std.crypto: remove inline from most functions

To quote the language reference,

It is generally better to let the compiler decide when to inline a
function, except for these scenarios:

* To change how many stack frames are in the call stack, for debugging
  purposes.
* To force comptime-ness of the arguments to propagate to the return
  value of the function, as in the above example.
* Real world performance measurements demand it. Don't guess!

Note that inline actually restricts what the compiler is allowed to do.
This can harm binary size, compilation speed, and even runtime
performance.

`zig run lib/std/crypto/benchmark.zig -OReleaseFast`
[-before-] vs {+after+}

              md5:        [-990-]        {+998+} MiB/s
             sha1:       [-1144-]       {+1140+} MiB/s
           sha256:       [-2267-]       {+2275+} MiB/s
           sha512:        [-762-]        {+767+} MiB/s
         sha3-256:        [-680-]        {+683+} MiB/s
         sha3-512:        [-362-]        {+363+} MiB/s
        shake-128:        [-835-]        {+839+} MiB/s
        shake-256:        [-680-]        {+681+} MiB/s
   turboshake-128:       [-1567-]       {+1570+} MiB/s
   turboshake-256:       [-1276-]       {+1282+} MiB/s
          blake2s:        [-778-]        {+789+} MiB/s
          blake2b:       [-1071-]       {+1086+} MiB/s
           blake3:       [-1148-]       {+1137+} MiB/s
            ghash:      [-10044-]      {+10033+} MiB/s
          polyval:       [-9726-]      {+10033+} MiB/s
         poly1305:       [-2486-]       {+2703+} MiB/s
         hmac-md5:        [-991-]        {+998+} MiB/s
        hmac-sha1:       [-1134-]       {+1137+} MiB/s
      hmac-sha256:       [-2265-]       {+2288+} MiB/s
      hmac-sha512:        [-765-]        {+764+} MiB/s
      siphash-2-4:       [-4410-]       {+4438+} MiB/s
      siphash-1-3:       [-7144-]       {+7225+} MiB/s
   siphash128-2-4:       [-4397-]       {+4449+} MiB/s
   siphash128-1-3:       [-7281-]       {+7374+} MiB/s
  aegis-128x4 mac:      [-73385-]      {+74523+} MiB/s
  aegis-256x4 mac:      [-30160-]      {+30539+} MiB/s
  aegis-128x2 mac:      [-66662-]      {+67267+} MiB/s
  aegis-256x2 mac:      [-16812-]      {+16806+} MiB/s
   aegis-128l mac:      [-33876-]      {+34055+} MiB/s
    aegis-256 mac:       [-8993-]       {+9087+} MiB/s
         aes-cmac:       2036 MiB/s
           x25519:      [-20670-]      {+16844+} exchanges/s
          ed25519:      [-29763-]      {+29576+} signatures/s
       ecdsa-p256:       [-4762-]       {+4900+} signatures/s
       ecdsa-p384:       [-1465-]       {+1500+} signatures/s
  ecdsa-secp256k1:       [-5643-]       {+5769+} signatures/s
          ed25519:      [-21926-]      {+21721+} verifications/s
          ed25519:      [-51200-]      {+50880+} verifications/s (batch)
 chacha20Poly1305:       [-1189-]       {+1109+} MiB/s
xchacha20Poly1305:       [-1196-]       {+1107+} MiB/s
 xchacha8Poly1305:       [-1466-]       {+1555+} MiB/s
 xsalsa20Poly1305:        [-660-]        {+620+} MiB/s
      aegis-128x4:      [-76389-]      {+78181+} MiB/s
      aegis-128x2:      [-53946-]      {+53495+} MiB/s
       aegis-128l:      [-27219-]      {+25621+} MiB/s
      aegis-256x4:      [-49351-]      {+49542+} MiB/s
      aegis-256x2:      [-32390-]      {+32366+} MiB/s
        aegis-256:       [-8881-]       {+8944+} MiB/s
       aes128-gcm:       [-6095-]       {+6205+} MiB/s
       aes256-gcm:       [-5306-]       {+5427+} MiB/s
       aes128-ocb:       [-8529-]      {+13974+} MiB/s
       aes256-ocb:       [-7241-]       {+9442+} MiB/s
        isapa128a:        [-204-]        {+214+} MiB/s
    aes128-single:  [-133857882-]  {+134170944+} ops/s
    aes256-single:   [-96306962-]   {+96408639+} ops/s
         aes128-8: [-1083210101-] {+1073727253+} ops/s
         aes256-8:  [-762042466-]  {+767091778+} ops/s
           bcrypt:      0.009 s/ops
           scrypt:      [-0.018-]      {+0.017+} s/ops
           argon2:      [-0.037-]      {+0.060+} s/ops
      kyber512d00:     [-206057-]     {+205779+} encaps/s
      kyber768d00:     [-156074-]     {+150711+} encaps/s
     kyber1024d00:     [-116626-]     {+115469+} encaps/s
      kyber512d00:     [-181149-]     {+182046+} decaps/s
      kyber768d00:     [-136965-]     {+135676+} decaps/s
     kyber1024d00:     [-101307-]     {+100643+} decaps/s
      kyber512d00:     [-123624-]     {+123375+} keygen/s
      kyber768d00:      [-69465-]      {+70828+} keygen/s
     kyber1024d00:      [-43117-]      {+43208+} keygen/s

