> Use aesenclast to do key expansion for AES-256 rather than aeskeygenassist.
>
> Shay Gueron gives the technique in his AES-NI whitepaper; I
> discovered, after implementing my own version (and looking for places
> to patch), that he and Vlad Krasnov had already implemented this
> technique in NSS.
>
> Relative speedup (key expansion microbenchmark): 1.9x
>
> Relative speedup, AES-256-GCM seal of 16B messages (BoringSSL
> tool/bssl speed): 1.17x
>
> This can obviously be extended to other key-lengths; but since I don't
> think people should be using AES-128, and no one uses AES-192, I see
> little point in doing so.

I actually have an improved implementation (well, it's not actually a *lot* better, can't be made a *lot* better because of aesenclast latency, but it should get better on processors with lower latency) for all key lengths. The trouble with this approach is that it's *not* faster on processors other than contemporary i[57]-*; especially on Silvermont it's a lot slower. One can still argue that the improvement on i[57]-* outweighs the losses on others. A reasonable compromise for today can be to detect AVX capability so that Westmere and Silvermont are exempted.

The bottom line is that the specific submission is dismissed, and as there is interest I can proceed with committing my code.
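
The following is an added illustration, not code from the submitted patch, OpenSSL, BoringSSL or NSS. It is a portable software model of why aesenclast can replace aeskeygenassist in the AES-256 key schedule: when a word is broadcast into all four columns, ShiftRows changes nothing, so the instruction yields SubWord, with the round constant folded in as the "round key". The byte layout, the helper names and the shuffle-as-loop are assumptions of this model; real code uses pshufb and the AES-NI instruction.

```c
#include <stdint.h>
#include <string.h>
static uint8_t sbox[256];
static uint8_t rotl8(uint8_t x, int s) { return (uint8_t)((x << s) | (x >> (8 - s))); }
/* Build the AES S-box from GF(2^8) inverses and the affine map. */
static void init_sbox(void) {
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));  /* p *= 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        if (q & 0x80) q ^= 0x09;                                /* q /= 3, so q = 1/p */
        sbox[p] = (uint8_t)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;
}
/* Model of AESENCLAST: ShiftRows, SubBytes, XOR round key. Byte 4*c + r is row r, column c. */
static void aesenclast_model(uint8_t out[16], const uint8_t st[16], const uint8_t rk[16]) {
    for (int c = 0; c < 4; c++)
        for (int r = 0; r < 4; r++)
            out[4 * c + r] = sbox[st[4 * ((c + r) % 4) + r]] ^ rk[4 * c + r];
}
/* Broadcast the (optionally rotated) word into every column, which is the shuffle
   step; each row is then constant, so column 0 of the result is SubWord(t) ^ rcon. */
static void sub_word(uint8_t t[4], int rot, uint8_t rcon) {
    uint8_t st[16], rk[16] = {0}, out[16];
    for (int c = 0; c < 4; c++) {
        for (int r = 0; r < 4; r++) st[4 * c + r] = t[(r + rot) % 4];
        rk[4 * c] = rcon;
    }
    aesenclast_model(out, st, rk);
    memcpy(t, out, 4);
}
/* AES-256 key schedule per FIPS-197: 60 words stored as 240 bytes in w. */
void aes256_expand(uint8_t w[240], const uint8_t key[32]) {
    uint8_t rcon = 1, t[4];
    init_sbox();
    memcpy(w, key, 32);
    for (int i = 8; i < 60; i++) {
        memcpy(t, w + 4 * (i - 1), 4);
        if (i % 8 == 0) { sub_word(t, 1, rcon); rcon = (uint8_t)(rcon << 1); }
        else if (i % 8 == 4) sub_word(t, 0, 0);
        for (int j = 0; j < 4; j++) w[4 * i + j] = w[4 * (i - 8) + j] ^ t[j];
    }
}
/* Example key from FIPS-197 Appendix A.3. */
static const uint8_t FIPS_A3_KEY[32] = {
    0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
    0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
/* Exit status 0 when word 8 of the schedule matches the FIPS-197 value 9ba35411. */
int main(void) { uint8_t w[240]; aes256_expand(w, FIPS_A3_KEY); return memcmp(w + 32, "\x9b\xa3\x54\x11", 4) != 0; }
```

The model says nothing about speed; the latency trade-off discussed in the reply only shows up with the real instructions on the processors named there.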