be somewhere else */ -#define num_primes 74 -#define max_exponent 5 /* (2*5+1)^74 is roughly 2^256 */ - - -typedef struct private_key { - int8_t e[(num_primes + 1) / 2]; /* packed int4_t */ -} private_key; - -typedef struct public_key { - fp A; /* Montgomery coefficient: represents y^2 = x^3 + Ax^2 + x */ -} public_key; - -extern const public_key base; - -void csidh_private(private_key *priv); -bool csidh(public_key *out, public_key const *in, private_key const *priv); - -#endif diff --git a/reference/csidh-20180427-by-castryck-et-al/fp.h b/reference/csidh-20180427-by-castryck-et-al/fp.h deleted file mode 100644 index 6cfa064..0000000 --- a/reference/csidh-20180427-by-castryck-et-al/fp.h +++ /dev/null @@ -1,37 +0,0 @@ -#ifndef FP_H -#define FP_H - -#include "u512.h" - -/* fp is in the Montgomery domain, so interpreting that - as an integer should never make sense. - enable compiler warnings when mixing up u512 and fp. */ -typedef struct fp { - u512 x; -} fp; - -extern const fp fp_0; -extern const fp fp_1; - -void fp_set(fp *x, uint64_t y); -void fp_cswap(fp *x, fp *y, bool c); - -void fp_enc(fp *x, u512 const *y); /* encode to Montgomery representation */ -void fp_dec(u512 *x, fp const *y); /* decode from Montgomery representation */ - -void fp_add2(fp *x, fp const *y); -void fp_sub2(fp *x, fp const *y); -void fp_mul2(fp *x, fp const *y); - -void fp_add3(fp *x, fp const *y, fp const *z); -void fp_sub3(fp *x, fp const *y, fp const *z); -void fp_mul3(fp *x, fp const *y, fp const *z); - -void fp_sq1(fp *x); -void fp_sq2(fp *x, fp const *y); -void fp_inv(fp *x); -bool fp_issquare(fp const *x); - -void fp_random(fp *x); - -#endif diff --git a/reference/csidh-20180427-by-castryck-et-al/fp.s b/reference/csidh-20180427-by-castryck-et-al/fp.s deleted file mode 100644 index ac65d94..0000000 
--- a/reference/csidh-20180427-by-castryck-et-al/fp.s +++ /dev/null 
@@ -1,452 +0,0 @@ - -.intel_syntax noprefix - -.section .rodata - -.set pbits, 511 -p: - .quad 0x1b81b90533c6c87b, 0xc2721bf457aca835, 0x516730cc1f0b4f25, 0xa7aac6c567f35507 - .quad 0x5afbfcc69322c9cd, 0xb42d083aedc88c42, 0xfc8ab0d15e3e4c4a, 0x65b48e8f740f89bf - - -.global fp_0 -fp_0: .quad 0, 0, 0, 0, 0, 0, 0, 0 - -.global fp_1 -fp_1: /* 2^512 mod p */ - .quad 0xc8fc8df598726f0a, 0x7b1bc81750a6af95, 0x5d319e67c1e961b4, 0xb0aa7275301955f1 - .quad 0x4a080672d9ba6c64, 0x97a5ef8a246ee77b, 0x06ea9e5d4383676a, 0x3496e2e117e0ec80 - - -/* (2^512)^2 mod p */ -.r_squared_mod_p: - .quad 0x36905b572ffc1724, 0x67086f4525f1f27d, 0x4faf3fbfd22370ca, 0x192ea214bcc584b1 - .quad 0x5dae03ee2f5de3d0, 0x1e9248731776b371, 0xad5f166e20e4f52d, 0x4ed759aea6f3917e - -/* -p^-1 mod 2^64 */ -.inv_min_p_mod_r: - .quad 0x66c1301f632e294d - - -.section .text - -.global fp_copy -fp_copy: - cld - mov rcx, 8 - rep movsq - ret - -.global fp_set -fp_set: - push rdi - call u512_set - pop rdi - mov rsi, rdi - jmp fp_enc - -.global fp_cswap -fp_cswap: - movzx rax, dl - neg rax - .set k, 0 - .rept 8 - mov rcx, [rdi + 8*k] - mov rdx, [rsi + 8*k] - - mov r8, rcx - xor r8, rdx - and r8, rax - - xor rcx, r8 - xor rdx, r8 - - mov [rdi + 8*k], rcx - mov [rsi + 8*k], rdx - - .set k, k+1 - .endr - ret - -.reduce_once: - push rbp - mov rbp, rdi - - mov rdi, [rbp + 0] - sub rdi, [rip + p + 0] - mov rsi, [rbp + 8] - sbb rsi, [rip + p + 8] - mov rdx, [rbp + 16] - sbb rdx, [rip + p + 16] - mov rcx, [rbp + 24] - sbb rcx, [rip + p + 24] - mov r8, [rbp + 32] - sbb r8, [rip + p + 32] - mov r9, [rbp + 40] - sbb r9, [rip + p + 40] - mov r10, [rbp + 48] - sbb r10, [rip + p + 48] - mov r11, [rbp + 56] - sbb r11, [rip + p + 56] - - setnc al - movzx rax, al - neg rax - -.macro cswap2, r, m - xor \r, \m - and \r, rax - xor \m, \r -.endm - - cswap2 rdi, [rbp + 0] - cswap2 rsi, [rbp + 8] - cswap2 rdx, [rbp + 16] - cswap2 rcx, [rbp + 24] - cswap2 r8, [rbp + 32] - cswap2 r9, [rbp + 40] - cswap2 r10, [rbp + 48] - cswap2 r11, [rbp + 
