polyval: Add runtime PCLMULQDQ detection

When the `std` feature is enabled (which it is now by default), this
adds runtime detection for PCLMULQDQ support on x86/x86_64
architectures.

The detection happens once at the time `Polyval` is instantated. The
`polyval::field::Element` type has been changed into an enum which
remembers the detection result, and its API changed to operate on
bytestring representations of POLYVAL field elements.

This appears to have a negligable performance impact.

Author: tarcieri

.travis.yml

@@ -34,10 +34,10 @@ matrix:
       script: cd polyval && cargo test --release --tests
 
     # no_std build
-    - name: "Rust: stable (thumbv7em-none-eabihf)"
+    - name: "Rust: stable (thumbv7em-none-eabi)"
       rust: stable
-      install: rustup target add thumbv7em-none-eabihf
-      script: cargo build --all --target thumbv7em-none-eabihf --release
+      install: rustup target add thumbv7em-none-eabi
+      script: ./build_nostd.sh
     - name "Rust: nightly (benches)"
       rust: nightly
       script: cargo build --all-features --benches

build_nostd.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -eux
+
+# Due to the fact that cargo does not disable default features when we use
+# cargo build --all --no-default-features we have to explicitly iterate over
+# all crates (see https://github.com/rust-lang/cargo/issues/4753 )
+DIRS=`ls -d */`
+TARGET="thumbv7em-none-eabi"
+cargo clean
+
+for dir in $DIRS; do
+    if [ $dir = "target/" ]
+    then
+        continue
+    fi
+
+    pushd $dir
+    cargo build --no-default-features --verbose --target $TARGET || {
+        echo $dir failed
+        exit 1
+    }
+    popd
+done

ghash/Cargo.toml

@@ -14,13 +14,16 @@ keywords = ["aes-gcm", "crypto", "universal-hashing"]
 categories = ["cryptography", "no-std"]
 edition = "2018"
 
-[dependencies]
-polyval = { version = "0.0.1", path = "../polyval" }
+[dependencies.polyval]
+version = "0.0.1"
+default-features = false
+path = "../polyval"
 
 [dev-dependencies]
 hex-literal = "0.1"
 
 [features]
+default = ["std"]
 std = ["polyval/std"]
 
 [badges]

polyval/Cargo.toml

@@ -22,6 +22,7 @@ zeroize = { version = "0.10", optional = true, default-features = false }
 hex-literal = "0.1"
 
 [features]
+default = ["std"]
 std = ["universal-hash/std"]
 
 [badges]

polyval/src/field.rs

@@ -14,10 +14,23 @@
 //!
 //! [RFC 8452 Section 3]: https://tools.ietf.org/html/rfc8452#section-3
 
-pub mod backend;
+#[cfg(all(
+    target_feature = "pclmulqdq",
+    target_feature = "sse2",
+    target_feature = "sse4.1",
+    any(target_arch = "x86", target_arch = "x86_64")
+))]
+mod pclmulqdq;
+mod soft;
 
-use self::backend::Backend;
-use core::ops::{Add, Mul};
+#[cfg(all(
+    target_feature = "pclmulqdq",
+    target_feature = "sse2",
+    target_feature = "sse4.1",
+    any(target_arch = "x86", target_arch = "x86_64")
+))]
+use self::pclmulqdq::M128i;
+use self::soft::U64x2;
 
 /// Size of GF(2^128) in bytes (16-bytes).
 pub const FIELD_SIZE: usize = 16;
@@ -27,29 +40,64 @@ pub type Block = [u8; FIELD_SIZE];
 
 /// POLYVAL field element.
 #[derive(Copy, Clone)]
-pub struct Element<B: Backend>(B);
+pub enum Element {
+    #[cfg(all(
+        target_feature = "pclmulqdq",
+        target_feature = "sse2",
+        target_feature = "sse4.1",
+        any(target_arch = "x86", target_arch = "x86_64")
+    ))]
+    /// (P)CLMUL(QDQ)-accelerated backend on supported x86 architectures
+    Clmul(M128i),
 
