On Wed, Jul 05, 2017 at 12:43:19AM +0100, Ard Biesheuvel wrote:
> Implement a NEON fallback for systems that do support NEON but have
> no support for the optional 64x64->128 polynomial multiplication
> instruction that is part of the ARMv8 Crypto Extensions. It is based
> on the paper "Fast Software Polynomial Multiplication on ARM Processors
> Using the NEON Engine" by Danilo Camara, Conrado Gouvea, Julio Lopez and
> Ricardo Dahab (https://hal.inria.fr/hal-01506572), but has been reworked
> extensively for the AArch64 ISA.
>
> On a low-end core such as the Cortex-A53 found in the Raspberry Pi3, the
> NEON based implementation is 4x faster than the table based one, and
> is time invariant as well, making it less vulnerable to timing attacks.
> When combined with the bit-sliced NEON implementation of AES-CTR, the
> AES-GCM performance increases by ~2x (from 58 to 30 cycles per byte).
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>

This patch does not apply against cryptodev.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
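The quoted patch description mentions two things worth seeing in plain code: a 64x64->128 polynomial (carry-less) multiply done without a lookup table so that it runs in time independent of the data, and the way such a primitive is built up into the GF(2^128) multiplication GHASH needs. The following is an added example written for this page; it is neither the kernel patch's code nor code from the Camara et al. paper, and all of the names in it (`clmul64`, `clmul128_karatsuba`, `gf128_reduce`, `gf128_mul`, the `u128`/`u256` types) are this example's own. It uses scalar C rather than NEON, and it works in natural bit order (bit i is the coefficient of x^i) with the GCM polynomial x^128 + x^7 + x^2 + x + 1; an actual GHASH implementation also has to deal with GCM's bit-reflected block layout, which is left out here.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* 128-bit polynomial over GF(2) as two 64-bit limbs; bit i is the coefficient of x^i. */
typedef struct { uint64_t hi, lo; } u128;
/* 256-bit product, least significant limb first. */
typedef struct { uint64_t w[4]; } u256;

/*
 * 64x64 -> 128 carry-less multiply with no table and no data-dependent
 * branches: every iteration does identical work, and bit i of b becomes an
 * all-ones/all-zeros mask that selects (a << i) as a 128-bit value.
 * This is the operation the hardware PMULL instruction performs in one step.
 */
static u128 clmul64(uint64_t a, uint64_t b)
{
    u128 r = { 0, 0 };
    for (int i = 0; i < 64; i++) {
        uint64_t mask = 0 - ((b >> i) & 1);
        /* upper half of the shifted a; the branch depends on the loop counter only */
        uint64_t hi_part = (i == 0) ? 0 : (a >> (64 - i));
        r.lo ^= (a << i) & mask;
        r.hi ^= hi_part & mask;
    }
    return r;
}

/* 128x128 -> 256 with four 64-bit products; kept as a reference for the Karatsuba version. */
static u256 clmul128_schoolbook(u128 a, u128 b)
{
    u128 ll = clmul64(a.lo, b.lo), lh = clmul64(a.lo, b.hi);
    u128 hl = clmul64(a.hi, b.lo), hh = clmul64(a.hi, b.hi);
    u256 r;
    r.w[0] = ll.lo;
    r.w[1] = ll.hi ^ lh.lo ^ hl.lo;
    r.w[2] = hh.lo ^ lh.hi ^ hl.hi;
    r.w[3] = hh.hi;
    return r;
}

/*
 * Karatsuba: three 64-bit products instead of four. Over GF(2) the cross term
 * a.lo*b.hi + a.hi*b.lo equals (a.lo+a.hi)(b.lo+b.hi) + ll + hh, with + being XOR,
 * so one product of the limb sums replaces two products.
 */
static u256 clmul128_karatsuba(u128 a, u128 b)
{
    u128 ll = clmul64(a.lo, b.lo);
    u128 hh = clmul64(a.hi, b.hi);
    u128 mm = clmul64(a.lo ^ a.hi, b.lo ^ b.hi);
    uint64_t mlo = mm.lo ^ ll.lo ^ hh.lo;
    uint64_t mhi = mm.hi ^ ll.hi ^ hh.hi;
    u256 r;
    r.w[0] = ll.lo;
    r.w[1] = ll.hi ^ mlo;
    r.w[2] = hh.lo ^ mhi;
    r.w[3] = hh.hi;
    return r;
}

/* Reduce a 256-bit product modulo x^128 + x^7 + x^2 + x + 1 using x^128 = x^7 + x^2 + x + 1. */
static u128 gf128_reduce(u256 p)
{
    static const int shifts[4] = { 0, 1, 2, 7 };   /* the low terms of the polynomial */
    uint64_t l0 = p.w[0], l1 = p.w[1];             /* coefficients of x^0 .. x^127 */
    uint64_t h0 = p.w[2], h1 = p.w[3];             /* coefficients of x^128 .. x^255 */
    uint64_t top = 0;                              /* x^128.. overflow of the first fold */
    for (int k = 0; k < 4; k++) {
        int s = shifts[k];
        if (s == 0) { l0 ^= h0; l1 ^= h1; continue; }
        l0 ^= h0 << s;
        l1 ^= (h1 << s) | (h0 >> (64 - s));
        top ^= h1 >> (64 - s);
    }
    /* top has at most 7 bits, so its fold fits entirely in the low limb */
    l0 ^= top ^ (top << 1) ^ (top << 2) ^ (top << 7);
    u128 r = { l1, l0 };
    return r;
}

static u128 gf128_mul(u128 a, u128 b)
{
    return gf128_reduce(clmul128_karatsuba(a, b));
}

static int u128_eq(u128 v, uint64_t hi, uint64_t lo) { return v.hi == hi && v.lo == lo; }

static int karatsuba_matches_schoolbook(u128 a, u128 b)
{
    u256 k = clmul128_karatsuba(a, b), s = clmul128_schoolbook(a, b);
    for (int i = 0; i < 4; i++)
        if (k.w[i] != s.w[i]) return 0;
    return 1;
}

int main(void)
{
    u128 a = { 0x8000000000000000ULL, 0 };        /* x^127 */
    u128 x = { 0, 2 };                             /* x */
    u128 r = gf128_mul(a, x);                      /* x^128 mod P = x^7 + x^2 + x + 1 */
    printf("x^127 * x mod P = %016" PRIx64 "%016" PRIx64 "\n", r.hi, r.lo);
    return 0;
}
```

The masked loop in `clmul64` is the scalar counterpart of what a NEON fallback does with vector operations: the work per input bit is fixed, so nothing about the secret hash key H leaks through cache or branch timing, which is the property a table-driven GHASH lacks.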