Go code cosmetic fixes #949
Comments
|
I think these would be nice improvements if they're easy and don't add complexity to fiat-crypto's output routines (which aren't verified), but I don't think any of these affect the assembly ultimately generated by the Go compilers? |
|
@JasonGross definitely types for differentiating between Montgomery domain. +1 |
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Apr 28, 2021
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Apr 28, 2021
|
FWIW, the syntax rules for Go documentation are described at: https://golang.org/pkg/go/doc/#ToHTML I think the main noteworthy things for fiat-go code are that blank lines separate paragraphs, and runs of indented lines get formatted with <pre>. |
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Apr 29, 2021
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Apr 29, 2021
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Apr 29, 2021
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Apr 30, 2021
@mdempsky What's the rule for runs of indented lines not separated from the previous line by a newline. That is, how is something like Which indented lines become |
This one is a bit tricky logistically, I'd rather not make |
It looks like lines 3 and 4, 6 and 7, and 9 and 10 become pre blocks: testing with `go doc`(This is the command-line output, but it uses the same parser. The 4-space indented blocks correspond to HTML
Out of curiosity, what's the logistic difficulty here? I thought Go is pretty generally available nowadays.
gofmt can be somewhat finnicky about things; e.g., it'll format However, to the extent you're able to better match the output, that sounds good and desirable. |
The files are regenerated by the default makefile target. I'd like to be able to say all of the following:
|
|
Makes sense. So we just need a formally verified implementation of gofmt in Coq? :) |
Sure, you can run |
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Apr 30, 2021
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
May 1, 2021
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
May 1, 2021
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
May 3, 2021
Part of mit-plv#949 Indent Go code and adjust spacing Minor spacing changes Add `--doc-newline-before-package-declaration` Now we have package docs back for Go code, when we want them. Add `--doc-prepend-header{,-raw}`, use `--doc-text-before-function-name` Fixes mit-plv#958
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
May 3, 2021
Part of mit-plv#949 Indent Go code and adjust spacing Minor spacing changes Add `--doc-newline-before-package-declaration` Now we have package docs back for Go code, when we want them. Add `--doc-prepend-header{,-raw}`, use `--doc-text-before-function-name` Fixes mit-plv#958
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
May 3, 2021
Part of mit-plv#949 Indent Go code and adjust spacing Minor spacing changes Add `--doc-newline-before-package-declaration` Now we have package docs back for Go code, when we want them. Add `--doc-prepend-header{,-raw}`, use `--doc-text-before-function-name` Fixes mit-plv#958
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
May 3, 2021
Part of mit-plv#949 Indent Go code and adjust spacing Minor spacing changes Add `--doc-newline-before-package-declaration` Now we have package docs back for Go code, when we want them. Add `--doc-prepend-header{,-raw}`, use `--doc-text-before-function-name` Fixes mit-plv#958
gopherbot
pushed a commit
to golang/go
that referenced
this issue
May 9, 2021
Fiat Cryptography (https://github.com/mit-plv/fiat-crypto) is a project that produces prime order field implementations (the code that does arithmetic modulo a prime number) based on a formally verified model. The formal verification covers some of the most subtle and hard to test parts of an elliptic curve implementation, like carry chains. It would probably have prevented #20040 and #43786. This CL imports a 64-bit implementation of the P-521 base field, replacing the horribly slow and catastrophically variable time big.Int CurveParams implementation. The code in p521_fiat64.go is generated reproducibly by fiat-crypto, building and running the Dockerfile according to the README. The code in fiat/p521.go is a thin and idiomatic wrapper around the fiat-crypto code. It includes an Invert method generated with the help of github.com/mmcloughlin/addchain. The code in elliptic/p521.go is a line-by-line port of the CurveParams implementation. Lsh(x, N) was replaced with repeated Add(x, x) calls. Mul(x, x) was replaced with Square(x). Mod calls were removed, as all operations are modulo P. Likewise, Add calls to bring values back to positive were removed. The ScalarMult ladder implementation is now constant time, copied from p224ScalarMult. Only other notable changes are adding