56] - - pop rbp - ret - -.global fp_add3 -fp_add3: - push rdi - call u512_add3 - pop rdi - jmp .reduce_once - -.global fp_add2 -fp_add2: - mov rdx, rdi - jmp fp_add3 - -.global fp_sub3 -fp_sub3: - push rdi - call u512_sub3 - pop rdi - xor rsi, rsi - xor rdx, rdx - xor rcx, rcx - xor r8, r8 - xor r9, r9 - xor r10, r10 - xor r11, r11 - test rax, rax - cmovnz rax, [rip + p + 0] - cmovnz rsi, [rip + p + 8] - cmovnz rdx, [rip + p + 16] - cmovnz rcx, [rip + p + 24] - cmovnz r8, [rip + p + 32] - cmovnz r9, [rip + p + 40] - cmovnz r10, [rip + p + 48] - cmovnz r11, [rip + p + 56] - add [rdi + 0], rax - adc [rdi + 8], rsi - adc [rdi + 16], rdx - adc [rdi + 24], rcx - adc [rdi + 32], r8 - adc [rdi + 40], r9 - adc [rdi + 48], r10 - adc [rdi + 56], r11 - ret - -.global fp_sub2 -fp_sub2: - mov rdx, rdi - xchg rsi, rdx - jmp fp_sub3 - - -/* Montgomery arithmetic */ - -.global fp_enc -fp_enc: - lea rdx, [rip + .r_squared_mod_p] - jmp fp_mul3 - -.global fp_dec -fp_dec: - lea rdx, [rip + u512_1] - jmp fp_mul3 - -.global fp_mul3 -fp_mul3: - push rbp - push rbx - push r12 - push r13 - push r14 - push r15 - - push rdi - - mov rdi, rsi - mov rsi, rdx - - xor r8, r8 - xor r9, r9 - xor r10, r10 - xor r11, r11 - xor r12, r12 - xor r13, r13 - xor r14, r14 - xor r15, r15 - xor rbp, rbp - - /* flags are already cleared */ - -.macro MULSTEP, k, r0, r1, r2, r3, r4, r5, r6, r7, r8 - - mov rdx, [rsi + 0] - mulx rcx, rdx, [rdi + 8*\k] - add rdx, \r0 - mulx rcx, rdx, [rip + .inv_min_p_mod_r] - - xor rax, rax /* clear flags */ - - mulx rbx, rax, [rip + p + 0] - adox \r0, rax - - mulx rcx, rax, [rip + p + 8] - adcx \r1, rbx - adox \r1, rax - - mulx rbx, rax, [rip + p + 16] - adcx \r2, rcx - adox \r2, rax - - mulx rcx, rax, [rip + p + 24] - adcx \r3, rbx - adox \r3, rax - - mulx rbx, rax, [rip + p + 32] - adcx \r4, rcx - adox \r4, rax - - mulx rcx, rax, [rip + p + 40] - adcx \r5, rbx - adox \r5, rax - - mulx rbx, rax, [rip + p + 48] - adcx \r6, rcx - adox \r6, rax - - mulx rcx, rax, [rip + p + 56] - 
adcx \r7, rbx - adox \r7, rax - - mov rax, 0 - adcx \r8, rcx - adox \r8, rax - - - mov rdx, [rdi + 8*\k] - - xor rax, rax /* clear flags */ - - mulx rbx, rax, [rsi + 0] - adox \r0, rax - - mulx rcx, rax, [rsi + 8] - adcx \r1, rbx - adox \r1, rax - - mulx rbx, rax, [rsi + 16] - adcx \r2, rcx - adox \r2, rax - - mulx rcx, rax, [rsi + 24] - adcx \r3, rbx - adox \r3, rax - - mulx rbx, rax, [rsi + 32] - adcx \r4, rcx - adox \r4, rax - - mulx rcx, rax, [rsi + 40] - adcx \r5, rbx - adox \r5, rax - - mulx rbx, rax, [rsi + 48] - adcx \r6, rcx - adox \r6, rax - - mulx rcx, rax, [rsi + 56] - adcx \r7, rbx - adox \r7, rax - - mov rax, 0 - adcx \r8, rcx - adox \r8, rax - -.endm - - MULSTEP 0, r8, r9, r10, r11, r12, r13, r14, r15, rbp - MULSTEP 1, r9, r10, r11, r12, r13, r14, r15, rbp, r8 - MULSTEP 2, r10, r11, r12, r13, r14, r15, rbp, r8, r9 - MULSTEP 3, r11, r12, r13, r14, r15, rbp, r8, r9, r10 - MULSTEP 4, r12, r13, r14, r15, rbp, r8, r9, r10, r11 - MULSTEP 5, r13, r14, r15, rbp, r8, r9, r10, r11, r12 - MULSTEP 6, r14, r15, rbp, r8, r9, r10, r11, r12, r13 - MULSTEP 7, r15, rbp, r8, r9, r10, r11, r12, r13, r14 - - pop rdi - - mov [rdi + 0], rbp - mov [rdi + 8], r8 - mov [rdi + 16], r9 - mov [rdi + 24], r10 - mov [rdi + 32], r11 - mov [rdi + 40], r12 - mov [rdi + 48], r13 - mov [rdi + 56], r14 - - pop r15 - pop r14 - pop r13 - pop r12 - pop rbx - pop rbp - jmp .reduce_once - -.global fp_mul2 -fp_mul2: - mov rdx, rdi - jmp fp_mul3 - -.global fp_sq2 -fp_sq2: - /* TODO implement optimized Montgomery squaring */ - mov rdx, rsi - jmp fp_mul3 - -.global fp_sq1 -fp_sq1: - mov rsi, rdi - jmp fp_sq2 - -/* (obviously) not constant time in the exponent! 
*/ -.fp_pow: - push rbx - mov rbx, rsi - push r12 - push r13 - push rdi - sub rsp, 64 - - mov rsi, rdi - mov rdi, rsp - call fp_copy - - mov rdi, [rsp + 64] - lea rsi, [rip + fp_1] - call fp_copy - -.macro POWSTEP, k - mov r13, [rbx + 8*\k] - xor r12, r12 - - 0: - test r13, 1 - jz 1f - - mov rdi, [rsp + 64] - mov rsi, rsp - call fp_mul2 - - 1: - mov rdi, rsp - call fp_sq1 - - shr r13 - - inc r12 - test r12, 64 - jz 0b -.endm - - POWSTEP 0 - POWSTEP 1 - POWSTEP 2 - POWSTEP 3 - POWSTEP 4 - POWSTEP 5 - POWSTEP 6 - POWSTEP 7 - - add rsp, 64+8 - pop r13 - pop r12 - pop rbx - ret - -.section .rodata -.p_minus_2: - .quad 0x1b81b90533c6c879, 0xc2721bf457aca835, 0x516730cc1f0b4f25, 0xa7aac6c567f35507 - .quad 0x5afbfcc69322c9cd, 0xb42d083aedc88c42, 0xfc8ab0d15e3e4c4a, 0x65b48e8f740f89bf - -.section .text - -/* TODO