
Use open instead of merge, loop backwards when generating.

Michele Orrù 7 years ago
parent
commit
1af5fbadec
5 changed files with 79 additions and 69 deletions
  1. 9 4
      configure.ac
  2. 10 9
      hss.c
  3. 52 0
      src/hss.c
  4. 4 0
      src/hss.h
  5. 4 56
      src/rms.c

+ 9 - 4
configure.ac

@@ -13,14 +13,14 @@ AC_PROG_CC_C99
 AC_PROG_RANLIB
 
 # Checks for libraries.
+AC_CHECK_LIB(gmp, __gmpz_init, ,
+             [AC_MSG_ERROR([GNU MP not found, see https://gmplib.org/])])
 
 # have _GNU_SOURCE defined aroud.
 AC_GNU_SOURCE
 
 # Checks for header files.
 AC_CHECK_HEADERS([limits.h stdint.h stdlib.h string.h unistd.h])
-AC_CHECK_LIB(gmp, __gmpz_init, ,
-[AC_MSG_ERROR([GNU MP not found, see https://gmplib.org/])])
 AC_CHECK_SIZEOF(mp_limb_t, 8, [#include <gmp.h>])
 
 # Checks for typedefs, structures, and compiler characteristics.
@@ -32,12 +32,17 @@ AC_FUNC_MALLOC
 #AC_CHECK_FUNCS([dup2 setlocale strdup])
 
 # Add compiler/linker flags
-CFLAGS="--std=c99 -Wall -march=native"
+CFLAGS+=" -O3 --std=c99 -Wall --pedantic -march=native -DNDEBUG"
+
+# Shut up automake
+#AM_SILENT_RULES([yes])
+AC_SUBST([AM_MAKEFLAGS], [--no-print-directory])
 
 # Adding package options
+
 AC_ARG_ENABLE(debug,
    AS_HELP_STRING([--enable-debug], [enable debugging, default: no]),
-   CFLAGS+=" -DDEBUG -DBN_DEBUG -O0 -ggdb")
+   CFLAGS+=" -UNDEBUG -O0 -ggdb")
 
 AC_OUTPUT([Makefile
            src/Makefile
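Review bot: The new CFLAGS line appends `-DNDEBUG` unconditionally, so the default build compiles out every assert(), including the only consistency check in ssl1_open (src/hss.c, added in this commit, which compares the two decrypted shares) and the correctness assertions in src/rms.c main; only --enable-debug restores them via `-UNDEBUG`. If two shares decrypting to different values is a condition the library must catch, it should be a real check rather than an assert, e.g. have ssl1_open report it: `if (mpz_cmp(rop1, rop2)) { mpz_clears(rop1, rop2, NULL); return -1; }` with the prototype in src/hss.h changed to return int. Separately, `CFLAGS+=" …"` is a bash/ksh extension rather than POSIX sh; generated configure scripts are not guaranteed to run under bash, so the portable form `CFLAGS="$CFLAGS -O3 --std=c99 -Wall --pedantic -march=native -DNDEBUG"` is safer (the same applies to the --enable-debug branch). This hunk's AC_OUTPUT file list continues past the visible lines.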

+ 10 - 9
hss.c

@@ -70,7 +70,7 @@ void naif_fbpowm(mpz_t rop, const pbase_t pb, uint32_t exp)
 }
 
 
-void precompute(pbase_t *pb)
+void fbprecompute(pbase_t *pb)
 {
   for (size_t j = 0; j < 4; j++) {
     for (size_t i = 0; i <= 0xFF; i++) {
@@ -82,14 +82,15 @@ void precompute(pbase_t *pb)
   }
 }
 
+static inline
 void fbpowm(mpz_t rop, const pbase_t * const pb, uint32_t exp)
 {
-  uint8_t *e = (uint8_t *) &exp;
+  const uint8_t *e = (uint8_t *) &exp;
 
-  mpz_set_ui(rop, 1);
-  mpz_mul(rop, rop, pb->T[0][e[0]]);
-  mpz_mul(rop, rop, pb->T[1][e[1]]);
+  mpz_mul(rop, pb->T[0][e[0]], pb->T[1][e[1]]);
+  mpz_mod(rop, rop, p);
   mpz_mul(rop, rop, pb->T[2][e[2]]);
+  mpz_mod(rop, rop, p);
   mpz_mul(rop, rop, pb->T[3][e[3]]);
   mpz_mod(rop, rop, p);
 
@@ -115,19 +116,19 @@ int main()
   pbase_t pb;
   mpz_init_set_ui(pb.base, 2);
   //  mpz_urandomm(pb.base, _rstate, p);
-  precompute(&pb);
+  fbprecompute(&pb);
 
   mpz_t expected;
   mpz_init(expected);
 
   INIT_TIMEIT();
-  for (int i = 0; i < (int) 1e5; i++) {
+  for (int i = 0; i < (int) 1e4; i++) {
     getrandom(&exp, sizeof(exp), GRND_NONBLOCK);
     START_TIMEIT();
     fbpowm(x, &pb, exp);
     END_TIMEIT();
-    naif_fbpowm(expected, pb, exp);
-    assert(!mpz_cmp(expected, x));
+    //naif_fbpowm(expected, pb, exp);
+    //assert(!mpz_cmp(expected, x));
   }
 
   printf(TIMEIT_FORMAT "\n", GET_TIMEIT());
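Review bot: The check of fbpowm against naif_fbpowm in main is commented out in the same commit that rewrites fbpowm's arithmetic (the mpz_mod reductions now sit between the multiplies), so nothing in the benchmark verifies the new result; since the comparison is already outside START_TIMEIT/END_TIMEIT it does not affect the timing and should simply be kept, or at most wrapped in `#ifndef NDEBUG`. In fbpowm, `const uint8_t *e = (uint8_t *) &exp;` makes e[0] the least significant byte of exp only on little-endian hosts; if the T[j] tables are built per byte position that assumption deserves a comment such as `/* assumes little-endian: e[j] is byte j of exp, lowest first */`. The `static inline` added to fbpowm is fine as long as no other translation unit calls it; that cannot be confirmed from this page.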

+ 52 - 0
src/hss.c

@@ -1,5 +1,7 @@
 #include "config.h"
 
+#include <assert.h>
+
 #include "hss.h"
 
 /**
@@ -50,6 +52,38 @@ void ssl1_clear(ssl1_t s)
   }
 }
 
+void ssl1_share(ssl1_t r1, ssl1_t r2, const mpz_t v, const elgamal_key_t key)
+{
+  mpz_t zero;
+  mpz_init_set_ui(zero, 0);
+
+  elgamal_encrypt_shares(r1->w, r2->w, key, v);
+  for (size_t t = 0; t < 160; t++) {
+    if (mpz_tstbit(key->sk, 159-t)) {
+      elgamal_encrypt_shares(r1->cw[t], r2->cw[t], key, v);
+    } else {
+      elgamal_encrypt_shares(r1->cw[t], r2->cw[t], key, zero);
+    }
+  }
+
+  mpz_clear(zero);
+}
+
+void ssl1_open(mpz_t rop, const ssl1_t r1, const ssl1_t r2, const elgamal_key_t key)
+{
+  mpz_t rop1, rop2;
+  mpz_inits(rop1, rop2, NULL);
+
+  elgamal_decrypt(rop1, key, r1->w);
+  elgamal_decrypt(rop2, key, r2->w);
+
+  assert(!mpz_cmp(rop1, rop2));
+  mpz_set(rop, rop1);
+
+  mpz_clears(rop1, rop2, NULL);
+}
+
+
 void ssl2_init(ssl2_t s)
 {
   mpz_inits(s->x, s->cx, NULL);
@@ -60,3 +94,21 @@ void ssl2_clear(ssl2_t s)
   mpz_clear(s->x);
   mpz_clear(s->cx);
 }
+
+
+void ssl2_share(ssl2_t s1, ssl2_t s2, const mpz_t v, const mpz_t sk)
+{
+  mpz_urandomb(s1->x, _rstate, 192);
+  mpz_add(s2->x, v, s1->x);
+
+  mpz_urandomb(s1->cx, _rstate, 192);
+  mpz_mul(s2->cx, sk, v);
+  mpz_add(s2->cx, s2->cx, s1->cx);
+}
+
+
+void ssl2_open(mpz_t rop, const ssl2_t s1, const ssl2_t s2)
+{
+  mpz_sub(rop, s2->x, s1->x);
+  mpz_abs(rop, rop);
+}

+ 4 - 0
src/hss.h

@@ -28,6 +28,8 @@ typedef struct ssl1 {
 
 void ssl1_init(ssl1_t s);
 void ssl1_clear(ssl1_t s);
+void ssl1_share(ssl1_t r1, ssl1_t r2, const mpz_t v, const elgamal_key_t key);
+void ssl1_open(mpz_t rop, const ssl1_t r1, const ssl1_t r2, const elgamal_key_t key);
 
 /** A level-2 share are subractive shares.
     This shares have at most 192 bits.
@@ -40,3 +42,5 @@ typedef struct ssl2 {
 #define ssl2_add(rop, a, b) mpz_add(rop, a, b)
 void ssl2_init(ssl2_t s);
 void ssl2_clear(ssl2_t s);
+void ssl2_share(ssl2_t s1, ssl2_t s2, const mpz_t v, const mpz_t sk);
+void ssl2_open(mpz_t rop, const ssl2_t s1, const ssl2_t s2);
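Review bot: ssl2_share was moved from src/rms.c into the library and is now declared here, but the `/** this function is only for testing purposes. */` comment that accompanied its old definition was dropped in the move; since it takes the secret key `sk` in the clear to build the shares, that caveat should travel with the declaration, e.g. `/** Test helper: builds both shares locally from v and the plaintext secret key sk; not for use by protocol parties. */`. The same applies to ssl1_share, which takes the full elgamal_key_t. The new ssl1_open/ssl2_open declarations would also benefit from a one-line note on what "open" returns (the reconstructed value, written into the caller-initialised rop).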

+ 4 - 56
src/rms.c

@@ -13,57 +13,6 @@
 #include "hss.h"
 #include "timeit.h"
 
-/** this function is only for testing purposes. */
-void ssl2_share(ssl2_t s1, ssl2_t s2, const mpz_t v, const mpz_t sk)
-{
-  mpz_urandomb(s1->x, _rstate, 192);
-  mpz_add(s2->x, v, s1->x);
-
-  mpz_urandomb(s1->cx, _rstate, 192);
-  mpz_mul(s2->cx, sk, v);
-  mpz_add(s2->cx, s2->cx, s1->cx);
-}
-
-
-void ssl2_merge(mpz_t rop, const ssl2_t s1, const ssl2_t s2)
-{
-  mpz_sub(rop, s2->x, s1->x);
-  mpz_abs(rop, rop);
-}
-
-
-void ssl1_share(ssl1_t r1, ssl1_t r2, const mpz_t v, const elgamal_key_t key)
-{
-  mpz_t zero;
-  mpz_init_set_ui(zero, 0);
-
-  elgamal_encrypt_shares(r1->w, r2->w, key, v);
-  for (size_t t = 0; t < 160; t++) {
-    if (mpz_tstbit(key->sk, t)) {
-      elgamal_encrypt_shares(r1->cw[t], r2->cw[t], key, v);
-    } else {
-      elgamal_encrypt_shares(r1->cw[t], r2->cw[t], key, zero);
-    }
-  }
-
-  mpz_clear(zero);
-}
-
-void ssl1_merge(mpz_t rop, const ssl1_t r1, const ssl1_t r2, const elgamal_key_t key)
-{
-  mpz_t rop1, rop2;
-  mpz_inits(rop1, rop2, NULL);
-
-  elgamal_decrypt(rop1, key, r1->w);
-  elgamal_decrypt(rop2, key, r2->w);
-
-  assert(!mpz_cmp(rop1, rop2));
-  mpz_set(rop, rop1);
-
-  mpz_clears(rop1, rop2, NULL);
-}
-
-
 #define strip_size 16
 uint32_t naif_convert(mpz_t n)
 {
@@ -111,7 +60,7 @@ void hss_mul(ssl2_t rop, const ssl1_t sl1, const ssl2_t sl2)
   mpz_set_ui(rop->x, converted);
 
   mpz_set_ui(rop->cx, 0);
-  for (ssize_t t = 159; t >= 0; t--) {
+  for (size_t t = 0; t < 160; t++) {
     converted = __mul_single(op1, op2,
                              sl1->cw[t]->c1, sl1->cw[t]->c2, sl2->x, sl2->cx);
     mpz_add_ui(rop->cx, rop->cx, converted);
@@ -124,7 +73,6 @@ void hss_mul(ssl2_t rop, const ssl1_t sl1, const ssl2_t sl2)
 
 int main()
 {
-  /* set up entropy, prime modulus etc. */
   mpz_entropy_init();
   hss_init();
 
@@ -158,11 +106,11 @@ int main()
     /* mpz_set_ui(y, 1); */
 
     ssl2_share(s1, s2, x, key->sk);
-    ssl2_merge(test, s1, s2);
+    ssl2_open(test, s1, s2);
     assert(!mpz_cmp(test, x));
 
     ssl1_share(r1, r2, y, key);
-    ssl1_merge(test, r1, r2, key);
+    ssl1_open(test, r1, r2, key);
     assert(!mpz_cmp_ui(test, mpz_cmp_ui(y, 0) ? 2 : 1));
 
     START_TIMEIT();
@@ -175,7 +123,7 @@ int main()
 #endif
 
     mpz_mul(xy, x, y);
-    ssl2_merge(test, t2, t1);
+    ssl2_open(test, t2, t1);
     assert(!mpz_cmp(test, xy));
 
     mpz_sub(test, t2->cx, t1->cx);