jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
386 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: f4558c1e13
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f4558c1e13'
${ noResults }
ed448goldilocks/test/bench_decaf.cxx

452 lines
15 KiB
Raw Blame History 

  1. /**

  2.  * @file test_decaf.cxx

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief C++ benchmarks, because that's easier.

  10.  */

  11. 

  12. #include <decaf.hxx>

  13. #include <decaf/shake.hxx>

  14. #include <decaf/sha512.hxx>

  15. #include <decaf/strobe.hxx>

  16. #include <decaf/spongerng.hxx>

  17. #include <decaf/crypto_255.h>

  18. #include <decaf/crypto_448.h>

  19. #include <decaf/crypto.hxx>

  20. #include <decaf/eddsa.hxx>

  21. #include <stdio.h>

  22. #include <sys/time.h>

  23. #include <assert.h>

  24. #include <stdint.h>

  25. #include <vector>

  26. #include <algorithm>

  27. 

  28. using namespace decaf;

  29. 

  30. 

  31. static __inline__ void __attribute__((unused)) ignore_result ( int result ) { (void)result; }

  32. static double now(void) {

  33.   struct timeval tv;

  34.   gettimeofday(&tv, NULL);

  35.   return tv.tv_sec + tv.tv_usec/1000000.0;

  36. }

  37. 

  38. // RDTSC from the chacha code

  39. #ifndef __has_builtin

  40. #define __has_builtin(X) 0

  41. #endif

  42. #if defined(__clang__) && __has_builtin(__builtin_readcyclecounter)

  43. #define rdtsc __builtin_readcyclecounter

  44. #else

  45. static inline uint64_t rdtsc(void) {

  46.   u_int64_t out = 0;

  47. # if (defined(__i386__) || defined(__x86_64__))

  48.     __asm__ __volatile__ ("rdtsc" : "=A"(out));

  49. # endif

  50.   return out;

  51. }

  52. #endif

  53. 

  54. static void printSI(double x, const char *unit, const char *spacer = " ") {

  55.     const char *small[] = {" ","m","ยต","n","p"};

  56.     const char *big[] = {" ","k","M","G","T"};

  57.     if (x < 1) {

  58.         unsigned di=0;

  59.         for (di=0; di<sizeof(small)/sizeof(*small)-1 && x && x < 1; di++) { 

  60.             x *= 1000.0;

  61.         }

  62.         printf("%6.2f%s%s%s", x, spacer, small[di], unit);

  63.     } else {

  64.         unsigned di=0;

  65.         for (di=0; di<sizeof(big)/sizeof(*big)-1 && x && x >= 1000; di++) { 

  66.             x /= 1000.0;

  67.         }

  68.         printf("%6.2f%s%s%s", x, spacer, big[di], unit);

  69.     }

  70. }

  71. 

  72. class Benchmark {

  73.     static const int NTESTS = 20, NSAMPLES=50, DISCARD=2;

  74.     static double totalCy, totalS;

  75. public:

  76.     int i, j, ntests, nsamples;

  77.     double begin;

  78.     uint64_t tsc_begin;

  79.     std::vector<double> times;

  80.     std::vector<uint64_t> cycles;

  81.     Benchmark(const char *s, double factor = 1) {

  82.         printf("%s:", s);

  83.         if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  84.         fflush(stdout);

  85.         i = j = 0;

  86.         ntests = NTESTS * factor;

  87.         nsamples = NSAMPLES;

  88.         begin = now();

  89.         tsc_begin = rdtsc();

  90.         times = std::vector<double>(NSAMPLES);

  91.         cycles = std::vector<uint64_t>(NSAMPLES);

  92.     }

  93.     ~Benchmark() {

  94.         double tsc = 0;

  95.         double t = 0;

  96.         

  97.         std::sort(times.begin(), times.end());

  98.         std::sort(cycles.begin(), cycles.end());

  99.         

  100.         for (int k=DISCARD; k<nsamples-DISCARD; k++) {

  101.             tsc += cycles[k];

  102.             t += times[k];

  103.         }

  104.         

  105.         totalCy += tsc;

  106.         totalS += t;

  107.         

  108.         t /= ntests*(nsamples-2*DISCARD);

  109.         tsc /= ntests*(nsamples-2*DISCARD);

  110.         