use a better addition chain? */ -.global fp_inv -fp_inv: - lea rsi, [rip + .p_minus_2] - jmp .fp_pow - -.section .rodata -.p_minus_1_halves: - .quad 0x8dc0dc8299e3643d, 0xe1390dfa2bd6541a, 0xa8b398660f85a792, 0xd3d56362b3f9aa83 - .quad 0x2d7dfe63499164e6, 0x5a16841d76e44621, 0xfe455868af1f2625, 0x32da4747ba07c4df - -.section .text - -/* TODO use a better addition chain? */ -.global fp_issquare -fp_issquare: - push rdi - lea rsi, [rip + .p_minus_1_halves] - call .fp_pow - pop rdi - - xor rax, rax - .set k, 0 - .rept 8 - mov rsi, [rdi + 8*k] - xor rsi, [rip + fp_1 + 8*k] - or rax, rsi - .set k, k+1 - .endr - test rax, rax - setz al - movzx rax, al - ret - - -/* not constant time (but this shouldn't leak anything of importance) */ -.global fp_random -fp_random: - - push rdi - mov rsi, 64 - call randombytes - pop rdi - mov rax, 1 - shl rax, (pbits % 64) - dec rax - and [rdi + 56], rax - - .set k, 7 - .rept 8 - mov rax, [rip + p + 8*k] - cmp [rdi + 8*k], rax - jge fp_random - jl 0f - .set k, k-1 - .endr - 0: - ret - 
diff --git a/reference/csidh-20180427-by-castryck-et-al/main b/reference/csidh-20180427-by-castryck-et-al/main deleted file mode 100755 index d8e66dedd70670f8a1f3eab2d7791ecb4d51336c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31504 zcmeHweSB2K)&Jdugoq>?6f}yF#V$5fhzTJWtmrNza2M|qgz%yQn~($&%^S%EB1Mf) z5@cOgsny4q(w4SreJob|i54wlFbHU?1*wYIA}d%gn!4h&8#PY#bulD9HEnW(qR=##mZx2S&q3N1 zS|Z>C+=|X6V=6o)S*tKfvWZ973wK_e0P^Bo98uvF0!9tuQW8=~^>tk?85QCB+eA`@ zn&x1D%8{(8b2y2xm?J7IlX6tZP?e)3mCKOjGGsXwZj*wkP_>WRMt70qR}|+$iqb9$ zw0!>T3W=7k$)EenDBe7clL%cLQQ=AfYbsRbZb7-;GVk9BQYFz8S>O5ea#XfYg)*sK zTU9xC)W~bA%7#}})-*N^Z^|1reALLyhT6;#+-~Aev=b(YhA2HcfRW7oagz;D{$$6K zCuS{OIQ@ecHHom?=7%BmaDfBVV=ZC!Z{vWX`Z1xa;DB_Z>xYilIp(_hqP#o{ZuLJd3r;erOSj<4 zCs5vG3yy|Gu9+6RPXyI8z2(a!J(%FV&7tXS?fwMw_sG;+HYIfkqHyk5WQB+1NDNQQr+{Wn_^)5p*uHhjc^Lha@xMu?LTT? zM~uI=-}}{REg|%Gn>JSt(e}@ae;Xm<5N#rGt6EB{5A?a za*o(eJskz^65yFA@GSwJjRMyQ@VhAR=K?$z1uhj}IJ>U>^%ps_x~hi) zkAju`mF^1M$#{$cI|LZ5z&{8uT7gdpFj|4F0*qE*tpKAHc$)yD6<8p^Xa!~g>{)@A zAjf?1tWaRF9@w{G&n+(4=Ue71Obo5<_SWBE1ep(kLg~^~B&|AHjeQNFMheY06i2f> zU(=$x>?vfKH*r4HtcTV+SHX~FwH@Z?Zc*(;RBc+M+MOF#^jz(uH;Za1G<9YxIGTsX z#nk*Gs`;%m)Yi3JDOJ7)m803z;yYy3_t?Pd7obxuHhZr6a#=Nn=DW;S@H6XTt9}8w z=0qmpM*E$`RJj8+(Re@V5{*6tVay*yYTmiQg+&p2kZ4`6nkX7gp*dC7Ow7y^=(Q+y z=OTB*6UzKy%T6X=E9#aCcn$Sy=IPVna9exh^bIdr$iD&D<;YO}GXNN!5#MI+U_cKp zXO~u{=k#SCXK%X?O!fOVk>|U8cE^TaTDblSWez?2Y6Y728Z9(7JWQFXNSgV`5*bjd z%vgsGFt3SZpp7!4f-)|OWLzJ~NTZBzzlGL6!w1b5*+UTs)~4yhn-J(Nr&9F5=L-j}Lj^oN^_%?$WrX*D zxRpR{b_dlmFH@yAQ2sRizQfF5O@(-3zc?m*mucn0Dbh-V<4g*c{z30a8eA)beLp8er=-Tq2DS8`3H zl7W^=23jf^XsKkNrILY`N(Ndg85mv3rnzTMT!MyBI48-lZG!|!l$f46&tuO!0S!z@ z<;*lrzln4j=Q|?#4$jYr6t1u7Q zdEK+o@ze7wC0fv6EIa2Nv< zp5&-E!x)(S7)PgN83PAA!qM4z#=!KSB5MB`TNSA`2Q>`dqGuz>K@Ed9>)8l$P{ZIi z^=t$=sA2F%J=>dR@^1xK-I-}(&oFpO-_nj@rp?nKQ0H;_H1*)6QuHgChQ*$g z6f5(bR7NZUPfBCNBJCUpBNkC7WiVoqb50f`79l6)G4g#9vbGE1j^1H)KY>;$b%$<{ z>SoO*FGZ5s?cm0+X4CId;KvNIW|ONFxSv7RY`RZ@oeZ*Olcy-~ID@R&^a2Hb%it+i 
zcOHSH)k9LZQr*=58=0f0i*)VD=ksc(y{Qr{LqrM@jvLf`*N zM4|6g!}dPwdnlTv^qu}=sc&JlmmtadwwOWs1q!rSLh@Oxa+uO$4CzM{Xt9UneF~H& z!RGw|fflo6eQ#Bi9a6a#eZS4nR_Hr5O5ZHE)VD=wsc(zKQr{MFrM@k)N_|@dg}!5? zl=l67A_{${8Ma-l?^n?*rSIoQOMMHgeFjO^qQwl-pHQI15|WoI&|(bf_bSk056Sfe zT1tZ!3+(lIFaP5wlB2I$)nrEiv7>f36&!hc&Nmio4c3w_7PD(%}MsMNPb zN~!Pf6H(|p!?1n9`u-TrQu=;(l+?HIwVRP-eOt^R{Z$28EFpO{ficFA{wqakv4`Y` z6(~)D_1&gGX}7HJCIw2zVAZ$u4A6H*l)hPRsc(zW(!MPcL*FstO8d6RD)ns+Gi>y-L7D1)H zEmBH-f1ij#-+6}ZH0%3YJhV{y{whc6TdWWcAQ@{0=^qnlStGD+{-QvOF{HntK#M&j z|33vvlVE*6tw3qF%=2*tO2=T;xAY9qcV3jfS#Ib%)^>$IvD&U!4_d^P`nJd_^=%PU z>f0iv)c5&C#NO~)1KUy~P?%~2W~3PbpTh{u&oBbDSw>({p4;c1GHE@Q=_AWr)MFV(k7Yi@rkj+o8)5f)GI}iY8(HSL9?N9)Sf)mnS=eKlydKM3 zFUySWUItHEbnfd8bXp)A4>hg=(F`QkBVi6e0^3cjy06o7a`$FoTwZWg4`Pp)llw^| zg&l702a!}7Qh$x497w$#No63_5lLks^?D?ghtwZss;%Ar2=A{uX6RcslUbNKUy&$V z+R2XejeBm=!&~*i6R`hJh@(QIC*<9|V@Vy7hwu~t$*j9KEh$0rZz7p-_sdJBAo;pT zI_`dE$v7mR5y`Z>A6qgK$%jNT_3mX$h9KD_l1cVZBTQk*MSx~A)Y~2^B}D6R&u~xo z1U|yf7e{R0O`~yP&~SLy8`y;BKPII02HuN$1hf+vJpvkwfwIJjQxqJ;YS~Baom01VUp*dX{UOjM+gCJw(xt2vD2o~`l+|Irxew>WD{x>l%|LIvi*Q=@!BivgH7n^| z=m|FQ5s4D1`YYRVkiMpqLdLTcbT&o6Phpr`>2(95^6`y5*o$OS|>r&zMtdt zoou$5(yZ11BQa_{{3Ve|u$^czjeNnNsL`Cu#nv-pa~cw!P@_dLpPDndW}z(NK<1uL z7?efL>QYuJltqnKmepbYY%iU0Yc$@)U_Z-)9ZJ%1%xVOGqzCUvHG;RL8Nn$IBRDa` z2;!JHxH!)U*1L@0VqFgy&ZH0$f3`+L^_9tDP={MsWD$ z*AU6@ffNMRI+t-SLRQF1r%vf$eX$Wt*O+ojlM#5tIhhL&_~u8Vl<+{yosUy}ka87= zk2s%YF0IaD=DMCA4jHJWj*17?JL$0y)w+U1l;;rTIYfDc-oP-Y2Z~7YLJ_H6C?d^( zd9PvC%bhbpVg!