blake and 256 bit advanced vector extensions
play

BLAKE and 256-bit advanced vector extensions Samuel Neves 1 - PowerPoint PPT Presentation

Sep 30, 2022 •581 likes •859 views

BLAKE and 256-bit advanced vector extensions Samuel Neves 1 Jean-Philippe Aumasson 2 1 University of Coimbra, Portugal 2 NAGRA, Switzerland The Third SHA-3 Candidate Conference 1 / 26 BLAKE Main bottleneck is the keyed permutation State:

  1. BLAKE and 256-bit advanced vector extensions Samuel Neves 1 Jean-Philippe Aumasson 2 1 University of Coimbra, Portugal 2 NAGRA, Switzerland The Third SHA-3 Candidate Conference 1 / 26

  2. BLAKE � Main bottleneck is the keyed permutation � State: 4 × 4 matrix of 32- or 64-bit words v 0 , . . . , v 15 G 0 ( v 0 , v 4 , v 8 , v 12 ) G 1 ( v 1 , v 5 , v 9 , v 13 ) G 2 ( v 2 , v 6 , v 10 , v 14 ) G 3 ( v 3 , v 7 , v 11 , v 15 ) G 4 ( v 0 , v 5 , v 10 , v 15 ) G 5 ( v 1 , v 6 , v 11 , v 12 ) G 6 ( v 2 , v 7 , v 8 , v 13 ) G 7 ( v 3 , v 4 , v 9 , v 14 ) � 14 (or 16) of these per compression � 4-way parallelism 2 / 26

  3. BLAKE BLAKE-256’s G i looks like this: � a ← a + b + ( m σ r [2 i ] ⊕ u σ r [2 i +1] ) d ← ( d ⊕ a ) » 16 c ← c + d b ← ( b ⊕ c ) » 12 a ← a + b + ( m σ r [2 i +1] ⊕ u σ r [2 i ] ) d ← ( d ⊕ a ) » 8 c ← c + d b ← ( b ⊕ c ) » 7 3 / 26

  4. BLAKE BLAKE-512’s G i looks like this: � a ← a + b + ( m σ r [2 i ] ⊕ u σ r [2 i +1] ) d ← ( d ⊕ a ) » 32 c ← c + d b ← ( b ⊕ c ) » 25 a ← a + b + ( m σ r [2 i +1] ⊕ u σ r [2 i ] ) d ← ( d ⊕ a ) » 16 c ← c + d b ← ( b ⊕ c ) » 11 4 / 26

  5. SIMD BLAKE Put v 0 , v 4 , v 8 , v 12 in SIMD register r0 � Put v 1 , v 5 , v 9 , v 13 in SIMD register r1 � . . . � Perform single G call over r0, r1, r2, r3 � Put v 4 , v 5 , v 10 , v 15 in SIMD register r0 � Put v 1 , v 6 , v 11 , v 12 in SIMD register r1 � . . . � Perform single G call over r0, r1, r2, r3 � 5 / 26

  6. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 6 / 26

  7. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 7 / 26

  8. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 8 / 26

  9. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 9 / 26

  10. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 10 / 26

  11. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 11 / 26

  12. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 12 / 26

  13. Timeline of SIMD BLAKE BLAKE-256 BLAKE-512 2008 sse2 2008 sse2 2009 ssse3 2009 ssse3 2010 sse41 2011 vect128 2011 vect128 2012 sse41, avx, xop 2012 avx, xop 13 / 26

  14. AVX and XOP AVX � � Sandy Bridge, 2011 � Extends 128-bit XMM to 256-bit YMM registers � Non-destructive operations � Floating-point only XOP � � Bulldozer, 2011 � Integer rotations � Advanced byte shuffles � Integer MAD 14 / 26

  15. AVX2 AVX2 � Haswell, 2013 � Extends AVX to the integers � Gather/Scatter instructions � More cross-lane instructions � Useful new instructions: � VPERMD � VPERMQ � VPGATHERDD � VPGATHERDQ � 15 / 26

  16. BLAKE-512 and AVX2 AVX2 enables same SIMD strategy as � BLAKE-256 VPSHUFD → VPERMQ � Multi-op permutations → VPGATHERDQ � 16 / 26

  17. BLAKE-512 and AVX2: message load Option 1: Copy BLAKE-256’s approach � Up to 12 instructions per message load � Some useful SSE4.1 instructions still not in � AVX2 Option 2: Use VPGATHERDQ � vpcmpeqq ymm14, ymm14, ymm14 ; set mask to 1111..11 vmovdqa xmm8, [ perm + 00] ; permutation indices vpgatherdq ymm4, [ rsp + 8*xmm8] , ymm14 ; permute from stack . . . vpxor ymm4, ymm4, [ const_z + 00] ; xor with constant 17 / 26

  18. BLAKE-512 and AVX2: G i vpaddq ymm0, ymm0, ymm4 ; a + ( m σ r [2 i ] ⊕ u σ r [2 i +1] ) vpaddq ymm0, ymm0, ymm1 ; a + b vpxor ymm3, ymm3, ymm0 ; d ⊕ a vpshufd ymm3, ymm3, 10110001b ; d » 32 vpaddq ymm2, ymm2, ymm3 ; c + d vpxor ymm1, ymm1, ymm2 ; b ⊕ c v p s l l q ymm8, ymm1, 64 − 25 ; v p sr l q ymm1, ymm1, 25 ; vpxor ymm1, ymm1, ymm8 ; b » 25 a + ( m σ r [2 i +1] ⊕ u σ r [2 i ] ) vpaddq ymm0, ymm0, ymm5 ; vpaddq ymm0, ymm0, ymm1 ; a + b vpxor ymm3, ymm3, ymm0 ; d ⊕ a vpshufb ymm3, ymm3, ymm15 ; d » 16 vpaddq ymm2, ymm2, ymm3 ; c + d vpxor ymm1, ymm1, ymm2 ; b ⊕ c vpsllq ymm8, ymm1, 64 − 11 ; vpsrlq ymm1, ymm1, 11 ; vpxor ymm1, ymm1, ymm8 ; b » 11 18 / 26

  19. BLAKE-512 and AVX2: performance Pessimistic assumptions � Message loading consumes 5 cycles � Single cycle operations, 3-cycle odd rotations � 6.63 cycles per byte � Optimistic � Message loading can be run fully in parallel � with G Single-cycle instructions, 3-cycle odd rotations � 4.00 cycles per byte � 19 / 26

  20. BLAKE-256 and AVX, XOP Non-destructive syntax greatly reduces µop � count AVX allows storing data in upper 128 bits of � YMM registers XOP adds native rotations(!) � VPPERM useful in message loads � 20 / 26

  21. BLAKE-256 and AVX2 Enables faster tree modes � Also useful for message loads in non-tree � mode vpcmpeqd ymm12, ymm12, ymm12 vmovdqa ymm8, [ perm + 00] vpgatherdd ymm4, [ymm8*4+ rsp ] , ymm12 vpcmpeqd ymm13, ymm13, ymm13 vmovdqa ymm9, [ perm + 32] vpgatherdd ymm6, [ymm9*4+ rsp ] , ymm13 vpxor ymm4, ymm4, [ const_z + 00] vpxor ymm6, ymm6, [ const_z + 32] 21 / 26

  22. BLAKE-256 and AVX2 Enables faster tree modes � Also useful for message loads in non-tree � mode vmovdqa ymm8, [ perm0 + 00] vmovdqa ymm9, [ perm0 + 32] vpermd ymm4, ymm8, ymm10 vpermd ymm5, ymm9, ymm11 vpblendd ymm4, ymm4, ymm5, 01111101b vmovdqa ymm8, [ perm0 + 64] vmovdqa ymm9, [ perm0 + 96] vpermd ymm6, ymm8, ymm10 vpermd ymm7, ymm9, ymm11 vpblendd ymm6, ymm6, ymm7, 00010100b vpxor ymm4, ymm4, [ const_z + 00] vpxor ymm6, ymm6, [ const_z + 32] 22 / 26

