Bas Westerbaan

Results 24 issues of Bas Westerbaan

Many cryptographic schemes assume a group of prime order. Edwards25519 is not a group of prime order (it has order 8 * `l`, where `l` is the order of the...
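The cofactor point above, worked through as an added example; this is not code from the issue or from any of the author's projects. It implements affine Edwards25519 arithmetic from the curve constants in RFC 8032 (field prime, `d`, the base point `B = (x, 4/5)` with even `x`, and `l`), assumes nothing beyond those, and shows four things: `l * B` is the identity, a point of order 8 exists on the curve, `B + T` for such a torsion point `T` is a valid curve point that a prime-order check rejects, and multiplying by the cofactor 8 collapses `B + T` and `B` to the same point. Function and constant names (`has_prime_order`, `find_order8_point`, `demonstrate`, ...) are mine, and the torsion point is computed rather than hard-coded.

```python
# Added example: why Edwards25519's cofactor 8 matters to a scheme that
# assumes a prime-order group. Pure-Python affine arithmetic, slow but
# dependency-free and easy to audit.

P_FIELD = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # prime order of the base point
COFACTOR = 8                                          # curve order is 8 * L
D = (-121665 * pow(121666, P_FIELD - 2, P_FIELD)) % P_FIELD
SQRT_M1 = pow(2, (P_FIELD - 1) // 4, P_FIELD)         # sqrt(-1) mod p, p = 5 mod 8
IDENTITY = (0, 1)


def on_curve(pt):
    """Twisted Edwards equation with a = -1:  -x^2 + y^2 = 1 + d x^2 y^2."""
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P_FIELD == 0


def add(p1, p2):
    """Unified Edwards addition; one inversion shared by both coordinates."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P_FIELD
    inv = pow((1 - t * t) % P_FIELD, P_FIELD - 2, P_FIELD)   # 1 / ((1+t)(1-t))
    x3 = (x1 * y2 + y1 * x2) * (1 - t) * inv % P_FIELD
    y3 = (y1 * y2 + x1 * x2) * (1 + t) * inv % P_FIELD
    return (x3, y3)


def scalar_mul(k, pt):
    """Plain double-and-add; fine for a demonstration, not constant-time."""
    result, acc = IDENTITY, pt
    while k:
        if k & 1:
            result = add(result, acc)
        acc = add(acc, acc)
        k >>= 1
    return result


def recover_x(y, sign):
    """Decompress y to x with the given parity (RFC 8032 5.1.3); None if no point."""
    u = (y * y - 1) % P_FIELD
    v = (D * y * y + 1) % P_FIELD
    x = u * pow(v, 3, P_FIELD) * pow(u * pow(v, 7, P_FIELD), (P_FIELD - 5) // 8, P_FIELD) % P_FIELD
    if (v * x * x - u) % P_FIELD == 0:
        pass
    elif (v * x * x + u) % P_FIELD == 0:
        x = x * SQRT_M1 % P_FIELD
    else:
        return None                      # y is not the y-coordinate of any point
    if x == 0 and sign:
        return None
    if x & 1 != sign:
        x = P_FIELD - x
    return x


def base_point():
    """The standard generator B = (x, 4/5) with x even."""
    y = 4 * pow(5, P_FIELD - 2, P_FIELD) % P_FIELD
    return (recover_x(y, 0), y)


def has_prime_order(pt):
    """The check a prime-order-assuming scheme silently relies on: L * P == identity."""
    return scalar_mul(L, pt) == IDENTITY


def small_order(pt):
    """Order of a point in the 8-torsion subgroup (1, 2, 4 or 8); None otherwise."""
    for n in (1, 2, 4, 8):
        if scalar_mul(n, pt) == IDENTITY:
            return n
    return None


def find_order8_point():
    """L * R lands in the 8-torsion for every curve point R; scan y until order 8."""
    y = 2
    while True:
        x = recover_x(y, 0)
        if x is not None:
            t = scalar_mul(L, (x, y))
            if small_order(t) == 8:
                return t
        y += 1


def demonstrate():
    """Facts a practitioner should be able to reproduce, returned as a dict."""
    b = base_point()
    t = find_order8_point()
    bad = add(b, t)      # a valid point that differs from B only by torsion
    return {
        "base_has_prime_order": has_prime_order(b),
        "torsion_order": small_order(t),
        "bad_point_on_curve": on_curve(bad),
        "bad_point_has_prime_order": has_prime_order(bad),
        "cofactor_cleared_equal": scalar_mul(COFACTOR, bad) == scalar_mul(COFACTOR, b),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The `has_prime_order` check (a full multiplication by `l` and a comparison with the identity) is the expensive way to reject points like `B + T`; the cheap alternative is to multiply by the cofactor and work only with the result, or to use an encoding such as Ristretto that never exposes the torsion at all. Either way, a scheme written for a prime-order group must do one of these explicitly, which is the problem the issue raises.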

Assembly file: https://gist.github.com/bwesterb/1daba528b15e1073498a16e2ab34672a

question

- [x] Simple arithmetic
- [x] NTT
- [x] InvNTT
- [ ] Sampling
- [x] NTT-domain multiplication
- [ ] (De)compression of polynomials
- [ ] (Un)packing

- [ ] Does it negatively impact performance if we implement `ShakeHash` on `AesStream` to simplify the sampling code? (Due to escape-to-heap allocations.)
- [ ] How far to go...

- [ ] Documentation and examples are still lacking
- [ ] Deal with multiple very similar modes of the same scheme, i.e. ed{25519,448}{ph,ctx,}

Instead of using intrinsics and full unrolling, this uses a four-round unrolled version adapted from the one I wrote for Cloudflare's CIRCL library: github.com/cloudflare/circl/simd/keccakf1600 This is about 10-20% faster on...