Re: [Cfrg] Timing of libsodium, curve25519-donna, MSR ECCLib, and openssl-master

Watson Ladd <watsonbladd@gmail.com> Thu, 09 October 2014 05:05 UTC

In-Reply-To: <543616FF.4010503@brainhub.org>
References: <53F0010B.6080101@brainhub.org> <CD159876-F061-4EB8-B1DC-FAB8E4798E26@shiftleft.org> <53F108CF.4040704@brainhub.org> <53F18607.3000005@brainhub.org> <5406C23E.80205@brainhub.org> <5407C176.3000109@brainhub.org> <5435DE66.7080803@brainhub.org> <29E067B7-C1F3-427C-8E4A-14F2096A71E4@shiftleft.org> <543616FF.4010503@brainhub.org>
Date: Wed, 08 Oct 2014 22:05:48 -0700
Message-ID: <CACsn0cnDKbiHjjOAAC_xb8bseCLHoS8bKExutMC5DKk8utYVjQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Andrey Jivsov <crypto@brainhub.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/oXyjeTzWEAgaJPm8BwFaI0s8Pf4
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Timing of libsodium, curve25519-donna, MSR ECCLib, and openssl-master

On Wed, Oct 8, 2014 at 10:02 PM, Andrey Jivsov <crypto@brainhub.org> wrote:
> On 10/08/2014 07:05 PM, Michael Hamburg wrote:
>>
>> Whoa, they improved the performance by 50% since the paper and initial
>> patch?!
>
>
> on 09/03/2014 I reported 40% advantage of Curve25519-donna
> (17384.8/12348.9=1.40). Now it's 14% (17383.6/15168.1=1.146). That's on an
> AVX2 machine.
>
> On my older i5 machine (not an AVX2 machine) the ratio is also improved.
> With the same instructions as quoted below:
>
> was 14131.5/5231.7=2.7 (reported on 09/03/2013)
> now: 14251.3/11105.2=1.27
> (apparently due to Montgomery-style assembler code specialized for P-256
> prime)
>
> This is even more interesting. These performance improvements apparently
> cover most of x86 CPUs in use today, clients and servers.

Wouldn't the speedups from reducing the number of field operations by
changing the curve shape stack on top of these? I don't really see the
relevance to picking which wire format to use.

>
>
>>
>>> On Oct 8, 2014, at 6:01 PM, Andrey Jivsov <crypto@brainhub.org> wrote:
>>>
>>> Now that the P-256 enhancements are in the OpenSSL tree, let commands
>>> speak for themselves.
>>>
>>> Type in a Linux terminal on a Haswell machine (no HT, no
>>> SpeedStep/Turboboost) and observe:
>>>
>>> 1. P-256:
>>>
>>> $ git clone git://git.openssl.org/openssl.git A
>>> $ cd A
>>> $ ./config
>>> $ make && apps/openssl speed ecdhp256
>>>
>>> 15078.1 op/s
>>>
>>> 2. X25519:
>>>
>>> $ git clone https://github.com/brainhub/curve25519-donna.git B
>>> $ cd B
>>> $ make speed-curve25519-donna-c64 && ./speed-curve25519-donna-c64
>>>
>>> 17289.4 op/s
>>>
>>> -----------------------------
>>>
>>> 17383.6 / 15168.1 = 14.6% faster
>>>
>>> The difference is about the cost of point decompression/coordinate
>>> conversion (e.g. Edwards coordinate conversion to Montgomery + point
>>> multiplication would have about the same performance as P-256 point
>>> multiplication).
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> http://www.irtf.org/mailman/listinfo/cfrg



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
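Added example, not part of the thread and not code from curve25519-donna, OpenSSL or MSR ECCLib: a reference X25519 in Python that runs the RFC 7748 Montgomery ladder and tallies the field operations it performs, which makes the "number of field operations" in Watson's reply concrete. Per scalar bit the ladder costs 5 multiplications, 4 squarings and 1 multiplication by a24 = 121665, plus one inversion at the end; P-256 point multiplication on a short Weierstrass curve has a different per-bit count, which is the sense in which curve shape changes the total. The RFC 7748 section 5.2 vectors are the known-answer checks. The ops_per_second timer only mirrors the shape of the `openssl speed` runs quoted above: pure-Python big-integer arithmetic is neither fast nor constant-time, so its op/s are not comparable with the thread's figures and the branch-free cswap is structural only.

```python
"""Reference X25519 (RFC 7748 ladder) with field-op counting and a timer.
Added example; not library code, and not constant-time (Python big ints)."""
import time

P = 2**255 - 19                        # field prime of Curve25519
A24 = 121665                           # (486662 - 2) / 4, ladder constant
BASE_U = (9).to_bytes(32, "little")    # u-coordinate of the base point

# Known-answer data from RFC 7748 section 5.2 (published, not constructed).
RFC_SCALAR = bytes.fromhex(
    "a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4")
RFC_U = bytes.fromhex(
    "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c")
RFC_OUT = "c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552"
RFC_ITER1 = "422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079"

class OpCount:
    """Tally of field multiplications M, squarings S, a24-mults C, inversions I."""
    def __init__(self):
        self.M = self.S = self.C = self.I = 0

def fmul(a, b, c):
    c.M += 1
    return (a * b) % P

def fsqr(a, c):
    c.S += 1
    return (a * a) % P

def fmul_a24(a, c):
    c.C += 1                 # multiply by a small constant, cheaper than M
    return (A24 * a) % P

def finv(a, c):
    c.I += 1                 # Fermat inversion, counted as one I
    return pow(a, P - 2, P)

def decode_scalar(k):
    k = bytearray(k)
    k[0] &= 248              # clamp: clear the low 3 bits
    k[31] &= 127             # clear bit 255
    k[31] |= 64              # set bit 254
    return int.from_bytes(k, "little")

def decode_u(u):
    u = bytearray(u)
    u[31] &= 127             # mask the unused top bit, as the RFC requires
    return int.from_bytes(u, "little") % P

def cswap(swap, a, b):
    # Branch-free arithmetic swap mirroring RFC 7748; structural only here.
    mask = (-swap) & ((1 << 256) - 1)
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy

def x25519(k, u, c=None):
    """Scalar multiplication on the Montgomery u-line; returns 32 bytes."""
    c = c if c is not None else OpCount()
    k, x1 = decode_scalar(k), decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):          # 255 ladder steps, one per bit
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = fsqr(a, c), fsqr(b, c)
        e = (aa - bb) % P
        da = fmul((x3 - z3) % P, a, c)
        cb = fmul((x3 + z3) % P, b, c)
        x3 = fsqr((da + cb) % P, c)
        z3 = fmul(x1, fsqr((da - cb) % P, c), c)
        x2 = fmul(aa, bb, c)
        z2 = fmul(e, (aa + fmul_a24(e, c)) % P, c)
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return fmul(x2, finv(z2, c), c).to_bytes(32, "little")

def ladder_cost():
    """Field-operation tally (M, S, C, I) for one X25519."""
    c = OpCount()
    x25519(RFC_SCALAR, RFC_U, c)
    return c.M, c.S, c.C, c.I

def ops_per_second(fn, iterations=20):
    """Crude throughput timer in the spirit of `openssl speed`."""
    t0 = time.perf_counter()
    for _ in range(iterations):
        fn()
    return iterations / (time.perf_counter() - t0)

def self_test():
    """Known-answer checks against RFC 7748 section 5.2."""
    return (x25519(RFC_SCALAR, RFC_U).hex() == RFC_OUT
            and x25519(BASE_U, BASE_U).hex() == RFC_ITER1)

if __name__ == "__main__":
    assert self_test()
    print("field ops per X25519 (M, S, a24, inv):", ladder_cost())
    print("pure-Python X25519: %.0f op/s" % ops_per_second(lambda: x25519(RFC_SCALAR, RFC_U)))
```

Running it prints the tally (1276, 1020, 255, 1): 255 steps of 5M + 4S + 1 a24-mult, one final multiplication and one inversion. A ratio such as the 17383.6 / 15168.1 quoted above compares two libraries' op/s on the same machine; the tally is what stays fixed across implementations of the same ladder and is where a change of curve shape or coordinate system would show up.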