jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
328 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: a69002875c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a69002875c'
${ noResults }
ed448goldilocks/test/bench_decaf.cxx

439 lines
14 KiB
Raw Blame History 

  1. /**

  2.  * @file test_decaf.cxx

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief C++ benchmarks, because that's easier.

  10.  */

  11. 

  12. #include <decaf.hxx>

  13. #include <decaf/shake.hxx>

  14. #include <decaf/strobe.hxx>

  15. #include <decaf/spongerng.hxx>

  16. #include <decaf/crypto_255.h>

  17. #include <decaf/crypto_448.h>

  18. #include <decaf/crypto.hxx>

  19. #include <stdio.h>

  20. #include <sys/time.h>

  21. #include <assert.h>

  22. #include <stdint.h>

  23. #include <vector>

  24. #include <algorithm>

  25. 

  26. using namespace decaf;

  27. 

  28. 

  29. static __inline__ void __attribute__((unused)) ignore_result ( int result ) { (void)result; }

  30. static double now(void) {

  31.   struct timeval tv;

  32.   gettimeofday(&tv, NULL);

  33.   return tv.tv_sec + tv.tv_usec/1000000.0;

  34. }

  35. 

  36. // RDTSC from the chacha code

  37. #ifndef __has_builtin

  38. #define __has_builtin(X) 0

  39. #endif

  40. #if defined(__clang__) && __has_builtin(__builtin_readcyclecounter)

  41. #define rdtsc __builtin_readcyclecounter

  42. #else

  43. static inline uint64_t rdtsc(void) {

  44.   u_int64_t out = 0;

  45. # if (defined(__i386__) || defined(__x86_64__))

  46.     __asm__ __volatile__ ("rdtsc" : "=A"(out));

  47. # endif

  48.   return out;

  49. }

  50. #endif

  51. 

  52. static void printSI(double x, const char *unit, const char *spacer = " ") {

  53.     const char *small[] = {" ","m","µ","n","p"};

  54.     const char *big[] = {" ","k","M","G","T"};

  55.     if (x < 1) {

  56.         unsigned di=0;

  57.         for (di=0; di<sizeof(small)/sizeof(*small)-1 && x && x < 1; di++) { 

  58.             x *= 1000.0;

  59.         }

  60.         printf("%6.2f%s%s%s", x, spacer, small[di], unit);

  61.     } else {

  62.         unsigned di=0;

  63.         for (di=0; di<sizeof(big)/sizeof(*big)-1 && x && x >= 1000; di++) { 

  64.             x /= 1000.0;

  65.         }

  66.         printf("%6.2f%s%s%s", x, spacer, big[di], unit);

  67.     }

  68. }

  69. 

  70. class Benchmark {

  71.     static const int NTESTS = 20, NSAMPLES=50, DISCARD=2;

  72.     static double totalCy, totalS;

  73. public:

  74.     int i, j, ntests, nsamples;

  75.     double begin;

  76.     uint64_t tsc_begin;

  77.     std::vector<double> times;

  78.     std::vector<uint64_t> cycles;

  79.     Benchmark(const char *s, double factor = 1) {

  80.         printf("%s:", s);

  81.         if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  82.         fflush(stdout);

  83.         i = j = 0;

  84.         ntests = NTESTS * factor;

  85.         nsamples = NSAMPLES;

  86.         begin = now();

  87.         tsc_begin = rdtsc();

  88.         times = std::vector<double>(NSAMPLES);

  89.         cycles = std::vector<uint64_t>(NSAMPLES);

  90.     }

  91.     ~Benchmark() {

  92.         double tsc = 0;

  93.         double t = 0;

  94.         

  95.         std::sort(times.begin(), times.end());

  96.         std::sort(cycles.begin(), cycles.end());

  97.         

  98.         for (int k=DISCARD; k<nsamples-DISCARD; k++) {

  99.             tsc += cycles[k];

  100.             t += times[k];

  101.         }

  102.         

  103.         totalCy += tsc;

  104.         totalS += t;

  105.         

