Hello @cronokirby!

I wanted to run the ProtonMail proton-bridge software on my riscv64 machine.

As riscv64 is in its early days, this lead me to building proton-bridge from source which for most things golang actually works fine since ca 2020 when it got supported.

But, then this library comes by and when building gives me the below errors.

Now, looking at the repo and its file names, I assume a file arith_riscv64.s is needed (?) - I own riscv64 hardware (a HiFive Unmatched) and am happy to dig into this. How can I contribute? What would be the best path forward here?

➜  proton-bridge git:(master) make build-nogui                
go build -tags='' -ldflags '-X github.com/ProtonMail/proton-bridge/internal/constants.Version=2.1.2+git -X github.com/ProtonMail/proton-bridge/internal/constants.Revision=3b07121f08 -X github.com/ProtonMail/proton-bridge/internal/constants.BuildTime=2022-04-10T11:17:16+0000' -o proton-bridge cmd/Desktop-Bridge/main.go
# github.com/cronokirby/saferith
vendor/github.com/cronokirby/saferith/arith_decl.go:10:6: missing function body
vendor/github.com/cronokirby/saferith/arith_decl.go:11:6: missing function body
vendor/github.com/cronokirby/saferith/arith_decl.go:12:6: missing function body
vendor/github.com/cronokirby/saferith/arith_decl.go:13:6: missing function body
vendor/github.com/cronokirby/saferith/arith_decl.go:14:6: missing function body
vendor/github.com/cronokirby/saferith/arith_decl.go:15:6: missing function body
vendor/github.com/cronokirby/saferith/arith_decl.go:16:6: missing function body
make: *** [Makefile:69: build-nogui] Error 2
➜  proton-bridge git:(master) 

To use safenum in protonmail's mobile applications, we'd like to add arm, arm64 and x86 support. I've copied the assembly implementations from big.Int and removed the non-needed implementations, similar to what was done for amd64. However I'm not sure if the code is constant time, I've seen that for amd64 some calls for 'large' subroutines were removed, I haven't found similar calls in the other archs.

When attempting to target wasm for compilation there are missing implementations

GOOS=js GOARCH=wasm go build -tags main.wasm -o init.go
# github.com/cronokirby/safenum
./arith_decl.go:10:6: missing function body
./arith_decl.go:11:6: missing function body
./arith_decl.go:12:6: missing function body
./arith_decl.go:13:6: missing function body
./arith_decl.go:14:6: missing function body
./arith_decl.go:15:6: missing function body
./arith_decl.go:16:6: missing function body

This copies the assembly files from https://cs.opensource.google/go/go/+/master:src/math/big/, to add support for all of the architectures supported by math/big. Most of these just jump to the pure implementations, and shouldn't pose any constant-timeness issues.

The only one I'm somewhat unsure about is the s390x implementation, which does some loop unrolling for small limbed numbers, but it doesn't do early returns based on the evaluation results, like the amd64 did, before we modified it.

This should address #48, but I haven't tested building and running the tests, so closing that issue is pending on doing that.

Fix issues where the implementation incorrectly assumed that the device was using words of 64 bits, leading to crashes and incorrect results on devices with 32 bit archs

When a, b = new(Nat), new(Nat), a.Coprime(b) panics since it accesses the first limb. Since both a and b are the same, the expected result would be 0.

• Setting x := new(Nat).Rsh(y, s, -1) would result in x not being updated.
• Added a test that would catch this, and tests the inverse round-trip with Lsh.
• Use the random generator to determine the size of the numbers generated for the quick tests. We ensure they are less than 128 bytes.
• Fixed some edge cases in tests that assumed that the len(x.limbs) > 0.

These functions are simple wrappers around Nat.SetBytes() and Nat.Bytes().

For Modulus, we additionally call precomputeValues() in UnmarshalBinary().

Int returns byte(i.sign) || i.nat.Bytes(), so that the result is always at least one byte long. Only the LSB of of the first byte is actually used.

Also includes test to check that MarshalBinary() -> UnmarshalBinary() returns the same result.

Or something like that. Right now, you can use CoPrime between two nats, but what we really want somewhat often is to check if a Nat x is a coprime to a modulus n. This would be better phrased as checking if x is a unit mod n.

Fixes #14.

This will be very useful for unbounded calculations, since it avoids bit explosion. This also adds support for omitting the bound passed to an operation, using a smart default instead.

We can't and don't need to support negative values in all places, but a few operations are actually needed, and can be implemented relatively easily, in a constant-time way:

• Multiplication
• Addition
• Converting to Nat via modular reduction
• Converting from Nat via modular reduction and range
• Checking in modular range

This adds the fuzzing code that resulted in d39f5a274f7c3b8c8d60456b1525cce26ffacfe7. These fuzz functions are written for dvyukov/go-fuzz.

All-in-all it's quite extensive and perhaps it fuzzes some stuff that may seem to trivial to fuzz. I'd be happy to remove parts of it if that's preferred and I also welcome any suggestions for how to improve the tests.

I put it together such that you can run these commands:

# get go-fuzz
$ go get -u github.com/dvyukov/go-fuzz/go-fuzz@latest github.com/dvyukov/go-fuzz/go-fuzz-build@latest

# build fuzz binary
$ go-fuzz-build

# run fuzzer on Nat
$ go-fuzz -workdir ./_fuzz_nat -func FuzzNat

# or run fuzzer on Int
$ go-fuzz -workdir ./_fuzz_int -func FuzzInt

to fuzz everything. Or run something more specific, e.g.:

# run fuzzer on Nat.ModSqrt
$ go-fuzz -workdir ./_fuzz_nat -func FuzzNatSqrt

to fuzz a specific (set of) function(s). The former is easier to use (just one run to fuzz everything) while the latter can be more efficient (because coverage guiding can do its job better and non-zero return values can be used).