| Age | Commit message (Collapse) | Author |
|---|
|
Change-Id: Ia209f0a6d9b19d14e655c65d1287a1416b48c487
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/707535
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Sean Liao <sean@liao.dev>
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Sean Liao <sean@liao.dev>
|
|
The performance improvements on Loongson-3A5000 and Loongson-3A6000 are as follows:
goos: linux
goarch: loong64
pkg: golang.org/x/crypto/internal/poly1305
cpu: Loongson-3A5000 @ 2500.00MHz
| bench.old | bench.new |
| sec/op | sec/op vs base |
64 122.8n ± 0% 100.0n ± 0% -18.57% (p=0.000 n=10)
1K 1152.0n ± 0% 732.2n ± 0% -36.44% (p=0.000 n=10)
2M 2.356m ± 0% 1.443m ± 0% -38.74% (p=0.000 n=10)
64Unaligned 122.7n ± 0% 101.5n ± 0% -17.24% (p=0.000 n=10)
1KUnaligned 1152.0n ± 0% 745.4n ± 0% -35.30% (p=0.000 n=10)
2MUnaligned 2.336m ± 0% 1.473m ± 0% -36.94% (p=0.000 n=10)
Write64 77.92n ± 0% 54.88n ± 0% -29.57% (p=0.000 n=10)
Write1K 1106.0n ± 0% 683.3n ± 0% -38.22% (p=0.000 n=10)
Write2M 2.356m ± 0% 1.444m ± 0% -38.72% (p=0.000 n=10)
Write64Unaligned 77.87n ± 0% 55.69n ± 0% -28.49% (p=0.000 n=10)
Write1KUnaligned 1106.0n ± 0% 708.1n ± 0% -35.97% (p=0.000 n=10)
Write2MUnaligned 2.335m ± 0% 1.471m ± 0% -37.01% (p=0.000 n=10)
geomean 6.373µ 4.272µ -32.96%
| bench.old | bench.new |
| B/s | B/s vs base |
64 497.1Mi ± 0% 610.3Mi ± 0% +22.78% (p=0.000 n=10)
1K 847.6Mi ± 0% 1333.7Mi ± 0% +57.35% (p=0.000 n=10)
2M 849.0Mi ± 0% 1385.9Mi ± 0% +63.24% (p=0.000 n=10)
64Unaligned 497.4Mi ± 0% 600.9Mi ± 0% +20.81% (p=0.000 n=10)
1KUnaligned 847.6Mi ± 0% 1310.1Mi ± 0% +54.57% (p=0.000 n=10)
2MUnaligned 856.3Mi ± 0% 1357.9Mi ± 0% +58.58% (p=0.000 n=10)
Write64 783.3Mi ± 0% 1112.2Mi ± 0% +41.99% (p=0.000 n=10)
Write1K 882.8Mi ± 0% 1429.1Mi ± 0% +61.88% (p=0.000 n=10)
Write2M 849.0Mi ± 0% 1385.4Mi ± 0% +63.18% (p=0.000 n=10)
Write64Unaligned 783.8Mi ± 0% 1096.1Mi ± 0% +39.85% (p=0.000 n=10)
Write1KUnaligned 882.8Mi ± 0% 1379.0Mi ± 0% +56.20% (p=0.000 n=10)
Write2MUnaligned 856.5Mi ± 0% 1359.9Mi ± 0% +58.76% (p=0.000 n=10)
geomean 772.2Mi 1.125Gi +49.18%
goos: linux
goarch: loong64
pkg: golang.org/x/crypto/internal/poly1305
cpu: Loongson-3A6000-HV @ 2500.00MHz
| bench.old | bench.new |
| sec/op | sec/op vs base |
64 92.06n ± 0% 71.55n ± 0% -22.28% (p=0.000 n=10)
1K 998.4n ± 0% 607.7n ± 0% -39.13% (p=0.000 n=10)
2M 1.976m ± 0% 1.165m ± 0% -41.07% (p=0.000 n=10)
64Unaligned 92.05n ± 0% 71.55n ± 0% -22.27% (p=0.000 n=10)
1KUnaligned 998.3n ± 0% 607.6n ± 0% -39.13% (p=0.000 n=10)
2MUnaligned 1.975m ± 0% 1.222m ± 0% -38.11% (p=0.000 n=10)
Write64 65.24n ± 0% 45.23n ± 0% -30.67% (p=0.000 n=10)
Write1K 970.8n ± 0% 577.6n ± 0% -40.51% (p=0.000 n=10)
Write2M 1.965m ± 0% 1.163m ± 0% -40.81% (p=0.000 n=10)
Write64Unaligned 65.24n ± 0% 45.24n ± 0% -30.66% (p=0.000 n=10)
Write1KUnaligned 970.8n ± 0% 577.6n ± 0% -40.50% (p=0.000 n=10)
Write2MUnaligned 1.965m ± 0% 1.222m ± 0% -37.81% (p=0.000 n=10)
geomean 5.317µ 3.426µ -35.58%
| bench.old | bench.new |
| B/s | B/s vs base |
64 663.0Mi ± 0% 853.1Mi ± 0% +28.67% (p=0.000 n=10)
1K 978.1Mi ± 0% 1606.9Mi ± 0% +64.28% (p=0.000 n=10)
2M 1012.0Mi ± 0% 1717.4Mi ± 0% +69.70% (p=0.000 n=10)
64Unaligned 663.1Mi ± 0% 853.1Mi ± 0% +28.65% (p=0.000 n=10)
1KUnaligned 978.2Mi ± 0% 1607.1Mi ± 0% +64.29% (p=0.000 n=10)
2MUnaligned 1012.6Mi ± 0% 1636.2Mi ± 0% +61.58% (p=0.000 n=10)
Write64 935.5Mi ± 0% 1349.3Mi ± 0% +44.23% (p=0.000 n=10)
Write1K 1005.9Mi ± 0% 1690.9Mi ± 0% +68.09% (p=0.000 n=10)
Write2M 1017.7Mi ± 0% 1719.5Mi ± 0% +68.95% (p=0.000 n=10)
Write64Unaligned 935.6Mi ± 0% 1349.3Mi ± 0% +44.22% (p=0.000 n=10)
Write1KUnaligned 1006.0Mi ± 0% 1690.9Mi ± 0% +68.08% (p=0.000 n=10)
Write2MUnaligned 1017.7Mi ± 0% 1636.4Mi ± 0% +60.80% (p=0.000 n=10)
geomean 925.6Mi 1.403Gi +55.22%
Change-Id: If05a8bfc868b3e6f903ff169eed7a894af741f9b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/638455
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: abner chenc <chenguoqi@loongson.cn>
|
|
Change-Id: Ieb2f0d45f82647978f0bd1eb47bb347f0bfb7d13
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/649499
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
|
The cipher needs to load the stream in LE order. Use the byte
reversing loads on BE.
Also, remove the unused variable poly1305Mask in the PPC64
asm file too.
Change-Id: Ie90fe7bb0ea7a3bcb76583e0cf9c1e4133499541
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/614298
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Archana Ravindar <aravinda@redhat.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
|
|
This implementation utilizes the same registers found in the reference
implementation, aiming to produce a minimal semantic diff between the
Avo-generated output and the original hand-written assembly.
To verify the Avo implementation, the reference and Avo-generated
assembly files are fed to `go tool asm`, capturing the debug output into
corresponding temp files. The debug output contains supplementary
metadata (line numbers, instruction offsets, and source file references)
that must be removed in order to obtain a semantic diff of the two
files. This is accomplished via a small utility script written in awk.
Commands used to verify Avo output:
GOROOT=$(go env GOROOT)
ASM_PATH="internal/poly1305/sum_amd64.s"
REFERENCE="b2d3a6a4b4d36521cd7f653879cf6981e7c5c340"
go tool asm -o /dev/null -I "$GOROOT"/src/runtime -debug \
<(git cat-file -p "$REFERENCE:$ASM_PATH") \
> /tmp/reference.s
go tool asm -o /dev/null -I "$GOROOT"/src/runtime -debug \
"$ASM_PATH" \
> /tmp/avo.s
normalize(){
awk '{
$1=$2=$3="";
print substr($0,4)
}'
}
diff <(normalize < /tmp/reference.s) <(normalize < /tmp/avo.s)
Change-Id: I80212c95d1b05335d7f6b73a3030b6f812f6105b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/600035
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
|
Also, remove the legacy import annotations.
Fixes golang/go#68147
Change-Id: Ibfcc9322f27224c0ba92ea42cd56912a7d8783fd
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/594256
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Change-Id: I3078492dc020770aca630e0b362df0212bd41e32
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/569156
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
|
This contains a few minor improvements to sum_ppc64le.s
which result in up to 10% performance improvement for
some of the benchmarks in this directory.
- ADDZE followed by ADD can be combined into ADDE
- PCALIGN added to the loop
- Eliminate a few unnecessary register moves
goos: linux
goarch: ppc64le
pkg: golang.org/x/crypto/internal/poly1305
cpu: POWER10
│ poly.orig.out │ poly.out │
│ sec/op │ sec/op vs base │
64 40.34n ± 0% 38.13n ± 0% -5.47% (p=0.002 n=6)
1K 482.2n ± 0% 444.6n ± 0% -7.81% (p=0.002 n=6)
2M 978.4µ ± 0% 879.3µ ± 0% -10.12% (p=0.002 n=6)
64Unaligned 40.35n ± 0% 38.16n ± 0% -5.42% (p=0.002 n=6)
1KUnaligned 482.0n ± 0% 444.2n ± 0% -7.84% (p=0.002 n=6)
2MUnaligned 978.4µ ± 0% 879.4µ ± 0% -10.12% (p=0.002 n=6)
Write64 32.69n ± 0% 30.71n ± 0% -6.04% (p=0.002 n=6)
Write1K 472.4n ± 0% 436.5n ± 0% -7.60% (p=0.002 n=6)
Write2M 978.3µ ± 0% 879.4µ ± 0% -10.11% (p=0.002 n=6)
Write64Unaligned 32.67n ± 0% 30.71n ± 0% -6.00% (p=0.002 n=6)
Write1KUnaligned 472.6n ± 0% 436.4n ± 0% -7.66% (p=0.002 n=6)
Write2MUnaligned 978.5µ ± 0% 879.6µ ± 0% -10.10% (p=0.002 n=6)
geomean 2.569µ 2.367µ -7.87%
Change-Id: I63314e7252ef10fb2d157f623c4bc2e31a63ae32
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/558775
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Paul Murphy <murp@ibm.com>
Run-TryBot: Lynn Boger <laboger@linux.vnet.ibm.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
|
|
Other packages already dropped compatibility with go1.12, so it should be safe to remove it for this package as well.
Change-Id: Ieecc7cd06a0a4e69e8c1c09ef6fefe95d78ceb75
GitHub-Last-Rev: 1971e0309bdd31facbc60d70cd36a91f6a22f4b2
GitHub-Pull-Request: golang/crypto#239
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/448239
Reviewed-by: Joedian Reid <joedian@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
|
|
Done with:
go get go@1.18
go mod tidy
go fix ./...
Using go1.21.3.
Also update avo to v0.5.0 in the curve25519/internal/field/_asm module.
It's newer and produces no diff in the generated code.
For golang/go#60268.
Change-Id: I9bd771ee8561595d7f68aaca76df6e3e33d35013
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/534141
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
|
This is a follow-up to CL 317169, which dropped go1.12 compatibility,
and made the golang.org/x/crypto/ed25519 package an alias / wrapper for
crypto/ed25519 in stdlib.
This patch updates uses within this repository to use stdlib instead of
depending on the wrapper. With this patch applied, the only remaining
use of the wrapper is in ed25519_test, which appears to be in place to
verify compatibility of the wrapper itself.
Change-Id: I0195396102a75ae20bdd82ca8ab59855c0eb5cea
GitHub-Last-Rev: 24dbec563cbd84bc47bdc7736b0245fc83dd3353
GitHub-Pull-Request: golang/crypto#238
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/448238
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
|
|
The testdata for this package is around 8 MB and downloaded dynamically
via 'go mod download' from its canonical source rather than being copied
to this repository. We're moving towards disallowing all network use in
short test mode, including proxy.golang.org, so add a corresponding test
skip.
Needing to lookup a go test flag is unfortunate, but I don't know of a
less bad available option while the test does the download in TestMain.
On balance, it becomes viable to no longer disable the checksum database
since the test will only run on builders that permit internet use and so
sum.golang.org should just work.
Change-Id: Iaffe3899351da375928aaba114c4875f5438336b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/510695
Run-TryBot: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
This uses a copy of testenv.Command copied from the main repo, with
light edits to allow the testenv helpers to build with Go 1.19.
The testenv helper revealed an exec.Command leak in TestCertLogin, so
we also fix that leak and simplify server cleanup using
testing.T.Cleanup.
For golang/go#60099.
Fixes golang/go#60343.
Change-Id: I7f79fcdb559498b987ee7689972ac53b83870aaf
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/496935
Auto-Submit: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Bryan Mills <bcmills@google.com>
|
|
Check both Verify and VerifyASN1 in the ECDSA tests.
Change-Id: Id767354484a7da18ae4e00cd6f2a01a2909e6732
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/453755
Reviewed-by: Than McIntosh <thanm@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
For golang/go#56052
Change-Id: If34d01132e221ff525319e43d127ef14579f9054
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/451095
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Joedian Reid <joedian@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Joedian Reid <joedian@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
For golang/go#45557
Change-Id: I447530cc66896aef7a8d528ccb8d095b80e3cf47
GitHub-Last-Rev: 5f385ff46487ac318bd1147cdbbd26bb0ffd0426
GitHub-Pull-Request: golang/crypto#230
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/430797
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Meng Zhuo <mzh@golangcn.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
|
|
Alongside the existing ECDH tests, add tests that use the new
crypto/ecdh package. The test vectors include a number of private
that use non-standard sizes, which we reject, but aren't flagged,
so we need to skip them.
Change-Id: Iaaef225b0149a86833095f51748d230385d43bfe
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/424274
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
|
|
This avoids an import conflict in code that needs to import
crypto/subtle as well.
CL 424194 does the same for the main repo.
Change-Id: Ic54cb62bbfdcf5c2cb6f15ac47075ee1c41981ad
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/424175
Reviewed-by: Cherry Mui <cherryyz@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
|
|
On the boringcrypto builder, skip the RSAPSS tests that use the
truncated SHA-512 hashes, since boringcrypto does not support them.