  106.         t /= ntests*(nsamples-2*DISCARD);

  107.         tsc /= ntests*(nsamples-2*DISCARD);

  108.         

  109.         printSI(t,"s");

  110.         printf("    ");

  111.         printSI(1/t,"/s");

  112.         if (tsc) { printf("    "); printSI(tsc, "cy"); }

  113.         printf("\n");

  114.     }

  115.     inline bool iter() {

  116.         i++;

  117.         if (i >= ntests) {

  118.             uint64_t tsc = rdtsc() - tsc_begin;

  119.             double t = now() - begin;

  120.             begin += t;

  121.             tsc_begin += tsc;

  122.             assert(j >= 0 && j < nsamples);

  123.             cycles[j] = tsc;

  124.             times[j] = t;

  125.             

  126.             j++;

  127.             i = 0;

  128.         }

  129.         return j < nsamples;

  130.     }

  131.     static void calib() {

  132.         if (totalS && totalCy) {

  133.             const char *s = "Cycle calibration";

  134.             printf("%s:", s);

  135.             if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  136.             printSI(totalCy / totalS, "Hz");

  137.             printf("\n");

  138.         }

  139.     }

  140. };

  141. 

  142. double Benchmark::totalCy = 0, Benchmark::totalS = 0;

  143. 

  144. 

  145. template<typename Group> struct Benches {

  146. 

  147. typedef typename Group::Scalar Scalar;

  148. typedef typename Group::Point Point;

  149. typedef typename Group::Precomputed Precomputed;

  150. 

  151. static void tdh (

  152.     SpongeRng &clientRng,

  153.     SpongeRng &serverRng,

  154.     Scalar x, const Block &gx,

  155.     Scalar y, const Block &gy

  156. ) {

  157.     /* "TripleDH".  A bit of a hack, really: the real TripleDH

  158.      * sends gx and gy and certs over the channel, but its goal

  159.      * is actually the opposite of STROBE in this case: it doesn't

  160.      * hash gx and gy into the session secret (only into the MAC

  161.      * and AD) because of IPR concerns.

  162.      */

  163.     Strobe client("example::tripleDH",Strobe::CLIENT), server("example::tripleDH",Strobe::SERVER);

  164.     

  165.     Scalar xe(clientRng);

  166.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  167.     client.send_plaintext(gxe);

  168.     server.recv_plaintext(gxe);

  169.     

  170.     Scalar ye(serverRng);

  171.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  172.     server.send_plaintext(gye);

  173.     client.recv_plaintext(gye);

  174.     

  175.     Point pgxe(gxe);

  176.     server.dh_key(pgxe*ye);

  177.     SecureBuffer tag1 = server.produce_auth();

  178.     //SecureBuffer ct = server.encrypt(gy);

  179.     server.dh_key(pgxe*y);

  180.     SecureBuffer tag2 = server.produce_auth();

  181.     

  182.     Point pgye(gye);

  183.     client.dh_key(pgye*xe);

  184.     client.verify_auth(tag1);

  185.     client.dh_key(Point(gy) * xe);

  186.     client.verify_auth(tag2);

  187.     // ct = client.encrypt(gx);

  188.     client.dh_key(pgye * x);

  189.     tag1 = client.produce_auth();

  190.     client.respec(STROBE_KEYED_128);

  191.     

  192.     server.dh_key(Point(gx) * ye);

  193.     server.verify_auth(tag1);

  194.     server.respec(STROBE_KEYED_128);

  195. }

  196. 

  197. static void fhmqv (

  198.     SpongeRng &clientRng,

  199.     SpongeRng &serverRng,

  200.     Scalar x, const Block &gx,

  201.     Scalar y, const Block &gy

  202. ) {

  203.     /* Don't use this, it's probably patented */

  204.     Strobe client("example::fhmqv",Strobe::CLIENT), server("example::fhmqv",Strobe::SERVER);

  205.     