  23. BLAKE-256 and AVX2: performance Unlike BLAKE-512, marginal improvement � Two compression functions at nearly no � extra cost AVX and XOP have more direct effect � 23 / 26

  24. Message caching 10 distinct permutations � 14 (resp 16) rounds � Reuse permutations from r − 10 � Does not improve nor degrade performance � 24 / 26

  25. Results AVX � 7.62 cpb (Sandy Bridge) � AVX2 � We’ll only know in 2013 � Estimated to range from 4 to 6.63 cpb � 25 / 26

  26. Updated numbers ( 20120310 ) blake256 � mangetsu : 7.49 cpb � hydra6 : 11.83 cpb � blake512 � mangetsu : 5.64 cpb � hydra6 : 6.88 cpb � Compare to elroy (20110106) � blake256: 8.25 cpb � blake512: 7.93 cpb � 26 / 26

Recommend

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break Session B: Vector Flag Processing & Vector Register Files Lunch Session C: Virtual Processor Caches Break Session D: Vector IRAM Vector

498 views • 22 slides
Canonical extensions of archimedean vector lattices with strong order unit Guram Bezhanishvili

Canonical extensions of archimedean vector lattices with strong order unit Guram Bezhanishvili

Canonical extensions of archimedean vector lattices with strong order unit Guram Bezhanishvili Patrick Morandi Bruce Olberding New Mexico State University, Las Cruces, New Mexico, USA TACL 26-30 June 2017 Canonical Extensions 1/26

1.18k views • 53 slides
Speeding Up Quantifjed Bit-Vector SMT Solvers by Bit-Width Reductions and Extensions Martin

Speeding Up Quantifjed Bit-Vector SMT Solvers by Bit-Width Reductions and Extensions Martin

Speeding Up Quantifjed Bit-Vector SMT Solvers by Bit-Width Reductions and Extensions Martin Jon , Jan Strejek Fondazione Bruno Kessler, Italy Faculty of Informatics, Masaryk University, Czech Republic In many software verifjcation

626 views • 36 slides
Affine Extensions of Integer Vector Addition Systems with States Michael Blondin 1 , Christoph

Affine Extensions of Integer Vector Addition Systems with States Michael Blondin 1 , Christoph

Affine Extensions of Integer Vector Addition Systems with States Michael Blondin 1 , Christoph Haase 2 and Filip Mazowiecki 3 1 Technische Universit at M unchen 2 University of Oxford 3 Universit e de Bordeaux Infinity 2018 Affine

1.18k views • 94 slides
Vector Extensions for Decision Support DBMS Acceleration Timothy Hayes, Oscar Palomar, Osman

Vector Extensions for Decision Support DBMS Acceleration Timothy Hayes, Oscar Palomar, Osman

Vector Extensions for Decision Support DBMS Acceleration Timothy Hayes, Oscar Palomar, Osman Unsal, Adrian Cristal & Mateo Valero Barcelona Supercomputing Center Presented by Timothy Hayes timothy.hayes@bsc.es Introduction Databases

390 views • 22 slides
Data-Level Parallelism Vector, SIMD, GPU 1 MO401 Tpicos IC-UNICAMP Vector

Data-Level Parallelism Vector, SIMD, GPU 1 MO401 Tpicos IC-UNICAMP Vector

MO401 IC-UNICAMP IC/Unicamp Prof Mario Crtes Captulo 4 Data-Level Parallelism Vector, SIMD, GPU 1 MO401 Tpicos IC-UNICAMP Vector architectures SIMD ISA extensions for multimedia GPU Detecting and enhancing loop level

