I wonder if there's some practical way to implement ghash without table
lookups where indices are sensitive (since such lookups result in side
channel leakage).
I've tried a straight bitwise loop, which needs a precomputed table of
x^k H (mod P), but that table is accessed purely
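The straight bitwise loop described above, written out as an added example (this is not nettle's code nor code from anyone in the thread; the names `gf128`, `gf128_mul` and `ghash` are my own). Each of the 128 steps does the same work: the running value H·x^k is advanced by one shift-and-reduce, and it is folded into the accumulator under an arithmetic mask derived from bit k of the other operand, so the only index anywhere is the public loop counter. The self-check uses GCM test case 2 from the McGrew-Viega specification (zero key, one all-zero plaintext block) plus two constructed operands for the algebraic checks.

```c
/* Constant-time GHASH over GF(2^128): fixed 128-step loop, no secret-indexed
 * memory access and no branch on secret data.  Added example, not nettle code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* GCM field element: spec bit 0 (leftmost bit of the block) is the MSB of hi,
 * spec bit 127 is the LSB of lo. */
typedef struct { uint64_t hi, lo; } gf128;

/* Reduction constant R = 11100001 || 0^120 (SP 800-38D, section 6.3). */
#define GF128_R_HI 0xE100000000000000ULL

static gf128 gf128_load(const uint8_t b[16])
{
    gf128 v = {0, 0};
    for (int i = 0; i < 8; i++) {
        v.hi = (v.hi << 8) | b[i];
        v.lo = (v.lo << 8) | b[8 + i];
    }
    return v;
}

static void gf128_store(uint8_t b[16], gf128 v)
{
    for (int i = 7; i >= 0; i--) {
        b[i] = (uint8_t)v.hi;     v.hi >>= 8;
        b[8 + i] = (uint8_t)v.lo; v.lo >>= 8;
    }
}

/* z = x * h.  v walks through h*x^0, h*x^1, ..., h*x^127: the "table" of
 * x^k H is produced step by step and never indexed by secret bits. */
static gf128 gf128_mul(gf128 x, gf128 h)
{
    gf128 z = {0, 0}, v = h;
    for (int k = 0; k < 128; k++) {
        uint64_t bit = k < 64 ? x.hi >> (63 - k) : x.lo >> (127 - k);
        uint64_t mask = 0 - (bit & 1);             /* all ones iff bit k set */
        z.hi ^= v.hi & mask;
        z.lo ^= v.lo & mask;
        uint64_t carry = 0 - (v.lo & 1);           /* reduce iff x^128 appears */
        v.lo = (v.lo >> 1) | (v.hi << 63);         /* v *= x */
        v.hi = (v.hi >> 1) ^ (GF128_R_HI & carry);
    }
    return z;
}

/* GHASH_H(A, C): zero-padded AAD blocks, then ciphertext blocks, then the
 * block [len(A)]64 || [len(C)]64 with lengths in bits. */
static void ghash(uint8_t out[16], const uint8_t hkey[16],
                  const uint8_t *a, size_t alen, const uint8_t *c, size_t clen)
{
    gf128 h = gf128_load(hkey), y = {0, 0};
    const uint8_t *in[2] = {a, c};
    size_t len[2] = {alen, clen};
    for (int s = 0; s < 2; s++)
        for (size_t off = 0; off < len[s]; off += 16) {
            uint8_t blk[16] = {0};
            size_t n = len[s] - off < 16 ? len[s] - off : 16;
            memcpy(blk, in[s] + off, n);
            gf128 b = gf128_load(blk);
            y.hi ^= b.hi; y.lo ^= b.lo;
            y = gf128_mul(y, h);
        }
    y.hi ^= (uint64_t)alen * 8;
    y.lo ^= (uint64_t)clen * 8;
    gf128_store(out, gf128_mul(y, h));
}

static unsigned nibble(char ch)
{
    return ch <= '9' ? (unsigned)(ch - '0') : (unsigned)((ch | 0x20) - 'a' + 10);
}

static void hex2bin(uint8_t *out, const char *hex, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(nibble(hex[2 * i]) << 4 | nibble(hex[2 * i + 1]));
}

/* Known answer: GCM test case 2 (zero key, one zero plaintext block), vectors
 * copied from the McGrew-Viega GCM specification.  Returns 1 on match. */
static int ghash_selftest(void)
{
    uint8_t h[16], c[16], want[16], got[16];
    hex2bin(h, "66e94bd4ef8a2c3b884cfa59ca342b2e", 16);      /* H = AES_K(0^128) */
    hex2bin(c, "0388dace60b6a392f328c2b971b2fe78", 16);      /* the ciphertext block */
    hex2bin(want, "f38cbb1ad69223dcc3457ae5b6b0f885", 16);   /* GHASH(H, {}, C) */
    ghash(got, h, NULL, 0, c, 16);
    return memcmp(got, want, 16) == 0;
}

/* Vector-free checks: 1 is the identity, x^127 * x reduces to R, and the
 * product commutes for two constructed operands.  Returns 1 if all hold. */
static int gf128_algebra_ok(void)
{
    const gf128 one = {0x8000000000000000ULL, 0}, xx = {0x4000000000000000ULL, 0};
    const gf128 x127 = {0, 1};
    const gf128 a = {0x0123456789abcdefULL, 0xfedcba9876543210ULL};   /* constructed */
    const gf128 b = {0xdeadbeefcafef00dULL, 0x0badc0de00c0ffeeULL};   /* constructed */
    gf128 r = gf128_mul(a, one);
    if (r.hi != a.hi || r.lo != a.lo) return 0;
    r = gf128_mul(x127, xx);
    if (r.hi != GF128_R_HI || r.lo != 0) return 0;
    gf128 ab = gf128_mul(a, b), ba = gf128_mul(b, a);
    return ab.hi == ba.hi && ab.lo == ba.lo;
}

int main(void)
{
    printf("algebra: %s, GCM test case 2: %s\n",
           gf128_algebra_ok() ? "ok" : "FAIL", ghash_selftest() ? "ok" : "FAIL");
    return 0;
}
```

The price of this layout is 128 shift-and-mask steps per block, which is why production code reaches for carry-less multiply instructions or table methods; the point here is only that the table approach's side channel comes from secret-indexed loads, and that the bitwise form avoids them without storing a table at all.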
Maamoun TK writes:
> Yes, this is exactly how I do it. Four messages arranged vertically in YMM
> registers.
Could you add comments explaining the register layout in a bit more
detail? From this, I take it you use 5 message registers, each one
holding 26 bits from each of 4 messages (in which
Maamoun TK writes:
> Thank you for merging the patch. There is a very tiny change that keeps
> itching me since I submitted the patch, the following PR
> https://git.lysator.liu.se/nettle/nettle/-/merge_requests/59 would scratch
> that itch.
Merged.
/Niels
--
Niels Möller. PGP key