Optimize SM2 on aarch64

[xu-yi-zhou]

This patch optimizes SM2 for ARM processor using A64 instruction and precomputation table, which can speed up SM2 sign about 10 times and SM2 verify about 3 times. A new configure option no-sm2-precomp has been added to disable the precomputed table for point multiplicatin of the base point.

Perf data on Kunpeng-920 2.6GHz hardware looks like this:

	sign	verify	sign/s	verify/s
Before	0.0004s	0.0004s	2438.2	2460.9
After	0.0000s	0.0001s	27137.4	7434.0
After (no-sm2-precomp)	0.0001s	0.0002s	7745.5	4411.2

Signed-off-by: Xu Yizhou xuyizhou1@huawei.com

Checklist

• documentation is added or updated

[zzl360]

any benchmark data?

[xu-yi-zhou]

Hi @zzl360, I've updated the benchmark data.

Hi @paulidale @t8m @tom-cosgrove-arm, could you please review it?

[paulidale]

Some nits.

That's quite a performance boost and one large file.

[xu-yi-zhou]

Hi @InfoHunter, could you please review this patch?

[xu-yi-zhou]

ping for review

[t8m]

I wonder if this optimization should be excluded if OPENSSL_SMALL_FOOTPRINT is defined. Given the large table size.

[paulidale]

I wonder if this optimization should be excluded if OPENSSL_SMALL_FOOTPRINT is defined. Given the large table size.

It would be a bonus but aarch64 isn't normally associated with small devices.

[openssl-machine]

This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago

[tom-cosgrove-arm]

(As I understand it, @docularxu is still reviewing, and there should be an update to the PR from the OP)

[tom-cosgrove-arm]

(removed the stalled label as the PR has been updated)

[docularxu]

I'm from Linaro and specializing in Arm platform optimization. The latest version from @xu-yi-zhou effectively addresses the concerns I had previously raised. Also, I verified this version on Apple silicon M2, and the results align with the performance improvements mentioned earlier:

which can speed up SM2 sign about 10 times and SM2 verify about 3 times.

With these, I would recommend merging this patch into the master branch.

[xu-yi-zhou]

Hi all,

I'm thinking about whether to implement constant-time point multiplication and modular inversion to avoid side channel attack.

I'm trying the following to fix side channel,

• implement constant-time ecp_sm2p256_point_double, ecp_sm2p256_point_add_affine and ecp_sm2p256_point_add
• ignore the check for index in ecp_sm2p256_point_G_mul_by_scalar and ecp_sm2p256_point_P_mul_by_scalar

After these changes, the performance of sign is reduced by 2% (27137.4->26641.9) and the one of verify is reduced by 6% (7434.0->6973.9).

If the side channel protection is necessary, I still need to implement a gather method for precomputed table like ecp_nistz256_gather_w7, ecp_nistz256_gather_w5 to avoid memory access patterns, a constant time BN_MOD_INV for modular inversion. I'm not sure how much performance will decrease.

Welcome to discsuss.

[mspncp]

With these, I would recommend merging this patch into the master branch.

By-the-way: thank you @docularxu for investing your time and sharing your valuable opinion. Your help is very much appreciated!

[InfoHunter]

Hi all,

I'm thinking about whether to implement constant-time point multiplication and modular inversion to avoid side channel attack.

I'm trying the following to fix side channel,

• implement constant-time ecp_sm2p256_point_double, ecp_sm2p256_point_add_affine and ecp_sm2p256_point_add
• ignore the check for index in ecp_sm2p256_point_G_mul_by_scalar and ecp_sm2p256_point_P_mul_by_scalar

After these changes, the performance of sign is reduced by 2% (27137.4->26641.9) and the one of verify is reduced by 6% (7434.0->6973.9).

If the side channel protection is necessary, I still need to implement a gather method for precomputed table like ecp_nistz256_gather_w7, ecp_nistz256_gather_w5 to avoid memory access patterns, a constant time BN_MOD_INV for modular inversion. I'm not sure how much performance will decrease.

Welcome to discsuss.

Yes, I consider anti-side-channel should be a 'must' stuff prior to performance.

[xu-yi-zhou]

We need compile-time config option for this that is on by default. The increased size of libcrypto also needs to be documented in CHANGES.md.

OK, I will do that as soon as possible.

[xu-yi-zhou]

Hi all, I'm trying to add an option enable-sm2-precomp to enable the precomputed table. Do I need to add this option in .github/workflows/*.yml?

[t8m]

Yes, please. Add no-sm2-precomp to run-checker-daily.yml. Although it won't test much as this is arm specific and run-checker-daily runs on x86_64, it will at least test the disable-ability of the option.

[tom-cosgrove-arm]

OTC: We need compile-time config option for this that is on by default. The increased size of libcrypto also needs to be documented in CHANGES.md.

My understanding of this request is that the large table would be included in default AArch64 builds, but can be disabled for smaller builds by configuring with no-sm2-precomp.

This seems to only use the large table if enable-sm2-precomp is given - @t8m is that what you wanted?

[xu-yi-zhou]

@tom-cosgrove-arm I think you are right, and I also forgot to add the increased size of libcrypto in CHANGES.md, I will fix these.

[t8m]

A few more nits

[beldmit]

LGTM

[openssl-machine]

This pull request is ready to merge

[t8m]

Merged to master branch. Thank you for your contribution.

[sususu98]

This patch optimizes SM2 for ARM processor using A64 instruction and precomputation table, which can speed up SM2 sign about 10 times and SM2 verify about 3 times. A new configure option no-sm2-precomp has been added to disable the precomputed table for point multiplicatin of the base point.

Perf data on Kunpeng-920 2.6GHz hardware looks like this:

sign verify sign/s verify/s
Before 0.0004s 0.0004s 2438.2 2460.9
After 0.0000s 0.0001s 27137.4 7434.0
After (no-sm2-precomp) 0.0001s 0.0002s 7745.5 4411.2
Signed-off-by: Xu Yizhou xuyizhou1@huawei.com

Checklist

• documentation is added or updated

Hello, I tested using the default compilation options on Kunpeng-920 2.6GHz hardware and obtained a signature performance of 25057 times/s and a signature verification performance of 7042 times/s. May I ask if you added other options to the data obtained during compilation

[xu-yi-zhou]

Hello, I tested using the default compilation options on Kunpeng-920 2.6GHz hardware and obtained a signature performance of 25057 times/s and a signature verification performance of 7042 times/s. May I ask if you added other options to the data obtained during compilation

no other options, try using the taskset command to bind the CPU while testing?