1.07k views • 81 slides
ADVANCED MACHINE LEARNING Non-linear regression techniques (SVR and extensions, GPR, Gradient

ADVANCED MACHINE LEARNING Non-linear regression techniques (SVR and extensions, GPR, Gradient

ADVANCED MACHINE LEARNING ADVANCED MACHINE LEARNING Non-linear regression techniques (SVR and extensions, GPR, Gradient Boosting) 1 1 ADVANCED MACHINE LEARNING Regression: Principle N Map N-dim. input to a continuous

906 views • 89 slides
Modelling Dependent Credit Risks Advanced Mathematical Methods for Finance with Extensions of

Modelling Dependent Credit Risks Advanced Mathematical Methods for Finance with Extensions of

Workshop and Mid-Term Conference on Modelling Dependent Credit Risks Advanced Mathematical Methods for Finance with Extensions of CreditRisk + (Mid-Term AMaMeF Meeting 2007) and Application to Operational Risk September 1823, 2007, Vienna,

361 views • 21 slides
NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

Alternative Model:Vector Processing EECS 252 Graduate Computer Vector processors have high-level operations that work on linear arrays of numbers: "vectors" Architecture SCALAR VECTOR (1 operation) (N operations) Lec 10

327 views • 10 slides
CS654 Advanced Computer Architecture Lec 12 Vector Wrap-up and Multiprocessor Introduction

CS654 Advanced Computer Architecture Lec 12 Vector Wrap-up and Multiprocessor Introduction

CS654 Advanced Computer Architecture Lec 12 Vector Wrap-up and Multiprocessor Introduction Peter Kemper Adapted from the slides of EECS 252 by Prof. David Patterson Electrical Engineering and Computer Sciences University of California,

988 views • 71 slides
Preparation Interrogating African American Rene Blake, renee.blake@nyu.edu New York

Preparation Interrogating African American Rene Blake, renee.blake@nyu.edu New York

Coding for Sociolinguistic Archive Preparation Interrogating African American Rene Blake, renee.blake@nyu.edu New York University LSA 2012 Portland, Oregon Wednesday, January 4, 2012 Social and linguistic heterogeneity of the

328 views • 16 slides
Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector , written 0 D or just 0 v + 0 = v Vector addition: Vector addition is associative and commutative I Associativity ( x + y ) + z = x + ( y + z ) I

476 views • 36 slides
Support Vector Machines (I): Overview and Linear SVM LING 572 Advanced Statistical Techniques

Support Vector Machines (I): Overview and Linear SVM LING 572 Advanced Statistical Techniques

Support Vector Machines (I): Overview and Linear SVM LING 572 Advanced Statistical Techniques for NLP February 13 2020 1 Why another learning method? Based on some beautifully simple ideas (Schlkopf, 1998) Maximum margin

891 views • 64 slides
ECON 950 Winter 2020 Prof. James MacKinnon 12. Support Vector Machines These notes are based

ECON 950 Winter 2020 Prof. James MacKinnon 12. Support Vector Machines These notes are based

ECON 950 Winter 2020 Prof. James MacKinnon 12. Support Vector Machines These notes are based on Chapter 9 of ISLR. Support vector machines are a popular method for classification problems where there are two classes. There are extensions

499 views • 16 slides
Lecture 1.1: Vector spaces Matthew Macauley Department of Mathematical Sciences Clemson

Lecture 1.1: Vector spaces Matthew Macauley Department of Mathematical Sciences Clemson

Lecture 1.1: Vector spaces Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4340, Advanced Engineering Mathematics M. Macauley (Clemson) Lecture 1.1: Vector spaces Advanced

225 views • 6 slides
Matrix Arithmetic (Multidimensional Math) Shaina Race, PhD Institute for Advanced Analytics.

Matrix Arithmetic (Multidimensional Math) Shaina Race, PhD Institute for Advanced Analytics.

