Support for CPU instructions for hardware-accelerated SHA

[GamePad64]

I haven't found this in issue list. Two years ago Intel announced new assembler instructions, that could assist computing SHA-1 and SHA-256. There are not much Skylake CPU's on the market, but all new Intel processors will support these instructions as well. Is there any way to support such hardware acceleration? (I am not an assembler guy, so I can't make a PR)

[DevJPM]

Skylake doesn't support the Intel SHA-Extensions.

This article0 and Wikipedia1 confirm this.

Am 21.02.2016 um 05:24 schrieb Alexander Shishenko:

I haven't found this in issue list. Two years ago Intel announced new
assembler instructions, that could assist computing SHA-1 and SHA-256
https://software.intel.com/en-us/articles/intel-sha-extensions.
There are not much Skylake CPU's on the market, but all new Intel
processors will support these instructions as well. Is there any way
to support such hardware acceleration? (I am not an assembler guy, so
I can't make a PR)

[GamePad64]

Oh, I see, thanks! So, this is not really urgent for now. Maybe, it is worth leaving this feature in a wishlist?

[noloader]

What are you guys seeing in the field?

I see a lot of ARM Neon in mobile, so I know there's a [relatively] strong case for AES and SHA on the devices.

I was recently talking to Wei about VIA Padlock RNG, AES and SHA instructions. I'm almost afraid to make non-trivial changes to Rijndael because its so complicated. I'm kind of afraid of knocking something loose. The SHA files are quickly getting to the same state as Rijndael/AES.

[pavel-odintsov]

What about Intel Quick Assist acceleration cards? They has SHA instructions enabled.

[noloader]

@pavel-odintsov - For the QuickAssist 8920 Adapter, I think we would need engine support. We don't have that at the moment, but its on my radar. If we did have engine support, then I can't really say what else we would need since I've never worked with one.

At $775 per item, we probably won't support it. I buy our testing gear out of my own pocket, the boards are kind of pricey, and there's little ROI for the project. I think the money is better spent on commodity processors or different IoT gadgets since it benefits more people. That could change if Intel shipped me a card.

[noloader]

I think Intel CPUs with SHA extensions hit the market recently. It looks like processors which support it are Goldmont microarchitecture:

• Pentium J4205 (desktop)
• Pentium N4200 (mobile)
• Celeron J3455 (desktop)
• Celeron J3355 (desktop)
• Celeron N3450 (mobile)
• Celeron N3350 (mobile)

I looked through offerings at Amazon for machines with the architecture or the processor numbers, but I did not find any available (yet). I believe Acer had one laptop expected to be available in December 2016 that would meet testing needs.

We added runtime CPU feature detection at Commit ac01277d93636cd7. It will be available in the release ZIP that follows 5.6.5.

[noloader]

We picked up a Celeron J3455. The commits of interest are:

• Commit 6970ef702d8615ad, Add Intel SHA1 code generation tests
• Commit 7ab9b00f909b823f, Add Intel SHA1 extension support
• Commit 315b4b0b3e7b50af, Add Intel SHA256 code generation tests
• Commit cce56d3f79f73933, Add Intel SHA256 extension support

SHA1 was clocking around 9.5 cycles per byte (cpb) for the straight CXX implementation. Using the SHA1 extensions, its running around 2.7 cpb. SHA256 was running around 19.5 cpb using SSE2 ASM. Using the SHA256 extensions, its running around 3.9 cpb.

I suspect the results are skewed because the Celerons use TurboBoost. However, all the measurements were taken from the same machine, so the skewing among results should be consistent.

[noloader]

Closing the report. We now utilize SHA acceleration for the platforms we support (Intel and ARM).

If I can get my hands on some of the other boards, like the Intel one discussed earlier, then I'd be happy to revisit.

[Katharsas]

Do you support AMD Zen SHA acceleration too?

[noloader]

Do you support AMD Zen SHA acceleration too?

Yes. From cpu.cpp : 270:

else if (IsAMD(cpuid0))
{
    CRYPTOPP_CONSTANT(RDRAND_FLAG = (1 << 30))
    CRYPTOPP_CONSTANT(RDSEED_FLAG = (1 << 18))
    CRYPTOPP_CONSTANT(   ADX_FLAG = (1 << 19))
    CRYPTOPP_CONSTANT(   SHA_FLAG = (1 << 29))

    CpuId(0x80000005, 0, cpuid2);
    g_cacheLineSize = GETBYTE(cpuid2[2], 0);
    g_hasRDRAND = (cpuid1[2] /*ECX*/ & RDRAND_FLAG) != 0;

    if (cpuid0[0] /*EAX*/ >= 7)
    {
        if (CpuId(7, 0, cpuid2))
        {
            g_hasRDSEED = (cpuid2[1] /*EBX*/ & RDSEED_FLAG) != 0;
            g_hasADX = (cpuid2[1] /*EBX*/ & ADX_FLAG) != 0;
            g_hasSHA = (cpuid2[1] /*EBX*/ & SHA_FLAG) != 0;
        }
    }
}