[llvm-dev] [RFC] carry-less multiplication instruction
Shawn Landden via llvm-dev
llvm-dev at lists.llvm.org
Mon Jul 6 04:41:56 PDT 2020
05.07.2020, 07:12, "Nicolai Hähnle" <nhaehnle at gmail.com>:
> On 05.07.20 12:21, Roman Lebedev via llvm-dev wrote:
>> On Sun, Jul 5, 2020 at 12:18 PM Shawn Landden via llvm-dev
>> <llvm-dev at lists.llvm.org> wrote:
>>> This proposal is to add a llvm.clmul instruction.
>>
>> What benefit would this intrinsic would bring to the middle-end IR,
>> over it's current naive expanded form?
>
> Isn't a "naive" expansion of NxN carryless multiply extremely involved?
> I'd expect something like 2N shifts, N truncs, N selects, and N xors.
Yes, it is. This is then sped up with a table (such as in the official GCM spec); however, using a table can introduce key-dependent loads and security problems. The 32+32->64 or 64+64->64 multiplication lowering is generally constant-time and does not have these security problems.
>
> That link mentions an alternative that is more efficient, but I wouldn't
> exactly call it naive...
>
> Cheers,
> Nicolai
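The two lowerings discussed above, the shift/mask/xor expansion and the 4-bit table used to speed up GHASH, side by side as an added example; this is not code from the thread or from LLVM, and the function names (clmul64_ct, clmul64_table, clmul64_agree) are the example's own. Both compute the full 64x64->128 carry-less product. The table version reads tab[] at an index taken from the multiplier, which is the key-dependent load the post refers to; the constant-time version does the same work on every iteration and only uses the multiplier bit to build a mask.

```c
#include <stdint.h>
#include <stdio.h>

/* 128-bit carry-less product, split into high and low 64-bit halves. */
typedef struct { uint64_t hi, lo; } clmul128;

/* Constant-time 64x64->128 carry-less multiply: the "naive" expansion of
 * 64 shifts, 64 selects (here: and-with-mask) and 64 xors.  Every
 * iteration does identical work whatever the bits of b are; the only
 * data-dependent value is the mask, computed arithmetically, not branched
 * on.  (A compiler may still turn the mask back into a branch; check the
 * emitted code if b is secret.) */
static clmul128 clmul64_ct(uint64_t a, uint64_t b) {
    clmul128 r = {0, 0};
    for (int i = 0; i < 64; i++) {
        /* all-ones if bit i of b is set, all-zeros otherwise */
        uint64_t mask = 0 - ((b >> i) & 1);
        r.lo ^= (a << i) & mask;
        /* bits of a shifted past bit 63 land in the high word; the double
         * shift keeps i == 0 well-defined (no shift by 64) and yields 0 */
        r.hi ^= ((a >> (63 - i)) >> 1) & mask;
    }
    return r;
}

/* Table-driven 64x64->128 carry-less multiply in the style of the 4-bit
 * GHASH tables: precompute a times every nibble value, then process b four
 * bits at a time with 16 table loads.  The index of each load is a nibble
 * of b, so if b is key material the cache lines touched depend on the key. */
static clmul128 clmul64_table(uint64_t a, uint64_t b) {
    clmul128 tab[16];
    for (unsigned n = 0; n < 16; n++) {
        tab[n].hi = 0;
        tab[n].lo = 0;
        for (unsigned j = 0; j < 4; j++) {
            if (n & (1u << j)) {          /* n is a loop constant, not data */
                tab[n].lo ^= a << j;
                tab[n].hi ^= (a >> (63 - j)) >> 1;
            }
        }
    }
    clmul128 r = {0, 0};
    for (int i = 0; i < 64; i += 4) {
        clmul128 t = tab[(b >> i) & 0xF];  /* secret-dependent load */
        r.lo ^= t.lo << i;
        r.hi ^= t.hi << i;                 /* t.hi has at most 3 bits, no overflow */
        r.hi ^= (t.lo >> (63 - i)) >> 1;   /* carry of t.lo into the high word */
    }
    return r;
}

/* Returns 1 if both lowerings give the same 128-bit product for (a, b). */
static int clmul64_agree(uint64_t a, uint64_t b) {
    clmul128 x = clmul64_ct(a, b), y = clmul64_table(a, b);
    return x.hi == y.hi && x.lo == y.lo;
}

int main(void) {
    /* 0b1111 clmul 0b1111 = 0b1010101 = 0x55 (no carries between columns) */
    clmul128 r = clmul64_ct(0xF, 0xF);
    printf("0xF clmul 0xF = %016llx%016llx\n",
           (unsigned long long)r.hi, (unsigned long long)r.lo);
    /* all-ones times all-ones: coefficient k is the parity of the number of
     * (i, j) pairs with i + j = k, which alternates, giving 0x55..55 in both halves */
    r = clmul64_table(~0ULL, ~0ULL);
    printf("~0 clmul ~0   = %016llx%016llx\n",
           (unsigned long long)r.hi, (unsigned long long)r.lo);
    printf("lowerings agree: %d\n",
           clmul64_agree(0x0123456789abcdefULL, 0xfedcba9876543210ULL));
    return 0;
}
```

The two routines differ only in where the multiplier bits go: into a mask (data flow only) or into an address (data flow into the memory subsystem). That is the whole difference between an implementation whose timing is independent of the key and one that is not, and it is why an IR-level clmul that the backend can lower either to a native instruction or to the masked expansion is attractive for GCM-style code.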