RFR: 8296411: AArch64: Accelerated Poly1305 intrinsics [v2]
Claes Redestad
redestad at openjdk.org
Wed May 24 13:41:56 UTC 2023
On Wed, 24 May 2023 11:08:31 GMT, Andrew Haley <aph at openjdk.org> wrote:
>> No, it doesn't break the invariants.
>>
>> R is the randomly-chosen 128-bit key. It is generated from an initial 128-bit-log string of random bits, then
>> `r &= 0x0ffffffc0ffffffc0ffffffc0fffffff`
>>
>> This 128-bit-long string is split into 26-bit limbs before the intrinsic is called. The zero bits remain zero.
>> When we repack R into two 64-bit registers those zero bits are still zero.
>
> See https://loup-vaillant.fr/tutorials/poly1305-design for more explanation
Thanks for the link!
So `r` refers to the value passed via `r_start` and it wasn't clear from the immediate context that `r_start` is already split into 26-bit limbs. So the `pack26` takes the 5 26-bit limbs and repacks them so that `R_0` has the low 64-bit of `r`, `R_1` the high bits. Makes sense.
`R_2` is unused and could be reclaimed. Perhaps an override for `pack26` that only takes two registers and discards the last 2 bits? Might help clarify the setup.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/14085#discussion_r1204159348
More information about the security-dev
mailing list