}
// "Small" dangerous ephemeral key.
+// Use if you need to shrink the size of the binary, and can tolerate a
+// slowdow by a factor of two (compared to the fast version)
+//
// This version works by decoupling the cofactor from the main factor.
//
// - The trimmed scalar determines the main factor
}
// "Fast" dangerous ephemeral key
+// We use this one by default.
//
// This version works by performing a regular scalar multiplication,
// then add a low order point. The scalar multiplication is done in
-// Edwards space for more speed. The cost is a bigger binary programs
-// that don't also sign messages.
+// Edwards space for more speed (*2 compared to the "small" version).
+// The cost is a bigger binary programs that don't also sign messages.
void crypto_x25519_dangerous_fast(u8 public_key[32], const u8 secret_key[32])
{
static const fe lop_x = {
TIMING_END;
}
+static u64 x25519_sp_fast(void)
+{
+ RANDOM_INPUT(sk, 32);
+ TIMING_START {
+ crypto_x25519_dangerous_fast(sk, sk);
+ }
+ TIMING_END;
+}
+
+static u64 x25519_sp_small(void)
+{
+ RANDOM_INPUT(sk, 32);
+ TIMING_START {
+ crypto_x25519_dangerous_small(sk, sk);
+ }
+ TIMING_END;
+}
+
int main()
{
print("Chacha20 ",chacha20() *MUL ,"megabytes per second");
print("EdDSA(sign) ",edDSA_sign() ,"signatures per second");
print("EdDSA(check) ",edDSA_check() ,"checks per second");
print("x25519 inverse ",x25519_inverse() ,"scalar inv per second");
+ print("x25519 special fast ",x25519_sp_fast() ,"scalar inv per second");
+ print("x25519 special small",x25519_sp_small() ,"scalar inv per second");
printf("\n");
return 0;
}
projects / Monocypher.git / commitdiff