Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Benchmarking: k256 falls short to fiat-crypto and crypto-bigint #846

Closed
ycscaly opened this issue Apr 13, 2023 · 7 comments
Closed

Benchmarking: k256 falls short to fiat-crypto and crypto-bigint #846

ycscaly opened this issue Apr 13, 2023 · 7 comments

Comments

@ycscaly
Copy link
Contributor

ycscaly commented Apr 13, 2023

fiat-crypto synthesizes field arithmetic, so it's all specialized to the properties of a particular field modulus.

There is a formal verification versus performance tradeoff, yes. We opt for better performance because that seems to interest our users more than formal verification.

Hopefully in the future fiat-crypto will improve performance and add features like lazy normalization.

I ran some benchmarking, and was really surprised at the results. I published the code so you can see that I haven't made any mistakes.

But results are (full trace is found in the readme file of the repo):

  • fiat-crypto field arithmetic is faster (add: 3.6ns vs 5.2ns, mul: 22ns vs 28ns) than k256
  • crypto-bigint::Residue arithmetic faster (add: 3.8ns vs 5.2ns, mul: 27ns vs 28ns) than k256 (but slower than fiat-crypto

How can this be explained? perhaps there's some error on my side?

Originally posted by @ycscaly in RustCrypto/crypto-bigint#158 (comment)
@ycscaly ycscaly changed the title > fiat-crypto synthesizes field arithmetic, so it's all specialized to the properties of a particular field modulus. Benchmarking: k256 falls short to fiat-crypto and crypto-bigint Apr 13, 2023
@tarcieri
Copy link
Member

cc @fjarri

@tarcieri
Copy link
Member

I don't think a whole lot of work has been done on optimizing the scalar field in k256. If either of these are faster it might be worth considering switching.

@fjarri
Copy link
Contributor

fjarri commented Apr 13, 2023

I don't think it is entirely correct to compare Residue and k256::Scalar multiplication, because for Residue you have to factor in conversion/retrieval time. I expect Residue would be faster when you have to do a long series of calculations, but Scalar is optimized for one-off operations.

@tarcieri
Copy link
Member

Aah yes, Residue and fiat-crypto are both using Montgomery form internally, and there's a penalty to convert in and out of Montgomery form

@ycscaly
Copy link
Contributor Author

ycscaly commented Apr 13, 2023

Aah yes, Residue and fiat-crypto are both using Montgomery form internally, and there's a penalty to convert in and out of Montgomery form

Convert from which form to Montgomery form?
And where does that penalty take place? When would I need to switch back?

@tarcieri
Copy link
Member

tarcieri commented Apr 13, 2023
edited
Loading

The other form is "canonical form" and is a normal integer.

The fiat-crypto methods are named: fiat_*_from_montgomery, fiat_*_to_montgomery

@ycscaly
Copy link
Contributor Author

ycscaly commented Apr 13, 2023

Thanks. I didn't know about these different forms, would research more.

I'll update my benchmarking code and update this issue accordingly, after-which I assume it could be closed.

@ycscaly ycscaly closed this as completed Nov 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tarcieri @fjarri @ycscaly