jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
403 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 80c0bd5d7d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '80c0bd5d7d'
${ noResults }
ed448goldilocks/test/bench_decaf.cxx

459 lines
15 KiB
Raw Blame History 

  1. /**

  2.  * @file test_decaf.cxx

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief C++ benchmarks, because that's easier.

  10.  */

  11. 

  12. #include <decaf.hxx>

  13. #include <decaf/shake.hxx>

  14. #include <decaf/sha512.hxx>

  15. #include <decaf/strobe.hxx>

  16. #include <decaf/spongerng.hxx>

  17. #include <decaf/crypto_255.h>

  18. #include <decaf/crypto_448.h>

  19. #include <decaf/crypto.hxx>

  20. #include <decaf/eddsa.hxx>

  21. #include <stdio.h>

  22. #include <sys/time.h>

  23. #include <assert.h>

  24. #include <stdint.h>

  25. #include <vector>

  26. #include <algorithm>

  27. 

  28. using namespace decaf;

  29. using namespace decaf::TOY;

  30. 

  31. 

  32. static __inline__ void __attribute__((unused)) ignore_result ( int result ) { (void)result; }

  33. static double now(void) {

  34.   struct timeval tv;

  35.   gettimeofday(&tv, NULL);

  36.   return tv.tv_sec + tv.tv_usec/1000000.0;

  37. }

  38. 

  39. // RDTSC from the chacha code

  40. #ifndef __has_builtin

  41. #define __has_builtin(X) 0

  42. #endif

  43. #if defined(__clang__) && __has_builtin(__builtin_readcyclecounter)

  44. #define rdtsc __builtin_readcyclecounter

  45. #else

  46. static inline uint64_t rdtsc(void) {

  47. # if defined(__x86_64__)

  48.     uint32_t lobits, hibits;

  49.     __asm__ __volatile__ ("rdtsc" : "=a"(lobits), "=d"(hibits));

  50.     return (lobits | ((uint64_t)(hibits) << 32));

  51. # elif defined(__i386__)

  52.     uint64_t __value;

  53.     __asm__ __volatile__ ("rdtsc" : "=A"(__value));

  54.     return __value;

  55. # else

  56.     return 0;

  57. # endif

  58. }

  59. #endif

  60. 

  61. static void printSI(double x, const char *unit, const char *spacer = " ") {

  62.     const char *small[] = {" ","m","ยต","n","p"};

  63.     const char *big[] = {" ","k","M","G","T"};

  64.     if (x < 1) {

  65.         unsigned di=0;

  66.         for (di=0; di<sizeof(small)/sizeof(*small)-1 && x && x < 1; di++) { 

  67.             x *= 1000.0;

  68.         }

  69.         printf("%6.2f%s%s%s", x, spacer, small[di], unit);

  70.     } else {

  71.         unsigned di=0;

  72.         for (di=0; di<sizeof(big)/sizeof(*big)-1 && x && x >= 1000; di++) { 

  73.             x /= 1000.0;

  74.         }

  75.         printf("%6.2f%s%s%s", x, spacer, big[di], unit);

  76.     }

  77. }

  78. 

  79. class Benchmark {

  80.     static const int NTESTS = 20, NSAMPLES=50, DISCARD=2;

  81.     static double totalCy, totalS;

  82. public:

  83.     int i, j, ntests, nsamples;

  84.     double begin;

  85.     uint64_t tsc_begin;

  86.     std::vector<double> times;

  87.     std::vector<uint64_t> cycles;

  88.     Benchmark(const char *s, double factor = 1) {

  89.         printf("%s:", s);

  90.         if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  91.         fflush(stdout);

  92.         i = j = 0;

  93.         ntests = NTESTS * factor;

  94.         nsamples = NSAMPLES;

  95.         begin = now();

  96.         tsc_begin = rdtsc();

  97.         times = std::vector<double>(NSAMPLES);

  98.         cycles = std::vector<uint64_t>(NSAMPLES);

  99.     }

  100.     ~Benchmark() {

  101.         double tsc = 0;

  102.         double t = 0;

  103.         

  104.         std::sort(times.begin(), times.end());

  105.         std::sort(cycles.begin(), cycles.end());

  106.         

