Commit message | Author | Date | Files | Lines (-/+)
* curve25519-x86_64: avoid use of r12 | Jason A. Donenfeld | 2018-08-07 | 1 | -107/+107
  This causes problems with RAP and KERNEXEC for PaX, as r12 is a reserved register.
  Suggested-by: PaX Team <pageexec@freemail.hu>
* curve25519-x86_64: tighten reductions modulo 2^256-38 | Samuel Neves | 2018-07-28 | 1 | -21/+18
  At this stage the value of C[4] is at most ((2^256-1) + 38*(2^256-1)) / 2^256 = 38, so there is no need to use a wide multiplication.
  Change inspired by Andy Polyakov's OpenSSL implementation.
  Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* curve25519-x86_64: simplify the final reduction by adding 19 beforehand | Samuel Neves | 2018-07-28 | 1 | -40/+26
  Correctness can be quickly verified with the following z3py script:

  ```python
  from z3 import *

  x = BitVec("x", 256)                                      # any 256-bit value
  ref = URem(x, 2**255 - 19)                                # correct value
  t = Extract(255, 255, x); x &= 2**255 - 1                 # btrq $63, %3
  u = If(t != 0, BitVecVal(38, 256), BitVecVal(19, 256))   # cmovncl %k5, %k4
  x += u                                                    # addq %4, %0; adcq $0, %1; adcq $0, %2; adcq $0, %3;
  t = Extract(255, 255, x); x &= 2**255 - 1                 # btrq $63, %3
  u = If(t != 0, BitVecVal(0, 256), BitVecVal(19, 256))    # cmovncl %k5, %k4
  x -= u                                                    # subq %4, %0; sbbq $0, %1; sbbq $0, %2; sbbq $0, %3;
  prove(x == ref)                                           # output: proved
  ```

  Change inspired by Andy Polyakov's OpenSSL implementation.
  Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* curve25519-x86_64: tighten the x25519 assembly | Samuel Neves | 2018-07-28 | 1 | -3/+3
  The wide multiplication by 38 in mul_a24_eltfp25519_1w is redundant: (2^256-1) * 121666 / 2^256 is at most 121665, and therefore a 64-bit multiplication can never overflow.
  Change inspired by Andy Polyakov's OpenSSL implementation.
  Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
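The three Samuel Neves commits above each tighten a carry bound in the radix-2^64 arithmetic: the carry out of a 512-to-256-bit fold is at most 38, the carry out of the multiply by 121666 is at most 121665, and the final canonicalisation can be done by adding 19 up front. The following is an added example, not the project's assembly or any code from the commits: plain C (GCC/Clang `unsigned __int128`) that performs the same three steps with each bound stated where it is relied on. `fe`, `fe_add_small_fold`, `fe_reduce_2x`, `fe_mul121666`, `fe_freeze`, `fe_eq` and `fe_eq_u64` are illustrative names, and the inputs in `main` are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef unsigned __int128 u128;            /* GCC/Clang extension */
typedef struct { uint64_t v[4]; } fe;      /* little-endian 64-bit limbs, value < 2^256 */

/* r += c, then fold a wrap past 2^256 back in as 38 (2^256 = 2*2^255 ≡ 2*19 mod p).
 * The fold goes through a mask, not a branch, so the instruction stream does not
 * depend on the data. The second pass cannot wrap: a wrap on the first pass
 * leaves a value below c, and c is at most a few million here. */
static void fe_add_small_fold(fe *r, uint64_t c)
{
    u128 acc = c;
    for (int i = 0; i < 4; i++) {
        acc += r->v[i];
        r->v[i] = (uint64_t)acc;
        acc >>= 64;
    }
    uint64_t fold = (0 - (uint64_t)acc) & 38;   /* 38 if the add wrapped, else 0 */
    acc = fold;
    for (int i = 0; i < 4; i++) {
        acc += r->v[i];
        r->v[i] = (uint64_t)acc;
        acc >>= 64;
    }
}

/* Reduce a 512-bit product (lo, hi) to 256 bits: lo + 38*hi (mod p).
 * The carry out of the top limb is at most ((2^256-1) + 38*(2^256-1)) / 2^256 = 38,
 * the bound from the "tighten reductions" commit, so carry*38 fits in 64 bits
 * and no wide multiply is needed for the second fold. */
static fe fe_reduce_2x(const fe *lo, const fe *hi)
{
    fe r;
    u128 acc = 0;
    for (int i = 0; i < 4; i++) {
        acc += (u128)lo->v[i] + (u128)hi->v[i] * 38;
        r.v[i] = (uint64_t)acc;
        acc >>= 64;
    }
    fe_add_small_fold(&r, (uint64_t)acc * 38);   /* acc <= 38, product <= 1444 */
    return r;
}

/* Multiply by a24 = 121666. The carry out of the top limb is at most
 * (2^256-1) * 121666 / 2^256 = 121665, the bound from the "tighten the x25519
 * assembly" commit, so carry*38 is a plain 64-bit product. */
static fe fe_mul121666(const fe *a)
{
    fe r;
    u128 acc = 0;
    for (int i = 0; i < 4; i++) {
        acc += (u128)a->v[i] * 121666;
        r.v[i] = (uint64_t)acc;
        acc >>= 64;
    }
    fe_add_small_fold(&r, (uint64_t)acc * 38);   /* acc <= 121665 */
    return r;
}

/* Final reduction of any 256-bit value to canonical [0, p), the exact sequence
 * the z3py script proves: clear bit 255 (worth 19 mod p) and add 19 plus that
 * 19; then clear bit 255 again and subtract the 19 back only if it did not carry. */
static fe fe_freeze(const fe *a)
{
    fe r = *a;
    uint64_t t = r.v[3] >> 63;                   /* btrq $63 */
    r.v[3] &= ~(1ULL << 63);
    u128 acc = 19 + 19 * t;                      /* 38 if bit 255 was set, else 19 */
    for (int i = 0; i < 4; i++) {                /* addq / adcq chain; r < 2^255, no wrap */
        acc += r.v[i];
        r.v[i] = (uint64_t)acc;
        acc >>= 64;
    }
    t = r.v[3] >> 63;                            /* btrq $63 */
    r.v[3] &= ~(1ULL << 63);
    uint64_t borrow = 19 & (t - 1);              /* 0 if the add crossed 2^255, else 19 */
    for (int i = 0; i < 4; i++) {                /* subq / sbbq chain */
        uint64_t vi = r.v[i];
        r.v[i] = vi - borrow;
        borrow = vi < borrow;
    }
    return r;
}

/* Constant-time equality on field elements (no early exit). */
static bool fe_eq(fe a, fe b)
{
    uint64_t d = 0;
    for (int i = 0; i < 4; i++) d |= a.v[i] ^ b.v[i];
    return d == 0;
}
static bool fe_eq_u64(fe a, uint64_t x) { return fe_eq(a, (fe){{x, 0, 0, 0}}); }

int main(void)
{
    fe ones = {{~0ULL, ~0ULL, ~0ULL, ~0ULL}};    /* constructed: 2^256-1 ≡ 37 (mod p) */
    fe r = fe_reduce_2x(&ones, &ones);           /* carry is exactly 38 here; ≡ 39*37 = 1443 */
    printf("reduce_2x(all ones, all ones) == 1443: %d\n", fe_eq_u64(r, 1443));
    printf("freeze(2^256-1) == 37: %d\n", fe_eq_u64(fe_freeze(&ones), 37));
    return 0;
}
```

The all-ones inputs are chosen because they make the carries hit the commits' bounds exactly (38 in `fe_reduce_2x`, 121665 in `fe_mul121666`), which is what shows the bounds are tight rather than merely safe. Note that C gives no constant-time guarantee for the mask tricks used here; that is one reason the project keeps this arithmetic in assembly.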
* curve25519: x86_64: make symbol static | Jason A. Donenfeld | 2018-05-29 | 1 | -2/+2
* curve25519: x86_64: satisfy sparse | Jason A. Donenfeld | 2018-05-29 | 1 | -260/+260
* curve25519: precomp const correctness | Jason A. Donenfeld | 2018-03-09 | 1 | -24/+22
* curve25519: memzero in batches | Jason A. Donenfeld | 2018-03-09 | 1 | -140/+124
* curve25519: use cmov instead of xor for cswap | Jason A. Donenfeld | 2018-03-09 | 1 | -12/+39
  Also add cselect optimization.
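The commit above only names the change. As an added example, not the project's code, here is the C shape of both techniques: the XOR-masked conditional swap that the commit replaces, and a mask-merge `cselect` which is the C spelling of what a cmov does, with a cswap built from two of them. `fe`, `ct_mask`, `fe_cswap_xor`, `fe_cselect`, `fe_cswap_select`, `fe_eq` and `cswap_check` are illustrative names and the operand values are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { uint64_t v[4]; } fe;   /* 4 x 64-bit limbs, little-endian */

/* 0/1 -> 0x000..0 / 0xFFF..F without a branch. */
static uint64_t ct_mask(uint64_t bit) { return 0 - (bit & 1); }

/* XOR-based conditional swap, the form the commit moves away from: always
 * touches both operands and never branches on `bit`, the secret scalar bit. */
static void fe_cswap_xor(fe *a, fe *b, uint64_t bit)
{
    uint64_t m = ct_mask(bit);
    for (int i = 0; i < 4; i++) {
        uint64_t d = (a->v[i] ^ b->v[i]) & m;
        a->v[i] ^= d;
        b->v[i] ^= d;
    }
}

/* cselect: r = bit ? b : a as a mask merge. In assembly this is one cmov per
 * limb; the commit writes it in assembly because a C compiler may legally
 * turn this (or the XOR form above) into a conditional branch. */
static void fe_cselect(fe *r, const fe *a, const fe *b, uint64_t bit)
{
    uint64_t m = ct_mask(bit);
    for (int i = 0; i < 4; i++)
        r->v[i] = (a->v[i] & ~m) | (b->v[i] & m);
}

/* cswap built from two cselects: (a, b) -> (bit ? b : a, bit ? a : b). */
static void fe_cswap_select(fe *a, fe *b, uint64_t bit)
{
    fe ta, tb;
    fe_cselect(&ta, a, b, bit);
    fe_cselect(&tb, b, a, bit);
    *a = ta;
    *b = tb;
}

/* Constant-time equality (no early exit). */
static bool fe_eq(const fe *x, const fe *y)
{
    uint64_t d = 0;
    for (int i = 0; i < 4; i++) d |= x->v[i] ^ y->v[i];
    return d == 0;
}

/* Run both swaps on constructed operands; true if they agree with each other
 * and with the expected outcome for `bit`. The ternaries here are test-only. */
static bool cswap_check(uint64_t bit)
{
    const fe a0 = {{1, 2, 3, 4}}, b0 = {{5, 6, 7, 8}};   /* constructed values */
    fe a = a0, b = b0, c = a0, d = b0;
    fe_cswap_xor(&a, &b, bit);
    fe_cswap_select(&c, &d, bit);
    const fe *ea = bit ? &b0 : &a0, *eb = bit ? &a0 : &b0;
    return fe_eq(&a, &c) && fe_eq(&b, &d) && fe_eq(&a, ea) && fe_eq(&b, eb);
}

int main(void)
{
    printf("cswap bit=0 ok: %d, bit=1 ok: %d\n", cswap_check(0), cswap_check(1));
    return 0;
}
```

Both forms read and write every limb of both operands regardless of `bit`; what the commit changes is only how the selection is expressed at the instruction level, which is invisible in C but matters in the assembly the project ships.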
* curve25519: use precomp implementation instead of sandy2x | Jason A. Donenfeld | 2018-03-09 | 1 | -164/+2056
  It's faster and doesn't use the FPU.
* crypto: read only after init | Jason A. Donenfeld | 2018-03-02 | 1 | -1/+2
* curve25519: resolve symbol clash between fe types | Jason A. Donenfeld | 2018-01-18 | 1 | -7/+7
* curve25519: modularize implementation | Jason A. Donenfeld | 2018-01-18 | 1 | -0/+175