authorFrank Denis <github@pureftpd.org>2020-09-28 23:23:32 +0200
committerFrank Denis <github@pureftpd.org>2020-09-29 00:29:20 +0200
commit868a46eb43e68971634c046c8317c1b83cae21ae (patch)
tree26d2b972569d5ef088cc380f242d77b1c093c576
parent5c6cd5e2c9e8b2d0feb0026bad7c201035a175b4 (diff)
downloadzig-868a46eb43e68971634c046c8317c1b83cae21ae.tar.gz
zig-868a46eb43e68971634c046c8317c1b83cae21ae.zip
std/crypto: make gimli slightly faster
Before: gimli-hash: 120 MiB/s, gimli-aead: 130 MiB/s. After: gimli-hash: 195 MiB/s, gimli-aead: 208 MiB/s. This also fixes in-place decryption: if the input and output buffers were the same, decryption used to fail. The benchmark now returns on a decryption error, so that similar issues in future AEADs are detected even in non-release-fast mode.
-rw-r--r--lib/std/crypto/benchmark.zig2
-rw-r--r--lib/std/crypto/gimli.zig34
2 files changed, 22 insertions, 14 deletions
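--- a/lib/std/crypto/benchmark.zig
+++ b/lib/std/crypto/benchmark.zig
@@ -168,7 +168,7 @@ pub fn benchmarkAead(comptime Aead: anytype, comptime bytes: comptime_int) !u64
 const start = timer.lap();
 while (offset < bytes) : (offset += in.len) {
 Aead.encrypt(in[0..], tag[0..], in[0..], &[_]u8{}, nonce, key);
-Aead.decrypt(in[0..], in[0..], tag, &[_]u8{}, nonce, key) catch unreachable;
+try Aead.decrypt(in[0..], in[0..], tag, &[_]u8{}, nonce, key);
 }
 mem.doNotOptimizeAway(&in);
 const end = timer.read();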
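--- a/lib/std/crypto/gimli.zig
+++ b/lib/std/crypto/gimli.zig
@@ -40,8 +40,8 @@ pub const State = struct {
 pub fn permute(self: *Self) void {
 const state = &self.data;
-var round = @as(u32, 24);
-while (round > 0) : (round -= 1) {
+comptime var round = @as(u32, 24);
+inline while (round > 0) : (round -= 1) {
 var column = @as(usize, 0);
 while (column < 4) : (column += 1) {
 const x = math.rotl(u32, state[column], 24);
@@ -249,15 +249,19 @@ pub const Aead = struct {
 in = in[State.RATE..];
 out = out[State.RATE..];
 }) {
-for (buf[0..State.RATE]) |*p, i| {
-p.* ^= in[i];
-out[i] = p.*;
+const d = in[0..State.RATE];
+for (d) |v, i| {
+buf[i] ^= v;
+}
+for (d) |_, i| {
+out[i] = buf[i];
 }
 state.permute();
 }
-for (buf[0..in.len]) |*p, i| {
-p.* ^= in[i];
-out[i] = p.*;
+const d = in[0..];
+for (d) |v, i| {
+buf[i] ^= v;
+out[i] = buf[i];
 }
 // XOR 1 into the next byte of the state
@@ -291,15 +295,19 @@ pub const Aead = struct {
 in = in[State.RATE..];
 out = out[State.RATE..];
 }) {
-for (buf[0..State.RATE]) |*p, i| {
-out[i] = p.* ^ in[i];
-p.* = in[i];
+const d = in[0..State.RATE].*;
+for (d) |v, i| {
+out[i] = buf[i] ^ v;
+}
+for (d) |v, i| {
+buf[i] = v;
 }
 state.permute();
 }
 for (buf[0..in.len]) |*p, i| {
-out[i] = p.* ^ in[i];
-p.* = in[i];
+const d = in[i];
+out[i] = p.* ^ d;
+p.* = d;
 }
 // XOR 1 into the next byte of the state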
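Review bot: The `.*` in `const d = in[0..State.RATE].*;` is what makes in-place decryption work — it copies the ciphertext block before `out[i] = buf[i] ^ v` can overwrite it when `out` aliases `in` — but nothing marks it as load-bearing, and the encrypt hunk above deliberately takes a plain slice (`const d = in[0..State.RATE];`), so a later "cleanup" for symmetry could drop it and silently reintroduce the bug this commit fixes. I'd put a comment on that line, e.g. `// Copy the block: out may alias in, and the state update below needs the original ciphertext bytes.` The same aliasing contract should be stated in the doc comments on `encrypt` and `decrypt` (their signatures are outside the hunk), including that buffers must be either identical or disjoint, since the per-element loops do not appear to handle partial overlap. A regression test that decrypts with the plaintext and ciphertext slices being the same buffer would catch this independently of the benchmark, which is currently the only thing exercising it. Minor style: `d` names a block in the full-block loop and a single byte in the tail loop (`const d = in[i];`), so a per-meaning name reads better; the enclosing function continues past the hunk.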