floodyberry / ed25519-donna

Implementations of a fast Elliptic-curve Digital Signature Algorithm
169 stars 47 forks

I've forked this code to add Diffie-Hellman key exchange #8

Open forthy42 opened 10 years ago

forthy42 commented 10 years ago

I've forked this code to add Diffie-Hellman key exchange, so the same keypair can be used for signing and encryption (primitive ge25519_scalarmult; I first wrote a variable-time scalarmult derived from the verifying code, to make sure the constant-time one does the same thing).

The other thing I changed is that I can compile a shared library consisting only of the primitives, not the signing/verifying code itself; as I use SHA-3/Keccak as the hash, keeping the actual signature function out of the primitive library makes those experiments easier.

I've also experimented with a high-level implementation that makes GCC generate cmove instructions for the constant-time array loads, which does about the same thing as your recently written assembler code; though I use fewer registers (3 or 4, because starting with 5, gcc thinks a branch is better).

BTW: You don't need to load into a register first; CMOVcc always reads, so you can use a mem operand. Andy Glew originally wanted it to actually load conditionally, but that request was denied, so cmove reg, mem is fine for crypto code - it will always load from mem, regardless of the condition.
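The comment above describes reusing the Ed25519 keypair for a Diffie-Hellman exchange via a scalar multiplication on the Edwards curve, cross-checked against a variable-time version, and a branch-free table load for the constant-time path. The following added example (not code from ed25519-donna or from the fork; written for this thread) models that structure in plain Python: the curve constants and the unified addition formula are the standard edwards25519 ones from RFC 8032, while `scalarmult_vartime`, `scalarmult_ct`, `ct_select`, `dh_shared` and the seeds used in `demo` are constructed for illustration. `ct_select` is the arithmetic analogue of the cmov-based array load (every entry is touched, a mask picks the wanted one); Python big-integer arithmetic is itself not constant time, so only the data-independent control flow and access pattern carry over to a real implementation.

```python
# Added example (not ed25519-donna code): Ed25519 keypair reused for
# Diffie-Hellman on edwards25519, with a variable-time reference scalarmult
# cross-checking a fixed-window, branch-free scalarmult.
import hashlib

p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p  # edwards25519 curve constant
IDENT = (0, 1, 1, 0)  # neutral element in extended coordinates (X, Y, Z, T)
Bx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
By = 46316835694926478169428394003475163141307993866256225615783033603165251855960
BASE = (Bx, By, 1, Bx * By % p)  # RFC 8032 base point


def point_add(P, Q):
    # Complete (unified) addition for a = -1 twisted Edwards, RFC 8032 5.1.4;
    # also used for doubling, so no separate secret-dependent code path.
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A = (Y1 - X1) * (Y2 - X2) % p
    B = (Y1 + X1) * (Y2 + X2) % p
    C = 2 * d * T1 * T2 % p
    D = 2 * Z1 * Z2 % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)


def affine(P):
    X, Y, Z, _ = P
    zi = pow(Z, p - 2, p)
    return (X * zi % p, Y * zi % p)


def on_curve(P):
    # -x^2 + y^2 = 1 + d x^2 y^2; reject peer points that fail this.
    x, y = affine(P)
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0


def encode(P):
    # Standard Ed25519 point encoding: y little-endian, sign of x in bit 255.
    x, y = affine(P)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def scalarmult_vartime(k, P):
    # Plain double-and-add: branches on every scalar bit, so only acceptable
    # for public scalars (verification).  Kept as the reference to check the
    # constant-time version against, as the comment above describes.
    R = IDENT
    for i in range(k.bit_length() - 1, -1, -1):
        R = point_add(R, R)
        if (k >> i) & 1:
            R = point_add(R, P)
    return R


def ct_select(table, idx):
    # Branch-free lookup: every entry is read and a mask that is all-ones only
    # for the wanted index selects it (analogue of a cmov-based table load).
    acc = [0, 0, 0, 0]
    for i, entry in enumerate(table):
        mask = ((i ^ idx) - 1) >> 8  # -1 when i == idx, else 0 (indices < 16)
        for j in range(4):
            acc[j] |= entry[j] & mask
    return tuple(acc)


def scalarmult_ct(k, P):
    # Fixed 4-bit windows over a 256-bit scalar: always 64 windows, each with
    # 4 doublings and one addition of a table entry chosen via ct_select.
    table = [IDENT]
    for _ in range(15):
        table.append(point_add(table[-1], P))
    R = IDENT
    for w in range(63, -1, -1):
        for _ in range(4):
            R = point_add(R, R)
        R = point_add(R, ct_select(table, (k >> (4 * w)) & 15))
    return R


def keypair(seed):
    # Ed25519 secret scalar derivation (SHA-512 + clamping).  The clamped
    # scalar is a multiple of 8, which also clears small-order components of
    # a peer point during DH.
    h = hashlib.sha512(seed).digest()
    s = int.from_bytes(h[:32], "little")
    s = (s & ((1 << 254) - 8)) | (1 << 254)
    return s, scalarmult_ct(s, BASE)


def dh_shared(my_scalar, peer_pub):
    # Diffie-Hellman with the signing keypair on the Edwards curve itself.
    if not on_curve(peer_pub):
        raise ValueError("peer public point is not on edwards25519")
    return encode(scalarmult_ct(my_scalar, peer_pub))


def demo():
    # Constructed seeds, for illustration only.
    sa, A = keypair(hashlib.sha256(b"example seed alice").digest())
    sb, Bpub = keypair(hashlib.sha256(b"example seed bob").digest())
    assert dh_shared(sa, Bpub) == dh_shared(sb, A)
    # Cross-check: the variable-time reference agrees with the CT version.
    assert affine(scalarmult_vartime(sa, BASE)) == affine(A)
    return dh_shared(sa, Bpub)


if __name__ == "__main__":
    print(demo().hex())
```

`keypair` reproduces the RFC 8032 public-key derivation, so the code can be validated against the published test vectors before it is trusted for the DH path; the hypothetical `dh_shared` additionally checks that the peer point lies on the curve before multiplying, which a real implementation accepting encoded points from the network would also need to do while decoding.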

floodyberry commented 10 years ago

RE: array loads, I realized you could use a fully packed table for the scalarmult_base lookup (the 24k table used by amd64-64-24k), and expand ysubx, xaddy, and t2d at the end. This results in slightly-slower-to-about-the-same for the portable code (handling endian-safe loads in curve25519_expand), but is noticeably faster otherwise. With 64-bit code you only need one pass of the table using SSE2 registers. Since I don't need a dummy register I'll see if I can squeeze it into 12 registers and see how cmov performs.

floodyberry commented 10 years ago

cmov in one pass appears to be a bit slower than sse2 registers in one pass

erichocean commented 10 years ago

@floodyberry Just an FYI, floodyberry.com looks like it needs to be renewed on GoDaddy (as of Oct. 23).

floodyberry commented 10 years ago

pushed all my latest stuff!

and renewed (whoops), but now the webserver has broken. I should probably check it a little more often and do something with it.

crackcomm commented 5 years ago

@forthy42 @floodyberry is it possible to do constant-time ECDH on the current codebase?