Commit 4eb210cd authored by Michael Hamburg's avatar Michael Hamburg

Mostly a cleanup release. Cleanup old code, improve documentation,

improve GCC-cleanness, etc.

Disable the crandom output buffer so that it won't return duplicate
data across fork().  I should still stir in more entropy into the
buffer at least when RDRAND is available, but this should prevent
disasters for now.

The Elligator code in the current version is incompatible with past
versions due to a minor tweak.  It wasn't being called by any of
the API functions, though.

Removing "magic" constants and type names.  So for example p448_t
is now field_t (though maybe it should really be felem_t?).  This
should enable other curves with the Goldilocks code in the not-too-
distant future.

Added CRANDOM_MIGHT_IS_MUST so that you don't have to -D a bunch of
things on the command line.

You can `make bat` to make an eBAT which probably doesn't work.

I haven't implemented the improved nonce generation from the
curves@moderncrypto.org thread yet.
parent 8ebdfaee
May 3, 2104:
July 11, 2014:
This is mostly a cleanup release.
Added CRANDOM_MIGHT_IS_MUST config flag (default: 1). When set, this
causes crandom to assume that all features in the target arch will
be available, instead of detecting them. This makes sense because
the rest of the Goldilocks code is not (yet?) able to detect features.
Also, I'd like to submit this to SUPERCOP eventually, and SUPERCOP won't
pass -DMUST_HAVE_XXX on the command line the way the Makefile here did.
Flag EXPERIMENT_CRANDOM_BUFFER_CUTOFF_BYTES to disable the crandom
output buffer. This buffer improves performance (very marginally at
Goldilocks sizes), but can cause problems with forking and VM
snapshotting. By default, the buffer is now disabled.
I've slightly tweaked the Elligator implementation (which is still
unused) to make it easier to invert. This makes anything using Elligator
(i.e. nothing) incompatible with previous releases.
I've been factoring "magic" constants such as curve orders, window sizes,
etc into a few headers, to reduce the effort to port the code to other
primes, curves, etc. For example, I could test the Microsoft curves, and
something like:
x^2 + y^2 = 1 +- 5382[45] x^2 y^2 mod 2^480-2^240-1
("Goldeneye"? "Ridinghood"?) might be a reasonable thing to try for
64-bit CPUs.
In a similar vein, most of the internal code has been changed to say
"field" instead of p448, so that a future version of magic.h can decide
which field header to include.
You can now `make bat` to create an eBAT in build/ed448-goldilocks. This
is only minimally tested, though, because SUPERCOP doesn't work on my
machine and I'm too lazy to reverse engineer it. It sets a new macro,
SUPERCOP_WONT_LET_ME_OPEN_FILES, which causes goldilocks_init() to fall
back to something horribly insecure if crandom_init_from_file raises
EMFILE.
Slightly improved documentation.
Removed some old commented-out code; restored the /* C-style */ comment
discipline.
The AMD-64 version should now be GCC clean, at least for reasonably
recent GCC (tested on OS X.9.3, Haswell, gcc-4.9).
History no longer says "2104".
May 3, 2014:
Minor changes to internal routines mean that this version is not
compatible with the previous one.
......