Fixes #52670
Change-Id: I8caecd0f34eb6d2740372db2b641563e3965ac7c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/404654
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
|
|
Fixes golang/go#38936
Change-Id: I231d30fcc683abd9efb36b6fd9cc05f599078ade
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/396174
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Gofmt to update doc comments to the new formatting.
For golang/go#51082.
Change-Id: I076031b6613691eefbb0f21739366e3fd2011ec9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/399356
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
|
|
This test downloads JSON test files from GitHub. If the network
connection flakes, the test may hang indefinitely, and builders with
flaky network connections might want to avoid unnecessary downloading
anyway.
Fixes golang/go#50076
Change-Id: I0655a34fce8a003794290c0c82ae75492eda4429
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/370659
Trust: Bryan Mills <bcmills@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
Change-Id: Ie08e43ae603cf2c691d51be0bfb5d164c8fd45ff
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/337189
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Trust: Cherry Mui <cherryyz@google.com>
|
|
Fixes golang/go#36646
Change-Id: Ic19dd2171c84472fc9d3f44803224b87fc5c0417
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/345649
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
|
|
Make all our package sources use Go 1.17 gofmt format
(adding //go:build lines).
Not strictly necessary but will avoid spurious changes
as files are edited.
Part of //go:build change (#41184).
See https://golang.org/design/draft-gobuild
Change-Id: I70526bf588bf4078887e567795867ece785d666b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/294415
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
|
appengine is obsolete and superseded by purego, and gc is a more
precise tag for files that use gc-syntax assembly.
Change-Id: I716f59de772ebeee4adf4d2a432edf300122cef0
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/269920
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
Uses only the test vectors that use the same MGF and label hashes.
Change-Id: I971f78556e7b8fdbc785978dca7a613728676697
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/234917
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
|
|
Add a generic AEAD test that exercises the vectors for AES GCM,
ChaCha20Poly-1305, and XChaCha20-Poly1305. Removes the existing
chacha20_poly1305_test.go test.
Change-Id: Icfaba30f8db2a1e32a9459c98cd3af5d63052027
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/234688
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
|
|
Required updating wycheproofModVer to pull the most recent test
vectors. Tests against SHA1, SHA224, SHA256, SHA384, and SHA512
constructions but not the SHA3 variants.
Change-Id: I5b66632ac0c7106bd9b405f6636922a6383d8b9e
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/234718
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
|
|
Change-Id: Ibd6ce156550615cb85c06e734641c34fca0cfcd0
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/220697
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
Change-Id: I71d62f95954a39c476bee55e22b6fcf96a196de1
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/214939
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
Change-Id: Ie60bdc10065018e193271b4f90f50298f1272396
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/218323
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
Change-Id: I501bcc2f4bd8107937756087d20e849e3a4bc182
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/214584
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
overflow could occur, causing a panic, due to malformed ASN.1 being
passed to any of the ASN1 methods of String.
Tested on linux/386 and darwin/amd64.
This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
test vectors.
Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/216677
Run-TryBot: Katie Hockman <katie@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
Fixes golang/go#36164
Change-Id: I4248cb3e25346f6859c473b729811b36ac6cf872
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/212625
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
https://github.com/google/wycheproof provides test vectors exposing
vulnerabilities in crypto packages. This change creates a new package
called internal/wycheproof that runs these Wycheproof tests against
a number of pacakages in the standard library (and in the future,
x/crypto).
Directory structure:
- interal/wycheproof/internal/ecdsa: internal version of ecdsa package which
includes a new function that verifies ASN encoded signatures directly
- interal/wycheproof/internal/dsa: internal version of dsa package which
includes a new function that verifies ASN encoded signatures directly
- internal/wycheproof: all tests
internal/wycheproof/wycheproof_test.go provides utility functions that are
common to many tests in the package, and contains the TestMain which
fetches github.com/google/wycheproof from the source.
This change includes tests for signature verification with dsa, ecdsa,
eddsa, and rsa (both PKCS#1 v1.5 and PSS signatures).
Note that these tests download testdata from github.com/google/wycheproof
by running `go mod download` in the TestMain. This means that internet
access will be necessary in order to run these tests if the testdata is
not already in your module cache.
More tests will be added incrementally.
