"Yuriy M. Kaminskiy" <yum...@gmail.com> writes: > From fa19a36985b7554517e9122b4cd193cd1a9c4f0e Mon Sep 17 00:00:00 2001 > From: "Yuriy M. Kaminskiy" <yum...@gmail.com> > Date: Sun, 10 Mar 2019 11:08:46 +0300 > Subject: [PATCH] Add fast constant-time ARM NEON ghash/gcm > > Based on code from > https://conradoplg.cryptoland.net/software/ecc-and-ae-for-arm-neon/ > and > https://hal.inria.fr/hal-01506572 > Note: arm->neon is fast, neon->arm slow, so we delay bitreverse > (performed in arm) as much as possible and keep ctx->x and ctx->key > bitreversed.
Thanks! I think I looked at the paper at some point, and it's clever. Some initial comments.

Regarding bit-reversal, I think carryless multiplication is symmetric under bit-reversal (reversing the two 8-bit inputs corresponds to bit-reversal of the 15-bit product), so unless input and output for some reason use different bit order, I hope it should be possible to do any needed bit reversal at key setup only.

> +.macro MUL64k3t4 rq rl rh ad bd k16 k32 k48 t0q t0l t0h t1q t1l t1h t2q t2l
> t2h t3q t3l t3h

Could you do these as m4 macros, like in the rest of the Nettle asm code?

Regards,
/Niels

--
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.

_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
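Review bot: `.macro MUL64k3t4` takes 19 positional register arguments, which makes every call site hard to read and easy to get wrong. The four `tNq tNl tNh` triples are redundant: on ARM NEON the two halves of quad register qN are always d(2N) and d(2N+1), so one argument per temporary is enough and the d halves can be derived inside the macro. Since the rest of Nettle's assembly is written with m4 rather than gas `.macro`, rewriting it as an m4 macro would also give a natural place for that derivation.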