Crandall primes #445
Open
Crandall primes #445
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… Prime fast reduction - closes #11
…t, renaming of lazy reduction both in Montgomery and Crandall to lazyReduction
…k1, failing edwards25519
Bench vs RustCrypto/elliptic-curveshttps://github.com/RustCrypto/elliptic-curves/ is the current record holder of https://programming-language-benchmarks.vercel.app/problem/secp256k1 We modify it to bench some of the internals Field implementationwith an extra fn bench_field_element_10adds<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_field_element_x();
let y = test_field_element_y();
group.bench_function("10 adds", |b| b.iter(
|| {
&black_box(x) + &black_box(y);
&black_box(x) + &black_box(y);
&black_box(x) + &black_box(y);
&black_box(x) + &black_box(y);
&black_box(x) + &black_box(y);
&black_box(x) + &black_box(y);
&black_box(x) + &black_box(y);
&black_box(x) + &black_box(y);
&black_box(x) + &black_box(y);
&black_box(x) + &black_box(y)
}
));
}
EC implementation (projective with Renes2015 formulae)use criterion::{
black_box, criterion_group, criterion_main, measurement::Measurement, BenchmarkGroup, Criterion,
};
use k256::ProjectivePoint;
use elliptic_curve::{
rand_core::SeedableRng,
group::Group,
};
use rand_xorshift::XorShiftRng;
fn bench_ec_add<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let mut rng = XorShiftRng::seed_from_u64(1234u64);
let p = ProjectivePoint::random(&mut rng);
let q = ProjectivePoint::random(&mut rng);
group.bench_function("EC Add", |b| {
b.iter(|| &black_box(p) + &black_box(q))
});
}
fn bench_ec_dbl<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let mut rng = XorShiftRng::seed_from_u64(1234u64);
let p = ProjectivePoint::random(&mut rng);
group.bench_function("EC Dbl", |b| {
b.iter(|| black_box(p).double())
});
}
fn bench_ec(c: &mut Criterion) {
let mut group = c.benchmark_group("EC operations");
bench_ec_add(&mut group);
bench_ec_dbl(&mut group);
group.finish();
}
criterion_group!(benches, bench_ec);
criterion_main!(benches);
AnalysisThe fact that field operations are 1.7x to 2x faster BUT the elliptic curve operations are 0.85x slower is extremely suspicious. Especially when we implement the same formulae from Renes2015 paper. There might be useless copies or parameter passing overhead similar to #21 and #146 |
This was referenced Jul 27, 2024
Open
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This closes #11 for primes of form 2ᵐ-c (Crandall primes / pseudo-Mersenne primes), such as the one used for Curve25519 and secp256kq (Ethereum/ Bitcoin).
Bench Fp vs Constantine master
Previous
Current
Analysis
Bench EC vs Constantine master
Previous
Current
Analysis
Bench vs bitcoin/secp256k1
Analysis
The fact that field operations are 1.5x faster BUT the elliptic curve operations are sometimes slower is suspicious. We probably need to check the EC formulae
TODO
indicates in Theorem 4 that their partial reduction may grow by 1 bit if 256-bit.