Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06

[Andy Polyakov <appro@openssl.org>]

>> But it's also the case that little-endian machines now dominate. It's
>> nice that some big cores can largely hide the cost of doing the byte
>> swap, but hiding work is not the same as avoiding it (as your Skylake
>> numbers show) and smaller cores may not be able to do the
>> out-of-order, superscalar magic needed.
> 
> The assertion that 20% improvement is rather anomaly than rule has
> lesser to do with cores being "little" or "big". And I feel that logic
> is getting twisted here. "Big" cores are considered to be more likely to
> amortize additional cost of byte swap, right? Skylake is "big" core and
> it does have computational resources to do so. And fails miserably.

I think I've misinterpreted the original remark in my head, as reply
appears orthogonal now, in the morning. Yes, some processors will fail
to amortize costs of byte swap, but point is that even if they won't,
*customarily* unamortized cost won't be anywhere near 20%. Yes, avoiding
byte swap will lift the question altogether, but question still is if
gain (and we are be talking about non-anomalous cases) justifies
introduction of new primitives. Yes, they might appear more elegant to
little-endian eye, but these two, performance and elegance, are not the
only parts of equation. Not to mention that every term has weight
coefficient. Performance's weight is improvement coefficient (6% on
Skylake, none to effectively negligible on others, negative for those
who choose easy way out(*)), and elegance's weight is...

(*) As mentioned earlier, "easy way out" refers to performing byte
swapping of GHASH input and output, and building modified CTR with
signle-block cipher subroutine. As opposite to investing into
high-performance code that would have to be dedicated. Even unstitched.