Go to file
Kris Kwiatkowski 4b728181d2 Add support for SIKE/p503 post-quantum KEM
Based on Microsoft's implementation available on github:
Source: https://github.com/Microsoft/PQCrypto-SIDH
Commit: 77044b76181eb61c744ac8eb7ddc7a8fe72f6919

Following changes has been applied

* In intel assembly, use MOV instead of MOVQ:
  Intel instruction reference in the Intel Software Developer's Manual
  volume 2A, the MOVQ has 4 forms. None of them mentions moving
  literal to GPR, hence "movq $rax, 0x0" is wrong. Instead, on 64bit
  system, MOV can be used.

* Some variables were wrongly zero-initialized (as per C99 spec).

* Rewrite x86_64 assembly to AT&T format.

* Move assembly for x86_64 and aarch64 to perlasm.

* Move constant values to .RODATA segment, as keeping them in .TEXT
  segment is not compatible with XOM.

* Fixes issue in arm64 code related to the fact that compiler doesn't
  reserve enough space for the linker to relocate address of a global
  variable when used by 'ldr' instructions. Solution is to use 'adrp'
  followed by 'add' instruction. Relocations for 'adrp' and 'add'
  instructions is generated by prefixing the label with :pg_hi21:
  and :lo12: respectively.

* Enable MULX and ADX. Code from MS doesn't support PIC. MULX can't
  reference global variable directly. Instead RIP-relative addressing
  can be used. This improves performance around 10%-13% on SkyLake

* Check if CPU supports BMI2 and ADOX instruction at runtime. On AMD64
  optimized implementation of montgomery multiplication and reduction
  have 2 implementations - faster one takes advantage of BMI2
  instruction set introduced in Haswell and ADOX introduced in
  Broadwell. Thanks to OPENSSL_ia32cap_P it can be decided at runtime
  which implementation to choose. As CPU configuration is static by
  nature, branch predictor will be correct most of the time and hence
  this check very often has no cost.

* Reuse some utilities from boringssl instead of reimplementing them.
  This includes things like:
  * definition of a limb size (use crypto_word_t instead of digit_t)
  * use functions for checking in constant time if value is 0 and/or
    less then
  * #define's used for conditional compilation

* Use SSE2 for conditional swap on vector registers. Improves
  performance a little bit.

* Fix f2elm_t definition. Code imported from MSR defines f2elm_t type as
  a array of arrays. This decays to a pointer to an array (when passing
  as an argument). In C, one can't assign const pointer to an array with
  non-const pointer to an array. Seems it violates 6.7.3/8 from C99
  (same for C11). This problem occures in GCC 6, only when -pedantic
  flag is specified and it occures always in GCC 4.9 (debian jessie).

* Fix definition of eval_3_isog. Second argument in eval_3_isog mustn't be
  const. Similar reason as above.

* Use HMAC-SHA256 instead of cSHAKE-256 to avoid upstreaming cSHAKE
  and SHA3 code.

* Add speed and unit tests for SIKE.

Change-Id: I22f0bb1f9edff314a35cd74b48e8c4962568e330
2019-04-23 14:42:03 +01:00
.github Add a PULL_REQUEST_TEMPLATE. 2016-03-08 15:23:52 +00:00
crypto Add support for SIKE/p503 post-quantum KEM 2019-04-23 14:42:03 +01:00
decrepit Rename 'md' output parameter to 'out' and add bounds. 2019-04-08 18:19:01 +00:00
fipstools Add a CFI tester to CHECK_ABI. 2019-01-03 22:01:55 +00:00
fuzz Refresh fuzzer corpus. 2019-01-08 17:55:08 +00:00
include/openssl Predeclare enums in base.h 2019-04-22 21:49:12 +00:00
ssl Predeclare enums in base.h 2019-04-22 21:49:12 +00:00
third_party Add support for SIKE/p503 post-quantum KEM 2019-04-23 14:42:03 +01:00
tool Add support for SIKE/p503 post-quantum KEM 2019-04-23 14:42:03 +01:00
util Update other build tools. 2019-04-04 17:42:09 +00:00
.clang-format Import `newhope' (post-quantum key exchange). 2016-04-26 22:53:59 +00:00
.gitignore Add compiled python files to .gitignore. 2019-02-21 17:41:59 +00:00
API-CONVENTIONS.md Clarify "reference" and fix typo. 2018-09-05 19:06:48 +00:00
BREAKING-CHANGES.md Add some notes on how to handle breaking changes. 2018-04-28 00:04:41 +00:00
BUILDING.md Add instructions for debugging on Android with gdb. 2019-02-01 02:51:11 +00:00
CMakeLists.txt Update third_party/googletest. 2019-04-10 22:09:43 +00:00
codereview.settings Comment change in codereview.settings 2018-07-26 00:23:04 +00:00
CONTRIBUTING.md
FUZZING.md Switch to Clang 6.0's fuzzer support. 2018-08-27 17:18:56 +00:00
go.mod Add go 1.11 to go.mod. 2019-02-21 16:42:44 +00:00
INCORPORATING.md Update URL for GN quick start guide. 2018-08-16 20:18:41 +00:00
LICENSE Note licenses for support code in the top-level LICENSE file. 2018-03-27 17:03:47 +00:00
PORTING.md Remove reference to SSL3 in PORTING.md. 2018-06-29 17:46:32 +00:00
README.md Add some notes on how to handle breaking changes. 2018-04-28 00:04:41 +00:00
sources.cmake Add new curve/hash ECDSA combinations from Wycheproof. 2018-08-10 18:26:06 +00:00
STYLE.md Fix some style guide samples. 2017-08-31 14:24:45 +00:00

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

There are other files in this directory which might be helpful: