Wallet can now optionally use supercop ASM for x86-64

Default behavior is to use amd64-51-30k when targeting amd64 architecture. `-DWALLET_CRYPTO` can be used to optionally disable or enable amd64-51-30k or amd64-64-24. See `src/wallet/crypto/README.md` for more info.
monero-project · Aug 22, 2017 · 8f38b22 · 8f38b22
1 parent 674c7e7
commit 8f38b22
Show file tree

Hide file tree

Showing 21 changed files with 4,887 additions and 15 deletions.
diff --git a/src/cryptonote_basic/cryptonote_format_utils.cpp b/src/cryptonote_basic/cryptonote_format_utils.cpp
@@ -489,13 +489,6 @@ namespace cryptonote
     return pk == out_key.key;
   }
   //---------------------------------------------------------------
-  bool is_out_to_acc_precomp(const crypto::public_key& spend_public_key, const txout_to_key& out_key, const crypto::key_derivation& derivation, size_t output_index)
-  {
-    crypto::public_key pk;
-    derive_public_key(derivation, output_index, spend_public_key, pk);
-    return pk == out_key.key;
-  }
-  //---------------------------------------------------------------
   bool lookup_acc_outs(const account_keys& acc, const transaction& tx, std::vector<size_t>& outs, uint64_t& money_transfered)
   {
     crypto::public_key tx_pub_key = get_tx_pub_key_from_extra(tx);

diff --git a/src/cryptonote_basic/cryptonote_format_utils.h b/src/cryptonote_basic/cryptonote_format_utils.h
@@ -70,7 +70,6 @@ namespace cryptonote
   bool get_payment_id_from_tx_extra_nonce(const blobdata& extra_nonce, crypto::hash& payment_id);
   bool get_encrypted_payment_id_from_tx_extra_nonce(const blobdata& extra_nonce, crypto::hash8& payment_id);
   bool is_out_to_acc(const account_keys& acc, const txout_to_key& out_key, const crypto::public_key& tx_pub_key, size_t output_index);
-  bool is_out_to_acc_precomp(const crypto::public_key& spend_public_key, const txout_to_key& out_key, const crypto::key_derivation& derivation, size_t output_index);
   bool lookup_acc_outs(const account_keys& acc, const transaction& tx, const crypto::public_key& tx_pub_key, std::vector<size_t>& outs, uint64_t& money_transfered);
   bool lookup_acc_outs(const account_keys& acc, const transaction& tx, std::vector<size_t>& outs, uint64_t& money_transfered);
   bool get_tx_fee(const transaction& tx, uint64_t & fee);

diff --git a/src/wallet/CMakeLists.txt b/src/wallet/CMakeLists.txt
@@ -28,6 +28,8 @@
 
 # include (${PROJECT_SOURCE_DIR}/cmake/libutils.cmake)
 
+add_subdirectory(crypto)
+
 set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
 
 set(wallet_sources
@@ -83,6 +85,7 @@ target_link_libraries(wallet
     ${Boost_THREAD_LIBRARY}
     ${Boost_REGEX_LIBRARY}
   PRIVATE
+    wallet-crypto
     ${EXTRA_LIBRARIES})
 add_dependencies(wallet version)
 
@@ -143,3 +146,4 @@ if (BUILD_GUI_DEPS)
     install(FILES ${wallet_api_headers}
         DESTINATION include/wallet)
 endif()
+
diff --git a/src/wallet/api/wallet_manager.cpp b/src/wallet/api/wallet_manager.cpp
@@ -37,6 +37,7 @@
 #include "common/updates.h"
 #include "version.h"
 #include "net/http_client.h"
+#include "wallet/crypto/import.h"
 
 #include <boost/filesystem.hpp>
 #include <boost/regex.hpp>
@@ -256,7 +257,7 @@ bool WalletManagerImpl::checkPayment(const std::string &address_text, const std:
   }
 
   crypto::key_derivation derivation;
-  if (!crypto::generate_key_derivation(address.m_view_public_key, tx_key, derivation))
+  if (!tools::wallet_only::generate_key_derivation(address.m_view_public_key, tx_key, derivation))
   {
     error = tr("failed to generate key derivation from supplied parameters");
     return false;
@@ -270,7 +271,7 @@ bool WalletManagerImpl::checkPayment(const std::string &address_text, const std:
         continue;
       const cryptonote::txout_to_key tx_out_to_key = boost::get<cryptonote::txout_to_key>(tx.vout[n].target);
       crypto::public_key pubkey;
-      derive_public_key(derivation, n, address.m_spend_public_key, pubkey);
+      tools::wallet_only::derive_public_key(derivation, n, address.m_spend_public_key, pubkey);
       if (pubkey == tx_out_to_key.key)
       {
         uint64_t amount;
@@ -285,7 +286,7 @@ bool WalletManagerImpl::checkPayment(const std::string &address_text, const std:
             rct::key Ctmp;
             //rct::key amount_key = rct::hash_to_scalar(rct::scalarmultKey(rct::pk2rct(address.m_view_public_key), rct::sk2rct(tx_key)));
             crypto::key_derivation derivation;
-            bool r = crypto::generate_key_derivation(address.m_view_public_key, tx_key, derivation);
+            bool r = tools::wallet_only::generate_key_derivation(address.m_view_public_key, tx_key, derivation);
             if (!r)
             {
               LOG_ERROR("Failed to generate key derivation to decode rct output " << n);

