Skip to content

non-temporal aes-gcm engine#384

Merged
kazuho merged 52 commits into
masterfrom
kazuho/fastls
Jun 30, 2022
Merged

non-temporal aes-gcm engine#384
kazuho merged 52 commits into
masterfrom
kazuho/fastls

Conversation

@kazuho

@kazuho kazuho commented May 1, 2022
edited
Loading

Copy link
Copy Markdown
Member

This PR implements "non-temporal aes-gcm" engine, that uses non-temporal store instructions when emitting encrypted bytes.

ToDo:

  • Add more tests (like unaligned output).
  • Use 256-bit AESNI / CLMUL instructions when available (Zen 3).
  • Suppress false positives found by ASAN. The engine works on 64-byte lines. If either edge of the supplied output buffer is not aligned to 64-byte, the engine reads the 64-byte line covering the edge, modifies the necessary bytes, then write back the entire line.
  • Implement decrypt side. It's a bit slower than OpenSSL with GCC, bit faster with clang.

Builds on top of #385.

non-temporal aes-gcm engine (encrypt; commit 9f8e12ae)

Older result: as of e0caecc, aes128gcm (16KB block) throughput, compared to openssl (ubuntu 20.04):

gcc (nt on) gcc (nt off1) clang (nt on) clang (nt off)
Core i5 9400 84.1% 95.8% 91.1% 92.2%
Ryzen 7 4750G 97.9% 101.8% 97.3% 101.2%

*: "nt off" indicates that non-temporal store instructions (_mm_stream_si256) were replaced by ordinary stores (_mm_store_si256).

@kazuho kazuho mentioned this pull request May 1, 2022
Merged
@kazuho kazuho changed the base branch from master to kazuho/vectorized May 1, 2022 06:03
huitema
huitema reviewed May 1, 2022
View reviewed changes

@huitema huitema left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe split this PR in two? First, do the API changes in struct st_ptls_aead_context_t, including the changes in the bcrypt library, and then, add the support for fastls?

Comment thread include/picotls.h
@kazuho

kazuho commented May 1, 2022

Copy link
Copy Markdown
Member Author

Maybe split this PR in two? First, do the API changes in struct st_ptls_aead_context_t, including the changes in the bcrypt library, and then, add the support for fastls?

Right. I opened the PRs in the wrong order, but #385 is supposed to do that.

kazuho added 21 commits May 2, 2022 11:51
@kazuho
9-th gen Core, slowdown is 6% compared to fusion, when mm256_store is…
791036a 
… used
@kazuho
this helps on gcc
59983e9
@kazuho
gcc 9.4 (ubuntu 20.04) cannot detect this transformation
e0caecc
@kazuho
Merge branch 'master' into kazuho/fastls
7c0fc38
@kazuho
disable address sanitization of fastly_encrypt_v, as it overwrites …
8b9cd57 
…64B lines
@kazuho
wip
122a334
@kazuho
more space, to suppress out-of-bounds read warning
700beb9
@kazuho
no pointer arithmetic on void *
7a0685d
@kazuho
Merge branch 'master' into kazuho/fastls
608b16e
@kazuho
Merge branch 'master' into kazuho/fastls
34037b9
@kazuho
oops
65f3b13
@kazuho
no need to check; bytes_copied + srclen is guaranteed to be less than…
86aa4f6 
… 6 * 16
@kazuho
We need this - srclen can increase when switching to the next vector …
fa3cd32 
…(revert prev commit)

This reverts commit 86aa4f6.
@kazuho
make sure ek0 is encrypted in the main loop
3b2ab61
@kazuho
oops
9430f84
@kazuho
remove needless if
4f6bcae
@kazuho
add compile options for 256-bit-wide aesgcm
204e765
@kazuho
aes-gcm using 256-bit insns
680ce18
@kazuho
update copyright
d1a0912
@kazuho
less sexy name
34e9b2d
@kazuho
oops again
0a8330b
kazuho added 12 commits May 10, 2022 08:11
@kazuho
windows does not like = {}
6144b4f
@kazuho
Use dedicated types, as ASAN does not understand flexibly arrays insi…
07f37c2 
…de union. It's annoying, but using separate types makes the code safer
@kazuho
we do out-of-bounds access within the same page directly, which asan …
196e477 
…complains
@kazuho
extract "unsafe" logic
13ced82
@kazuho
retain the attribute, as we write to output adjusted to out-of-bounds
4543982
@kazuho
turn fusion off on platform that does not have GCC with support for v…
2344f27 
…aes, vpclmulqdq
@kazuho
decoder works
2094f78
@kazuho
use avx256 instructions for load, store, xor
5f76ffc
@kazuho
full matrix testing
b93d856
@kazuho
teach GCC that xor should not be delayed across multiple steps of gfm…
9f8e12a 
…ul, as that causes spills. Works better for encrypt_v128
@kazuho
revert to the simple method; previous method (using 256-bit registers…
908f00a 
… for xor as well as retaining 96-bytes of encrypted bytes) was better but GCC can no longer reorder much
@kazuho
expansion should retain 32-byte alignment
688d70c
@kazuho kazuho marked this pull request as ready for review May 11, 2022 05:04
@kazuho kazuho mentioned this pull request May 11, 2022
Merged
3 tasks
kazuho added a commit to h2o/quicly that referenced this pull request May 11, 2022
@kazuho
adopt h2o/picotls#384
a933e96
@kazuho kazuho mentioned this pull request May 11, 2022
Merged
@kazuho kazuho changed the base branch from kazuho/vectorized to master June 27, 2022 02:54
@kazuho kazuho merged commit 57d4ec5 into master Jun 30, 2022
@kazuho kazuho mentioned this pull request Jul 6, 2022
Merged
@huitema huitema mentioned this pull request Jul 9, 2022
Closed
@kazuho kazuho mentioned this pull request Jul 11, 2022
Closed
@gfx gfx mentioned this pull request Jul 27, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@huitema huitema huitema left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kazuho @huitema