using vector instructions
play

Using Vector Instructions Joppe W. Bos, Peter L. Montgomery, Daniel - PowerPoint PPT Presentation

Sep 30, 2023 β€’437 likes β€’649 views

Montgomery Multiplication Using Vector Instructions Joppe W. Bos, Peter L. Montgomery, Daniel Shumow, and Gregory M. Zaverucha SAC 2013 Motivation E.g. ECDSA, ECDH E.g. DH, ( ) Point DSA, RSA arithmetic or

  1. Montgomery Multiplication Using Vector Instructions Joppe W. Bos, Peter L. Montgomery, Daniel Shumow, and Gregory M. Zaverucha SAC 2013

  2. Motivation E.g. ECDSA, ECDH E.g. DH, 𝐹(𝐆 π‘ž ) Point DSA, RSA arithmetic 𝐆 π‘ž or 𝐚/π‘πš Montgomery Multiplication

  3. Motivation E.g. ECDSA, ECDH E.g. DH, 𝐹(𝐆 π‘ž ) Point DSA, RSA arithmetic 𝐆 π‘ž or 𝐚/π‘πš ECC often use primes of a Useful for special form: pairings NIST curves, Montgomery curve25519 Multiplication

  4. Modular Multiplication Compute 𝐷 = 𝐡 Γ— 𝐢 (mod 𝑁) 𝑆 = 𝐡 Γ— 𝐢 write 𝑆 = π‘Ÿ Γ— 𝑁 + 𝐷 such that 0 ≀ 𝐷 < 𝑁 Cost: One multiplication + one division with remainder

  5. Modular Multiplication Compute 𝐷 = 𝐡 Γ— 𝐢 (mod 𝑁) 𝑆 = 𝐡 Γ— 𝐢 write 𝑆 = π‘Ÿ Γ— 𝑁 + 𝐷 such that 0 ≀ 𝐷 < 𝑁 Cost: One multiplication + one division with remainder Montgomery (Math. Comp. 1985) observed that we can avoid the expensive division when M is odd 𝐡 2 if 𝐡 is even 𝐡 2 mod 𝑁 = 𝐡+𝑁 if 𝐡 is odd 2 A Γ— βˆ’π‘ βˆ’1 mod 2 32 ≑ 0 mod 2 32 , A + M Γ— precompute 𝜈 = βˆ’π‘ βˆ’1 mod 2 32

  6. Interleaved Montgomery Multiplication π‘œβˆ’1 𝑏 𝑗 , 𝐢 , 𝑁 , 𝜈 = βˆ’π‘ βˆ’1 mod 2 32 Input: 𝐡 = 𝑗=0 Output: 𝐷 = 𝐡𝐢2 βˆ’32π‘œ mod 𝑁 𝐷 = 0 for 𝑗 = 0 to π‘œ βˆ’ 1 do 𝐷 = 𝐷 + 𝑏 𝑗 𝐢 ( 1 Γ— π‘œ) limbs π‘Ÿ = 𝜈𝐷 mod 2 32 ( 1 Γ— 1) limb 𝐷 = (𝐷 + π‘Ÿπ‘)/ 2 32 ( 1 Γ— π‘œ) limbs If 𝐷 β‰₯ 𝑁 then 𝐷 = 𝐷 βˆ’ 𝑁

  7. Interleaved Montgomery Multiplication π‘œβˆ’1 𝑏 𝑗 , 𝐢 , 𝑁 , 𝜈 = βˆ’π‘ βˆ’1 mod 2 32 Input: 𝐡 = 𝑗=0 Output: 𝐷 = 𝐡𝐢2 βˆ’32π‘œ mod 𝑁 𝐷 = 0 2 Γ— (1 Γ— 1) limb for 𝑗 = 0 to π‘œ βˆ’ 1 do 𝐷 = 𝐷 + 𝑏 𝑗 𝐢 ( 1 Γ— π‘œ) limbs π‘Ÿ = (𝑑 0 + 𝑏 𝑗 𝑐 0 )𝜈 mod 2 32 π‘Ÿ = 𝜈𝐷 mod 2 32 ( 1 Γ— 1) limb 𝐷 = (𝐷 + 𝑏 𝑗 𝐢 + π‘Ÿπ‘)/ 2 32 𝐷 = (𝐷 + π‘Ÿπ‘)/ 2 32 ( 1 Γ— π‘œ) limbs If 𝐷 β‰₯ 𝑁 then 𝐷 = 𝐷 βˆ’ 𝑁 At the cost of one extra ( 1 Γ— 1) limb 2 Γ— (1 Γ— π‘œ) limbs multiplication the two ( 1 Γ— π‘œ) limbs multiplications become independent.