  107.         for (int k=DISCARD; k<nsamples-DISCARD; k++) {

  108.             tsc += cycles[k];

  109.             t += times[k];

  110.         }

  111.         

  112.         totalCy += tsc;

  113.         totalS += t;

  114.         

  115.         t /= ntests*(nsamples-2*DISCARD);

  116.         tsc /= ntests*(nsamples-2*DISCARD);

  117.         

  118.         printSI(t,"s");

  119.         printf("    ");

  120.         printSI(1/t,"/s");

  121.         if (tsc) { printf("    "); printSI(tsc, "cy"); }

  122.         printf("\n");

  123.     }

  124.     inline bool iter() {

  125.         i++;

  126.         if (i >= ntests) {

  127.             uint64_t tsc = rdtsc() - tsc_begin;

  128.             double t = now() - begin;

  129.             begin += t;

  130.             tsc_begin += tsc;

  131.             assert(j >= 0 && j < nsamples);

  132.             cycles[j] = tsc;

  133.             times[j] = t;

  134.             

  135.             j++;

  136.             i = 0;

  137.         }

  138.         return j < nsamples;

  139.     }

  140.     static void calib() {

  141.         if (totalS && totalCy) {

  142.             const char *s = "Cycle calibration";

  143.             printf("%s:", s);

  144.             if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  145.             printSI(totalCy / totalS, "Hz");

  146.             printf("\n");

  147.         }

  148.     }

  149. };

  150. 

  151. double Benchmark::totalCy = 0, Benchmark::totalS = 0;

  152. 

  153. 

  154. template<typename Group> struct Benches {

  155. 

  156. typedef typename Group::Scalar Scalar;

  157. typedef typename Group::Point Point;

  158. typedef typename Group::Precomputed Precomputed;

  159. 

  160. static void tdh (

  161.     SpongeRng &clientRng,

  162.     SpongeRng &serverRng,

  163.     Scalar x, const Block &gx,

  164.     Scalar y, const Block &gy

  165. ) {

  166.     /* "TripleDH".  A bit of a hack, really: the real TripleDH

  167.      * sends gx and gy and certs over the channel, but its goal

  168.      * is actually the opposite of STROBE in this case: it doesn't

  169.      * hash gx and gy into the session secret (only into the MAC

  170.      * and AD) because of IPR concerns.

  171.      */

  172.     Strobe client("example::tripleDH",Strobe::CLIENT), server("example::tripleDH",Strobe::SERVER);

  173.     

  174.     Scalar xe(clientRng);

  175.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  176.     client.send_plaintext(gxe);

  177.     server.recv_plaintext(gxe);

  178.     

  179.     Scalar ye(serverRng);

  180.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  181.     server.send_plaintext(gye);

  182.     client.recv_plaintext(gye);

  183.     

  184.     Point pgxe(gxe);

  185.     server.dh_key(pgxe*ye);

  186.     SecureBuffer tag1 = server.produce_auth();

  187.     //SecureBuffer ct = server.encrypt(gy);

  188.     server.dh_key(pgxe*y);

  189.     SecureBuffer tag2 = server.produce_auth();

  190.     

  191.     Point pgye(gye);

  192.     client.dh_key(pgye*xe);

  193.     client.verify_auth(tag1);

  194.     client.dh_key(Point(gy) * xe);

  195.     client.verify_auth(tag2);

  196.     // ct = client.encrypt(gx);

  197.     client.dh_key(pgye * x);

  198.     tag1 = client.produce_auth();

  199.     client.respec(STROBE_KEYED_128);

  200.     

  201.     server.dh_key(Point(gx) * ye);

  202.     server.verify_auth(tag1);

  203.     server.respec(STROBE_KEYED_128);

  204. }

  205. 

  206. static void fhmqv (

  207.     SpongeRng &clientRng,

  208.     SpongeRng &serverRng,

  209.     Scalar x, const Block &gx,

  210.     Scalar y, const Block &gy

  211. ) {

  212.     /* Don't use this, it's probably patented */

  213.     Strobe client("example::fhmqv",Strobe::CLIENT), server("example::fhmqv",Strobe::SERVER);

  214.     

  215.     Scalar xe(clientRng);

  216.     client.send_plaintext(gx);

  217.     server.recv_plaintext(gx);

  218.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  219.     server.send_plaintext(gxe);

  220.     client.recv_plaintext(gxe);

  221. 

