Skip to content

Crandall primes#445

Merged
mratsim merged 16 commits intomasterfrom
crandall-primes
Dec 3, 2024
Merged

Crandall primes#445
mratsim merged 16 commits intomasterfrom
crandall-primes

Conversation

@mratsim
Copy link
Owner

@mratsim mratsim commented Jul 27, 2024
edited
Loading

This closes #11 for primes of form 2ᵐ-c (Crandall primes / pseudo-Mersenne primes), such as the one used for Curve25519 and secp256kq (Ethereum/ Bitcoin).

Bench Fp vs Constantine master

Previous

image
image

Current

image
image

Analysis

  • Fp[Edwards25519] mul 1.27x improvement
  • Fp[Edwards25519] square 1.43x improvement
  • Fp[Secp256k1] mul 1.94x improvement
  • Fp[Secp256k1] square 1.28x improvement

Bench EC vs Constantine master

Previous

image

Current

image

Analysis

  • EC add projective constant-time improved by 1.36x
  • EC add jacobian constant-time improved by 1.34x
  • EC add projective vartime improved by 1.24x
  • EC add jacobian vartime improved by 1.37x
  • EC dbl projective constant-time improved by 1.31x
  • EC dbl jacobian constant-time improved by 1.06x

Bench vs bitcoin/secp256k1

image

  • field_sqr 12.4ns vs 8ns -> 1.55x
  • field_mul 15.8ns vs 10ns -> 1.58x
  • field_inv_ct 1410ns vs 1203ns -> 1.17x
  • field_inv_vt 820ns vs 848ns -> 0.97x
  • EC add jacobian var 247ns vs 97ns -> 2.55x
  • EC dbl jacobian var 97.8ns vs 145 -> 0.67x
  • EC mixed add ct 189ns vs 225ns -> 0.84x
  • EC mixed add var 173ns vs 98ns -> 1.77x

image

  • EC scalar-mul ct 28100ns vs 40196 ns -> 0.70x

Analysis

The fact that field operations are 1.5x faster BUT the elliptic curve operations are sometimes slower is suspicious. We probably need to check the EC formulae

TODO

  • fix windows
  • bound checks for lazy reduce and lazy reduced field exponentiation for 256-bit as eprint/iacr 2018/985
    indicates in Theorem 4 that their partial reduction may grow by 1 bit if 256-bit.
  • optimize EC impl to avoid if/else check for ADX and limit input/output movement
  • optimized mixed add

@mratsim
Copy link
Owner Author

mratsim commented Jul 27, 2024
edited
Loading

Bench vs RustCrypto/elliptic-curves

https://github.com/RustCrypto/elliptic-curves/ is the current record holder of https://programming-language-benchmarks.vercel.app/problem/secp256k1

We modify it to bench some of the internals

Field implementation

cargo bench --features expose-field -- field

with an extra

fn bench_field_element_10adds<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
    let x = test_field_element_x();
    let y = test_field_element_y();
    group.bench_function("10 adds", |b| b.iter(
        || {
            &black_box(x) + &black_box(y);
            &black_box(x) + &black_box(y);
            &black_box(x) + &black_box(y);
            &black_box(x) + &black_box(y);
            &black_box(x) + &black_box(y);
            &black_box(x) + &black_box(y);
            &black_box(x) + &black_box(y);
            &black_box(x) + &black_box(y);
            &black_box(x) + &black_box(y);
            &black_box(x) + &black_box(y)
        }
    ));
}

image

  • 10 adds: 25ns vs 12ns - 2.08x
  • mul (partially normalized in k256): 17.825ns vs 10ns - 1.78x
  • sqr (partially normalized in k256): 13.846ns vs 8ns - 1.73x

EC implementation (projective with Renes2015 formulae)

use criterion::{
    black_box, criterion_group, criterion_main, measurement::Measurement, BenchmarkGroup, Criterion,
};
use k256::ProjectivePoint;
use elliptic_curve::{
    rand_core::SeedableRng,
    group::Group,
};
use rand_xorshift::XorShiftRng;

fn bench_ec_add<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
    let mut rng = XorShiftRng::seed_from_u64(1234u64);
    let p = ProjectivePoint::random(&mut rng);
    let q = ProjectivePoint::random(&mut rng);
    group.bench_function("EC Add", |b| {
        b.iter(|| &black_box(p) + &black_box(q))
    });
}

fn bench_ec_dbl<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
    let mut rng = XorShiftRng::seed_from_u64(1234u64);
    let p = ProjectivePoint::random(&mut rng);
    group.bench_function("EC Dbl", |b| {
        b.iter(|| black_box(p).double())
    });
}

fn bench_ec(c: &mut Criterion) {
    let mut group = c.benchmark_group("EC operations");
    bench_ec_add(&mut group);
    bench_ec_dbl(&mut group);
    group.finish();
}

criterion_group!(benches, bench_ec);
criterion_main!(benches);

image

  • EC add proj ct: 195.83ns vs 232ns - 0.84x
  • EC dbl proj ct: 130.83ns vs 153ns - 0.86x

Analysis

The fact that field operations are 1.7x to 2x faster BUT the elliptic curve operations are 0.85x slower is extremely suspicious. Especially when we implement the same formulae from Renes2015 paper.

There might be useless copies or parameter passing overhead similar to #21 and #146

This was referenced Jul 27, 2024
Open
Closed
@mratsim mratsim mentioned this pull request Nov 27, 2024
Merged
mratsim added 16 commits December 3, 2024 11:04
@mratsim
feat(special primes accel): Support Crandall primes / Pseudo-Mersenne…
34bc1c0 
… Prime fast reduction - closes #11
@mratsim
feat(special primes accel): refactoring: p-1 support ompiles on 64-bi…
d004d8d 
…t, renaming of lazy reduction both in Montgomery and Crandall to lazyReduction
@mratsim
feat(special primes accel): support 32-bit
3b1eb30
@mratsim
chore: lazyReduction->lazyReduce
bcb35f5
@mratsim
fix: fp mulsquare test
d1dacc4
@mratsim
feat: Crandall exponentiation
0c30b28
@mratsim
feat: initial commit assembly for Crandall reduction, passing secp256…
195ace0 
…k1, failing edwards25519
@mratsim
feat(asm-crandall): actually use the assembly
b2e1fe3
@mratsim
feat(asm-crandall): fix sqrt test and short immediate
20f3c0f
@mratsim
feat(crandall reduction): x86-adx reduction
cb93c2d
@mratsim
feat(crandall reduction): add final reduce, deactivate adx partial re…
d896514 
…duce temporarily
@mratsim
feat(crandall reduction): fix adx partial reduce
d5ceb2d
@mratsim
feat(crandall reduction): prevent asm for mul on 32-bit
758d9d6
@mratsim
feat(bench): check overhead of field calls
b48a69e
@mratsim
feat(crandall reduction): prevent asm for mul on 32-bit reloaded
cba2139
@mratsim
crandall-primes: reactivate tests for secp256k1
4488f94
@mratsim mratsim linked an issue Dec 3, 2024 that may be closed by this pull request
Windows: Secp256k1 tests assembly test frozen #448
Closed
@mratsim mratsim merged commit 585f803 into master Dec 3, 2024
@mratsim mratsim deleted the crandall-primes branch December 3, 2024 12:22
@mratsim mratsim mentioned this pull request Dec 12, 2024
Merged
13 tasks
This was referenced Aug 7, 2025
Closed
Merged
Open
@mratsim mratsim mentioned this pull request Sep 1, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

performance 🏁

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Windows: Secp256k1 tests assembly test frozen Finite field computation for moduli of special form

1 participant

@mratsim