
On 7/9/20 10:13 AM, Steve (Numerics) Canon via llvm-dev wrote:

> CLMUL is absolutely useful outside of “crypto” contexts that
> want/require “constant time” operation.
>
> To name just two families of uses, it’s the backbone
> of many hash/checksum algorithms and error-correcting codes,
> where the goal is often simply to go as fast as possible, and
> uArch side-channel resistance is not a concern.
>
> – Steve

+1

See, e.g.,
https://lemire.me/blog/2015/10/26/crazily-fast-hashing-with-carry-less-multiplications/
-- and also, https://en.wikipedia.org/wiki/CLMUL_instruction_set,
"One use of these instructions is to improve the speed of
applications doing block cipher encryption in Galois/Counter Mode,
which depends on finite field GF(2^k) multiplication. Another
application is the fast calculation of CRC values, including those
used to implement the LZ77 sliding window DEFLATE algorithm in
zlib and pngcrush."

-Hal

> On Jul 9, 2020, at 10:41 AM, Roman Lebedev via llvm-dev <llvm-dev@lists.llvm.org> wrote:
>
>> What i do *NOT* understand is:
>> what is the actual/main goal/driving factor of adding an LLVM intrinsic for it?
>>
>> The use that was mentioned is crypto, and i'm personally not really
>> registering anything else. Am i just misreading it?
>>
>> The crypto use-case doesn't make sense to me, because
>> as of this moment LLVM "explicitly" has zero constant-time
>> guarantees for LLVM IR instructions/intrinsics.
>>
>> _______________________________________________
>> LLVM Developers mailing list
>> llvm-dev@lists.llvm.org
>> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev

--
Hal Finkel
Lead, Compiler Technology and Programming Languages
Leadership Computing Facility
Argonne National Laboratory
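Added example, not code from this thread or from LLVM or zlib: a software stand-in for the carry-less multiply that PCLMULQDQ performs, used for the non-crypto CRC use Hal and Steve point at. It assumes a simplified CRC-32 (generator 0x04C11DB7, MSB-first, init 0, no final xor) so that a CRC is exactly m(x)·x^32 mod P(x), and all function names (crc32_bitwise, clmul32, gf2_mulmod, x_pow_bytes, crc32_combine) are mine.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical setup: CRC-32 generator 0x04C11DB7, MSB-first, init 0, no final xor,
 * so crc(m) == m(x)*x^32 mod P(x) and the combine identity at the bottom holds. */
#define POLY 0x04C11DB7u
/* Reference bit-serial CRC (the slow shift register). */
uint32_t crc32_bitwise(const uint8_t *p, size_t n) {
    uint32_t r = 0;
    for (size_t i = 0; i < n; i++) {
        r ^= (uint32_t)p[i] << 24;
        for (int b = 0; b < 8; b++)
            r = (r & 0x80000000u) ? (r << 1) ^ POLY : (r << 1);
    }
    return r;
}
/* Software carry-less multiply of two 32-bit GF(2) polynomials: what PCLMULQDQ
 * does in hardware (partial products combined with XOR, so no carries). */
uint64_t clmul32(uint32_t a, uint32_t b) {
    uint64_t acc = 0;
    for (int i = 0; i < 32; i++)
        if ((b >> i) & 1) acc ^= (uint64_t)a << i;
    return acc;
}
/* Multiplication in GF(2)[x] / P(x): carry-less product, then reduce the
 * degree < 64 result modulo x^32 + POLY by long division. */
uint32_t gf2_mulmod(uint32_t a, uint32_t b) {
    uint64_t v = clmul32(a, b), g = 0x100000000ull | POLY;
    for (int i = 63; i >= 32; i--)
        if ((v >> i) & 1) v ^= g << (i - 32);
    return (uint32_t)v;
}
/* x^(8*nbytes) mod P(x) by square-and-multiply on the byte count. */
uint32_t x_pow_bytes(size_t nbytes) {
    uint32_t result = 1, base = 0x100; /* x^0 and x^8 */
    for (; nbytes; nbytes >>= 1, base = gf2_mulmod(base, base))
        if (nbytes & 1) result = gf2_mulmod(result, base);
    return result;
}
/* crc(A||B) from crc(A), crc(B) and |B| alone: crcA * x^(8|B|) + crcB mod P(x),
 * the same GF(2) identity that zlib's crc32_combine relies on. */
uint32_t crc32_combine(uint32_t crcA, uint32_t crcB, size_t lenB) {
    return gf2_mulmod(crcA, x_pow_bytes(lenB)) ^ crcB;
}
/* Constructed sample: combining the two chunk CRCs must equal the CRC of the whole. */
int combine_matches_direct(void) {
    const uint8_t a[] = "carry-less ", b[] = "multiply", ab[] = "carry-less multiply";
    return crc32_combine(crc32_bitwise(a, sizeof a - 1), crc32_bitwise(b, sizeof b - 1),
                         sizeof b - 1) == crc32_bitwise(ab, sizeof ab - 1);
}
```

The point of the combine step is that a carry-less multiply plus one reduction replaces re-scanning the bytes of B, which is why CRC and GCM code both lean on this instruction regardless of any constant-time guarantee.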