commit acd09505ae9f0e420a55108983fefd46997b1c9e Author: Michael Hamburg Date: Fri Feb 21 11:26:37 2014 -0800 Just the text files, until I get Legal approval to push the button diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 0000000..9c8013b --- /dev/null +++ b/LICENSE.txt @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2011 Stanford University. +Copyright (c) 2014 Cryptography Research, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/README.txt b/README.txt new file mode 100644 index 0000000..c73c88a --- /dev/null +++ b/README.txt @@ -0,0 +1,42 @@ +Ed448-Goldilocks + +This software is an experimental implementation of a new 448-bit elliptic +curve called Ed448-Goldilocks. The implementation itself is based on that of +an earlier, unnamed 252-bit curve which should probably be referred to as +Ed252-MontgomeryStation. See http://eprint.iacr.org/2012/309 for details of +that implementation. + +The source files here are all by Mike Hamburg. Most of them are (c) 2014 +Cryptography Research, Inc (a division of Rambus). The cRandom +implementation is the exception: these files are from the OpenConflict video +game protection system out of Stanford, and are (c) 2011 Stanford +University. All of these files are usable under the MIT license contained in +LICENSE.txt. + +The Makefile is set for my 2013 MacBook Air. You can `make runbench` to run +a completely arbitrary set of benchmarks and tests, or `make +build/goldilocks.so` to build a stripped-down version of the library. For +non-Haswell platforms, you need to replace -mavx2 -mbmi2 by an appropriate +vector declaration. For non-Mac platforms, you won't be able to build a +library with this Makefile. This is fine, because you shouldn't be using +this for much at this stage anyway. + +I've attempted to protect against timing attacks and invalid point attacks, +but as of yet no attempt to protect against power analysis. This is an early +revision, so I haven't done much analysis or correctness testing of +corner-cases. + +The code in ec_point.c and ec_point.h was generated with the help of a tool +written in SAGE. The field code in p448.h doesn't reduce after add/sub, and +so it requires care to prevent overflow. The SAGE tool figures out where to +put reductions and adjustments to prevent overflow. It also formally +verifies that the formulas produce points on the curve. I'm planning to add +more features to it eventually. That tool is even more experimental than +this library, though, and so I won't be releasing it just yet. + +This software is incomplete, and lacks documentation. None of the APIs are +stable. The software is probably not secure. Please consult TODO.txt for +additional agenda items. Do not taunt happy fun ball. + +Cheers, +-- Mike Hamburg diff --git a/TODO.txt b/TODO.txt new file mode 100644 index 0000000..18cd7eb --- /dev/null +++ b/TODO.txt @@ -0,0 +1,120 @@ +Important work items for Ed448-Goldilocks: + +* Import SHA-512 or SHA-3. + * Decide which. + * Get a public-domain version which is 64-bit and 32-bit clean. + * Update LICENSE and README to reflect that SHA is not my code. + * Incorporate hashing into goldilocks_shared_secret. + * It's a pretty terrible shared secret right now. + * Decide on output size + +* Documentation: write high-level API docs, and internal docs to help + other implementors. + +* Documentation: write a spec or add to Watson's + +* Cleanup: rename everything consistently. + * namespace_op or op_namespace? namespace_op_type? + * We don't have to be super-careful with the namespacing, because + symbols will be scrubbed by exported.sym. + +* Cleanup: hard-coded tables (probably?) + * This reduces the work required for goldilocks_init() at the expense + of library size. + + * Makes error-handling and thread safety easier. + + * Use the SAGE tool? + +* Cleanup: unify intrinsics code + * Word_t, mask_t, bigregister_t, etc. + * Generate asm intrinsics with a script? + +* Bugfix: make sure that init() and randomization are thread-safe. + +* Security: check on deserialization that points are < p. + * Check also that they're nonzero or otherwise non-pathological? + +* Testing: + * Corner-case testing + * more bulk random testing + * SAGE-(auto?)-generated test vectors + * Test the Barrett fields + +* Safety: add static analysis attributes for compilers that support them + * EG, warn on ignored return types + +* Safety: + * Check for init() if it's still required once we've done the above + * Decide what to do about RNG failures + * abort + * return error and zeroize + * return error but continue if RNG is kind of mostly OK + +* Flexibility: decide which API options are good. + * Eg, should functions take nbits and table sizes? + + * Remove hardcoded adjustments from comb control. + * These adjustments make the output wrong when it's not 450 bits. + + * Other slow Barrett fields? Montgomery fields? + +* Mid-level API + * Make it easier to work with untwisted Edwards objects. + * Probably use extended or projective, not extensible coordinates. + * Scalarmul with other cofactor modes. + +* High-level API: + * Signatures. + * Decide on strictness level. + + * SPAKE2 Elligator Edition? Maybe write a paper first. + + * Elligator. + * Need to write Elligator inverse. Might not be Elligator-2S. + + * What low-level APIs to expose? + * Edwards points with add, sub, scalarmul, =, ==, ser/deser? + +* Portability: try to make the vector code as portable as possible + * Currently using clang ext_vector_length. + * I can't get a simple for-loop to autovectorize :-/ + * SAGE tool? + +* Portability: make the inner layers of the code 32-bit clean. + * Write new versions of the field code. + * 28-bit limbs give less headroom for carries. + * NEON and vectorless ARM. + + * Run through the SAGE tool to generate new bias & bound. + +* Portability: make the outer layers of the code 32-bit clean. + * I don't think that there are endian bugs, but who knows? + + * NEON and vectorless constant-time comparison. + +* Performance: write and incorporate some extra routines + * Deserialize_and_isogeny + * Unconditional negate (or just plain subtract) + +* Performance: fixed parameters? + * Perhaps useful for comb precomputation. + +* Performance: improve the Barrett field code. + * Support other primes? + * Capture prime shape into a struct instead of passing 3 params. + * Make 32-bit clean. (SAGE?) + +* Automation: + * Improve the SAGE tool to cover more cases + * Real SSA classes to cover branching and looping + * Constant-time selection + * Intrinsics code + * Field code? + + * Vector-mul-chains + * Negation "bubble pushing" optimization + +* Clear other TODO/FIXME/HACK/PERF items in the code + +* Submit to SUPERCOP