kriskwiatkowski / nobs Goto Github PK

https://github.com/henrydcase/nobs/blob/24408329a59bc2679bce4235ca4d58ac33c1dbfb/utils/cpuid_amd64.go#L26

https://eprint.iacr.org/2018/700 (in 3.2) describes optimization in P503 which takes advantage of the fact that P503+1 can be reduced to 4, 64-bit words (shifting by 8-bits).

This can be also useful for x86 (maybe)
Optimization was introduced initially in a paper by J. Bos

this is done on mkem branch in gitlab

using standard implementation of AES causes memory allocation.
I've a PoC which has SetKey operation, so that I don't need to do NewCipher in DRBG update. PoC lacks ARM and X86 hardware acceleration

The code should be completely rewritten, as the initial idea probably wasn't well thought.

Few ideas on how to improve can be found here:
https://eprint.iacr.org/2020/660.pdf
https://eprint.iacr.org/2022/054
https://www.hertzbleed.com/hertzbleed.pdf

I may need it soon

Seems like a bug:

	// Minimum entropy input (SP800-90A, 10.2.1)
	if len(entropy) < int(c.strength/8) {
		return false
	}

	// Security strength for AES-256 as per SP800-57, 5.6.1
	c.strength = 256

Code doesn't check if imported key is exactly k-bits long (where k is a length of private key). In such case code will import the key, it will perform calculation, but those calculations will be wrong.

Reason is that implementation of ScalarMul3Pt() function assumes that first bit is set and if this is not a case, montgomery ladder is calculated wrongly

Hi,

you redirected your path to https://github.com/henrydcase/nobscrypto and in your code it's always https://github.com/henrydcase/nobs, could you update it please ?

Thanks

does "golang.org/x/sys/cpu" have such feature?

add fuzzing to SIKE implementation

Frodo will use same KEM API as SIKE. currently that API is implemented directly in SIKE, but should be extracted and placed in the kem/ directory. That will also be useful for mKEM

• what are exact gains?

It's known that complete reset of SHA3 is needed. In addition to issues listed here:
https://bit.ly/2VUETE7

there is another one which should be taken into account:
see golang/go#35173

On x86 there is RDSEED instruction available. Why not to use it...

Just as a side note: seems some library (i.e. boringssl) use it. bssl also has ctr-drbg

Currently SIDH/SIKE uses "crypto/rand" as a source of randomness - this is done even in benchmarking.
"crypto/rand" does weird mutexing when accessing randomness source. This may influence benchmark results.

there are two fields SharedSecretSize and KEMSize and a function called SharedSecretSize which returns KEMSize.

That's probably a leftover from Round1

build error log:

src/github.com/henrydcase/nobs/drbg/internal/aes/cipher_asm.go:15:6: missing function body
src/github.com/henrydcase/nobs/drbg/internal/aes/cipher_asm.go:18:6: missing function body
src/github.com/henrydcase/nobs/drbg/internal/aes/cipher_asm.go:21:6: missing function body

and another one:

src/github.com/henrydcase/nobs/dh/csidh/csidh.go:88:4: undefined: mul512
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:102:3: undefined: mul512
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:106:3: undefined: mul512
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:135:4: undefined: mul512
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:139:4: undefined: mul512
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:143:4: undefined: mul512
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:144:4: undefined: mul512
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:170:7: undefined: mul512
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:179:7: undefined: mul512
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:187:3: undefined: mulRdc
src/github.com/henrydcase/nobs/dh/csidh/csidh.go:187:3: too many errors

https://eprint.iacr.org/2018/954.pdf