  8. Interleaved Montgomery Multiplication π‰πžπŸπ› π‘œβˆ’1 𝑏 𝑗 , 𝐢 , 𝑁 , 𝜈 = βˆ’π‘ βˆ’1 mod 2 32 Flip the sign of 𝜈 : 𝜈 = +𝑁 βˆ’1 mod 2 32 Input: 𝐡 = 𝑗=0 Output: 𝐷 = 𝐡𝐢2 βˆ’32π‘œ mod 𝑁 𝐷 = 0 2 Γ— (1 Γ— 1) limb for 𝑗 = 0 to π‘œ βˆ’ 1 do 𝐷 = 𝐷 + 𝑏 𝑗 𝐢 ( 1 Γ— π‘œ) limbs π‘Ÿ = (𝑑 0 + 𝑏 𝑗 𝑐 0 )𝜈 mod 2 32 π‘Ÿ = 𝜈𝐷 mod 2 32 ( 1 Γ— 1) limb 𝐷 = (𝐷 + 𝑏 𝑗 𝐢 + π‘Ÿπ‘)/ 2 32 𝐷 = (𝐷 + π‘Ÿπ‘)/ 2 32 ( 1 Γ— π‘œ) limbs If 𝐷 β‰₯ 𝑁 then 𝐷 = 𝐷 βˆ’ 𝑁 At the cost of one extra ( 1 Γ— 1) limb 2 Γ— (1 Γ— π‘œ) limbs multiplication the two ( 1 Γ— π‘œ) limbs multiplications become independent.

  9. 2-way SIMD Interleaved Montgomery Multiplication

  10. 2-way SIMD Interleaved Montgomery Multiplication Non-SIMD part 𝑒 𝑗 2 32𝑗 βˆ’ 𝑓 𝑗 2 32𝑗 𝐷 = 𝑗 𝑗 mod 2 32 π‘Ÿ = πœˆπ‘ 0 𝑏 π‘˜ + 𝜈 𝑒 0 βˆ’ 𝑓 0 πœˆπ‘ 0 𝑏 π‘˜ + πœˆπ‘‘ 0 mod 2 32 = = (𝑑 0 + 𝑏 π‘˜ 𝑐 0 )𝜈 mod 2 32

  11. Expected Performance Speedup Sequential Montgomery Multiplication Long Muls: 2π‘œ 2 Short Muls: π‘œ 2-way SIMD Montgomery Multiplication Long Muls: π‘œ 2 Short Muls: 2π‘œ

  12. Expected Performance Speedup Sequential Montgomery Multiplication Long Muls: 2π‘œ 2 Short Muls: π‘œ 2-way SIMD Montgomery Multiplication Long Muls: π‘œ 2 Short Muls: 2π‘œ Based on #multiplications only we expect: β€’ 32-bit 2-way SIMD to be at most 2x as fast as 32-bit sequential β€’ 32-bit 2-way SIMD to be approximately 2x as slow as 64-bit sequential

  14. Performance Results – x86 Intel Xeon E31230 (3.2 GHz) - PC Intel Atom Z2760 (1.8 GHz) - Tablet RSA Classic SIMD Ratio Classic SIMD Ratio enc 2048 181,412 414,787 0.44 2,583,643 1,601,878 1.61 dec 2048 4,928,633 12,211,700 0.40 80,204,317 52,000,367 1.54

