> -----Original Message-----
> From: Andy Polyakov [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 17, 2001 6:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Rijndael patch
First, Andy, thanks for the thorough feedback. The code was arrived
at after several rounds with the compiler, disassembler, and
testing on various platforms. You are correct, however, in that my
testing was limited to IA systems and I should do some validation
on non-IA.
> The proposed code (hereafter referring to the *core* en-/decryption
> routines found at the URL above) is byte-order dependent and will fail
> on all big-endians.
It is certainly possible that I've done things wrong for
big endian. Let me verify.
> and produces the correct result on all platforms at the nominal cost (I
> estimate at most 5% across all platforms) of collecting 32-bit values
> with 4 byte-loads and accompanying shift and or operations
> (or a couple of rotates and or if compiled with Microsoft C).
"Well, I estimate the new implementation will do better than 5%." :)
You know, given the complexity of modern architectures and
this algorithm, it's difficult to say without actually doing
the benchmarking. My submission was based on Brian Gladman's
implementation and he's done fairly extensive testing with the
original Rijmen code (the one that is now in OpenSSL).
http://www.gladman.uk.net/
Perhaps I'll produce some actual numbers using OpenSSL and
both implementations to prove my case.
> The proposed code is IA-32 specific as IA-32 is the only platform immune
> to misaligned memory references.
I don't believe this is true, but I'd be happy to see a
specific example. I'm doing memcpy's into aligned buffers
before doing any 32-bit accesses. The tables are all
unsigned long[] so the contents will be 32-bit aligned.
> I also wondered if one
> really has to spend a whole page (of 4K) on those tables. I mean one can
> instead have a single 1K table and perform rotation at run-time as there
> might be enough time while waiting for data to become available.
Those rotations at runtime are very costly. See Brian Gladman's
numbers to confirm that. Or, simply look at the existing
implementation. Rijmen is doing the exact same thing.
-Andy
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
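
The two points argued in this thread, as an added C sketch (not code from either poster, from Brian Gladman, or from OpenSSL). A word assembled from four byte loads has the same value on any host, while memcpy into an aligned word fixes alignment but not byte order; and the three extra lookup tables are byte rotations of the first, so they can be stored (4K) or derived at run time (1K). All function names are hypothetical, and the (2s, s, s, 3s) entry layout is an assumption taken from the standard AES MixColumns coefficients.

```c
#include <stdint.h>
#include <string.h>

/* Byte-order independent: four byte loads combined with shift/or.
 * Works for any alignment of p and on any host. */
static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Alignment-safe via memcpy, but the value depends on host byte order. */
static uint32_t load_native32(const unsigned char *p)
{
    uint32_t w;
    memcpy(&w, p, sizeof w);
    return w;
}

static int host_is_little_endian(void)
{
    const uint32_t one = 1;
    return *(const unsigned char *)&one == 1;
}

static uint32_t bswap32(uint32_t w)
{
    return (w >> 24) | ((w >> 8) & 0xff00u) | ((w << 8) & 0xff0000u) | (w << 24);
}

/* Rotate right; n must be in 1..31. */
static uint32_t rotr32(uint32_t w, unsigned n) { return (w >> n) | (w << (32 - n)); }

/* GF(2^8) doubling modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t xtime(uint8_t b) { return (uint8_t)((b << 1) ^ ((b & 0x80) ? 0x1b : 0x00)); }

/* Table-0 entry for S-box output s: bytes (2s, s, s, 3s), MSB first. */
static uint32_t te0_entry(uint8_t s)
{
    uint8_t s2 = xtime(s);
    return ((uint32_t)s2 << 24) | ((uint32_t)s << 16) |
           ((uint32_t)s << 8) | (uint32_t)(s2 ^ s);
}

/* Tables 1..3 derived at run time from table 0 instead of stored. */
static uint32_t te_entry(unsigned k, uint8_t s)
{
    uint32_t t = te0_entry(s);
    return k ? rotr32(t, 8 * k) : t;
}
```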