jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
393 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 28086a96d1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '28086a96d1'
${ noResults }
ed448goldilocks/test/bench_decaf.cxx

458 lines
15 KiB
Raw Blame History 

  1. /**

  2.  * @file test_decaf.cxx

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief C++ benchmarks, because that's easier.

  10.  */

  11. 

  12. #include <decaf.hxx>

  13. #include <decaf/shake.hxx>

  14. #include <decaf/sha512.hxx>

  15. #include <decaf/strobe.hxx>

  16. #include <decaf/spongerng.hxx>

  17. #include <decaf/crypto_255.h>

  18. #include <decaf/crypto_448.h>

  19. #include <decaf/crypto.hxx>

  20. #include <decaf/eddsa.hxx>

  21. #include <stdio.h>

  22. #include <sys/time.h>

  23. #include <assert.h>

  24. #include <stdint.h>

  25. #include <vector>

  26. #include <algorithm>

  27. 

  28. using namespace decaf;

  29. 

  30. 

  31. static __inline__ void __attribute__((unused)) ignore_result ( int result ) { (void)result; }

  32. static double now(void) {

  33.   struct timeval tv;

  34.   gettimeofday(&tv, NULL);

  35.   return tv.tv_sec + tv.tv_usec/1000000.0;

  36. }

  37. 

  38. // RDTSC from the chacha code

  39. #ifndef __has_builtin

  40. #define __has_builtin(X) 0

  41. #endif

  42. #if defined(__clang__) && __has_builtin(__builtin_readcyclecounter)

  43. #define rdtsc __builtin_readcyclecounter

  44. #else

  45. static inline uint64_t rdtsc(void) {

  46. # if defined(__x86_64__)

  47.     uint32_t lobits, hibits;

  48.     __asm__ __volatile__ ("rdtsc" : "=a"(lobits), "=d"(hibits));

  49.     return (lobits | ((uint64_t)(hibits) << 32));

  50. # elif defined(__i386__)

  51.     uint64_t __value;

  52.     __asm__ __volatile__ ("rdtsc" : "=A"(__value));

  53.     return __value;

  54. # else

  55.     return 0;

  56. # endif

  57. }

  58. #endif

  59. 

  60. static void printSI(double x, const char *unit, const char *spacer = " ") {

  61.     const char *small[] = {" ","m","ยต","n","p"};

  62.     const char *big[] = {" ","k","M","G","T"};

  63.     if (x < 1) {

  64.         unsigned di=0;

  65.         for (di=0; di<sizeof(small)/sizeof(*small)-1 && x && x < 1; di++) { 

  66.             x *= 1000.0;

  67.         }

  68.         printf("%6.2f%s%s%s", x, spacer, small[di], unit);

  69.     } else {

  70.         unsigned di=0;

  71.         for (di=0; di<sizeof(big)/sizeof(*big)-1 && x && x >= 1000; di++) { 

  72.             x /= 1000.0;

  73.         }

  74.         printf("%6.2f%s%s%s", x, spacer, big[di], unit);

  75.     }

  76. }

  77. 

  78. class Benchmark {

  79.     static const int NTESTS = 20, NSAMPLES=50, DISCARD=2;

  80.     static double totalCy, totalS;

  81. public:

  82.     int i, j, ntests, nsamples;

  83.     double begin;

  84.     uint64_t tsc_begin;

  85.     std::vector<double> times;

  86.     std::vector<uint64_t> cycles;

  87.     Benchmark(const char *s, double factor = 1) {

  88.         printf("%s:", s);

  89.         if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  90.         fflush(stdout);

  91.         i = j = 0;

  92.         ntests = NTESTS * factor;

  93.         nsamples = NSAMPLES;

  94.         begin = now();

  95.         tsc_begin = rdtsc();

  96.         times = std::vector<double>(NSAMPLES);

  97.         cycles = std::vector<uint64_t>(NSAMPLES);

  98.     }

  99.     ~Benchmark() {

  100.         double tsc = 0;

  101.         double t = 0;

  102.         

  103.         std::sort(times.begin(), times.end());

  104.         std::sort(cycles.begin(), cycles.end());

  105.         

  106.         for (int k=DISCARD; k<nsamples-DISCARD; k++) {

  107.             tsc += cycles[k];

  108.             t += times[k];

  109.         }

  110.         