  206.     Scalar xe(clientRng);

  207.     client.send_plaintext(gx);

  208.     server.recv_plaintext(gx);

  209.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  210.     server.send_plaintext(gxe);

  211.     client.recv_plaintext(gxe);

  212. 

  213.     Scalar ye(serverRng);

  214.     server.send_plaintext(gy);

  215.     client.recv_plaintext(gy);

  216.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  217.     server.send_plaintext(gye);

  218.     

  219.     Scalar schx(server.prng(Scalar::SER_BYTES));

  220.     Scalar schy(server.prng(Scalar::SER_BYTES));

  221.     Scalar yec = y + ye*schy;

  222.     server.dh_key(Point::double_scalarmul(Point(gx),yec,Point(gxe),yec*schx));

  223.     SecureBuffer as = server.produce_auth();

  224.     

  225.     client.recv_plaintext(gye);

  226.     Scalar cchx(client.prng(Scalar::SER_BYTES));

  227.     Scalar cchy(client.prng(Scalar::SER_BYTES));

  228.     Scalar xec = x + xe*schx;

  229.     client.dh_key(Point::double_scalarmul(Point(gy),xec,Point(gye),xec*schy));

  230.     client.verify_auth(as);

  231.     SecureBuffer ac = client.produce_auth();

  232.     client.respec(STROBE_KEYED_128);

  233.     

  234.     server.verify_auth(ac);

  235.     server.respec(STROBE_KEYED_128);

  236. }

  237. 

  238. static void spake2ee(

  239.     SpongeRng &clientRng,

  240.     SpongeRng &serverRng,

  241.     const Block &hashed_password,

  242.     bool aug

  243. ) {

  244.     Strobe client("example::spake2ee",Strobe::CLIENT), server("example::spake2ee",Strobe::SERVER);

  245.     

  246.     Scalar x(clientRng);

  247.     

  248.     SHAKE<256> shake;

  249.     shake.update(hashed_password);

  250.     SecureBuffer h0 = shake.output(Point::HASH_BYTES);

  251.     SecureBuffer h1 = shake.output(Point::HASH_BYTES);

  252.     SecureBuffer h2 = shake.output(Scalar::SER_BYTES);

  253.     Scalar gs(h2);

  254.     

  255.     Point hc = Point::from_hash(h0);

  256.     hc = Point::from_hash(h0); // double-count

  257.     Point hs = Point::from_hash(h1);

  258.     hs = Point::from_hash(h1); // double-count

  259.     

  260.     SecureBuffer gx((Precomputed::base() * x + hc).serialize());

  261.     client.send_plaintext(gx);

  262.     server.recv_plaintext(gx);

  263.     

  264.     Scalar y(serverRng);

  265.     SecureBuffer gy((Precomputed::base() * y + hs).serialize());

  266.     server.send_plaintext(gy);

  267.     client.recv_plaintext(gy);

  268.     

  269.     server.dh_key(h1);

  270.     server.dh_key((Point(gx) - hc)*y);

  271.     if(aug) {

  272.         /* This step isn't actually online but whatever, it's fastish */

  273.         SecureBuffer serverAug((Precomputed::base() * gs).serialize());

  274.         server.dh_key(Point(serverAug)*y);

  275.     }

  276.     SecureBuffer tag = server.produce_auth();

  277.     

  278.     client.dh_key(h1);

  279.     Point pgy(gy); pgy -= hs;

  280.     client.dh_key(pgy*x);

  281.     if (aug) client.dh_key(pgy * gs);

  282.     client.verify_auth(tag);    

  283.     tag = client.produce_auth();

  284.     client.respec(STROBE_KEYED_128);

  285.     /* A real protocol would continue with fork etc here... */

  286.     

  287.     server.verify_auth(tag);

  288.     server.respec(STROBE_KEYED_128);

  289. }

  290. 