  15. Performance Results - ARM Dell XPS 10 tablet (1.8 GHz) NVIDIA Tegra 4 (1.9 GHz) NVIDIA Tegra 3 T30 (1.4 GHz) Snapdragon S4 (dev board, Cortex-A15) (dev board, Cortex-A9) RSA Classic SIMD Ratio Classic SIMD Ratio Classic SIMD Ratio enc 1,087,318 710,910 1.53 725,336 712,542 1.02 872,468 1,358,955 0.64 2048 dec 34,769,147 21,478,047 1.62 23,177,617 22,812,040 1.02 27,547,434 47,205,919 0.58 2048

  16. Performance Results Compare to results from: eBACS: ECRYPT Benchmarking of Cryptographic Systems and OpenSSL Snapdragon S4 (1.8 GHz) vs Intel Atom Z2760 (1.8 GHz) Snapdragon S3 (1.78 GHz) - Tablet RSA Classic OpenSSL Classic OpenSSL enc 2048 1,087,318 609,593 2,583,643 2,323,800 dec 2048 34,769,147 39,746,105 80,204,317 75,871,800

  17. Can we do (asymptotically) better? What about faster multiplication methods (Karatsuba)? β€’ Incompatible with interleaved Montgomery multiplication β€’ Possible gain ([A]) on 32-bit platform for 1024-bit Montgomery multiplication Following the analysis from [A] (one level Karatsuba) for 32-bit platforms Sequential Karatsuba montmul Sequential Karatsuba reduces muls by 1.14x versus Sequential Karatsuba reduces adds by 1.18x Sequential interleaved montmul Sequential Karatsuba montmul SIMD interleaved reduces muls by 1.70x versus SIMD interleaved reduces adds by 1.67x SIMD interleaved montmul [A] J. GroßschΓ€dl, R. M. Avanzi, E. Savas, and S. Tillich. Energy-efficient software implementation of long integer modular arithmetic. CHES 2005

  18. Can we do (asymptotically) better? What about SIMD Karatsuba montmul versus SIMD interleaved montmul? β€’ SIMD Karatsuba, but how to GMP SIMD GMP SIMD calculate SIMD reduction? RSA-2048 enc RSA-2048 enc RSA-2048 dec RSA-2048 dec β€’ This approach is used in GMP Atom Z2760 2,184,436 1,601,878 37,070,875 52,000,367 β€’ GMP is not a crypto lib Intel Xeon E3-1230 695,861 414,787 11,929,868 12,211,700 (32-bit mode)

  19. Can we do (asymptotically) better? What about SIMD Karatsuba montmul versus SIMD interleaved montmul? β€’ SIMD Karatsuba, but how to GMP SIMD GMP SIMD calculate SIMD reduction? RSA-2048 enc RSA-2048 enc RSA-2048 dec RSA-2048 dec β€’ This approach is used in GMP Atom Z2760 2,184,436 1,601,878 37,070,875 52,000,367 β€’ GMP is not a crypto lib Intel Xeon E3-1230 695,861 414,787 11,929,868 12,211,700 (32-bit mode) Modular Squaring Modular Squaring β€’ Time(Montgomery squaring) β‰ˆ 0.80 Γ— Time(Montgomery Multiplication) [A] β€’ SIMD Montgomery squaring? β€’ We didn’t use this optimization [A] J. GroßschΓ€dl, R. M. Avanzi, E. Savas, and S. Tillich. Energy-efficient software implementation of long integer modular arithmetic. CHES 2005

  20. Conclusions οƒΌ Current vector instructions can be used to enhance the performance of Montgomery multiplication on modern embedded devices Examples: 32-bit x86 (SSE) and ARM (NEON) platforms οƒΌ Faster RSA-2048 on some tablets: performance on ARM differs significantly οƒΌ If future instruction set(s) support 64 Γ— 64 β†’ 128 -bit 2-way SIMD multipliers: enhance interleaved Montgomery multiplication performance Future work  Investigate SIMD Karatsuba + SIMD (?) Montgomery reduction  Investigate SIMD Montgomery squaring

Recommend

Software Vector Chaining M. Anton Ertl TU Wien Data Parallelism and SIMD instructions Data

Software Vector Chaining M. Anton Ertl TU Wien Data Parallelism and SIMD instructions Data