  111.         totalCy += tsc;

  112.         totalS += t;

  113.         

  114.         t /= ntests*(nsamples-2*DISCARD);

  115.         tsc /= ntests*(nsamples-2*DISCARD);

  116.         

  117.         printSI(t,"s");

  118.         printf("    ");

  119.         printSI(1/t,"/s");

  120.         if (tsc) { printf("    "); printSI(tsc, "cy"); }

  121.         printf("\n");

  122.     }

  123.     inline bool iter() {

  124.         i++;

  125.         if (i >= ntests) {

  126.             uint64_t tsc = rdtsc() - tsc_begin;

  127.             double t = now() - begin;

  128.             begin += t;

  129.             tsc_begin += tsc;

  130.             assert(j >= 0 && j < nsamples);

  131.             cycles[j] = tsc;

  132.             times[j] = t;

  133.             

  134.             j++;

  135.             i = 0;

  136.         }

  137.         return j < nsamples;

  138.     }

  139.     static void calib() {

  140.         if (totalS && totalCy) {

  141.             const char *s = "Cycle calibration";

  142.             printf("%s:", s);

  143.             if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  144.             printSI(totalCy / totalS, "Hz");

  145.             printf("\n");

  146.         }

  147.     }

  148. };

  149. 

  150. double Benchmark::totalCy = 0, Benchmark::totalS = 0;

  151. 

  152. 

  153. template<typename Group> struct Benches {

  154. 

  155. typedef typename Group::Scalar Scalar;

  156. typedef typename Group::Point Point;

  157. typedef typename Group::Precomputed Precomputed;

  158. 

  159. static void tdh (

  160.     SpongeRng &clientRng,

  161.     SpongeRng &serverRng,

  162.     Scalar x, const Block &gx,

  163.     Scalar y, const Block &gy

  164. ) {

  165.     /* "TripleDH".  A bit of a hack, really: the real TripleDH

  166.      * sends gx and gy and certs over the channel, but its goal

  167.      * is actually the opposite of STROBE in this case: it doesn't

  168.      * hash gx and gy into the session secret (only into the MAC

  169.      * and AD) because of IPR concerns.

  170.      */

  171.     Strobe client("example::tripleDH",Strobe::CLIENT), server("example::tripleDH",Strobe::SERVER);

  172.     

  173.     Scalar xe(clientRng);

  174.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  175.     client.send_plaintext(gxe);

  176.     server.recv_plaintext(gxe);

  177.     

  178.     Scalar ye(serverRng);

  179.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  180.     server.send_plaintext(gye);

  181.     client.recv_plaintext(gye);

  182.     

  183.     Point pgxe(gxe);

  184.     server.dh_key(pgxe*ye);

  185.     SecureBuffer tag1 = server.produce_auth();

  186.     //SecureBuffer ct = server.encrypt(gy);

  187.     server.dh_key(pgxe*y);

  188.     SecureBuffer tag2 = server.produce_auth();

  189.     

  190.     Point pgye(gye);

  191.     client.dh_key(pgye*xe);

  192.     client.verify_auth(tag1);

  193.     client.dh_key(Point(gy) * xe);

  194.     client.verify_auth(tag2);

  195.     // ct = client.encrypt(gx);

  196.     client.dh_key(pgye * x);

  197.     tag1 = client.produce_auth();

  198.     client.respec(STROBE_KEYED_128);

  199.     

  200.     server.dh_key(Point(gx) * ye);

  201.     server.verify_auth(tag1);

  202.     server.respec(STROBE_KEYED_128);

  203. }

  204. 

  205. static void fhmqv (

  206.     SpongeRng &clientRng,

  207.     SpongeRng &serverRng,

  208.     Scalar x, const Block &gx,

  209.     Scalar y, const Block &gy

  210. ) {

  211.     /* Don't use this, it's probably patented */

  212.     Strobe client("example::fhmqv",Strobe::CLIENT), server("example::fhmqv",Strobe::SERVER);

  213.     

  214.     Scalar xe(clientRng);

  215.     client.send_plaintext(gx);

  216.     server.recv_plaintext(gx);

  217.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  218.     server.send_plaintext(gxe);

  219.     client.recv_plaintext(gxe);

  220. 

  221.     Scalar ye(serverRng);

  222.     server.send_plaintext(gy);

  223.     client.recv_plaintext(gy);

  224.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  225.     server.send_plaintext(gye);

  226.     

  227.     Scalar schx(server.prng(Scalar::SER_BYTES));

  228.     Scalar schy(server.prng(Scalar::SER_BYTES));

  229.     Scalar yec = y + ye*schy;

  230.     server.dh_key(Point::double_scalarmul(Point(gx),yec,Point(gxe),yec*schx));

  231.     SecureBuffer as = server.produce_auth();

  232.     

  233.     client.recv_plaintext(gye);

  234.     Scalar cchx(client.prng(Scalar::SER_BYTES));

  235.     Scalar cchy(client.prng(Scalar::SER_BYTES));

  236.     Scalar xec = x + xe*schx;

  237.     client.dh_key(Point::double_scalarmul(Point(gy),xec,Point(gye),xec*schy));

  238.     client.verify_auth(as);

  239.     SecureBuffer ac = client.produce_auth();

  240.     client.respec(STROBE_KEYED_128);

  241.     

  242.     server.verify_auth(ac);

  243.     server.respec(STROBE_KEYED_128);

  244. }

  245. 

  246. static void spake2ee(

  247.     SpongeRng &clientRng,

  248.     SpongeRng &serverRng,

  249.     const Block &hashed_password,

  250.     bool aug

  251. ) {

  252.     Strobe client("example::spake2ee",Strobe::CLIENT), server("example::spake2ee",Strobe::SERVER);

  253.     

  254.     Scalar x(clientRng);

  255.     

  256.     SHAKE<256> shake;

  257.     shake.update(hashed_password);

  258.     SecureBuffer h0 = shake.output(Point::HASH_BYTES);

  259.     SecureBuffer h1 = shake.output(Point::HASH_BYTES);

  260.     SecureBuffer h2 = shake.output(Scalar::SER_BYTES);

  261.     Scalar gs(h2);

  262.     

  263.     Point hc = Point::from_hash(h0);

  264.     hc = Point::from_hash(h0); // double-count

  265.     Point hs = Point::from_hash(h1);

  266.     hs = Point::from_hash(h1); // double-count

  267.     

  268.     SecureBuffer gx((Precomputed::base() * x + hc).serialize());

  269.     client.send_plaintext(gx);

  270.     server.recv_plaintext(gx);

  271.     

  272.     Scalar y(serverRng);

  273.     SecureBuffer gy((Precomputed::base() * y + hs).serialize());

  274.     server.send_plaintext(gy);

  275.     client.recv_plaintext(gy);

  276.     

  277.     server.dh_key(h1);

  278.     server.dh_key((Point(gx) - hc)*y);

  279.     if(aug) {

  280.         /* This step isn't actually online but whatever, it's fastish */

  281.         SecureBuffer serverAug((Precomputed::base() * gs).serialize());

  282.         server.dh_key(Point(serverAug)*y);

  283.     }

  284.     SecureBuffer tag = server.produce_auth();

  285.     

  286.     client.dh_key(h1);

  287.     Point pgy(gy); pgy -= hs;

  288.     client.dh_key(pgy*x);

  289.     if (aug) client.dh_key(pgy * gs);

  290.     client.verify_auth(tag);    

  291.     tag = client.produce_auth();

  292.     client.respec(STROBE_KEYED_128);

  293.     /* A real protocol would continue with fork etc here... */

  294.     

  295.     server.verify_auth(tag);

  296.     server.respec(STROBE_KEYED_128);

  297. }

  298. 

  299. static void cfrg() {

  300.     SpongeRng rng(Block("bench_cfrg_crypto"),SpongeRng::DETERMINISTIC);

  301.     FixedArrayBuffer<Group::DhLadder::PUBLIC_BYTES> base(rng);

  302.     FixedArrayBuffer<Group::DhLadder::PRIVATE_BYTES> s1(rng);

  303.     for (Benchmark b("RFC 7748 keygen"); b.iter(); ) { Group::DhLadder::generate_key(s1); }

  304.     for (Benchmark b("RFC 7748 shared secret"); b.iter(); ) { Group::DhLadder::shared_secret(base,s1); }

  305. 