  291. static void cfrg() {

  292.     SpongeRng rng(Block("bench_cfrg_crypto"),SpongeRng::DETERMINISTIC);

  293.     FixedArrayBuffer<Group::DhLadder::PUBLIC_BYTES> base(rng);

  294.     FixedArrayBuffer<Group::DhLadder::PRIVATE_BYTES> s1(rng);

  295.     for (Benchmark b("RFC 7748 keygen"); b.iter(); ) { Group::DhLadder::generate_key(s1); }

  296.     for (Benchmark b("RFC 7748 shared secret"); b.iter(); ) { Group::DhLadder::shared_secret(base,s1); }

  297. }

  298. 

  299. static void macro() {

  300.     printf("\nMacro-benchmarks for %s:\n", Group::name());

  301.     printf("CFRG crypto benchmarks:\n");

  302.     cfrg();

  303.     

  304.     printf("\nSample crypto benchmarks:\n");

  305.     SpongeRng rng(Block("macro rng seed"),SpongeRng::DETERMINISTIC);

  306.     PrivateKey<Group> s1((NOINIT())), s2(rng);

  307.     PublicKey<Group> p1((NOINIT())), p2(s2);

  308. 

  309.     SecureBuffer message = rng.read(5), sig, ss;

  310. 

  311.     for (Benchmark b("Create private key",1); b.iter(); ) {

  312.         s1 = PrivateKey<Group>(rng);

  313.         SecureBuffer bb = s1.serialize();

  314.     }

  315.     

  316.     for (Benchmark b("Sign",1); b.iter(); ) {

  317.         sig = s1.sign(message);

  318.     }

  319.     

  320.     p1 = s1.pub();

  321.     for (Benchmark b("Verify",1); b.iter(); ) {

  322.         rng.read(Buffer(message));

  323.         try { p1.verify(message, sig); } catch (CryptoException) {}

  324.     }

  325.     

  326.     for (Benchmark b("SharedSecret",1); b.iter(); ) {

  327.         ss = s1.sharedSecret(p2,32,true);

  328.     }

  329.     

  330.     printf("\nProtocol benchmarks:\n");

  331.     SpongeRng clientRng(Block("client rng seed"),SpongeRng::DETERMINISTIC);

  332.     SpongeRng serverRng(Block("server rng seed"),SpongeRng::DETERMINISTIC);

  333.     SecureBuffer hashedPassword(Block("hello world"));

  334.     for (Benchmark b("Spake2ee c+s",0.1); b.iter(); ) {

  335.         spake2ee(clientRng, serverRng, hashedPassword,false);

  336.     }

  337.     

  338.     for (Benchmark b("Spake2ee c+s aug",0.1); b.iter(); ) {

  339.         spake2ee(clientRng, serverRng, hashedPassword,true);

  340.     }

  341.     

  342.     Scalar x(clientRng);

  343.     SecureBuffer gx((Precomputed::base() * x).serialize());

  344.     Scalar y(serverRng);

  345.     SecureBuffer gy((Precomputed::base() * y).serialize());

  346.     

  347.     for (Benchmark b("FHMQV c+s",0.1); b.iter(); ) {

  348.         fhmqv(clientRng, serverRng,x,gx,y,gy);

  349.     }

  350.     

  351.     for (Benchmark b("TripleDH anon c+s",0.1); b.iter(); ) {

  352.         tdh(clientRng, serverRng, x,gx,y,gy);

  353.     }

  354. }

  355. 

  356. static void micro() {

  357.     SpongeRng rng(Block("per-curve-benchmarks"),SpongeRng::DETERMINISTIC);

  358.     Precomputed pBase;

  359.     Point p,q;

  360.     Scalar s(1),t(2);

  361.     SecureBuffer ep, ep2(Point::SER_BYTES*2);

  362.     

