DRAFT: Replace Field Arithmetic #1260

dderjoel wants to merge 4 commits into bitcoin-core:master from dderjoel:master changing 9 files +668 −747
  1. dderjoel commented at 2:43 am on April 5, 2023: none

    So in this PR, the C implementation is replaced by the Fiat Cryptography C implementation and the x86-64 implementation is replaced with CryptOpt optimized versions.

    I’ll report the performance results soon.

    1. (this PR) ./configure (default) should use the optimized x86-asm
    2. (this PR) ./configure --with-x86=no should use the Fiat-C version
    3. (2bca0a5cbf756dd4ff1f0bda4585a7d3c64e1480) ./configure
    4. (2bca0a5cbf756dd4ff1f0bda4585a7d3c64e1480) ./configure --with-x86=no

    Is that all we need? I then run ./bench_internal, reporting the field_{mul,sqr} rows as well as ./bench_ecmult reporting the ecmult_{gen,const,1p,0p_g} rows.

  2. Replace x86_64 field asm by CryptOpt output
    Co-authored-by: Tim Ruffing <crypto@timruffing.de>
    e2684293b1
  3. replace 5x52_asm 99962042d5
  4. add fiat-dettman C
    --with-asm=no on Intel i5-8265U (8) @ 3.900GHz
    
    Benchmark                     ,    Min(us)    ,    Avg(us)    ,    Max(us)
    
    scalar_add                    ,     0.00883   ,     0.00937   ,     0.0132
    scalar_negate                 ,     0.00338   ,     0.00341   ,     0.00357
    scalar_mul                    ,     0.0373    ,     0.0376    ,     0.0390
    scalar_split                  ,     0.169     ,     0.171     ,     0.183
    scalar_inverse                ,     1.74      ,     1.75      ,     1.76
    scalar_inverse_var            ,     1.24      ,     1.24      ,     1.26
    field_half                    ,     0.00281   ,     0.00284   ,     0.00294
    field_normalize               ,     0.00965   ,     0.00977   ,     0.0101
    field_normalize_weak          ,     0.00374   ,     0.00377   ,     0.00391
    field_sqr                     ,     0.0147    ,     0.0150    ,     0.0161
    field_mul                     ,     0.0192    ,     0.0195    ,     0.0209
    field_inverse                 ,     1.73      ,     1.73      ,     1.75
    field_inverse_var             ,     1.22      ,     1.24      ,     1.26
    field_is_square_var           ,     1.57      ,     1.58      ,     1.60
    field_sqrt                    ,     4.05      ,     4.10      ,     4.20
    group_double_var              ,     0.128     ,     0.129     ,     0.132
    group_add_var                 ,     0.307     ,     0.308     ,     0.312
    group_add_affine              ,     0.249     ,     0.252     ,     0.268
    group_add_affine_var          ,     0.223     ,     0.223     ,     0.227
    group_add_zinv_var            ,     0.244     ,     0.247     ,     0.254
    group_to_affine_var           ,     1.33      ,     1.33      ,     1.35
    wnaf_const                    ,     0.241     ,     0.246     ,     0.262
    ecmult_wnaf                   ,     0.538     ,     0.543     ,     0.554
    hash_sha256                   ,     0.275     ,     0.278     ,     0.292
    hash_hmac_sha256              ,     1.08      ,     1.09      ,     1.13
    hash_rfc6979_hmac_sha256      ,     5.96      ,     5.99      ,     6.17
    context_create                ,     0.576     ,     0.582     ,     0.601
    b0662a08ab
  5. Merge branch 'bitcoin-core:master' into master e740fee7d1
  6. sipa commented at 1:25 am on April 6, 2023: contributor
    FWIW I opened this issue https://github.com/mit-plv/fiat-crypto/issues/1582 about an optimization currently present in the libsecp256k1 field C code, which isn’t in the fiat-crypto output (nor in the libsecp256k1 current asm code).
  7. real-or-random commented at 5:38 am on April 6, 2023: contributor
    Let me close this here for now. I opened #1261 to track integration of fiat-crypto + CryptOpt. :)
  8. real-or-random marked this as a draft on Apr 6, 2023
  9. real-or-random closed this on Apr 6, 2023


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-01-23 22:15 UTC
