From 18d6d0920bb6f511159de21f051b0c6d8dab246f Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Wed, 12 Sep 2018 18:33:01 +0200
Subject: Precompute s for small speedup
---
 poly1305-donna32.c | 14 ++++++++++----
 poly1305-donna64.c | 9 ++++++---
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/poly1305-donna32.c b/poly1305-donna32.c
index eec66dd..dae05aa 100644
--- a/poly1305-donna32.c
+++ b/poly1305-donna32.c
@@ -27,6 +27,7 @@ struct poly1305_ctx {
 struct poly1305_internal {
 u32 h[5];
 u32 r[5];
+ u32 s[4];
 };
 static void poly1305_init_generic(void *ctx, const u8 key[16])
@@ -40,6 +41,11 @@ static void poly1305_init_generic(void *ctx, const u8 key[16])
 st->r[3] = (get_unaligned_le32(&key[9]) >> 6) & 0x3f03fff;
 st->r[4] = (get_unaligned_le32(&key[12]) >> 8) & 0x00fffff;
+ st->s[0] = st->r[1] * 5;
+ st->s[1] = st->r[2] * 5;
+ st->s[2] = st->r[3] * 5;
+ st->s[3] = st->r[4] * 5;
+
 /* h = 0 */
 st->h[0] = 0;
 st->h[1] = 0;
@@ -65,10 +71,10 @@ static void poly1305_blocks_generic(void *ctx, const u8 *input, size_t len,
 r3 = st->r[3];
 r4 = st->r[4];
- s1 = r1 * 5;
- s2 = r2 * 5;
- s3 = r3 * 5;
- s4 = r4 * 5;
+ s1 = st->s[0];
+ s2 = st->s[1];
+ s3 = st->s[2];
+ s4 = st->s[3];
 h0 = st->h[0];
 h1 = st->h[1];
diff --git a/poly1305-donna64.c b/poly1305-donna64.c
index ca35f5e..75a2e73 100644
--- a/poly1305-donna64.c
+++ b/poly1305-donna64.c
@@ -29,6 +29,7 @@ typedef __uint128_t u128;
 struct poly1305_internal {
 u64 r[3];
 u64 h[3];
+ u64 s[2];
 };
 static void poly1305_init_generic(void *ctx, const u8 key[16])
@@ -40,11 +41,13 @@ static void poly1305_init_generic(void *ctx, const u8 key[16])
 t0 = get_unaligned_le64(&key[0]);
 t1 = get_unaligned_le64(&key[8]);
- /* wiped after finalization */
 st->r[0] = (t0) &0xffc0fffffff;
 st->r[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffff;
 st->r[2] = ((t1 >> 24)) & 0x00ffffffc0f;
+ st->s[0] = st->r[1] * 20;
+ st->s[1] = st->r[2] * 20;
+
 /* h = 0 */
 st->h[0] = 0;
 st->h[1] = 0;
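Review bot: The new `u32 s[4];` member in the first hunk grows `struct poly1305_internal` by 16 bytes, and nothing visible confirms that the storage this state is overlaid on grew with it. Both `poly1305_init_generic` variants receive `void *ctx`, so if the state is cast onto a fixed-size buffer inside `struct poly1305_ctx` (defined above the hunk, not shown), an undersized buffer would turn the new `st->s[...]` stores into out-of-bounds writes. A compile-time guard beside the struct would pin this, for example `_Static_assert(sizeof(struct poly1305_internal) <= sizeof(((struct poly1305_ctx *)0)->OPAQUE_MEMBER), "poly1305 state too large");`, where OPAQUE_MEMBER is a placeholder for the real member name. The same applies to the `u64 s[2];` added to the struct in poly1305-donna64.c.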
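Review bot: The `st->s[]` values stored in the second hunk are fixed multiples of the secret `r` limbs, so they are key material that now persists in the context and needs the same zeroization as `r`. The finalization code is not part of this diff; it is worth confirming that it clears the whole `struct poly1305_internal` by size rather than field by field, otherwise `s` would be left behind. The index shift is also easy to misread, since `s[0]` pairs with `r[1]`, and the loads in `poly1305_blocks_generic` in the third hunk depend on it. A comment above the new stores such as `/* s[i] = 5 * r[i + 1]; key-derived, must be wiped together with r */` would record both points. `poly1305_init_generic` begins and ends outside the hunk.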
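Review bot: The donna64 `poly1305_init_generic` hunk deletes `/* wiped after finalization */` while adding more key-derived state, which removes the only visible statement of the wiping contract from this file. If the state is still cleared at finalization (that code is outside the diff), I would keep the comment and extend it, e.g. `/* r and s are key material; wiped after finalization */`. The multiplier also changes from the self-explaining `(5 << 2)` in the old block code to a bare `20`; `/* s = r * (5 << 2) */` next to the new stores would keep the derivation readable.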
@@ -70,8 +73,8 @@ static void poly1305_blocks_generic(void *ctx, const u8 *input, size_t len,
 h1 = st->h[1];
 h2 = st->h[2];
- s1 = r1 * (5 << 2);
- s2 = r2 * (5 << 2);
+ s1 = st->s[0];
+ s2 = st->s[1];
 while (len >= POLY1305_BLOCK_SIZE) {
 u64 t0, t1;
--
cgit v1.2.3-59-g8ed1b