Change-Id: I0378d4be24b5679fdc186e9fc94c1cc0068e81f7
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/209221
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
const KeySize = 32
const NonceSize = 12
func HChaCha20(key, nonce []byte) ([]byte, error)
type Cipher struct {}
func NewUnauthenticatedCipher(key, nonce []byte) (*Cipher, error)
func (s *Cipher) XORKeyStream(dst, src []byte)
Small performance hit in chacha20poly1305, probably due to the loss
of the Advance API, which we might consider adding later. No new
allocations, thanks to the mid-stack inliner.
name old time/op new time/op delta
Chacha20Poly1305/Open-64-8 1.60µs ± 0% 1.68µs ± 1% +4.94% (p=0.000 n=9+10)
Chacha20Poly1305/Seal-64-8 1.56µs ± 0% 1.64µs ± 1% +5.21% (p=0.000 n=8+10)
Chacha20Poly1305/Open-64-X-8 2.10µs ± 1% 2.22µs ± 1% +5.81% (p=0.000 n=10+10)
Chacha20Poly1305/Seal-64-X-8 2.07µs ± 1% 2.17µs ± 0% +4.88% (p=0.000 n=10+10)
Chacha20Poly1305/Open-1350-8 15.4µs ± 0% 15.7µs ± 1% +1.65% (p=0.000 n=10+10)
Chacha20Poly1305/Seal-1350-8 15.6µs ± 2% 15.9µs ± 1% +1.58% (p=0.028 n=10+9)
Chacha20Poly1305/Open-1350-X-8 16.0µs ± 1% 16.3µs ± 2% +2.00% (p=0.000 n=10+10)
Chacha20Poly1305/Seal-1350-X-8 15.9µs ± 0% 16.3µs ± 1% +1.91% (p=0.000 n=10+8)
Chacha20Poly1305/Open-8192-8 85.6µs ± 0% 86.6µs ± 1% +1.21% (p=0.000 n=10+10)
Chacha20Poly1305/Seal-8192-8 85.7µs ± 0% 86.3µs ± 0% +0.68% (p=0.001 n=9+9)
Chacha20Poly1305/Open-8192-X-8 86.4µs ± 1% 87.1µs ± 1% +0.76% (p=0.035 n=10+9)
Chacha20Poly1305/Seal-8192-X-8 86.0µs ± 0% 87.0µs ± 1% +1.14% (p=0.000 n=9+9)
Updates golang/go#24485
Change-Id: I2ec2ef487a03f013049915d9063751c75a78408b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185980
Reviewed-by: Michael Munday <mike.munday@ibm.com>
|
|
name old speed new speed delta
ChaCha20/64-4 428MB/s ± 1% 432MB/s ± 1% ~ (p=0.089 n=10+10)
ChaCha20/256-4 497MB/s ± 1% 507MB/s ± 2% +1.94% (p=0.000 n=9+10)
ChaCha20/10x25-4 273MB/s ± 1% 285MB/s ± 3% +4.37% (p=0.000 n=10+10)
ChaCha20/4096-4 495MB/s ± 1% 508MB/s ± 1% +2.51% (p=0.000 n=8+10)
ChaCha20/100x40-4 407MB/s ± 1% 439MB/s ± 1% +7.92% (p=0.000 n=9+9)
ChaCha20/65536-4 521MB/s ± 2% 537MB/s ± 1% +3.00% (p=0.000 n=10+10)
ChaCha20/1000x65-4 498MB/s ± 2% 521MB/s ± 2% +4.70% (p=0.000 n=10+10)
Curiously, even if we omit the critical s.precompDone = true step, we
see a significant performance improvement across the board, maybe due to
reduced register pressure. (See below. Actually using the precomputed
values only impacts the 10x25, 100x40 and 1000x65 benchmarks, as
expected.)
name old speed new speed delta
ChaCha20/64-4 428MB/s ± 1% 428MB/s ± 1% ~ (p=0.912 n=10+10)
ChaCha20/256-4 497MB/s ± 1% 510MB/s ± 1% +2.64% (p=0.000 n=9+10)
ChaCha20/10x25-4 273MB/s ± 1% 277MB/s ± 2% +1.36% (p=0.003 n=10+10)
ChaCha20/4096-4 495MB/s ± 1% 507MB/s ± 2% +2.28% (p=0.000 n=8+10)
ChaCha20/100x40-4 407MB/s ± 1% 418MB/s ± 1% +2.69% (p=0.000 n=9+10)
ChaCha20/65536-4 521MB/s ± 2% 536MB/s ± 1% +2.76% (p=0.000 n=10+8)
ChaCha20/1000x65-4 498MB/s ± 2% 519MB/s ± 1% +4.15% (p=0.000 n=10+9)
Updates golang/go#24485
Change-Id: I117fab938787819aae1cc4371354888701e4e54b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185440
Reviewed-by: Michael Munday <mike.munday@ibm.com>
|
|
Separated the complex buffering logic from key stream generation more
clearly, added plenty of comments and generally refactored the Go
implementation for readability. Made the interface with the
generic/assembly cores smaller and more consistent, according to
golang.org/wiki/TargetSpecific.
