nisse@lysator.liu.se (Niels Möller) writes:
> I'm considering reorganizing the internal gcm functions. I think I'd like to have
> void _nettle_ghash_set_key (struct gcm_key *gcm, const union nettle_block16 *key);
> which sets the key (typically, the key block is zero encrypted using aes).
> void _nettle_ghash_update (const struct gcm_key *key, union nettle_block16 *x, size_t length, const uint8_t *data);
> where the input is complete blocks (padding done in the calling C code). Not sure if length should be block count or byte count.
I'm trying this out, on the branch ghash-refactor, new internal interface in https://git.lysator.liu.se/nettle/nettle/-/blob/ghash-refactor/ghash-interna...
I settled for block count rather than byte count.
> void _nettle_ghash_digest (union nettle_block16 *digest, const union nettle_block16 *x);
And I've dropped this function. Using different byte order complicates unit testing, and I think the cost of byteswapping the 16-byte state at start and end of ghash_update is pretty small.
I've done the needed changes for the C, the x86_64, arm64 and powerpc64 implementations. s390x code also needs update, I hope to get to that in a few days (unless someone else wants to do that).
Update has been fairly simple, split gcm_hash.asm into one file each for gcm_init_key and gcm_hash, update functions to new names and conventions, and delete the code to handle a partial block at the end of gcm_hash. Some small further simplifications are likely possible.
> Would perhaps be good to also delete the code for GCM_TABLE_BITS != 8, which isn't enabled and hasn't been tested in years.
Done that too.
The main gain is less complexity in the asm code, which no longer needs to deal with partial blocks, and less #ifdef complexity in the fat build setup.
Regards, /Niels
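As an added illustration (not nettle's code), here is a small reference-style GHASH in C with the interface shape discussed above: key setup stores H, update takes only complete blocks counted in blocks, and the calling code does the zero-padding and the length block. The names ghash_key, ghash_set_key, ghash_update, ghash_absorb and ghash_aad_ct are hypothetical stand-ins for the internal nettle functions, and it uses the slow bitwise multiply of the GCM specification rather than tables.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical reference-style GHASH in the interface shape discussed above: set_key
   stores H, update takes complete 16-byte blocks counted in blocks, and the caller pads. */
struct ghash_key { uint8_t h[16]; };

/* z = x * y in GF(2^128), GCM bit order (bit 0 is the MSB of byte 0), bitwise method. */
static void gf128_mul(uint8_t z[16], const uint8_t x[16], const uint8_t y[16])
{
  uint8_t v[16], r[16] = {0};
  memcpy(v, y, 16);
  for (int i = 0; i < 128; i++) {
    if (x[i / 8] & (0x80 >> (i % 8)))
      for (int j = 0; j < 16; j++) r[j] ^= v[j];
    int lsb = v[15] & 1;                           /* bit 127 of V, about to be shifted out */
    for (int j = 15; j > 0; j--) v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
    v[0] >>= 1;
    if (lsb) v[0] ^= 0xe1;                         /* reduce modulo x^128 + x^7 + x^2 + x + 1 */
  }
  memcpy(z, r, 16);
}
void ghash_set_key(struct ghash_key *key, const uint8_t h[16]) { memcpy(key->h, h, 16); }

/* Absorb nblocks complete blocks: x = (x ^ block) * H for each one. No partial-block path. */
void ghash_update(const struct ghash_key *key, uint8_t x[16], size_t nblocks, const uint8_t *data)
{
  for (size_t b = 0; b < nblocks; b++, data += 16) {
    for (int j = 0; j < 16; j++) x[j] ^= data[j];
    gf128_mul(x, x, key->h);
  }
}
/* Caller side: whole blocks go straight in; a partial tail is zero-padded to a full block. */
static void ghash_absorb(const struct ghash_key *key, uint8_t x[16], const uint8_t *data, size_t len)
{
  uint8_t last[16] = {0};
  ghash_update(key, x, len / 16, data);
  if (len % 16) { memcpy(last, data + len - len % 16, len % 16); ghash_update(key, x, 1, last); }
}

/* GHASH(H, A, C) as used for the GCM tag: padded A, padded C, then the 64-bit bit lengths. */
void ghash_aad_ct(const struct ghash_key *key, const uint8_t *aad, size_t alen,
                  const uint8_t *ct, size_t clen, uint8_t out[16])
{
  uint8_t x[16] = {0}, lens[16];
  ghash_absorb(key, x, aad, alen);
  ghash_absorb(key, x, ct, clen);
  for (int j = 0; j < 8; j++) {                    /* big-endian bit counts, A then C */
    lens[j] = (uint8_t)(((uint64_t)alen * 8) >> (56 - 8 * j));
    lens[8 + j] = (uint8_t)(((uint64_t)clen * 8) >> (56 - 8 * j));
  }
  ghash_update(key, x, 1, lens);
  memcpy(out, x, 16);
}
```

The check below uses the H, C and GHASH(H, A, C) values of GCM specification test case 2 (AES-128 with all-zero key, IV and plaintext, empty AAD).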