diff --git a/src/wallet/crypto/CMakeLists.txt b/src/wallet/crypto/CMakeLists.txt
@@ -0,0 +1,30 @@
+
+set(WALLET_CRYPTO_CHOICES "none" "auto" "amd64-51-30k" "amd64-64-24k")
+set(WALLET_CRYPTO "auto" CACHE STRING "Select a wallet import performance mode")
+
+if (${WALLET_CRYPTO} STREQUAL "auto")
+  if (UNIX AND CMAKE_SYSTEM_PROCESSOR MATCHES "amd64.*|AMD64.*|x86_64.*")
+    message("Wallet import performance - using \"amd64-51-30k\"")
+    set(WALLET_CRYPTO "amd64-51-30k")
+  else ()
+    message("Wallet import performance disabled - no improvements for platform")
+    set(WALLET_CRYPTO "none")
+  endif ()
+endif ()
+
+list(FIND WALLET_CRYPTO_CHOICES ${WALLET_CRYPTO} CHOICE_FOUND)
+if (CHOICE_FOUND LESS 0)
+  message(FATAL_ERROR "Invalid WALLET_CRYPTO option ${WALLET_CRYPTO}")
+endif ()
+
+string(REPLACE "-" "_" WALLET_CRYPTO_NAMESPACE "${WALLET_CRYPTO}")
+if (NOT ${WALLET_CRYPTO} STREQUAL "none")
+  include("${CMAKE_CURRENT_SOURCE_DIR}/${WALLET_CRYPTO}.cmake")
+endif ()
+
+configure_file("${CMAKE_CURRENT_SOURCE_DIR}/import.h.in" "${CMAKE_CURRENT_SOURCE_DIR}/import.h")
+add_library(wallet-crypto INTERFACE)
+if (WALLET_CRYPTO_LIBS)
+  target_link_libraries(wallet-crypto INTERFACE ${WALLET_CRYPTO_LIBS})
+endif ()
+
diff --git a/src/wallet/crypto/README.md b/src/wallet/crypto/README.md
@@ -0,0 +1,52 @@
+# Monero Wallet Performance Crypto
+## Usage
+
+Monero wallet import performance is toggled with `-DWALLET_CRYPTO=`. The
+following options are valid strings for the option:
+  - *`none`* uses the standard default monero (ref10) implementation
+  - *`auto`* uses `amd64-51-30k` when targeting amd64, and `none` otherwise.
+    This is the default.
+  - *`amd64-51-30k`* uses amd64-51-30k code from supercop
+  - *`amd64-64-24k`* uses amd64-64-24k code from supercop
+
+##  How it Works
+
+CMake generates `src/wallet/crypto/import.h` based on user configuration. The
+header file always _aliases_ `generate_key_derivation` and `derive_public_key`
+in the `tools::wallet_only` namespace. So when the performance code is disabled,
+the default functions are called (via aliasing) for identical performance and
+behavior. If performance is enabled, it aliases the enabled function. This
+_could_ allow multiple performance implementations to be simultaneously
+compiled into the program (in fact it was designed this way). The original
+crypto functions are *never* modified.
+
+## Implementations
+### `amd64-51-30k`
+
+The code from supercop (`src/wallet/crypto/ed25519/amd64-51-30k`) is untouched
+with the exception that it is made position independent. Additionally, the
+following additions were "necessary":
+  - *`unpack_vartime`* - the supercop version automatically negates the x-pos.
+  - *`monero_scalarmult`* - the supercop version does not do strict ECDH - only
+    base multiplication and double (i.e. a*B + c*G).
+  - *`crypto_sign_ed25519_amd64_51_30k_batch_choose_tp`* - the default version
+    did not use `z` for space savings. This meant multiple inversions in the
+    pre-compuation stage OR a non-constant adaption of the double scalar code.
+    The first option was implemented - a modified ASM that "selects" the `z`
+    from the pre-computation stage so that only a single inversion is done at
+    the end and constant time behavior is maintained.
+
+### `amd64-64-24k`
+
+The code from supercop (`src/wallet/crypto/ed25519/amd64-64-24k`) is completely
+with the exception that is it made position independent. See
+(amd64-51-30 section)[#amd64-51-30k] for other changes made.
+
+## Future Directions
+### Scalar Multiplication
+
+It _might_ be faster to convert to the montgomery curve to use supercop
+scalarmult code for the ECDH step, but the performance could be tight since it
+has to convert back to edwards curve after completion. Lots of investigation is
+needed, because the conversion back is going to need y-point recovery (all of
+the code uses `X/Z` only for computing the ECDH).