FYI: fast gcm/ghash for arm neon
Jussi Kivilinna
jussi.kivilinna at iki.fi
Mon Mar 11 18:13:20 CET 2019
On 11.3.2019 19.05, Jussi Kivilinna wrote:
> Hello,
>
> On 10.3.2019 10.38, Yuriy M. Kaminskiy wrote:
>> Currently ghash/gcm performance on arm in both gcrypt and nettle is a bit abysmal:
>> === bench-slopes-nettle ===
>> GCM auth | 28.43 ns/B 33.54 MiB/s 39.81 c/B 1400.2
>> === bench-slopes-gcrypt ===
>> GCM auth | 21.86 ns/B 43.62 MiB/s 30.52 c/B 1396.0
>> === bench-slopes-openssl [1.1.1a] ===
>> GCM auth | 5.99 ns/B 159.3 MiB/s 8.38 c/B 1399.6
>> === cut ===
>> Current openssl/cryptogams code is based on ideas from
>> https://hal.inria.fr/hal-01506572 (licensed CC BY 4.0)
>> and there is a linked implementation
>> https://conradoplg.cryptoland.net/software/ecc-and-ae-for-arm-neon/
>> (licensed LGPL 2.1+), which I guess should be acceptable to borrow.
>
> Thanks for providing links to these. My focus for AES/GCM has been on
> ARM crypto extension instruction set so I hadn't looked into ARM/NEON
> implementation. When CPU has support for crypto instructions, gcrypt
> performs significantly better and gives results similar to openssl:
Forgot to mention that the gcrypt ARM-CE/GCM implementation is based on
paper "Gouvêa, C. P. L. & López, J. Implementing GCM on ARMv8. Topics in
Cryptology — CT-RSA 2015", https://conradoplg.cryptoland.net/publications/
-Jussi