jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
550 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: a5c33de79b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a5c33de79b'
${ noResults }
ed448goldilocks/HISTORY.txt

471 lines
21 KiB
Raw Blame History 

  1. October 10, 2020:

  2.     A paper by Konstantinos Chalkias, François Garillot, and Valeria

  3.     Nikolaenko, to be found at:

  4. 

  5.     https://eprint.iacr.org/2020/1244.pdf

  6.     

  7.     discusses malleability in EdDSA implementations.  Their test

  8.     vectors reveal unintentional malleability in libdecaf's version

  9.     of EdDSA verify, in violation of RFC 8032.  With this malleability,

  10.     an attacker could modify an existing valid signature to create a

  11.     new signature that is still valid, but only for the same message.

  12.     

  13.     Releave v1.0.1, correcting this flaw.

  14. 

  15. July 12, 2018:

  16.     Release 1.0 with Johan Pascal's build scripts.

  17. 

  18. October 13, 2017:

  19.     OK, back to preparations for 1.0, today with major changes.

  20.     

  21.     Another group (Isis Lovecruft and Henry de Valence) implemented

  22.     Decaf for Ed25519, whereas this code was implemented for IsoEd25519.

  23.     

  24.     These curves are isogenous, but not exactly the same, so the

  25.     encodings all came out differently.

  26.      

  27.     To harmonize these two so that there is only one implementation

  28.     for Ed25519, we've hammered out a compromise implementation called

  29.     Ristretto.  This is different from the old Decaf encoding in two

  30.     major ways:

  31.         * It checks the sign of x on Ed25519 instead of IsoEd25519.

  32.         * It considers a number "negative" if its low bit is set,

  33.           instead of its high bit.

  34.     

  35.     To avoid extra branches in the code, Ed448Goldilocks is also

  36.     getting these changes to match Ristretto.

  37.     

  38.     The C++ class is also renamed to Ristretto, but IsoEd25519 is a

  39.     synonym for that class.

  40.     

  41.     We might need to check the high bit again instead of low bit if

  42.     E-521 is ever implemented, but I'll special case it then.

  43. 

  44. April 22, 2017:

  45.     Remove STROBE in preparation for 1.0 release.  STROBE has its own

  46.     repo now at https://strobe.sourceforge.io.  I might re-integrate

  47.     it into Decaf once I have produced a version that matches the

  48.     STROBE v1 spec, but it's just confusing to keep v0.2 in here.

  49.     

  50.     Change x{25519,448}_generate_key to _derive_public_key.

  51. 

  52. January 15, 2016:

  53.     Lots of changes since the last entry in HISTORY.TXT.

  54.     

  55.     Pushing eventually toward a 1.0 release, at least for the curves

  56.     themselves (i.e. not for STROBE), still a fair amount of stuff to

  57.     do.

  58.     

  59.     I have pretty much all the functions I want implemented, except

  60.     that maybe there should be a compatibility mode for whatever CFRG

  61.     decides the real life format should be.

  62.     

  63.     The library now supports multiple curves at once.  A decaffeinated

  64.     curve isogenous to Curve25519 is now supported, but not especially

  65.     fast.  This is all still a little rough around the edges.  To make

  66.     it work in a sane way, most of the headers are generated using

  67.     Python templates.  Probably those should be turned back into .h

  68.     files for syntax hilighting purposes; the code generation system

  69.     in general needs quite a tuneup.

  70.     

  71.     The plus side is that this reduces the source code size, especially

  72.     for supporting many curves over many fields.

  73.     

  74.     Currently the code only kind of halfway works on ARM, and not as

  75.     fast as it used to (on NEON anyway), by maybe 15-20%.  I'm

  76.     investigating why.  It's about as fast as it used to be on x86,

  77.     maybe a hair slower.

  78.     

  79.     Montgomery ladder is currently out.  Putting it back in might help

  80.     pin down the ARM NEON performance regression.