  363.     printf("\nMicro-benchmarks for %s:\n", Group::name());

  364.     for (Benchmark b("Scalar add", 1000); b.iter(); ) { s+=t; }

  365.     for (Benchmark b("Scalar times", 100); b.iter(); ) { s*=t; }

  366.     for (Benchmark b("Scalar inv", 1); b.iter(); ) { s.inverse(); }

  367.     for (Benchmark b("Point add", 100); b.iter(); ) { p += q; }

  368.     for (Benchmark b("Point double", 100); b.iter(); ) { p.double_in_place(); }

  369.     for (Benchmark b("Point scalarmul"); b.iter(); ) { p * s; }

  370.     for (Benchmark b("Point encode"); b.iter(); ) { ep = p.serialize(); }

  371.     for (Benchmark b("Point decode"); b.iter(); ) { p = Point(ep); }

  372.     for (Benchmark b("Point create/destroy"); b.iter(); ) { Point r; }

  373.     for (Benchmark b("Point hash nonuniform"); b.iter(); ) { Point::from_hash(ep); }

  374.     for (Benchmark b("Point hash uniform"); b.iter(); ) { Point::from_hash(ep2); }

  375.     for (Benchmark b("Point unhash nonuniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep,0)); }

  376.     for (Benchmark b("Point unhash uniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep2,0)); }

  377.     for (Benchmark b("Point steg"); b.iter(); ) { p.steg_encode(rng); }

  378.     for (Benchmark b("Point double scalarmul"); b.iter(); ) { Point::double_scalarmul(p,s,q,t); }

  379.     for (Benchmark b("Point dual scalarmul"); b.iter(); ) { p.dual_scalarmul(p,q,s,t); }

  380.     for (Benchmark b("Point precmp scalarmul"); b.iter(); ) { pBase * s; }

  381.     for (Benchmark b("Point double scalarmul_v"); b.iter(); ) {

  382.         s = Scalar(rng);

  383.         t = Scalar(rng);

  384.         p.non_secret_combo_with_base(s,t);

  385.     }

  386. }

  387. 

  388. }; /* template <typename group> struct Benches */

  389. 

  390. int main(int argc, char **argv) {

  391.     

  392.     bool micro = false;

  393.     if (argc >= 2 && !strcmp(argv[1], "--micro"))

  394.         micro = true;

  395. 

  396.     SpongeRng rng(Block("micro-benchmarks"),SpongeRng::DETERMINISTIC);

  397.     if (micro) {

  398.         printf("\nMicro-benchmarks:\n");

  399.         SHAKE<128> shake1;

  400.         SHAKE<256> shake2;

  401.         SHA3<512> sha5;

  402.         Strobe strobe("example::bench",Strobe::CLIENT);

  403.         unsigned char b1024[1024] = {1};

  404.         for (Benchmark b("SHAKE128 1kiB", 30); b.iter(); ) { shake1 += Buffer(b1024,1024); }

  405.         for (Benchmark b("SHAKE256 1kiB", 30); b.iter(); ) { shake2 += Buffer(b1024,1024); }

  406.         for (Benchmark b("SHA3-512 1kiB", 30); b.iter(); ) { sha5 += Buffer(b1024,1024); }

  407.         strobe.dh_key(Buffer(b1024,1024));

  408.         strobe.respec(STROBE_128);

  409.         for (Benchmark b("STROBE128 1kiB", 10); b.iter(); ) {

  410.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  411.         }

  412.         strobe.respec(STROBE_256);

  413.         for (Benchmark b("STROBE256 1kiB", 10); b.iter(); ) {

  414.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  415.         }

  416.         strobe.respec(STROBE_KEYED_128);

  417.         for (Benchmark b("STROBEk128 1kiB", 10); b.iter(); ) {

  418.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  419.         }

  420.         strobe.respec(STROBE_KEYED_256);

  421.         for (Benchmark b("STROBEk256 1kiB", 10); b.iter(); ) {

  422.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  423.         }

  424.         

  425.         Benches<IsoEd25519>::micro();

  426.         Benches<Ed448Goldilocks>::micro();

  427.     }

  428. 

  429.     Benches<IsoEd25519>::macro();

  430.     Benches<Ed448Goldilocks>::macro();

  431. 

  432.     

  433.     printf("\n");

  434.     Benchmark::calib();

  435.     printf("\n");

  436.     

  437.     return 0;

  438. }