  222.     Scalar ye(serverRng);

  223.     server.send_plaintext(gy);

  224.     client.recv_plaintext(gy);

  225.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  226.     server.send_plaintext(gye);

  227.     

  228.     Scalar schx(server.prng(Scalar::SER_BYTES));

  229.     Scalar schy(server.prng(Scalar::SER_BYTES));

  230.     Scalar yec = y + ye*schy;

  231.     server.dh_key(Point::double_scalarmul(Point(gx),yec,Point(gxe),yec*schx));

  232.     SecureBuffer as = server.produce_auth();

  233.     

  234.     client.recv_plaintext(gye);

  235.     Scalar cchx(client.prng(Scalar::SER_BYTES));

  236.     Scalar cchy(client.prng(Scalar::SER_BYTES));

  237.     Scalar xec = x + xe*schx;

  238.     client.dh_key(Point::double_scalarmul(Point(gy),xec,Point(gye),xec*schy));

  239.     client.verify_auth(as);

  240.     SecureBuffer ac = client.produce_auth();

  241.     client.respec(STROBE_KEYED_128);

  242.     

  243.     server.verify_auth(ac);

  244.     server.respec(STROBE_KEYED_128);

  245. }

  246. 

  247. static void spake2ee(

  248.     SpongeRng &clientRng,

  249.     SpongeRng &serverRng,

  250.     const Block &hashed_password,

  251.     bool aug

  252. ) {

  253.     Strobe client("example::spake2ee",Strobe::CLIENT), server("example::spake2ee",Strobe::SERVER);

  254.     

  255.     Scalar x(clientRng);

  256.     

  257.     SHAKE<256> shake;

  258.     shake.update(hashed_password);

  259.     SecureBuffer h0 = shake.output(Point::HASH_BYTES);

  260.     SecureBuffer h1 = shake.output(Point::HASH_BYTES);

  261.     SecureBuffer h2 = shake.output(Scalar::SER_BYTES);

  262.     Scalar gs(h2);

  263.     

  264.     Point hc = Point::from_hash(h0);

  265.     hc = Point::from_hash(h0); // double-count

  266.     Point hs = Point::from_hash(h1);

  267.     hs = Point::from_hash(h1); // double-count

  268.     

  269.     SecureBuffer gx((Precomputed::base() * x + hc).serialize());

  270.     client.send_plaintext(gx);

  271.     server.recv_plaintext(gx);

  272.     

  273.     Scalar y(serverRng);

  274.     SecureBuffer gy((Precomputed::base() * y + hs).serialize());

  275.     server.send_plaintext(gy);

  276.     client.recv_plaintext(gy);

  277.     

  278.     server.dh_key(h1);

  279.     server.dh_key((Point(gx) - hc)*y);

  280.     if(aug) {

  281.         /* This step isn't actually online but whatever, it's fastish */

  282.         SecureBuffer serverAug((Precomputed::base() * gs).serialize());

  283.         server.dh_key(Point(serverAug)*y);

  284.     }

  285.     SecureBuffer tag = server.produce_auth();

  286.     

  287.     client.dh_key(h1);

  288.     Point pgy(gy); pgy -= hs;

  289.     client.dh_key(pgy*x);

  290.     if (aug) client.dh_key(pgy * gs);

  291.     client.verify_auth(tag);    

  292.     tag = client.produce_auth();

  293.     client.respec(STROBE_KEYED_128);

  294.     /* A real protocol would continue with fork etc here... */

  295.     

  296.     server.verify_auth(tag);

  297.     server.respec(STROBE_KEYED_128);

  298. }

  299. 

  300. static void cfrg() {

  301.     SpongeRng rng(Block("bench_cfrg_crypto"),SpongeRng::DETERMINISTIC);

  302.     FixedArrayBuffer<Group::DhLadder::PUBLIC_BYTES> base(rng);

  303.     FixedArrayBuffer<Group::DhLadder::PRIVATE_BYTES> s1(rng);

  304.     for (Benchmark b("RFC 7748 keygen"); b.iter(); ) { Group::DhLadder::generate_key(s1); }

  305.     for (Benchmark b("RFC 7748 shared secret"); b.iter(); ) { Group::DhLadder::shared_secret(base,s1); }

  306. 

