jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 8ebdfaee0b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8ebdfaee0b'
${ noResults }
ed448goldilocks/HISTORY.txt

123 lines
5.3 KiB
Raw Blame History 

  1. May 3, 2104:

  2.     Minor changes to internal routines mean that this version is not

  3.     compatible with the previous one.

  4. 

  5.     Added ARM NEON code.

  6.     

  7.     Added the ability to precompute multiples of a partner's public key.  This

  8.     takes slightly longer than a signature verification, but reduces future

  9.     verifications with the precomputed key by ~63% and ECDH by ~70%.

  10.     

  11.         goldilocks_precompute_public_key

  12.         goldilocks_destroy_precomputed_public_key

  13.         goldilocks_verify_precomputed

  14.         goldilocks_shared_secret_precomputed

  15.     

  16.     The precomputation feature are is protected by a macro

  17.         GOLDI_IMPLEMENT_PRECOMPUTED_KEYS

  18.     which can be #defined to 0 to compile these functions out.  Unlike most

  19.     of Goldilocks' functions, goldilocks_precompute_public_key uses malloc()

  20.     (and goldilocks_destroy_precomputed_public_key uses free()).

  21.     

  22.     Changed private keys to be derived from just the symmetric part.  This

  23.     means that you can compress them to 32 bytes for cold storage, or derive

  24.     keypairs from crypto secrets from other systems.

  25.         goldilocks_derive_private_key

  26.         goldilocks_underive_private_key

  27.         goldilocks_private_to_public

  28.     

  29.     Fixed a number of bugs related to vector alignment on Sandy Bridge, which

  30.     has AVX but uses SSE2 alignment (because it doesn't have AVX2).  Maybe I

  31.     should just switch it to use AVX2 alignment?

  32.     

  33.     Beginning to factor out curve-specific magic, so as to build other curves

  34.     with the Goldilocks framework.  That would enable fair tests against eg

  35.     E-521, Ed25519 etc.  Still would be a lot of work.

  36.     

  37.     More thorough testing of arithmetic.  Now uses GMP for testing framework,

  38.     but not in the actual library.

  39.     

  40.     Added some high-level tests for the whole library, including some (bs)

  41.     negative testing.  Obviously, effective negative testing is a very difficult

  42.     proposition in a crypto library.

  43. 

  44. March 29, 2014:

  45.     Added a test directory with various tests.  Currently testing SHA512 Monte

  46.     Carlo, compatibility of the different scalarmul functions, and some

  47.     identities on EC point ops.  Began moving these tests out of benchmarker.

  48.     

  49.     Added scan-build support.

  50.     

  51.     Improved some internal interfaces.  Made a structure for Barrett primes

  52.     instead of passing parameters individually.  Moved some field operations

  53.     to places that make more sense, eg Barrett serialize and deserialize.  The

  54.     deserialize operation now checks that its argument is in [0,q).

  55.     

  56.     Added more documentation.

  57.     

  58.     Changed the names of a bunch of functions.  Still not entirely consistent,

  59.     but getting more so.

  60.     

  61.     Some minor speed improvements.  For example, multiply is now a couple cycles

  62.     faster.

  63.     

  64.     Added a hackish attempt at thread-safety and initialization sanity checking

  65.     in the Goldilocks top-level routines.

  66.     

  67.     Fixed some vector alignment bugs.  Compiling with -O0 should now work.

  68.     

  69.     Slightly simplified recode_wnaf.

  70. 

  71.     Add a config.h file for future configuration.  EXPERIMENT flags moved here.

  72.     

  73.     I've decided against major changes to SHA512 for the moment.  They add speed

  74.     but also significantly bloat the code, which is going to hurt L1 cache

  75.     performance.  Perhaps we should link to OpenSSL if a faster SHA512 is desired.

  76.     

  77.     Reorganize the source tree into src, test; factor arch stuff into src/arch_*.

  78.     

  79.     Make most of the code 32-bit clean.  There's now a 32-bit generic and 32-bit

  80.     vectorless ARM version.  No NEON version yet because I don't have a test

  81.     machine (could use my phone in a pinch I guess?).  The 32-bit version still

  82.     isn't heavily optimized, but on ARM it's using a nicely reworked signed/phi-adic

  83.     multiplier.  The squaring is also based on this, but could really stand some

  84.     improvement.

  85.     

  86.     When passed an even exponent (or extra doubles), the Montgomery ladder should

  87.     now be accept points if and only if they lie on the curve.  This needs

  88.     additional testing, but it passes the zero bit exponent test.

  89.     

  90.     On 32-bit, use 8x4x14 instead of 5x5x18 table organization.  Probably there's

  91.     a better heuristic.

  92. 

  93. March 5, 2014:

  94.     First revision.

  95.     

  96.     Private keys are now longer.  They now store a copy of the public key, and

  97.     a secret symmetric key for signing purposes.

  98.     

  99.     Signatures are now supported, though like everything else in this library,

  100.     their format is not stable.  They use a deterministic Schnorr mode,

  101.     similar to EdDSA.  Precomputed low-latency signing is not supported (yet?).

  102.     The hash function is SHA-512.

  103.     

  104.     The deterministic hashing mode needs to be changed to HMAC (TODO!).  It's

  105.     currently envelope-MAC.

  106.     

  107.     Probably in the future there will be a distinction between ECDH key and

  108.     signing keys (and possibly also MQV keys etc).

  109.     

  110.     Began renaming internal functions.  Removing p448_ prefixes from EC point

  111.     operations.  Trying to put the verb first.  For example,

  112.     "p448_isogeny_un_to_tw" is now called "twist_and_double".

  113.     

  114.     Began documenting with Doxygen.  Use "make doc" to make a very incomplete

  115.     documentation directory.

  116.     

  117.     There have been many other internal changes.

  118. 

  119. Feb 21, 2014:

  120.     Initial import and benchmarking scripts.

  121.     

  122.     Keygen and ECDH are implemented, but there's no hash function.