{
  "commit": "7922e5abccdafb070efa98e7da39a394d05c5801",
  "tree": "f68bcb6c62b28c8d8e05d89f7e1fb531a2f36950",
  "parents": [
    "c12b7cda729f9a05e3bfb391e7e4273b0f342963"
  ],
  "author": {
    "name": "Kris Kwiatkowski",
    "email": "kris@cloudflare.com",
    "time": "Wed Mar 06 18:19:25 2019 +0000"
  },
  "committer": {
    "name": "Adam Langley",
    "email": "alangley@gmail.com",
    "time": "Thu May 16 22:04:58 2019 +0000"
  },
  "message": "Add support for SIKE/p503 post-quantum KEM\n\nBased on Microsoft\u0027s implementation available on github:\nSource: https://github.com/Microsoft/PQCrypto-SIDH\nCommit: 77044b76181eb61c744ac8eb7ddc7a8fe72f6919\n\nFollowing changes have been applied\n\n* In intel assembly, use MOV instead of MOVQ:\n  Intel instruction reference in the Intel Software Developer\u0027s Manual\n  volume 2A, the MOVQ has 4 forms. None of them mentions moving\n  literal to GPR, hence \"movq $rax, 0x0\" is wrong. Instead, on 64bit\n  system, MOV can be used.\n\n* Some variables were wrongly zero-initialized (as per C99 spec).\n\n* Rewrite x86_64 assembly to AT\u0026T format.\n\n* Move assembly for x86_64 and aarch64 to perlasm.\n\n* Changes to aarch64 assembly, to avoid using x18 platform register.\n  Assembly also correctly constructs linked list of stack-frames as\n  described in AAPCS64, 5.2.3.\n\n* Move constant values to .RODATA segment, as keeping them in .TEXT\n  segment is not compatible with XOM.\n\n* Fixes issue in arm64 code related to the fact that compiler doesn\u0027t\n  reserve enough space for the linker to relocate address of a global\n  variable when used by \u0027ldr\u0027 instructions. Solution is to use \u0027adrp\u0027\n  followed by \u0027add\u0027 instruction. Relocations for \u0027adrp\u0027 and \u0027add\u0027\n  instructions are generated by prefixing the label with :pg_hi21:\n  and :lo12: respectively.\n\n* Enable MULX and ADX. Code from MS doesn\u0027t support PIC. MULX can\u0027t\n  reference global variable directly. Instead RIP-relative addressing\n  can be used. This improves performance around 10%-13% on SkyLake\n\n* Check if CPU supports BMI2 and ADOX instruction at runtime. On AMD64\n  optimized implementation of montgomery multiplication and reduction\n  have 2 implementations - faster one takes advantage of BMI2\n  instruction set introduced in Haswell and ADOX introduced in\n  Broadwell. Thanks to OPENSSL_ia32cap_P it can be decided at runtime\n  which implementation to choose. As CPU configuration is static by\n  nature, branch predictor will be correct most of the time and hence\n  this check very often has no cost.\n\n* Reuse some utilities from boringssl instead of reimplementing them.\n  This includes things like:\n  * definition of a limb size (use crypto_word_t instead of digit_t)\n  * use functions for checking in constant time if value is 0 and/or\n    less than\n  * #define\u0027s used for conditional compilation\n\n* Use SSE2 for conditional swap on vector registers. Improves\n  performance a little bit.\n\n* Fix f2elm_t definition. Code imported from MSR defines f2elm_t type as\n  an array of arrays. This decays to a pointer to an array (when passing\n  as an argument). In C, one can\u0027t assign const pointer to an array with\n  non-const pointer to an array. Seems it violates 6.7.3/8 from C99\n  (same for C11). This problem occurs in GCC 6, only when -pedantic\n  flag is specified and it occurs always in GCC 4.9 (debian jessie).\n\n* Fix definition of eval_3_isog. Second argument in eval_3_isog mustn\u0027t be\n  const. Similar reason as above.\n\n* Use HMAC-SHA256 instead of cSHAKE-256 to avoid upstreaming cSHAKE\n  and SHA3 code.