Author: andrewrk

lib/std/crypto.zig

@@ -386,7 +386,7 @@ test "issue #4532: no index out of bounds" {
 
 /// Sets a slice to zeroes.
 /// Prevents the store from being optimized out.
-pub inline fn secureZero(comptime T: type, s: []volatile T) void {
+pub fn secureZero(comptime T: type, s: []volatile T) void {
     @memset(s, 0);
 }
 

lib/std/crypto/25519/curve25519.zig

@@ -15,12 +15,12 @@ pub const Curve25519 = struct {
     x: Fe,
 
     /// Decode a Curve25519 point from its compressed (X) coordinates.
-    pub inline fn fromBytes(s: [32]u8) Curve25519 {
+    pub fn fromBytes(s: [32]u8) Curve25519 {
         return .{ .x = Fe.fromBytes(s) };
     }
 
     /// Encode a Curve25519 point.
-    pub inline fn toBytes(p: Curve25519) [32]u8 {
+    pub fn toBytes(p: Curve25519) [32]u8 {
         return p.x.toBytes();
     }
 

lib/std/crypto/25519/edwards25519.zig

@@ -138,7 +138,7 @@ pub const Edwards25519 = struct {
     }
 
     /// Flip the sign of the X coordinate.
-    pub inline fn neg(p: Edwards25519) Edwards25519 {
+    pub fn neg(p: Edwards25519) Edwards25519 {
         return .{ .x = p.x.neg(), .y = p.y, .z = p.z, .t = p.t.neg() };
     }
 
@@ -190,14 +190,14 @@ pub const Edwards25519 = struct {
         return q;
     }
 
-    inline fn cMov(p: *Edwards25519, a: Edwards25519, c: u64) void {
+    fn cMov(p: *Edwards25519, a: Edwards25519, c: u64) void {
         p.x.cMov(a.x, c);
         p.y.cMov(a.y, c);
         p.z.cMov(a.z, c);
         p.t.cMov(a.t, c);
     }
 
-    inline fn pcSelect(comptime n: usize, pc: *const [n]Edwards25519, b: u8) Edwards25519 {
+    fn pcSelect(comptime n: usize, pc: *const [n]Edwards25519, b: u8) Edwards25519 {
         var t = Edwards25519.identityElement;
         comptime var i: u8 = 1;
         inline while (i < pc.len) : (i += 1) {

lib/std/crypto/25519/field.zig

@@ -56,15 +56,15 @@ pub const Fe = struct {
     pub const edwards25519sqrtam2 = Fe{ .limbs = .{ 1693982333959686, 608509411481997, 2235573344831311, 947681270984193, 266558006233600 } };
 
     /// Return true if the field element is zero
-    pub inline fn isZero(fe: Fe) bool {
+    pub fn isZero(fe: Fe) bool {
         var reduced = fe;
         reduced.reduce();
         const limbs = reduced.limbs;
         return (limbs[0] | limbs[1] | limbs[2] | limbs[3] | limbs[4]) == 0;
     }
 
     /// Return true if both field elements are equivalent
-    pub inline fn equivalent(a: Fe, b: Fe) bool {
+    pub fn equivalent(a: Fe, b: Fe) bool {
         return a.sub(b).isZero();
     }
 
@@ -168,7 +168,7 @@ pub const Fe = struct {
     }
 
     /// Add a field element
-    pub inline fn add(a: Fe, b: Fe) Fe {
+    pub fn add(a: Fe, b: Fe) Fe {
         var fe: Fe = undefined;
         comptime var i = 0;
         inline while (i < 5) : (i += 1) {
@@ -178,7 +178,7 @@ pub const Fe = struct {
     }
 
     /// Subtract a field element
-    pub inline fn sub(a: Fe, b: Fe) Fe {
+    pub fn sub(a: Fe, b: Fe) Fe {
         var fe = b;
         comptime var i = 0;
         inline while (i < 4) : (i += 1) {
@@ -197,17 +197,17 @@ pub const Fe = struct {
     }
 
     /// Negate a field element
-    pub inline fn neg(a: Fe) Fe {
+    pub fn neg(a: Fe) Fe {
         return zero.sub(a);
     }
 
     /// Return true if a field element is negative
-    pub inline fn isNegative(a: Fe) bool {
+    pub fn isNegative(a: Fe) bool {
         return (a.toBytes()[0] & 1) != 0;
     }
 
