Seems like an i386 issue, probably assuming a variable width incorrectly somewhere. Can reproduce the same issue with wine. Getting late here, so will fix this up tomorrow.

This looks like #537.

Feel free to disable the test for 32 bit windows. There are enough instances of this that we should probably remove 32 bit windows support from the readme and remove it from the test matrix, until we can pass all the tests.

@tiehuis
I'm trying to reproduce your findings here. I see that the nayuki page has a test harness for the C implementations. What did you do to come up with the zig numbers?

Ah, I found std/crypto/throughput_test.zig

I looked into this a little bit, and I noticed that the throughput test in zig was getting LTO (in the sense that we emit only a single LLVM module/ .o file) while the C benchmark had to make function calls across .o files. So I copied the sha256.c function into the test .c file and made all the functions static. This actually did not change the timings. I found that your zig implementation of sha256 generates 14% faster machine code.

I looked at a comparison of the assembly and it's hard to tell exactly what is different, but it appears that the zig implementation has slightly better instruction selection.

Your zig sha256 implementation is faster than the hand rolled assembly from the nayuki page.

• nayuki hand rolled x86_64 assembly sha256: 192.6 MB/s
• zig stdlib sha256 throughput test: 204 MB/s

The initial tests here I actually exported the zig functions with c bindings so the call overhead was the same.

I think I know what's going on. If you look at https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/sha-256-implementations-paper.pdf there's a section called "Optimizations with rorx". I believe that LLVM is able to come up with these optimizations with the zig implementation, but it somehow does not discover them with the clang implementation.