jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
276 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: a3b094eb99
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a3b094eb99'
${ noResults }
ed448goldilocks/test/bench_decaf.cxx

497 lines
16 KiB
Raw Blame History 

  1. /**

  2.  * @file test_decaf.cxx

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief C++ benchmarks, because that's easier.

  10.  */

  11. 

  12. #include <decaf.hxx>

  13. #include <decaf/shake.hxx>

  14. #include <decaf/crypto_255.h>

  15. #include <decaf/crypto_448.h>

  16. #include <decaf/crypto.hxx>

  17. #include <stdio.h>

  18. #include <sys/time.h>

  19. #include <assert.h>

  20. #include <stdint.h>

  21. #include <vector>

  22. #include <algorithm>

  23. 

  24. using namespace decaf;

  25. 

  26. 

  27. static __inline__ void __attribute__((unused)) ignore_result ( int result ) { (void)result; }

  28. static double now(void) {

  29.   struct timeval tv;

  30.   gettimeofday(&tv, NULL);

  31.   return tv.tv_sec + tv.tv_usec/1000000.0;

  32. }

  33. 

  34. // RDTSC from the chacha code

  35. #ifndef __has_builtin

  36. #define __has_builtin(X) 0

  37. #endif

  38. #if defined(__clang__) && __has_builtin(__builtin_readcyclecounter)

  39. #define rdtsc __builtin_readcyclecounter

  40. #else

  41. static inline uint64_t rdtsc(void) {

  42.   u_int64_t out = 0;

  43. # if (defined(__i386__) || defined(__x86_64__))

  44.     __asm__ __volatile__ ("rdtsc" : "=A"(out));

  45. # endif

  46.   return out;

  47. }

  48. #endif

  49. 

  50. static void printSI(double x, const char *unit, const char *spacer = " ") {

  51.     const char *small[] = {" ","m","ยต","n","p"};

  52.     const char *big[] = {" ","k","M","G","T"};

  53.     if (x < 1) {

  54.         unsigned di=0;

  55.         for (di=0; di<sizeof(small)/sizeof(*small)-1 && x && x < 1; di++) { 

  56.             x *= 1000.0;

  57.         }

  58.         printf("%6.2f%s%s%s", x, spacer, small[di], unit);

  59.     } else {

  60.         unsigned di=0;

  61.         for (di=0; di<sizeof(big)/sizeof(*big)-1 && x && x >= 1000; di++) { 

  62.             x /= 1000.0;

  63.         }

  64.         printf("%6.2f%s%s%s", x, spacer, big[di], unit);

  65.     }

  66. }

  67. 

  68. class Benchmark {

  69.     static const int NTESTS = 20, NSAMPLES=50, DISCARD=2;

  70.     static double totalCy, totalS;

  71. public:

  72.     int i, j, ntests, nsamples;

  73.     double begin;

  74.     uint64_t tsc_begin;

  75.     std::vector<double> times;

  76.     std::vector<uint64_t> cycles;

  77.     Benchmark(const char *s, double factor = 1) {

  78.         printf("%s:", s);

  79.         if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  80.         fflush(stdout);

  81.         i = j = 0;

  82.         ntests = NTESTS * factor;

  83.         nsamples = NSAMPLES;

  84.         begin = now();

  85.         tsc_begin = rdtsc();

  86.         times = std::vector<double>(NSAMPLES);

  87.         cycles = std::vector<uint64_t>(NSAMPLES);

  88.     }

  89.     ~Benchmark() {

  90.         double tsc = 0;

  91.         double t = 0;

  92.         

  93.         std::sort(times.begin(), times.end());

  94.         std::sort(cycles.begin(), cycles.end());

  95.         

  96.         for (int k=DISCARD; k<nsamples-DISCARD; k++) {

  97.             tsc += cycles[k];

  98.             t += times[k];

  99.         }

  100.         

  101.         totalCy += tsc;

  102.         totalS += t;

  103.         

  104.         t /= ntests*(nsamples-2*DISCARD);

  105.         tsc /= ntests*(nsamples-2*DISCARD);

  106.         

  107.         printSI(t,"s");

  108.         printf("    ");

  109.         printSI(1/t,"/s");

  110.         if (tsc) { printf("    "); printSI(tsc, "cy"); }

  111.         printf("\n");

  112.     }

  113.     inline bool iter() {

  114.         i++;

  115.         if (i >= ntests) {

  116.             uint64_t tsc = rdtsc() - tsc_begin;

  117.             double t = now() - begin;

  118.             begin += t;

  119.             tsc_begin += tsc;

  120.             assert(j >= 0 && j < nsamples);

  121.             cycles[j] = tsc;

  122.             times[j] = t;

  123.             

