Re: [Cfrg] Timing of libsodium, curve25519-donna, MSR ECCLib, and openssl-master

Andrey Jivsov <crypto@brainhub.org> Thu, 09 October 2014 05:03 UTC

Message-ID: <543616FF.4010503@brainhub.org>
Date: Wed, 08 Oct 2014 22:02:55 -0700
From: Andrey Jivsov <crypto@brainhub.org>
To: Michael Hamburg <mike@shiftleft.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/ldWr8lfpj-oyrR4vy6v9TSTskGU
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Timing of libsodium, curve25519-donna, MSR ECCLib, and openssl-master

On 10/08/2014 07:05 PM, Michael Hamburg wrote:
> Whoa, they improved the performance by 50% since the paper and initial patch?!

On 09/03/2014 I reported a 40% advantage of Curve25519-donna 
(17384.8/12348.9=1.40). Now it's 14% (17383.6/15168.1=1.146). That's on 
an AVX2 machine.

On my older i5 machine (not an AVX2 machine) the ratio is also improved. 
With the same instructions as quoted below:

was 14131.5/5231.7=2.7 (reported on 09/03/2013)
now: 14251.3/11105.2=1.27
(apparently due to Montgomery-style assembler code specialized for P-256 
prime)

This is even more interesting. These performance improvements 
apparently cover most x86 CPUs in use today, clients and servers.

>
>> On Oct 8, 2014, at 6:01 PM, Andrey Jivsov <crypto@brainhub.org> wrote:
>>
>> Now that the P-256 enhancements are in the OpenSSL tree, let commands speak for themselves.
>>
>> Type in a Linux terminal on a Haswell machine (no HT, no SpeedStep/Turboboost) and observe:
>>
>> 1. P-256:
>>
>> $ git clone git://git.openssl.org/openssl.git A
>> $ cd A
>> $ ./config
>> $ make && apps/openssl speed ecdhp256
>>
>> 15078.1 op/s
>>
>> 2. X25519:
>>
>> $ git clone https://github.com/brainhub/curve25519-donna.git B
>> $ cd B
>> $ make speed-curve25519-donna-c64 && ./speed-curve25519-donna-c64
>>
>> 17289.4 op/s
>>
>> -----------------------------
>>
>> 17383.6 / 15168.1 = 14.6% faster
>>
>> The difference is about the cost of point decompression/coordinate conversion (e.g. Edwards coordinate conversion to Montgomery + point multiplication would have about the same performance as P-256 point multiplication).
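
The Edwards-to-Montgomery coordinate conversion mentioned in the quoted message, as an added example that is not part of the original thread or of either benchmarked code base. It uses the standard birational map for Curve25519, u = (1 + y) / (1 - y) mod p, whose cost is one field inversion; all function names are hypothetical.

```python
# Added illustration; not code from the thread, OpenSSL, or curve25519-donna.
P = 2**255 - 19  # field prime shared by Ed25519 and X25519


def inv(x: int) -> int:
    """Field inversion via Fermat's little theorem. This single modular
    exponentiation is the dominant cost of the coordinate conversion."""
    return pow(x % P, P - 2, P)


def decode_edwards_y(encoded: bytes) -> int:
    """Extract y from a 32-byte Ed25519 point encoding (little-endian y,
    sign of x in the top bit). Non-canonical values y >= p are rejected."""
    if len(encoded) != 32:
        raise ValueError("Ed25519 point encodings are 32 bytes")
    y = int.from_bytes(encoded, "little") & ((1 << 255) - 1)
    if y >= P:
        raise ValueError("non-canonical y coordinate")
    return y


def edwards_y_to_montgomery_u(y: int) -> int:
    """Birational map u = (1 + y) / (1 - y) mod p."""
    if y == 1:
        # Edwards identity (0, 1): the denominator is zero, so there is
        # no affine Montgomery u. Fail closed instead of returning 0.
        raise ValueError("identity point has no affine Montgomery u")
    return (1 + y) * inv(1 - y) % P


def montgomery_u_to_edwards_y(u: int) -> int:
    """Inverse map y = (u - 1) / (u + 1) mod p."""
    if u == P - 1:
        raise ValueError("u = -1 has no Edwards image")
    return (u - 1) * inv(u + 1) % P


def ed25519_point_to_x25519_u(encoded: bytes) -> bytes:
    """Convert an encoded Edwards point to a 32-byte X25519 u-coordinate."""
    u = edwards_y_to_montgomery_u(decode_edwards_y(encoded))
    return u.to_bytes(32, "little")


# The Ed25519 base point (y = 4/5 mod p) in its standard encoding.
ED25519_BASE = bytes.fromhex("58" + "66" * 31)
```
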