HS1-SIV uses ChaCha and a new hash algorithm. This implementation is based on the paper and the reference implementation.
I generated custom test vectors since none seem to be provided. I've included the reference implementation to show how they've been generated.
Hs1Params is quite ugly, but I'm unsure if I can make it any cleaner. It could be hidden by using newtypes for the 3 parameter sets instead.
trait ChaChaImpl is necessary because chacha20::variants::Variant and in particular chacha20::variants::Ietf aren't exposed, so chacha20::ChaChaCore is unusable.
I've spent some time optimizing it. It certainly can be optimized more, though so far further attempts have failed.
It should be free of any data-dependent branches, though I haven't looked at the generated assembly very closely.
It's not clear to me why benches fails, since I can run it fine locally. Compiler version difference? (I use I'm guessing a feature related to trait bounds got stabilized between 1.81 and 1.84, since

I don't think we need the

You could try bumping the compiler version used for benchmarks.

I believe the failing mgm test isn't related to this PR?

@Demindiro it does look unrelated, yes
instead spills to memory
code, even though it should be obviously beneficial.
I suspect LLVM is thrown off by the 64 bit multiply, which is missing in
the SSE2 instruction set. It did take me a while to figure out that
casting an array of __m128i to [u64; 2] would end up the most
performant.
The SSE2 version is about ~20% faster for me, so it is a substantial
improvement.
Also, inline(always) on pretty much everything is now beneficial,
whereas before it led to significant regressions. It does create a fair
bit of code bloat though.