  124.             j++;

  125.             i = 0;

  126.         }

  127.         return j < nsamples;

  128.     }

  129.     static void calib() {

  130.         if (totalS && totalCy) {

  131.             const char *s = "Cycle calibration";

  132.             printf("%s:", s);

  133.             if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  134.             printSI(totalCy / totalS, "Hz");

  135.             printf("\n");

  136.         }

  137.     }

  138. };

  139. 

  140. double Benchmark::totalCy = 0, Benchmark::totalS = 0;

  141. 

  142. 

  143. template<typename Group> struct Benches {

  144. 

  145. typedef typename Group::Scalar Scalar;

  146. typedef typename Group::Point Point;

  147. typedef typename Group::Precomputed Precomputed;

  148. 

  149. static void tdh (

  150.     SpongeRng &clientRng,

  151.     SpongeRng &serverRng,

  152.     Scalar x, const Block &gx,

  153.     Scalar y, const Block &gy

  154. ) {

  155.     /* "TripleDH".  A bit of a hack, really: the real TripleDH

  156.      * sends gx and gy and certs over the channel, but its goal

  157.      * is actually the opposite of STROBE in this case: it doesn't

  158.      * hash gx and gy into the session secret (only into the MAC

  159.      * and AD) because of IPR concerns.

  160.      */

  161.     Strobe client("example::tripleDH",Strobe::CLIENT), server("example::tripleDH",Strobe::SERVER);

  162.     

  163.     Scalar xe(clientRng);

  164.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  165.     client.send_plaintext(gxe);

  166.     server.recv_plaintext(gxe);

  167.     

  168.     Scalar ye(serverRng);

  169.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  170.     server.send_plaintext(gye);

  171.     client.recv_plaintext(gye);

  172.     

  173.     Point pgxe(gxe);

  174.     server.dh_key(pgxe*ye);

  175.     SecureBuffer tag1 = server.produce_auth();

  176.     //SecureBuffer ct = server.encrypt(gy);

  177.     server.dh_key(pgxe*y);

  178.     SecureBuffer tag2 = server.produce_auth();

  179.     

  180.     Point pgye(gye);

  181.     client.dh_key(pgye*xe);

  182.     client.verify_auth(tag1);

  183.     client.dh_key(Point(gy) * xe);

  184.     client.verify_auth(tag2);

  185.     // ct = client.encrypt(gx);

  186.     client.dh_key(pgye * x);

  187.     tag1 = client.produce_auth();

  188.     client.respec(STROBE_KEYED_128);

  189.     

  190.     server.dh_key(Point(gx) * ye);

  191.     server.verify_auth(tag1);

  192.     server.respec(STROBE_KEYED_128);

  193. }

  194. 

  195. static void fhmqv (

  196.     SpongeRng &clientRng,

  197.     SpongeRng &serverRng,

  198.     Scalar x, const Block &gx,

  199.     Scalar y, const Block &gy

  200. ) {

  201.     /* Don't use this, it's probably patented */

  202.     Strobe client("example::fhmqv",Strobe::CLIENT), server("example::fhmqv",Strobe::SERVER);

  203.     

  204.     Scalar xe(clientRng);

  205.     client.send_plaintext(gx);

  206.     server.recv_plaintext(gx);

  207.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  208.     server.send_plaintext(gxe);

  209.     client.recv_plaintext(gxe);

  210. 

  211.     Scalar ye(serverRng);

  212.     server.send_plaintext(gy);

  213.     client.recv_plaintext(gy);

  214.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  215.     server.send_plaintext(gye);

  216.     

  217.     Scalar schx(server.prng(Scalar::SER_BYTES));

  218.     Scalar schy(server.prng(Scalar::SER_BYTES));

  219.     Scalar yec = y + ye*schy;

  220.     server.dh_key(Point::double_scalarmul(Point(gx),yec,Point(gxe),yec*schx));

  221.     SecureBuffer as = server.produce_auth();

  222.     

