Frank Denis
d343b75e7f
ghash & poly1305: fix handling of partial blocks and add pad()
pad() aligns the next input to the first byte of a block, which is
useful to implement the IETF version of ChaCha20Poly1305 and AES-GCM.
2020-10-05 23:50:38 +02:00
Frank Denis
97fd0974b9
ghash: add pclmul support on x86_64
2020-10-01 02:05:11 +02:00
Frank Denis
8161de7fa4
Implement ghash aggregated reduction
Performance increases from ~400 MiB/s to 450 MiB/s at the expense of
extra code. Thus, aggregation is disabled on ReleaseSmall.
Since the multiplication cost is significant compared to the reduction,
aggregating more than 2 blocks is probably not worth it.
2020-10-01 02:05:07 +02:00
Frank Denis
f1ad94437b
ghash & poly1305: use pointer to slices for keys and output
2020-10-01 02:04:30 +02:00
Frank Denis
58873ed3f9
std/crypto: add GHASH implementation
GHASH is required to implement AES-GCM.
Optimized implementations for CPUs with instructions for carry-less
multiplication will be added next.
2020-10-01 02:04:30 +02:00
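The three GHASH commits above (the base implementation, the two-block aggregated reduction, and pad() for partial blocks) as an added Python example; this is not the Zig std/crypto code and makes no claim about its internal structure. It shows the GF(2^128) multiply in GCM's bit order, a streaming state that buffers partial blocks, a pad() that zero-fills to the next block boundary (what AES-GCM needs between the AAD and the ciphertext), and an aggregated path that folds two blocks at once using H^2, checked against the block-at-a-time form. The key H and ciphertext block are the published GCM specification test case 2 values (H = AES_K(0) with K = 0); the odd-sized AAD and ciphertext used for the partial-block check are constructed.

```python
# Added example, not the Zig std.crypto implementation.
BLOCK = 16
# Reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order.
R = 0xE1000000000000000000000000000000


def gf128_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) as GCM defines it: the first byte's most
    significant bit is the x^0 coefficient, so 'multiply by x' is a right
    shift and the overflow bit folds back in as R."""
    z = 0
    v = x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


class Ghash:
    """Streaming GHASH: buffers partial blocks, pad() aligns to a block
    boundary, and (optionally) two blocks are absorbed per reduction."""

    def __init__(self, h: bytes, aggregate: bool = True):
        if len(h) != BLOCK:
            raise ValueError("H must be 16 bytes")
        self.h = int.from_bytes(h, "big")
        # H^2 lets two blocks share one reduction: (acc^b0)*H^2 ^ b1*H.
        self.h2 = gf128_mul(self.h, self.h) if aggregate else None
        self.acc = 0
        self.buf = b""

    def update(self, data: bytes) -> None:
        self.buf += data
        # Aggregated path: identical to ((acc ^ b0)*H ^ b1)*H, one reduction fewer.
        while self.h2 is not None and len(self.buf) >= 2 * BLOCK:
            b0 = int.from_bytes(self.buf[:BLOCK], "big")
            b1 = int.from_bytes(self.buf[BLOCK:2 * BLOCK], "big")
            self.acc = gf128_mul(self.acc ^ b0, self.h2) ^ gf128_mul(b1, self.h)
            self.buf = self.buf[2 * BLOCK:]
        # Plain path for a single remaining full block.
        while len(self.buf) >= BLOCK:
            self.acc = gf128_mul(self.acc ^ int.from_bytes(self.buf[:BLOCK], "big"), self.h)
            self.buf = self.buf[BLOCK:]

    def pad(self) -> None:
        """Zero-fill a pending partial block so the next update() starts at
        the first byte of a fresh block. A no-op when already aligned."""
        if self.buf:
            self.update(bytes(BLOCK - len(self.buf)))

    def final(self) -> bytes:
        self.pad()
        return self.acc.to_bytes(BLOCK, "big")


def aes_gcm_ghash(h: bytes, aad: bytes, ct: bytes,
                  aggregate: bool = True, chunk: int = 0) -> bytes:
    """GHASH_H(A, C) as AES-GCM uses it: A, zero-padded to a block, C,
    zero-padded to a block, then [len(A)]64 || [len(C)]64 in bits.
    chunk > 0 feeds the inputs in pieces to exercise partial-block buffering."""
    step = chunk or max(len(aad) + len(ct), 1)
    g = Ghash(h, aggregate)
    for i in range(0, len(aad), step):
        g.update(aad[i:i + step])
    g.pad()
    for i in range(0, len(ct), step):
        g.update(ct[i:i + step])
    g.pad()
    g.update((len(aad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big"))
    return g.final()


# GCM specification test case 2: K = 0^128, H = AES_K(0^128), one ciphertext block.
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TC2 = bytes.fromhex("f38cbb1ad69223dcc3457ae5b6b0f885")

if __name__ == "__main__":
    print(aes_gcm_ghash(H_TC2, b"", C_TC2).hex())
    # Constructed odd-sized inputs: aggregated, streamed in 7-byte pieces,
    # must agree with the plain one-shot computation.
    aad, ct = bytes(range(37)), bytes(range(100, 120))
    assert aes_gcm_ghash(H_TC2, aad, ct, chunk=7) == aes_gcm_ghash(H_TC2, aad, ct, aggregate=False)
```

Note that pad() is what makes the AAD/ciphertext boundary of AES-GCM expressible with a single streaming state: without it, a 37-byte AAD followed by ciphertext would leave 5 AAD bytes and 11 ciphertext bytes in the same block, which is not the GHASH input AES-GCM defines.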