......@@ -39,7 +39,7 @@ endif
ARCHFLAGS += -mcpu=cortex-a9 # FIXME
GENFLAGS = -DN_TESTS_BASE=1000 # sooooo sloooooow
else
ARCHFLAGS += -mssse3 -maes -mavx -mavx2 -DMUST_HAVE_AVX2 -mbmi2 #TODO
ARCHFLAGS += -maes -mavx2 -mbmi2 #TODO
endif
ifeq ($(CC),clang)
......@@ -48,26 +48,28 @@ endif
ifeq (,$(findstring 64,$(ARCH))$(findstring gcc,$(CC)))
# ARCHFLAGS += -m32
ARCHFLAGS += -DGOLDI_FORCE_32_BIT=1
XCFLAGS += -DGOLDI_FORCE_32_BIT=1
endif
CFLAGS = $(LANGFLAGS) $(WARNFLAGS) $(INCFLAGS) $(OFLAGS) $(ARCHFLAGS) $(GENFLAGS) $(XCFLAGS)
LDFLAGS = $(ARCHFLAGS) $(XLDFLAGS)
ASFLAGS = $(ARCHFLAGS)
.PHONY: clean all test bench todo doc lib
.PHONY: clean all test bench todo doc lib bat
.PRECIOUS: build/%.s
HEADERS= Makefile $(shell find . -name "*.h") build/timestamp
LIBCOMPONENTS= build/goldilocks.o build/barrett_field.o build/crandom.o \
build/p448.o build/ec_point.o build/scalarmul.o build/sha512.o
build/p448.o build/ec_point.o build/scalarmul.o build/sha512.o build/magic.o
TESTCOMPONENTS=build/test.o build/test_scalarmul.o build/test_sha512.o \
build/test_pointops.o build/test_arithmetic.o build/test_goldilocks.o
build/test_pointops.o build/test_arithmetic.o build/test_goldilocks.o build/magic.o
BENCHCOMPONENTS=build/bench.o
BATNAME=build/ed448-goldilocks
all: lib build/test build/bench
scan: clean
......@@ -118,6 +120,19 @@ doc/timestamp:
doc: Doxyfile doc/timestamp src/*.c src/include/*.h src/$(ARCH)/*.c src/$(ARCH)/*.h
doxygen
bat: $(BATNAME)
$(BATNAME): include/* src/* src/*/*
rm -fr $@
for arch in src/arch*; do \
mkdir -p $@/`basename $$arch`; \
cp include/* src/*.c src/include/* $$arch/* $@/`basename $$arch`; \
perl -p -i -e 's/.*endif.*GOLDILOCKS_CONFIG_H/#define SUPERCOP_WONT_LET_ME_OPEN_FILES 1\n\n$$&/' $@/`basename $$arch`/config.h; \
done
echo 'Mike Hamburg' > $@/designers
echo 'Ed448-Goldilocks sign and dh' > $@/description
todo::
@(find * -name '*.h'; find * -name '*.c') | xargs egrep --color=auto -w \
'HACK|TODO|FIXME|BUG|XXX|PERF|FUTURE|REMOVE|MAGIC'
......@@ -139,4 +154,4 @@ test: build/test
./$<
clean:
rm -fr build doc
rm -fr build doc $(BATNAME)
......@@ -25,8 +25,8 @@ Important work items for Ed448-Goldilocks:
* [DONE] Bugfix: make sure that init() and randomization are thread-safe.
* Security: check on deserialization that points are < p.
* Check also that they're nonzero or otherwise non-pathological?
* [DONE] Security: check on deserialization that points are < p.
* [NEEDS TESTING] Check also that they're nonzero or otherwise non-pathological?
* Testing:
* Corner-case testing
......@@ -39,16 +39,16 @@ Important work items for Ed448-Goldilocks:
* Most functions now have warn on ignored return.
* Safety:
* Check for init() if it's still required once we've done the above
* [DONE] Check for init() if it's still required once we've done the above
* Decide what to do about RNG failures
* abort
* return error and zeroize
* return error but continue if RNG is kind of mostly OK
* Flexibility: decide which API options are good.
* Eg, should functions take nbits and table sizes?
* [DONE?] Eg, should functions take nbits and table sizes?
* Remove hardcoded adjustments from comb control.
* [DONE] Remove hardcoded adjustments from comb control.
* These adjustments make the output wrong when it's not 450 bits.
* Other slow Barrett fields? Montgomery fields?
......@@ -71,6 +71,7 @@ Important work items for Ed448-Goldilocks:
* Portability: test and make clean with other compilers
* Using a fair amount of __attribute__ code.
* [DONE] Should work for GCC now.