Matrix Arithmetic (Multidimensional Math) Shaina Race, PhD Institute for Advanced Analytics. Element-wise Operations T ABLE OF C ONTENTS Linear Combinations of Matrices and Vectors. Vector Multiplication Inner products and Matrix-Vector

1.19k views • 78 slides
Support Vector Machines (II): Non-linear SVMs LING 572 Advanced Statistical Methods for NLP

Support Vector Machines (II): Non-linear SVMs LING 572 Advanced Statistical Methods for NLP

Support Vector Machines (II): Non-linear SVMs LING 572 Advanced Statistical Methods for NLP February 18, 2020 1 Based on F. Xia 18 Outline Linear SVM Maximizing the margin Soft margin Nonlinear SVM Kernel

460 views • 30 slides
Blake F. Richetta Senior Vice President, sonnen Inc. Blake.R@sonnen-batterie.com Why Energy

Blake F. Richetta Senior Vice President, sonnen Inc. Blake.R@sonnen-batterie.com Why Energy

1 The Leader in Grid Tied Residential Energy Storage Blake F. Richetta Senior Vice President, sonnen Inc. Blake.R@sonnen-batterie.com Why Energy Storage? #1. Solve a Problem: The inherent challenge presented to the power grid, as a result of

765 views • 23 slides
Product Ads Sitelink Extensions xo group; Jam & Toast, Feb 2012 1 xo group; Jam &

Product Ads Sitelink Extensions xo group; Jam & Toast, Feb 2012 1 xo group; Jam &

Sitelink Extensions Product Ads Location Extensions Call Extensions Product Ads Sitelink Extensions xo group; Jam & Toast, Feb 2012 1 xo group; Jam & Toast, Feb 2012. PRNewswire.com, The Knot 2014 Real Weddings Study, March 2015.

629 views • 51 slides
Lecture 14 The C++ Memory model Implementing synchronization SSE vector processing (SIMD

Lecture 14 The C++ Memory model Implementing synchronization SSE vector processing (SIMD

Lecture 14 The C++ Memory model Implementing synchronization SSE vector processing (SIMD Multimedia Extensions) Announcements No section this Friday 2 Scott B. Baden / CSE 160 / Wi '16 Todays lecture C++ memory modelcontinued

696 views • 35 slides
B = Y Z Z Z where y z 1 1 y z

B = Y Z Z Z where y z 1 1 y z

ARMAX Models Vector (multivariate) regression: output vector y t, 1 y t, 2 y t = . . . y t,k input vector z t, 1 z t, 2 z t = . . .

419 views • 12 slides
Superposition: Extensions Extensions and improvements: simplification techniques, selection

Superposition: Extensions Extensions and improvements: simplification techniques, selection

Superposition: Extensions Extensions and improvements: simplification techniques, selection functions (when, what), redundancy for inferences, constraint reasoning, decidable first-order fragments. 554 Theory Reasoning Superposition vs.

278 views • 17 slides
Advanced Algorithms (IV) Chihao Zhang Shanghai Jiao Tong University Mar. 18, 2019 Advanced

Advanced Algorithms (IV) Chihao Zhang Shanghai Jiao Tong University Mar. 18, 2019 Advanced

Advanced Algorithms (IV) Chihao Zhang Shanghai Jiao Tong University Mar. 18, 2019 Advanced Algorithms (IV) 1/11 Review n u v E w T u w v s.t. w u u max V w T u w u u V Advanced Algorithms (IV) e Vector Program MaxCut Integer

606 views • 39 slides
NOW Handout Page 1 1 Vector Programming Model Scalar Registers Vector Registers r15 v15 #

NOW Handout Page 1 1 Vector Programming Model Scalar Registers Vector Registers r15 v15 #

Definition of a supercomputer: Fastest machine in world at given task A device to turn a compute-bound problem into an I/O bound problem Any machine costing $30M+ Any machine designed by Seymour Cray COSC 5351 Advanced Computer

510 views • 10 slides

More recommend