GCM: GHASH optimizations

* cipher/cipher-gcm.c [GCM_USE_TABLES] (gcmR, ghash): Replace with new.
[GCM_USE_TABLES] [GCM_TABLES_USE_U64] (bshift, fillM, do_ghash): New.
[GCM_USE_TABLES] [!GCM_TABLES_USE_U64] (bshift, fillM): Replace with
new.
[GCM_USE_TABLES] [!GCM_TABLES_USE_U64] (do_ghash): New.
(_gcry_cipher_gcm_tag): Remove extra memcpy to outbuf and use
buf_eq_const for comparing authentication tag.
* cipher/cipher-internal.h (gcry_cipher_handle): Different 'gcm_table'
for 32-bit and 64-bit platforms.
--

Patch improves GHASH speed.

Intel Haswell (x86-64):
Old:
       GCM auth |     26.22 ns/B     36.38 MiB/s     83.89 c/B
New:
       GCM auth |      3.18 ns/B     300.0 MiB/s     10.17 c/B

Intel Haswell (mingw32):
Old:
       GCM auth |     27.27 ns/B     34.97 MiB/s     87.27 c/B
New:
       GCM auth |      7.58 ns/B     125.7 MiB/s     24.27 c/B

Cortex-A8:
Old:
       GCM auth |     231.4 ns/B      4.12 MiB/s     233.3 c/B
New:
       GCM auth |     30.82 ns/B     30.94 MiB/s     31.07 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>

1 files changed, 8 insertions, 1 deletions

diff --git a/cipher/cipher-internal.h b/cipher/cipher-internal.h
index 7da9c680..b4d0ff9d 100644
--- a/cipher/cipher-internal.h
+++ b/cipher/cipher-internal.h
@@ -129,7 +129,14 @@ struct gcry_cipher_handle
   int unused;  /* Number of unused bytes in LASTIV. */
   unsigned char length[MAX_BLOCKSIZE]; /* bit counters for GCM */
 #ifdef GCM_USE_TABLES
-  unsigned char gcm_table[16 * 16]; /* pre-calculated table for GCM */
+ #if defined(HAVE_U64_TYPEDEF) && \
+     (SIZEOF_UNSIGNED_LONG == 8 || defined(__x86_64__))
+  #define GCM_TABLES_USE_U64 1
+  u64 gcm_table[2 * 16]; /* pre-calculated table for GCM */
+ #else
+  #undef GCM_TABLES_USE_U64
+  u32 gcm_table[4 * 16]; /* pre-calculated table for GCM */
+ #endif
 #endif
 
   union {