     /// Conditonally replace a field element with `a` if `c` is positive
-    pub inline fn cMov(fe: *Fe, a: Fe, c: u64) void {
+    pub fn cMov(fe: *Fe, a: Fe, c: u64) void {
         const mask: u64 = 0 -% c;
         var x = fe.*;
         comptime var i = 0;
@@ -248,7 +248,7 @@ pub const Fe = struct {
         }
     }
 
-    inline fn _carry128(r: *[5]u128) Fe {
+    fn _carry128(r: *[5]u128) Fe {
         var rs: [5]u64 = undefined;
         comptime var i = 0;
         inline while (i < 4) : (i += 1) {
@@ -321,17 +321,17 @@ pub const Fe = struct {
     }
 
     /// Square a field element
-    pub inline fn sq(a: Fe) Fe {
+    pub fn sq(a: Fe) Fe {
         return _sq(a, false);
     }
 
     /// Square and double a field element
-    pub inline fn sq2(a: Fe) Fe {
+    pub fn sq2(a: Fe) Fe {
         return _sq(a, true);
     }
 
     /// Multiply a field element with a small (32-bit) integer
-    pub inline fn mul32(a: Fe, comptime n: u32) Fe {
+    pub fn mul32(a: Fe, comptime n: u32) Fe {
         const sn = @as(u128, @intCast(n));
         var fe: Fe = undefined;
         var x: u128 = 0;

lib/std/crypto/25519/ristretto255.zig

@@ -42,7 +42,7 @@ pub const Ristretto255 = struct {
     }
 
     /// Reject the neutral element.
-    pub inline fn rejectIdentity(p: Ristretto255) IdentityElementError!void {
+    pub fn rejectIdentity(p: Ristretto255) IdentityElementError!void {
         return p.p.rejectIdentity();
     }
 
@@ -141,24 +141,24 @@ pub const Ristretto255 = struct {
     }
 
     /// Double a Ristretto255 element.
-    pub inline fn dbl(p: Ristretto255) Ristretto255 {
+    pub fn dbl(p: Ristretto255) Ristretto255 {
         return .{ .p = p.p.dbl() };
     }
 
     /// Add two Ristretto255 elements.
-    pub inline fn add(p: Ristretto255, q: Ristretto255) Ristretto255 {
+    pub fn add(p: Ristretto255, q: Ristretto255) Ristretto255 {
         return .{ .p = p.p.add(q.p) };
     }
 
     /// Subtract two Ristretto255 elements.
-    pub inline fn sub(p: Ristretto255, q: Ristretto255) Ristretto255 {
+    pub fn sub(p: Ristretto255, q: Ristretto255) Ristretto255 {
         return .{ .p = p.p.sub(q.p) };
     }
 
     /// Multiply a Ristretto255 element with a scalar.
     /// Return error.WeakPublicKey if the resulting element is
     /// the identity element.
-    pub inline fn mul(p: Ristretto255, s: [encoded_length]u8) (IdentityElementError || WeakPublicKeyError)!Ristretto255 {
+    pub fn mul(p: Ristretto255, s: [encoded_length]u8) (IdentityElementError || WeakPublicKeyError)!Ristretto255 {
         return .{ .p = try p.p.mul(s) };
     }
 

lib/std/crypto/25519/scalar.zig

@@ -50,7 +50,7 @@ pub fn reduce64(s: [64]u8) CompressedScalar {
 
 /// Perform the X25519 "clamping" operation.
 /// The scalar is then guaranteed to be a multiple of the cofactor.
-pub inline fn clamp(s: *CompressedScalar) void {
+pub fn clamp(s: *CompressedScalar) void {
     s[0] &= 248;
     s[31] = (s[31] & 127) | 64;
 }
@@ -514,7 +514,7 @@ pub const Scalar = struct {
     }
 
     /// Square a scalar `n` times
-    inline fn sqn(x: Scalar, comptime n: comptime_int) Scalar {
+    fn sqn(x: Scalar, comptime n: comptime_int) Scalar {
         var i: usize = 0;
         var t = x;
         while (i < n) : (i += 1) {

lib/std/crypto/aegis.zig

@@ -104,7 +104,7 @@ fn State128X(comptime degree: u7) type {
             return state;
         }
 
-        inline fn update(state: *State, d1: AesBlockVec, d2: AesBlockVec) void {
+        fn update(state: *State, d1: AesBlockVec, d2: AesBlockVec) void {
             const blocks = &state.blocks;
             const tmp = blocks[7];
             comptime var i: usize = 7;
@@ -413,7 +413,7 @@ fn State256X(comptime degree: u7) type {
             return state;
         }
 
-        inline fn update(state: *State, d: AesBlockVec) void {
+        fn update(state: *State, d: AesBlockVec) void {
             const blocks = &state.blocks;
             const tmp = blocks[5].encrypt(blocks[0]);
             comptime var i: usize = 5;