[Libre-soc-bugs] [Bug 1157] Implement poly1305

bugzilla-daemon at libre-soc.org bugzilla-daemon at libre-soc.org
Mon Sep 18 16:37:20 BST 2023


https://bugs.libre-soc.org/show_bug.cgi?id=1157

--- Comment #18 from Luke Kenneth Casson Leighton <lkcl at lkcl.net> ---
(In reply to Sadoon Albader from comment #17)
> Alright just git pulled openpower-isa to test things out, I wanted to make
> sure that we can handle both messages larger than 16 bytes *and* messages
> with leftover bytes (not multiple of 16). I grabbed the known MAC from
> poly1305-donna with its key and message, all seem to be working flawlessly.
> Brilliant Luke!

awesome. did you remember to add those verifications as unit tests?
i had a bug where c was multiplied by *four* not five and so the
possibility i described in comment #14 is a very real one.

i look forward to seeing you follow the standard project development
procedures (which i also look forward to not being placed into a position
of having to remind you of again) to put the commit git diff URL into
a bugreport alongside reports such as the above, with those unit tests.

i suggest just doing a test_poly1305.py which imports from both
poly1305.py and poly1305_donna.py and chucks a whole stack of
random-length random-data at them both and compares the two.

> Time to get to porting to SVP64, one baby step at a time.

i just tried adding a python-based implementation of dsrd
which *should* be possible to use
https://git.libre-soc.org/?p=openpower-isa.git;a=commitdiff;h=49d5222a

you can see places where it could potentially be used:

            h0 += (( t0                    ) & 0xfffffffffff);
            h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffff);
            h2 += (((t1 >> 24)             ) & 0x3ffffffffff) | hibit;

that would be *TWO* uses of dsrd, not 3 - because h2 ends up with the
remainder of t1 from the *second* use of dsrd.

the dsrd calls can be split out:

            dd0 = (( t0                    ) & 0xfffffffffff);
            dd1 = (((t0 >> 44) | (t1 << 20)) & 0xfffffffffff);
            dd2 = (((t1 >> 24)             ) & 0x3ffffffffff)

            h0 += dd0;
            h1 += dd1;
            h2 += dd2 | hibit;

where (guessing here):

            dd0,dd1 = dsrd(t0, 0, 44)
            dd0,dd1 = dsrd(t0, t1, 44)

you see how that would work? it's not quite there, but close.

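Added example, not code from the openpower-isa repository or from poly1305-donna: a big-integer reference Poly1305 (RFC 8439) next to a 44/44/42-bit limb version built around the exact t0/t1 split quoted in the comment, plus the kind of random-length cross-check the comment asks for in test_poly1305.py. The function names, the `split_limbs` helper and the constructed random-data loop are this example's own; the single known-answer vector is the one from RFC 8439 section 2.5.2, and no real `dsrd` semantics are modelled.

```python
"""Reference Poly1305 vs. a limb-based Poly1305, cross-checked on random input.
Added example; not the Libre-SOC poly1305.py / poly1305_donna.py code."""
import random
import struct

P = (1 << 130) - 5                       # Poly1305 prime
MASK44 = (1 << 44) - 1
MASK42 = (1 << 42) - 1
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff

# RFC 8439 section 2.5.2 known-answer vector (34-byte message: two full
# blocks plus 2 leftover bytes, so the partial-block path is exercised).
RFC8439_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                            "0103808afb0db2fd4abff6af4149f51b")
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


def poly1305_ref(key: bytes, msg: bytes) -> bytes:
    """Oracle: RFC 8439 Poly1305 done with Python big integers."""
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16] + b"\x01"      # 0x01 marks the top of the block
        acc = (acc + int.from_bytes(block, "little")) * r % P
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def split_limbs(t0: int, t1: int):
    """The split quoted in the comment: 128-bit t1:t0 -> 44/44/40-bit pieces.
    dd1 takes the top 20 bits of t0 and the low 24 bits of t1; dd2 is simply
    what is left of t1, which is why only two shift steps are needed."""
    dd0 = t0 & MASK44
    dd1 = ((t0 >> 44) | (t1 << 20)) & MASK44
    dd2 = (t1 >> 24) & MASK42
    return dd0, dd1, dd2


def poly1305_limbs(key: bytes, msg: bytes) -> bytes:
    """Same MAC, with h and r held as three limbs (44, 44, 42 bits)."""
    r = int.from_bytes(key[:16], "little") & CLAMP
    r0, r1, r2 = split_limbs(r & ((1 << 64) - 1), r >> 64)
    s1, s2 = r1 * 20, r2 * 20                # 2^132 = 4 * 2^130 = 20 (mod p)
    h0 = h1 = h2 = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        hibit = 1 << 40                      # 2^128 sits at bit 40 of limb 2
        if len(block) < 16:                  # leftover bytes: pad with 0x01, zeros
            block = (block + b"\x01").ljust(16, b"\x00")
            hibit = 0
        t0, t1 = struct.unpack("<QQ", block)
        dd0, dd1, dd2 = split_limbs(t0, t1)
        h0 += dd0
        h1 += dd1
        h2 += dd2 | hibit
        # h * r with the 2^130 = 5 wrap folded into the cross terms
        d0 = h0 * r0 + h1 * s2 + h2 * s1
        d1 = h0 * r1 + h1 * r0 + h2 * s2
        d2 = h0 * r2 + h1 * r1 + h2 * r0
        c = d0 >> 44
        h0 = d0 & MASK44
        d1 += c
        c = d1 >> 44
        h1 = d1 & MASK44
        d2 += c
        c = d2 >> 42
        h2 = d2 & MASK42
        h0 += c * 5                          # *5, not *4: the bug the comment mentions
        c = h0 >> 44
        h0 &= MASK44
        h1 += c
    h = (h0 | (h1 << 44) | (h2 << 88)) % P   # final reduction done with big ints
    s = int.from_bytes(key[16:32], "little")
    return ((h + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def cross_check(trials: int = 200, seed: int = 1157) -> bool:
    """What a test_poly1305.py can do: random-length random data at both
    implementations, comparing the tags.  Seeded so failures reproduce."""
    rng = random.Random(seed)
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(32))
        msg = bytes(rng.getrandbits(8) for _ in range(rng.randrange(0, 100)))
        if poly1305_ref(key, msg) != poly1305_limbs(key, msg):
            return False
    return True


if __name__ == "__main__":
    assert poly1305_limbs(RFC8439_KEY, RFC8439_MSG) == RFC8439_TAG
    print("known-answer ok, random cross-check:", cross_check())
```

Message lengths in the cross-check run from 0 to 99 bytes, so empty input, exact multiples of 16 and leftover-byte tails all get compared against the oracle; a deliberate `c * 4` in place of `c * 5` makes the random loop fail within a handful of trials, which is the point of keeping such a test in the tree.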