  81. 

  82.     The BAT is currently broken.

  83.     

  84.     Tracking at 55 TODO items, about half of which are important-ish.

  85.     Source code size is currently 12.8k wc-lines, including tests and

  86.     old fields (p480 and p521).  I'm still trying to get that down, but

  87.     with things like 600 lines of NEON f_impl.c, that's not an easy task.

  88. 

  89. April 23, 2015:

  90.     Removed the original Goldilocks code; Decaf now stands on its own.

  91.     This cuts the source code approximately in half, to a still-large

  92.     13.7k wc-lines.  (Most of these lines are in the arch-specific

  93.     field implementations.)

  94.     

  95.     Note that the decaf_crypto routines are not intended to set

  96.     standards.  They should be secure, but they're intended more as

  97.     examples of how the core ECC library could be used.

  98.     

  99.     The SHAKE stuff is also mostly an experiment, particularly the

  100.     STROBE protocol/mode stuff.  This is all fine, because the ECC

  101.     library itself is the core, and doesn't require the SHAKE stuff.

  102.     (Except for the C++ header, which should probably also be factored

  103.     so that it doesn't need the SHAKE stuff.)

  104.     

  105.     I've started work on making a Decaf BAT, but not done yet.

  106.     

  107.     I haven't ripped out all old multi-field code, because I intend

  108.     to add support for other fields eventually.  Maybe properly this

  109.     time, instead of with a million compile flags like the original.

  110. 

  111. March 23, 2015:

  112.     I've been fleshing out Decaf, and hopefully the API is somewhere

  113.     near final.  I will probably move a few things around and add a

  114.     scalar inversion command (for AugPAKE and such).

  115.     

  116.     I've built a "decaf_fast" implementation which is about as fast as

  117.     Goldilocks, except that verification still isn't as fast, because

  118.     it needs a precomputed wNAF table which I haven't implemented yet.

  119.     Precomputation is noticeably faster than in Goldilocks; while

  120.     neither is especially optimized, the extended point format works

  121.     slightly better for that purpose.

  122.     

  123.     While optimizing decaf_fast I also found a minor perf problem in

  124.     the constant time lookup code, so that's fixed (I hope?) and

  125.     everything is faster at least on my test machine.

  126.     

  127.     At some point soon-ish, I'd like to start removing the base

  128.     Goldilocks code from this branch.  That will require porting more

  129.     of the tests.  I might make a C++ header for Decaf, which would

  130.     definitely simplify testing.

  131. 

  132. March 1, 2015:

  133.     While by no means complete or stable, I've done most of the ground

  134.     work to implement the "Decaf" point encoding.  This point encoding

  135.     essentially divides the cofactor by 4, turning Goldilocks (or

  136.     Ridinghood or E-521) into a prime-order group.  Furthermore, like

  137.     the Goldilocks encoding, this encoding avoids incompleteness in

  138.     the twisted Edwards formulas with a=-1 by sticking to the order-2q

  139.     subgroup.

  140. 

  141.     Because the group is prime order, and because the "isogeny strategy"

  142.     is not needed, the decaf API can be very simple.  I'm still working

  143.     on exactly what it should be though.  The goal is to have a single-

  144.     file (or a few files) for a "ref" version, which is designed for

  145.     auditability.  The ref version won't be quite so simple as TweetNaCl,

  146.     but nearly so simple and much better commented.  Then there can also

  147.     be an optimized version, perhaps per-platform, which is as fast as

  148.     the original Goldilocks code but hopefully still simpler.

  149. 

  150.     I'm experimenting with SHAKE as the hash function here.  Possibly I

  151.     will also add Keyak as an encryption primitive, so that everything

  152.     can be based on Keccak-f, but I'm open to suggestions.  For example,

  153.     if there's a way to make BLAKE2 as simple and useful as SHAKE

  154.     (including in oversized curves like E-521), then the extra speed

  155.     would certainly be welcome.