  306.     FixedArrayBuffer<EdDSA<Group>::PrivateKey::SER_BYTES> e1(rng);

  307.     typename EdDSA<Group>::PublicKey pub((NOINIT()));

  308.     typename EdDSA<Group>::PrivateKey priv((NOINIT()));

  309.     SecureBuffer sig;

  310.     for (Benchmark b("EdDSA keygen"); b.iter(); ) { priv = e1; }

  311.     for (Benchmark b("EdDSA sign"); b.iter(); ) { sig = priv.sign(Block(NULL,0)); }

  312.     pub = priv;

  313.     for (Benchmark b("EdDSA verify"); b.iter(); ) { pub.verify(sig,Block(NULL,0)); }

  314. }

  315. 

  316. static void macro() {

  317.     printf("\nMacro-benchmarks for %s:\n", Group::name());

  318.     printf("CFRG crypto benchmarks:\n");

  319.     cfrg();

  320.     

  321.     printf("\nSample crypto benchmarks:\n");

  322.     SpongeRng rng(Block("macro rng seed"),SpongeRng::DETERMINISTIC);

  323.     PrivateKey<Group> s1((NOINIT())), s2(rng);

  324.     PublicKey<Group> p1((NOINIT())), p2(s2);

  325. 

  326.     SecureBuffer message = rng.read(5), sig, ss;

  327. 

  328.     for (Benchmark b("Create private key",1); b.iter(); ) {

  329.         s1 = PrivateKey<Group>(rng);

  330.         SecureBuffer bb = s1.serialize();

  331.     }

  332.     

  333.     for (Benchmark b("Sign",1); b.iter(); ) {

  334.         sig = s1.sign(message);

  335.     }

  336.     

  337.     p1 = s1.pub();

  338.     for (Benchmark b("Verify",1); b.iter(); ) {

  339.         rng.read(Buffer(message));

  340.         try { p1.verify(message, sig); } catch (CryptoException) {}

  341.     }

  342.     

  343.     for (Benchmark b("SharedSecret",1); b.iter(); ) {

  344.         ss = s1.shared_secret(p2,32,true);

  345.     }

  346.     

  347.     printf("\nProtocol benchmarks:\n");

  348.     SpongeRng clientRng(Block("client rng seed"),SpongeRng::DETERMINISTIC);

  349.     SpongeRng serverRng(Block("server rng seed"),SpongeRng::DETERMINISTIC);

  350.     SecureBuffer hashedPassword(Block("hello world"));

  351.     for (Benchmark b("Spake2ee c+s",0.1); b.iter(); ) {

  352.         spake2ee(clientRng, serverRng, hashedPassword,false);

  353.     }

  354.     

  355.     for (Benchmark b("Spake2ee c+s aug",0.1); b.iter(); ) {

  356.         spake2ee(clientRng, serverRng, hashedPassword,true);

  357.     }

  358.     

  359.     Scalar x(clientRng);

  360.     SecureBuffer gx((Precomputed::base() * x).serialize());

  361.     Scalar y(serverRng);

  362.     SecureBuffer gy((Precomputed::base() * y).serialize());

  363.     

  364.     for (Benchmark b("FHMQV c+s",0.1); b.iter(); ) {

  365.         fhmqv(clientRng, serverRng,x,gx,y,gy);

  366.     }

  367.     

  368.     for (Benchmark b("TripleDH anon c+s",0.1); b.iter(); ) {

  369.         tdh(clientRng, serverRng, x,gx,y,gy);

  370.     }

  371. }

  372. 

  373. static void micro() {

  374.     SpongeRng rng(Block("per-curve-benchmarks"),SpongeRng::DETERMINISTIC);

  375.     Precomputed pBase;

  376.     Point p,q;

  377.     Scalar s(1),t(2);

  378.     SecureBuffer ep, ep2(Point::SER_BYTES*2);

  379.     

