Call ret

[bgregoir]

Work in progress

[bgregoir]

The pull request is ready for review.
We should certainly add some explanation in the change log

[vbgl]

Please drop these changes.

[bgregoir]

done.
If I remember well we discussed the possibility that the ci has an intermediate entry (i.e separating the proofs).

[vbgl]

Is this comment needed?

[bgregoir]

done

[vbgl]

This change is surprising.

[bgregoir]

done

[vbgl]

This does not look good.

[bgregoir]

done

[vbgl]

Please clean the comments away.

[bgregoir]

done

[vbgl]

Will this be fixed before or after merging this PR?

[bgregoir]

This one was already fixed, I forgot to remove the comment

[vbgl]

I’m going to rebase…

[vbgl]

CI is happy. Let’s wait for feedback from Jasmin users.

[tfaoliveira]

CI is happy. Let’s wait for feedback from Jasmin users.

@vbgl @bgregoir, I did some experiments on libjade. I explain the procedure first, and then the results.

1. compile libjade with Jasmin main and Jasmin call ret
2. for some number of times (I choose 32 because it was roughly the time of getting a coffee)
   2.1 for each implementation that uses non-inline functions (kyber, x25519, shake256)
   2.1.1 run the corresponding bench for libjade-jasmin-main and libjade-jasmin-call-ret; for instance, for x25519, scalarmult is run 2K times, 3 times; the bench executable reports the best median from the 3 loops;
   2.1.2 register the difference, in %

The benchmark settings (number of iterations, etc) are in libjade/bench/common. The remaining scripts that I used for this task are not. When I get some time to test and clean them, I can push them. The CPU is a Skylake.

The results of scalarmult ref4 (~ amd64-64) and ref5 (~ amd64-51) are quite stable at a negative overhead. x25519 ref4 implementation usually runs at roughly 129500 cycles on said CPU. A -0.1% difference means ~ -130 cycles. This implementation does ~25 function calls (just for the inversion).

For shake256, IIRC, only Keccakf is non-inline. The reported value for each run is the average of the overheads for: 32 bytes of output and 0, 32, 128, 1024, and 16384 bytes of input;

There seems to be a bit of overhead for shake. Next, you can take a look at the number of cycles (for outlen=32 and inlen=16384) from libjade-jasmin-main and libjade-jasmin-call-ret, for a second entire run where I also registered individual results and not just the average (which means that the following values were not used to produce the previous plot).

32,16384,160086,160700,0.38
32,16384,160076,160728,0.41
32,16384,160172,160682,0.32
32,16384,160328,160714,0.24
32,16384,160080,160726,0.40
32,16384,160082,160724,0.40
32,16384,160086,160754,0.42
32,16384,160308,160810,0.31
32,16384,160468,160806,0.21
32,16384,160102,160754,0.41
32,16384,160370,160754,0.24
32,16384,160118,160746,0.39
32,16384,160116,160694,0.36
32,16384,160042,160728,0.43
32,16384,160178,160696,0.32
32,16384,160096,160754,0.41
32,16384,160124,160686,0.35
32,16384,160132,160700,0.35
32,16384,160244,160762,0.32
32,16384,160070,160656,0.37
32,16384,160104,160726,0.39
32,16384,160078,160694,0.38
32,16384,160112,160788,0.42
32,16384,160066,160672,0.38
32,16384,160150,160776,0.39
32,16384,160186,160774,0.37
32,16384,160092,160706,0.38
32,16384,160106,160756,0.41
32,16384,160082,160702,0.39
32,16384,160090,160700,0.38
32,16384,160166,160710,0.34
32,16384,160480,160746,0.17

For Kyber the results are the following (a little bit noisy at the moment; I think I would need to swap the random bytes implementation/shuffle the order of Kyber executions to get slightly stable results; I also cannot provide much insight about how many function calls are done given that I only know the implementation superficially).

Overall I think this change in the compiler does not affect performance significantly so I would say that it would be nice to have it merged.

[bgregoir]

On my side, the PR is ready to merge.

[vbgl]

CI: https://gitlab.com/jasmin-lang/jasmin/-/pipelines/751942335

Do we want to run some benchmarks?

[vbgl]

CI is happy. I recommend to merge now and polish later.