cloudflare
diff --git a/‎ecc/goldilocks/constants.go
+21-13 b/‎ecc/goldilocks/constants.go
+21-13
diff --git a/‎ecc/goldilocks/decaf.go
+62-60 b/‎ecc/goldilocks/decaf.go
+62-60
diff --git a/‎ecc/goldilocks/decaf_test.go
+104-33 b/‎ecc/goldilocks/decaf_test.go
+104-33
@@ -37,10 +37,28 @@ var (
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 	}
-	// aMinusD is paramA-paramD used for Decaf.
-	aMinusD = fp.Elt{0xaa, 0x98}
-	// aMinusD is paramA-paramD used for Decaf.
+	// paramDTwist is -39082 in Fp. The D parameter of the twist curve.
+	paramDTwist = fp.Elt{
+		0x55, 0x67, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	}
+	// aMinusD is paramA-paramD used in Decaf.
 	aMinusDTwist = fp.Elt{0xa9, 0x98}
+	// sqrtAMinusDTwist is the smallest sqrt(paramATwist-paramDTwist) used in Decaf.
+	sqrtAMinusDTwist = fp.Elt{
+		0x36, 0x27, 0x57, 0x45, 0x0f, 0xef, 0x42, 0x96,
+		0x52, 0xce, 0x20, 0xaa, 0xf6, 0x7b, 0x33, 0x60,
+		0xd2, 0xde, 0x6e, 0xfd, 0xf4, 0x66, 0x9a, 0x83,
+		0xba, 0x14, 0x8c, 0x96, 0x80, 0xd7, 0xa2, 0x64,
+		0x4b, 0xd5, 0xb8, 0xa5, 0xb8, 0xa7, 0xf1, 0xa1,
+		0xa0, 0x6a, 0xa2, 0x2f, 0x72, 0x8d, 0xf6, 0x3b,
+		0x68, 0xf7, 0x24, 0xeb, 0xfb, 0x62, 0xd9, 0x22,
+	}
 	// order is 2^446-0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d,
 	// which is the number of points in the prime subgroup.
 	order = Scalar{
@@ -66,15 +84,5 @@ var (
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f,
 	}
-	// paramDTwist is -39082 in Fp. The D parameter of the twist curve.
-	paramDTwist = fp.Elt{
-		0x55, 0x67, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-	}
 	errInvalidDecoding = errors.New("invalid decoding")
 )
@@ -1,6 +1,8 @@
 package goldilocks
 
-import fp "github.com/cloudflare/circl/math/fp448"
+import (
+	fp "github.com/cloudflare/circl/math/fp448"
+)
 
 // Decaf provides a prime-order group.
 // Internally, the implementation uses the twist of goldilocks curve.
@@ -29,6 +31,9 @@ func (d Decaf) Order() Scalar { return order }
 // Add is
 func (d Decaf) Add(c, a, b *Elt) { c.p = a.p; c.p.Add(&b.p) }
 
+// Double is
+func (d Decaf) Double(c, a *Elt) { c.p = a.p; c.p.Double() }
+
 // Neg is
 func (d Decaf) Neg(c, a *Elt) { c.p = a.p; c.p.cneg(1) }
 
@@ -49,85 +54,82 @@ func (d Decaf) AreEqual(a, b *Elt) bool {
 
 // Marshal is
 func (e *Elt) Marshal() []byte {
-	r, u := &fp.Elt{}, &fp.Elt{}
-	one, s := &fp.Elt{}, &fp.Elt{}
-	x, y, ta, tb, z := e.p.x, e.p.y, e.p.ta, e.p.tb, e.p.z
-	t0, t1 := z, y
+	x, ta, tb, z := e.p.x, e.p.ta, e.p.tb, e.p.z
+	one, t, t2, s := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
 	fp.SetOne(one)
-	fp.AddSub(&t0, &t1)             // (t0,t1) = (z+y,z-y)
-	fp.Mul(&t0, &t0, &t1)           // t0 = (z+y)*(z-y)
-	fp.Mul(&t0, &t0, &aMinusDTwist) // t0 = (a-d)*(z+y)*(z-y)
-	fp.InvSqrt(r, one, &t0)         // r = 1/sqrt( (a-d)*(z+y)*(z-y) )
-	fp.Mul(u, r, &aMinusDTwist)     // u = (a-d)*r
-	fp.Mul(&t0, u, &z)              // t0 = u*Z
-	fp.Add(&t0, &t0, &t0)           // t0 = 2*u*Z
-	fp.Neg(&t0, &t0)                // t0 = -2*u*Z
-	isNeg := fp.Parity(&t0)         // isNeg = sgn(t0)
-	fp.Neg(&t1, r)                  // t1 = -r
-	fp.Cmov(r, &t1, uint(isNeg))    // if -2*u*Z is negative then r = -r
-	fp.Mul(&t1, &ta, &tb)           // t1 = Ta*Tb = T
-	fp.Mul(&t1, &t1, &y)            // t1 = Y*T
-	fp.Mul(&t1, &t1, &paramDTwist)  // t1 = d*Y*T
-	fp.Mul(&t0, &z, &x)             // t0 = Z*X
-	fp.Neg(&t0, &t0)                // t0 = a*Z*X
-	fp.Sub(&t0, &t0, &t1)           // t0 = a*Z*X - d*Y*T
-	fp.Mul(&t0, &t0, r)             // t0 = r*(a*Z*X - d*Y*T)
-	fp.Add(&t0, &t0, &y)            // t0 = r*(a*Z*X - d*Y*T) + Y
-	fp.Mul(s, &t0, u)               // s = (u)*(r*(a*Z*X - d*Y*T) + Y)
-	fp.Neg(s, s)                    // s = (u/a)*(r*(a*Z*X - d*Y*T) + Y)
-	isNeg = fp.Parity(s)            // isNeg = sgn(s)
-	fp.Neg(&t1, s)                  // t1 = -s
-	fp.Cmov(s, &t1, uint(isNeg))    // if s is negative then s = -s
+	fp.Mul(t, &ta, &tb)                // t = ta*tb
+	t0, t1 := x, *t                    // (t0,t1) = (x,t)
+	fp.Sqr(t2, &x)                     // t2 = x^2
+	fp.AddSub(&t0, &t1)                // (t0,t1) = (x+t,x-t)
+	fp.Mul(&t1, &t0, &t1)              // t1 = (x+t)*(x-t)
+	fp.Mul(&t0, &t1, &aMinusDTwist)    // t0 = (a-d)*(x+t)*(x-t)
+	fp.Mul(&t0, &t0, t2)               // t0 = x^2*(a-d)*(x+t)*(x-t)
+	fp.InvSqrt(&t0, one, &t0)          // t0 = 1/sqrt( x^2*(a-d)*(z+y)*(z-y) )
+	fp.Mul(&t1, &t1, &t0)              // t1 = (z+y)*(z-y)/sqrt( x^2*(a-d)*(z+y)*(z-y) )
+	fp.Mul(t2, &t1, &sqrtAMinusDTwist) // t2 = sqrt( (z+y)*(z-y) )/z
+	isNeg := fp.Parity(t2)             // isNeg = sgn(t2)
+	fp.Neg(t2, &t1)                    // t2 = -t1
+	fp.Cmov(&t1, t2, uint(isNeg))      // if t2 is negative then t1 = -t1
+	fp.Mul(s, &t1, &z)                 // s = t1*z
+	fp.Sub(s, s, t)                    // s = t1*z - t
+	fp.Mul(s, s, &x)                   // s = x*(t1*z - t)
+	fp.Mul(s, s, &t0)                  // s = isr*x*(t1*z - t)
+	fp.Mul(s, s, &aMinusDTwist)        // s = (a-d)*isr*x*(t1*z - t)
+	isNeg = fp.Parity(s)               // isNeg = sgn(s)
+	fp.Neg(&t0, s)                     // t0 = -s
+	fp.Cmov(s, &t0, uint(isNeg))       // if s is negative then s = -s
 
 	var encS [fp.Size]byte
 	_ = fp.ToBytes(encS[:], s)
 	return encS[:]
 }
 
 // Unmarshal is
-func (d Decaf) Unmarshal(b []byte) (*Elt, error) {
+func (e *Elt) Unmarshal(b []byte) error {
 	if len(b) < fp.Size {
-		return nil, errInvalidDecoding
+		return errInvalidDecoding
 	}
 
 	s := &fp.Elt{}
 	copy(s[:], b[:fp.Size])
 	isNeg := fp.Parity(s)
 	p := fp.P()
 	if isNeg == 1 || !isLessThan(b[:fp.Size], p[:]) {
-		return nil, errInvalidDecoding
+		return errInvalidDecoding
 	}
 
