Ferenc Rakoczi wrote:
> Hi, Mark,
>
> I have two comments:
>
> 1. the en/decryption part of the GCM mode is plain old
> CTR en/decryption with counter_bits=32. Maybe it would be better
> to reuse the CTR code here.
Except that the code would process every block twice
in separate loops - once for CTR and again for the
authentication tag (gcm_mul()).
You suggestion would work well in cases where hardware can
accelerate all counter blocks in one shot.
> 2. the gcm_mul() function is called enough times to deserve a little
> optimization:
> a. You don't need the arrays, z[i+1] only depends on
> z[i] and v[i] and v[i+1] only depends on v[i], so
> as it is written right now, you can just get rid of the indexes
> and use a scalar z and v . (A really smart compiler could do
> this optimization for you, but I don't know whether ours is
> that smart or not).
> b. it is faster to right shift a 128-bit number v this way:
> v.b = (v.a<<63)|(v.b>>1);
> v.a = v.a>>1;
> c. as R.b = 0, you don't need the "v.b = v.b ^ R.b;" line
> d. you can save the "if (i < 64)" line if you decompose the for
> loop into two.
> e. when you want to do something in a loop based on whether
> the ith bit of a variable x is set, it is faster if you use
> for (i = 0; i<64; i++, x>>1) { if (x&1) {...} ... }
>
> Something like the following (not tested even for syntax...):
I should have thought more about optimization.
All of your suggestions have been gratefully accepted.
>
> {
> uinr64_t R = 0xe100000000000000ULL;
> struct aes_block z = { 0, 0 };
> struct aes_block v;
> uint64_t x;
> int i,j;
>
> x = ntohll(x_in[0]);
> v.a = ntohll(y[0]);
> v.b = ntohll(y[1]);
> for (j = 0; j < 2; j++) {
> x = ntohll(x_in[j]);
> for (i = 0; i < 64; i++, x>>1) {
for (i = 0; i < 64; i++, x <<= 1) {
> if ((x & 1ULL) {
if (x & 0x8000000000000000ULL) {
> z.a = z.a ^ v.a;
> z.b = z.b ^ v.b;
> }
> if (v.b & 1ULL) {
> v.b = (v.b >> 1) | (v.a <<63);
> v.a = (v.a >> 1) ^ R;
> } else {
> v.b = (v.b >> 1) | (v.a <<63);
> v.a = v.a >> 1;
> }
> }
> }
>
> res[0] = htonll(z.a);
> res[1] = htonll(z.b);
> }
>
> Ferenc
>
> On 10/17/08 22:13, mark powers wrote:
>> mark powers wrote:
>>
>>> Folks,
>>>
>>> I need a code review for
>>> 6260053 EF needs support for AES in GCM mode
>>>
>>> The webrev is at
>>> http://cr.opensolaris.org/~mcpowers/gcm/
>>>
>>> For reference, see
>>> csrc.nist.gov/publications/nistpubs/*800-38D*/SP-*800-38D*.pdf
>>>
>> csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
>>
>>
>>> Please reply with comments by October 30.
>>>
>>> Thanks.
>>>
>>> Mark
>>> _______________________________________________
>>> crypto-discuss mailing list
>>> crypto-discuss at opensolaris.org
>>> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss
>>>
>>
>>
>> _______________________________________________
>> crypto-discuss mailing list
>> crypto-discuss at opensolaris.org
>> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss
>>
