[openssl-dev] [openssl.org #3810] [PATCH] Improved P256 ECC performance by means of a dedicated function for modular inversion modulo the P256 group order
Andy Polyakov via RT
rt at openssl.org
Mon Dec 21 12:26:32 UTC 2015
Hi,
> This patch is a contribution to OpenSSL.
>
> It concerns the P256 ECC implementation.
>
> The patch improves upon our previous submission, by providing a dedicated function to perform modular inversion modulo the P256 group order.
>
> Results:
> The performance improvements, for single threaded applications, compared to the current (development) version of OpenSSL are as follows.
>
> (measured by "openssl speed" utility)
>
>
> On Architecture Codename Haswell:
> ECDSA sign: 1.28X
> ECDSA verify: 1.10X
>
> On Architecture Broadwell:
> ECDSA sign: 1.42X
> ECDSA verify: 1.18X
>
> We license the whole submission under BSD license.
>
> Developers and authors:
> ***************************************************************************
> Shay Gueron (1, 2), and Vlad Krasnov (3)
> (1) University of Haifa, Israel
> (2) Intel Corporation, Israel Development Center, Haifa, Israel
> (3) CloudFlare, Inc.
> ***************************************************************************
Attached is version refactored for updated layout. It's few percent
faster than original (for several small reasons, e.g. avoiding excessive
%rip-relative addressing because it doesn't fuse, optimizing
back-to-back value passing through registers in squaring) and probably
more readable (for example squaring uses $acc6 and $acc7). Then I've got
nervous around possibility of unaccounted carry and rearranged reduction
step in manner that precludes it. To be more specific here is fragment
of original reduction step:
mov 8*1+.Lord(%rip), $t4
mul $t0
add $t1, $acc1
adc \$0, $t3
add $t4, $acc1
mov $t0, $t1
adc $t3, $acc2
adc \$0, $t1
sub $t0, $acc2
sbb \$0, $t1
Concern was that if $t0 happens to be all-ones, then you risk
unaccounted carry in last adc above. Well, upon closer look concern
appears to be false, but as it's a bit counter-intuitive alternative is
provided anyway.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecp_nistz256_inv_ord.diff
Type: text/x-patch
Size: 38647 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151221/56ed6df4/attachment-0001.bin>
More information about the openssl-dev
mailing list