a p512Point type to keep (x, y, z) together, and making addJacobian and doubleJacobian methods on that type, with the usual receiver semantics to save 4 allocations per step. This amounts to a proof of concept, and is far from a mature elliptic curve implementation. Here's a non-exhaustive list of things that need improvement, most of which are pre-existing issues with crypto/elliptic. Some of these can be fixed without API change, so can't. - Marshal and Unmarshal still use the slow, variable time big.Int arithmetic. The Curve interface does not expose field operations, so we'll have to make our own abstraction. - Point addition uses an incomplete Jacobian formula, which has variable time behaviors for points at infinity and equal points. There are better, complete formulae these days, but I wanted to keep this CL reviewable against the existing code. - The scalar multiplication ladder is still heavily variable time. This is easy to fix and I'll do it in a follow-up CL, but I wanted to keep this one easier to review. - Fundamentally, values have to go in and out of big.Int representation when they pass through the Curve interface, which is both slow and slightly variable-time. - There is no scalar field implementation, so crypto/ecdsa ends up using big.Int for signing. - Extending this to P-384 would involve either duplicating all P-521 code, or coming up with some lower-level interfaces for the base field. Even better, generics, which would maybe let us save heap allocations due to virtual calls. - The readability and idiomaticity of the autogenerated code can improve, although we have a clear abstraction and well-enforced contract, which makes it unlikely we'll have to resort to manually modifying the code. See mit-plv/fiat-crypto#949. - We could also have a 32-bit implementation, since it's almost free to have fiat-crypto generate one. Anyway, it's definitely better than CurveParams, and definitely faster. name old time/op new time/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P521-8 4.18ms ± 3% 0.86ms ± 2% -79.50% (p=0.000 n=10+9) ScalarMult/P521-8 4.17ms ± 2% 0.85ms ± 6% -79.68% (p=0.000 n=10+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P521-8 4.23ms ± 1% 0.94ms ± 0% -77.70% (p=0.000 n=9+8) Verify/P521-8 8.31ms ± 2% 1.75ms ± 4% -78.99% (p=0.000 n=9+10) GenerateKey/P521-8 4.15ms ± 2% 0.85ms ± 2% -79.49% (p=0.000 n=10+9) name old alloc/op new alloc/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P521-8 3.06MB ± 3% 0.00MB ± 0% -99.97% (p=0.000 n=10+10) ScalarMult/P521-8 3.05MB ± 1% 0.00MB ± 0% -99.97% (p=0.000 n=9+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P521-8 3.03MB ± 0% 0.01MB ± 0% -99.74% (p=0.000 n=10+8) Verify/P521-8 6.06MB ± 1% 0.00MB ± 0% -99.93% (p=0.000 n=9+9) GenerateKey/P521-8 3.02MB ± 0% 0.00MB ± 0% -99.96% (p=0.000 n=9+10) name old allocs/op new allocs/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P521-8 19.8k ± 3% 0.0k ± 0% -99.95% (p=0.000 n=10+10) ScalarMult/P521-8 19.7k ± 1% 0.0k ± 0% -99.95% (p=0.000 n=9+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P521-8 19.6k ± 0% 0.1k ± 0% -99.63% (p=0.000 n=10+10) Verify/P521-8 39.2k ± 1% 0.1k ± 0% -99.84% (p=0.000 n=9+10) GenerateKey/P521-8 19.5k ± 0% 0.0k ± 0% -99.91% (p=0.000 n=9+10) Updates #40171 Change-Id: Ic898b09a2388382bf51ec007d9a79d72d44efe10 Reviewed-on: https://go-review.googlesource.com/c/go/+/315271 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Katie Hockman <[email protected]> Trust: Katie Hockman <[email protected]> Trust: Filippo Valsorda <[email protected]>
This is more than cosmetic. Getting rid of the wrappers and assuming that While we're wishing for various fixes to the Go output, [0]: With go 1.16.5. 1.17beta1 does a better job of optimizing the current code so the gain is "only" ~31%. |
If you typedef uint1 to uint64, does that give you the performance benefit? If removing the wrappers is really that important, I can add a rewriting pass to relax the bounds for go output. |
It is considerably faster, but the wrapper still has overhead, even though it gets inlined, because of what appears to be inline marking. Since I don't see soul crushing NOP-walls of doom in the version of the routine where I manually removed the wrapper, I assume that the compiler doesn't emit a At some point (in the far future) the compiler behavior may resolve itself, but at least one related issue has been open since 2019 (golang/go#29571). |
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Aug 3, 2021
This is a partial fix for item 1 of mit-plv#949 (comment) also mentioned at golang/go#40171 (comment) Unfortunately, we still cast the arguments to uint1 because we don't have enough information in the right places to relax the casts. We really want a fused absint/rewriting pass, where we get access to true bounds information rather than just casts.
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Aug 4, 2021
This is a partial fix for item 1 of mit-plv#949 (comment) also mentioned at golang/go#40171 (comment) Unfortunately, we still cast the arguments to uint1 because we don't have enough information in the right places to relax the casts. We really want a fused absint/rewriting pass, where we get access to true bounds information rather than just casts.
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Aug 4, 2021
This is a partial fix for item 1 of mit-plv#949 (comment) also mentioned at golang/go#40171 (comment) Unfortunately, we still cast the arguments to uint1 because we don't have enough information in the right places to relax the casts. We really want a fused absint/rewriting pass, where we get access to true bounds information rather than just casts.
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Aug 4, 2021
This is a partial fix for item 1 of mit-plv#949 (comment) also mentioned at golang/go#40171 (comment) Unfortunately, we still cast the arguments to uint1 because we don't have enough information in the right places to relax the casts. We really want a fused absint/rewriting pass, where we get access to true bounds information rather than just casts.
JasonGross
added a commit
to JasonGross/fiat-crypto
that referenced
this issue
Aug 6, 2021
This is a partial fix for item 1 of mit-plv#949 (comment) also mentioned at golang/go#40171 (comment) Unfortunately, we still cast the arguments to uint1 because we don't have enough information in the right places to relax the casts. We really want a fused absint/rewriting pass, where we get access to true bounds information rather than just casts.
JasonGross
added a commit
that referenced
this issue
Aug 7, 2021
This is a partial fix for item 1 of #949 (comment) also mentioned at golang/go#40171 (comment) Unfortunately, we still cast the arguments to uint1 because we don't have enough information in the right places to relax the casts. We really want a fused absint/rewriting pass, where we get access to true bounds information rather than just casts.
We should either do this or export |
FiloSottile
added a commit
to FiloSottile/nistec
that referenced
this issue
May 13, 2022
Fiat Cryptography (https://github.com/mit-plv/fiat-crypto) is a project that produces prime order field implementations (the code that does arithmetic modulo a prime number) based on a formally verified model. The formal verification covers some of the most subtle and hard to test parts of an elliptic curve implementation, like carry chains. It would probably have prevented #20040 and #43786. This CL imports a 64-bit implementation of the P-521 base field, replacing the horribly slow and catastrophically variable time big.Int CurveParams implementation. The code in p521_fiat64.go is generated reproducibly by fiat-crypto, building and running the Dockerfile according to the README. The code in fiat/p521.go is a thin and idiomatic wrapper around the fiat-crypto code. It includes an Invert method generated with the help of github.com/mmcloughlin/addchain. The code in elliptic/p521.go is a line-by-line port of the CurveParams implementation. Lsh(x, N) was replaced with repeated Add(x, x) calls. Mul(x, x) was replaced with Square(x). Mod calls were removed, as all operations are modulo P. Likewise, Add calls to bring values back to positive were removed. The ScalarMult ladder implementation is now constant time, copied from p224ScalarMult. Only other notable changes are adding a p512Point type to keep (x, y, z) together, and making addJacobian and doubleJacobian methods on that type, with the usual receiver semantics to save 4 allocations per step. This amounts to a proof of concept, and is far from a mature elliptic curve implementation. Here's a non-exhaustive list of things that need improvement, most of which are pre-existing issues with crypto/elliptic. Some of these can be fixed without API change, so can't. - Marshal and Unmarshal still use the slow, variable time big.Int arithmetic. The Curve interface does not expose field operations, so we'll have to make our own abstraction. - Point addition uses an