  223.     client.recv_plaintext(gye);

  224.     Scalar cchx(client.prng(Scalar::SER_BYTES));

  225.     Scalar cchy(client.prng(Scalar::SER_BYTES));

  226.     Scalar xec = x + xe*schx;

  227.     client.dh_key(Point::double_scalarmul(Point(gy),xec,Point(gye),xec*schy));

  228.     client.verify_auth(as);

  229.     SecureBuffer ac = client.produce_auth();

  230.     client.respec(STROBE_KEYED_128);

  231.     

  232.     server.verify_auth(ac);

  233.     server.respec(STROBE_KEYED_128);

  234. }

  235. 

  236. static void spake2ee(

  237.     SpongeRng &clientRng,

  238.     SpongeRng &serverRng,

  239.     const Block &hashed_password,

  240.     bool aug

  241. ) {

  242.     Strobe client("example::spake2ee",Strobe::CLIENT), server("example::spake2ee",Strobe::SERVER);

  243.     

  244.     Scalar x(clientRng);

  245.     

  246.     SHAKE<256> shake;

  247.     shake.update(hashed_password);

  248.     SecureBuffer h0 = shake.output(Point::HASH_BYTES);

  249.     SecureBuffer h1 = shake.output(Point::HASH_BYTES);

  250.     SecureBuffer h2 = shake.output(Scalar::SER_BYTES);

  251.     Scalar gs(h2);

  252.     

  253.     Point hc = Point::from_hash(h0);

  254.     hc = Point::from_hash(h0); // double-count

  255.     Point hs = Point::from_hash(h1);

  256.     hs = Point::from_hash(h1); // double-count

  257.     

  258.     SecureBuffer gx((Precomputed::base() * x + hc).serialize());

  259.     client.send_plaintext(gx);

  260.     server.recv_plaintext(gx);

  261.     

  262.     Scalar y(serverRng);

  263.     SecureBuffer gy((Precomputed::base() * y + hs).serialize());

  264.     server.send_plaintext(gy);

  265.     client.recv_plaintext(gy);

  266.     

  267.     server.dh_key(h1);

  268.     server.dh_key((Point(gx) - hc)*y);

  269.     if(aug) {

  270.         /* This step isn't actually online but whatever, it's fastish */

  271.         SecureBuffer serverAug((Precomputed::base() * gs).serialize());

  272.         server.dh_key(Point(serverAug)*y);

  273.     }

  274.     SecureBuffer tag = server.produce_auth();

  275.     

  276.     client.dh_key(h1);

  277.     Point pgy(gy); pgy -= hs;

  278.     client.dh_key(pgy*x);

  279.     if (aug) client.dh_key(pgy * gs);

  280.     client.verify_auth(tag);    

  281.     tag = client.produce_auth();

  282.     client.respec(STROBE_KEYED_128);

  283.     /* TODO: fork... */

  284.     

  285.     server.verify_auth(tag);

  286.     server.respec(STROBE_KEYED_128);

  287. }

  288. 

  289. static void macro() {

  290.     printf("\nMacro-benchmarks for %s:\n", Group::name());

  291.     printf("Crypto benchmarks:\n");

  292.     SpongeRng rng(Block("macro rng seed"));

  293.     PublicKey<Group> p1((NOINIT())), p2((NOINIT()));

  294.     PrivateKey<Group> s1((NOINIT())), s2((NOINIT()));

  295. 

  296.     SecureBuffer message = rng.read(5), sig;

  297. 

  298.     for (Benchmark b("Create private key",1); b.iter(); ) {

  299.         s1 = PrivateKey<Group>(rng);

  300.         SecureBuffer bb = s1.serialize();

  301.     }

  302.     

  303.     for (Benchmark b("Sign",1); b.iter(); ) {

  304.         sig = s1.sign(message);

  305.     }

  306.     

  307.     p1 = s1.pub();

  308.     for (Benchmark b("Verify",1); b.iter(); ) {

  309.         rng.read(Buffer(message));

  310.         try { p1.verify(message, sig); } catch (CryptoException) {}

  311.     }

  312.     

  313.     printf("\nProtocol benchmarks:\n");

  314.     SpongeRng clientRng(Block("client rng seed"));

  315.     SpongeRng serverRng(Block("server rng seed"));

  316.     SecureBuffer hashedPassword(Block("hello world"));

  317.     for (Benchmark b("Spake2ee c+s",0.1); b.iter(); ) {

  318.         spake2ee(clientRng, serverRng, hashedPassword,false);

  319.     }

  320.     

  321.     for (Benchmark b("Spake2ee c+s aug",0.1); b.iter(); ) {

  322.         spake2ee(clientRng, serverRng, hashedPassword,true);

  323.     }

  324.     

  325.     Scalar x(clientRng);

  326.     SecureBuffer gx((Precomputed::base() * x).serialize());

  327.     Scalar y(serverRng);

  328.     SecureBuffer gy((Precomputed::base() * y).serialize());

  329.     

  330.     for (Benchmark b("FHMQV c+s",0.1); b.iter(); ) {

  331.         fhmqv(clientRng, serverRng,x,gx,y,gy);

  332.     }

  333.     

  334.     for (Benchmark b("TripleDH anon c+s",0.1); b.iter(); ) {

  335.         tdh(clientRng, serverRng, x,gx,y,gy);

  336.     }

  337. }

  338. 

  339. static void micro() {

  340.     SpongeRng rng(Block("per-curve-benchmarks"));

  341.     Precomputed pBase;

  342.     Point p,q;

  343.     Scalar s(1),t(2);

  344.     SecureBuffer ep, ep2(Point::SER_BYTES*2);

  345.     

  346.     printf("\nMicro-benchmarks for %s:\n", Group::name());

  347.     for (Benchmark b("Scalar add", 1000); b.iter(); ) { s+=t; }

  348.     for (Benchmark b("Scalar times", 100); b.iter(); ) { s*=t; }

  349.     for (Benchmark b("Scalar inv", 1); b.iter(); ) { s.inverse(); }

  350.     for (Benchmark b("Point add", 100); b.iter(); ) { p += q; }

  351.     for (Benchmark b("Point double", 100); b.iter(); ) { p.double_in_place(); }

  352.     for (Benchmark b("Point scalarmul"); b.iter(); ) { p * s; }

  353.     for (Benchmark b("Point encode"); b.iter(); ) { ep = p.serialize(); }

  354.     for (Benchmark b("Point decode"); b.iter(); ) { p = Point(ep); }

  355.     for (Benchmark b("Point create/destroy"); b.iter(); ) { Point r; }

  356.     for (Benchmark b("Point hash nonuniform"); b.iter(); ) { Point::from_hash(ep); }

  357.     for (Benchmark b("Point hash uniform"); b.iter(); ) { Point::from_hash(ep2); }

  358.     for (Benchmark b("Point unhash nonuniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep,0)); }

  359.     for (Benchmark b("Point unhash uniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep2,0)); }

  360.     for (Benchmark b("Point steg"); b.iter(); ) { p.steg_encode(rng); }

  361.     for (Benchmark b("Point double scalarmul"); b.iter(); ) { Point::double_scalarmul(p,s,q,t); }

  362.     for (Benchmark b("Point dual scalarmul"); b.iter(); ) { p.dual_scalarmul(p,q,s,t); }

  363.     for (Benchmark b("Point precmp scalarmul"); b.iter(); ) { pBase * s; }

  364.     for (Benchmark b("Point double scalarmul_v"); b.iter(); ) {

  365.         s = Scalar(rng);

  366.         t = Scalar(rng);

  367.         p.non_secret_combo_with_base(s,t);

  368.     }

  369. }

  370. 

  371. }; /* template <typename group> struct Benches */

  372. 

  373. int main(int argc, char **argv) {

  374.     

  375.     bool micro = false;

  376.     if (argc >= 2 && !strcmp(argv[1], "--micro"))

  377.         micro = true;

  378. 

  379.     decaf_255_symmetric_key_t r1,r2;

  380.     memset(r1,1,sizeof(r1));

  381.     memset(r2,2,sizeof(r2)); 

  382.     

  383.     unsigned char umessage[] = {1,2,3,4,5};

  384.     size_t lmessage = sizeof(umessage);

  385. 

  386. 

