Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

field: Use fiat-crypto #21

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

field: Use fiat-crypto #21

wants to merge 1 commit into from

Conversation

Yawning
Copy link

@Yawning Yawning commented Jul 31, 2021
edited

Since I'm experimenting with this for my library, I figured I would try it with this one as well, to see how difficult it would be. Note that I was lazy and didn't bother fixing the field sub-package tests since this is more of an experiment/food-for-thought branch than anything else.

Numbers taken on an i7-8565U with turbo and SMT disabled, using go1.17beta1 as the compiler.

name \ time/op                 baseline     baseline-purego  fiat
MultiScalarMultSize8-4          410µs ± 0%       543µs ± 0%   476µs ± 0%
ScalarBaseMult-4               34.6µs ± 0%      44.7µs ± 0%  40.2µs ± 0%
ScalarMult-4                    115µs ± 0%       160µs ± 0%   127µs ± 0%
VarTimeDoubleScalarBaseMult-4   109µs ± 0%       155µs ± 0%   117µs ± 0%

"baseline" is the existing code, with the assembly language routines. "baseline-purego" is the existing code, with purego set to disable assembly, "fiat" is the fiat-crypto branch. For clarity's sake, comparing the existing code with assembly, to just using fiat looks like this:

name                           old time/op  new time/op  delta
MultiScalarMultSize8-4          410µs ± 0%   476µs ± 0%  +15.92%  (p=0.008 n=5+5)
ScalarBaseMult-4               34.6µs ± 0%  40.2µs ± 0%  +16.20%  (p=0.008 n=5+5)
ScalarMult-4                    115µs ± 0%   127µs ± 0%  +10.62%  (p=0.008 n=5+5)
VarTimeDoubleScalarBaseMult-4   109µs ± 0%   117µs ± 0%   +7.48%  (p=0.008 n=5+5)

X25519 performance would be worse because Mult32 no longer is special cased (solved by adding Element.Mult121666 backed by CarryScmul121666). I haven't looked at how you implemented the ladder in x/crypto, but leveraging the fact that fiat's CarryMul and CarrySquare calls can take LooseFieldElements a's inputs will also shave off some reductions, though if to decide to do that it's easiest to use the raw fiat routines instead of the field abstraction.

[0]: Regarding CLA stuff if it comes up, I'll need to bother work again.. I asked about that the last time, and my inquiry disappeared into the bureaucratic black-hole.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@Yawning