{
  "commit": "9855c1c59a53a80f9dec91624fac1a042fc66e51",
  "tree": "caee9dac311bff954fe1df8a3f7eb17089af427d",
  "parents": [
    "98f969491ce613f146087d6c694808b7d0e81d88"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Thu Nov 07 23:42:58 2019 -0500"
  },
  "committer": {
    "name": "CQ bot account: commit-bot@chromium.org",
    "email": "commit-bot@chromium.org",
    "time": "Tue Nov 12 00:27:02 2019 +0000"
  },
  "message": "Add a constant-time fallback GHASH implementation.\n\nWe have several variable-time table-based GHASH implementations, called\n\"4bit\" in the code. We have a fallback one in C and assembly\nimplementations for x86, x86_64, and armv4. These are used if assembly is\noff or if the hardware lacks NEON or SSSE3.\n\nNote these benchmarks are all on hardware several generations beyond\nwhat would actually run this code, so it\u0027s a bit artificial.\n\nImplement a constant-time implementation of GHASH based on the notes in\nhttps://bearssl.org/constanttime.html#ghash-for-gcm, as well as the\nreduction algorithm described in\nhttps://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf.\n\nThis new implementation is actually faster than the fallback C code for\nboth 32-bit and 64-bit. It is slower than the assembly implementations,\nparticularly for 32-bit. I\u0027ve left 32-bit x86 alone but replaced the\nx86_64 and armv4 ones.  The perf hit on x86_64 is smaller and affects a\nsmall percentage of 64-bit Chrome on Windows users. ARM chips without\nNEON are rare (Chrome for Android requires it), so replace that too.\n\nThe answer for 32-bit x86 is unclear. More 32-bit Chrome on Windows\nusers lack SSSE3, and the perf hit is dramatic. 
gcm_gmult_4bit_mmx uses\nSSE2, so perhaps we can close the gap with an SSE2 version of this\nstrategy, or perhaps we can decide this perf hit is worth fixing the\ntiming leaks.\n\n32-bit x86 with OPENSSL_NO_ASM\nBefore: (4bit C)\nDid 1136000 AES-128-GCM (16 bytes) seal operations in 1000762us (1135135.0 ops/sec): 18.2 MB/s\nDid 190000 AES-128-GCM (256 bytes) seal operations in 1003533us (189331.1 ops/sec): 48.5 MB/s\nDid 40000 AES-128-GCM (1350 bytes) seal operations in 1022114us (39134.6 ops/sec): 52.8 MB/s\nDid 7282 AES-128-GCM (8192 bytes) seal operations in 1117575us (6515.9 ops/sec): 53.4 MB/s\nDid 3663 AES-128-GCM (16384 bytes) seal operations in 1098538us (3334.4 ops/sec): 54.6 MB/s\nAfter:\nDid 1503000 AES-128-GCM (16 bytes) seal operations in 1000054us (1502918.8 ops/sec): 24.0 MB/s\nDid 252000 AES-128-GCM (256 bytes) seal operations in 1001173us (251704.8 ops/sec): 64.4 MB/s\nDid 53000 AES-128-GCM (1350 bytes) seal operations in 1016983us (52114.9 ops/sec): 70.4 MB/s\nDid 9317 AES-128-GCM (8192 bytes) seal operations in 1056367us (8819.9 ops/sec): 72.3 MB/s\nDid 4356 AES-128-GCM (16384 bytes) seal operations in 1000445us (4354.1 ops/sec): 71.3 MB/s\n\n64-bit x86 with OPENSSL_NO_ASM\nBefore: (4bit C)\nDid 2976000 AES-128-GCM (16 bytes) seal operations in 1000258us (2975232.4 ops/sec): 47.6 MB/s\nDid 510000 AES-128-GCM (256 bytes) seal operations in 1000295us (509849.6 ops/sec): 130.5 MB/s\nDid 106000 AES-128-GCM (1350 