Multiply function could be 20% faster and smaller

[nickovs]

All of the constants needed by AES for the inversion of the MixColumns function fit in 4 bits, but both the function and macro versions of the Multiply() function support 5 bits. The size and performance of this could be improved by removing the case when ((y >>4) & 1) is set, since this can never happen with the constants used.

[nickovs]

I just noticed the comment about vectorisation and the last xtime() call making the code smaller. That said, given that the constants used in the multiplication are all small, you can efficiently separate the polynomial multiplication and polynomial reduction and handle the reduction using a tiny, 8 value lookup table. The code below significantly reduces the code size when MULTIPLY_AS_A_FUNCTION is defined (by more than 350 bytes on an Intel x64 CPU using gcc).

static const uint8_t poly_reduce_mask[8] = {0, 27, 54, 45, 108, 119, 90, 65};
static uint8_t Multiply(uint8_t x, uint8_t y)
{
  uint16_t r = ((y & 1) * x) ^ ((y & 2) * x) ^ ((y & 4) * x) ^ ((y & 8) * x);
  return (uint8_t)(r ^ poly_reduce_mask[r>>8]);
}

[skater-boy]

Tested on Cortex M0+ 32-bit microcontroller, gcc with -Os switch and got a 24 bytes reduction in the code size. Not huge reduction but I think to keep your suggestion.
Thanks