Just the text files, until I get Legal approval to push the button

LICENSE.txt

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2011 Stanford University.
+Copyright (c) 2014 Cryptography Research, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.txt

@@ -0,0 +1,42 @@
+Ed448-Goldilocks
+
+This software is an experimental implementation of a new 448-bit elliptic
+curve called Ed448-Goldilocks. The implementation itself is based on that of
+an earlier, unnamed 252-bit curve which should probably be referred to as
+Ed252-MontgomeryStation. See http://eprint.iacr.org/2012/309 for details of
+that implementation.
+
+The source files here are all by Mike Hamburg. Most of them are (c) 2014
+Cryptography Research, Inc (a division of Rambus). The cRandom
+implementation is the exception: these files are from the OpenConflict video
+game protection system out of Stanford, and are (c) 2011 Stanford
+University. All of these files are usable under the MIT license contained in
+LICENSE.txt.
+
+The Makefile is set for my 2013 MacBook Air. You can `make runbench` to run
+a completely arbitrary set of benchmarks and tests, or `make
+build/goldilocks.so` to build a stripped-down version of the library. For
+non-Haswell platforms, you need to replace -mavx2 -mbmi2 by an appropriate
+vector declaration. For non-Mac platforms, you won't be able to build a
+library with this Makefile. This is fine, because you shouldn't be using
+this for much at this stage anyway.
+
+I've attempted to protect against timing attacks and invalid point attacks,
+but as of yet no attempt to protect against power analysis. This is an early
+revision, so I haven't done much analysis or correctness testing of
+corner-cases.
+
+The code in ec_point.c and ec_point.h was generated with the help of a tool
+written in SAGE. The field code in p448.h doesn't reduce after add/sub, and
+so it requires care to prevent overflow. The SAGE tool figures out where to
+put reductions and adjustments to prevent overflow. It also formally
+verifies that the formulas produce points on the curve. I'm planning to add
+more features to it eventually. That tool is even more experimental than
+this library, though, and so I won't be releasing it just yet.
+
+This software is incomplete, and lacks documentation. None of the APIs are
+stable. The software is probably not secure. Please consult TODO.txt for
+additional agenda items. Do not taunt happy fun ball.
+
+Cheers,
+-- Mike Hamburg

TODO.txt

@@ -0,0 +1,120 @@
+Important work items for Ed448-Goldilocks:
+
+* Import SHA-512 or SHA-3.
+    * Decide which.
+    * Get a public-domain version which is 64-bit and 32-bit clean.
+    * Update LICENSE and README to reflect that SHA is not my code.
+    * Incorporate hashing into goldilocks_shared_secret.
+        * It's a pretty terrible shared secret right now.
+        * Decide on output size
+
+* Documentation: write high-level API docs, and internal docs to help
+  other implementors.
+
+* Documentation: write a spec or add to Watson's
+
+* Cleanup: rename everything consistently.
+    * namespace_op or op_namespace?  namespace_op_type?
+    * We don't have to be super-careful with the namespacing, because
+      symbols will be scrubbed by exported.sym.
+
+* Cleanup: hard-coded tables (probably?)
+    * This reduces the work required for goldilocks_init() at the expense
+      of library size.
+     
+    * Makes error-handling and thread safety easier.
+    
+    * Use the SAGE tool?
+
+* Cleanup: unify intrinsics code
+    * Word_t, mask_t, bigregister_t, etc.
+    * Generate asm intrinsics with a script?
+
+* Bugfix: make sure that init() and randomization are thread-safe.
+
+* Security: check on deserialization that points are < p.
+    * Check also that they're nonzero or otherwise non-pathological?
+
+* Testing:
+    * Corner-case testing
+    * more bulk random testing
+    * SAGE-(auto?)-generated test vectors
+    * Test the Barrett fields
+
+* Safety: add static analysis attributes for compilers that support them
+    * EG, warn on ignored return types
+
+* Safety:
+    * Check for init() if it's still required once we've done the above
+    * Decide what to do about RNG failures
+        * abort
+        * return error and zeroize
+        * return error but continue if RNG is kind of mostly OK
+    
+* Flexibility: decide which API options are good.
+    * Eg, should functions take nbits and table sizes?
+    
+    * Remove hardcoded adjustments from comb control.
+        * These adjustments make the output wrong when it's not 450 bits.
+        
+    * Other slow Barrett fields?  Montgomery fields?
+
+* Mid-level API
+    * Make it easier to work with untwisted Edwards objects.
+    * Probably use extended or projective, not extensible coordinates.
+    * Scalarmul with other cofactor modes.
+
+* High-level API:
+    * Signatures.
+        * Decide on strictness level.
+        
+    * SPAKE2 Elligator Edition?  Maybe write a paper first.
+    
+    * Elligator.
+        * Need to write Elligator inverse.  Might not be Elligator-2S.
+    
+    * What low-level APIs to expose?
+        * Edwards points with add, sub, scalarmul, =, ==, ser/deser?
+
+* Portability: try to make the vector code as portable as possible
+    * Currently using clang ext_vector_length.
+    * I can't get a simple for-loop to autovectorize :-/
+    * SAGE tool?
+
+* Portability: make the inner layers of the code 32-bit clean.
+    * Write new versions of the field code.
+        * 28-bit limbs give less headroom for carries.
+        * NEON and vectorless ARM.
+    
+    * Run through the SAGE tool to generate new bias & bound.
+
+* Portability: make the outer layers of the code 32-bit clean.
+    * I don't think that there are endian bugs, but who knows?
+    
+    * NEON and vectorless constant-time comparison.
+
+* Performance: write and incorporate some extra routines
+    * Deserialize_and_isogeny
+    * Unconditional negate (or just plain subtract)
+
+* Performance: fixed parameters?
+    * Perhaps useful for comb precomputation.
+    
+* Performance: improve the Barrett field code.
+    * Support other primes?
+    * Capture prime shape into a struct instead of passing 3 params.
+    * Make 32-bit clean.  (SAGE?)
+
+* Automation:
+    * Improve the SAGE tool to cover more cases
+        * Real SSA classes to cover branching and looping
+        * Constant-time selection
+        * Intrinsics code
+        * Field code?
+        
+    * Vector-mul-chains
+    * Negation "bubble pushing" optimization
+
+* Clear other TODO/FIXME/HACK/PERF items in the code
+
+* Submit to SUPERCOP