>LNRnV~e*{J_p_)_4DI6r&8BEXM)RtPnY z%2{E$zrgSfEoYg@HymZz-!lU5m{%i<{9|aP$i>hfL=aX^NgIfR`Qd?Z7|&qa-tI-R z`JG9xp99Pu=%o3o%v?>Gp}XNEPSR8n_|E*5%y}3&ddpWfKL^7ESC$G>kFMbsFcC3*vkl%Z6Z3 z5wRR_1ALHZTttJR?iUj227FdCtcvm`Q-a1XC1z5Bh9@P8DM4eD5*3tKB@=a&pwUV> z7~#VI8lhHp7Y3B;(4kj6hmnIk1jXra1jK+nxhSp&VAZR+c0I6?D>e_FfbXSV5FPei zIHto`^`u;M4!TbC5Ooaqvg{pbiCktH2|zDbao>;&S%bkq@~-1>wX+=|RlSu%tdz*V zoZ*!3F4z%S7 zjC4{ekLVms*Xqn5I&@DG<+v!8N->>ccn;<#Z{jDV`eB%eWl#)W1WYMbK`|_6;nXSS 
zq8KV78x4xSp#)|M;i)MBCofidlqjYI^)w~m`o+5r7JH0X91)=RY3T_ncG##3Hm$n6 z%S?$Bw!wA@`=NOU_J}DbVlOdWAF&o`D5QO=!9SM$8~LMCm`KUH(R&#>8I`j3i0uXT z!RBe4!?w(y)0VU4yKv(Mnx$#V?3$%%{YSH}nx%RD_i^<4PtMnvtnd5s6#Pll3~U0x z4BYZ<95oI0hVHX3oq)H$PHaT&f3~+?g}5j1Atprh$V9k+dn!D^nmT>^A#X6n8yw%{ z4bFi9)3eGca602>dV}}Cs%zk$=D`rx%jtDBPk1Puhtg>V%!(#FZ*WqU0S!IQcDRx) zndVwy$!p~#D&DZ5GGxDGa&;WSEs=VgxGtwF3l2`N^WbqjYGZ>APC~D*=RrX8*dFvHF+Igh*K&V&LNzX|q-bcm zz=1eTM(7P3;nifT9A+zd6jSqPWKnZySbAEvxTrGfMpDI04xi$oXoQ~P_f^bQSku$W zuo&xOp6r%5Gt3}^WcX4pa~2^)0a>t2R)uJFN}H+G&SEe(r>b&9G!zMMFcF=YglDOE z%#AKddo_!OQE;IH+Ysm@18**%*D&-aVS*S>HZYk)C2r(ZDiFdF(DQSOsd;sbFLyRE zKD`1g>&PWFbDAt*VG}878Pj3C4dXzRw6F@HC-i(XYZ)VlVR$^IY;~^V5O%^i)C*H# z2&Tc|dgtSuwbr?lLUim*^E92|w48xC&vItjTSvg;4QQ;GdN3sHP>0tiUr3sCpx|qW zqiJwAG}u#Vsj`YiGRWm&{-eSYuGtYDKGpgQ!y%VtnGi-ysLp!{IU7n5mdKZSu2Dq>{F-uX5 zoDW!%u>^LRPwgQ_FqOmRAYT1rfywm|`ADh-}W+8=86nbYZJ1=v%M6fW}Z8|uC1po#`*R(PW(+W)$mT845<`IKI6d4bl zk3-Mq;vIN%ZOScprL6|a-7p%lHzwf2ToB2qj%2tfV*gXu3`fldw%s7Ii0H?dW! zV<2Gx1)*V>_Q%vvUNEi*UDm*4un>7Z#DDzp^h~2x4#BXZF@@;NfXGi^e`9VsZA?r6LyZzXLhF{FCsR z;2(j{ME@nh{?Ahdg00^2md%_Ep54(2J)+q?q62$G6M96CU@6kQwvT~wyM77LS48ET zuZt385vk4J3#6h8c|ssnUC8|csp~=-1>)~QN(Iu?h1?>LB@qM~N-}>8l%%`AG>n;X z^kI5)+F@V%CiOw!5c-T&>J62n!*;NXJmR$-cem{CO{>N<^UO{vc0k86InBN_h+=p# z$=>=8v{l&YY7s-%1w}00UxS=p{#)>w;2(+4ME|9z=xH{NP&t-naKuN|Yj zWHTS=8E)tqp4Bs4&@-IbGkhsvw9&ql+9LO-(UO_}{748ZdXnYeDPa&11WdBte>?iqz|0CS@-c=S?d?)&MuzLu zHy*^q{5Qk)5zkn=%}Z%k40MVV%?*hF$nldWH3FR&Q8YKWa5!oNj?sCl0Irp%wB)wB z-03xNr{viz?)23)OZoZ*T#n>0?INe6G);jKIg9z%F;oUVF=4n+MC7mJZv-y>adx zd&egk17OQ%Jofwl2=n%Y3T&Ryo9wOcu$zLd-$5vRvVSo?f4V*`0me7nl(o9_0h0_FVDBXq7{Vn1b6edvgB?EDM}uWl-!e_l%Fe04(TeH zS`fMoCC|u`Xv;oPva2oo@{@{GTMj`lR428i?RQ9Yev6M4Mrg9l{))>MsuOy-n)LFC z5W=(lkQ8Fap0P>!=~9MYqnz9R$`o5@G0KGdEV_!y>=e~|w&RswR^^U;W0Q&!xXhvj z(9y&=cgUS^L!U*?z{jvBsd{~TS3~#aCmEuli(H=2*m#KQpJ9I`FF!N^4L#Mze*YvG zIaT&?%R$j^ovN~fW0RI73jvpAfQlTH-esd#;6d0-VW4=;I-gX54qo~mUbj5-H}kPS zN8WFany=HY1|hwW#_!1bu*+ZM(1W!ZMsPxw#Wr!c48rVoBRJ-l1E@rA%*iV`b}x>8 
z20Vc%PFtTO1pA6+=#TdY94;5na^!SOQ|c@sf#-cTC_U+bIe|>zx|x%q;$l z^f=&s{I4U{68kwA^G^ggkNuoe$s0Hr{#ObhicaPkOkYFE&?C%+TEr_W)Y{Cos6%3S zqgJ`qUCzhPv{R}82i|ECrw|T*h7jkKd?;+%aqbx58{zknc@ig#v;buOQu^%oU!92R z%%9+_3XN#In8Z%L5y6IIg)YPgT+dMYj}gF|LP;Kq1(T;RKI9q>h7aRx{Cmf1F0eBK zeVw!vf|rDUrTqyu`*f~?MNtN=mh#L8-liAm{q@20&n}@h@K$5D`R+E75!-lb5ROG$ z5rMG-S$Z%WX8tT2&4&5R#opFR`@Fy|JPV;mDR*xtCd_f)1_x$#GZ6@#w#*^A(ClU_ zmru=eTZJt7!68$XFth@9u`sW@XrRQ(avDmG=CY2t*xTq(faeUBoXx?X9-eW&+B+H;qotbD}TK#|1i}PDz&zy<*QyaPi02h^SqNPAyv>rp1QwM zL;lobdwvwv9^ztdA+6ZkGN>M!+*qE$-Q;-=T&X>Apz~mLY!wK*wqG+Fe{Fv7dD^o? zgxQZN&V!!rQJR%7)oAVBCZ&0j%}Yu1Gj5SpyH~I@jZGeGRW$0jmameG(Z}tr1`gVy zS@sqzTmOjt3#5xuRRN^K1I6}k{T|m%vi8lar&b+o=sDJM_H%HmefeL3`0*^cNXx`; z8Yp9(-^KIu55*(3Z}8uf*v8O5PR_*si#8G1bFXHvL}OzO@}m5z4k|p0{OP;+ZzV2> zkM#-s~2Qx-P1cp`uZ7 zXjGhPgb~=QZ|{VbN2Z`@s1KFxIN)kO*9(g$D19?5!nG_%Xi2U`Su5rze<2k?HEo}R z#uJ=|gSNYISXzLSH*cCZIL+Y=&d%@#8?np8i6qqL4OZh=e0W(3WDX{jBfum!k5lRM zImoTxAi0wB#@xZF0e4b>=`asG$aw0|w=|=;xJz*2$RW-uITSMpO@TBS(UeCs4b3>> zuvMM2J|&;Du8cf4UBPtXNhZxqt2iy5WNyY2A`Ksd!HEwcAO^CXJ>qB;=cvKl z@mxqe>A)l4o4C|)7o+m1IJiN43JWW5#ABu9Oc)#6u501fX4i zg*+1|qUT#{$JBn0crCR^oqTe zUZp~GFruZ1>Nq>Y3QoviKnrX*LG{>twOqVNg8|)4sufyeg9$z*4JMl&Q;=VZEG~_} zUD$M0Vl_~irU!0u7=Z;?3fv04mgL#nK28Le`!0-YUtE!+m1ckpAge-4h{Q*5qO)2N;*F8is^dBvs_jWhma3%ch zN9bH5^b^bpVay5il_~fKOnd8S;Xv6BJ z)@E;`11op)l1$7Np=n6}Kbek0dUl+>ZHr9D!$b<=?QMUT>0U@T_OiDfm1%7HLf!;> zTQAf>{1Q?A?nHZA8q$dM7HS%flxS+}A}nVx_3&{aop{%gJY;DhtR{qn_SU%|Qm1J| zL;2Onw@BPNNicepW=Up5M7kuB&1fAhh<*`8^aDvG+t%vj+S;OM!f%P%WP4jvndapv znolH+)IsZ6cpf=zvp}Q?66z&Mmk6UWK@-({QW6n82qMvEJIH}yB~YgZl^RSm^JT%{ z%yICCdJvOP*HX|7uNRXKbsUC{9_;UQ+aGz0mM;Z^zr?7yIe%GMe+POVu7S3Nb<{(s z_^%&Ob>PhD6Xs5wXk%a34)1`;c_TTA;Fvc#mC(UK@+J-jyv0HKW&{|cTPVQpP4In6 zz8!>35c9=54IE+%%;6)E2c@f!)-jhqi?DMzJWIr128aD(7I!Wd4>Zom-x0AC*3D0q zJI&AWNCz!0SO%v7uZE5y-K6p}h;!zsO>kI;pwf9OqV!HWznt=Z1AU19*ADiNwv#iM z&pT6*-E}V5Wwum)7ZHdrR-ki+Zv0=Pd}oAzxBMq5|KjuKFQ)u{=g+^5^69-!A%8di 
z*HiwZaQ3gRx&>!+H0H$_T^*9Bz)Ye?UC@KPqe0mgj#Fm0s*9sWVQ;o=9ldyk_ooM8rbMh<3Nus-b1$l9zK zUF=s7e?2teCY%?BYQuOXm%q`2>af2u<0enwOV7|vp3v+Yv)l2&f&Y7*A2uXVyYO8j ztz=pJuwg$Mj)f{7HjtY`3@6s)`w@%x*WD++u{fbmh_LjsJ80v8L=W|iJ72gqM#V$e`U-%FENLFdBf_&69F z@SEsq1x~K5FRb#xusID@&Fh4o+M6V5jBfAoKe7^{+q+wU(d~U(fYI$;E5PXX{z`z+ z?R`Li(d}&n*wxp`VlW z>l?p|Hy?ThT=CTpj_gm=^G6IfJZH@Zhj9PDljBFNjW{7z8s?X(E$8vaJK#)-A1Dyj zY}gT8TUNgC+Q#~lnzGtz0RP$bldYR`5?;M;VD7W4XZ&+u{hLDyFC6rjtogU}o_2ix zTbrNz-MepJ^|Q@q&)hb4`PQ$lPa3{|@g|%WABDZcSO$YaiDqCQbaw!5ZfSN1lG{j`=O) zX8-bw#O5#eT)KDPe~)xtdiL5Gx33s=_t(dU6x1fof2ZyT@4s==3xzMXzO}ypZ!$02 zwtx1uhvWY+d%;T!FKy5tzH<0CpE+tS@jZXfPme$Ihg(0IIw))7yu1EGJ&Y;a z|HOa&y*+e!(TCTZP9DAY;or5{=RN+?vn|hk`_kOf4|W_V`>Ch&+}*( z4Y_*I3l%d9&V9P6_iGa->>7bDMDu5sYIizr9OKAAFvKy!F=mV-TWj)6Eu5g0HdK~X zAit`1QF*=N21jFEU3oopKUjRzTE^Ax%*DeTSI?{SWe;;SR4y*BotH7MZs^e1?kOqt zSJu{ap{2F+0M*v}svE2Pm339+4PANv8?nFsS4Gpx8T;BE-IaDvdCtg5FRd!SYx3uP z+RAR7u<*d9+kgG9>cq;Kzpt@3!V7U@N3He4jZnz8&{$+;pNlA9pS8M%*`Jc`zhvL`6lD)~Am~-?#_Eap2Mh z-ky_PJ*lwBQE{)Np5l{nt|Jo`*EDXJPKWC zV^dNeiW{4f_F#NLiX+r(Y)Z!Rg#47OrHSs8yq4ZmQ&z>r&$abQ$#bV3q1Mv$HzvaYlX)ly%Ntl|_92fUZpOg%Dio+dMoMoqd`&K*>r5!qz ze~`+D;>V{rmQ(qqBu`7?)RgwPxbOO~7~m5v2Di&V`8DY4r+W)NvR#n5Te~KvG$+L0 z)BF7GB0a4Hzf?Tde;m6?lB*j(=tSyiLdu$?_-hispWm0@SG+46?oYPzulOCc#qa8M zetx9)8(_0ppW+EMLT!9R?@*4^`{a~nTl|!`7{!k#L!kC8LAhpZT=V}OdA1qxKS(&g zJjCxW#P2{jyq_xQYF|%wWu&a=9e=dv_DxjsT|r|IZ<|g7JK`tp3U)2q=S|6)jmC|$ zSXIG=Ml?WWagn~Nz%L8@jz~M}W~Y-=vf|&fMVl#?7UOI+%J0D@Qls)1R7>Mv%q{T~ zQtIN4h+*bd!;Ht}-$CzM9S$!i{dUpclCmN`{xsT715=ftG2FKo^oLz;In~*d{&cc8 zoyMg%#Z}+am}LJ`1U}D#51GaPUH_+n|I@(#o(8t{busfbGE_B@i=az|eMM4RmEhtS zt?TJ3Ds*vp8Gq9Etrv4_piJX29$%NsFiqyu+JG*V|IN8@Eu|lib5Ria&iD3sk)|n( zu61!P3ba1_scHW$LtY#po+i@+WT*nTGI13bbEtgFP6?}Z3{Aas(O!kFt-V|vDtwJh zE4fvD7cf;<{WvV;_S8vw9Mf=G>GP;ePnY?!`2TvKzQ;bcq7P-i9+2S)873yWnDi1E zUM<5>G8`|%=`xJvi*|=6j2m~oBV*d!#u|U4BR6woX4ddgjhxE9Cwo+8*2v84tf3;q zF(NB_RMx00e1p=zzT#n>d2z08g!E11MLpv2n!iW9SH$kD%;I5%>w2V5)RbLD)A!bT 
z>d$ysxw3<3`U^B=Ptkavh}}iw7e>ZkG~QQhm;DuuCu_w$^h>;!qS5!f#$NH7Ju;rH zdGT7RRxHPPG~O@rdj-+>MVe!}%L;Kk9;X1xKUg#4G3zV85RDJe=<8i$uXybe{60fZ z_@$BWi?^1EC$AvKeKdX<;GXzguK9b!l~?QHLgTrYb}Zb5h#2`xo7P=^@{@7Ue^!jY zCC-G`#o(C|kM+;_%)d)cUdRx5e;Z%Jkj)52Xm52ajffGG_=Q3Tiw57{+9{S0w*kfVk?*+A{O*s$!TuD#=xNf}`aXM9d zF=iamTQ&6S2n!~=tmN8ViarKc@{nJpOBH&6=~J|`_GmtjNqk0nH2y2e|J4}&&q@5- z7@Xjq^hvLZ*>IY%?zU+D^!9g8_765a^7)YKy||knILLgukN2aJKGvVa^TgiWFI@uM z)`K4y2K*w}8+{8lU20uGd(%|li<1S;nfNFG-VZr@q`j%!iIRRwjGk`+?ofp-;o^A0 zyZfJN$>-^qdKXFj-BeYhV0JI#mv!@3OMzcxsZT|pVER;z-WRf7zhwFp&G7?)^H~N6 ze#`VJ+Sr(Ojbi%l^TqEOw{jNoEt1c%6v1Cnymub@PR3KT_Ui;apAn$YN#=v`5;Km@ zN&bCe_|th9^{*!N$!AR9(_i8%ZWjD`j}H8D#u16RhMfn$`8>E!^55fi2~KRUIOmdh zu|wc|h6Rc`;AC%~$H?Ercy~K#15S46z{7pI#HXhH6u5(cm}`~fzct2wo+UnUmuVHn z#Ze_*CLH|Lys!NHCg7~kt6WUaXJ&}KE%BpLpL|9E{BMeWn4ssgDB!z*Q+p@I*wtQ1 zPhUq*7oQ~{r0>We`u0ICf+N>H=rvWlT%)g-w_f*1KAN2G)S2ZO$;asDvXX1@XdwH6 z>jlndN}!-K4XRg*@v8$E@0x!Vv%!+SHl`mlC4aT<;xiQ#%3)lU?h5JqMyTEyF>=z` z2;r46_$<~M|{oZ|@yifAajgkK_aJF+f zjxu0RbbTY~*T;+(t+d|X;BTBa507kozKP?e_zcg~BA-tyE3Yq~U)kU}k`ky)C2a_RF;o>EX$bgOUt zv`OQNJcW~dzRc{r(bq*DUH0&(v8OU4M&@1z0lG6Ak(-sRo@VuwpEEKiSG(3BN$n>EmZ+*5WyyLKc_h-j)lbZf>Q&LCdW7HQ|*x3|DoFex7$CVEfB zqjXrN`SNd_^0E?tiTGVFmrMOH7ySemJz3V8-1+$w!^7ecs6P7Fz`E#1GCv3s^~+#g`NWSO z;L$IP(c?uSNw#bO2_oKZn0uEWdSz0Lepf7-MYkUoi_R8L#-lOnM*2}Rtto%3AsbU# zTSpd84HrL2rp>EuB=f+}mDM35>bJ_k01BhVmo?O)<7>*GN1vwUgEdKOXR$D{guN+O6=iMm)dR4uY!G8lgW%PoHnu`7v*E64f5}{g{(2Es zs2Dn}ydJ}}rq*Ac=^pDD?k|}yQ}b&YGv_u|;HCVV{Dt4gQ<4SU4us{G^;&>o6r&aXwpU*3dI@|z&4<#Cc(ULieYMH!f= zlqf1(rYND}ca(w*)s$3MmO_SFzo!b6dSP0Ny6~;0QRUV7m|rq-M^6GZo!zSP>*8EU(K#;%T9TZP>D+*#s(hNr)}|xGlpiVI z9`E9ub^>v!^I?(duD?0Rz&1J}zdFC0E*pyf0_01{ujEwWoyeuLUX@noe08$COBCmG z53BqV)@VOMq^i6+4_qV5t9GjTW82><%a4@|)p_++S$?O)sXXzDE&m`el1rV-tdi%5 zt7L_jBhPwCwh<_Rn6-SnEZ;86uZmELNUBV$@DZe~<%<(tOi?TaQu4}T5&2d67l>HP ztMzrAEWb}zlp<91D)hH8<<;|yqC!ET&h-_2Z2SL5mRJ3!_DjXGyhABgGH@tHGJFvs z$*;<*-+fiT2fH$cKDPchV#=#?R|gFYTq|P=#Om{H&|r7NV~FV0d5Zdd*jW15^am(o zx0F}sxM?)7aK+NcruTw|+AoJ| -#include 