-impl<B: Backend> Element<B> {
+    /// Portable software fallback
+    Soft(U64x2),
+}
+
+impl Element {
     /// Load a `FieldElement` from its bytestring representation.
+    #[cfg(all(
+        target_feature = "pclmulqdq",
+        target_feature = "sse2",
+        target_feature = "sse4.1",
+        any(target_arch = "x86", target_arch = "x86_64")
+    ))]
     pub fn from_bytes(bytes: Block) -> Self {
-        Element(bytes.into())
+        if cfg!(feature = "std") {
+            if is_x86_feature_detected!("pclmulqdq") {
+                Element::Clmul(bytes.into())
+            } else {
+                Element::Soft(bytes.into())
+            }
+        } else {
+            Element::Clmul(bytes.into())
+        }
     }
 
-    /// Serialize this `FieldElement` as a bytestring.
-    pub fn to_bytes(self) -> Block {
-        self.0.into()
+    /// Load a `FieldElement` from its bytestring representation.
+    #[cfg(not(all(
+        target_feature = "pclmulqdq",
+        target_feature = "sse2",
+        target_feature = "sse4.1",
+        any(target_arch = "x86", target_arch = "x86_64")
+    )))]
+    pub fn from_bytes(bytes: Block) -> Self {
+        Element::Soft(bytes.into())
     }
-}
 
-impl<B: Backend> Default for Element<B> {
-    fn default() -> Self {
-        Self::from_bytes(Block::default())
+    /// Serialize this `FieldElement` as a bytestring.
+    pub fn to_bytes(self) -> Block {
+        match self {
+            #[cfg(all(
+                target_feature = "pclmulqdq",
+                target_feature = "sse2",
+                target_feature = "sse4.1",
+                any(target_arch = "x86", target_arch = "x86_64")
+            ))]
+            Element::Clmul(m128i) => m128i.into(),
+            Element::Soft(u64x2) => u64x2.into(),
+        }
     }
-}
-
-#[allow(clippy::suspicious_arithmetic_impl)]
-impl<B: Backend> Add for Element<B> {
-    type Output = Self;
 
     /// Adds two POLYVAL field elements.
     ///
@@ -58,16 +106,21 @@ impl<B: Backend> Add for Element<B> {
     /// > "The sum of any two elements in the field is the result of XORing them."
     ///
     /// [RFC 8452 Section 3]: https://tools.ietf.org/html/rfc8452#section-3
-    fn add(self, rhs: Self) -> Self {
-        Element(self.0 + rhs.0)
+    #[allow(clippy::should_implement_trait)]
+    pub fn add(self, other: Block) -> Self {
+        match self {
+            #[cfg(all(
+                target_feature = "pclmulqdq",
+                target_feature = "sse2",
+                target_feature = "sse4.1",
+                any(target_arch = "x86", target_arch = "x86_64")
+            ))]
+            Element::Clmul(m128i) => Element::Clmul(m128i + M128i::from(other)),
+            Element::Soft(u64x2) => Element::Soft(u64x2 + U64x2::from(other)),
+        }
     }
-}
-
-#[allow(clippy::suspicious_arithmetic_impl)]
-impl<B: Backend> Mul for Element<B> {
-    type Output = Self;
 
-    /// Computes POLYVAL multiplication over GF(2^128).
+    /// Computes carryless POLYVAL multiplication over GF(2^128).
     ///
     /// From [RFC 8452 Section 3]:
     ///
@@ -76,13 +129,22 @@ impl<B: Backend> Mul for Element<B> {
     /// > irreducible polynomial."
     ///
     /// [RFC 8452 Section 3]: https://tools.ietf.org/html/rfc8452#section-3
-    fn mul(self, rhs: Self) -> Self {
-        Element(self.0 * rhs.0)
+    pub fn clmul(self, other: Block) -> Self {
+        match self {
+            #[cfg(all(
+                target_feature = "pclmulqdq",
+                target_feature = "sse2",
+                target_feature = "sse4.1",
+                any(target_arch = "x86", target_arch = "x86_64")
+            ))]
+            Element::Clmul(m128i) => Element::Clmul(m128i * M128i::from(other)),
+            Element::Soft(u64x2) => Element::Soft(u64x2 * U64x2::from(other)),
+        }
     }
 }
 
-impl<B: Backend> From<B> for Element<B> {
-    fn from(element: B) -> Element<B> {
-        Element(element)
+impl Default for Element {
+    fn default() -> Self {
+        Self::from_bytes(Block::default())
     }
 }

polyval/src/field/backend.rs

@@ -6,7 +6,6 @@ use core::arch::x86::*;
 #[cfg(target_arch = "x86_64")]
 use core::arch::x86_64::*;
 
-use super::Backend;
 use crate::field::Block;
 use core::ops::{Add, Mul};
 
@@ -15,8 +14,6 @@ use core::ops::{Add, Mul};
 #[derive(Copy, Clone)]
 pub struct M128i(__m128i);
 
-impl Backend for M128i {}
-
 impl From<Block> for M128i {
     // `_mm_loadu_si128` performs an unaligned load
     #[allow(clippy::cast_ptr_alignment)]

polyval/src/field/backend/pclmulqdq.rs polyval/src/field/pclmulqdq.rspolyval/src/field/backend/pclmulqdq.rs renamed to polyval/src/field/pclmulqdq.rs

@@ -5,7 +5,6 @@
 //!
 //! Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
 
-use super::Backend;
 use crate::field::Block;
 use core::{
     convert::TryInto,
@@ -16,8 +15,6 @@ use core::{
 #[derive(Copy, Clone, Debug, Eq, PartialEq)]
 pub struct U64x2(u64, u64);
 
-impl Backend for U64x2 {}
-
 impl From<Block> for U64x2 {
     fn from(bytes: Block) -> U64x2 {
         U64x2(
@@ -29,14 +26,7 @@ impl From<Block> for U64x2 {
 
 impl From<U64x2> for Block {
     fn from(u64x2: U64x2) -> Block {
-        let x: u128 = u64x2.into();
-        x.to_le_bytes()
-    }
-}
-
-impl From<U64x2> for u128 {
-    fn from(u64x2: U64x2) -> u128 {
-        u128::from(u64x2.0) | (u128::from(u64x2.1) << 64)
+        (u128::from(u64x2.0) | (u128::from(u64x2.1) << 64)).to_le_bytes()
     }
 }
 

polyval/src/field/backend/soft.rs polyval/src/field/soft.rspolyval/src/field/backend/soft.rs renamed to polyval/src/field/soft.rs

@@ -46,26 +46,33 @@
 #![doc(html_logo_url = "https://github.com/RustCrypto/meta/master/logo_small.png")]
 #![warn(missing_docs, rust_2018_idioms)]
 
+#[cfg(all(
+    feature = "std",
+    target_feature = "pclmulqdq",
+    target_feature = "sse2",
+    target_feature = "sse4.1",
+    any(target_arch = "x86", target_arch = "x86_64")
+))]
+#[macro_use]
+extern crate std;
+
 pub mod field;
 
 pub use universal_hash;
 
 use universal_hash::generic_array::{typenum::U16, GenericArray};
 use universal_hash::{Output, UniversalHash};
 
-// TODO(tarcieri): runtime selection of CLMUL vs soft backend when both are available
-use field::backend::M128i;
-
 /// **POLYVAL**: GHASH-like universal hash over GF(2^128).
 #[allow(non_snake_case)]
 #[derive(Clone)]
 #[repr(align(16))]
 pub struct Polyval {
     /// GF(2^128) field element input blocks are multiplied by
-    H: field::Element<M128i>,
+    H: field::Element,
 
     /// Field element representing the computed universal hash
-    S: field::Element<M128i>,
+    S: field::Element,
 }
 
 impl UniversalHash for Polyval {
@@ -82,8 +89,7 @@ impl UniversalHash for Polyval {
 
     /// Input a field element `X` to be authenticated
     fn update_block(&mut self, x: &GenericArray<u8, U16>) {
-        let x = field::Element::from_bytes(x.clone().into());
-        self.S = (self.S + x) * self.H;
+        self.S = self.H.clmul(self.S.add(x.clone().into()).to_bytes());
     }
 
     /// Reset internal state