  111.         printSI(t,"s");

  112.         printf("    ");

  113.         printSI(1/t,"/s");

  114.         if (tsc) { printf("    "); printSI(tsc, "cy"); }

  115.         printf("\n");

  116.     }

  117.     inline bool iter() {

  118.         i++;

  119.         if (i >= ntests) {

  120.             uint64_t tsc = rdtsc() - tsc_begin;

  121.             double t = now() - begin;

  122.             begin += t;

  123.             tsc_begin += tsc;

  124.             assert(j >= 0 && j < nsamples);

  125.             cycles[j] = tsc;

  126.             times[j] = t;

  127.             

  128.             j++;

  129.             i = 0;

  130.         }

  131.         return j < nsamples;

  132.     }

  133.     static void calib() {

  134.         if (totalS && totalCy) {

  135.             const char *s = "Cycle calibration";

  136.             printf("%s:", s);

  137.             if (strlen(s) < 25) printf("%*s",int(25-strlen(s)),"");

  138.             printSI(totalCy / totalS, "Hz");

  139.             printf("\n");

  140.         }

  141.     }

  142. };

  143. 

  144. double Benchmark::totalCy = 0, Benchmark::totalS = 0;

  145. 

  146. 

  147. template<typename Group> struct Benches {

  148. 

  149. typedef typename Group::Scalar Scalar;

  150. typedef typename Group::Point Point;

  151. typedef typename Group::Precomputed Precomputed;

  152. 

  153. static void tdh (

  154.     SpongeRng &clientRng,

  155.     SpongeRng &serverRng,

  156.     Scalar x, const Block &gx,

  157.     Scalar y, const Block &gy

  158. ) {

  159.     /* "TripleDH".  A bit of a hack, really: the real TripleDH

  160.      * sends gx and gy and certs over the channel, but its goal

  161.      * is actually the opposite of STROBE in this case: it doesn't

  162.      * hash gx and gy into the session secret (only into the MAC

  163.      * and AD) because of IPR concerns.

  164.      */

  165.     Strobe client("example::tripleDH",Strobe::CLIENT), server("example::tripleDH",Strobe::SERVER);

  166.     

  167.     Scalar xe(clientRng);

  168.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  169.     client.send_plaintext(gxe);

  170.     server.recv_plaintext(gxe);

  171.     

  172.     Scalar ye(serverRng);

  173.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  174.     server.send_plaintext(gye);

  175.     client.recv_plaintext(gye);

  176.     

  177.     Point pgxe(gxe);

  178.     server.dh_key(pgxe*ye);

  179.     SecureBuffer tag1 = server.produce_auth();

  180.     //SecureBuffer ct = server.encrypt(gy);

  181.     server.dh_key(pgxe*y);

  182.     SecureBuffer tag2 = server.produce_auth();

  183.     

  184.     Point pgye(gye);

  185.     client.dh_key(pgye*xe);

  186.     client.verify_auth(tag1);

  187.     client.dh_key(Point(gy) * xe);

  188.     client.verify_auth(tag2);

  189.     // ct = client.encrypt(gx);

  190.     client.dh_key(pgye * x);

  191.     tag1 = client.produce_auth();

  192.     client.respec(STROBE_KEYED_128);

  193.     

  194.     server.dh_key(Point(gx) * ye);

  195.     server.verify_auth(tag1);

  196.     server.respec(STROBE_KEYED_128);

  197. }

  198. 

  199. static void fhmqv (

  200.     SpongeRng &clientRng,

  201.     SpongeRng &serverRng,

  202.     Scalar x, const Block &gx,

  203.     Scalar y, const Block &gy

  204. ) {

  205.     /* Don't use this, it's probably patented */

  206.     Strobe client("example::fhmqv",Strobe::CLIENT), server("example::fhmqv",Strobe::SERVER);

  207.     

  208.     Scalar xe(clientRng);

  209.     client.send_plaintext(gx);

  210.     server.recv_plaintext(gx);

  211.     SecureBuffer gxe((Precomputed::base() * xe).serialize());

  212.     server.send_plaintext(gxe);

  213.     client.recv_plaintext(gxe);

  214. 

  215.     Scalar ye(serverRng);

  216.     server.send_plaintext(gy);

  217.     client.recv_plaintext(gy);

  218.     SecureBuffer gye((Precomputed::base() * ye).serialize());

  219.     server.send_plaintext(gye);

  220.     