  307.     FixedArrayBuffer<EdDSA<Group>::PrivateKey::SER_BYTES> e1(rng);

  308.     typename EdDSA<Group>::PublicKey pub((NOINIT()));

  309.     typename EdDSA<Group>::PrivateKey priv((NOINIT()));

  310.     SecureBuffer sig;

  311.     for (Benchmark b("EdDSA keygen"); b.iter(); ) { priv = e1; }

  312.     for (Benchmark b("EdDSA sign"); b.iter(); ) { sig = priv.sign(Block(NULL,0)); }

  313.     pub = priv;

  314.     for (Benchmark b("EdDSA verify"); b.iter(); ) { pub.verify(sig,Block(NULL,0)); }

  315. }

  316. 

  317. static void macro() {

  318.     printf("\nMacro-benchmarks for %s:\n", Group::name());

  319.     printf("CFRG crypto benchmarks:\n");

  320.     cfrg();

  321.     

  322.     printf("\nToy crypto benchmarks:\n");

  323.     SpongeRng rng(Block("macro rng seed"),SpongeRng::DETERMINISTIC);

  324.     PrivateKey<Group> s1((NOINIT())), s2(rng);

  325.     PublicKey<Group> p1((NOINIT())), p2(s2);

  326. 

  327.     SecureBuffer message = rng.read(5), sig, ss;

  328. 

  329.     for (Benchmark b("Create private key",1); b.iter(); ) {

  330.         s1 = PrivateKey<Group>(rng);

  331.         SecureBuffer bb = s1.serialize();

  332.     }

  333.     

  334.     for (Benchmark b("Sign",1); b.iter(); ) {

  335.         sig = s1.sign(message);

  336.     }

  337.     

  338.     p1 = s1.pub();

  339.     for (Benchmark b("Verify",1); b.iter(); ) {

  340.         rng.read(Buffer(message));

  341.         try { p1.verify(message, sig); } catch (CryptoException) {}

  342.     }

  343.     

  344.     for (Benchmark b("SharedSecret",1); b.iter(); ) {

  345.         ss = s1.shared_secret(p2,32,true);

  346.     }

  347.     

  348.     printf("\nToy protocol benchmarks:\n");

  349.     SpongeRng clientRng(Block("client rng seed"),SpongeRng::DETERMINISTIC);

  350.     SpongeRng serverRng(Block("server rng seed"),SpongeRng::DETERMINISTIC);

  351.     SecureBuffer hashedPassword(Block("hello world"));

  352.     for (Benchmark b("Spake2ee c+s",0.1); b.iter(); ) {

  353.         spake2ee(clientRng, serverRng, hashedPassword,false);

  354.     }

  355.     

  356.     for (Benchmark b("Spake2ee c+s aug",0.1); b.iter(); ) {

  357.         spake2ee(clientRng, serverRng, hashedPassword,true);

  358.     }

  359.     

  360.     Scalar x(clientRng);

  361.     SecureBuffer gx((Precomputed::base() * x).serialize());

  362.     Scalar y(serverRng);

  363.     SecureBuffer gy((Precomputed::base() * y).serialize());

  364.     

  365.     for (Benchmark b("FHMQV c+s",0.1); b.iter(); ) {

  366.         fhmqv(clientRng, serverRng,x,gx,y,gy);

  367.     }

  368.     

  369.     for (Benchmark b("TripleDH anon c+s",0.1); b.iter(); ) {

  370.         tdh(clientRng, serverRng, x,gx,y,gy);

  371.     }

  372. }

  373. 

  374. static void micro() {

  375.     SpongeRng rng(Block("per-curve-benchmarks"),SpongeRng::DETERMINISTIC);

  376.     Precomputed pBase;

  377.     Point p,q;

  378.     Scalar s(1),t(2);

  379.     SecureBuffer ep, ep2(Point::SER_BYTES*2);

  380.     

