• Ard Biesheuvel's avatar
    ARM: add support for bit sliced AES using NEON instructions · e4e7f10b
    Ard Biesheuvel authored
    Bit sliced AES gives around 45% speedup on Cortex-A15 for encryption
    and around 25% for decryption. This implementation of the AES algorithm
    does not rely on any lookup tables so it is believed to be invulnerable
    to cache timing attacks.
    
    This algorithm processes up to 8 blocks in parallel in constant time. This
    means that it is not usable by chaining modes that are strictly sequential
    in nature, such as CBC encryption. CBC decryption, however, can benefit from
    this implementation and runs about 25% faster. The other chaining modes
    implemented in this module, XTS and CTR, can execute fully in parallel in
    both directions.
    
    The core code has been adopted from the OpenSSL project (in collaboration
    with the original author, on cc). For ease of maintenance, this version is
    identical to the upstream OpenSSL code, i.e., all modifications that were
    required to make it suitable for inclusion into the kernel have been made
    upstream. The original can be found here:
    
        http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f6a6130
    
    Note to integrators:
    While this implementation is significantly faster than the existing table
    based ones (generic or ARM asm), especially in CTR mode, the effects on
    power efficiency are unclear as of yet. This code does fundamentally more
    work, by calculating values that the table based code obtains by a simple
    lookup; only by doing all of that work in a SIMD fashion, it manages to
    perform better.
    
    Cc: Andy Polyakov <appro@openssl.org>
    Acked-by: default avatarNicolas Pitre <nico@linaro.org>
    Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
    e4e7f10b
aesbs-core.S_shipped 51.6 KB