cryptopp icon indicating copy to clipboard operation
cryptopp copied to clipboard

Published 20 hours ago verified publisher icon weidai11

Separate AES from Rijndael; Support Rijndael 192-bit and 256-bit block sizes

Open mouse07410 opened this issue 7 years ago • 10 comments

For the purpose of supporting Rijndael features not included in AES, specifically 192- and 256-bit block sizes.

In case it matters, AESNI instruction set allows hardware-optimized RIjndael implementation, not only AES.

mouse07410 avatar Sep 21 '16 14:09 mouse07410

The reason why it was not done in the past is (I believe) the fact that the library has no support (yet?) for blocktransformations with dynamic size. So the main interface class and the helper classes all focus on a static, fixed block size.

Thus a change here wouldn't be impossible, but would take some time to be done.

DevJPM avatar Sep 21 '16 15:09 DevJPM

... the library has no support (yet?) for blocktransformations with dynamic size ...

Yes, this needs addressing. As I expect ciphers to come that have this property (block size varies, like the key size).

Thus a change here wouldn't be impossible,

Good!

but would take some time to be done

Understood.

mouse07410 avatar Sep 21 '16 19:09 mouse07410

With the advent of Issue 302: AES and incorrect argument to _freea() under Microsoft compilers, we have got to clean that Rijndael code up...

The cleanup will allow us to logically segregate all the things going on so we can make changes like Padlock implementation, ARMv8 implementation and additional block sizes. Right now its practically impossible to maintain.

For completeness, here are the intertwined implementations I am aware of:

  • Straight C++ implementation
  • SSE2 implementation
  • AES-NI implementation
  • Aligned data-access
  • Unaligned data access
  • Compressed tables
  • GCC ASM
  • Microsoft MASM

noloader avatar Sep 23 '16 02:09 noloader

@johnwbyrd, Take a look at this report. There's a fair amount of intersection with your observation in the 302 Issue. If you have any design suggestions, then we would be delighted to hear them.

noloader avatar Sep 23 '16 05:09 noloader

I do have opinions on this, but they might be too complex to list as an addendum to a bug report.

To summarize, I think the only long-term maintainable approach to implementing a cross-platform AES that addresses all these issues, involves implementing AES as a cross-platform template library, for which specializations exist for each target and for each instruction set. I believe that per-platform assembly code should be minimized to a few particular and obvious cases, and instead vectorization speedup should be performed by representing transformations mostly in a way in which the new auto-vectorization features of clang and MSVC can detect.

More details later...

johnwbyrd avatar Sep 25 '16 22:09 johnwbyrd

Whatever solution is chosen must take into account the ever-exploding number of instruction sets and speedups thereof: http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/communications-ia-multi-buffer-paper.pdf

johnwbyrd avatar Oct 04 '16 20:10 johnwbyrd

It is 2018 now, so where is the support for 192-bit and 256-bit block sizes? Sorry for commenting on this issue after 2 years :(

EAirPeter avatar Apr 15 '18 11:04 EAirPeter

I'd like to know what the plan for these block sizes is as well? Any updates?

bgarisn avatar Jun 26 '18 14:06 bgarisn

Don't GCC and MSVC now give access to a lot of the SSE2 instructions as __builtin functions? As well as things like counting leading zeroes in a data type?

fionafibration avatar Jul 11 '19 21:07 fionafibration

@ThePlasmaRailgun,

We can gain access to the SIMD unit using intrinsics, like:

__m128i x = _mm_setzero_si128();
x = _mm_add_si128(x, y);

But we don't have a way to convert the ASM directly. That is, we can't convert something like this because the intrinsics do not map to the integer unit.

push ebp
mov ebp, esp
mov eax, 0

noloader avatar Jul 11 '19 21:07 noloader