-#include -#include -#include -#include - -#include "u512.h" -#include "fp.h" -#include "mont.h" -#include "csidh.h" - -void u512_print(u512 const *x) -{ - for (size_t i = 63; i < 64; --i) - printf("%02hhx", i[(unsigned char *) x->c]); -} - -void fp_print(fp const *x) -{ - u512 y; - fp_dec(&y, x); - u512_print(&y); -} - -int main() -{ - clock_t t0, t1; - - private_key priv_alice, priv_bob; - public_key pub_alice, pub_bob; - public_key shared_alice, shared_bob; - - printf("\n"); - - - t0 = clock(); - csidh_private(&priv_alice); - t1 = clock(); - - printf("Alice's private key (%7.3lf ms):\n ", 1000. * (t1 - t0) / CLOCKS_PER_SEC); - for (size_t i = 0; i < sizeof(priv_alice); ++i) - printf("%02hhx", i[(uint8_t *) &priv_alice]); - printf("\n\n"); - - t0 = clock(); - csidh_private(&priv_bob); - t1 = clock(); - - printf("Bob's private key (%7.3lf ms):\n ", 1000. * (t1 - t0) / CLOCKS_PER_SEC); - for (size_t i = 0; i < sizeof(priv_bob); ++i) - printf("%02hhx", i[(uint8_t *) &priv_bob]); - printf("\n\n"); - - - t0 = clock(); - assert(csidh(&pub_alice, &base, &priv_alice)); - t1 = clock(); - - printf("Alice's public key (%7.3lf ms):\n ", 1000. * (t1 - t0) / CLOCKS_PER_SEC); - fp_print(&pub_alice.A); - printf("\n\n"); - - t0 = clock(); - assert(csidh(&pub_bob, &base, &priv_bob)); - t1 = clock(); - - printf("Bob's public key (%7.3lf ms):\n ", 1000. * (t1 - t0) / CLOCKS_PER_SEC); - fp_print(&pub_bob.A); - printf("\n\n"); - - - t0 = clock(); - assert(csidh(&shared_alice, &pub_bob, &priv_alice)); - t1 = clock(); - - printf("Alice's shared secret (%7.3lf ms):\n ", 1000. * (t1 - t0) / CLOCKS_PER_SEC); - fp_print(&shared_alice.A); - printf("\n\n"); - - t0 = clock(); - assert(csidh(&shared_bob, &pub_alice, &priv_bob)); - t1 = clock(); - - printf("Bob's shared secret (%7.3lf ms):\n ", 1000. 
* (t1 - t0) / CLOCKS_PER_SEC); - fp_print(&shared_bob.A); - printf("\n\n"); - - printf(" "); - if (memcmp(&shared_alice, &shared_bob, sizeof(public_key))) - printf("\x1b[31mNOT EQUAL!\x1b[0m\n"); - else - printf("\x1b[32mequal.\x1b[0m\n"); - printf("\n"); - - printf("\n"); -} - diff --git a/reference/csidh-20180427-by-castryck-et-al/mont.c b/reference/csidh-20180427-by-castryck-et-al/mont.c deleted file mode 100644 index d2a6533..0000000 --- a/reference/csidh-20180427-by-castryck-et-al/mont.c +++ /dev/null 
@@ -1,188 +0,0 @@
-
-#include
-
-#include "mont.h"
-
-void xDBLADD(proj *R, proj *S, proj const *P, proj const *Q, proj const *PQ, proj const *A24)
-{
- fp tmp0, tmp1, tmp2;
-
- fp_add3(&tmp0, &P->x, &P->z);
- fp_sub3(&tmp1, &P->x, &P->z);
- fp_sq2(&R->x, &tmp0);
- fp_sub3(&tmp2, &Q->x, &Q->z);
- fp_add3(&S->x, &Q->x, &Q->z);
- fp_mul2(&tmp0, &tmp2);
- fp_sq2(&R->z, &tmp1);
- fp_mul2(&tmp1, &S->x);
- fp_sub3(&tmp2, &R->x, &R->z);
- fp_mul2(&R->z, &A24->z);
- fp_mul2(&R->x, &R->z);
- fp_mul3(&S->x, &A24->x, &tmp2);
- fp_sub3(&S->z, &tmp0, &tmp1);
- fp_add2(&R->z, &S->x);
- fp_add3(&S->x, &tmp0, &tmp1);
- fp_mul2(&R->z, &tmp2);
- fp_sq1(&S->z);
- fp_sq1(&S->x);
- fp_mul2(&S->z, &PQ->x);
- fp_mul2(&S->x, &PQ->z);
-}
-
-void xDBL(proj *Q, proj const *A, proj const *P)
-{
- fp a, b, c;
- fp_add3(&a, &P->x, &P->z);
- fp_sq1(&a);
- fp_sub3(&b, &P->x, &P->z);
- fp_sq1(&b);
- fp_sub3(&c, &a, &b);
- fp_add2(&b, &b); fp_add2(&b, &b); /* multiplication by 4 */
- fp_mul2(&b, &A->z);
- fp_mul3(&Q->x, &a, &b);
- fp_add3(&a, &A->z, &A->z); /* multiplication by 2 */
- fp_add2(&a, &A->x);
- fp_mul2(&a, &c);
- fp_add2(&a, &b);
- fp_mul3(&Q->z, &a, &c);
-}
-
-void xADD(proj *S, proj const *P, proj const *Q, proj const *PQ)
-{
- fp a, b, c, d;
- fp_add3(&a, &P->x, &P->z);
- fp_sub3(&b, &P->x, &P->z);
- fp_add3(&c, &Q->x, &Q->z);
- fp_sub3(&d, &Q->x, &Q->z);
- fp_mul2(&a, &d);
- fp_mul2(&b, &c);
- fp_add3(&c, &a, &b);
- fp_sub3(&d, &a, &b);
- fp_sq1(&c);
- fp_sq1(&d);
- fp_mul3(&S->x, &PQ->z, &c);
- fp_mul3(&S->z, &PQ->x, &d);
-}
-
-/* Montgomery ladder. */
-/* P must not be the unique point of order 2. */
-/* not constant-time!