We will recover the lost performance on unaligned calls by caching 3/4
of the first round across XORKeyStream invocations, which we now have
complexity budget for.
name old speed new speed delta
ChaCha20/64-4 435MB/s ± 2% 429MB/s ± 2% -1.47% (p=0.013 n=10+9)
ChaCha20/256-4 496MB/s ± 1% 493MB/s ± 2% ~ (p=0.280 n=10+10)
ChaCha20/10x25-4 283MB/s ± 1% 274MB/s ± 2% -3.13% (p=0.000 n=10+10)
ChaCha20/4096-4 494MB/s ± 1% 493MB/s ± 5% ~ (p=0.631 n=10+10)
ChaCha20/100x40-4 421MB/s ± 3% 408MB/s ± 1% -3.14% (p=0.003 n=9+9)
ChaCha20/65536-4 515MB/s ± 1% 519MB/s ± 3% ~ (p=0.161 n=7+10)
ChaCha20/1000x65-4 501MB/s ± 2% 501MB/s ± 3% ~ (p=0.497 n=9+10)
Also applied a fix for a lingering bug in the ppc64le assembly written
by Lynn Boger <laboger@linux.vnet.ibm.com>.
Updates golang/go#24485
Change-Id: I10cf24a7f10359b1b4ae63c9bb1946735b98ac9b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185439
Reviewed-by: Michael Munday <mike.munday@ibm.com>
|
|
This corrects a compile error due to a mismatch between function
description and the assembler code that first appeared when running
TryBots on the change to vendor this code. This fixes that problem
and adds and minor change based on a comment in CL 195959.
Change-Id: I42cbd3f75e281913f12f74850deaedf14eb21989
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/205659
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
This improves the performance of the asm implementation for
chacha20 on ppc64le by updating to the vsx implementation
provided in cryptogams. The previous implementation was found to
not perform as well as possible on power9. This implementation
improves performance on both power8 and power9.
Power9 improvement with this change as compared to current:
name old time/op new time/op delta
ChaCha20/32-64 361ns ± 0% 225ns ± 0% -37.67% (p=1.000 n=1+1)
ChaCha20/63-64 364ns ± 0% 229ns ± 0% -37.09% (p=1.000 n=1+1)
ChaCha20/64-64 364ns ± 0% 231ns ± 0% -36.54% (p=1.000 n=1+1)
ChaCha20/256-64 332ns ± 0% 199ns ± 0% -40.06% (p=1.000 n=1+1)
ChaCha20/1024-64 1.24µs ± 0% 0.70µs ± 0% -43.23% (p=1.000 n=1+1)
ChaCha20/1350-64 1.89µs ± 0% 1.03µs ± 0% -45.35% (p=1.000 n=1+1)
ChaCha20/65536-64 77.0µs ± 0% 42.5µs ± 0% -44.83% (p=1.000 n=1+1)
This is discussed in issue golang/go#25051.
A few asm instructions vmrgew and vmrgow were just added in Go 1.14
so have been encoded using WORD at this point.
Change-Id: I2b192a63cf46b0b20195e60e4412c43c5dd14ad8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/195959
Run-TryBot: Lynn Boger <laboger@linux.vnet.ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Carlos Eduardo Seo <cseo@linux.vnet.ibm.com>
|
|
Wrong variable naming was causing 'go vet' to fail. This change fixes that.
Change-Id: I71e1842ece098198773fb326a725b57fad02f82f
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/181720
Run-TryBot: Lynn Boger <laboger@linux.vnet.ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Lynn Boger <laboger@linux.vnet.ibm.com>
|
|
Add asm implementation for chacha20 using vector instructions on ppc64le.
Below, the difference using the new code:
name old speed new speed delta
ChaCha20/32-16 167MB/s ± 0% 129MB/s ± 0% -22.60% (p=0.008 n=5+5)
ChaCha20/63-16 308MB/s ± 0% 249MB/s ± 0% -19.00% (p=0.008 n=5+5)
ChaCha20/64-16 357MB/s ± 0% 251MB/s ± 0% -29.57% (p=0.008 n=5+5)
ChaCha20/256-16 398MB/s ± 0% 1199MB/s ± 0% +201.20% (p=0.008 n=5+5)
ChaCha20/1024-16 413MB/s ± 0% 1398MB/s ± 0% +238.67% (p=0.008 n=5+5)
ChaCha20/1350-16 395MB/s ± 0% 1189MB/s ± 0% +200.71% (p=0.008 n=5+5)
ChaCha20/65536-16 420MB/s ± 0% 1489MB/s ± 0% +254.10% (p=0.008 n=5+5)
Small sizes are slower due the fact that it always calculates using
256 bytes of key stream.
This change was originally from Paulo Flabiano Smorigo <pfsmorigo@linux.vnet.ibm.com>
and started as CL 108999 (https://go-review.googlesource.com/c/crypto/+/108999).
Fixes golang/go#25051
Change-Id: Ie510494249b227379e23d993467256b3d4088035
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/172177
Run-TryBot: Carlos Eduardo Seo <cseo@linux.vnet.ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Lynn Boger <laboger@linux.vnet.ibm.com>
|
|
Use the recently added CPU feature detection API rather than custom
assembly. This will need to be updated to use 'internal/cpu' when
the package is revendored into std.
