diff options
| author |   Jason A. Donenfeld <Jason@zx2c4.com> | 2018-10-01 03:50:58 +0200 |
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2018-10-02 14:37:53 +0200 |
| commit | bb843fc610c5ad66c85b6a814560f59aa498e20d (patch) | |
| tree | 5d1f0eb66a82a2c3ec5a8e3eaf806173a6e86b7a /src/crypto/zinc | |
| parent | crypto: use ZINC_ARCH macros (diff) | |
| download | wireguard-monolithic-historical-bb843fc610c5ad66c85b6a814560f59aa498e20d.tar.xz wireguard-monolithic-historical-bb843fc610c5ad66c85b6a814560f59aa498e20d.zip | |
poly1305: document rationale for base 2^26->2^64/32 conversion
Diffstat (limited to 'src/crypto/zinc')
| -rw-r--r-- | src/crypto/zinc/poly1305/poly1305-arm-glue.h | 11 | ||||
| -rw-r--r-- | src/crypto/zinc/poly1305/poly1305-x86_64-glue.h | 9 |
2 files changed, 20 insertions, 0 deletions
diff --git a/src/crypto/zinc/poly1305/poly1305-arm-glue.h b/src/crypto/zinc/poly1305/poly1305-arm-glue.h index c694524..92aa226 100644 --- a/src/crypto/zinc/poly1305/poly1305-arm-glue.h +++ b/src/crypto/zinc/poly1305/poly1305-arm-glue.h @@ -50,6 +50,17 @@ struct poly1305_arch_internal { }; #endif +/* The NEON code uses base 2^26, while the scalar code uses base 2^64 on 64-bit + * and base 2^32 on 32-bit. If we hit the unfortunate situation of using NEON + * and then having to go back to scalar -- because the user is silly and has + * called the update function from two separate contexts -- then we need to + * convert back to the original base before proceeding. The below function is + * written for 64-bit integers, and so we have to swap words at the end on + * big-endian 32-bit. It is possible to reason that the initial reduction below + * is sufficient given the implementation invariants. However, for an avoidance + * of doubt and because this is not performance critical, we do the full + * reduction anyway. + */ static void convert_to_base2_64(void *ctx) { struct poly1305_arch_internal *state = ctx; diff --git a/src/crypto/zinc/poly1305/poly1305-x86_64-glue.h b/src/crypto/zinc/poly1305/poly1305-x86_64-glue.h index b1248e8..585b579 100644 --- a/src/crypto/zinc/poly1305/poly1305-x86_64-glue.h +++ b/src/crypto/zinc/poly1305/poly1305-x86_64-glue.h @@ -67,6 +67,15 @@ struct poly1305_arch_internal { struct { u32 r2, r1, r4, r3; } rn[9]; }; +/* The AVX code uses base 2^26, while the scalar code uses base 2^64. If we hit + * the unfortunate situation of using AVX and then having to go back to scalar + * -- because the user is silly and has called the update function from two + * separate contexts -- then we need to convert back to the original base before + * proceeding. It is possible to reason that the initial reduction below is + * sufficient given the implementation invariants. However, for an avoidance of + * doubt and because this is not performance critical, we do the full reduction + * anyway. + */ static void convert_to_base2_64(void *ctx) { struct poly1305_arch_internal *state = ctx; |