* Portability: try to make the vector code as portable as possible
* Currently using clang ext_vector_length.
......@@ -79,15 +80,15 @@ Important work items for Ed448-Goldilocks:
* Portability: make the inner layers of the code 32-bit clean.
* Write new versions of the field code.
* 28-bit limbs give less headroom for carries.
* Now have a vectorless ARM version; need NEON.
* [DONE] 28-bit limbs give less headroom for carries.
* [DONE] Now have a vectorless ARM version; need NEON.
* Improve speed of 32-bit field code.
* Run through the SAGE tool to generate new bias & bound.
* [DONE] Run through the SAGE tool to generate new bias & bound.
* [DONE] Portability: make the outer layers of the code 32-bit clean.
* Performance/flexibility: decide which parameters should be hard-coded.
* [DONE] Performance/flexibility: decide which parameters should be hard-coded.
* Perhaps useful for comb precomputation.
* Performance: Improve SHA512.
......@@ -120,4 +121,4 @@ Important work items for Ed448-Goldilocks:
* Clear other TODO/FIXME/HACK/PERF items in the code
* Submit to SUPERCOP
* [DONE?] Submit to SUPERCOP
This diff is collapsed.
......@@ -4,7 +4,6 @@
#include "word.h"
#include "p448.h"
//#include "x86-64-arith.h"
static inline mask_t __attribute__((always_inline))
is_zero (
......@@ -27,13 +26,7 @@ p448_mul (
p448_t *__restrict__ cs,
const p448_t *as,
const p448_t *bs
) {
// p448_t ar, br;
// p448_copy(&ar,as);
// p448_copy(&br,bs);
// p448_weak_reduce(&ar);
// p448_weak_reduce(&br);
) {
const uint32_t *a = as->limb, *b = bs->limb;
uint32_t *c = cs->limb;
......@@ -41,13 +34,7 @@ p448_mul (
uint32_t mask = (1<<28) - 1;
uint32_t aa[8], bb[8];
/* For some reason clang doesn't vectorize this without prompting? */
// unsigned int i;
// for (i=0; i<sizeof(aa)/sizeof(uint64xn_t); i++) {
// ((uint64xn_t*)aa)[i] = ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(&a[4]))[i];
// ((uint64xn_t*)bb)[i] = ((const uint64xn_t*)b)[i] + ((const uint64xn_t*)(&b[4]))[i];
// }
int i,j;
for (i=0; i<8; i++) {
aa[i] = a[i] + a[i+8];
......@@ -144,7 +131,7 @@ p448_sqr (
p448_t *__restrict__ cs,
const p448_t *as
) {
p448_mul(cs,as,as); // PERF
p448_mul(cs,as,as); /* PERF */
}
void
......
This diff is collapsed.
......@@ -4,7 +4,6 @@
#include "word.h"
#include "p448.h"
//#include "x86-64-arith.h"
static inline mask_t __attribute__((always_inline))
is_zero (
......@@ -105,11 +104,6 @@ p448_mul (
const p448_t *as,
const p448_t *bs
) {
// p448_t ar, br;
// p448_copy(&ar,as);
// p448_copy(&br,bs);
// p448_weak_reduce(&ar);
// p448_weak_reduce(&br);
const uint32_t *a = as->limb, *b = bs->limb;
uint32_t *c = cs->limb;
......@@ -119,12 +113,6 @@ p448_mul (
uint32_t aa[8], bm[8];
/* For some reason clang doesn't vectorize this without prompting? */
// unsigned int i;
// for (i=0; i<sizeof(aa)/sizeof(uint64xn_t); i++) {
// ((uint64xn_t*)aa)[i] = ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(&a[4]))[i];
// ((uint64xn_t*)bb)[i] = ((const uint64xn_t*)b)[i] + ((const uint64xn_t*)(&b[4]))[i];
// }
int i;
for (i=0; i<8; i++) {
aa[i] = a[i] + a[i+8];
......@@ -466,12 +454,6 @@ p448_sqr (
p448_t *__restrict__ cs,
const p448_t *as
) {
// p448_t ar, br;
// p448_copy(&ar,as);
// p448_copy(&br,bs);
// p448_weak_reduce(&ar);
// p448_weak_reduce(&br);
const uint32_t *a = as->limb;
uint32_t *c = cs->limb;
......@@ -479,13 +461,7 @@ p448_sqr (
uint32_t mask = (1<<28) - 1;
uint32_t bm[8];
/* For some reason clang doesn't vectorize this without prompting? */
// unsigned int i;
// for (i=0; i<sizeof(aa)/sizeof(uint64xn_t); i++) {
// ((uint64xn_t*)aa)[i] = ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(&bm[4]))[i];
// ((uint64xn_t*)bb)[i] = ((const uint64xn_t*)b)[i] + ((const uint64xn_t*)(&b[4]))[i];
// }
int i;
for (i=0; i<8; i++) {
bm[i] = a[i] - a[i+8];
......
This diff is collapsed.
......@@ -8,9 +8,12 @@
*
* This lets you test and debug NEON code on x86.
*/
#ifndef __NEON_EMULATION_H__
#define __NEON_EMULATION_H__ 1
/** @cond internal */
#include "word.h"
#include <stdint.h>
......@@ -147,4 +150,6 @@ static inline int64x2_t vmull_lane_s32 (
return xx*(lane?yy.yy:yy.xx);
}
/** @endcond */
#endif /* __NEON_EMULATION_H__ */
......@@ -37,7 +37,7 @@ xx_vaddup_s64(int64x2_t x) {
}
#else
#include "neon_emulation.h"
#endif // ARM_NEON
#endif /* ARM_NEON */
static inline void __attribute__((gnu_inline,always_inline))
smlal (
......@@ -75,12 +75,6 @@ smull2 (
*acc = (int64_t)(int32_t)a * (int64_t)(int32_t)b * 2;
}
// static inline int64x2_t copy_now(int64x2_t x) {
// int64x2_t y;
// __asm__ ("vmov %0, %1" : "=w"(y) : "w"(x));
// return y;
// }
void
p448_mul (
p448_t *__restrict__ cs,
......
This diff is collapsed.
......@@ -180,9 +180,6 @@ p448_mulw (
c[3] = accum0 & mask; accum0 >>= 56;
c[7] = accum4 & mask; accum4 >>= 56;
// c[4] += accum0 + accum4;
// c[0] += accum4;
accum0 += accum4 + c[4];
c[4] = accum0 & mask;
......
......@@ -5,8 +5,11 @@
/* Chacha random number generator code copied from crandom */
#include "intrinsics.h"
#include "crandom.h"
#include "intrinsics.h"
#include "config.h"
#include "magic.h"
#include <stdio.h>
volatile unsigned int crandom_features = 0;
......@@ -67,7 +70,7 @@ INTRINSIC u_int64_t rdrand(int abort_on_fail) {
out = out << 32 | reg;
return out;
# else
abort(); // whut
abort(); /* whut */
# endif
} else {
tries = 0;
......@@ -296,9 +299,6 @@ crandom_chacha_expand(u_int64_t iv,
#endif /* NEED_CONV */
}
/* "return 4", cf xkcd #221 */
#define CRANDOM_MAGIC 0x72657475726e2034ull
int
crandom_init_from_file(
struct crandom_state_t *state,
......@@ -361,6 +361,52 @@ crandom_generate(
int ret = 0;
/*
* Addition 5/21/2014.
*
* If this is used in an application inside a VM, and the VM
* is snapshotted and restored, then crandom_generate() would
* produce the same output.
*
* Of course, the real defense against this is "don't do that",
* but we mitigate it by the RDRAND and/or rdtsc() in the refilling
* code. Since chacha is pseudorandom, when the attacker doesn't
* know the state, it's good enough if RDRAND/rdtsc() return
* different results. However, if (part of) the request is filled
* from the buffer, this won't help.
