Nikos Mavrogiannopoulos nmav@gnutls.org writes:
> On Tue, 2015-01-27 at 22:53 +0100, Niels Möller wrote:
>> Nikos Mavrogiannopoulos nmav@gnutls.org writes:
>>> About the release... Since you added the fat, would it include AESNI+PCLMUL?
>> AESNI is in. If you have the time, it would be interesting if you could benchmark it against the gnutls code. The nettle implementation is pretty basic, maybe it could be sped up a bit by unrolling or by caching subkeys in registers.
> Currently the numbers I get with the current implementation:
>
> $ ./gnutls-cli --benchmark-ciphers
> AES-128-CBC-SHA1 0.41 GB/sec
> AES-128-CBC-SHA256 0.27 GB/sec
> AES-128-GCM 3.02 GB/sec
>
> If I use nettle's only:
>
> $ GNUTLS_CPUID_OVERRIDE=0x1 ./gnutls-cli --benchmark-ciphers
> AES-128-CBC-SHA1 0.29 GB/sec
> AES-128-CBC-SHA256 188.68 MB/sec
> AES-128-GCM 0.29 GB/sec
>
> (I verified that nettle detects aesni)
Ok, so it's a factor 1.4 for the first two. And even with aesni, it seems aes is a lot of work compared to the sha1 or sha256 mac ("-SHA1" means HMAC-SHA1, right?).
> Unrelated but I realized that I also have overrides for non-AESNI systems which use this implementation by Mike Hamburg: https://github.com/openssl/openssl/blob/e0fc7961c4fbd27577fb519d9aea2dc78874...
> This takes advantage of SSSE3 and is faster while being constant time as well.
Constant time definitely is a good feature. Impressive that it can be done *and* be faster.
Regards, /Niels
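To put the two benchmark runs quoted in this thread on a common footing (the nettle-only run reports one figure in MB/sec, the rest in GB/sec), here is an added Python example that is not part of the thread or of the nettle or gnutls projects: it parses the `gnutls-cli --benchmark-ciphers` output format shown above and computes the per-cipher speedup of the AES-NI run over the `GNUTLS_CPUID_OVERRIDE=0x1` run. The two sample outputs are constructed from the figures quoted in the thread, and the line format `NAME RATE UNIT` is an assumption based on those lines.

```python
import re
from typing import Dict

# Constructed sample outputs, one line per cipher, using the figures
# quoted in the thread (assumed format: NAME RATE UNIT).
WITH_AESNI = """\
AES-128-CBC-SHA1 0.41 GB/sec
AES-128-CBC-SHA256 0.27 GB/sec
AES-128-GCM 3.02 GB/sec
"""
NETTLE_ONLY = """\
AES-128-CBC-SHA1 0.29 GB/sec
AES-128-CBC-SHA256 188.68 MB/sec
AES-128-GCM 0.29 GB/sec
"""

_UNIT_TO_MB = {"MB/sec": 1.0, "GB/sec": 1000.0}
_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<rate>[\d.]+)\s+(?P<unit>[GM]B/sec)$")


def parse_benchmark(text: str) -> Dict[str, float]:
    """Map cipher name -> throughput in MB/sec, normalising the unit."""
    rates: Dict[str, float] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip blank or non-benchmark lines
        rates[m["name"]] = float(m["rate"]) * _UNIT_TO_MB[m["unit"]]
    return rates


def speedup(accelerated: Dict[str, float], baseline: Dict[str, float]) -> Dict[str, float]:
    """Ratio accelerated/baseline per cipher present in both runs, 2 decimals."""
    return {c: round(accelerated[c] / baseline[c], 2)
            for c in accelerated if c in baseline}


if __name__ == "__main__":
    ratios = speedup(parse_benchmark(WITH_AESNI), parse_benchmark(NETTLE_ONLY))
    for cipher, factor in ratios.items():
        print(f"{cipher:22s} {factor:6.2f}x")
```

Fed the captured output of the two commands, a ratio close to 1 for AES-GCM is a quick way to spot that the accelerated path is not actually being selected despite the CPU supporting it.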