  156. 

  157. October 27, 2014:

  158.     Added more support for >512-bit primes.  Changed shared secret

  159.     to not overflow the buffer in this case.  Changed hashing to

  160.     SHA512-PRNG; this doesn't change the behavior in the case that

  161.     only one block is required.

  162. 

  163.     E-521 appears to be working.  Needs more testing, and maybe some

  164.     careful analysis since the carry-handling bounds are awfully tight

  165.     under the current analysis (the "< 5<<57" that it #if0 asserts is

  166.     not actually tight enough under the current analysis; need

  167.     it to be < (1+epsilon) << 59).

  168.     

  169.     So you actually do need to reduce often, at least in the x86_64_r12

  170.     version.

  171.     

  172.     p521/arch_ref64: simple and relatively slow impl.  Like

  173.     p448/arch_ref64, this arch reduces after every add or sub.

  174.     

  175.     p521/arch_x86_64_r12: aggressive, fast implementation.  This impl

  176.     stores 521 bits not in 9 limbs, but 12!  Limbs 3,7,11 are 0, and

  177.     are there only for vector alignment.  (TODO: remove those limbs

  178.     from precomputed tables, so that we don't have to look them up!).

  179.     The carry handling on this build is very tight, and probably could

  180.     stand more analysis.  This is why I have the careful balancing of

  181.     "hexad" and "nonad" multiplies in its Chung-Hasan mul routine.

  182.     

  183.     (TODO: reconsider whether this is even worthwhile on machines

  184.     without AVX2.)

  185.     

  186.     The 'r12 build is a work in progress, and currently only works on

  187.     clang (because it rearranges vectors in the timesW function).

  188.     

  189.     Timings for the fast, aggressive arch on Haswell:

  190.         mul:    146cy

  191.         sqr:    111cy

  192.         invert: 62kcy

  193.         

  194.         keygen: 270kcy

  195.         ecdh:   803kcy

  196.         sign:   283kcy

  197.         verif:  907kcy

  198.         

  199.     Same rules as other Goldi benchmarks.  Turbo off, HT off,

  200.     timing-channel protected (no dataflow from secrets to branches,

  201.     memory lookups or known vt instructions), compressed points.

  202.     

  203. 

  204. October 23, 2014:

  205.     Pushing through changes for curve flexibility.  First up is

  206.     Ed480-Ridinghood, because it has the same number of words.  Next

  207.     is E-521.

  208.     

  209.     Experimental support for Ed480-Ridinghood.  To use, compile with

  210.         make ... FIELD=p480 -XCFLAGS=-DGOLDI_FIELD_BITS=480

  211.     

  212.     I still need to figure out what to do about the fact that the library

  213.     is called "goldilocks", but in will soon support curves that are not

  214.     ed448-goldilocks, at least experimentally.

  215.         

  216.     Currently the whole system's header "goldilocks.h" doesn't have

  217.     a simpler way to override field size, but it does work (as a hack)

  218.     with -DGOLDI_FIELD_BITS=...

  219.     

  220.     There is no support yet for coexistence of multiple fields in one

  221.     library.  The field routines will have unique names, but scalarmul*

  222.     won't, and the top-level goldilocks routines have fixed names.

  223.     

  224.     Current timings on Haswell:

  225.         Goldilocks: 178kcy keygen, 536kcy ecdh

  226.         Ridinghood: 193kcy keygen, 617kcy ecdh

  227.     

  228.     Note that Ridinghood ECDH does worse than 480/448.  This is at least

  229.     in part because I haven't calculated the overflow handling limits yet

  230.     in ec_point.h (this is a disadvantage of dropping the automated

  231.     tool for generating that file).  So I'm reducing much more often

  232.     than I need to.  (There's a really loud TODO in ec_point.h for that.)

  233.     

  234.     Also, I haven't tested the limits on these reductions in a while, so

  235.     it could be that there are actual (security-critical) bugs in this

  236.     area, at least for p448.  Now that there's field flexibility, it's

  237.     probably a good idea to make a field impl with extra words to check

  238.     this.

  239.     

  240.     Furthermore, field_mulw_scc will perform differently on these two

  241.     curves based on whether the curve constant is positive or negative.

  242.     I should probably go optimize the "hot" routines like montgomery_step

  243.     to have separate cases for positive and negative.

  244. 

  245. September 29, 2014:

  246.     Yesterday I put in some more architecture detection, but it should

  247.     really be based on the arch directory, because what's in there really

  248.     was a terrible hack.  So I've changed it to use $arch/arch_config.h

  249.     to get WORD_BITS.

  250.     

  251.     I've tweaked the eBAT construction code to rename the architectures

  252.     using test/batarch.map.  Maybe I should also rename them internally,

  253.     but not yet.

  254.     

  255.     I added some new TODO.txt items.  Some folks have been asking for a

  256.     more factored library, instead of this combined arithmetic, curve code,

  257.     encodings and protocol all-in-one jumble.  Likewise the hash and RNG

  258.     should be flexible.

  259.     

  260.     I've also been meaning to put more work in on SPAKE2EE, which would

  261.     also mean finalizing the Elligator code.

  262. 

  263. September 18, 2014:

  264.     Begin work on a "ref" implementation.  Currently this is just the

  265.     arch_ref64 architecture.  The ref implementation always weak_reduces

  266.     after arithmetic, and doesn't use vectors or other hackery.  Currently

  267.     it still must declare field elements as vector aligned, though,

  268.     other code outside the arch directory can be vectorized.

  269. 

  270.     Change goldilocks.c to use field_eq instead of calling deep into field

  271.     apis.

  272. 

  273. September 6, 2014:

  274.     Pull in minor changes from David Leon Gil and Nicholas Wilson, with

  275.     some adjustments.  I hope the adjustments don't break their compiles.

  276. 

  277.     `make bat` now makes a bat which passes supercop-fastbuild, though

  278.     the benchmarks are rather different from `make bench`.  I need to track

  279.     down why.

  280. 

  281. August 4, 2014:

  282.     Experiments and bug fixes.

  283. 

  284.     Add really_memset = memset_s (except not because I'm setting -std=c99),

  285.     thanks David Leon Gil.  I think I put it in the right places.

  286. 

  287.     Try to work around what I think is a compiler bug in GCC -O3 on non-AVX

  288.     platforms.  I can't seem to work around it as -Os, so I'm just flagging

  289.     a warning (-Werror makes it an error) for now.  Will take more

  290.     investigation.  Thanks Samuel Neves.

  291. 

  292.     Added an experimental (not ready yet!) ARM NEON implementation in

  293.     arch_neon_experimental.  This implementation seems to work, but needs

  294.     more testing.  It is currently asm-heavy and not GCC clean.  I am

  295.     planning to have a flag for it to use intrinsics instead of asm;

  296.     currently the intrinsics are commented out.  On clang this does ECDH

  297.     in 1850kcy on my BeagleBone Black, comparable to Curve41417.  Once this

  298.     is ready, I will probably move it to arch_neon proper, since arch_neon

  299.     isn't particularly tuned.

  300. 

  301. July 11, 2014:

  302.     This is mostly a cleanup release.

  303. 

  304.     Added CRANDOM_MIGHT_IS_MUST config flag (default: 1).  When set, this

  305.     causes crandom to assume that all features in the target arch will

  306.     be available, instead of detecting them.  This makes sense because

  307.     the rest of the Goldilocks code is not (yet?) able to detect features.

  308.     Also, I'd like to submit this to SUPERCOP eventually, and SUPERCOP won't

  309.     pass -DMUST_HAVE_XXX on the command line the way the Makefile here did.

  310.     

  311.     Flag EXPERIMENT_CRANDOM_BUFFER_CUTOFF_BYTES to disable the crandom

  312.     output buffer.  This buffer improves performance (very marginally at

  313.     Goldilocks sizes), but can cause problems with forking and VM

  314.     snapshotting.  By default, the buffer is now disabled.

  315.     

  316.     I've slightly tweaked the Elligator implementation (which is still

  317.     unused) to make it easier to invert.  This makes anything using Elligator

  318.     (i.e. nothing) incompatible with previous releases.

  319.     

  320.     I've been factoring "magic" constants such as curve orders, window sizes,

  321.     etc into a few headers, to reduce the effort to port the code to other

  322.     primes, curves, etc.  For example, I could test the Microsoft curves, and

  323.     something like:

  324.         x^2 + y^2 = 1 +- 5382[45] x^2 y^2 mod 2^480-2^240-1

  325.     ("Goldeneye"? "Ridinghood"?) might be a reasonable thing to try for

  326.     64-bit CPUs.

  327.     

  328.     In a similar vein, most of the internal code has been changed to say

  329.     "field" instead of p448, so that a future version of magic.h can decide

  330.     which field header to include.

  331.     

  332.     You can now `make bat` to create an eBAT in build/ed448-goldilocks.  This

  333.     is only minimally tested, though, because SUPERCOP doesn't work on my

  334.     machine and I'm too lazy to reverse engineer it.  It sets a new macro,

  335.     SUPERCOP_WONT_LET_ME_OPEN_FILES, which causes goldilocks_init() to fall

  336.     back to something horribly insecure if crandom_init_from_file raises

  337.     EMFILE.

  338.     

  339.     Slightly improved documentation.

  340.     

  341.     Removed some old commented-out code; restored the /* C-style */ comment

  342.     discipline.

  343.     

  344.     The AMD-64 version should now be GCC clean, at least for reasonably

  345.     recent GCC (tested on OS X.9.3, Haswell, gcc-4.9).

  346.     

  347.     History no longer says "2104".

  348. 

  349. May 3, 2014:

  350.     Minor changes to internal routines mean that this version is not

  351.     compatible with the previous one.

  352. 

  353.     Added ARM NEON code.

  354.     

  355.     Added the ability to precompute multiples of a partner's public key.  This

  356.     takes slightly longer than a signature verification, but reduces future

  357.     verifications with the precomputed key by ~63% and ECDH by ~70%.

  358.     

  359.         goldilocks_precompute_public_key

  360.         goldilocks_destroy_precomputed_public_key

  361.         goldilocks_verify_precomputed

  362.         goldilocks_shared_secret_precomputed

  363.     

  364.     The precomputation feature are is protected by a macro

  365.         GOLDI_IMPLEMENT_PRECOMPUTED_KEYS

  366.     which can be #defined to 0 to compile these functions out.  Unlike most

  367.     of Goldilocks' functions, goldilocks_precompute_public_key uses malloc()

  368.     (and goldilocks_destroy_precomputed_public_key uses free()).

  369.     

  370.     Changed private keys to be derived from just the symmetric part.  This

  371.     means that you can compress them to 32 bytes for cold storage, or derive

  372.     keypairs from crypto secrets from other systems.

  373.         goldilocks_derive_private_key

  374.         goldilocks_underive_private_key

  375.         goldilocks_private_to_public

  376.     

  377.     Fixed a number of bugs related to vector alignment on Sandy Bridge, which

  378.     has AVX but uses SSE2 alignment (because it doesn't have AVX2).  Maybe I

  379.     should just switch it to use AVX2 alignment?

  380.     

  381.     Beginning to factor out curve-specific magic, so as to build other curves

  382.     with the Goldilocks framework.  That would enable fair tests against eg

  383.     E-521, Ed25519 etc.  Still would be a lot of work.

  384.     

  385.     More thorough testing of arithmetic.  Now uses GMP for testing framework,

  386.     but not in the actual library.

  387.     

  388.     Added some high-level tests for the whole library, including some (bs)

  389.     negative testing.  Obviously, effective negative testing is a very difficult

  390.     proposition in a crypto library.

  391. 

  392. March 29, 2014:

  393.     Added a test directory with various tests.  Currently testing SHA512 Monte

  394.     Carlo, compatibility of the different scalarmul functions, and some

  395.     identities on EC point ops.  Began moving these tests out of benchmarker.

  396.     

  397.     Added scan-build support.

  398.     

  399.     Improved some internal interfaces.  Made a structure for Barrett primes

  400.     instead of passing parameters individually.  Moved some field operations

  401.     to places that make more sense, eg Barrett serialize and deserialize.  The

  402.     deserialize operation now checks that its argument is in [0,q).

  403.     

  404.     Added more documentation.

  405.     

  406.     Changed the names of a bunch of functions.  Still not entirely consistent,

  407.     but getting more so.

  408.     

  409.     Some minor speed improvements.  For example, multiply is now a couple cycles

  410.     faster.

  411.     

  412.     Added a hackish attempt at thread-safety and initialization sanity checking

  413.     in the Goldilocks top-level routines.

  414.     

  415.     Fixed some vector alignment bugs.  Compiling with -O0 should now work.

  416.     

  417.     Slightly simplified recode_wnaf.

  418. 

  419.     Add a config.h file for future configuration.  EXPERIMENT flags moved here.

  420.     

  421.     I've decided against major changes to SHA512 for the moment.  They add speed

  422.     but also significantly bloat the code, which is going to hurt L1 cache

  423.     performance.  Perhaps we should link to OpenSSL if a faster SHA512 is desired.

  424.     

  425.     Reorganize the source tree into src, test; factor arch stuff into src/arch_*.

  426.     

  427.     Make most of the code 32-bit clean.  There's now a 32-bit generic and 32-bit

  428.     vectorless ARM version.  No NEON version yet because I don't have a test

  429.     machine (could use my phone in a pinch I guess?).  The 32-bit version still

  430.     isn't heavily optimized, but on ARM it's using a nicely reworked signed/phi-adic

  431.     multiplier.  The squaring is also based on this, but could really stand some

  432.     improvement.

  433.     

  434.     When passed an even exponent (or extra doubles), the Montgomery ladder should

  435.     now be accept points if and only if they lie on the curve.  This needs

  436.     additional testing, but it passes the zero bit exponent test.

  437.     

  438.     On 32-bit, use 8x4x14 instead of 5x5x18 table organization.  Probably there's

  439.     a better heuristic.

  440. 

  441. March 5, 2014:

  442.     First revision.

  443.     

  444.     Private keys are now longer.  They now store a copy of the public key, and

  445.     a secret symmetric key for signing purposes.

  446.     

  447.     Signatures are now supported, though like everything else in this library,

  448.     their format is not stable.  They use a deterministic Schnorr mode,

  449.     similar to EdDSA.  Precomputed low-latency signing is not supported (yet?).

  450.     The hash function is SHA-512.

  451.     

  452.     The deterministic hashing mode needs to be changed to HMAC (TODO!).  It's

  453.     currently envelope-MAC.

  454.     

  455.     Probably in the future there will be a distinction between ECDH key and

  456.     signing keys (and possibly also MQV keys etc).

  457.     

  458.     Began renaming internal functions.  Removing p448_ prefixes from EC point

  459.     operations.  Trying to put the verb first.  For example,

  460.     "p448_isogeny_un_to_tw" is now called "twist_and_double".

  461.     

  462.     Began documenting with Doxygen.  Use "make doc" to make a very incomplete

  463.     documentation directory.

  464.     

  465.     There have been many other internal changes.

  466. 

  467. Feb 21, 2014:

  468.     Initial import and benchmarking scripts.

  469.     

  470.     Keygen and ECDH are implemented, but there's no hash function.