Re: [Cfrg] Benchmarks: 384 vs 389 vs Goldilocks vs ... on Haswell

Watson Ladd <> Wed, 31 December 2014 21:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A6C831A1AD9 for <>; Wed, 31 Dec 2014 13:01:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id md6gRyqN3H1t for <>; Wed, 31 Dec 2014 13:01:57 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c07::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BB9721A1AD8 for <>; Wed, 31 Dec 2014 13:01:56 -0800 (PST)
Received: by with SMTP id 9so7936621ykp.8 for <>; Wed, 31 Dec 2014 13:01:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=W8Kvb6cOcI7BEh8CDDgY8G3EezaQwkdAYQ4z9j0KpBc=; b=CZN+jHiQMuKTRkAyH/3PIvOB0yXQ4r8jLxSB2Kebq87Up6BgBVTmzcaKUS6eHD1Feo eWkUNKQysisLCqbTgd+HthaQLjnjJWvUULjg4kB/2JHzDGes0UOAkv6HOaZByGYG/b2r QGCiF7v7wjwmtolAdZg3RJnyCF5wrcfwQsLKL1QJ9hgIBAPmYIc/bCMmEPAFfrJvEi5m 2y+jdRDTuHyXkJQYAzceXSqiXqilyCcO/hzdy8PONrOcnljOT7yw1pywyzctKqeZ6+XD iFxt04NhwiK/Y1Ps+8mKo6Nc2TAxEN0vSk4bDiPjqeKgQlpxDzEnKVFEYee+bmoJz8U7 PCug==
MIME-Version: 1.0
X-Received: by with SMTP id h38mr2594577yhq.172.1420059715922; Wed, 31 Dec 2014 13:01:55 -0800 (PST)
Received: by with HTTP; Wed, 31 Dec 2014 13:01:55 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Wed, 31 Dec 2014 16:01:55 -0500
Message-ID: <>
From: Watson Ladd <>
To: "Paterson, Kenny" <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>
Subject: Re: [Cfrg] Benchmarks: 384 vs 389 vs Goldilocks vs ... on Haswell
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 31 Dec 2014 21:01:59 -0000

On Wed, Dec 31, 2014 at 3:01 PM, Paterson, Kenny
<> wrote:
> Hi Mike,
> Thanks a lot for doing this work, especially over the holiday season -
> it's much appreciated.
> My take-away from your work is that there's no strong reason (in
> performance terms) to prefer P389 over P384-mers or vice-versa - the 8-9%
> difference is there, yes, but could easily disappear or increase with
> further optimisations on either side.

Would you say the same about 2^255-19 vs 2^256-189? That also had a 8%
performance increase iirc, for very similar reasons.

 One could also try 2^382-31, which would be much more similar to the
gain at the lower security level.

Furthermore, if the faster one was more optimized, and the slower one
not as much, that would be a reasonable conclusion. But we are
comparing a C implementation written yesterday to a handwritten
assembler one, with the C outperforming the assembly. Now, with
SUPERCOP, we could measure the fastest one on each machine, across
compilers and implementations.  That unfortunately isn't going to
happen in time, and regrettably the NUMS group did not make ECClib
into a SUPERCOP submission earlier. Having screwed up plenty of
benchmarks myself through stupid things, SUPERCOP is a really good
idea to force oneself to measure the right thing.

There is a theoretical reason to think that a carryless prime will
outperform a slightly larger packed one, and that is the algorithm one
uses for packed arithmetic will work with any c that isn't bigger than
the word, so the packed implementation could be adapted for the
unpacked case.

Watson Ladd

> Does that seem fair to you? Please feel free to give an alternative
> interpretation if you like.
> Regards,
> Kenny
> On 29/12/2014 23:14, "Mike Hamburg" <> wrote:
>>Hi all,
>>The chairs requested that I implement and benchmark 2^389 - 21, suggested
>>by Ilari.
>>I've benchmarked several primes that have been discussed on this list.  I
>>used a Haswell machine running Linux test everything, including MSR
>>ECCLib 1.1.  Cycle counts for mul/sqr:
>>MSR ECCLib (all asm, but no BMI2):
>>P256-mers: M = 59.2, S = 47.8.
>>P384-mers: M = 117.5, S = 89.8.
>>P512-mers: M = 199.9, S = 140.6.
>>My code (C with BMI2 mul+acc intrinsics):
>>P389: M = 112.5, S = 75.5.
>>Goldilocks P448: M = 118.0, S = 88.9.
>>Ridinghood P480: M = 118.2, S = 89.1.
>>NIST P521: M = 145.5, S = 110.7.
>>With this machine/compiler combination, 2^389 - 21 is showing at about
>>8-9% faster than MSR 384-mers and Goldilocks, which are within 0.1% of
>>each other.
>>Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz .
>>Ubuntu clang version 3.5-1ubuntu1 (trunk) (based on LLVM 3.5)
>>Target: x86_64-pc-linux-gnu
>>Thread model: posix
>>* All benchmarks computed by timing and multiplying by 3.5932GHz, since
>>that's what calib() spat out.
>>* The P389 code is mul-after-add clean.  I did this by multiplying the
>>arguments to a multiply separately by 8 and 21.  The code without this
>>feature is marginally (<1%) faster.
>>* I haven't tested the correctness of the P389 code, nor have I built it
>>into a curve.  So sue me, I'm on vacation.
>>* ECCLib, P389*, P448: 10^8 trials, noinline'd functions, 32-byte-aligned
>>stack buffers, no dependencies in the multiplications.  TurboBoost and
>>HyperThreading disabled.  Benchmarks are stable to about 3 significant
>>* P480, P521, because I'm lazy: Goldilocks `make bench`, 10^8/2 trials,
>>noinlined functions, 32-byte-aligned stack buffers, no dependencies.
>>Almost exactly
>> consistent when benchmarking P448.
>>* For MSR ECCLib I called directly into ecc384.o's functions, using the
>>same benchmarking framework code as for P389.
>>* Earlier, offlist testing on a Haswell MacBook Air showed about a 2%
>>advantage to 2^389 - 21 instead of 8%.  The code improvements to P389
>>since then are not sufficient to explain the better results: they are
>>apparently machine/compiler dependent.  I thought
>> that Clang 3.5 might be responsible, since I've seen performance
>>differences in arithmetic code with it.  But clang-3.3, 3.4 and 3.5 all
>>give similar results for those primes.  GCC 4.9 gives slightly worse
>>results for everything but the MSR asm code.
>>* The P389 code is probably less tuned than its competitors. The MS code
>>is written in pure asm, but it doesn't take advantage of BMI2.  The
>>Goldilocks and P389 code are C with an asm multiply/accumulate intrinsic,
>>but I spent more time tuning the Goldilocks
>> code.
>>* The Ridinghood code is the same as the Goldilocks code with different
>>shift constants.  The P-521 code is the arch_x86_64_r12 version, using 9
>>limbs vector-aligned to a 12-word structure.
>>* I have no data about 2^389 - 21 on other platforms, but offlist
>>discussions suggest that it will be OK, if perhaps annoying to implement,
>>on 32-bit platforms.
>>-- Mike
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin