On 3/12/2024 8:18 AM, Ard Biesheuvel wrote:
> I wonder whether we need aesni_set_key() at all.
The following looks to be relevant from the AES-NI whitepaper [1]:
The Relative Cost of the Key Expansion
...
Some less frequent applications require frequent key scheduling. For
example, some random number generators may rekey frequently to
achieve forward secrecy. One extreme example is a Davies-Meyer
hashing construction, which uses a block cipher primitive as a
compression function, and the cipher is re-keyed for each processed
data block.
Although these are not the mainstream usage models of the AES
instructions, we point out that the AESKEYGENASSIST and AESIMC
instructions facilitate Key Expansion procedure which is lookup
tables free, and faster than software only key expansion. In
addition, we point out that unrolling of the key expansion code,
which is provided in the previous sections, improves the key
expansion performance. The AES256 case can also utilize the
instruction AESENCLAST, for the sbox transformation, that is faster
than using AESKEYGENASSIST.
[1] https://www.intel.com/content/dam/doc/white-paper/advanced-encryption-standard-new-instructions-set-paper.pdf
Thanks,
Chang