Simon Josefsson simon@josefsson.org writes:
Please find attached a port of DJB's public domain code for Salsa20 to nettle. The patch is not meant to be applied as-is but to start a discussion.
Nevertheless, I have now committed salsa20.[ch] and the testcase, postponing remaining work for later. ;-)
Needed:
* Support in nettle-benchmark in some way (can probably get away with a stupid nettle_cipher setting the iv to some fixed value).
* A bit of cleanup of the code.
* Try optimization of the C code for 64-bit machines. One ought to be able to do two column or row operations in parallel by putting two salsa20 words into a uint64_t variable. May need some tricks to avoid carry propagation between the words, but I suspect it may be a win due to lower register pressure. A bit similar to the HAVE_NATIVE_64_BIT in camellia-crypt-internal.c.
* Try an sse2 assembly implementation (djb's papers outline how to do that). Or copy some existing implementation.
* Documentation.
As for the salsa20_* interface:
* It would be possible to change the interface to not expose the block size, doing a little buffering instead. But I think it's better to not do that, and follow what the ctr code and gcm code does.
* One advertised feature of the cipher is random access. I think we should have something like a salsa20_set_pos, taking a block count as argument.
Regards, /Niels
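As an added illustration of the two interface points raised above (keeping the 64-byte block size visible with no internal buffering, as the ctr and gcm code does, and random access via a `salsa20_set_pos` that takes a block count), here is a self-contained Salsa20/20 in C. This is example code written for this page, not nettle's salsa20.[ch] and not DJB's reference code; the names `salsa20_set_key`, `salsa20_set_iv` and `salsa20_crypt` only follow the `salsa20_*` naming discussed above, and `salsa20_set_pos(ctx, block)` is the hypothetical interface proposed in the message. It assumes the 32-byte-key layout ("expand 32-byte k" constants in words 0, 5, 10, 15; key in words 1-4 and 11-14; nonce in 6-7; 64-bit block counter in 8-9). The key, nonce and message in the check function are constructed, not published test vectors.

```c
/* Example Salsa20/20 with a block-count seek. Not nettle's code; interface
 * names are illustrative. 256-bit key, 64-bit nonce, 64-bit block counter. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SALSA20_BLOCK_SIZE 64

struct salsa20_ctx {
    uint32_t input[16];   /* constants, key, nonce and block counter, as 16 LE words */
};

static uint32_t rotl32(uint32_t x, int c) { return (x << c) | (x >> (32 - c)); }

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* quarterround(y0,y1,y2,y3) from the Salsa20 spec, applied in place. */
#define QR(a, b, c, d) do {      \
    b ^= rotl32(a + d, 7);       \
    c ^= rotl32(b + a, 9);       \
    d ^= rotl32(c + b, 13);      \
    a ^= rotl32(d + c, 18);      \
} while (0)

/* 20 rounds = 10 double rounds (column round then row round), in place. */
static void salsa20_rounds(uint32_t x[16]) {
    for (int r = 0; r < 20; r += 2) {
        QR(x[ 0], x[ 4], x[ 8], x[12]);  QR(x[ 5], x[ 9], x[13], x[ 1]);   /* columns */
        QR(x[10], x[14], x[ 2], x[ 6]);  QR(x[15], x[ 3], x[ 7], x[11]);
        QR(x[ 0], x[ 1], x[ 2], x[ 3]);  QR(x[ 5], x[ 6], x[ 7], x[ 4]);   /* rows */
        QR(x[10], x[11], x[ 8], x[ 9]);  QR(x[15], x[12], x[13], x[14]);
    }
}

/* The Salsa20 "hash": 64 bytes in, 64 bytes out (rounds, then add the input back). */
void salsa20_core(uint8_t out[64], const uint8_t in[64]) {
    uint32_t x[16], j[16];
    for (int i = 0; i < 16; i++) x[i] = j[i] = le32(in + 4 * i);
    salsa20_rounds(x);
    for (int i = 0; i < 16; i++) put_le32(out + 4 * i, x[i] + j[i]);
}

void salsa20_set_key(struct salsa20_ctx *ctx, const uint8_t key[32]) {
    /* "expand 32-byte k" as little-endian words */
    ctx->input[0] = 0x61707865; ctx->input[5] = 0x3320646e;
    ctx->input[10] = 0x79622d32; ctx->input[15] = 0x6b206574;
    for (int i = 0; i < 4; i++) {
        ctx->input[1 + i] = le32(key + 4 * i);
        ctx->input[11 + i] = le32(key + 16 + 4 * i);
    }
    ctx->input[6] = ctx->input[7] = ctx->input[8] = ctx->input[9] = 0;
}

void salsa20_set_iv(struct salsa20_ctx *ctx, const uint8_t iv[8]) {
    ctx->input[6] = le32(iv); ctx->input[7] = le32(iv + 4);
    ctx->input[8] = ctx->input[9] = 0;          /* new nonce: restart at block 0 */
}

/* Hypothetical random-access call: position the keystream at a 64-byte block index. */
void salsa20_set_pos(struct salsa20_ctx *ctx, uint64_t block) {
    ctx->input[8] = (uint32_t)block; ctx->input[9] = (uint32_t)(block >> 32);
}

/* One keystream block for the current counter, then advance the counter. */
void salsa20_next_block(struct salsa20_ctx *ctx, uint8_t out[SALSA20_BLOCK_SIZE]) {
    uint32_t x[16];
    memcpy(x, ctx->input, sizeof x);
    salsa20_rounds(x);
    for (int i = 0; i < 16; i++) put_le32(out + 4 * i, x[i] + ctx->input[i]);
    if (++ctx->input[8] == 0) ctx->input[9]++;
}

/* ctr-style: no buffering, so only the final call may pass a partial block. */
void salsa20_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) {
    uint8_t ks[SALSA20_BLOCK_SIZE];
    while (length) {
        size_t n = length < SALSA20_BLOCK_SIZE ? length : SALSA20_BLOCK_SIZE;
        salsa20_next_block(ctx, ks);
        for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ ks[i];
        dst += n; src += n; length -= n;
    }
}

/* Check 1: the core maps the all-zero block to the all-zero block (spec example). */
int salsa20_core_zero_is_zero(void) {
    uint8_t in[64] = {0}, out[64];
    salsa20_core(out, in);
    for (int i = 0; i < 64; i++) if (out[i]) return 0;
    return 1;
}

/* Check 2: seeking to block 2 reproduces the sequentially generated block 2,
 * and encrypt/decrypt from block 0 round-trips. Inputs are constructed. */
int salsa20_random_access_ok(void) {
    uint8_t key[32], iv[8], msg[200], ct[200], pt[200], seq[256], one[64];
    struct salsa20_ctx ctx;
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 8; i++) iv[i] = (uint8_t)(0xA0 + i);
    for (int i = 0; i < 200; i++) msg[i] = (uint8_t)(i * 7);
    salsa20_set_key(&ctx, key);
    salsa20_set_iv(&ctx, iv);
    for (int b = 0; b < 4; b++) salsa20_next_block(&ctx, seq + 64 * b);
    salsa20_set_pos(&ctx, 2);
    salsa20_next_block(&ctx, one);
    if (memcmp(one, seq + 128, 64) != 0) return 0;     /* seek must match sequential */
    if (memcmp(seq + 128, seq + 192, 64) == 0) return 0; /* counter must matter */
    salsa20_set_pos(&ctx, 0);
    salsa20_crypt(&ctx, 200, ct, msg);
    salsa20_set_pos(&ctx, 0);
    salsa20_crypt(&ctx, 200, pt, ct);
    if (memcmp(pt, msg, 200) != 0) return 0;
    for (int i = 0; i < 200; i++) if (ct[i] != (uint8_t)(msg[i] ^ seq[i])) return 0;
    return 1;
}
```

Because `salsa20_set_pos` counts blocks rather than bytes, seeking to byte offset `b` means `salsa20_set_pos(ctx, b / 64)` followed by discarding `b % 64` keystream bytes, which this example leaves to the caller; that is the price of not buffering inside the context, and it is the same trade-off the ctr code makes.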