  387.     SpongeRng rng(Block("micro-benchmarks"));

  388.     if (micro) {

  389.         printf("\nMicro-benchmarks:\n");

  390.         SHAKE<128> shake1;

  391.         SHAKE<256> shake2;

  392.         SHA3<512> sha5;

  393.         Strobe strobe("example::bench",Strobe::CLIENT);

  394.         unsigned char b1024[1024] = {1};

  395.         for (Benchmark b("SHAKE128 1kiB", 30); b.iter(); ) { shake1 += Buffer(b1024,1024); }

  396.         for (Benchmark b("SHAKE256 1kiB", 30); b.iter(); ) { shake2 += Buffer(b1024,1024); }

  397.         for (Benchmark b("SHA3-512 1kiB", 30); b.iter(); ) { sha5 += Buffer(b1024,1024); }

  398.         strobe.dh_key(Buffer(b1024,1024));

  399.         strobe.respec(STROBE_128);

  400.         for (Benchmark b("STROBE128 1kiB", 10); b.iter(); ) {

  401.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  402.         }

  403.         strobe.respec(STROBE_256);

  404.         for (Benchmark b("STROBE256 1kiB", 10); b.iter(); ) {

  405.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  406.         }

  407.         strobe.respec(STROBE_KEYED_128);

  408.         for (Benchmark b("STROBEk128 1kiB", 10); b.iter(); ) {

  409.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  410.         }

  411.         strobe.respec(STROBE_KEYED_256);

  412.         for (Benchmark b("STROBEk256 1kiB", 10); b.iter(); ) {

  413.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  414.         }

  415.         

  416.         Benches<IsoEd25519>::micro();

  417.         Benches<Ed448Goldilocks>::micro();

  418.     }

  419. 

  420.     {

  421.         decaf_255_public_key_t p1,p2;

  422.         decaf_255_private_key_t s1,s2;

  423.         decaf_255_signature_t sig1;

  424.         unsigned char ss[32];

  425.     

  426.         printf("\nMacro-benchmarks for IsoEd25519:\n");

  427.         for (Benchmark b("Keygen"); b.iter(); ) {

  428.             decaf_255_derive_private_key(s1,r1);

  429.         }

  430.     

  431.         decaf_255_private_to_public(p1,s1);

  432.         decaf_255_derive_private_key(s2,r2);

  433.         decaf_255_private_to_public(p2,s2);

  434.     

  435.         for (Benchmark b("Shared secret"); b.iter(); ) {

  436.             decaf_bool_t ret = decaf_255_shared_secret(ss,sizeof(ss),s1,p2,1);

  437.             ignore_result(ret);

  438.             assert(ret);

  439.         }

  440.     

  441.         for (Benchmark b("Sign"); b.iter(); ) {

  442.             decaf_255_sign(sig1,s1,umessage,lmessage);

  443.         }

  444.     

  445.         for (Benchmark b("Verify"); b.iter(); ) {

  446.             decaf_bool_t ret = decaf_255_verify(sig1,p1,umessage,lmessage);

  447.             rng.read(Buffer(umessage,lmessage));

  448.             // umessage[0]++;

  449.             // umessage[1]^=umessage[0];

  450.             ignore_result(ret);

  451.         }

  452.     }

  453. 

  454.     {

  455.         decaf_448_public_key_t p1,p2;

  456.         decaf_448_private_key_t s1,s2;

  457.         decaf_448_signature_t sig1;

  458.         unsigned char ss[32];

  459.     

  460.         printf("\nMacro-benchmarks for Ed448-Goldilocks:\n");

  461.         for (Benchmark b("Keygen"); b.iter(); ) {

  462.             decaf_448_derive_private_key(s1,r1);

  463.         }

  464.     

  465.         decaf_448_private_to_public(p1,s1);

  466.         decaf_448_derive_private_key(s2,r2);

  467.         decaf_448_private_to_public(p2,s2);

  468.     

  469.         for (Benchmark b("Shared secret"); b.iter(); ) {

  470.             decaf_bool_t ret = decaf_448_shared_secret(ss,sizeof(ss),s1,p2,1);

  471.             ignore_result(ret);

  472.             assert(ret);

  473.         }

  474.     

  475.         for (Benchmark b("Sign"); b.iter(); ) {

  476.             decaf_448_sign(sig1,s1,umessage,lmessage);

  477.         }

  478.     

  479.         for (Benchmark b("Verify"); b.iter(); ) {

  480.             decaf_bool_t ret = decaf_448_verify(sig1,p1,umessage,lmessage);

  481.             rng.read(Buffer(umessage,lmessage));

  482.             // umessage[0]++;

  483.             // umessage[1]^=umessage[0];

  484.             ignore_result(ret);

  485.         }

  486.     }

  487.     

  488.     Benches<IsoEd25519>::macro();

  489.     Benches<Ed448Goldilocks>::macro();

  490.     

  491.     printf("\n");

  492.     Benchmark::calib();

  493.     printf("\n");

  494.     

  495.     return 0;

  496. }