  380.     printf("\nMicro-benchmarks for %s:\n", Group::name());

  381.     for (Benchmark b("Scalar add", 1000); b.iter(); ) { s+=t; }

  382.     for (Benchmark b("Scalar times", 100); b.iter(); ) { s*=t; }

  383.     for (Benchmark b("Scalar inv", 1); b.iter(); ) { s.inverse(); }

  384.     for (Benchmark b("Point add", 100); b.iter(); ) { p += q; }

  385.     for (Benchmark b("Point double", 100); b.iter(); ) { p.double_in_place(); }

  386.     for (Benchmark b("Point scalarmul"); b.iter(); ) { p * s; }

  387.     for (Benchmark b("Point encode"); b.iter(); ) { ep = p.serialize(); }

  388.     for (Benchmark b("Point decode"); b.iter(); ) { p = Point(ep); }

  389.     for (Benchmark b("Point create/destroy"); b.iter(); ) { Point r; }

  390.     for (Benchmark b("Point hash nonuniform"); b.iter(); ) { Point::from_hash(ep); }

  391.     for (Benchmark b("Point hash uniform"); b.iter(); ) { Point::from_hash(ep2); }

  392.     for (Benchmark b("Point unhash nonuniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep,0)); }

  393.     for (Benchmark b("Point unhash uniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep2,0)); }

  394.     for (Benchmark b("Point steg"); b.iter(); ) { p.steg_encode(rng); }

  395.     for (Benchmark b("Point double scalarmul"); b.iter(); ) { Point::double_scalarmul(p,s,q,t); }

  396.     for (Benchmark b("Point dual scalarmul"); b.iter(); ) { p.dual_scalarmul(p,q,s,t); }

  397.     for (Benchmark b("Point precmp scalarmul"); b.iter(); ) { pBase * s; }

  398.     for (Benchmark b("Point double scalarmul_v"); b.iter(); ) {

  399.         s = Scalar(rng);

  400.         t = Scalar(rng);

  401.         p.non_secret_combo_with_base(s,t);

  402.     }

  403. }

  404. 

  405. }; /* template <typename group> struct Benches */

  406. 

  407. template <typename Group> struct Macro { static void run() { Benches<Group>::macro(); } };

  408. template <typename Group> struct Micro { static void run() { Benches<Group>::micro(); } };

  409. 

  410. int main(int argc, char **argv) {

  411.     

  412.     bool micro = false;

  413.     if (argc >= 2 && !strcmp(argv[1], "--micro"))

  414.         micro = true;

  415. 

  416.     SpongeRng rng(Block("micro-benchmarks"),SpongeRng::DETERMINISTIC);

  417.     if (micro) {

  418.         printf("\nMicro-benchmarks:\n");

  419.         SHAKE<128> shake1;

  420.         SHAKE<256> shake2;

  421.         SHA3<512> sha5;

  422.         SHA512 sha2;

  423.         Strobe strobe("example::bench",Strobe::CLIENT);

  424.         unsigned char b1024[1024] = {1};

  425.         for (Benchmark b("SHAKE128 1kiB", 30); b.iter(); ) { shake1 += Buffer(b1024,1024); }

  426.         for (Benchmark b("SHAKE256 1kiB", 30); b.iter(); ) { shake2 += Buffer(b1024,1024); }

  427.         for (Benchmark b("SHA3-512 1kiB", 30); b.iter(); ) { sha5 += Buffer(b1024,1024); }

  428.         for (Benchmark b("SHA512 1kiB", 30); b.iter(); ) { sha2 += Buffer(b1024,1024); }

  429.         strobe.dh_key(Buffer(b1024,1024));

  430.         strobe.respec(STROBE_128);

  431.         for (Benchmark b("STROBE128 1kiB", 10); b.iter(); ) {

  432.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  433.         }

  434.         strobe.respec(STROBE_256);

  435.         for (Benchmark b("STROBE256 1kiB", 10); b.iter(); ) {

  436.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  437.         }

  438.         strobe.respec(STROBE_KEYED_128);

  439.         for (Benchmark b("STROBEk128 1kiB", 10); b.iter(); ) {

  440.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  441.         }

  442.         strobe.respec(STROBE_KEYED_256);

  443.         for (Benchmark b("STROBEk256 1kiB", 10); b.iter(); ) {

  444.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  445.         }

  446.         

  447.         run_for_all_curves<Micro>();

  448.     }

  449.     

  450.     run_for_all_curves<Macro>();

  451.     

  452.     printf("\n");

  453.     Benchmark::calib();

  454.     printf("\n");

  455.     

  456.     return 0;

  457. }