bytes) seal operations in 1001573us (105833.5 ops/sec): 142.9 MB/s\nDid 18000 AES-128-GCM (8192 bytes) seal operations in 1003895us (17930.2 ops/sec): 146.9 MB/s\nDid 9000 AES-128-GCM (16384 bytes) seal operations in 1003352us (8969.9 ops/sec): 147.0 MB/s\nAfter:\nDid 2972000 AES-128-GCM (16 bytes) seal operations in 1000178us (2971471.1 ops/sec): 47.5 MB/s\nDid 515000 AES-128-GCM (256 bytes) seal operations in 1001850us (514049.0 ops/sec): 131.6 MB/s\nDid 108000 AES-128-GCM (1350 bytes) seal operations in 1004941us (107469.0 ops/sec): 145.1 
MB/s\nDid 19000 AES-128-GCM (8192 bytes) seal operations in 1034966us (18358.1 ops/sec): 150.4 MB/s\nDid 9250 AES-128-GCM (16384 bytes) seal operations in 1005269us (9201.5 ops/sec): 150.8 MB/s\n\n32-bit ARM without NEON\nBefore: (4bit armv4 asm)\nDid 952000 AES-128-GCM (16 bytes) seal operations in 1001009us (951040.4 ops/sec): 15.2 MB/s\nDid 152000 AES-128-GCM (256 bytes) seal operations in 1005576us (151157.1 ops/sec): 38.7 MB/s\nDid 32000 AES-128-GCM (1350 bytes) seal operations in 1024522us (31234.1 ops/sec): 42.2 MB/s\nDid 5290 AES-128-GCM (8192 bytes) seal operations in 1005335us (5261.9 ops/sec): 43.1 MB/s\nDid 2650 AES-128-GCM (16384 bytes) seal operations in 1004396us (2638.4 ops/sec): 43.2 MB/s\nAfter:\nDid 540000 AES-128-GCM (16 bytes) seal operations in 1000009us (539995.1 ops/sec): 8.6 MB/s\nDid 90000 AES-128-GCM (256 bytes) seal operations in 1000028us (89997.5 ops/sec): 23.0 MB/s\nDid 19000 AES-128-GCM (1350 bytes) seal operations in 1022041us (18590.3 ops/sec): 25.1 MB/s\nDid 3150 AES-128-GCM (8192 bytes) seal operations in 1003199us (3140.0 ops/sec): 25.7 MB/s\nDid 1694 AES-128-GCM (16384 bytes) seal operations in 1076156us (1574.1 ops/sec): 25.8 MB/s\n(Note fallback AES is dampening the perf hit.)\n\n64-bit x86 with OPENSSL_ia32cap\u003d0\nBefore: (4bit x86_64 asm)\nDid 2615000 AES-128-GCM (16 bytes) seal operations in 1000220us (2614424.8 ops/sec): 41.8 MB/s\nDid 431000 AES-128-GCM (256 bytes) seal operations in 1001250us (430461.9 ops/sec): 110.2 MB/s\nDid 89000 AES-128-GCM (1350 bytes) seal operations in 1002209us (88803.8 ops/sec): 119.9 MB/s\nDid 16000 AES-128-GCM (8192 bytes) seal operations in 1064535us (15030.0 ops/sec): 123.1 MB/s\nDid 8261 AES-128-GCM (16384 bytes) seal operations in 1096787us (7532.0 ops/sec): 123.4 MB/s\nAfter:\nDid 2355000 AES-128-GCM (16 bytes) seal operations in 1000096us (2354773.9 ops/sec): 37.7 MB/s\nDid 373000 AES-128-GCM (256 bytes) seal operations in 1000981us (372634.4 ops/sec): 95.4 MB/s\nDid 77000 
AES-128-GCM (1350 bytes) seal operations in 1003557us (76727.1 ops/sec): 103.6 MB/s\nDid 13000 AES-128-GCM (8192 bytes) seal operations in 1003058us (12960.4 ops/sec): 106.2 MB/s\nDid 7139 AES-128-GCM (16384 bytes) seal operations in 1099576us (6492.5 ops/sec): 106.4 MB/s\n(Note fallback AES is dampening the perf hit. Pairing with AESNI to roughly\nisolate GHASH shows a 40% hit.)\n\nFor comparison, this is what removing gcm_gmult_4bit_mmx would do.