  381.     printf("\nMicro-benchmarks for %s:\n", Group::name());

  382.     for (Benchmark b("Scalar add", 1000); b.iter(); ) { s+=t; }

  383.     for (Benchmark b("Scalar times", 100); b.iter(); ) { s*=t; }

  384.     for (Benchmark b("Scalar inv", 1); b.iter(); ) { s.inverse(); }

  385.     for (Benchmark b("Point add", 100); b.iter(); ) { p += q; }

  386.     for (Benchmark b("Point double", 100); b.iter(); ) { p.double_in_place(); }

  387.     for (Benchmark b("Point scalarmul"); b.iter(); ) { p * s; }

  388.     for (Benchmark b("Point encode"); b.iter(); ) { ep = p.serialize(); }

  389.     for (Benchmark b("Point decode"); b.iter(); ) { p = Point(ep); }

  390.     for (Benchmark b("Point create/destroy"); b.iter(); ) { Point r; }

  391.     for (Benchmark b("Point hash nonuniform"); b.iter(); ) { Point::from_hash(ep); }

  392.     for (Benchmark b("Point hash uniform"); b.iter(); ) { Point::from_hash(ep2); }

  393.     for (Benchmark b("Point unhash nonuniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep,0)); }

  394.     for (Benchmark b("Point unhash uniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep2,0)); }

  395.     for (Benchmark b("Point steg"); b.iter(); ) { p.steg_encode(rng); }

  396.     for (Benchmark b("Point double scalarmul"); b.iter(); ) { Point::double_scalarmul(p,s,q,t); }

  397.     for (Benchmark b("Point dual scalarmul"); b.iter(); ) { p.dual_scalarmul(p,q,s,t); }

  398.     for (Benchmark b("Point precmp scalarmul"); b.iter(); ) { pBase * s; }

  399.     for (Benchmark b("Point double scalarmul_v"); b.iter(); ) {

  400.         s = Scalar(rng);

  401.         t = Scalar(rng);

  402.         p.non_secret_combo_with_base(s,t);

  403.     }

  404. }

  405. 

  406. }; /* template <typename group> struct Benches */

  407. 

  408. template <typename Group> struct Macro { static void run() { Benches<Group>::macro(); } };

  409. template <typename Group> struct Micro { static void run() { Benches<Group>::micro(); } };

  410. 

  411. int main(int argc, char **argv) {

  412.     

  413.     bool micro = false;

  414.     if (argc >= 2 && !strcmp(argv[1], "--micro"))

  415.         micro = true;

  416. 

  417.     SpongeRng rng(Block("micro-benchmarks"),SpongeRng::DETERMINISTIC);

  418.     if (micro) {

  419.         printf("\nMicro-benchmarks:\n");

  420.         SHAKE<128> shake1;

  421.         SHAKE<256> shake2;

  422.         SHA3<512> sha5;

  423.         SHA512 sha2;

  424.         Strobe strobe("example::bench",Strobe::CLIENT);

  425.         unsigned char b1024[1024] = {1};

  426.         for (Benchmark b("SHAKE128 1kiB", 30); b.iter(); ) { shake1 += Buffer(b1024,1024); }

  427.         for (Benchmark b("SHAKE256 1kiB", 30); b.iter(); ) { shake2 += Buffer(b1024,1024); }

  428.         for (Benchmark b("SHA3-512 1kiB", 30); b.iter(); ) { sha5 += Buffer(b1024,1024); }

  429.         for (Benchmark b("SHA512 1kiB", 30); b.iter(); ) { sha2 += Buffer(b1024,1024); }

  430.         strobe.dh_key(Buffer(b1024,1024));

  431.         strobe.respec(STROBE_128);

  432.         for (Benchmark b("STROBE128 1kiB", 10); b.iter(); ) {

  433.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  434.         }

  435.         strobe.respec(STROBE_256);

  436.         for (Benchmark b("STROBE256 1kiB", 10); b.iter(); ) {

  437.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  438.         }

  439.         strobe.respec(STROBE_KEYED_128);

  440.         for (Benchmark b("STROBEk128 1kiB", 10); b.iter(); ) {

  441.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  442.         }

  443.         strobe.respec(STROBE_KEYED_256);

  444.         for (Benchmark b("STROBEk256 1kiB", 10); b.iter(); ) {

  445.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  446.         }

  447.         

  448.         run_for_all_curves<Micro>();

  449.     }

  450.     

  451.     run_for_all_curves<Macro>();

  452.     

  453.     printf("\n");

  454.     Benchmark::calib();

  455.     printf("\n");

  456.     

  457.     return 0;

  458. }