Change-Id: Icf0f28236ca0c351c88035f36e5b9c29d4bc2ba7
Reviewed-on: https://go-review.googlesource.com/c/164383
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
Inspired by Vectorization of ChaCha Stream Cipher
https://eprint.iacr.org/2013/759.pdf
name old time/op new time/op delta
ChaCha20/32 690ns ± 0% 872ns ± 0% +26.38% (p=0.000 n=10+10)
ChaCha20/63 750ns ± 0% 987ns ± 0% +31.53% (p=0.000 n=10+10)
ChaCha20/64 674ns ± 0% 879ns ± 0% +30.42% (p=0.000 n=8+10)
ChaCha20/256 2.28µs ± 0% 0.82µs ± 0% -64.13% (p=0.000 n=10+10)
ChaCha20/1024 8.64µs ± 0% 2.92µs ± 0% -66.15% (p=0.000 n=9+9)
ChaCha20/1350 11.9µs ± 0% 4.5µs ± 0% -62.51% (p=0.000 n=10+8)
ChaCha20/65536 554µs ± 0% 181µs ± 0% -67.33% (p=0.000 n=10+10)
name old speed new speed delta
ChaCha20/32 46.3MB/s ± 0% 36.7MB/s ± 0% -20.87% (p=0.000 n=10+9)
ChaCha20/63 83.9MB/s ± 0% 63.8MB/s ± 0% -23.97% (p=0.000 n=10+10)
ChaCha20/64 94.9MB/s ± 0% 72.8MB/s ± 0% -23.31% (p=0.000 n=10+10)
ChaCha20/256 112MB/s ± 0% 312MB/s ± 0% +178.74% (p=0.000 n=10+10)
ChaCha20/1024 119MB/s ± 0% 350MB/s ± 0% +195.31% (p=0.000 n=10+9)
ChaCha20/1350 114MB/s ± 0% 303MB/s ± 0% +166.73% (p=0.000 n=8+8)
ChaCha20/65536 118MB/s ± 0% 362MB/s ± 0% +206.12% (p=0.000 n=10+10)
Updates golang/go#22809
Change-Id: I487487faa2ae4ff29de6fd8eb1317740c2939c10
Reviewed-on: https://go-review.googlesource.com/c/107628
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
The XChaCha20 construction does not have an authoritative spec, but this
implementation is based on the following documents:
https://cr.yp.to/snuffle/xsalsa-20081128.pdf
https://download.libsodium.org/doc/secret-key_cryptography/aead.html
http://loup-vaillant.fr/tutorials/chacha20-design
https://tools.ietf.org/html/draft-paragon-paseto-rfc-00#section-7
Tested against the following implementations:
https://github.com/jedisct1/libsodium/blob/7cdf3f0e841/test/default/aead_xchacha20poly1305.c
https://git.kernel.org/pub/scm/linux/kernel/git/zx2c4/linux.git/diff/lib/zinc/selftest/chacha20poly1305.h?h=zinc
https://git.zx2c4.com/wireguard-go/tree/xchacha20poly1305/xchacha20.go
name time/op speed
Chacha20Poly1305/Open-64-8 225ns ± 1% 283MB/s ± 1%
Chacha20Poly1305/Open-64-X-8 390ns ± 0% 164MB/s ± 0%
Chacha20Poly1305/Seal-64-8 222ns ± 0% 287MB/s ± 0%
Chacha20Poly1305/Seal-64-X-8 386ns ± 0% 165MB/s ± 1%
Chacha20Poly1305/Open-1350-8 1.12µs ± 1% 1.21GB/s ± 1%
Chacha20Poly1305/Open-1350-X-8 1.28µs ± 0% 1.05GB/s ± 0%
Chacha20Poly1305/Seal-1350-8 1.15µs ± 0% 1.17GB/s ± 0%
Chacha20Poly1305/Seal-1350-X-8 1.32µs ± 1% 1.02GB/s ± 0%
Chacha20Poly1305/Open-8192-8 5.53µs ± 0% 1.48GB/s ± 0%
Chacha20Poly1305/Open-8192-X-8 5.71µs ± 1% 1.44GB/s ± 1%
Chacha20Poly1305/Seal-8192-8 5.54µs ± 1% 1.48GB/s ± 1%
Chacha20Poly1305/Seal-8192-X-8 5.74µs ± 1% 1.43GB/s ± 1%
Updates golang/go#24485
Change-Id: Iea6f3b4c2be67f16f56720a200dcc895c0f9d520
Reviewed-on: https://go-review.googlesource.com/127819
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
|
|
The new package subtle added in golang.org/cl/112236 breaks
compatibility with App Engine due to the import of unsafe.
This changes adds an App Engine alternative without using unsafe.
Tested with:
$ go test -test.tags=appengine -v
=== RUN TestAliasing
--- PASS: TestAliasing (0.00s)
PASS
ok golang.org/x/crypto/internal/subtle 0.009s
Change-Id: I2fc6b02a860b3ee11fa31652ba302fc7db9df153
Reviewed-on: https://go-review.googlesource.com/119095
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
packages
AnyOverlap and InexactOverlap implement checks for the aliasing
requirements defined by the crypto/cipher interfaces. Apply them to all
implementations as the actual requirement could be architecture-dependent
and user code should not rely on undefined behavior.
