    crypto: arm64/ghash - add NEON accelerated fallback for 64-bit PMULL

    Ard Biesheuvel

    Implement a NEON fallback for systems that do support NEON but have
    no support for the optional 64x64->128 polynomial multiplication
    instruction that is part of the ARMv8 Crypto Extensions. It is based
    on the paper "Fast Software Polynomial Multiplication on ARM Processors
    Using the NEON Engine" by Danilo Camara, Conrado Gouvea, Julio Lopez and
    Ricardo Dahab (https://hal.inria.fr/hal-01506572), but has been reworked
    extensively for the AArch64 ISA.

    On a low-end core such as the Cortex-A53 found in the Raspberry Pi3, the
    NEON based implementation is 4x faster than the table based one, and
    is time invariant as well, making it less vulnerable to timing attacks.
    When combined with the bit-sliced NEON implementation of AES-CTR, the
    AES-GCM performance increases by 2x (from 58 to 29 cycles per byte).

    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
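
The idea behind the fallback, shown as an added example in portable C (not code from this commit or from the kernel): the 64x64->128 carryless product that GHASH needs is assembled from the 8-bit polynomial multiplies that baseline NEON provides, with no lookup table and no branch on operand bits. All function names are hypothetical, and the partial products are combined in plain schoolbook order rather than with the lane scheduling of the cited paper.

```c
#include <stdint.h>
#include <stdio.h>

struct clmul128 { uint64_t lo, hi; };  /* 128-bit product over GF(2) */

/* 8x8->16 carryless multiply, standing in for one 8-bit PMULL lane.
 * No table and no data-dependent branch: each bit of b becomes a mask. */
static uint16_t clmul8(uint8_t a, uint8_t b)
{
    uint16_t r = 0;
    for (int i = 0; i < 8; i++) {
        uint16_t mask = (uint16_t)(0u - ((b >> i) & 1u));
        r ^= (uint16_t)(((unsigned)a << i) & mask);
    }
    return r;
}

/* 64x64->128 from 64 byte-wise partial products (schoolbook order).
 * The branches below depend only on loop indices, never on a or b. */
static struct clmul128 clmul64_p8(uint64_t a, uint64_t b)
{
    struct clmul128 r = { 0, 0 };
    for (int i = 0; i < 8; i++)
        for (int j = 0; j < 8; j++) {
            uint64_t p = clmul8((uint8_t)(a >> (8 * i)), (uint8_t)(b >> (8 * j)));
            int s = 8 * (i + j);            /* bit offset, 0..112 */
            if (s < 64) r.lo ^= p << s;
            if (s == 56) r.hi ^= p >> 8;    /* spill across the 64-bit seam */
            if (s >= 64) r.hi ^= p << (s - 64);
        }
    return r;
}

/* Bit-serial reference, used only as a test oracle (it branches on b). */
static struct clmul128 clmul64_ref(uint64_t a, uint64_t b)
{
    struct clmul128 r = { 0, 0 };
    for (int i = 0; i < 64; i++)
        if ((b >> i) & 1) {
            r.lo ^= a << i;
            if (i) r.hi ^= a >> (64 - i);
        }
    return r;
}

int main(void)
{   /* constructed sample operands */
    uint64_t a = 0x0123456789abcdefULL, b = 0xfedcba9876543210ULL;
    struct clmul128 p = clmul64_p8(a, b), q = clmul64_ref(a, b);
    printf("%016llx%016llx %s\n", (unsigned long long)p.hi, (unsigned long long)p.lo,
           (p.lo == q.lo && p.hi == q.hi) ? "ok" : "MISMATCH");
}
```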
