On 10/19/23 12:59, Philippe Mathieu-Daudé wrote:

+    /* Even round */
+    t = SHA256_CH(E, F, G) + SHA256_RNDS1(E) + wk0 + H;
+    AA = t + SHA256_MAJ(A, B, C) + SHA256_RNDS0(A);
+    EE = t + D;
+
+    /* These will be B and F at the end of the odd round */
+    d->L(2) = AA;
+    d->L(0) = EE;
+
+    D = C, C = B, B = A, A = AA;
+    H = G, G = F, F = E, E = EE;
+
+    /* Odd round */
+    t = SHA256_CH(E, F, G) + SHA256_RNDS1(E) + wk1 + H;
+    AA = t + SHA256_MAJ(A, B, C) + SHA256_RNDS0(A);
+    EE = t + D;
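Review bot: the stores `d->L(2) = AA;` and `d->L(0) = EE;` after the even round only make sense with the destination's ABEF layout in mind; the comment "These will be B and F at the end of the odd round" says what the values become but not why lanes 2 and 0 are the right slots, so a note that `d` holds A,B,E,F with B in L(2) and F in L(0) (hence the even round's new A and E are written where B and F are read next) would make the index choice checkable. The chained comma shifts `D = C, C = B, B = A, A = AA;` are correct (the comma operator sequences left to right) but read terse next to the rest; separate statements or a one-line comment would help.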

Better would be to implement that generically, so we can reuse
host crypto accelerators when available. Can be done later...
(See commit range fb250c59aa..ff494c8e2a for example.)

ARM extensions are probably too different from x86. ARM does four rounds per instruction, while x86 does two. And Intel passes ABEF/CDGH in the arguments, while ARM passes ABCD/EFGH.

Paolo