-	one, u, v, w := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
+	one, s2, den, num := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
+	isr, altx := &fp.Elt{}, &fp.Elt{}
 	t0, t1 := &fp.Elt{}, &fp.Elt{}
-	e := &Elt{}
 	fp.SetOne(one)
-	fp.Add(&e.p.x, s, s)           // X  = 2*s
-	fp.Sqr(t0, s)                  // t0 = s^2
-	fp.Sub(&e.p.z, one, t0)        // Z  = 1 + a*s^2
-	fp.Mul(t1, t0, &paramDTwist)   // t1 = d*s^2
-	fp.Add(t1, t1, t1)             // t1 = 2*d*s^2
-	fp.Add(t1, t1, t1)             // t1 = 4*d*s^2
-	fp.Sqr(u, &e.p.z)              // u  = Z^2
-	fp.Sub(u, u, t1)               // u  = Z^2 - 4*d*s^2
-	fp.Mul(t0, t0, u)              // t0 = u*s^2
-	isQR := fp.InvSqrt(v, one, t0) // v = 1/sqrt(u*s^2)
-	var isZero byte
+	fp.Sqr(s2, s)                    // s2  = s^2
+	fp.Sub(den, one, s2)             // den = 1 + a*s^2
+	fp.Mul(t1, s2, &paramDTwist)     // t1 = d*s^2
+	fp.Add(t1, t1, t1)               // t1 = 2*d*s^2
+	fp.Add(t1, t1, t1)               // t1 = 4*d*s^2
+	fp.Sqr(t0, den)                  // num = (1 + a*s^2)^2
+	fp.Sub(num, t0, t1)              // num = (1 + a*s^2)^2 - 4*d*s^2
+	fp.Mul(t0, t0, num)              // t0 = num*den^2
+	isQR := fp.InvSqrt(isr, one, t0) // v = 1/sqrt(num*den^2)
 	if !isQR {
-		if !fp.IsZero(t0) {
-			return nil, errInvalidDecoding
-		}
-		isZero = 1
+		return errInvalidDecoding
 	}
-	fp.Mul(t0, u, v)              // t0 = u*v
-	isNeg = fp.Parity(t0)         // isNeg = sgn(u*v)
-	fp.Neg(t1, v)                 // t1 = -v
-	fp.Cmov(v, t1, uint(isNeg))   // if u*v is negative then v = -v
-	fp.Sub(w, &fp.Elt{2}, &e.p.z) // w = 2-Z
-	fp.Mul(w, w, s)               // w = s*(2-Z)
-	fp.Mul(w, w, v)               // w = v*s*(2-Z)
-	fp.Add(w, w, &fp.Elt{isZero}) // if s=0 then w = w+1
-	fp.Mul(&e.p.y, &e.p.z, w)     // Y = w*Z
-	e.p.ta, e.p.tb = e.p.x, *w    // T = Ta*Tb = w*X
-	return e, nil
+	fp.Mul(t1, den, isr)                // altx = isr*den
+	fp.Mul(t1, t1, s)                   // altx = s*isr*den
+	fp.Add(t1, t1, t1)                  // t1   = 2*s*isr*den
+	fp.Mul(altx, t1, &sqrtAMinusDTwist) // altx = 2*s*isr*den*sqrt(A-D)
+	isNeg = fp.Parity(altx)             // isNeg = sgn(altx)
+	fp.Neg(t0, isr)                     // t0 = -isr
+	fp.Cmov(isr, t0, uint(isNeg))       // if altx is negative then isr = -isr
+	fp.Sqr(&e.p.x, isr)                 // x = isr^2
+	fp.Mul(&e.p.x, &e.p.x, den)         // x = isr^2*den
+	fp.Mul(&e.p.x, &e.p.x, num)         // x = isr^2*den*num
+	fp.Mul(&e.p.x, &e.p.x, s)           // x = s*isr^2*den*num
+	fp.Add(&e.p.x, &e.p.x, &e.p.x)      // x = 2*s*isr^2*den*num
+	fp.Mul(&e.p.y, isr, den)            // y = isr*den
+	fp.Add(t0, one, s2)                 // t0 = 1 - a*s^2
+	fp.Mul(&e.p.y, &e.p.y, t0)          // y = (1 - a*s^2)*isr*den
+	e.p.ta, e.p.tb = e.p.x, e.p.y       // T = Ta*Tb = x*y
+	fp.SetOne(&e.p.z)
+	return nil
 }
@@ -1,9 +1,13 @@
 package goldilocks_test
 
 import (
+	"bytes"
 	"crypto/rand"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
+	"os"
 	"testing"
 