  221.     Scalar schx(server.prng(Scalar::SER_BYTES));

  222.     Scalar schy(server.prng(Scalar::SER_BYTES));

  223.     Scalar yec = y + ye*schy;

  224.     server.dh_key(Point::double_scalarmul(Point(gx),yec,Point(gxe),yec*schx));

  225.     SecureBuffer as = server.produce_auth();

  226.     

  227.     client.recv_plaintext(gye);

  228.     Scalar cchx(client.prng(Scalar::SER_BYTES));

  229.     Scalar cchy(client.prng(Scalar::SER_BYTES));

  230.     Scalar xec = x + xe*schx;

  231.     client.dh_key(Point::double_scalarmul(Point(gy),xec,Point(gye),xec*schy));

  232.     client.verify_auth(as);

  233.     SecureBuffer ac = client.produce_auth();

  234.     client.respec(STROBE_KEYED_128);

  235.     

  236.     server.verify_auth(ac);

  237.     server.respec(STROBE_KEYED_128);

  238. }

  239. 

  240. static void spake2ee(

  241.     SpongeRng &clientRng,

  242.     SpongeRng &serverRng,

  243.     const Block &hashed_password,

  244.     bool aug

  245. ) {

  246.     Strobe client("example::spake2ee",Strobe::CLIENT), server("example::spake2ee",Strobe::SERVER);

  247.     

  248.     Scalar x(clientRng);

  249.     

  250.     SHAKE<256> shake;

  251.     shake.update(hashed_password);

  252.     SecureBuffer h0 = shake.output(Point::HASH_BYTES);

  253.     SecureBuffer h1 = shake.output(Point::HASH_BYTES);

  254.     SecureBuffer h2 = shake.output(Scalar::SER_BYTES);

  255.     Scalar gs(h2);

  256.     

  257.     Point hc = Point::from_hash(h0);

  258.     hc = Point::from_hash(h0); // double-count

  259.     Point hs = Point::from_hash(h1);

  260.     hs = Point::from_hash(h1); // double-count

  261.     

  262.     SecureBuffer gx((Precomputed::base() * x + hc).serialize());

  263.     client.send_plaintext(gx);

  264.     server.recv_plaintext(gx);

  265.     

  266.     Scalar y(serverRng);

  267.     SecureBuffer gy((Precomputed::base() * y + hs).serialize());

  268.     server.send_plaintext(gy);

  269.     client.recv_plaintext(gy);

  270.     

  271.     server.dh_key(h1);

  272.     server.dh_key((Point(gx) - hc)*y);

  273.     if(aug) {

  274.         /* This step isn't actually online but whatever, it's fastish */

  275.         SecureBuffer serverAug((Precomputed::base() * gs).serialize());

  276.         server.dh_key(Point(serverAug)*y);

  277.     }

  278.     SecureBuffer tag = server.produce_auth();

  279.     

  280.     client.dh_key(h1);

  281.     Point pgy(gy); pgy -= hs;

  282.     client.dh_key(pgy*x);

  283.     if (aug) client.dh_key(pgy * gs);

  284.     client.verify_auth(tag);    

  285.     tag = client.produce_auth();

  286.     client.respec(STROBE_KEYED_128);

  287.     /* A real protocol would continue with fork etc here... */

  288.     

  289.     server.verify_auth(tag);

  290.     server.respec(STROBE_KEYED_128);

  291. }

  292. 

  293. static void cfrg() {

  294.     SpongeRng rng(Block("bench_cfrg_crypto"),SpongeRng::DETERMINISTIC);

  295.     FixedArrayBuffer<Group::DhLadder::PUBLIC_BYTES> base(rng);

  296.     FixedArrayBuffer<Group::DhLadder::PRIVATE_BYTES> s1(rng);

  297.     for (Benchmark b("RFC 7748 keygen"); b.iter(); ) { Group::DhLadder::generate_key(s1); }

  298.     for (Benchmark b("RFC 7748 shared secret"); b.iter(); ) { Group::DhLadder::shared_secret(base,s1); }

  299. 