\n32-bit x86 with OPENSSL_ia32cap\u003d0\nBefore:\nDid 2014000 AES-128-GCM (16 bytes) seal operations in 1000026us (2013947.6 ops/sec): 32.2 MB/s\nDid 367000 AES-128-GCM (256 bytes) seal operations in 1000097us (366964.4 ops/sec): 93.9 MB/s\nDid 77000 AES-128-GCM (1350 bytes) seal operations in 1002135us (76836.0 ops/sec): 103.7 MB/s\nDid 13000 AES-128-GCM (8192 bytes) seal operations in 1011394us (12853.5 ops/sec): 105.3 MB/s\nDid 7227 AES-128-GCM (16384 bytes) seal operations in 1099409us (6573.5 ops/sec): 107.7 MB/s\nIf gcm_gmult_4bit_mmx were replaced:\nDid 1350000 AES-128-GCM (16 bytes) seal operations in 1000128us (1349827.2 ops/sec): 21.6 MB/s\nDid 219000 AES-128-GCM (256 bytes) seal operations in 1000090us (218980.3 ops/sec): 56.1 MB/s\nDid 46000 AES-128-GCM (1350 bytes) seal operations in 1017365us (45214.8 ops/sec): 61.0 MB/s\nDid 8393 AES-128-GCM (8192 bytes) seal operations in 1115579us (7523.4 ops/sec): 61.6 MB/s\nDid 3840 AES-128-GCM (16384 bytes) seal operations in 1001928us (3832.6 ops/sec): 62.8 MB/s\n(Note fallback AES is dampening the perf hit. Pairing with AESNI to roughly\nisolate GHASH shows a 73% hit. gcm_gmult_4bit_mmx is almost 4x as fast.)\n\nChange-Id: Ib28c981e92e200b17fb9ddc89aef695ac6733a43\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38724\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "91b91701f7635d52b9fe20df19a9e7777078ad09",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/bcm.c",
      "new_id": "7485f6ccd928a31f2524b7183baa862cc3bfbf70",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/bcm.c"
    },
    {
      "type": "modify",
      "old_id": "cdb6fb489f80d5123d1a27b84ac1269ac05043c7",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/modes/asm/ghash-armv4.pl",
      "new_id": "daf52e8ec23086a3bf37995036cc7433fe7c53cb",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/modes/asm/ghash-armv4.pl"
    },
    {
      "type": "modify",
      "old_id": "5c4122fe81ef61c291a8009e7ce8e1b15547be34",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/modes/asm/ghash-x86_64.pl",
      "new_id": "a1c9220efcac5221a9e58c44e771a15f85dc4f1f",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/modes/asm/ghash-x86_64.pl"
    },
    {
      "type": "modify",
      "old_id": "3860ebed6b0bca03f6bfba2b224fa483ca104327",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/modes/gcm.c",
      "new_id": "51e7b73048c9fe209029cbda2080930fce03b891",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/modes/gcm.c"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "2a5051a4392a20c6c7d59b24451576e1df4d15e4",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/modes/gcm_nohw.c"
    },
    {
      "type": "modify",
      "old_id": "b2e805c194a77c5abf0e3fe40c88cfc361dfeb86",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/modes/gcm_test.cc",
      "new_id": "a25c17a6aec9bbdb7a5778fe364c4259d15bac45",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/modes/gcm_test.cc"
    },
    {
      "type": "modify",
      "old_id": "0971a90ed35283eb15499233c6092a90c0ad06b5",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/modes/internal.h",
      "new_id": "a3135abf8f91139687447fd26260b50dde73a374",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/modes/internal.h"
    }
  ]
}
