Rijndael in Assembler for x86?

Ian Goldberg iang at abraham.cs.berkeley.edu
Fri Sep 14 10:24:24 EDT 2001


In article <87d74urezs.fsf at snark.piermont.com>,
Perry E. Metzger <perry at piermont.com> wrote:
>
>Helger Lipmaa <helger at tcs.hut.fi> writes:
>> > Does anyone have an open source implementation of Rijndael in
>> > assembler for the Pentium?
>> 
>> Why not just use C code?
>
>Because it is typically slower by many times than hand tuned assembler.

Are you sure?  For general code, that certainly hasn't been true in a
long time; optimizing compilers nowadays can often do *better* than
hand-coded assembler.  However, for encryption code in particular,
I can imagine the C primitives (which usually lack rotate, etc.
instructions) may be suboptimal.

That being said, back when I wrote the 40-bit RC5 breaker for the RSA
challenge, I thought the same thing.  I figured I would first write a C
version, and then tune the resulting assembler.  When I looked at what
gcc had output, it had already done all the tricks I had in mind.

I would severely doubt a slowdown of "many times".  I'm more likely to
believe a few percent, and would not be surprised if the compiler's
optimizer is smarter than most people's.

   - Ian

[Moderator's note: The best DES implementations for i386s in assembler
are several times faster than the best in C. I'm not sure about AES
but I'd prefer to try and see. Perhaps it's a feature of DES's odd bit
manipulation patterns, perhaps not. I have yet to see GCC produce code
for almost anything that was just as fast as hand tuned assembler,
though. --Perry]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
