Integrating ed25519 components

[andres-erbsen]

This puts together several key components of the ed25519, with proofs wherever easy and admits (for now) if not. The main achievement is an elliptic curve scalar multiplication routine that uses the extended representation of the underlying Edwards curve and a non-uniform base system with lazy carrying for the field elements. I have extracted this code and executed it using GHC, passing the test that multiplication by group order returns identity. A lot of work is to be done, still -- the correctness proof of the described implementation has several non-trivial admits and the limbs of the field elements are stored as arbitrary-precision integers, not machine words.

The main hurdle in this patch is Shrink Obligations, which seems to have different behavior in 8.6 and older versions regardless of the state of the flag. @JasonGross please investigate and help -- I think this PR as-is does not build in 8.6.

The merge is also likely to be somewhat nasty, but I haven't looked into it yet.

@jadephilipoom please review the EdDSA and Ed25519 specs, cross-referencing with "eddsa for more curves" and the ed25519 RFC wherever relevant.

@JasonGross please see whether the setoid_rewrites at https://github.com/mit-plv/fiat-crypto/compare/fiat-crypto-integration?expand=1#diff-5366caedd04016399124d528353b4a5cR134 and the next derivation in that file can be made less fragile.

Other crap that leaked in:

• F.of_nat and F.to_nat
• Require-s moved out of sections
• fix reversed carry chain in GF25519

[JasonGross]

If

Global Unset Shrink Abstract.
Global Unset Shrink Obligations.

does not allow the code to build in both 8.5 and 8.6, that's a bug in Coq. I'll look into it tomorrow.

GitHub claims there are no merge conflicts.

[JasonGross]

This is unsupported. Coq only fully supports requires at top level. (Symptoms of unsupportedness include anomalies, inconsistent states, and sad bug minimizers.)

[andres-erbsen]

done.

[andres-erbsen]

I added Global Unset Shrink Abstract and moved the Require out of modules, but the build still fails in my slightly dated 8.6.

[JasonGross]

You seem to have broken the 8.4 (and 8.5) build(s) with the latest commit.

[JasonGross]

the build still fails in my slightly dated 8.6

Bug #5044 Your bash tactic is the culprit. Try this (don't pose proof E.char_gt_2 if you don't need to) instead:

    Local Ltac bash' :=
      repeat match goal with
             | |- Proper _ _ => intro
             | _ => progress intros
             | [ H: _ /\ _ |- _ ] => destruct H
             | [ p:E.point |- _ ] => destruct p as [ [??] ? ]
             | [ p:point |- _ ] => destruct p as [ [ [ [??] ? ] ? ] ? ]
             | _ => progress autounfold with bash in *
             | |- _ /\ _ => split
             | _ => solve [neq01]
             | _ => solve [eauto]
             | _ => solve [intuition eauto]
             | _ => solve [etransitivity; eauto]
             | |- _*_ <> 0 => apply Ring.zero_product_iff_zero_factor
             | [H: _ |- _ ] => solve [intro; apply H; super_nsatz]
             | _ => progress uninv
             | |- Feq _ _ => super_nsatz
             end.
    Local Ltac bash := bash'; pose proof E.char_gt_2; bash'.

[JasonGross]

What's up with your changes to ExtendedCoordinates? It's 2x slower now than it was (2m on travis rather than 1m). Is this expected?

[JasonGross]

You could instead do repeat repeat (assumption||reflexivity||econstructor). The answer is goal ordering and evar information.

[JasonGross]

see whether the setoid_rewrites at https://github.com/mit-plv/fiat-crypto/compare/fiat-crypto-integration?expand=1#diff-5366caedd04016399124d528353b4a5cR134 and the next derivation in that file can be made less fragile.

You're not going to get setoid_rewrite to do this transformation in a nice way. You can't rely on higher-order unification to find non-unique solutions for you in the way you want. I can probably get an approach working where first you "tag" a term with the proof that you want to rewrite with, and then you push the tags in until either you hit bottom (whence you drop them), or until you find the pattern you're supposed to be rewriting. Except setoid_rewrite is modulo delta, so it might unfold too many things. If Ltac supported manipulation of open terms, you could just use pattern, but, alas, it does not (yet). If you can figure out a way to break apart your transformation into multiple steps, none of which require higher-order unification to infer non-unique solutions (for example, if you have an inverse function to Eenc, that is probably sufficient), then you might be able to make things work nicely.

[andres-erbsen]

@JasonGross I think this change and the tactics to undo it in proofs made this file slower. I did this to make the generated code not duplicate the inversion. Not sure how to best fix it.

[JasonGross]

It's possible that moving uninv to the top of bash will be enough to fix it. You can also do something like:

Let to_twisted_final (P:point) := (let '(X,Y,Z,T) := coordinates P in let iZ := Finv Z in ((X*iZ), (Y*iZ))).
Let to_twisted_fast (P:point) := (let '(X,Y,Z,T) := coordinates P in ((X/Z), (Y/Z))).
Lemma to_twisted_speed (P : point) : to_twisted_final P = to_twisted_fast P. ... Qed.

and then rewrite with to_twisted_speed wherever you need to.

[andres-erbsen]

The parts of this that did not have open issues were merged as commits
1ea69cd through e51fb9e