RE: Chacha-Poly performance on ARM64

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

> -----Original Message-----
> From: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> Sent: Thursday, September 26, 2019 4:59 PM
> To: Pascal Van Leeuwen <pvanleeuwen@xxxxxxxxxxxxxx>
> Cc: Linux Crypto Mailing List <linux-crypto@xxxxxxxxxxxxxxx>
> Subject: Re: Chacha-Poly performance on ARM64
> 
> On Thu, 26 Sep 2019 at 16:55, Pascal Van Leeuwen
> <pvanleeuwen@xxxxxxxxxxxxxx> wrote:
> >
> > Hi,
> >
> > I'm currently doing some performance benchmarking on a quad core Cortex
> > A72 (Macchiatobin dev board) for rfc7539esp (ChachaPoly) and the
> > relatively low performance kind of took me by surprise, considering how
> > everyone  keeps shouting how efficient Chacha-Poly is in software on
> > modern CPU's.
> >
> > Then I noticed that it was using chacha20-generic for the encrypt
> > direction, while a chacha20-neon implementation exists (it actually
> > DOES use that one for decryption). Why would that be?
> >
> > Also, it also uses poly1305-generic in both cases. Is that the best
> > possible on ARM64? I did a quick search in the codebase but couldn't
> > find any ARM64 optimized version ...
> >
> 
> The Poly1305 implementation is part of the 18 piece WireGuard series I
> just sent out yesterday (which I know you have seen :-))
> 
I've seen the series but I must have missed that detail. I had hunch you
would be the one working on it though :-) I'll look it up and try it 
tomorrow.

> The Chacha20 code should be used in preference to the generic code, so
> if you end up with the wrong version, there's a bug somewhere we need
> to fix.
> 
Yes, I think so too. In fact, I think it may be the same bug I reported
earlier regarding the selftests, where it also unexpectedly picked the
generic implementation. IIRC the response I got back was that this was
a known issue where for the very first use of a cipher, the generic 
implementation gets chosen instead of the optimal one. I guess no one
has looked into that yet ...

> Also, how do you know which direction uses which transform? 
>
Well, tcrypt just logs that to the message log.

> What are the refcounts for the transforms in /proc/crypto?
>
All refcnt's in /proc/crypto are 1.

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com
[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux