Nikos Mavrogiannopoulos <[email protected]> writes:

> I've also done a comparison benchmark of AES-GCM (the 4-bit table one)
> versus HMAC-SHAx+AES-CBC... AES-GCM in software is disappointing...

Now I've tried 8-bit tables. Then I get into the same ballpark as md5
and the sha functions (benchmarking on intel x86_64):

         Algorithm        mode Mbyte/s cycles/byte cycles/block
               md5      update  174.20        7.12       455.48
              sha1      update  158.09        7.84       501.89
            sha256      update   68.36       18.14      1160.65
            sha512      update  104.99       11.81      1511.55
              gmac        auth   65.93       18.80       300.87

I think both sha512 and gmac benefit from 64-bit wide registers, while
md5, sha1 and sha256 do not. And I think there are still a couple of
microoptimizations left to do for gmac.

(I'm only benchmarking gmac; the encryption should be about the same as
AES in ECB or CTR mode, which is roughly 17 cycles/byte on the same
hardware).

Now the question is if it's a good tradeoff to expand the key to a 4 KB
table.

BTW, I hadn't noticed before that sha512 is faster per byte than sha256.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
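
The 8-bit-table approach discussed in the message above, as an added example that is not code from this thread or from Nettle: GHASH (the hash underlying gmac) with the key H expanded to 256 precomputed 16-byte multiples, which is the 4 KB table in question. The names `blk`, `ghash_key`, `ghash_set_key`, `gf_mul_table` and `ghash`, and the separate key-independent reduction table `red`, are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* 128-bit GHASH element; GCM's bit 0 is the most significant bit of hi. */
typedef struct { uint64_t hi, lo; } blk;
/* Expanded key: t[b] = (byte b as a polynomial) * H, 256 * 16 B = 4 KB. */
typedef struct { blk t[256]; uint16_t red[256]; } ghash_key;
static blk bxor(blk a, blk b) { return (blk){ a.hi ^ b.hi, a.lo ^ b.lo }; }
static blk load(const uint8_t *p) {
    blk b = {0, 0};
    for (int i = 0; i < 8; i++) { b.hi = (b.hi << 8) | p[i]; b.lo = (b.lo << 8) | p[i + 8]; }
    return b;
}
/* Multiply by x: shift right one bit and fold in R = 0xE1 || 0^120. */
static blk mulx(blk b) {
    uint64_t carry = b.lo & 1;
    b.lo = (b.lo >> 1) | (b.hi << 63);
    b.hi = (b.hi >> 1) ^ (carry ? 0xE1ULL << 56 : 0);
    return b;
}
void ghash_set_key(ghash_key *k, const uint8_t h[16]) {
    memset(k, 0, sizeof *k);
    k->t[0x80] = load(h);                      /* byte 0x80 is the polynomial 1 */
    for (int i = 0x40; i; i >>= 1) k->t[i] = mulx(k->t[i << 1]);
    for (int i = 2; i < 256; i <<= 1)          /* remaining entries by linearity */
        for (int j = 1; j < i; j++) k->t[i + j] = bxor(k->t[i], k->t[j]);
    for (int b = 0; b < 256; b++) {            /* key-independent fold for a shifted-out byte */
        blk r = {0, (uint64_t)b};
        for (int i = 0; i < 8; i++) r = mulx(r);
        k->red[b] = (uint16_t)(r.hi >> 48);
    }
}
/* x * H with one 16-byte lookup per input byte (Horner over bytes 15..0). */
blk gf_mul_table(const ghash_key *k, blk x) {
    blk z = {0, 0};
    for (int i = 15; i >= 0; i--) {
        unsigned b = (i < 8 ? x.hi >> (56 - 8 * i) : x.lo >> (120 - 8 * i)) & 0xff;
        uint64_t fold = (uint64_t)k->red[z.lo & 0xff] << 48;   /* z *= x^8 */
        z.lo = ((z.lo >> 8) | (z.hi << 56)) ^ k->t[b].lo;
        z.hi = (z.hi >> 8) ^ fold ^ k->t[b].hi;
    }
    return z;
}
/* GHASH over whole 16-byte blocks: Y_i = (Y_{i-1} ^ X_i) * H. */
blk ghash(const ghash_key *k, const uint8_t *data, size_t nblocks) {
    blk y = {0, 0};
    for (size_t n = 0; n < nblocks; n++)
        y = gf_mul_table(k, bxor(y, load(data + 16 * n)));
    return y;
}
```

The lookups into `t` are indexed by the running hash state, so memory access is data-dependent; that cache-timing exposure belongs in the tradeoff alongside the 4 KB per key.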