On Wed, 24 May 2023 11:08:31 GMT, Andrew Haley <a...@openjdk.org> wrote:

>> No, it doesn't break the invariants.
>> 
>> R is the randomly-chosen 128-bit key. It is generated from an initial 
>> 128-bit-long string of random bits, then
>> `r &= 0x0ffffffc0ffffffc0ffffffc0fffffff`
>> 
>> This 128-bit-long string is split into 26-bit limbs before the intrinsic is 
>> called. The zero bits remain zero.
>> When we repack R into two 64-bit registers those zero bits are still zero.
>
> See https://loup-vaillant.fr/tutorials/poly1305-design for more explanation

Thanks for the link! 

So `r` refers to the value passed via `r_start` and it wasn't clear from the 
immediate context that `r_start` is already split into 26-bit limbs. So the 
`pack26` takes the 5 26-bit limbs and repacks them so that `R_0` has the low 
64-bit of `r`, `R_1` the high bits. Makes sense. 

`R_2` is unused and could be reclaimed. Perhaps an override for `pack26` that 
only takes two registers and discards the last 2 bits? Might help clarify the 
setup.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/14085#discussion_r1204159348
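To make the exchange above concrete, here is an added Python model of the three steps being discussed: clamping the 128-bit `r` with the Poly1305 mask, splitting it into five 26-bit limbs (the form in which `r_start` is handed to the intrinsic), and repacking those limbs into two 64-bit words. It is example code written for this note, not code from the JDK pull request; the function names `split26`, `pack26` and `pack26_two` are hypothetical Python stand-ins for the intrinsic's `pack26` and the proposed two-register variant. The test vector is constructed (all-ones key bytes), not taken from the PR.

```python
# Added example: Poly1305 r clamping and 26-bit limb repacking, modelled in
# Python. Not the JDK intrinsic itself; names are chosen for this example.

# Clamp mask from RFC 8439: clears the top 4 bits of every 32-bit word and the
# low 2 bits of words 1..3, so r has at most 124 significant bits.
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff
MASK26 = (1 << 26) - 1
MASK64 = (1 << 64) - 1


def clamp_r(r_bytes: bytes) -> int:
    """Interpret 16 little-endian key bytes as r and apply the Poly1305 clamp."""
    if len(r_bytes) != 16:
        raise ValueError("r must be exactly 16 bytes")
    return int.from_bytes(r_bytes, "little") & CLAMP


def split26(value: int) -> list:
    """Split a value of up to 130 bits into five 26-bit limbs, least significant first.

    Five limbs cover 130 bits; a clamped 128-bit r leaves the top limb's two
    highest bits (bits 128 and 129 overall) zero.
    """
    return [(value >> (26 * i)) & MASK26 for i in range(5)]


def pack26(limbs: list) -> tuple:
    """Repack five 26-bit limbs into (R_0, R_1, R_2).

    R_0 holds the low 64 bits, R_1 the next 64 bits, R_2 the remaining two
    bits (128..129). For a clamped r, R_2 is always zero.
    """
    value = 0
    for i, limb in enumerate(limbs):
        value |= (limb & MASK26) << (26 * i)
    r0 = value & MASK64
    r1 = (value >> 64) & MASK64
    r2 = value >> 128
    return r0, r1, r2


def pack26_two(limbs: list) -> tuple:
    """Two-register variant: return (R_0, R_1) and refuse input whose top
    two bits are not zero, i.e. a value that cannot be a clamped r."""
    r0, r1, r2 = pack26(limbs)
    if r2 != 0:
        raise ValueError("bits 128..129 are set; input is not a clamped 128-bit r")
    return r0, r1


def clamp_bits_preserved(limbs: list) -> bool:
    """Check the invariant from the thread: repacking clamped limbs yields a
    value whose clamp zero bits are still zero."""
    r0, r1, r2 = pack26(limbs)
    rebuilt = r0 | (r1 << 64) | (r2 << 128)
    return rebuilt == (rebuilt & CLAMP)


if __name__ == "__main__":
    # Constructed key: all-ones bytes, so clamping yields exactly CLAMP.
    r = clamp_r(b"\xff" * 16)
    limbs = split26(r)
    print("limbs:", [hex(l) for l in limbs])
    print("R_0, R_1, R_2:", [hex(x) for x in pack26(limbs)])
    print("clamp bits preserved:", clamp_bits_preserved(limbs))
```

Running the script with the all-ones key shows `R_2 == 0` and the clamp zero bits intact after repacking, which is the invariant the quoted reply relies on; `pack26_two` shows how a two-register form can make that assumption explicit rather than silently discarding the last two bits.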
