[Cfrg] Rust implementations of AES-GCM and AES-GCM-SIV built on POLYVAL

Tony Arcieri <bascule@gmail.com> Mon, 07 October 2019 01:18 UTC

From: Tony Arcieri <bascule@gmail.com>
Date: Sun, 06 Oct 2019 18:18:39 -0700
Message-ID: <CAHOTMV+bU-3Sky-qqLn=xU+UrWsC7KXF=sPDDYqBEc1wd4qgrA@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/u4Jeyoh-S0TfDsSmedRbfG8WqSM>
Subject: [Cfrg] Rust implementations of AES-GCM and AES-GCM-SIV built on POLYVAL
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

RFC 8452 Appendix A suggests that GHASH can be implemented in terms of
POLYVAL (by computing mulX_POLYVAL on the GHASH key and reversing GHASH
inputs/outputs), allowing POLYVAL to be the common optimization target for
both (provided you're mainly concerned with little endian architectures,
which happens to be the case for me).

I've gone ahead and done that in Rust implementations of AES-GCM and
AES-GCM-SIV:

https://crates.io/crates/aes-gcm
https://crates.io/crates/aes-gcm-siv

The underlying POLYVAL implementation supports (P)CLMUL(QDQ) on x86/x86_64
using Shay Gueron's carryless Karatsuba and fast Montgomery reduction
techniques[1]. When that isn't available, it falls back on a software
implementation adapted from BearSSL.

[1]: https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf

-- 
Tony Arcieri
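The RFC 8452 Appendix A identity the post relies on, worked through in code. This is an added example, not code from the aes-gcm, aes-gcm-siv or polyval crates: a bit-serial software POLYVAL and GHASH over GF(2^128), mulX in each field's representation, and the conversion GHASH(H, X_1..X_n) = ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1), ..., ByteReverse(X_n))) plus its mirror for POLYVAL via GHASH. The mulX and POLYVAL test vectors are the ones printed in RFC 8452 Appendix A; the hex helper and the identity-element checks are my own additions. The loops are plain reference code and are not constant-time, so they serve to check an optimized implementation rather than replace one.

```rust
// Reference POLYVAL and GHASH over GF(2^128) and the RFC 8452 Appendix A
// conversion between them. Added example; bit-serial and not constant-time.

pub type Block = [u8; 16];

/// Decode a 32-character hex string into a block (test-vector helper).
pub fn hex_block(s: &str) -> Block {
    let mut b = [0u8; 16];
    for (i, byte) in b.iter_mut().enumerate() {
        *byte = u8::from_str_radix(&s[2 * i..2 * i + 2], 16).expect("hex");
    }
    b
}

/// ByteReverse from RFC 8452: reverse the order of the 16 bytes.
pub fn byte_reverse(b: &Block) -> Block {
    let mut r = *b;
    r.reverse();
    r
}

// POLYVAL: little-endian representation, bit i of the LE integer is x^i.
// Reduction polynomial x^128 + x^127 + x^126 + x^121 + 1, so
// x^128 == x^127 + x^126 + x^121 + 1.
const POLYVAL_LOW: u128 = (1u128 << 127) | (1u128 << 126) | (1u128 << 121) | 1;

/// Multiply by x in POLYVAL's field (mulX_POLYVAL).
pub fn mulx_polyval(b: &Block) -> Block {
    let v = u128::from_le_bytes(*b);
    let mut r = v << 1;
    if v >> 127 == 1 {
        r ^= POLYVAL_LOW;
    }
    r.to_le_bytes()
}

/// Divide by x in POLYVAL's field (inverse of mulx_polyval).
fn divx_polyval(v: u128) -> u128 {
    if v & 1 == 1 {
        // v + p is divisible by x; p's x^128 term becomes x^127 after dividing.
        ((v ^ POLYVAL_LOW) >> 1) | (1u128 << 127)
    } else {
        v >> 1
    }
}

/// POLYVAL's dot operation a * b * x^-128, computed Montgomery-style:
/// the bit-i contribution of a is divided by x (128 - i) times.
fn polyval_dot(a: u128, b: u128) -> u128 {
    let mut r = 0u128;
    for i in 0..128 {
        if (a >> i) & 1 == 1 {
            r ^= b;
        }
        r = divx_polyval(r);
    }
    r
}

/// POLYVAL(H, X_1, ..., X_n) as defined in RFC 8452 section 3.
pub fn polyval(h: &Block, blocks: &[Block]) -> Block {
    let h = u128::from_le_bytes(*h);
    let mut s = 0u128;
    for x in blocks {
        s = polyval_dot(s ^ u128::from_le_bytes(*x), h);
    }
    s.to_le_bytes()
}

// GHASH: bit-reflected representation, bit (127 - i) of the BE integer is x^i.
// Reduction polynomial x^128 + x^7 + x^2 + x + 1, i.e. R = 0xE1 << 120.
const GHASH_R: u128 = 0xE1u128 << 120;

/// Multiply by x in GHASH's field (mulX_GHASH).
pub fn mulx_ghash(b: &Block) -> Block {
    let v = u128::from_be_bytes(*b);
    let mut r = v >> 1;
    if v & 1 == 1 {
        r ^= GHASH_R;
    }
    r.to_be_bytes()
}

/// GHASH field multiplication (NIST SP 800-38D, Algorithm 1).
fn ghash_mul(x: u128, y: u128) -> u128 {
    let mut z = 0u128;
    let mut v = y;
    for i in 0..128 {
        if (x >> (127 - i)) & 1 == 1 {
            z ^= v;
        }
        let carry = v & 1;
        v >>= 1;
        if carry == 1 {
            v ^= GHASH_R;
        }
    }
    z
}

/// GHASH(H, X_1, ..., X_n).
pub fn ghash(h: &Block, blocks: &[Block]) -> Block {
    let h = u128::from_be_bytes(*h);
    let mut y = 0u128;
    for x in blocks {
        y = ghash_mul(y ^ u128::from_be_bytes(*x), h);
    }
    y.to_be_bytes()
}

/// GHASH computed with the POLYVAL routine (RFC 8452 Appendix A):
/// ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_i)...)).
pub fn ghash_via_polyval(h: &Block, blocks: &[Block]) -> Block {
    let h2 = mulx_polyval(&byte_reverse(h));
    let xs: Vec<Block> = blocks.iter().map(byte_reverse).collect();
    byte_reverse(&polyval(&h2, &xs))
}

/// The mirror identity: POLYVAL via GHASH, with mulX_GHASH on the reversed key.
pub fn polyval_via_ghash(h: &Block, blocks: &[Block]) -> Block {
    let h2 = mulx_ghash(&byte_reverse(h));
    let xs: Vec<Block> = blocks.iter().map(byte_reverse).collect();
    byte_reverse(&ghash(&h2, &xs))
}

fn main() {
    let h = hex_block("25629347589242761d31f826ba4b757b");
    let x = hex_block("4f4f95668c83dfb6401762bb2d01a262");
    println!("GHASH direct:      {:02x?}", ghash(&h, &[x]));
    println!("GHASH via POLYVAL: {:02x?}", ghash_via_polyval(&h, &[x]));
}
```

The only cost of the conversion is one ByteReverse per block plus the one-time mulX_POLYVAL on the key, which is why a single POLYVAL kernel can back both AES-GCM and AES-GCM-SIV; on a little-endian target the reversal is a single byte-shuffle, which is the caveat the post makes about architecture. Both directions run through independent field multiplications, so agreement between `ghash` and `ghash_via_polyval` on arbitrary input is a useful regression check for any optimized kernel.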