mirage-crypto-ec: add 25519 #107
hannesm commented Mar 10, 2021 (edited)
- add ED25519
- figure out performance (whether to move scalar_mult + inversion to C to avoid lots of OCaml -> C calls)
4099a3e to 7cc310b
I evaluated the performance using the 5 existing X25519 implementations (I did not use
I only ran the key exchange (i.e. a scalar multiplication), and compared the result for correctness (String.equal / Bytes.equal / Cstruct.equal). Conversions of private and public were done upfront once. Each library did as many key exchanges as it could in 10s. Since the C code is boring (taken from BoringSSL), I do not see a reason to retain the arithmetic instructions in OCaml (esp. since it is a pretty high price to pay for all the OCaml<->C calling). Heap allocation still happens on the OCaml side, though memmove and memset is used on the C side.

Seems very good 🎉!
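The benchmark described in the comment above, as an added example that is not code from this PR or from mirage-crypto: a pure-Python X25519 following the RFC 7748 Montgomery ladder, with every key exchange checked against a known-good result (here the RFC 7748 test vectors) and a fixed wall-clock loop counting how many exchanges complete, the way the comment describes. Function names and the time budget are assumptions. The Python ladder branches on secret bits and is not constant-time, unlike the fiat-crypto arithmetic the PR imports, so it serves as a correctness reference for comparing implementations, not as something to deploy.

```python
"""Pure-Python X25519 (RFC 7748) plus a timed, self-checking key-exchange loop.
Added example; not part of the mirage-crypto project."""
import time

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, the Montgomery curve constant used by the ladder

# Test vectors from RFC 7748 (section 5.2 scalar-mult vector, section 6.1 Diffie-Hellman).
RFC_SCALAR = bytes.fromhex("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4")
RFC_U_IN = bytes.fromhex("e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c")
RFC_U_OUT = bytes.fromhex("c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552")
BASE_POINT = bytes([9]) + bytes(31)
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def decode_u(u: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate, masking the top bit."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little")


def encode_u(u: int) -> bytes:
    return (u % P).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 via the RFC 7748 Montgomery ladder.
    The swap below is a data-dependent branch: fine for a reference, not for production."""
    k_int = decode_scalar(k)
    x1 = decode_u(u)
    x2, z2 = 1, 0
    x3, z3 = x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) % P
        x3 = x3 * x3 % P
        z3 = (da - cb) % P
        z3 = x1 * (z3 * z3 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    # Affine u = x2 / z2, with the inverse computed as z2^(p-2) mod p.
    return encode_u(x2 * pow(z2, P - 2, P))


def bench_key_exchange(secret: bytes, peer_public: bytes, expected: bytes, seconds: float) -> int:
    """Run key exchanges until the time budget is spent, checking each result as the
    benchmark above did; returns the number of exchanges completed."""
    deadline = time.monotonic() + seconds
    count = 0
    while time.monotonic() < deadline:
        if x25519(secret, peer_public) != expected:
            raise ValueError("key exchange produced a wrong shared secret")
        count += 1
    return count


if __name__ == "__main__":
    # Same shape as the PR's measurement, with a 10 s budget per implementation.
    n = bench_key_exchange(ALICE_PRIV, BOB_PUB, SHARED, 10.0)
    print(f"{n} correct X25519 key exchanges in 10s ({n / 10:.0f}/s)")
```

With a real library under test, `x25519` would be replaced by that library's key-exchange call and `expected` by the output of a second, independent implementation, which is exactly the cross-check the comment describes (String.equal / Bytes.equal / Cstruct.equal on the shared secret).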
Code originates mostly from (a) fiat-crypto and (b) boringssl. Tests from RFC 7748, RFC 8032, and wycheproof.

…ge-crypto-rng, mirage-crypto-rng-mirage and mirage-crypto-rng-async (0.9.0)

CHANGES:

- Elliptic curve support in the new package mirage-crypto-ec. The arithmetic code is generated by [fiat-crypto](https://github.com/mit-plv/fiat-crypto), a development in Coq which includes proofs of constant time behaviour. The generation can be reproduced (see ec/native/GNUmakefile). The group operation implementations are taken from BoringSSL. The high-level mechanisms (signature DSA and key exchange ECDH) are implemented in OCaml. The ECDSA implementation (as our DSA one) uses a deterministic k (RFC 6979). The NIST curves P224 (SECP224R1), P256 (SECP256R1), P384 (SECP384R1), and P521 (SECP521R1) are supported (ECDH and ECDSA), in addition to Curve25519 (X25519 and Ed25519). Performance of X25519 has been measured and is roughly the same as the hacl_x25519 and also the hacl opam package (see mirage/mirage-crypto#107 for numbers). Test vectors are from RFCs and wycheproof.
- Import mirage/fiat repository (@pascutto @emillon @NathanReb @hannesm mirage/mirage-crypto#101)
- Check bounds of message (reported by @greg42, fixed by @hannesm mirage/mirage-crypto#108)
- Remove blinding, since constant-time arithmetic is used (@hannesm mirage/mirage-crypto#106)
- Curve 25519 (X25519 & Ed25519) support (@hannesm mirage/mirage-crypto#107, imported from BoringSSL)

Partially reviewed by @JasonGross @avsm @dinosaure. Partially sponsored by Nitrokey GmbH.

FWIW, see #202 (comment) for an updated table, and a utility (bench/ec.exe) to generate such a table.