incomplete Jacobian formula, which has variable time behaviors for points at infinity and equal points. There are better, complete formulae these days, but I wanted to keep this CL reviewable against the existing code. - The scalar multiplication ladder is still heavily variable time. This is easy to fix and I'll do it in a follow-up CL, but I wanted to keep this one easier to review. - Fundamentally, values have to go in and out of big.Int representation when they pass through the Curve interface, which is both slow and slightly variable-time. - There is no scalar field implementation, so crypto/ecdsa ends up using big.Int for signing. - Extending this to P-384 would involve either duplicating all P-521 code, or coming up with some lower-level interfaces for the base field. Even better, generics, which would maybe let us save heap allocations due to virtual calls. - The readability and idiomaticity of the autogenerated code can improve, although we have a clear abstraction and well-enforced contract, which makes it unlikely we'll have to resort to manually modifying the code. See mit-plv/fiat-crypto#949. - We could also have a 32-bit implementation, since it's almost free to have fiat-crypto generate one. Anyway, it's definitely better than CurveParams, and definitely faster. name old time/op new time/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P521-8 4.18ms ± 3% 0.86ms ± 2% -79.50% (p=0.000 n=10+9) ScalarMult/P521-8 4.17ms ± 2% 0.85ms ± 6% -79.68% (p=0.000 n=10+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P521-8 4.23ms ± 1% 0.94ms ± 0% -77.70% (p=0.000 n=9+8) Verify/P521-8 8.31ms ± 2% 1.75ms ± 4% -78.99% (p=0.000 n=9+10) GenerateKey/P521-8 4.15ms ± 2% 0.85ms ± 2% -79.49% (p=0.000 n=10+9) name old alloc/op new alloc/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P521-8 3.06MB ± 3% 0.00MB ± 0% -99.97% (p=0.000 n=10+10) ScalarMult/P521-8 3.05MB ± 1% 0.00MB ± 0% -99.97% (p=0.000 n=9+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P521-8 3.03MB ± 0% 0.01MB ± 0% -99.74% (p=0.000 n=10+8) Verify/P521-8 6.06MB ± 1% 0.00MB ± 0% -99.93% (p=0.000 n=9+9) GenerateKey/P521-8 3.02MB ± 0% 0.00MB ± 0% -99.96% (p=0.000 n=9+10) name old allocs/op new allocs/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P521-8 19.8k ± 3% 0.0k ± 0% -99.95% (p=0.000 n=10+10) ScalarMult/P521-8 19.7k ± 1% 0.0k ± 0% -99.95% (p=0.000 n=9+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P521-8 19.6k ± 0% 0.1k ± 0% -99.63% (p=0.000 n=10+10) Verify/P521-8 39.2k ± 1% 0.1k ± 0% -99.84% (p=0.000 n=9+10) GenerateKey/P521-8 19.5k ± 0% 0.0k ± 0% -99.91% (p=0.000 n=9+10) Updates #40171 Change-Id: Ic898b09a2388382bf51ec007d9a79d72d44efe10 Reviewed-on: https://go-review.googlesource.com/c/go/+/315271 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Katie Hockman <[email protected]> Trust: Katie Hockman <[email protected]> Trust: Filippo Valsorda <[email protected]>
bassosimone
pushed a commit
to ooni/oocrypto
that referenced
this issue
May 21, 2022
Fiat Cryptography (https://github.com/mit-plv/fiat-crypto) is a project that produces prime order field implementations (the code that does arithmetic modulo a prime number) based on a formally verified model. The formal verification covers some of the most subtle and hard to test parts of an elliptic curve implementation, like carry chains. It would probably have prevented #20040 and #43786. This CL imports a 64-bit implementation of the P-521 base field, replacing the horribly slow and catastrophically variable time big.Int CurveParams implementation. The code in p521_fiat64.go is generated reproducibly by fiat-crypto, building and running the Dockerfile according to the README. The code in fiat/p521.go is a thin and idiomatic wrapper around the fiat-crypto code. It includes an Invert method generated with the help of github.com/mmcloughlin/addchain. The code in elliptic/p521.go is a line-by-line port of the CurveParams implementation. Lsh(x, N) was replaced with repeated Add(x, x) calls. Mul(x, x) was replaced with Square(x). Mod calls were removed, as all operations are modulo P. Likewise, Add calls to bring values back to positive were removed. The