github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/bench_ecmult.c (about) 1 /*********************************************************************** 2 * Copyright (c) 2017 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 #include <stdio.h> 7 #include <stdlib.h> 8 9 #include "secp256k1.c" 10 #include "../include/secp256k1.h" 11 12 #include "util.h" 13 #include "hash_impl.h" 14 #include "field_impl.h" 15 #include "group_impl.h" 16 #include "scalar_impl.h" 17 #include "ecmult_impl.h" 18 #include "bench.h" 19 20 #define POINTS 32768 21 22 static void help(char **argv) { 23 printf("Benchmark EC multiplication algorithms\n"); 24 printf("\n"); 25 printf("Usage: %s <help|pippenger_wnaf|strauss_wnaf|simple>\n", argv[0]); 26 printf("The output shows the number of multiplied and summed points right after the\n"); 27 printf("function name. The letter 'g' indicates that one of the points is the generator.\n"); 28 printf("The benchmarks are divided by the number of points.\n"); 29 printf("\n"); 30 printf("default (ecmult_multi): picks pippenger_wnaf or strauss_wnaf depending on the\n"); 31 printf(" batch size\n"); 32 printf("pippenger_wnaf: for all batch sizes\n"); 33 printf("strauss_wnaf: for all batch sizes\n"); 34 printf("simple: multiply and sum each point individually\n"); 35 } 36 37 typedef struct { 38 /* Setup once in advance */ 39 secp256k1_context* ctx; 40 secp256k1_scratch_space* scratch; 41 secp256k1_scalar* scalars; 42 secp256k1_ge* pubkeys; 43 secp256k1_gej* pubkeys_gej; 44 secp256k1_scalar* seckeys; 45 secp256k1_gej* expected_output; 46 secp256k1_ecmult_multi_func ecmult_multi; 47 48 /* Changes per benchmark */ 49 size_t count; 50 int includes_g; 51 52 /* Changes per benchmark iteration, used to pick different scalars and pubkeys 53 * in each run. */ 54 size_t offset1; 55 size_t offset2; 56 57 /* Benchmark output. */ 58 secp256k1_gej* output; 59 } bench_data; 60 61 /* Hashes x into [0, POINTS) twice and store the result in offset1 and offset2. */ 62 static void hash_into_offset(bench_data* data, size_t x) { 63 data->offset1 = (x * 0x537b7f6f + 0x8f66a481) % POINTS; 64 data->offset2 = (x * 0x7f6f537b + 0x6a1a8f49) % POINTS; 65 } 66 67 /* Check correctness of the benchmark by computing 68 * sum(outputs) ?= (sum(scalars_gen) + sum(seckeys)*sum(scalars))*G */ 69 static void bench_ecmult_teardown_helper(bench_data* data, size_t* seckey_offset, size_t* scalar_offset, size_t* scalar_gen_offset, int iters) { 70 int i; 71 secp256k1_gej sum_output, tmp; 72 secp256k1_scalar sum_scalars; 73 74 secp256k1_gej_set_infinity(&sum_output); 75 secp256k1_scalar_set_int(&sum_scalars, 0); 76 for (i = 0; i < iters; ++i) { 77 secp256k1_gej_add_var(&sum_output, &sum_output, &data->output[i], NULL); 78 if (scalar_gen_offset != NULL) { 79 secp256k1_scalar_add(&sum_scalars, &sum_scalars, &data->scalars[(*scalar_gen_offset+i) % POINTS]); 80 } 81 if (seckey_offset != NULL) { 82 secp256k1_scalar s = data->seckeys[(*seckey_offset+i) % POINTS]; 83 secp256k1_scalar_mul(&s, &s, &data->scalars[(*scalar_offset+i) % POINTS]); 84 secp256k1_scalar_add(&sum_scalars, &sum_scalars, &s); 85 } 86 } 87 secp256k1_ecmult_gen(&data->ctx->ecmult_gen_ctx, &tmp, &sum_scalars); 88 CHECK(secp256k1_gej_eq_var(&tmp, &sum_output)); 89 } 90 91 static void bench_ecmult_setup(void* arg) { 92 bench_data* data = (bench_data*)arg; 93 /* Re-randomize offset to