Skip to content

8329538: Accelerate P256 on x86_64 using Montgomery intrinsic #18583

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 17 commits into from
Closed

8329538: Accelerate P256 on x86_64 using Montgomery intrinsic #18583

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
e36a552
rebase
vpaprotsk Sep 26, 2023
6285a33
conditionalAssign intrinsic
vpaprotsk Oct 10, 2023
c431528
Address comments from Anas and thorough cleanup
vpaprotsk Feb 19, 2024
bc8d611
Fix rebase typo
vpaprotsk Mar 26, 2024
7bf06b7
Remeasure performance
vpaprotsk Mar 29, 2024
dbe6cd3
remove trailing whitespace
vpaprotsk Apr 2, 2024
82b6dae
remove use of jdk.crypto.ec
vpaprotsk Apr 2, 2024
6f9ac04
Comments from Jatin and Tony
vpaprotsk Apr 15, 2024
c93a71f
Comments from Tony and Jatin
vpaprotsk Apr 24, 2024
a198450
whitespace
vpaprotsk Apr 25, 2024
8ff243a
Use AffinePoint to exit Montgomery domain
vpaprotsk May 6, 2024
1ecfdc4
whitespace
vpaprotsk May 9, 2024
83b2131
add message back
vpaprotsk May 10, 2024
8cd095d
whitespace
vpaprotsk May 10, 2024
5c360e3
comments from Sandhya
vpaprotsk May 17, 2024
df4fe6f
shenandoah verifier
vpaprotsk May 17, 2024
b1a3300
Merge remote-tracking branch 'origin/master' into ecc-montgomery
vpaprotsk May 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 8 additions & 6 deletions src/hotspot/cpu/x86/stubGenerator_x86_64_poly_mont.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -369,7 +369,7 @@ address StubGenerator::generate_intpoly_assign() {
__ negq(set);
__ kmovql(select, set);

// NOTE!! Allowed to branch on number of limbs;
// NOTE! Crypto code cannot branch on user input. However; allowed to branch on number of limbs;
// Number of limbs is a constant in each IntegerPolynomial (i.e. this side-channel branch leaks
// number of limbs which is not a secret)
__ cmpl(length, 5);
Expand All @@ -383,15 +383,17 @@ address StubGenerator::generate_intpoly_assign() {
__ cmpl(length, 19);
__ jcc(Assembler::equal, L_Length19);

// Default copy loop
__ bind(L_DefaultLoop);
// Default copy loop (UNLIKELY)
__ cmpl(length, 0);
__ jcc(Assembler::less, L_Done);
__ jcc(Assembler::lessEqual, L_Done);
__ bind(L_DefaultLoop);
assign_scalar(Address(aLimbs, 0), Address(bLimbs, 0), set, tmp, _masm);
__ subl(length, 16);
__ subl(length, 1);
__ lea(aLimbs, Address(aLimbs,8));
__ lea(bLimbs, Address(bLimbs,8));
__ jmp(L_DefaultLoop);
__ cmpl(length, 0);
__ jcc(Assembler::greater, L_DefaultLoop);
__ jmp(L_Done);

__ bind(L_Length5); // 1 + 4
assign_scalar(Address(aLimbs, 0), Address(bLimbs, 0), set, tmp, _masm);
Expand Down
42 changes: 20 additions & 22 deletions src/java.base/share/classes/sun/security/ec/ECOperations.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -202,23 +202,17 @@ public static boolean allZero(byte[] arr) {
* @return the product
*/
public MutablePoint multiply(AffinePoint affineP, byte[] s) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like there could be some combining of both multiply(). If multiply(AffinePoint, ...) is called, it can call DefaultMultiplier with the affineP, but internally call the other multiply(ECPoint, ...) for the other situations. I'd rather not have two methods doing most of the same code, but different methods.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, they indeed look identical, didnt notice. Fixed. (repeated the same hashmap refactoring and didnt notice I produced identical code twice)

// Route to Basepoint and/or Montgomery pointMultiply as appropriate

ECPoint ecPoint = affineP.toECPoint();
PointMultiplier multiplier = null;
if (!(b.getField() instanceof IntegerMontgomeryFieldModuloP)) {
multiplier = new DefaultMultiplier(this, affineP);
} else if (ecPoint.equals(Secp256R1GeneratorMontgomeryMultiplier.generator)) {
// Lazy class loading upon function call (large static constant table)
multiplier = Secp256R1GeneratorMontgomeryMultiplier.multiplier;
} else {
// affineP is in residue domain, use ecPoint to get domain conversion
multiplier = new DefaultMontgomeryMultiplier(this, ecPoint);
}

return multiplier.pointMultiply(s);
return multiply(affineP.toECPoint(), s);
}

/**
* Multiply an affine ecpoint point by a scalar and return the result as a mutable
* point.
*
* @param affineP the point
* @param s the scalar as a little-endian array
* @return the product
*/
public MutablePoint multiply(ECPoint ecPoint, byte[] s) {
// Route to Basepoint and/or Montgomery pointMultiply as appropriate

Expand Down Expand Up @@ -285,8 +279,15 @@ private void setDouble(ProjectivePoint.Mutable p, MutableIntegerModuloP t0,

}

/*
* public Point addition. Used by ECDSAOperations
/**
* Adds second Mutable (Projective) point to first.
*
* Used by ECDSAOperations. This method constructs new temporaries each time
* it is called. For better efficiency, the (private) method that reuses temporaries
* should be used if more than one sum will be computed.
*
* @param p first point and result
* @param p2 second point to add
*/
public void setSum(MutablePoint p, MutablePoint p2) {
IntegerModuloP zero = p.getField().get0();
Expand Down Expand Up @@ -464,13 +465,11 @@ private static void lookup(

sealed static abstract class SmallWindowMultiplier implements PointMultiplier
permits DefaultMultiplier, DefaultMontgomeryMultiplier {
private final AffinePoint affineP;
private final ECOperations ecOps;
private final ProjectivePoint.Immutable[] pointMultiples;

protected SmallWindowMultiplier(ECOperations ecOps, AffinePoint affineP) {
this.ecOps = ecOps;
this.affineP = affineP;

// Precompute and cache point multiples
this.pointMultiples = new ProjectivePoint.Immutable[16];
Expand Down Expand Up @@ -555,6 +554,8 @@ sealed static abstract class P256LargeTableMultiplier implements PointMultiplier
private final ImmutableIntegerModuloP zero;
private final ImmutableIntegerModuloP one;
private final ECOperations secp256r1Ops;
private final ProjectivePoint.Immutable[][] points;
private final BigInteger[] base;

public ProjectivePoint.Mutable pointMultiply(byte[] s) {
MutableIntegerModuloP t0 = zero.mutable();
Expand Down Expand Up @@ -589,8 +590,6 @@ private static int bit(byte[] k, int i) {
return (k[i >> 3] >> (i & 0x07)) & 0x01;
}

private final ProjectivePoint.Immutable[][] points;

protected P256LargeTableMultiplier(ECOperations secp256r1Ops, IntegerFieldModuloP field, PointMultiplier smallTableMultiplier) {
zero = field.get0();
one = field.get1();
Expand Down Expand Up @@ -665,7 +664,6 @@ protected P256LargeTableMultiplier(ECOperations secp256r1Ops, IntegerFieldModulo
}
}

private final BigInteger[] base;
protected void verifyTables(PointMultiplier multiplier) {
for (int d = 0; d < 4; d++) {
for (int w = 0; w < 16; w++) {
Expand Down