ScalarMult ladder implementation is now constant time, copied from p224ScalarMult. Only other notable changes are adding a p512Point type to keep (x, y, z) together, and making addJacobian and doubleJacobian methods on that type, with the usual receiver semantics to save 4 allocations per step. This amounts to a proof of concept, and is far from a mature elliptic curve implementation. Here's a non-exhaustive list of things that need improvement, most of which are pre-existing issues with crypto/elliptic. Some of these can be fixed without API change, so can't. - Marshal and Unmarshal still use the slow, variable time big.Int arithmetic. The Curve interface does not expose field operations, so we'll have to make our own abstraction. - Point addition uses an incomplete Jacobian formula, which has variable time behaviors for points at infinity and equal points. There are better, complete formulae these days, but I wanted to keep this CL reviewable against the existing code. - The scalar multiplication ladder is still heavily variable time. This is easy to fix and I'll do it in a follow-up CL, but I wanted to keep this one easier to review. - Fundamentally, values have to go in and out of big.Int representation when they pass through the Curve interface, which is both slow and slightly variable-time. - There is no scalar field implementation, so crypto/ecdsa ends up using big.Int for signing. - Extending this to P-384 would involve either duplicating all P-521 code, or coming up with some lower-level interfaces for the base field. Even better, generics, which would maybe let us save heap allocations due to virtual calls. - The readability and idiomaticity of the autogenerated code can improve, although we have a clear abstraction and well-enforced contract, which makes it unlikely we'll have to resort to manually modifying the code. See mit-plv/fiat-crypto#949. - We could also have a 32-bit implementation, since it's almost free to have fiat-crypto generate one. Anyway, it's definitely better than CurveParams, and definitely faster. name old time/op new time/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P521-8 4.18ms ± 3% 0.86ms ± 2% -79.50% (p=0.000 n=10+9) ScalarMult/P521-8 4.17ms ± 2% 0.85ms ± 6% -79.68% (p=0.000 n=10+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P521-8 4.23ms ± 1% 0.94ms ± 0% -77.70% (p=0.000 n=9+8) Verify/P521-8 8.31ms ± 2% 1.75ms ± 4% -78.99% (p=0.000 n=9+10) GenerateKey/P521-8 4.15ms ± 2% 0.85ms ± 2% -79.49% (p=0.000 n=10+9) name old alloc/op new alloc/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P521-8 3.06MB ± 3% 0.00MB ± 0% -99.97% (p=0.000 n=10+10) ScalarMult/P521-8 3.05MB ± 1% 0.00MB ± 0% -99.97% (p=0.000 n=9+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P521-8 3.03MB ± 0% 0.01MB ± 0% -99.74% (p=0.000 n=10+8) Verify/P521-8 6.06MB ± 1% 0.00MB ± 0% -99.93% (p=0.000 n=9+9) GenerateKey/P521-8 3.02MB ± 0% 0.00MB ± 0% -99.96% (p=0.000 n=9+10) name old allocs/op new allocs/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P521-8 19.8k ± 3% 0.0k ± 0% -99.95% (p=0.000 n=10+10) ScalarMult/P521-8 19.7k ± 1% 0.0k ± 0% -99.95% (p=0.000 n=9+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P521-8 19.6k ± 0% 0.1k ± 0% -99.63% (p=0.000 n=10+10) Verify/P521-8 39.2k ± 1% 0.1k ± 0% -99.84% (p=0.000 n=9+10) GenerateKey/P521-8 19.5k ± 0% 0.0k ± 0% -99.91% (p=0.000 n=9+10) Updates #40171 Change-Id: Ic898b09a2388382bf51ec007d9a79d72d44efe10 Reviewed-on: https://go-review.googlesource.com/c/go/+/315271 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Katie Hockman <[email protected]> Trust: Katie Hockman <[email protected]> Trust: Filippo Valsorda <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
use
uint64instead ofuint1and drop addcarryxU64 and subborrowxU64 wrappersuse
:=instead ofvardeclarationsemit types for different domains (Montgomery and not Montgomery)
make comments shorter
This should be the first line in the file, which by convention will get recognized by various tooling as autogenerated code and left alone.
gofmton the output (which will only fix some of the whitespaceThe text was updated successfully, but these errors were encountered: