"Yuriy M. Kaminskiy" yumkam@gmail.com writes:
From fa19a36985b7554517e9122b4cd193cd1a9c4f0e Mon Sep 17 00:00:00 2001
From: "Yuriy M. Kaminskiy" yumkam@gmail.com
Date: Sun, 10 Mar 2019 11:08:46 +0300
Subject: [PATCH] Add fast constant-time ARM NEON ghash/gcm
Based on code from https://conradoplg.cryptoland.net/software/ecc-and-ae-for-arm-neon/
and https://hal.inria.fr/hal-01506572

Note: arm->neon is fast, neon->arm slow, so we delay bitreverse (performed
in arm) as much as possible and keep ctx->x and ctx->key bitreversed.
Thanks! I think I looked at the paper at some point, and it's clever. Some initial comments.
Regarding bit-reversal, I think carryless multiplication is symmetric under bit-reversal (reversing the two 8-bit inputs corresponds to bit-reversal of the 15-bit product), so unless input and output for some reason use different bit order, I hope it should be possible to do any needed bit reversal at key-setup only.
+.macro MUL64k3t4 rq rl rh ad bd k16 k32 k48 t0q t0l t0h t1q t1l t1h t2q t2l t2h t3q t3l t3h
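Review bot: the macro takes 20 register parameters, with every NEON q register spelled out together with its low and high d halves (rq rl rh, t0q t0l t0h, ... t3q t3l t3h); since the halves of qN are always d2N and d2N+1, deriving them inside the macro would shrink the argument list to the q registers plus the ad/bd/k16/k32/k48 operands and rule out a call site passing a mismatched triple. An m4 macro, as used in the rest of the Nettle asm, can do that derivation with simple arithmetic on the register number.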
Could you do these as m4 macros, like in the rest of the Nettle asm code?
Regards, /Niels
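The symmetry Niels describes, and its consequence for the GCM multiply, as an added Python example (this is not code from the thread, from the patch, or from Nettle): it exhaustively checks that carry-less multiplication of the bit-reversed 8-bit inputs gives the 15-bit product bit-reversed, then computes the GCM block product three ways: the reflected algorithm of NIST SP 800-38D, ordinary polynomial arithmetic on bit-reversed operands, and a mirrored reduction that never reverses the data. The function names and the fold constants are this example's own; only the field polynomial and the reflected algorithm come from the GCM specification.

```python
"""Carry-less multiplication under bit reversal, and GHASH in both orders.

Added example for this thread; not code from Nettle or from the proposed
patch.  Function names and the fold constants in gcm_mult_no_reversal are
this example's own; the field polynomial x^128 + x^7 + x^2 + x + 1 and the
reflected multiply are from NIST SP 800-38D.
"""
import random

MASK128 = (1 << 128) - 1
R_REFLECTED = 0xE1 << 120          # SP 800-38D: R = 11100001 || 0^120
POLY_NATURAL = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1, msb-first


def clmul(a: int, b: int) -> int:
    """Carry-less (GF(2)[x]) product of two non-negative integers."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        b >>= 1
    return p


def bitrev(x: int, n: int) -> int:
    """Reverse x within an n-bit field (x must fit in n bits)."""
    assert 0 <= x < (1 << n)
    return int(f"{x:0{n}b}"[::-1], 2)


def reversal_symmetry_holds(n: int = 8) -> bool:
    """Exhaustive check: clmul(rev_n(a), rev_n(b)) == rev_(2n-1)(clmul(a, b)).

    For n = 8 this is exactly the '8-bit inputs / 15-bit product' statement."""
    w = 2 * n - 1
    return all(
        clmul(bitrev(a, n), bitrev(b, n)) == bitrev(clmul(a, b), w)
        for a in range(1 << n) for b in range(1 << n)
    )


def gcm_mult_reflected(x: int, y: int) -> int:
    """Algorithm 1 of SP 800-38D.  Bit 127 of the integer is the block's
    leftmost bit, which GCM treats as the coefficient of x^0."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R_REFLECTED if v & 1 else v >> 1
    return z


def reduce_natural(p: int) -> int:
    """Reduce a product of degree < 255 modulo POLY_NATURAL, high bits first."""
    for i in range(254, 127, -1):
        if (p >> i) & 1:
            p ^= POLY_NATURAL << (i - 128)
    return p


def gcm_mult_natural(x: int, y: int) -> int:
    """Same product via natural polynomial order: reverse both operands,
    multiply, reduce, and reverse the result back."""
    p = clmul(bitrev(x, 128), bitrev(y, 128))
    return bitrev(reduce_natural(p), 128)


def gcm_mult_no_reversal(x: int, y: int) -> int:
    """Same product with no bit reversal at all.  By the symmetry above, the
    255-bit carry-less product of the reflected operands is the reflected
    product: bits 127..254 hold the result and bits 0..126 must be folded
    back in.  Bit i of the product is x^(254-i) in natural order, so folding
    it toggles bits i, i+121, i+126, i+127 and i+128 (the mirror image of
    (x^128 + x^7 + x^2 + x + 1) * x^(126-i))."""
    p = clmul(x, y)
    for i in range(127):
        if (p >> i) & 1:
            p ^= ((1 << i) | (1 << (i + 121)) | (1 << (i + 126))
                  | (1 << (i + 127)) | (1 << (i + 128)))
    return (p >> 127) & MASK128


def cross_check(trials: int = 200, seed: int = 1) -> bool:
    """All three formulations agree on random operands; the reflected
    identity element (leftmost bit set) acts as 1; the product commutes."""
    rng = random.Random(seed)
    one = 1 << 127
    for _ in range(trials):
        x, y = rng.getrandbits(128), rng.getrandbits(128)
        r = gcm_mult_reflected(x, y)
        if r != gcm_mult_natural(x, y) or r != gcm_mult_no_reversal(x, y):
            return False
        if gcm_mult_reflected(x, one) != x or gcm_mult_no_reversal(y, one) != y:
            return False
        if r != gcm_mult_reflected(y, x):
            return False
    return True


if __name__ == "__main__":
    print("8-bit clmul symmetric under bit reversal:", reversal_symmetry_holds(8))
    print("GHASH formulations agree:", cross_check())
```

The third formulation is what makes the remark concrete: once the reduction is written for the reflected order, neither the data blocks nor the accumulator need a bit reversal on the hot path, so any reversal (or pre-shift of the key) can be confined to key setup, if it is needed at all.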