Intel ECC Optimizations #803

issue ddustin opened this issue on August 23, 2020

ddustin commented at 8:22 PM on August 23, 2020: none
Would implementing the Intel ECC optimizations using the PCLMULQDQ instruction make sense for libsecp256k1?

According to this document, the speed boost can be "up to 600x": https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/polynomial-multiplication-instructions-paper.pdf

Searching around Github I found an example that potentially could be used as a reference: https://github.com/wqweto/VbAsyncSocket/blob/4b7f4d8bc650688e2b6ad5460c997ed1df26d2e0/lib/thunks/gf128.c#L116-L165
1. Is using HW accelerated ECC safe?
2. Would it be worth doing?
Apologies if this has already been discussed and I missed it.
gmaxwell commented at 8:44 PM on August 23, 2020: contributor

PCLMULQDQ is not applicable to curves on a prime field, only ones on characteristic-2 fields (which I would avoid for cryptographic applications due to their worse security story, they also aren't widely used outside of some weird smartcard applications because of the history of aggressive patenting and enforcement).

So entirely not applicable here.

We do, however, use clmul in minisketch ( https://github.com/sipa/minisketch/ ), which uses a binary field.
gmaxwell commented at 8:45 AM on August 24, 2020: contributor

If you're interested in optimizations from more recent instructions, intel ADX instructions would be applicable. ( https://en.wikipedia.org/wiki/Intel_ADX ).
gmaxwell commented at 9:25 AM on August 26, 2020: contributor

I'm guessing this issue can be closed.
jonasnick closed this on Aug 26, 2020

Contributors

ddustin

gmaxwell