jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
157 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 2eb89045d5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2eb89045d5'
${ noResults }
ed448goldilocks/TODO.txt

136 lines
4.4 KiB
Raw Blame History 

  1. Important work items for Ed448-Goldilocks:

  2. 

  3. * Better architecture detection / factoring of arch-related headers.

  4.     [PROGRESS]

  5. 

  6. * Better factoring of high-level vs low-level library.

  7. 

  8. * Factor out hash, crandom from core library?

  9. 

  10. * Signed 32-bit NEON implementation to avoid bias/reduce after subtract

  11. 

  12. 

  13. 

  14. * Documentation: write high-level API docs, and internal docs to help

  15.   other implementors.

  16.     * Partial progress on Doxygenating the code.

  17. 

  18. * Documentation: write a spec or add to Watson's

  19. 

  20. * Cleanup: rename everything consistently.

  21.     * namespace_op or op_namespace?  namespace_op_type?

  22.     * We don't have to be super-careful with the namespacing, because

  23.       symbols will be scrubbed by exported.sym.

  24. 

  25. * Cleanup: hard-coded tables (probably?)

  26.     * This reduces the work required for goldilocks_init() at the expense

  27.       of library size.

  28.      

  29.     * Makes error-handling and thread safety easier.

  30.     

  31.     * Use the SAGE tool?

  32. 

  33. * Cleanup: unify intrinsics code

  34.     * Word_t, mask_t, bigregister_t, etc.

  35.     * Generate asm intrinsics with a script?

  36. 

  37. * [DONE] Bugfix: make sure that init() and randomization are thread-safe.

  38. 

  39. * [DONE] Security: check on deserialization that points are < p.

  40.     * [NEEDS TESTING] Check also that they're nonzero or otherwise non-pathological?

  41. 

  42. * Testing:

  43.     * Corner-case testing

  44.     * More bulk random testing

  45.     * Negative testing.

  46.     * SAGE-(auto?)-generated test vectors

  47.     * Test the Barrett fields

  48. 

  49. * Safety: add static analysis attributes for compilers that support them

  50.     * Most functions now have warn on ignored return.

  51. 

  52. * Safety:

  53.     * [DONE] Check for init() if it's still required once we've done the above

  54.     * Decide what to do about RNG failures

  55.         * abort

  56.         * return error and zeroize

  57.         * return error but continue if RNG is kind of mostly OK

  58.     

  59. * Flexibility: decide which API options are good.

  60.     * [DONE?] Eg, should functions take nbits and table sizes?

  61.     

  62.     * [DONE] Remove hardcoded adjustments from comb control.

  63.         * These adjustments make the output wrong when it's not 450 bits.

  64.         

  65.     * Other slow Barrett fields?  Montgomery fields?

  66. 

  67. * Mid-level API

  68.     * Make it easier to work with untwisted Edwards objects.

  69.     * Probably use extended or projective, not extensible coordinates.

  70.     * Scalarmul with other cofactor modes.

  71. 

  72. * High-level API:

  73.     * SHA512 Elligator Edition?  Maybe write a paper first.

  74.     

  75.     * Elligator.

  76.         * Need to write Elligator inverse.  Might not be Elligator-2S.

  77.     

  78.     * FHMQV? Is this patented?

  79.     

  80.     * What low-level APIs to expose?

  81.         * Edwards points with add, sub, scalarmul, =, ==, ser/deser?

  82. 

  83. * Portability: test and make clean with other compilers

  84.     * Using a fair amount of __attribute__ code.

  85.     * [DONE] Should work for GCC now.

  86. 

  87. * Portability: try to make the vector code as portable as possible

  88.     * Currently using clang ext_vector_length.

  89.     * I can't get a simple for-loop to autovectorize :-/

  90.     * SAGE tool?

  91. 

  92. * Portability: make the inner layers of the code 32-bit clean.

  93.     * Write new versions of the field code.

  94.         * [DONE] 28-bit limbs give less headroom for carries.

  95.         * [DONE] Now have a vectorless ARM version; need NEON.

  96.         * Improve speed of 32-bit field code.

  97.     

  98.     * [DONE] Run through the SAGE tool to generate new bias & bound.

  99. 

  100. * [DONE] Portability: make the outer layers of the code 32-bit clean.

  101. 

  102. * [DONE] Performance/flexibility: decide which parameters should be hard-coded.

  103.     * Perhaps useful for comb precomputation.

  104. 

  105. * Performance: Improve SHA512.

  106.     * [DONE?] Improve portability.

  107.     * Improve speed.

  108.         * Except not, because this adds too much code size.

  109.         * Link OpenSSL if a fast SHA is desired.

  110. 

  111. * Protocol:

  112.     * Decide what things to stir into hashes for various functions.

  113.     

  114. * Performance: improve the Barrett field code.

  115.     * Support other primes?

  116.     * Capture prime shape into a struct instead of passing 3 params.

  117.     * [DONE] Make 32-bit clean.

  118. 

  119. * Automation:

  120.     * Improve the SAGE tool to cover more cases

  121.         * Real SSA classes to cover branching and looping

  122.         * Constant-time selection

  123.         * Intrinsics code

  124.         * Field code?

  125.     

  126.     * SAGE tool is impossibly slow on 32-bit

  127.          * Currently stuck on Elligator after 19 hours.

  128.          * [FIXED] at least for now.

  129.         

  130.     * Vector-mul-chains

  131.     * Negation "bubble pushing" optimization

  132. 

  133. * Clear other TODO/FIXME/HACK/PERF items in the code

  134. 

  135. * [DONE?] Submit to SUPERCOP