13 issues by Peter Dettman

In the current fixslice implementation there is some redundancy in the way keys are stored (2x for fixslice32, 4x for fixslice64). This enables the round keys to simply be XORed...

aes

Builds on #252. This is a demo of another isomorphism trick that I originally described here: http://www.ietf.org/mail-archive/web/cfrg/current/msg05770.html . This PR adds secp256k1_xo_multiply(), with test and benchmark (bench_ecdh_xo), plus a new...

performance

Sets up pre- and post-method verification of _ge and _gej group elements. At the moment, this is concerned mainly with imposing a tighter limit (than the default) on the...

Use a "borrowing" trick in _fe_normalize to simplify the handling of values in [P, 2^256). This is significantly faster too (according to bench_internal), though performance of _fe_normalize isn't that important....

performance

Changes to _divsteps_59 (_30) that give maybe 4% speed improvement to const-time modinv on 64-bit. I see a larger gain on 32-bit but measured on 64-bit so...

- Precomputed basepoint multiples are mapped to random iso
- Per-scalar-mult extra cost of 1 field mult.
- Per-blinding extra cost of 2000 field mults.

The idea is to choose...

(Not for immediate merge) In #452 I noted that sqr and mul take about the same time in my config (OSX, 64-bit, no-asm, -O3 -march=native), so this is a quick...

performance

- avoid overly-wide multiplications
- save a few multiplies, masks and shifts
- final residual left in r[9] instead of r[2]

@gmaxwell It looks faster to me, but if you...

performance

See the paper "Attacking embedded ECC implementations through cmov side channels" for a description of the problem. @sipa and I discussed this briefly in NYC, and we thought maybe this...

assurance
side-channel

Hi @aadomn, Recalling [this observation](https://github.com/RustCrypto/block-ciphers/pull/184) and [your paper](https://eprint.iacr.org/2020/1123.pdf), specifically Figure 6 and the following paragraph on page 8. The paper gives a count of _27 XOR, 32 AND and 16...