authorNiels Möller <nisse@lysator.liu.se>2023-04-12 09:13:16 +0200
committerNiels Möller <nisse@lysator.liu.se>2023-04-12 09:24:36 +0200
commitf3685815cdaeabc8b10a56b79d07734933814f3b (patch)
treefcf5d6d61e93dce263d53ef8eba300719725dee9
parentc15ad2fc4c065f6b9c86e0f945aa78e5cd924c09 (diff)
downloadnettle-f3685815cdaeabc8b10a56b79d07734933814f3b.tar.gz
Rearrange tables, to avoid large offsets.
-rw-r--r--ghash-set-key.c17
-rw-r--r--ghash-update.c8
-rw-r--r--x86_64/ghash-update.asm15
3 files changed, 23 insertions, 17 deletions
diff --git a/ghash-set-key.c b/ghash-set-key.c
index 58ebb633..da1c90f0 100644
--- a/ghash-set-key.c
+++ b/ghash-set-key.c
@@ -62,10 +62,9 @@ _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key)
{
/* Table elements hold the key, premultiplied by all needed powers
of x. Element ordering follows the order bits are processed in
- _ghash_update, first u64[0] bits, starting from the least
- significant end, then the u64[1] bits, also from least
- significant end. In the gcm bit order, bits (left to right)
- correspond to x powers (the numbers) like
+ _ghash_update, alternating u64[0] and u64[1] bits, starting from
+ the least significant end. In the gcm bit order, bits (left to
+ right) correspond to x powers (the numbers) like
|0...7|8...15|...|56...63|64...71|72...79|...|120...127|
@@ -87,7 +86,11 @@ _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key)
#endif
unsigned i;
- block16_set (&ctx->h[INDEX_PERMUTE], key);
- for (i = 1; i < 128; i++)
- block16_mulx_ghash(&ctx->h[i ^ INDEX_PERMUTE], &ctx->h[(i-1) ^ INDEX_PERMUTE]);
+ block16_set (&ctx->h[2*INDEX_PERMUTE], key);
+ for (i = 1; i < 64; i++)
+ block16_mulx_ghash(&ctx->h[2*(i ^ INDEX_PERMUTE)], &ctx->h[2*((i-1) ^ INDEX_PERMUTE)]);
+
+ block16_mulx_ghash(&ctx->h[2*INDEX_PERMUTE + 1], &ctx->h[2*(63^INDEX_PERMUTE)]);
+ for (i = 1; i < 64; i++)
+ block16_mulx_ghash(&ctx->h[2*(i ^ INDEX_PERMUTE)+1], &ctx->h[2*((i-1) ^ INDEX_PERMUTE)+1]);
}
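Review bot: The interleaved index arithmetic is now spelled out three times (the first loop, the bridge line for `h[2*INDEX_PERMUTE + 1]`, and the second loop), and the same layout is consumed by ghash-update.c (`table[2*i]`/`table[2*i+1]`) and by the offsets in x86_64/ghash-update.asm, so a slip in any one of the `2*(... ^ INDEX_PERMUTE)` expressions would silently desynchronise key setup from the multiply. A single index helper makes the chain of 128 multiplications by x explicit and removes the duplicated bodies; the expansion below is equivalent to the new code (power 64 is derived from power 63, exactly as the bridge line does). The opening of `_ghash_set_key` is outside the hunk.
```c
/* Table slot for the key premultiplied by x^i: even slots hold the
   u64[0] bits (i < 64), odd slots the u64[1] bits (i >= 64), with
   INDEX_PERMUTE applied to the bit position.  Must match the indexing
   in ghash-update.c and x86_64/ghash-update.asm. */
static inline unsigned
h_index (unsigned i)
{
  return 2 * ((i & 63) ^ INDEX_PERMUTE) + (i >> 6);
}

/* … unchanged: _ghash_set_key up to the declaration of i … */
  block16_set (&ctx->h[h_index (0)], key);
  for (i = 1; i < 128; i++)
    block16_mulx_ghash (&ctx->h[h_index (i)], &ctx->h[h_index (i-1)]);
```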
diff --git a/ghash-update.c b/ghash-update.c
index 7cd19643..bdeaa38d 100644
--- a/ghash-update.c
+++ b/ghash-update.c
@@ -68,10 +68,10 @@ gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table)
{
uint64_t m0 = -(x0 & 1);
uint64_t m1 = -(x1 & 1);
- r0 ^= m0 & table[i].u64[0];
- r1 ^= m0 & table[i].u64[1];
- r0 ^= m1 & table[64+i].u64[0];
- r1 ^= m1 & table[64+i].u64[1];
+ r0 ^= m0 & table[2*i].u64[0];
+ r1 ^= m0 & table[2*i].u64[1];
+ r0 ^= m1 & table[2*i+1].u64[0];
+ r1 ^= m1 & table[2*i+1].u64[1];
}
x->u64[0] = r0; x->u64[1] = r1;
}
diff --git a/x86_64/ghash-update.asm b/x86_64/ghash-update.asm
index 2c4958bf..b3417e45 100644
--- a/x86_64/ghash-update.asm
+++ b/x86_64/ghash-update.asm
@@ -37,6 +37,7 @@ define(`XP', `%rsi')
define(`BLOCKS', `%rdx')
define(`SRC', `%rcx')
define(`CNT', `%rax')
+define(`KEY32', `%r8')
define(`X', `%xmm0')
define(`R', `%xmm1')
define(`M0', `%xmm2')
@@ -57,6 +58,8 @@ PROLOGUE(_nettle_ghash_update)
sub $1, BLOCKS
movups (XP), X
jc .Ldone
+ C Table offset corresponding to 32 bits.
+ lea 1024(KEY), KEY32
ALIGN(16)
.Lblock_loop:
@@ -64,10 +67,10 @@ ALIGN(16)
movups (SRC), M0
pxor M0, X
pxor R, R
- mov $496, CNT
+ mov $992, CNT
ALIGN(16)
.Loop_bit:
- movaps X, M3
+ movdqa X, M3
psrad $31, M3
pshufd $0x00, M3, M0
pshufd $0x55, M3, M1
@@ -75,15 +78,15 @@ ALIGN(16)
pshufd $0xff, M3, M3
pslld $1, X
pand (KEY, CNT), M0
- pand 512(KEY, CNT), M1
- pand 1024(KEY, CNT), M2
- pand 1536(KEY, CNT), M3
+ pand (KEY32, CNT), M1
+ pand 16(KEY, CNT), M2
+ pand 16(KEY32, CNT), M3
pxor M0, M1
pxor M2, M3
pxor M1, R
pxor M3, R
- sub $16, CNT
+ sub $32, CNT
jnc .Loop_bit
movaps R, X