On Mon, May 09, 2022 at 07:11:06PM +0000, Nathan Huckleberry wrote:
> Add hardware accelerated version of POLYVAL for ARM64 CPUs with
> Crypto Extensions support.
>
> This implementation is accelerated using PMULL instructions to perform
> the finite field computations. For added efficiency, 8 blocks of the
> message are processed simultaneously by precomputing the first 8
> powers of the key.
>
> Karatsuba multiplication is used instead of Schoolbook multiplication
> because it was found to be slightly faster on ARM64 CPUs. Montgomery
> reduction must be used instead of Barrett reduction due to the
> difference in modulus between POLYVAL's field and other finite fields.
>
> More information on POLYVAL can be found in the HCTR2 paper:
> "Length-preserving encryption with HCTR2":
> https://eprint.iacr.org/2021/1441.pdf
>
> Signed-off-by: Nathan Huckleberry <nhuck@xxxxxxxxxx>
> Reviewed-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> ---
>  arch/arm64/crypto/Kconfig           |   5 +
>  arch/arm64/crypto/Makefile          |   3 +
>  arch/arm64/crypto/polyval-ce-core.S | 361 ++++++++++++++++++++++++++++
>  arch/arm64/crypto/polyval-ce-glue.c | 193 +++++++++++++++
>  4 files changed, 562 insertions(+)
>  create mode 100644 arch/arm64/crypto/polyval-ce-core.S
>  create mode 100644 arch/arm64/crypto/polyval-ce-glue.c

Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>

- Eric
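An added illustration of the arithmetic the quoted commit message describes (example code, not the kernel's polyval-ce implementation or the author's): a pure-Python model of POLYVAL's field operations built the way the commit outlines them, with Karatsuba 128x128 carry-less multiplication from three 64x64 products, Montgomery reduction by x^128 (which is exactly POLYVAL's dot operation, a*b*x^-128), and Horner evaluation with precomputed key powers that XORs a batch's unreduced products before a single reduction. The little-endian byte order and the mulX_POLYVAL test vector used in the checks come from RFC 8452; the key and message blocks in the checks are constructed values.

```python
# Added example (not the kernel's code): Python model of the POLYVAL arithmetic above; ints are little-endian as in RFC 8452.
POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1  # x^128+x^127+x^126+x^121+1
MASK64 = (1 << 64) - 1

def clmul(a, b):
    # Carry-less (GF(2)[x]) multiply; a 64x64 call models one PMULL instruction.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def karatsuba_clmul128(a, b):
    # 128x128 -> 256-bit product with three 64x64 multiplies instead of four.
    a0, a1, b0, b1 = a & MASK64, a >> 64, b & MASK64, b >> 64
    lo, hi = clmul(a0, b0), clmul(a1, b1)
    mid = clmul(a0 ^ a1, b0 ^ b1) ^ lo ^ hi
    return lo ^ (mid << 64) ^ (hi << 128)

def montgomery_reduce(t):
    # t * x^-128 mod POLY in two 64-bit steps; POLY = 1 (mod x^64), so the
    # multiple of POLY that clears the low 64 bits is just those 64 bits.
    for _ in range(2):
        t = (t ^ clmul(t & MASK64, POLY)) >> 64
    return t

def gf_mod(t):
    # Reference schoolbook reduction (no x^-128 factor), for cross-checks.
    while t.bit_length() > 128:
        t ^= POLY << (t.bit_length() - 129)
    return t

def dot(a, b):
    # RFC 8452 dot(a, b) = a * b * x^-128: a Montgomery product with R = x^128.
    return montgomery_reduce(karatsuba_clmul128(a, b))

def polyval(h, blocks, batch=8):
    # Horner evaluation with precomputed H^1..H^batch: XOR a whole batch's unreduced
    # 256-bit products, then reduce once (the 8-way structure of the asm).
    powers = [0, h]
    for _ in range(2, batch + 1):
        powers.append(dot(powers[-1], h))
    s = 0
    for i in range(0, len(blocks), batch):
        chunk = [s ^ blocks[i]] + blocks[i + 1:i + batch]  # fold running sum into X_1
        acc = 0
        for j, x in enumerate(chunk):
            acc ^= karatsuba_clmul128(x, powers[len(chunk) - j])
        s = montgomery_reduce(acc)
    return s
```

Calling `polyval` with `batch=1` gives the plain one-reduction-per-block form S_i = dot(S_{i-1} ^ X_i, H), so the batched and serial evaluations can be compared directly on the same input.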