Commit acd09505 authored by Michael Hamburg's avatar Michael Hamburg

Just the text files, until I get Legal approval to push the button

parents
The MIT License (MIT)
Copyright (c) 2011 Stanford University.
Copyright (c) 2014 Cryptography Research, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
Ed448-Goldilocks
This software is an experimental implementation of a new 448-bit elliptic
curve called Ed448-Goldilocks. The implementation itself is based on that of
an earlier, unnamed 252-bit curve which should probably be referred to as
Ed252-MontgomeryStation. See http://eprint.iacr.org/2012/309 for details of
that implementation.
The source files here are all by Mike Hamburg. Most of them are (c) 2014
Cryptography Research, Inc (a division of Rambus). The cRandom
implementation is the exception: these files are from the OpenConflict video
game protection system out of Stanford, and are (c) 2011 Stanford
University. All of these files are usable under the MIT license contained in
LICENSE.txt.
The Makefile is set for my 2013 MacBook Air. You can `make runbench` to run
a completely arbitrary set of benchmarks and tests, or `make
build/goldilocks.so` to build a stripped-down version of the library. For
non-Haswell platforms, you need to replace -mavx2 -mbmi2 by an appropriate
vector declaration. For non-Mac platforms, you won't be able to build a
library with this Makefile. This is fine, because you shouldn't be using
this for much at this stage anyway.
I've attempted to protect against timing attacks and invalid point attacks,
but as of yet no attempt to protect against power analysis. This is an early
revision, so I haven't done much analysis or correctness testing of
corner-cases.
The code in ec_point.c and ec_point.h was generated with the help of a tool
written in SAGE. The field code in p448.h doesn't reduce after add/sub, and
so it requires care to prevent overflow. The SAGE tool figures out where to
put reductions and adjustments to prevent overflow. It also formally
verifies that the formulas produce points on the curve. I'm planning to add
more features to it eventually. That tool is even more experimental than
this library, though, and so I won't be releasing it just yet.
This software is incomplete, and lacks documentation. None of the APIs are
stable. The software is probably not secure. Please consult TODO.txt for
additional agenda items. Do not taunt happy fun ball.
Cheers,
-- Mike Hamburg
Important work items for Ed448-Goldilocks:
* Import SHA-512 or SHA-3.
* Decide which.
* Get a public-domain version which is 64-bit and 32-bit clean.
* Update LICENSE and README to reflect that SHA is not my code.
* Incorporate hashing into goldilocks_shared_secret.
* It's a pretty terrible shared secret right now.
* Decide on output size
* Documentation: write high-level API docs, and internal docs to help
other implementors.
* Documentation: write a spec or add to Watson's
* Cleanup: rename everything consistently.
* namespace_op or op_namespace? namespace_op_type?
* We don't have to be super-careful with the namespacing, because
symbols will be scrubbed by exported.sym.
* Cleanup: hard-coded tables (probably?)
* This reduces the work required for goldilocks_init() at the expense
of library size.
* Makes error-handling and thread safety easier.
* Use the SAGE tool?
* Cleanup: unify intrinsics code
* Word_t, mask_t, bigregister_t, etc.
* Generate asm intrinsics with a script?
* Bugfix: make sure that init() and randomization are thread-safe.
* Security: check on deserialization that points are < p.
* Check also that they're nonzero or otherwise non-pathological?
* Testing:
* Corner-case testing
* more bulk random testing
* SAGE-(auto?)-generated test vectors
* Test the Barrett fields
* Safety: add static analysis attributes for compilers that support them
* EG, warn on ignored return types
* Safety:
* Check for init() if it's still required once we've done the above
* Decide what to do about RNG failures
* abort
* return error and zeroize
* return error but continue if RNG is kind of mostly OK
* Flexibility: decide which API options are good.
* Eg, should functions take nbits and table sizes?
* Remove hardcoded adjustments from comb control.
* These adjustments make the output wrong when it's not 450 bits.
* Other slow Barrett fields? Montgomery fields?
* Mid-level API
* Make it easier to work with untwisted Edwards objects.
* Probably use extended or projective, not extensible coordinates.
* Scalarmul with other cofactor modes.
* High-level API:
* Signatures.
* Decide on strictness level.
* SPAKE2 Elligator Edition? Maybe write a paper first.
* Elligator.
* Need to write Elligator inverse. Might not be Elligator-2S.
* What low-level APIs to expose?
* Edwards points with add, sub, scalarmul, =, ==, ser/deser?
* Portability: try to make the vector code as portable as possible
* Currently using clang ext_vector_length.
* I can't get a simple for-loop to autovectorize :-/
* SAGE tool?
* Portability: make the inner layers of the code 32-bit clean.
* Write new versions of the field code.
* 28-bit limbs give less headroom for carries.
* NEON and vectorless ARM.
* Run through the SAGE tool to generate new bias & bound.
* Portability: make the outer layers of the code 32-bit clean.
* I don't think that there are endian bugs, but who knows?
* NEON and vectorless constant-time comparison.
* Performance: write and incorporate some extra routines
* Deserialize_and_isogeny
* Unconditional negate (or just plain subtract)
* Performance: fixed parameters?
* Perhaps useful for comb precomputation.
* Performance: improve the Barrett field code.
* Support other primes?
* Capture prime shape into a struct instead of passing 3 params.
* Make 32-bit clean. (SAGE?)
* Automation:
* Improve the SAGE tool to cover more cases
* Real SSA classes to cover branching and looping
* Constant-time selection
* Intrinsics code
* Field code?
* Vector-mul-chains
* Negation "bubble pushing" optimization
* Clear other TODO/FIXME/HACK/PERF items in the code
* Submit to SUPERCOP
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment