Review AES/GCM and ChaCha20+Poly1305 Audit by NCCGroup

[zer0x64]

NCCGroup recently did a formal audit of RustCrypto's AES/GCM and ChaCha20Poly1305 for MobileCoin and published the report here:
https://research.nccgroup.com/2020/02/26/public-report-rustcrypto-aes-gcm-and-chacha20poly1305-implementation-review/

There aren't any identified vulnerability, but there is a bunch of remarks that could help increase the performance of the implementations.

[tarcieri]

Yep. Some of them have already been addressed (we got early access to the audit): the buffering logic used by the ChaCha20 crate was completely rewritten to work more like the ctr crate.

The main other notable performance-related finding was in regard to the aes-soft crate: the bitslicing implementation is less efficient than it could be.

It'd be good to file an issue for aes-soft specifically, otherwise I believe all of the other findings have been addressed. Also note that the polyval crate now matches the ideal ASM.

[zer0x64]

I opened the issue for aes-soft here.
If all the other issues has already been addressed, I think you can close this one!

[tarcieri]

Fantastic, thanks!