*
* So, add a flag EXPERIMENT_CRANDOM_BUFFER_CUTOFF_BYTES which
* disables the buffer for requests larger than this size.
*
* Suggest EXPERIMENT_CRANDOM_BUFFER_CUTOFF_BYTES = 0, which
* disables the buffer. But instead you can set it to say 16,
* so that pulls of at least 128 bits will be stirred. This
* could still be a problem for eg 64-bit nonces, but those
* aren't entirely collision-resistant anyway.
*
* Heuristic: large requests are more likely to be
* cryptographically important, and the buffer doesn't impact
* their performance as much. So if the request is bigger
* than a certain size, just drop the buffer on the floor.
*
* This code isn't activated if state->reseed_interval == 0,
* because then the PRNG is deterministic anyway.
*
* TODO: sample 128 bits out of RDRAND() instead of 64 bits.
* TODO: option to completely remove the buffer and fill?
* FUTURE: come up with a less band-aid-y solution to this problem.
*/
#ifdef EXPERIMENT_CRANDOM_BUFFER_CUTOFF_BYTES
if (state->reseed_interval
#if EXPERIMENT_CRANDOM_CUTOFF_BYTES > 0
/* #if'd to a warning from -Wtype-limits in GCC when it's zero */
&& length >= EXPERIMENT_CRANDOM_BUFFER_CUTOFF_BYTES
#endif
) {
state->fill = 0;
}
#endif
while (length) {
if (unlikely(state->fill <= 0)) {
uint64_t iv = 0;
......
This diff is collapsed.
/**
* @file sizes.h
* @copyright
* Copyright (c) 2014 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief BATMAN / SUPERCOP glue for benchmarking.
*/
#include <string.h>
#include "goldilocks.h"
#define PUBLICKEY_BYTES GOLDI_PUBLIC_KEY_BYTES
#define SECRETKEY_BYTES GOLDI_PRIVATE_KEY_BYTES
#define SIGNATURE_BYTES GOLDI_SIGNATURE_BYTES
#define SHAREDSECRET_BYTES GOLDI_SHARED_SECRET_BYTES
#define crypto_dh_PUBLICKEYBYTES PUBLICKEY_BYTES
#define crypto_dh_SECRETKEYBYTES SECRETKEY_BYTES
#define PRIVATEKEY_BYTES SECRETKEY_BYTES
#define crypto_dh_BYTES SHAREDSECRET_BYTES
#define crypto_dh_IMPLEMENTATION "AMD64"
#define crypto_dh_VERSION "2014-07-11"
#define crypto_sign_PUBLICKEYBYTES PUBLICKEY_BYTES
#define crypto_sign_SECRETKEYBYTES SECRETKEY_BYTES
#define crypto_sign_IMPLEMENTATION "AMD64"
#define crypto_sign_VERSION "2014-07-11"
#define crypto_sign_BYTES SIGNATURE_BYTES
#define CRYPTO_DETERMINISTIC 1
/*
#ifndef LOOPS
#define LOOPS 512
#endif
*/
static inline int timingattacks() { return 0; }
static inline int copyrightclaims() { return 0; }
static inline int patentclaims() {
/* Until the end of July 2014, point compression
* is patented. */
return 20;
}
#define crypto_sign_keypair crypto_dh_keypair
static inline int crypto_dh_keypair (
unsigned char pk[SECRETKEY_BYTES],
unsigned char sk[PUBLICKEY_BYTES]
) {
int ret;
ret = goldilocks_init();
if (ret && ret != GOLDI_EALREADYINIT)
return ret;
if ((ret = goldilocks_keygen(
(struct goldilocks_private_key_t *)sk,
(struct goldilocks_public_key_t *)pk
))) abort();
return ret;
}
static inline void keypair (
unsigned char sk[SECRETKEY_BYTES],
unsigned long long *sklen,
unsigned char pk[PUBLICKEY_BYTES],
unsigned long long *pklen
) {
