aadomn / aes Goto Github PK

Hi @aadomn,

Recalling this observation and your paper, specifically Figure 6 and the following paragraph on page 8.

The paper gives a count of 27 XOR, 32 AND and 16 OR instructions on top of 16 circular and 32 logical shifts, where the ANDs, ORs and shifts come from 16 instances of the form ROR(BYTE_ROR_n, m) (per your C code in this repo.).

Actually in the rust code, we use just 32 circular shifts, 2 for each rotate_rows_and_columns_m_n call.

Essentially the outer ROR call is merged into the two shifts inside BYTE_ROR_n (which become circular shifts). Assuming ROR is converted by the compiler to a single rotate instruction, then there are 16 instructions to be saved here.

I'm not sure this would make much difference where there's a barrel shifter, but for the general case it may be worth reporting.

In the ARM Cortex masked implementation the header file implies that there are two keys given as arguments for the keyschedulers, aes128_keyschedule_ffs and aes128_keyschedule_sfs, but in the assembly code, the same functions are only documented to take one key. It seems the header file is incorrect here as it does not seem like a second key is ever used in the code.

Thank you otherwise for having thorough comments and well documented code :)