ensure that we're using different scalars and 94 * group elements in each run. */ 95 hash_into_offset(data, data->offset1); 96 } 97 98 static void bench_ecmult_gen(void* arg, int iters) { 99 bench_data* data = (bench_data*)arg; 100 int i; 101 102 for (i = 0; i < iters; ++i) { 103 secp256k1_ecmult_gen(&data->ctx->ecmult_gen_ctx, &data->output[i], &data->scalars[(data->offset1+i) % POINTS]); 104 } 105 } 106 107 static void bench_ecmult_gen_teardown(void* arg, int iters) { 108 bench_data* data = (bench_data*)arg; 109 bench_ecmult_teardown_helper(data, NULL, NULL, &data->offset1, iters); 110 } 111 112 static void bench_ecmult_const(void* arg, int iters) { 113 bench_data* data = (bench_data*)arg; 114 int i; 115 116 for (i = 0; i < iters; ++i) { 117 secp256k1_ecmult_const(&data->output[i], &data->pubkeys[(data->offset1+i) % POINTS], &data->scalars[(data->offset2+i) % POINTS]); 118 } 119 } 120 121 static void bench_ecmult_const_teardown(void* arg, int iters) { 122 bench_data* data = (bench_data*)arg; 123 bench_ecmult_teardown_helper(data, &data->offset1, &data->offset2, NULL, iters); 124 } 125 126 static void bench_ecmult_1p(void* arg, int iters) { 127 bench_data* data = (bench_data*)arg; 128 int i; 129 130 for (i = 0; i < iters; ++i) { 131 secp256k1_ecmult(&data->output[i], &data->pubkeys_gej[(data->offset1+i) % POINTS], &data->scalars[(data->offset2+i) % POINTS], NULL); 132 } 133 } 134 135 static void bench_ecmult_1p_teardown(void* arg, int iters) { 136 bench_data* data = (bench_data*)arg; 137 bench_ecmult_teardown_helper(data, &data->offset1, &data->offset2, NULL, iters); 138 } 139 140 static void bench_ecmult_0p_g(void* arg, int iters) { 141 bench_data* data = (bench_data*)arg; 142 int i; 143 144 for (i = 0; i < iters; ++i) { 145 secp256k1_ecmult(&data->output[i], NULL, &secp256k1_scalar_zero, &data->scalars[(data->offset1+i) % POINTS]); 146 } 147 } 148 149 static void bench_ecmult_0p_g_teardown(void* arg, int iters) { 150 bench_data* data = (bench_data*)arg; 151 bench_ecmult_teardown_helper(data, NULL, NULL, &data->offset1, iters); 152 } 153 154 static void bench_ecmult_1p_g(void* arg, int iters) { 155 bench_data* data = (bench_data*)arg; 156 int i; 157 158 for (i = 0; i < iters/2; ++i) { 159 secp256k1_ecmult(&data->output[i], &data->pubkeys_gej[(data->offset1+i) % POINTS], &data->scalars[(data->offset2+i) % POINTS], &data->scalars[(data->offset1+i) % POINTS]); 160 } 161 } 162 163 static void bench_ecmult_1p_g_teardown(void* arg, int iters) { 164 bench_data* data = (bench_data*)arg; 165 bench_ecmult_teardown_helper(data, &data->offset1, &data->offset2, &data->offset1, iters/2); 166 } 167 168 static void run_ecmult_bench(bench_data* data, int iters) { 169 char str[32]; 170 sprintf(str, "ecmult_gen"); 171 run_benchmark(str, bench_ecmult_gen, bench_ecmult_setup, bench_ecmult_gen_teardown, data, 10, iters); 172 sprintf(str, "ecmult_const"); 173 run_benchmark(str, bench_ecmult_const, bench_ecmult_setup, bench_ecmult_const_teardown, data, 10, iters); 174 /* ecmult with non generator point */ 175 sprintf(str, "ecmult_1p"); 176 run_benchmark(str, bench_ecmult_1p, bench_ecmult_setup, bench_ecmult_1p_teardown, data, 10, iters); 177 /* ecmult with generator point */ 178 sprintf(str, "ecmult_0p_g"); 179 run_benchmark(str, bench_ecmult_0p_g, bench_ecmult_setup, bench_ecmult_0p_g_teardown, data, 10, iters); 180 /* ecmult with