\n\n* Add speed and unit tests for SIKE.\n\nSome speed results:\n\nSkylake (64-bit):\n\nDid 408 SIKE/P503 generate operations in 1002573us (407.0 ops/sec)\nDid 275 SIKE/P503 encap operations in 1070570us (256.9 ops/sec)\nDid 264 SIKE/P503 decap operations in 1098955us (240.2 ops/sec)\n\nSkylake (32-bit):\n\nDid 9 SIKE/P503 generate operations in 1051620us (8.6 ops/sec)\nDid 5 SIKE/P503 encap operations in 1038251us (4.8 ops/sec)\nDid 5 SIKE/P503 decap operations in 1103617us (4.5 ops/sec)\n\nChange-Id: I22f0bb1f9edff314a35cd74b48e8c4962568e330\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35204\nReviewed-by: Adam Langley \u003calangley@gmail.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "49c41fa7afc25208346efe1dd1db7e7431478965",
      "old_mode": 33188,
      "old_path": "LICENSE",
      "new_id": "2f4dfcdb04c83058baaed1031699bef95037e445",
      "new_mode": 33188,
      "new_path": "LICENSE"
    },
    {
      "type": "modify",
      "old_id": "5cdfa4021df8e8906bca7563ed75f366032bef6c",
      "old_mode": 33188,
      "old_path": "crypto/CMakeLists.txt",
      "new_id": "1c505bc9f256bb58dc7213f517156a833919b4d7",
      "new_mode": 33188,
      "new_path": "crypto/CMakeLists.txt"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "5cf7c8db62837e4f91aaa5392443a2372d4a6937",
      "new_mode": 33188,
      "new_path": "third_party/sike/LICENSE"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "aecf623cca17efb2b9ec1a82088a9a383d970a31",
      "new_mode": 33188,
      "new_path": "third_party/sike/P503.c"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "a1728d13fd03c1704c37380f521b53f39623bccc",
      "new_mode": 33188,
      "new_path": "third_party/sike/asm/fp-armv8.pl"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "c093c203bda138358ed48363d9df3e9564f57abf",
      "new_mode": 33261,
      "new_path": "third_party/sike/asm/fp-x86_64.pl"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "cb786ffe5103f6d01a4ad0595fc0bfbf06ef91dd",
      "new_mode": 33188,
      "new_path": "third_party/sike/asm/fp_generic.c"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "abb1ca25953b3213e2de1faec34ff78231bc9c6f",
      "new_mode": 33188,
      "new_path": "third_party/sike/fpx.c"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "ed6776822309f2f90430a6318460e19248b5c324",
      "new_mode": 33188,
      "new_path": "third_party/sike/fpx.h"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "45f9c400508fffcd84c40a94feb06ee7577dea90",
      "new_mode": 33188,
      "new_path": "third_party/sike/isogeny.c"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "460c8c662f6c5cef853052bfc591529e4817e945",
      "new_mode": 33188,
      "new_path": "third_party/sike/isogeny.h"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "01add94f0d6bde1cee629775e046abd070b40317",
      "new_mode": 33188,
      "new_path": "third_party/sike/sike.c"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "09093cd172bd624bc45aa7c2731db3436ebf54f8",
      "new_mode": 33188,
      "new_path": "third_party/sike/sike.h"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "a1426ef157d5a01b2ae751929faecedb47cf0737",
      "new_mode": 33188,
      "new_path": "third_party/sike/sike_test.cc"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "ee9e6851b1b5ada3daee74c65480142b13db80ba",
      "new_mode": 33188,
      "new_path": "third_party/sike/utils.h"
    },
    {
      "type": "modify",
      "old_id": "b26470ec56b8ca40dc7679ff3f944c5c9d31baaa",
      "old_mode": 33188,
      "old_path": "tool/speed.cc",
      "new_id": "47edc7515f629c6be131cad21dad563e64c23673",
      "new_mode": 33188,
      "new_path": "tool/speed.cc"
    }
  ]
}