Updates golang/go#21624
Change-Id: I465de02fb3fec4e0c6f1fdee1ef6ae7ed5abff10
Reviewed-on: https://go-review.googlesource.com/112236
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
|
|
Based on the SIMD algorithm described in:
ChaCha, a variant of Salsa20 by Daniel J. Bernstein
https://cr.yp.to/chacha/chacha-20080128.pdf
Requires the vector facility (vx).
name old speed new speed delta
ChaCha20/32 178MB/s ± 0% 174MB/s ± 0% -2.10% (p=0.000 n=9+10)
ChaCha20/63 341MB/s ± 0% 337MB/s ± 0% -1.16% (p=0.000 n=10+10)
ChaCha20/64 367MB/s ± 0% 335MB/s ± 0% -8.73% (p=0.000 n=10+10)
ChaCha20/256 404MB/s ± 0% 1448MB/s ± 0% +258.61% (p=0.000 n=9+10)
ChaCha20/1024 410MB/s ± 0% 1568MB/s ± 0% +282.73% (p=0.000 n=9+10)
ChaCha20/1350 393MB/s ± 0% 1389MB/s ± 0% +253.58% (p=0.000 n=10+10)
ChaCha20/65536 414MB/s ± 0% 1634MB/s ± 0% +294.79% (p=0.000 n=10+10)
Change-Id: I9a600fb5ae8ee3f3b81ae6b01cff139c1272d684
Reviewed-on: https://go-review.googlesource.com/35842
Run-TryBot: Michael Munday <mike.munday@ibm.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
|
|
SIMD implementations of ChaCha20 (such as CL 35842) interleave block
computations in order to achieve high performance. This means that
they produce more than 64 bytes of output at a time. Unfortunately
when encrypting small amounts of data (such as Poly1305 keys) the
current interface to ChaCha20 forces the additional encrypted blocks
of output to be discarded and recomputed later since it does not
maintain any state. This additional overhead slows down the encryption
of small amounts of data when using such optimized code.
This CL makes the generic ChaCha20 implementation stateful, caching
key, nonce and counter values and buffering any unused key stream bytes.
ChaCha20 now also implements the high level cipher.Stream interface
which makes the API more consistent with other stream ciphers in the
standard library's crypto package. This will make it easier to add high
performance SIMD implementations in the future.
In addition to modifying the API I have also added some optimizations
to improve the performance of the generic implementation. Note that
the performance will improve further on amd64 with Go 1.11 due to
CL 95475 (binary.LittleEndian.PutUint32 optimization). These benchmarks
are based on Go 1.10.1.
name old speed new speed delta
ChaCha20/32 174MB/s ± 2% 174MB/s ± 1% ~ (p=0.796 n=10+10)
ChaCha20/63 309MB/s ± 1% 337MB/s ± 2% +9.32% (p=0.000 n=10+9)
ChaCha20/64 299MB/s ± 2% 350MB/s ± 1% +17.12% (p=0.000 n=9+8)
ChaCha20/256 297MB/s ± 2% 390MB/s ± 1% +31.40% (p=0.000 n=10+10)
ChaCha20/1024 300MB/s ± 0% 400MB/s ± 3% +33.38% (p=0.000 n=7+10)
ChaCha20/1350 290MB/s ± 1% 386MB/s ± 2% +33.10% (p=0.000 n=9+10)
ChaCha20/65536 301MB/s ± 1% 416MB/s ± 2% +38.25% (p=0.000 n=9+10)
ChaCha20-Poly1305 (AEAD optimizations manually disabled):
name old speed new speed delta
Chacha20Poly1305Open_64 122MB/s ± 7% 131MB/s ± 2% +7.23% (p=0.000 n=18+18)
Chacha20Poly1305Seal_64 125MB/s ± 4% 137MB/s ± 2% +9.88% (p=0.000 n=20+19)
Chacha20Poly1305Open_1350 244MB/s ± 4% 305MB/s ± 3% +25.04% (p=0.000 n=20+19)
Chacha20Poly1305Seal_1350 242MB/s ± 3% 309MB/s ± 2% +27.56% (p=0.000 n=20+19)
Chacha20Poly1305Open_8K 260MB/s ± 7% 338MB/s ± 3% +29.96% (p=0.000 n=20+19)
Chacha20Poly1305Seal_8K 262MB/s ± 5% 335MB/s ± 4% +27.80% (p=0.000 n=20+19)
No change in allocations for either set of benchmarks.
Change-Id: I28ca7947904e9d79debe2d5aac6623526fe5e595
Reviewed-on: https://go-review.googlesource.com/104856
Run-TryBot: Michael Munday <mike.munday@ibm.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
|
