On Thu, Apr 1, 2021 at 7:57 AM Niels Möller wrote:
> For GCM, are there instructions that combine AES-CTR and GCM HASH? Or
> are those done separately? It would be nice to have GCM HASH being fast
> by itself, for performance with other ciphers than aes.
>
MSA_X4 has a GHASH implementation

ni...@lysator.liu.se (Niels Möller) writes:
> (iii) I've considered doing it earlier, to make it easier to implement
> aes without a round loop (like for all current versions of
> aes-encrypt-internal.*). E.g., on x86_64, for aes128 we could load
> all subkeys into registers and