int ret = goldilocks_init();
if (ret) abort();
ret = goldilocks_keygen(
(struct goldilocks_private_key_t *)sk,
(struct goldilocks_public_key_t *)pk
);
if (ret) abort();
*sklen = SECRETKEY_BYTES;
*pklen = PUBLICKEY_BYTES;
}
static inline int crypto_sign (
unsigned char *sm,
unsigned long long *smlen,
const unsigned char *m,
unsigned long long mlen,
const unsigned char sk[SECRETKEY_BYTES]
) {
int ret = goldilocks_sign(
sm, m, mlen,
(const struct goldilocks_private_key_t *)sk
);
if (ret) abort();
memcpy(sm + SIGNATURE_BYTES, m, mlen);
*smlen = mlen + SIGNATURE_BYTES;
return 0;
}
static inline void signmessage (
unsigned char *sm,
unsigned long long *smlen,
const unsigned char *m,
unsigned long long mlen,
const unsigned char sk[SECRETKEY_BYTES],
unsigned long long sklen
) {
if (sklen != PRIVATEKEY_BYTES) abort();
int ret = goldilocks_sign(
sm, m, mlen,
(const struct goldilocks_private_key_t *)sk
);
if (ret) abort();
memcpy(sm + SIGNATURE_BYTES, m, mlen);
*smlen = mlen + SIGNATURE_BYTES;
}
static inline int crypto_sign_open (
unsigned char *m,
unsigned long long *mlen,
const unsigned char *sm,
unsigned long long smlen,
const unsigned char pk[PUBLICKEY_BYTES]
) {
int ret = goldilocks_verify(
sm, sm + SIGNATURE_BYTES, smlen - SIGNATURE_BYTES,
(const struct goldilocks_public_key_t *)pk
);
if (!ret) {
*mlen = smlen - SIGNATURE_BYTES;
memcpy(m, sm + SIGNATURE_BYTES, *mlen);
}
return ret ? -1 : 0;
}
static inline int verification (
const unsigned char *m,
unsigned long long mlen,
const unsigned char *sm,
unsigned long long smlen,
const unsigned char pk[PUBLICKEY_BYTES],
unsigned long long pklen
) {
if (pklen != PUBLICKEY_BYTES) abort();
int ret = goldilocks_verify(
sm, m, mlen,
(const struct goldilocks_public_key_t *)pk
);
return ret ? -1 : 0;
}
static inline int crypto_dh (
unsigned char s[SHAREDSECRET_BYTES],
const unsigned char sk[SECRETKEY_BYTES],
const unsigned char pk[PUBLICKEY_BYTES]
) {
return goldilocks_shared_secret (
s,
(const struct goldilocks_private_key_t *)sk,
(const struct goldilocks_public_key_t *)pk
);
}
static inline int sharedsecret (
unsigned char s[SHAREDSECRET_BYTES],
unsigned long long *slen,
const unsigned char sk[SECRETKEY_BYTES],
unsigned long long sklen,
const unsigned char pk[PUBLICKEY_BYTES],
unsigned long long pklen
) {
if (pklen != PUBLICKEY_BYTES) abort();
if (sklen != SECRETKEY_BYTES) abort();
int ret = goldilocks_shared_secret (
s,
(const struct goldilocks_private_key_t *)sk,
(const struct goldilocks_public_key_t *)pk
);
if (ret) return -1;
*slen = SHAREDSECRET_BYTES;
return 0;
}
......@@ -32,7 +32,7 @@ struct barrett_prime_t {
/**
* The Goldilocks prime. I'm not sure this is the right place for it, but oh well.
*/
extern const struct barrett_prime_t goldi_q448;
extern const struct barrett_prime_t curve_prime_order;
/**
* Reduce a number (with optional high carry word) mod p.
......
/**
* @file config.h
* @copyright
* Copyright (c) 2014 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief Goldilocks top-level configuration flags.