 	"github.com/cloudflare/circl/ecc/goldilocks"
@@ -12,40 +16,107 @@ import (
 
 func TestDecafDevel(t *testing.T) {
 	var d goldilocks.Decaf
+	var P goldilocks.Elt
+
 	G := d.Generator()
-	fmt.Printf("G: %v\n%v\n\n", G, hex.EncodeToString(G.Marshal()))
-
-	Q := d.Identity()
-	for i := 0; i < 18; i++ {
-		enc := Q.Marshal()
-		decP, err := d.Unmarshal(enc)
-		if err != nil {
-			t.Fatalf("dd")
-		}
-		got := d.AreEqual(Q, decP)
-		want := true
-		if got != want {
-			fmt.Printf("%v\n", Q)
-			fmt.Printf("%v\n", decP)
-			test.ReportError(t, got, want, i)
-		}
-		d.Add(Q, Q, G)
+	d.Double(G, G)
+	encG := G.Marshal()
+	P.Unmarshal(encG)
+	encP := P.Marshal()
+	// fmt.Printf("G: %v\n", G)
+	fmt.Printf("encG: %v\n", hex.EncodeToString(encG))
+	// fmt.Printf("P: %v\n", P)
+	fmt.Printf("valid: %v\n", d.IsValid(&P))
+	fmt.Printf("equal: %v\n", d.AreEqual(G, &P))
+	fmt.Printf("encP: %v\n", hex.EncodeToString(encP))
+
+}
+
+type testJSONFile struct {
+	Group     string `json:"group"`
+	Version   string `json:"version"`
+	Generator struct {
+		X string `json:"x"`
+		Y string `json:"y"`
+		T string `json:"t"`
+		Z string `json:"z"`
+	} `json:"generator"`
+	Vectors []struct {
+		K  string `json:"k"`
+		KG string `json:"kG"`
+		KP string `json:"kP"`
+	} `json:"vectors"`
+}
+
+func (kat *testJSONFile) readFile(t *testing.T, fileName string) {
+	jsonFile, err := os.Open(fileName)
+	if err != nil {
+		t.Fatalf("File %v can not be opened. Error: %v", fileName, err)
+	}
+	defer jsonFile.Close()
+	input, _ := ioutil.ReadAll(jsonFile)
+
+	err = json.Unmarshal(input, &kat)
+	if err != nil {
+		t.Fatalf("File %v can not be loaded. Error: %v", fileName, err)
+	}
+}
+
+func verify(t *testing.T, i int, gotkG *goldilocks.Elt, wantEnckG []byte) {
+	var d goldilocks.Decaf
+	wantkG := &goldilocks.Elt{}
+
+	gotEnckG := gotkG.Marshal()
+	got := bytes.Equal(gotEnckG, wantEnckG)
+	want := true
+	if got != want {
+		test.ReportError(t, got, want, i)
+	}
+
+	err := wantkG.Unmarshal(wantEnckG)
+	got = err == nil &&
+		d.IsValid(gotkG) &&
+		d.IsValid(wantkG) &&
+		d.AreEqual(gotkG, wantkG)
+	want = true
+	if got != want {
+		test.ReportError(t, got, want, i)
+	}
+}
+
+func TestDecafv1_1(t *testing.T) {
+	var kat testJSONFile
+	kat.readFile(t, "testdata/decafv1.1_vectors.json")
+
+	got := kat.Group
+	want := "decaf"
+	if got != want {
+		test.ReportError(t, got, want)
+	}
+	got = kat.Version
+	want = "v1.1"
+	if got != want {
+		test.ReportError(t, got, want)
+	}
+	var d goldilocks.Decaf
+	var scalar goldilocks.Scalar
+	var P goldilocks.Elt
+
+	for i := range kat.Vectors {
+		k, _ := hex.DecodeString(kat.Vectors[i].K)
+		wantEnckG, _ := hex.DecodeString(kat.Vectors[i].KG)
+		wantEnckP, _ := hex.DecodeString(kat.Vectors[i].KP)
+		scalar.FromBytes(k)
+
+		d.MulGen(&P, &scalar)
+		verify(t, i, &P, wantEnckG)
+
+		d.Mul(&P, &scalar, d.Generator())
+		verify(t, i, &P, wantEnckG)
+
+		d.Mul(&P, &scalar, &P)
+		verify(t, i, &P, wantEnckP)
 	}
-	// fmt.Printf("2GE: %v\n%v\n\n", GE, enc(GE))
-
-	// GT := c.push(GE)
-	// GT.ToAffine()
-	// fmt.Printf("GT: %v\n%v\n", GT, enc(GT))
-
-	// fmt.Printf("0: %v\n", hex.EncodeToString(d.Marshal(d.Identity())))
-	// fmt.Printf("G: %v\n", hex.EncodeToString(d.Marshal(d.Generator())))
-	// P := d.Generator()
-	// fmt.Printf("G:\n%v\n%v\n", P, hex.EncodeToString(d.Marshal(P)))
-	// for i := 1; i < 2; i++ {
-	// P = d.Add(P, P)
-	// fmt.Printf("[2^%v]G:\n%v\n", i, P)
-	// fmt.Printf("[2^%v]G: %v\n", i, hex.EncodeToString(d.Marshal(P)))
-	// }
 }
 
 func BenchmarkDecaf(b *testing.B) {
@@ -79,7 +150,7 @@ func BenchmarkDecaf(b *testing.B) {
 	})
 	b.Run("Unmarshal", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
-			d.Unmarshal(enc)
+			P.Unmarshal(enc)
 		}
 	})
 }