  300.     FixedArrayBuffer<EdDSA<Group>::PrivateKey::SER_BYTES> e1(rng);

  301.     typename EdDSA<Group>::PublicKey pub((NOINIT()));

  302.     typename EdDSA<Group>::PrivateKey priv((NOINIT()));

  303.     SecureBuffer sig;

  304.     for (Benchmark b("EdDSA keygen"); b.iter(); ) { priv = e1; }

  305.     for (Benchmark b("EdDSA sign"); b.iter(); ) { sig = priv.sign(Block(NULL,0)); }

  306.     pub = priv;

  307.     for (Benchmark b("EdDSA verify"); b.iter(); ) { pub.verify(sig,Block(NULL,0)); }

  308. }

  309. 

  310. static void macro() {

  311.     printf("\nMacro-benchmarks for %s:\n", Group::name());

  312.     printf("CFRG crypto benchmarks:\n");

  313.     cfrg();

  314.     

  315.     printf("\nSample crypto benchmarks:\n");

  316.     SpongeRng rng(Block("macro rng seed"),SpongeRng::DETERMINISTIC);

  317.     PrivateKey<Group> s1((NOINIT())), s2(rng);

  318.     PublicKey<Group> p1((NOINIT())), p2(s2);

  319. 

  320.     SecureBuffer message = rng.read(5), sig, ss;

  321. 

  322.     for (Benchmark b("Create private key",1); b.iter(); ) {

  323.         s1 = PrivateKey<Group>(rng);

  324.         SecureBuffer bb = s1.serialize();

  325.     }

  326.     

  327.     for (Benchmark b("Sign",1); b.iter(); ) {

  328.         sig = s1.sign(message);

  329.     }

  330.     

  331.     p1 = s1.pub();

  332.     for (Benchmark b("Verify",1); b.iter(); ) {

  333.         rng.read(Buffer(message));

  334.         try { p1.verify(message, sig); } catch (CryptoException) {}

  335.     }

  336.     

  337.     for (Benchmark b("SharedSecret",1); b.iter(); ) {

  338.         ss = s1.shared_secret(p2,32,true);

  339.     }

  340.     

  341.     printf("\nProtocol benchmarks:\n");

  342.     SpongeRng clientRng(Block("client rng seed"),SpongeRng::DETERMINISTIC);

  343.     SpongeRng serverRng(Block("server rng seed"),SpongeRng::DETERMINISTIC);

  344.     SecureBuffer hashedPassword(Block("hello world"));

  345.     for (Benchmark b("Spake2ee c+s",0.1); b.iter(); ) {

  346.         spake2ee(clientRng, serverRng, hashedPassword,false);

  347.     }

  348.     

  349.     for (Benchmark b("Spake2ee c+s aug",0.1); b.iter(); ) {

  350.         spake2ee(clientRng, serverRng, hashedPassword,true);

  351.     }

  352.     

  353.     Scalar x(clientRng);

  354.     SecureBuffer gx((Precomputed::base() * x).serialize());

  355.     Scalar y(serverRng);

  356.     SecureBuffer gy((Precomputed::base() * y).serialize());

  357.     

  358.     for (Benchmark b("FHMQV c+s",0.1); b.iter(); ) {

  359.         fhmqv(clientRng, serverRng,x,gx,y,gy);

  360.     }

  361.     

  362.     for (Benchmark b("TripleDH anon c+s",0.1); b.iter(); ) {

  363.         tdh(clientRng, serverRng, x,gx,y,gy);

  364.     }

  365. }

  366. 

  367. static void micro() {

  368.     SpongeRng rng(Block("per-curve-benchmarks"),SpongeRng::DETERMINISTIC);

  369.     Precomputed pBase;

  370.     Point p,q;

  371.     Scalar s(1),t(2);

  372.     SecureBuffer ep, ep2(Point::SER_BYTES*2);

  373.     