*/
-void xMUL(proj *Q, proj const *A, proj const *P, u512 const *k)
-{
- proj R = *P;
- proj A24;
- const proj Pcopy = *P; /* in case Q = P */
-
- Q->x = fp_1;
- Q->z = fp_0;
-
- fp_add3(&A24.x, &A->z, &A->z);
- fp_add3(&A24.z, &A24.x, &A24.x);
- fp_add2(&A24.x, &A->x);
-
- unsigned long i = 512;
- while (--i && !u512_bit(k, i));
-
- do {
-
- bool bit = u512_bit(k, i);
-
- if (bit) { proj T = *Q; *Q = R; R = T; } /* not constant-time */
- //fp_cswap(&Q->x, &R.x, bit);
- //fp_cswap(&Q->z, &R.z, bit);
-
- xDBLADD(Q, &R, Q, &R, &Pcopy, &A24);
-
- if (bit) { proj T = *Q; *Q = R; R = T; } /* not constant-time */
- //fp_cswap(&Q->x, &R.x, bit);
- //fp_cswap(&Q->z, &R.z, bit);
-
- } while (i--);
-}
-
-
-/* computes the isogeny with kernel point K of order k */
-/* returns the new curve coefficient A and the image of P */
-/* (obviously) not constant time in k */
-void xISOG(proj *A, proj *P, proj const *K, uint64_t k)
-{
- assert (k >= 3);
- assert (k % 2 == 1);
-
- fp tmp0, tmp1;
- fp T[4] = {K->z, K->x, K->x, K->z};
- proj Q;
-
- fp_mul3(&Q.x, &P->x, &K->x);
- fp_mul3(&tmp0, &P->z, &K->z);
- fp_sub2(&Q.x, &tmp0);
-
- fp_mul3(&Q.z, &P->x, &K->z);
- fp_mul3(&tmp0, &P->z, &K->x);
- fp_sub2(&Q.z, &tmp0);
-
- proj M[3] = {*K};
- xDBL(&M[1], A, K);
-
- for (uint64_t i = 1; i < k / 2; ++i) {
-
- if (i >= 2)
- xADD(&M[i % 3], &M[(i - 1) % 3], K, &M[(i - 2) % 3]);
-
- fp_mul3(&tmp0, &M[i % 3].x, &T[0]);
- fp_mul3(&tmp1, &M[i % 3].z, &T[1]);
- fp_add3(&T[0], &tmp0, &tmp1);
-
- fp_mul2(&T[1], &M[i % 3].x);
-
- fp_mul3(&tmp0, &M[i % 3].z, &T[2]);
- fp_mul3(&tmp1, &M[i % 3].x, &T[3]);
- fp_add3(&T[2], &tmp0, &tmp1);
-
- fp_mul2(&T[3], &M[i % 3].z);
-
-
- fp_mul3(&tmp0, &P->x, &M[i % 3].x);
- fp_mul3(&tmp1, &P->z, &M[i % 3].z);
- fp_sub2(&tmp0, &tmp1);
- fp_mul2(&Q.x, &tmp0);
-
- fp_mul3(&tmp0, &P->x, &M[i % 3].z);
- fp_mul3(&tmp1, &P->z, &M[i % 3].x);
- fp_sub2(&tmp0, &tmp1);
- fp_mul2(&Q.z, &tmp0);
- }
-
- fp_mul2(&T[0], &T[1]);
- fp_add2(&T[0], &T[0]); /* multiplication by 2 */
-
- fp_sq1(&T[1]);
-
- fp_mul2(&T[2], &T[3]);
- fp_add2(&T[2], &T[2]); /* multiplication by 2 */
-
- fp_sq1(&T[3]);
-
- /* Ax := T[1] * T[3] * Ax - 3 * Az * (T[1] * T[2] - T[0] * T[3]) */
- fp_mul3(&tmp0, &T[1], &T[2]);
- fp_mul3(&tmp1, &T[0], &T[3]);
- fp_sub2(&tmp0, &tmp1);
- fp_mul2(&tmp0, &A->z);
- fp_add3(&tmp1, &tmp0, &tmp0); fp_add2(&tmp0, &tmp1); /* multiplication by 3 */
-
- fp_mul3(&tmp1, &T[1], &T[3]);
- fp_mul2(&tmp1, &A->x);
-
- fp_sub3(&A->x, &tmp1, &tmp0);
-
- /* Az := Az * T[3]^2 */
- fp_sq1(&T[3]);
- fp_mul2(&A->z, &T[3]);
-
- /* X := X * Xim^2, Z := Z * Zim^2 */
- fp_sq1(&Q.x);
- fp_sq1(&Q.z);
- fp_mul2(&P->x, &Q.x);
- fp_mul2(&P->z, &Q.z);
-}
-
diff --git a/reference/csidh-20180427-by-castryck-et-al/mont.h b/reference/csidh-20180427-by-castryck-et-al/mont.h
deleted file mode 100644
index 36b3ad7..0000000
--- a/reference/csidh-20180427-by-castryck-et-al/mont.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef MONT_H
-#define MONT_H
-
-#include "u512.h"
-#include "fp.h"
-
-/* P^1 over fp. */
-typedef struct proj {
- fp x;
- fp z;
-} proj;
-
-void xDBL(proj *Q, proj const *A, proj const *P);
-void xADD(proj *S, proj const *P, proj const *Q, proj const *PQ);
-void xDBLADD(proj *R, proj *S, proj const *P, proj const *Q, proj const *PQ, proj const *A);
-void xMUL(proj *Q, proj const *A, proj const *P, u512 const *k);
-void xISOG(proj *A, proj *P, proj const *K, uint64_t k);
-
-#endif
diff --git a/reference/csidh-20180427-by-castryck-et-al/rng.c b/reference/csidh-20180427-by-castryck-et-al/rng.c
deleted file mode 100644
index fc28c87..0000000
--- a/reference/csidh-20180427-by-castryck-et-al/rng.c
+++ /dev/null
@@ -1,18 +0,0 @@
-
-#include "rng.h"
-
-#include
-#include
-#include
-
-void randombytes(void *x, size_t l)
-{
- static int fd = -1;
- ssize_t n;
- if (fd < 0 && 0 > (fd = open("/dev/urandom", O_RDONLY)))
- exit(1);
- for (size_t i = 0; i < l; i += n)
- if (0 >= (n = read(fd, (char *) x + i, l - i)))
- exit(2);
-}
-
diff --git a/reference/csidh-20180427-by-castryck-et-al/rng.h b/reference/csidh-20180427-by-castryck-et-al/rng.h
deleted file mode 100644
index 30e01d0..0000000
--- a/reference/csidh-20180427-by-castryck-et-al/rng.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef RNG_H
-#define RNG_H
-
-#include
-
-void randombytes(void *x, size_t l);
-
-#endif
diff --git a/reference/csidh-20180427-by-castryck-et-al/supersingular.sage b/reference/csidh-20180427-by-castryck-et-al/supersingular.sage
deleted file mode 100755
index 928f695..0000000
--- a/reference/csidh-20180427-by-castryck-et-al/supersingular.sage
+++ /dev/null
@@ -1,128 +0,0 @@
-#!/usr/bin/env sage
-#coding: utf8
-
-proof.all(False)
-
-
-# parameters.
