curve25519: replace field implementation with filippo.io/edwards25519

This imports the crypto/ed25519/internal/edwards25519/field package from CL 276272, and uses it in x/crypto/curve25519. The ScalarMult code was ported 1:1 from curve25519_generic.go. old code lines new code lines Go 896 463 Assembly (manually written) 1772 (1772) 362 (34) 43% performance loss on amd64, 33% loss on 386, and 45% gain on arm64. Feels worth it to remove 1700 lines of manually written assembly. Apple M1 name old time/op new time/op delta X25519Basepoint-8 85.0µs ± 1% 46.4µs ± 0% -45.39% (p=0.000 n=10+9) X25519-8 84.4µs ± 0% 46.7µs ± 2% -44.76% (p=0.000 n=8+9) Intel(R) Core(TM) i5-7400 CPU @ 3.00GHz name old time/op new time/op delta X25519Basepoint-4 42.6µs ± 1% 60.9µs ± 1% +43.22% (p=0.000 n=9+10) X25519-4 42.5µs ± 1% 60.9µs ± 0% +43.17% (p=0.000 n=9+9) Intel(R) Core(TM) i5-7400 CPU @ 3.00GHz [GOARCH=386] name old time/op new time/op delta X25519Basepoint-4 530µs ± 1% 703µs ± 1% +32.81% (p=0.000 n=10+10) X25519-4 530µs ± 1% 706µs ± 1% +33.18% (p=0.000 n=10+10) Change-Id: I1dc62a6a3a3e417a1366ff873c475087a0395124 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/315269 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Trust: Filippo Valsorda <filippo@golang.org> Trust: Katie Hockman <katie@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
atlassian-forks · May 5, 2021 · 3497b51 · 3497b51
1 parent e9a3299
commit 3497b51
Show file tree

Hide file tree

Showing 23 changed files with 2,318 additions and 2,882 deletions.
diff --git a/curve25519/curve25519.go b/curve25519/curve25519.go
@@ -10,6 +10,8 @@ package curve25519 // import "golang.org/x/crypto/curve25519"
 import (
 	"crypto/subtle"
 	"fmt"
+
+	"golang.org/x/crypto/curve25519/internal/field"
 )
 
 // ScalarMult sets dst to the product scalar * point.
@@ -18,7 +20,55 @@ import (
 // zeroes, irrespective of the scalar. Instead, use the X25519 function, which
 // will return an error.
 func ScalarMult(dst, scalar, point *[32]byte) {
-	scalarMult(dst, scalar, point)
+	var e [32]byte
+
+	copy(e[:], scalar[:])
+	e[0] &= 248
+	e[31] &= 127
+	e[31] |= 64
+
+	var x1, x2, z2, x3, z3, tmp0, tmp1 field.Element
+	x1.SetBytes(point[:])
+	x2.One()
+	x3.Set(&x1)
+	z3.One()
+
+	swap := 0
+	for pos := 254; pos >= 0; pos-- {
+		b := e[pos/8] >> uint(pos&7)
+		b &= 1
+		swap ^= int(b)
+		x2.Swap(&x3, swap)
+		z2.Swap(&z3, swap)
+		swap = int(b)
+
+		tmp0.Subtract(&x3, &z3)
+		tmp1.Subtract(&x2, &z2)
+		x2.Add(&x2, &z2)
+		z2.Add(&x3, &z3)
+		z3.Multiply(&tmp0, &x2)
+		z2.Multiply(&z2, &tmp1)
+		tmp0.Square(&tmp1)
+		tmp1.Square(&x2)
+		x3.Add(&z3, &z2)
+		z2.Subtract(&z3, &z2)
+		x2.Multiply(&tmp1, &tmp0)
+		tmp1.Subtract(&tmp1, &tmp0)
+		z2.Square(&z2)
+
+		z3.Mult32(&tmp1, 121666)
+		x3.Square(&x3)
+		tmp0.Add(&tmp0, &z3)
+		z3.Multiply(&x1, &z2)
+		z2.Multiply(&tmp1, &tmp0)
+	}
+
+	x2.Swap(&x3, swap)
+	z2.Swap(&z3, swap)
+
+	z2.Invert(&z2)
+	x2.Multiply(&x2, &z2)
+	copy(dst[:], x2.Bytes())
 }
 
 // ScalarBaseMult sets dst to the product scalar * base where base is the

diff --git a/curve25519/curve25519_amd64.go b/curve25519/curve25519_amd64.go