generator and non-generator point. The reported time is per point. */ 181 sprintf(str, "ecmult_1p_g"); 182 run_benchmark(str, bench_ecmult_1p_g, bench_ecmult_setup, bench_ecmult_1p_g_teardown, data, 10, 2*iters); 183 } 184 185 static int bench_ecmult_multi_callback(secp256k1_scalar* sc, secp256k1_ge* ge, size_t idx, void* arg) { 186 bench_data* data = (bench_data*)arg; 187 if (data->includes_g) ++idx; 188 if (idx == 0) { 189 *sc = data->scalars[data->offset1]; 190 *ge = secp256k1_ge_const_g; 191 } else { 192 *sc = data->scalars[(data->offset1 + idx) % POINTS]; 193 *ge = data->pubkeys[(data->offset2 + idx - 1) % POINTS]; 194 } 195 return 1; 196 } 197 198 static void bench_ecmult_multi(void* arg, int iters) { 199 bench_data* data = (bench_data*)arg; 200 201 int includes_g = data->includes_g; 202 int iter; 203 int count = data->count; 204 iters = iters / data->count; 205 206 for (iter = 0; iter < iters; ++iter) { 207 data->ecmult_multi(&data->ctx->error_callback, data->scratch, &data->output[iter], data->includes_g ? &data->scalars[data->offset1] : NULL, bench_ecmult_multi_callback, arg, count - includes_g); 208 data->offset1 = (data->offset1 + count) % POINTS; 209 data->offset2 = (data->offset2 + count - 1) % POINTS; 210 } 211 } 212 213 static void bench_ecmult_multi_setup(void* arg) { 214 bench_data* data = (bench_data*)arg; 215 hash_into_offset(data, data->count); 216 } 217 218 static void bench_ecmult_multi_teardown(void* arg, int iters) { 219 bench_data* data = (bench_data*)arg; 220 int iter; 221 iters = iters / data->count; 222 /* Verify the results in teardown, to avoid doing comparisons while benchmarking. */ 223 for (iter = 0; iter < iters; ++iter) { 224 secp256k1_gej tmp; 225 secp256k1_gej_add_var(&tmp, &data->output[iter], &data->expected_output[iter], NULL); 226 CHECK(secp256k1_gej_is_infinity(&tmp)); 227 } 228 } 229 230 static void generate_scalar(uint32_t num, secp256k1_scalar* scalar) { 231 secp256k1_sha256 sha256; 232 unsigned char c[10] = {'e', 'c', 'm', 'u', 'l', 't', 0, 0, 0, 0}; 233 unsigned char buf[32]; 234 int overflow = 0; 235 c[6] = num; 236 c[7] = num >> 8; 237 c[8] = num >> 16; 238 c[9] = num >> 24; 239 secp256k1_sha256_initialize(&sha256); 240 secp256k1_sha256_write(&sha256, c, sizeof(c)); 241 secp256k1_sha256_finalize(&sha256, buf); 242 secp256k1_scalar_set_b32(scalar, buf, &overflow); 243 CHECK(!overflow); 244 } 245 246 static void run_ecmult_multi_bench(bench_data* data, size_t count, int includes_g, int num_iters) { 247 char str[32]; 248 size_t iters = 1 + num_iters / count; 249 size_t iter; 250 251 data->count = count; 252 data->includes_g = includes_g; 253 254 /* Compute (the negation of) the expected results directly. */ 255 hash_into_offset(data, data->count); 256 for (iter = 0; iter < iters; ++iter) { 257 secp256k1_scalar tmp; 258 secp256k1_scalar total = data->scalars[(data->offset1++) % POINTS]; 259 size_t i = 0; 260 for (i = 0; i + 1 < count; ++i) { 261 secp256k1_scalar_mul(&tmp, &data->seckeys[(data->offset2++) % POINTS], &data->scalars[(data->offset1++) % POINTS]); 262 secp256k1_scalar_add(&total, &total, &tmp); 263 } 264 secp256k1_scalar_negate(&total, &total); 265 secp256k1_ecmult(&data->expected_output[iter], NULL, &secp256k1_scalar_zero, &total); 266 } 267 268 /* Run the benchmark. */ 269 if (includes_g) { 270 sprintf(str, "ecmult_multi_%ip_g", (int)count - 1); 271 } else { 272 sprintf(str, "ecmult_multi_%ip", (int)count); 273 } 274 run_benchmark(str, bench_ecmult_multi, bench_ecmult_multi_setup, bench_ecmult_multi_teardown, data, 10, count * iters); 275 } 276 277 int main(int argc, char **argv) { 278 bench_data data; 279 int i, p; 280 size_t scratch_size; 281 282 int iters = get_iters(10000); 283 284 data.ecmult_multi = secp256k1_ecmult_multi_var; 285 286 if (argc > 1) { 287 if(have_flag(argc, argv, "-h") 288 || have_flag(argc, argv, "--help") 289 || have_flag(argc, argv, "help")) { 290 help(argv); 291 return EXIT_SUCCESS; 292 } else if(have_flag(argc, argv, "pippenger_wnaf")) { 293 printf("Using pippenger_wnaf:\n"); 294 data.ecmult_multi = secp256k1_ecmult_pippenger_batch_single; 295 } else if(have_flag(argc, argv, "strauss_wnaf")) { 296 printf("Using strauss_wnaf:\n"); 297 data.ecmult_multi = secp256k1_ecmult_strauss_batch_single; 298 } else if(have_flag(argc, argv, "simple")) { 299 printf("Using simple algorithm:\n"); 300 } else { 301 fprintf(stderr, "%s: unrecognized argument '%s'.\n\n", argv[0], argv[1]); 302 help(argv); 303 return EXIT_FAILURE; 304 } 305 } 306 307 data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 308 scratch_size = secp256k1_strauss_scratch_size(POINTS) + STRAUSS_SCRATCH_OBJECTS*16; 309 if (!have_flag(argc, argv, "simple")) { 310 data.scratch = secp256k1_scratch_space_create(data.ctx, scratch_size); 311 } else { 312 data.scratch = NULL; 313 } 314 315 /* Allocate stuff */ 316 data.scalars = malloc(sizeof(secp256k1_scalar) * POINTS); 317 data.seckeys = malloc(sizeof(secp256k1_scalar) * POINTS); 318 data.pubkeys = malloc(sizeof(secp256k1_ge) * POINTS); 319 data.pubkeys_gej = malloc(sizeof(secp256k1_gej) * POINTS); 320 data.expected_output = malloc(sizeof(secp256k1_gej) * (iters + 1)); 321 data.output = malloc(sizeof(secp256k1_gej) * (iters + 1)); 322 323 /* Generate a set of scalars, and private/public keypairs. */ 324 secp256k1_gej_set_ge(&data.pubkeys_gej[0], &secp256k1_ge_const_g); 325 secp256k1_scalar_set_int(&data.seckeys[0], 1); 326 for (i = 0; i < POINTS; ++i) { 327 generate_scalar(i, &data.scalars[i]); 328 if (i) { 329 secp256k1_gej_double_var(&data.pubkeys_gej[i], &data.pubkeys_gej[i - 1], NULL); 330 secp256k1_scalar_add(&data.seckeys[i], &data.seckeys[i - 1], &data.seckeys[i - 1]); 331 } 332 } 333 secp256k1_ge_set_all_gej_var(data.pubkeys, data.pubkeys_gej, POINTS); 334 335 336 print_output_table_header_row(); 337 /* Initialize offset1 and offset2 */ 338 hash_into_offset(&data, 0); 339 run_ecmult_bench(&data, iters); 340 341 for (i = 1; i <= 8; ++i) { 342 run_ecmult_multi_bench(&data, i, 1, iters); 343 } 344 345 /* This is disabled with low count of iterations because the loop runs 77 times even with iters=1 346 * and the higher it goes the longer the computation takes(more points) 347 * So we don't run this benchmark with low iterations to prevent slow down */ 348 if (iters > 2) { 349 for (p = 0; p <= 11; ++p) { 350 for (i = 9; i <= 16; ++i) { 351 run_ecmult_multi_bench(&data, i << p, 1, iters); 352 } 353 } 354 } 355 356 if (data.scratch != NULL) { 357 secp256k1_scratch_space_destroy(data.ctx, data.scratch); 358 } 359 secp256k1_context_destroy(data.ctx); 360 free(data.scalars); 361 free(data.pubkeys); 362 free(data.pubkeys_gej); 363 free(data.seckeys); 364 free(data.output); 365 free(data.expected_output); 366 367 return EXIT_SUCCESS; 368 }