No security implications, but the current hash-to-curve standard
defines the sign of the Y coordinate to be negative if `gx1`
is a square, positive otherwise.
We were doing it the other way round.
These changes have been made to resolve issue #10037. The `Random`
interface was implemented in such a way that causes significant slowdown
when calling the `fill` function of the rng used.
The `Random` interface is no longer stored in a field of the rng, and is
instead returned by the child function `random()` of the rng. This
avoids the performance issues caused by the interface.
* std lib tests are passing on x86_64-linux with and without -lc
* stage2 is building from source on x86_64-linux
* down to 38 remaining uses of `usingnamespace`
We already have a LICENSE file that covers the Zig Standard Library. We
no longer need to remind everyone that the license is MIT in every single
file.
Previously this was introduced to clarify the situation for a fork of
Zig that made Zig's LICENSE file harder to find, and replaced it with
their own license that required annual payments to their company.
However that fork now appears to be dead. So there is no need to
reinforce the copyright notice in every single file.
The only known use case for this is the hash-to-curve operation where the top bit is always cleared.
But the function is public, so let's make it work as one would expect in the general case.
Also fix the comment by the way.
This breaking change disambiguates between overriding the lib dir when
performing an installation with the Zig Build System, and overriding the
lib dir that the Zig installation itself uses.
fiat-crypto now generates proper types, so take advantage of that.
Add mixed subtraction and double base multiplication.
We will eventually leverage mixed addition/subtraction for fixed
base multiplication. The reason we don't right now is that
precomputing the tables at comptime would take forever.
We don't use combs for the same reason. Stage2 + less function
calls in the fiat-crypto generated code will eventually address
that.
Also make the edwards25519 code consistent with these changes.
No functional changes.
The atfork handler is executed even when fork()-ing threads that have
never initialized their local csprng. Handle this case gracefully
instead of raising a runtime error.
Fixes#8841
Some libc implementations (glib) deduplicate identical hooks, others
(musl, macos) do not and blindly append them to an internal list.
Ensure there's only a single call to pthread_atfork to prevent unbounded
memory use when lots of threads/forks are used.
Conflicts:
* src/codegen/spirv.zig
* src/link/SpirV.zig
We're going to want to improve the stage2 test harness to print
the source file name when a compile error occurs otherwise std lib
contributors are going to see some confusing CI failures when they cause
stage2 AstGen compile errors.
Let mmap allocate a block of memory that's wide enough to use with
MADV_WIPEONFORK, madvise granularity is the current system page size
(using a static buffer of mem.page_size bytes would be wrong, that's the
minimum page size).
As a result, we don't zero some random chunk of memory every time we
fork the process.
Fixes#7609
Conflicts:
* lib/std/os/linux.zig
* lib/std/os/windows/bits.zig
* src/Module.zig
* src/Sema.zig
* test/stage2/test.zig
Mainly I wanted Jakub's new macOS code for respecting stack size, since
we now depend on it for debug builds able to pass one of the test cases
for recursive comptime function calls with `@setEvalBranchQuota`.
The conflicts were all trivial.
Instead of multiple references to an anonymous structure to represent affine coordinates, add an actual `AffineCoordinates` structure.
Also properly handle the neutral element during coordinate conversion and fix mixed addition.
And comptime the small precomputation table for basepoint multiplication.
Conflicts:
* doc/langref.html.in
* lib/std/enums.zig
* lib/std/fmt.zig
* lib/std/hash/auto_hash.zig
* lib/std/math.zig
* lib/std/mem.zig
* lib/std/meta.zig
* test/behavior/alignof.zig
* test/behavior/bitcast.zig
* test/behavior/bugs/1421.zig
* test/behavior/cast.zig
* test/behavior/ptrcast.zig
* test/behavior/type_info.zig
* test/behavior/vector.zig
Master branch added `try` to a bunch of testing function calls, and some
lines also had changed how to refer to the native architecture and other
`@import("builtin")` stuff.
Functions generated by Fiat-crypto are not prefixed by their description any more. This matches an upstream change.
We can now use a single type for different curves and implementations.
The field type is now generic, so we can properly handle the base field and scalars without code duplication.
Uses verified code generated by fiat-crypto for field arithmetic, and complete formulas to avoid side channels.
There's still plenty of room for optimizations, especially with a fixed base. But this gives us a framework to easily add other similar curves.
Conflicts:
lib/std/crypto/25519/field.zig
lib/std/crypto/poly1305.zig
I had resolved those by removing `comptime` but master branch decided to
make the parameters `comptime`.
This also pulls in the updated default `zig build` install directory.
* 25519: remove unused const, safeguard against unreduced scalars
No behavior change, but it makes the existing code better match
the forthcoming code for other curves.
Rename nonAdjacentForm() to slide(), remove an unneeded and
confusing constant, and do a reduction in slide() if 257 bits would
be required.
Note that in all the high-level functions, the top bit is always
cleared, so the reduction is never necessary. But since the low-level
functions are public, the check is a safe thing to have.
* 25519: make identityElement public, deprecate neutralElement
Also fix a few comments by the way.
