Important work items for Ed448-Goldilocks:
* Documentation: write high-level API docs, and internal docs to help
  other implementors.
  * Partial progress on Doxygenating the code.
* Documentation: write a spec or add to Watson's
* Cleanup: rename everything consistently.
  * namespace_op or op_namespace? namespace_op_type?
  * We don't have to be super-careful with the namespacing, because
    symbols will be scrubbed by exported.sym.
* Cleanup: hard-coded tables (probably?)
  * This reduces the work required for goldilocks_init() at the expense
    of library size.
  * Makes error-handling and thread safety easier.
  * Use the SAGE tool?
* Cleanup: unify intrinsics code
  * Word_t, mask_t, bigregister_t, etc.
  * Generate asm intrinsics with a script?
* Bugfix: make sure that init() and randomization are thread-safe.
* Security: check on deserialization that points are < p.
  * Check also that they're nonzero or otherwise non-pathological?
* Testing:
  * Corner-case testing
  * More bulk random testing
  * Negative testing.
  * SAGE-(auto?)-generated test vectors
  * Test the Barrett fields
* Safety: add static analysis attributes for compilers that support them
  * Most functions now have warn on ignored return.
* Safety:
  * Check for init() if it's still required once we've done the above
  * Decide what to do about RNG failures
    * abort
    * return error and zeroize
    * return error but continue if RNG is kind of mostly OK
* Flexibility: decide which API options are good.
  * Eg, should functions take nbits and table sizes?
  * Remove hardcoded adjustments from comb control.
    * These adjustments make the output wrong when it's not 450 bits.
  * Other slow Barrett fields? Montgomery fields?
* Mid-level API
  * Make it easier to work with untwisted Edwards objects.
    * Probably use extended or projective, not extensible coordinates.
  * Scalarmul with other cofactor modes.
* High-level API:
  * SPAKE2 Elligator Edition? Maybe write a paper first.
  * Elligator.
    * Need to write Elligator inverse. Might not be Elligator-2S.
  * FHMQV? Is this patented?
  * What low-level APIs to expose?
    * Edwards points with add, sub, scalarmul, =, ==, ser/deser?
* Portability: test and make clean with other compilers
  * Using a fair amount of __attribute__ code.
* Portability: try to make the vector code as portable as possible
  * Currently using clang ext_vector_length.
  * I can't get a simple for-loop to autovectorize :-/
  * SAGE tool?
* Portability: make the inner layers of the code 32-bit clean.
  * Write new versions of the field code.
    * 28-bit limbs give less headroom for carries.
    * NEON and vectorless ARM.
    * Run through the SAGE tool to generate new bias & bound.
* Portability: make the outer layers of the code 32-bit clean.
  * There are endian bugs in the signing algorithm.
  * NEON and vectorless constant-time comparison.
* Performance: write and incorporate some extra routines
  * Deserialize_and_isogeny
  * Unconditional negate (or just plain subtract)
* Performance: fixed parameters?
  * Perhaps useful for comb precomputation.
* Performance: Improve SHA512.
  * Improve portability.
  * Improve speed.
  * Decide what things to stir into hashes for various functions.
* Performance: improve the Barrett field code.
  * Support other primes?
  * Capture prime shape into a struct instead of passing 3 params.
  * Make 32-bit clean. (SAGE?)
* Automation:
  * Improve the SAGE tool to cover more cases
    * Real SSA classes to cover branching and looping
    * Constant-time selection
    * Intrinsics code
    * Field code?
    * Vector-mul-chains
    * Negation "bubble pushing" optimization
* Clear other TODO/FIXME/HACK/PERF items in the code
* Submit to SUPERCOP
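The "Security" item above (reject encoded coordinates that are not below p, and reject zero or otherwise pathological points) is the kind of check a deserializer must do before any point is used. The following is an added example written for this page, not code from Ed448-Goldilocks: it decodes a 57-byte Ed448 point encoding using the RFC 8032 rule (y in the low 455 bits, the sign of x in bit 455), then rejects an unreduced y, an off-curve y, the identity and the rest of the order-4 torsion subgroup, with an optional stricter test that the point lies in the prime-order subgroup. The curve constants and base point are the RFC 8032 values; the names `decode_point`, `encode_point`, `DecodeError`, `require_prime_order` and the affine double-and-add helpers are this example's own choices, and the arithmetic is big-integer Python that is neither constant time nor representative of the library's internal (isogenous, twisted) representation.

```python
"""Ed448 point decoding with the validity checks the TODO above calls for.

Added example, not Ed448-Goldilocks code. Curve: x^2 + y^2 = 1 + d x^2 y^2
over GF(p), p = 2^448 - 2^224 - 1, d = -39081 (RFC 8032). Affine formulas and
Python ints are used for clarity only; nothing here is constant time.
"""

P = 2**448 - 2**224 - 1        # Goldilocks prime
D = (-39081) % P               # Ed448 curve constant d (a non-square, so the addition law is complete)
L = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885  # prime subgroup order
COFACTOR = 4
IDENTITY = (0, 1)              # neutral element of the Edwards group

# Base point from RFC 8032, used by the usage example and tests.
GX = 224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710
GY = 298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660


class DecodeError(ValueError):
    """Raised for any encoding that must not be accepted."""


def _inv(a):
    # Field inversion via Fermat: a^(p-2) = a^-1 for a != 0, p prime.
    return pow(a % P, P - 2, P)


def point_add(p1, p2):
    # Affine addition on x^2 + y^2 = 1 + d x^2 y^2. Because d is a non-square,
    # the denominators 1 +/- d x1 x2 y1 y2 are never zero for curve points.
    x1, y1 = p1
    x2, y2 = p2
    k = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + k) % P
    y3 = (y1 * y2 - x1 * x2) * _inv(1 - k) % P
    return (x3, y3)


def scalar_mul(n, pt):
    # Plain double-and-add: fine for a public validity check, not for secret scalars.
    acc, q = IDENTITY, pt
    while n:
        if n & 1:
            acc = point_add(acc, q)
        q = point_add(q, q)
        n >>= 1
    return acc


def encode_point(pt):
    # RFC 8032 encoding: y as 57 little-endian bytes, bit 455 carries the low bit of x.
    x, y = pt
    return (y | ((x & 1) << 455)).to_bytes(57, "little")


def decode_point(enc, require_prime_order=False):
    """Decode a 57-byte Ed448 encoding, rejecting malformed or low-order inputs."""
    if len(enc) != 57:
        raise DecodeError("encoding must be 57 bytes")
    n = int.from_bytes(enc, "little")
    x0 = (n >> 455) & 1          # sign (parity) bit of x
    y = n & ~(1 << 455)          # the other 455 bits are y
    # Check 1 (the TODO's "< p"): the coordinate must be a reduced field element,
    # otherwise y and y + p are two distinct encodings of the same point.
    if y >= P:
        raise DecodeError("y-coordinate not reduced below p")
    # Recover x from x^2 = (y^2 - 1) / (d y^2 - 1); p = 3 (mod 4) gives the
    # candidate root x = u^3 v (u^5 v^3)^((p-3)/4) without a separate inversion.
    u = (y * y - 1) % P
    v = (D * y * y - 1) % P
    x = u**3 * v * pow(u**5 * v**3 % P, (P - 3) // 4, P) % P
    # Check 2: if v x^2 != u there is no square root, so no curve point has this y.
    if v * x * x % P != u:
        raise DecodeError("no point on the curve has this y-coordinate")
    if x == 0 and x0 == 1:
        raise DecodeError("x is zero but the sign bit is set")
    if (x & 1) != x0:
        x = P - x
    pt = (x, y)
    # Check 3 (the TODO's "nonzero or otherwise non-pathological"): reject the
    # identity and every other point of the order-4 torsion subgroup.
    if scalar_mul(COFACTOR, pt) == IDENTITY:
        raise DecodeError("identity or small-order point")
    # Optional stricter check: the point must lie in the prime-order subgroup,
    # i.e. it has no torsion component at all.
    if require_prime_order and scalar_mul(L, pt) != IDENTITY:
        raise DecodeError("point has a torsion component")
    return pt


if __name__ == "__main__":
    assert decode_point(encode_point((GX, GY)), require_prime_order=True) == (GX, GY)
    for bad in (P.to_bytes(57, "little"),        # y == p: unreduced
                encode_point(IDENTITY),          # (0, 1)
                encode_point((0, P - 1)),        # point of order 2
                encode_point((1, 0))):           # point of order 4
        try:
            decode_point(bad)
            raise SystemExit("accepted a bad point")
        except DecodeError as e:
            print("rejected:", e)
```

The cofactor test ([4]P = O) is cheap and catches every input on which a scalar multiplication would leak nothing or yield a predictable result; the full [L]P = O test is a 446-bit scalar multiplication and is only worth paying for where the protocol needs points strictly in the prime-order subgroup. A constant-time C implementation would replace the early `raise` with a mask accumulated across all checks and a single result code at the end.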