On Tue, 30 May 2023 at 14:52, Ard Biesheuvel <[email protected]> wrote: > > ARM intrinsics for AES deviate from the x86 ones in the way they cover > the different stages of each round, and so mapping one to the other is > not entirely straight-forward. However, with a bit of care, we can still > use the x86 ones to emulate the ARM ones, which makes them constant time > (which is an important property in crypto) and substantially more > efficient.
Do you have examples of workloads and speedups obtained, by the way? thanks -- PMM
