nisse@lysator.liu.se (Niels Möller) writes:
> As I wrote, I'm working with poly1305.
I just pushed a poly1305 branch to the public repo. Includes the code contributed by Nikos, based on MIT-licensed code by Andrew M. (floodyberry), with some modifications, and an initial x86_64 implementation, which needs fixes to support the w64 abi, and better testing.
The C implementation runs at 5.4 cycles/byte, and the assembly code at 3 cycles/byte.
Some further changes I think I will do:
* Take out the nonce from struct poly1305_ctx, and let poly1305_aes do all nonce handling. poly1305_digest gets the encrypted nonce as argument.
* For poly1305_aes, use aes128_ctx (it's hard coded for 128-bit AES anyway), and perhaps rename it to poly1305_aes128.
* Introduce a poly1305_update function, and use preprocessor casting tricks to define poly1305_aes128_update (and any other poly1305_*_update) as an alias.
* Promote union gcm_block to a more general abstraction, renaming it to nettle_block16 or so, and use it to guarantee nicer alignment for block buffer and nonce in poly1305.
Regards, /Niels
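The proposed split (a nonce-free context, a streaming poly1305_update, and poly1305_digest taking the already encrypted nonce) illustrated in Python. This is an added example, not code from the Nettle repository or from the post above; the names Poly1305 and poly1305_mac are assumptions, and the test vector is the one published in RFC 8439.

```python
# Added illustration (not Nettle's code): Poly1305 with the nonce kept out of
# the context. The caller (e.g. a poly1305_aes128 wrapper) computes AES_k(nonce)
# itself and hands the encrypted nonce to digest(), as proposed above.

P = (1 << 130) - 5            # the Poly1305 prime 2^130 - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff   # standard clamping mask for r


class Poly1305:
    """Context holds only the clamped key r, the accumulator h and a partial block."""

    def __init__(self, r_bytes: bytes):
        assert len(r_bytes) == 16
        self.r = int.from_bytes(r_bytes, "little") & CLAMP
        self.h = 0
        self.buf = b""

    def _absorb(self, block: bytes) -> None:
        # Append the 0x01 pad byte (as a power of two) and run one multiply step.
        n = int.from_bytes(block, "little") | (1 << (8 * len(block)))
        self.h = ((self.h + n) * self.r) % P

    def update(self, data: bytes) -> "Poly1305":
        """Streaming interface: absorbs full 16-byte blocks, buffers the remainder."""
        self.buf += data
        while len(self.buf) >= 16:
            self._absorb(self.buf[:16])
            self.buf = self.buf[16:]
        return self

    def digest(self, encrypted_nonce: bytes) -> bytes:
        """Finalize: absorb any partial block, then add the 128-bit encrypted nonce."""
        assert len(encrypted_nonce) == 16
        if self.buf:
            self._absorb(self.buf)
            self.buf = b""
        s = int.from_bytes(encrypted_nonce, "little")
        return ((self.h + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def poly1305_mac(r_bytes: bytes, encrypted_nonce: bytes, msg: bytes) -> bytes:
    """One-shot wrapper; a Poly1305-AES layer would pass AES-128_k(nonce) here."""
    return Poly1305(r_bytes).update(msg).digest(encrypted_nonce)
```

Because the context never sees the nonce, the same Poly1305 core serves any encrypted-nonce scheme, and splitting the message across several update() calls yields the same tag as a single call.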