author | Nathan Huckleberry <nhuck@google.com> | 2022-05-20 18:14:59 +0000 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2022-06-10 16:40:17 +0800 |
commit | 34f7f6c3011276313383099156be287ac745bcea (patch) | |
tree | 54cceaf783df3b379afd1b6c52a699c5ed8301c4 /crypto/Kconfig | |
parent | c0eb7591c1ed9cbdb0ad796bb56aed13748b55fa (diff) | |
crypto: x86/polyval - Add PCLMULQDQ accelerated implementation of POLYVAL
Add hardware accelerated version of POLYVAL for x86-64 CPUs with
PCLMULQDQ support.
This implementation is accelerated using PCLMULQDQ instructions to
perform the finite field computations. For added efficiency, 8 blocks
of the message are processed simultaneously by precomputing the first
8 powers of the key.
Schoolbook multiplication is used instead of Karatsuba multiplication
because it was found to be slightly faster on x86-64 machines.
Montgomery reduction must be used instead of Barrett reduction due to
the difference in modulus between POLYVAL's field and other finite
fields.
More information on POLYVAL can be found in the HCTR2 paper:
"Length-preserving encryption with HCTR2":
https://eprint.iacr.org/2021/1441.pdf
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
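The commit message names three design points: a schoolbook 128x128 carry-less multiply, Montgomery reduction for POLYVAL's modulus x^128 + x^127 + x^126 + x^121 + 1, and processing eight blocks at a time against the first eight powers of the key. The following portable C model is an added example for this page, not the kernel's polyval-clmulni sources or any code by the commit's author: clmul64() is a bit-serial stand-in for PCLMULQDQ, and the function names, the constant name GSTAR, and the key and message bytes in polyval_selfcheck() are all constructed here. It also goes one step beyond the commit text by carrying RFC 8452's bit-serial mulX_POLYVAL as an independent reference against which the word-level reduction is checked.

```c
/* Added example: POLYVAL with schoolbook clmul, two-round Montgomery reduction and
 * 8-block batching. Model of the approach the commit describes, not the kernel's code. */
#include <stdint.h>
#include <stddef.h>
typedef struct { uint64_t w[2]; } fe;     /* GF(2^128) element, little-endian: w[0] = x^0..x^63 */
typedef struct { uint64_t w[4]; } fe256;  /* unreduced product, degree < 256 */
/* x^63 + x^62 + x^57: P(x) minus its x^128 and constant terms, shifted down 64 bits (name is ours). */
#define GSTAR 0xc200000000000000ULL

static void clmul64(uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)   /* stand-in for PCLMULQDQ */
{
    uint64_t rl = 0, rh = 0;
    for (int i = 0; i < 64; i++)
        if ((b >> i) & 1) { rl ^= a << i; if (i) rh ^= a >> (64 - i); }
    *lo = rl; *hi = rh;
}

/* Schoolbook 128x128 -> 256: four 64-bit products, the cross terms land in the middle words. */
static fe256 mul256(fe a, fe b)
{
    uint64_t l0, h0, l1, h1, l2, h2, l3, h3;
    clmul64(a.w[0], b.w[0], &l0, &h0); clmul64(a.w[0], b.w[1], &l1, &h1);
    clmul64(a.w[1], b.w[0], &l2, &h2); clmul64(a.w[1], b.w[1], &l3, &h3);
    return (fe256){{ l0, h0 ^ l1 ^ l2, l3 ^ h1 ^ h2, h3 }};
}

/* Montgomery reduction T -> T * x^-128 mod P, one 64-bit word per round. Because P == 1 (mod x^64),
 * adding m*P = m*x^128 + (m*(x^63+x^62+x^57))*x^64 + m zeroes the low word m, which is then dropped. */
static fe mont_reduce(fe256 t)
{
    uint64_t lo, hi;
    clmul64(t.w[0], GSTAR, &lo, &hi); t.w[1] ^= lo; t.w[2] ^= hi ^ t.w[0];
    clmul64(t.w[1], GSTAR, &lo, &hi); t.w[2] ^= lo; t.w[3] ^= hi ^ t.w[1];
    return (fe){{ t.w[2], t.w[3] }};
}

static fe dot(fe a, fe b) { return mont_reduce(mul256(a, b)); }   /* RFC 8452 dot(): a*b*x^-128 mod P */
static fe fe_xor(fe a, fe b) { return (fe){{ a.w[0] ^ b.w[0], a.w[1] ^ b.w[1] }}; }
static fe load(const uint8_t *p) { fe r = {{0, 0}}; for (int i = 15; i >= 0; i--) r.w[i / 8] = (r.w[i / 8] << 8) | p[i]; return r; }
static void store(uint8_t *p, fe a) { for (int i = 0; i < 16; i++) p[i] = (uint8_t)(a.w[i / 8] >> (8 * (i % 8))); }

/* Serial POLYVAL: S_i = dot(S_{i-1} ^ X_i, H), one reduction per block. */
int polyval_serial(const uint8_t h[16], const uint8_t *msg, size_t len, uint8_t out[16])
{
    if (len % 16) return -1;                              /* POLYVAL takes full blocks only */
    fe H = load(h), s = {{0, 0}};
    for (size_t i = 0; i < len; i += 16) s = dot(fe_xor(s, load(msg + i)), H);
    store(out, s);
    return 0;
}

/* Batched POLYVAL: hp[k] = H^(k+1) under dot; eight blocks fold into one 256-bit accumulator and share
 * one reduction (valid since mont_reduce() is linear): S' = dot(S^X_1,H^8) ^ dot(X_2,H^7) ^ .. ^ dot(X_8,H). */
int polyval_8way(const uint8_t h[16], const uint8_t *msg, size_t len, uint8_t out[16])
{
    if (len % 16) return -1;
    fe H = load(h), hp[8], s = {{0, 0}};
    hp[0] = H;
    for (int k = 1; k < 8; k++) hp[k] = dot(hp[k - 1], H);
    size_t i = 0;
    for (; i + 128 <= len; i += 128) {
        fe256 acc = {{0, 0, 0, 0}};
        for (int j = 0; j < 8; j++) {
            fe256 p = mul256(j ? load(msg + i + 16 * j) : fe_xor(s, load(msg + i)), hp[7 - j]);
            for (int k = 0; k < 4; k++) acc.w[k] ^= p.w[k];
        }
        s = mont_reduce(acc);
    }
    for (; i < len; i += 16) s = dot(fe_xor(s, load(msg + i)), H);   /* tail blocks, serially */
    store(out, s);
    return 0;
}

/* RFC 8452 mulX_POLYVAL, used here only as a bit-serial reference for the reduction. */
static fe mulx(fe a)
{
    fe r = {{ a.w[0] << 1, (a.w[1] << 1) | (a.w[0] >> 63) }};
    if (a.w[1] >> 63) { r.w[0] ^= 1; r.w[1] ^= GSTAR; }   /* x^128 = x^127 + x^126 + x^121 + 1 */
    return r;
}

/* Self-check on constructed key and message bytes; returns 0 on success, else the failing step. */
int polyval_selfcheck(void)
{
    uint8_t h[16], msg[19 * 16], a[16], b[16];
    for (int i = 0; i < 16; i++) h[i] = (uint8_t)(0x25 + 7 * i);
    for (int i = 0; i < (int)sizeof msg; i++) msg[i] = (uint8_t)(i * 131 + 17);
    fe H = load(h), x = load(msg), one = {{ 1, GSTAR }};  /* one = x^128 mod P, the identity under dot */
    fe ref = {{0, 0}}, x256 = one, p = dot(H, one);
    if (p.w[0] != H.w[0] || p.w[1] != H.w[1]) return 1;
    for (int i = 127; i >= 0; i--) {                      /* Horner, bit-serial: ref = H*x mod P */
        ref = mulx(ref);
        if ((x.w[i / 64] >> (i % 64)) & 1) ref = fe_xor(ref, H);
    }
    for (int i = 0; i < 128; i++) x256 = mulx(x256);      /* x^256 mod P */
    fe q = dot(dot(H, x), x256);                          /* dot(H,x) * x^128 must equal H*x mod P */
    if (q.w[0] != ref.w[0] || q.w[1] != ref.w[1]) return 2;
    if (polyval_serial(h, msg, sizeof msg, a) || polyval_8way(h, msg, sizeof msg, b)) return 3;
    for (int i = 0; i < 16; i++) if (a[i] != b[i]) return 4;   /* 19 blocks: two batches plus 3 tail */
    return polyval_8way(h, msg, 5, b) == -1 ? 0 : 5;      /* a partial block is rejected */
}

int main(void) { return polyval_selfcheck(); }
```

Two details carry over to a real implementation. The key powers must be computed with dot(), not with a plain field multiply, because dot() carries the x^-128 factor and the batched sum only telescopes when every hp[k] is H^(k+1) in that same sense. And the batched path does its one reduction on the XOR of eight unreduced products, which is exactly where the saving comes from; replacing clmul64() with the PCLMULQDQ intrinsic keeps the four-product schoolbook structure unchanged.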
Diffstat (limited to 'crypto/Kconfig')
-rw-r--r-- | crypto/Kconfig | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig index dfcc3235e918..9b654984de79 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -792,6 +792,15 @@ config CRYPTO_POLYVAL POLYVAL is the hash function used in HCTR2. It is not a general-purpose cryptographic hash function. +config CRYPTO_POLYVAL_CLMUL_NI + tristate "POLYVAL hash function (CLMUL-NI accelerated)" + depends on X86 && 64BIT + select CRYPTO_POLYVAL + help + This is the x86_64 CLMUL-NI accelerated implementation of POLYVAL. It is + used to efficiently implement HCTR2 on x86-64 processors that support + carry-less multiplication instructions. + config CRYPTO_POLY1305 tristate "Poly1305 authenticator algorithm" select CRYPTO_HASH |
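Review bot: the new CRYPTO_POLYVAL_CLMUL_NI entry states only a build-time constraint (`depends on X86 && 64BIT`), so the help text should say what happens on an x86-64 CPU that lacks the carry-less multiplication instructions it mentions: whether the module declines to load or falls back to the generic CRYPTO_POLYVAL that the entry selects, since that `select` is what guarantees a working POLYVAL either way. Two smaller points in the same hunk: the commit title calls the instruction PCLMULQDQ while the prompt and help say CLMUL-NI, and "It is used to efficiently implement HCTR2" reads as if HCTR2 required this option, while nothing here selects or depends on CRYPTO_HCTR2; "It can be used to accelerate HCTR2" would be accurate.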