*/
#ifndef __GOLDILOCKS_CONFIG_H__
#define __GOLDILOCKS_CONFIG_H__ 1
/** @brief crandom architecture detection.
* With this flag set to 1, crandom will assume that any flag
* supported by -march and friends (MIGHT_HAVE) will actually
* be available on the target machine (MUST_HAVE), instead of
* trying to detect it.
*
* Without this flag, crandom can detect, eg, that while -mavx
* was passed, the currint machine doesn't support AVX, and can
* fall back to SSE2 or whatever. But the rest of the
* Goldilocks code doesn't support this, so it'll still crash
* with an illegal instruction error.
*
* Setting this flag will make the library smaller.
*/
#define CRANDOM_MIGHT_IS_MUST 1
/**
* @brief Causes crandom to refuse to buffer requests bigger
* than this size. Setting 0 disables buffering for all
* requests, which hurts performance.
*
* The advantage is that if a user process forks or is VM-
* snapshotted, the buffer is not adjusted (FUTURE). However,
* with the buffer disabled, the refresh routines will stir
* in entropy from RDTSC and/or RDRAND, making this operation
* mostly-safe.
*/
#define EXPERIMENT_CRANDOM_BUFFER_CUTOFF_BYTES 0
/**
* @brief Goldilocks uses libpthread mutexes to provide
* thread-safety. If you disable this flag, it won't link
* libpthread, but it won't be thread-safe either.
*/
#define GOLDILOCKS_USE_PTHREAD 1
/**
* @brief Experiment to change the hash inputs for ECDH,
* in a way that obliterates the result -- overwriting it with
* a safe pseudorandom value -- if the public key is invalid.
* That way users who ignore the status result won't be
* exposed to invalid key attacks.
*/
#define EXPERIMENT_ECDH_OBLITERATE_CT 1
/**
* @brief ECDH adds public keys into the hash, to prevent
* esoteric attacks.
*/
#define EXPERIMENT_ECDH_STIR_IN_PUBKEYS 1
#endif // __GOLDILOCKS_CONFIG_H__
#endif /* __GOLDILOCKS_CONFIG_H__ */
......@@ -12,6 +12,7 @@
#ifndef __GOLDI_CRANDOM_H__
#define __GOLDI_CRANDOM_H__ 1
#define _XOPEN_SOURCE 600
#include <stdint.h> /* for uint64_t */
#include <fcntl.h> /* for open */
#include <errno.h> /* for returning errors after open */
......
/**
* @file field.h
* @brief Field switch code.
* @copyright
* Copyright (c) 2014 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
*/
#ifndef __FIELD_H__
#define __FIELD_H__
#include "magic.h"
#include "p448.h"
#define field_t p448_t
#define field_mul p448_mul
#define field_add p448_add
#define field_sub p448_sub
#define field_bias p448_bias
#define field_copy p448_copy
#define field_weak_reduce p448_weak_reduce
#define field_strong_reduce p448_strong_reduce
#define field_cond_swap p448_cond_swap
#define field_cond_neg p448_cond_neg
#define field_serialize p448_serialize
#define field_deserialize p448_deserialize
#define field_is_zero p448_is_zero
#define simultaneous_invert simultaneous_invert_p448 /* FUTURE: consistency */
#endif /* __FIELD_H__ */
......@@ -11,25 +11,27 @@
#define __CRANDOM_INTRINSICS_H__ 1
#include <sys/types.h>
#include "config.h"
#if __i386__ || __x86_64__
#include <immintrin.h>
#endif
/** @brief Macro to make a function static, forcibly inlined and possibly unused. */
#define INTRINSIC \
static __inline__ __attribute__((__gnu_inline__, __always_inline__, unused))
#define GEN 1
#define SSE2 2
#define SSSE3 4
#define AESNI 8
#define XOP 16
#define AVX 32
#define AVX2 64
#define RDRAND 128
#define GEN 1 /**< @brief Intrinsics field has been generated. */