Functions generated by Fiat-crypto are not prefixed by their description any more. This matches an upstream change.
We can now use a single type for different curves and implementations.
The field type is now generic, so we can properly handle the base field and scalars without code duplication.
Leave the minimum amount of stack space required by the ABI (16 * 8
bytes for the window contents plus 6 * 8 bytes for the input arguments)
on the new thread stack.
Uses verified code generated by fiat-crypto for field arithmetic, and complete formulas to avoid side channels.
There's still plenty of room for optimizations, especially with a fixed base. But this gives us a framework to easily add other similar curves.
* Add a yield pattern for PowerPC64
* Fix compile error on pre-v6 ARM targets
* Use isb instead of yield on AArch64 to give the CPU a chance to enter
low-power states.
* Make the hint an inline function, the call overhead can be avoided.
Currently the default install prefix is $BUILD_ROOT/zig-cache,
but mixing cache and artifacts makes little sense. Instead make
$BUILD_ROOT/zig-out the default.
Should be good enough to unblock progress on the stage2 compiler.
Unifying this parser and the regular one (and perhaps rewrite it, #2207)
is left as an exercise for the reader.
* 25519: remove unused const, safeguard against unreduced scalars
No behavior change, but it makes the existing code better match
the forthcoming code for other curves.
Rename nonAdjacentForm() to slide(), remove an unneeded and
confusing constant, and do a reduction in slide() if 257 bits would
be required.
Note that in all the high-level functions, the top bit is always
cleared, so the reduction is never necessary. But since the low-level
functions are public, the check is a safe thing to have.
* 25519: make identityElement public, deprecate neutralElement
Also fix a few comments by the way.
This reverts commit 77cb45f59f.
Zig's error return traces will point to the return token if they
happen to occur, so having multiple return statements makes those
stack traces really helpful. This destroys debuggability.
* #8454 Fix for std.mem.replacementSize adjacent matches bug.
When two 'needle' values are adjacent in the 'input' slice, the size is not
counted correctly. The 2nd 'needle' value is not matched because the index is
incremented by one after changing the index to account for the first value.
The impact is the the size returned is incorrect, and could cause UB when this
amount is used to size of the buffer passed to std.mem.replace.
* Apply changes from PR review:
- Add assert checking that the needle is non-empty and doc for this.
- Add minimal test that an empty input works.
- Use testing.expectEqualStrings.
Flush all the register windows to stack before starting the stack walk,
we may otherwise try to read garbage and crash and burn.
Add a few comptime annotations to debloat some functions.
A little function to complement the existing crypto.utils.timingSafeEql
function with a way to compare large numbers serialized as arrays.
This is useful to compare nonces and to check that group elements are
in canonical form.
Absence of side channels remains a best effort, reusing the common
pattern we use elsewhere.