-
-ls = list(primes(3, 374)) + [587] # Elkies primes
-#ls = list(primes(3, 47)) + [97] # (a smaller example)
-p = 4 * prod(ls) - 1
-assert is_prime(p)
-print "\nElkies primes:", " ".join(map(str, ls))
-
-max_exp = ceil((sqrt(p) ** (1/len(ls)) - 1) / 2)
-assert (2 * max_exp + 1) ** len(ls) >= sqrt(p)
-print "exponents are chosen in the range {}..{}.".format(-max_exp, max_exp)
-
-base = GF(p)(0) # Montgomery coefficient of starting curve
-
-
-# helper functions.
-
-# NB: all the operations can be computed entirely over the prime field,
-# but for simplicity of this implementation we will make use of curves
-# defined over GF(p^2). note this slows everything down quite a bit.
-
-Fp2. = GF(p**2, modulus = x**2 + 1)
-
-def montgomery_curve(A):
- return EllipticCurve(Fp2, [0, A, 0, 1, 0])
-
-# sage's isogeny formulas return Weierstraß curves, hence we need this...
-def montgomery_coefficient(E):
- Ew = E.change_ring(GF(p)).short_weierstrass_model()
- _, _, _, a, b = Ew.a_invariants()
- R. = GF(p)[]
- r = (z**3 + a*z + b).roots(multiplicities=False)[0]
- s = sqrt(3 * r**2 + a)
- if not is_square(s): s = -s
- A = 3 * r / s
- assert montgomery_curve(A).change_ring(GF(p)).is_isomorphic(Ew)
- return GF(p)(A)
-
-
-# actual implementation.
-
-def private():
- return [randrange(-max_exp, max_exp + 1) for _ in range(len(ls))]
-
-def validate(A):
- while True:
- k = 1
- P = montgomery_curve(A).lift_x(GF(p).random_element())
- for l in ls:
- Q = (p + 1) // l * P
- if not Q: continue
- if l * Q: return False
- k *= l
- if k > 4 * sqrt(p): return True
-
-def action(pub, priv):
-
- E = montgomery_curve(pub)
- es = priv[:]
-
- while any(es):
-
- E._order = (p + 1)**2 # else sage computes this
-
- P = E.lift_x(GF(p).random_element())
- s = +1 if P.xy()[1] in GF(p) else -1
- k = prod(l for l, e in zip(ls, es) if sign(e) == s)
- P *= (p + 1) // k
-
- for i, (l, e) in enumerate(zip(ls, es)):
-
- if sign(e) != s: continue
-
- Q = k // l * P
- if not Q: continue
- Q._order = l # else sage computes this
- phi = E.isogeny(Q)
-
- E, P = phi.codomain(), phi(P)
- es[i] -= s
- k //= l
-
- return montgomery_coefficient(E)
-
-
-# example.
-
-print
-
-print "testing public-key validation on random ordinary curves (should be all 0s):\n ",
-for _ in range(16):
- while True:
- A = GF(p).random_element()
- if montgomery_curve(A).is_ordinary(): break
- print int(validate(A)),
-print
-
-privA = private()
-print "\nAlice's private key:\n ", " ".join(map('{:2d}'.format, privA))
-
-pubA = action(base, privA)
-print "\nAlice's public key:\n ", pubA,
-print " (valid: {})".format(int(validate(pubA)))
-
-privB = private()
-print "\nBob's private key:\n ", " ".join(map('{:2d}'.format, privB))
-
-pubB = action(base, privB)
-print "\nBob's public key:\n ", pubB,
-print " (valid: {})".format(int(validate(pubB)))
-
-sharedA = action(pubB, privA)
-print "\nAlice's shared secret:\n ", sharedA
-
-sharedB = action(pubA, privB)
-print "\nBob's shared secret:\n ", sharedB
-
-if sharedA == sharedB:
- print "\n--> equal!\n"
-else:
- print "\n--> NOT EQUAL?!\n"
-
diff --git a/reference/csidh-20180427-by-castryck-et-al/u512.h b/reference/csidh-20180427-by-castryck-et-al/u512.h
deleted file mode 100644
index 6eaae93..0000000
--- a/reference/csidh-20180427-by-castryck-et-al/u512.h
+++ /dev/null
@@ -1,22 +0,0 @@
-#ifndef UINT_H
-#define UINT_H
-
-#include
-#include
-
-typedef struct u512 {
- uint64_t c[8];
-} u512;
-
-extern const u512 u512_1;
-
-void u512_set(u512 *x, uint64_t y);
-
-bool u512_bit(u512 const *x, uint64_t k);
-
-bool u512_add3(u512 *x, u512 const *y, u512 const *z); /* returns carry */
-bool u512_sub3(u512 *x, u512 const *y, u512 const *z); /* returns borrow */
-
-void u512_mul3_64(u512 *x, u512 const *y, uint64_t z);
-
-#endif
diff --git a/reference/csidh-20180427-by-castryck-et-al/u512.s b/reference/csidh-20180427-by-castryck-et-al/u512.s
deleted file mode 100644
index 779be3e..0000000
--- a/reference/csidh-20180427-by-castryck-et-al/u512.s
+++ /dev/null
@@ -1,102 +0,0 @@
-
-.intel_syntax noprefix
-
-.section .rodata
-
-.global u512_1
-u512_1: .quad 1, 0, 0, 0, 0, 0, 0, 0
-
-
-.section .text
-
-.global u512_set
-u512_set:
- cld
- mov rax, rsi
- stosq
- xor rax, rax
- mov rcx, 7
- rep stosq
- ret
-
-
-.global u512_bit
-u512_bit:
- mov rcx, rsi
- and rcx, 0x3f
- shr rsi, 6
- mov rax, [rdi + 8*rsi]
- shr rax, cl
- and rax, 1
- ret
-
-
-.global u512_add3
-u512_add3:
- mov rax, [rsi + 0]
- add rax, [rdx + 0]
- mov [rdi + 0], rax
- .set k, 1
- .rept 7
- mov rax, [rsi + 8*k]
- adc rax, [rdx + 8*k]
- mov [rdi + 8*k], rax
- .set k, k+1
- .endr
- setc al
- movzx rax, al
- ret
-
-.global u512_sub3
-u512_sub3:
- mov rax, [rsi + 0]
- sub rax, [rdx + 0]
- mov [rdi + 0], rax
- .set k, 1
- .rept 7
- mov rax, [rsi + 8*k]
- sbb rax, [rdx + 8*k]
- mov [rdi + 8*k], rax
- .set k, k+1
- .endr
- setc al
- movzx rax, al
- ret
-
-
-.global u512_mul3_64
-u512_mul3_64:
-
- mulx r10, rax, [rsi + 0]
- mov [rdi + 0], rax
-
- mulx r11, rax, [rsi + 8]
- add rax, r10
- mov [rdi + 8], rax
-
- mulx r10, rax, [rsi + 16]
- adcx rax, r11
- mov [rdi + 16], rax
-
- mulx r11, rax, [rsi + 24]
- adcx rax, r10
- mov [rdi + 24], rax
-
- mulx r10, rax, [rsi + 32]
- adcx rax, r11
- mov [rdi + 32],rax
-
- mulx r11, rax, [rsi + 40]
- adcx rax, r10
- mov [rdi + 40],rax
-
- mulx r10, rax, [rsi + 48]
- adcx rax, r11
- mov [rdi + 48],rax
-
- mulx r11, rax, [rsi + 56]
- adcx rax, r10
- mov [rdi + 56],rax
-
- ret
-