  374.     printf("\nMicro-benchmarks for %s:\n", Group::name());

  375.     for (Benchmark b("Scalar add", 1000); b.iter(); ) { s+=t; }

  376.     for (Benchmark b("Scalar times", 100); b.iter(); ) { s*=t; }

  377.     for (Benchmark b("Scalar inv", 1); b.iter(); ) { s.inverse(); }

  378.     for (Benchmark b("Point add", 100); b.iter(); ) { p += q; }

  379.     for (Benchmark b("Point double", 100); b.iter(); ) { p.double_in_place(); }

  380.     for (Benchmark b("Point scalarmul"); b.iter(); ) { p * s; }

  381.     for (Benchmark b("Point encode"); b.iter(); ) { ep = p.serialize(); }

  382.     for (Benchmark b("Point decode"); b.iter(); ) { p = Point(ep); }

  383.     for (Benchmark b("Point create/destroy"); b.iter(); ) { Point r; }

  384.     for (Benchmark b("Point hash nonuniform"); b.iter(); ) { Point::from_hash(ep); }

  385.     for (Benchmark b("Point hash uniform"); b.iter(); ) { Point::from_hash(ep2); }

  386.     for (Benchmark b("Point unhash nonuniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep,0)); }

  387.     for (Benchmark b("Point unhash uniform"); b.iter(); ) { ignore_result(p.invert_elligator(ep2,0)); }

  388.     for (Benchmark b("Point steg"); b.iter(); ) { p.steg_encode(rng); }

  389.     for (Benchmark b("Point double scalarmul"); b.iter(); ) { Point::double_scalarmul(p,s,q,t); }

  390.     for (Benchmark b("Point dual scalarmul"); b.iter(); ) { p.dual_scalarmul(p,q,s,t); }

  391.     for (Benchmark b("Point precmp scalarmul"); b.iter(); ) { pBase * s; }

  392.     for (Benchmark b("Point double scalarmul_v"); b.iter(); ) {

  393.         s = Scalar(rng);

  394.         t = Scalar(rng);

  395.         p.non_secret_combo_with_base(s,t);

  396.     }

  397. }

  398. 

  399. }; /* template <typename group> struct Benches */

  400. 

  401. template <typename Group> struct Macro { static void run() { Benches<Group>::macro(); } };

  402. template <typename Group> struct Micro { static void run() { Benches<Group>::micro(); } };

  403. 

  404. int main(int argc, char **argv) {

  405.     

  406.     bool micro = false;

  407.     if (argc >= 2 && !strcmp(argv[1], "--micro"))

  408.         micro = true;

  409. 

  410.     SpongeRng rng(Block("micro-benchmarks"),SpongeRng::DETERMINISTIC);

  411.     if (micro) {

  412.         printf("\nMicro-benchmarks:\n");

  413.         SHAKE<128> shake1;

  414.         SHAKE<256> shake2;

  415.         SHA3<512> sha5;

  416.         SHA512 sha2;

  417.         Strobe strobe("example::bench",Strobe::CLIENT);

  418.         unsigned char b1024[1024] = {1};

  419.         for (Benchmark b("SHAKE128 1kiB", 30); b.iter(); ) { shake1 += Buffer(b1024,1024); }

  420.         for (Benchmark b("SHAKE256 1kiB", 30); b.iter(); ) { shake2 += Buffer(b1024,1024); }

  421.         for (Benchmark b("SHA3-512 1kiB", 30); b.iter(); ) { sha5 += Buffer(b1024,1024); }

  422.         for (Benchmark b("SHA512 1kiB", 30); b.iter(); ) { sha2 += Buffer(b1024,1024); }

  423.         strobe.dh_key(Buffer(b1024,1024));

  424.         strobe.respec(STROBE_128);

  425.         for (Benchmark b("STROBE128 1kiB", 10); b.iter(); ) {

  426.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  427.         }

  428.         strobe.respec(STROBE_256);

  429.         for (Benchmark b("STROBE256 1kiB", 10); b.iter(); ) {

  430.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  431.         }

  432.         strobe.respec(STROBE_KEYED_128);

  433.         for (Benchmark b("STROBEk128 1kiB", 10); b.iter(); ) {

  434.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  435.         }

  436.         strobe.respec(STROBE_KEYED_256);

  437.         for (Benchmark b("STROBEk256 1kiB", 10); b.iter(); ) {

  438.             strobe.encrypt_no_auth(Buffer(b1024,1024),Buffer(b1024,1024));

  439.         }

  440.         

  441.         run_for_all_curves<Micro>();

  442.     }

  443.     

  444.     run_for_all_curves<Macro>();

  445.     

  446.     printf("\n");

  447.     Benchmark::calib();

  448.     printf("\n");

  449.     

  450.     return 0;

  451. }