Software Vector Chaining M. Anton Ertl TU Wien Data Parallelism and SIMD instructions Data parallelism in programming problems Hardware provides SIMD instructions Cray-1 vector instructions, Intel/AMD SSE/AVX, ARM Neon/SVE vmulpd %ymm2,

377 views β€’ 10 slides
Optimizing multiplications with vector instructions Chitchanok Chuengsatiansup INRIA and ENS de

Optimizing multiplications with vector instructions Chitchanok Chuengsatiansup INRIA and ENS de

Optimizing multiplications with vector instructions Chitchanok Chuengsatiansup INRIA and ENS de Lyon 4 June 2018 Chitchanok Chuengsatiansup Optimizing multiplications with vector instructions 1 Introduction Current position: Postdoc (INRIA

1.32k views β€’ 82 slides
NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

Alternative Model:Vector Processing EECS 252 Graduate Computer Vector processors have high-level operations that work on linear arrays of numbers: &quot;vectors&quot; Architecture SCALAR VECTOR (1 operation) (N operations) Lec 10

327 views β€’ 10 slides
Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector , written 0 D or just 0 v + 0 = v Vector addition: Vector addition is associative and commutative I Associativity ( x + y ) + z = x + ( y + z ) I

476 views β€’ 36 slides
Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break Session B: Vector Flag Processing &amp; Vector Register Files Lunch Session C: Virtual Processor Caches Break Session D: Vector IRAM Vector

498 views β€’ 22 slides
Outline 2.1 Assembly language program structure 2.2 Data transfer instructions 2.3 Arithmetic

Outline 2.1 Assembly language program structure 2.2 Data transfer instructions 2.3 Arithmetic

Outline 2.1 Assembly language program structure 2.2 Data transfer instructions 2.3 Arithmetic instructions 2.4 Branch and loop instructions 2.5 Shift and rotate instructions 2.6 Boolean logic instructions 2.7 Bit test and manipulate

337 views β€’ 23 slides
B = Y Z Z Z where y z 1 1 y z

B = Y Z Z Z where y z 1 1 y z

ARMAX Models Vector (multivariate) regression: output vector y t, 1 y t, 2 y t = . . . y t,k input vector z t, 1 z t, 2 z t = . . .

419 views β€’ 12 slides
CSE 143 Class Vector: Interface class Vector { public: Dynamic Memory In Classes Vector ( );

CSE 143 Class Vector: Interface class Vector { public: Dynamic Memory In Classes Vector ( );

CSE 143 Class Vector: Interface class Vector { public: Dynamic Memory In Classes Vector ( ); bool isEmpty( ); [Chapter 4, p 156-157] int length ( ); void vectorInsert (int newPosition, Item newItem); Item vectorDelete (int position);

293 views β€’ 7 slides
Vector fields we describe these as vector valued functions that (1) depend on n variables and

Vector fields we describe these as vector valued functions that (1) depend on n variables and

Vector fields we describe these as vector valued functions that (1) depend on n variables and (2) have n components. 1 At each point (x,y) there is a vector. Nearbottom currents in Long Island Sound 2 Hurricanetype wind pattern in 3D

484 views β€’ 31 slides
Vector Functions A vector function is simply a function whose codomain is R n . In other words,

Vector Functions A vector function is simply a function whose codomain is R n . In other words,

Vector Functions A vector function is simply a function whose codomain is R n . In other words, rather than taking on real values, it takeson vector values. We will often use the notation x = x ( t ) to denote a vector function. Note: The text

522 views β€’ 4 slides
I can represent the multiplication visually by drawing the vector. National 5 Slides WB 29th Jan

I can represent the multiplication visually by drawing the vector. National 5 Slides WB 29th Jan

National 5 Slides WB 29th Jan Vectors Continued Starter 1) Find the magnitude of the vector b . 3 b = 7 -2 2) If a = find the value of a + b . 8 Multiplying a Vector Today we are learning... How to multiply a vector by a scalar. I will

508 views β€’ 9 slides
vector class homogeneous aggregate with random access templated class: Vector&lt;int&gt;

vector class homogeneous aggregate with random access templated class: Vector&lt;int&gt;

vector class homogeneous aggregate with random access templated class: Vector&lt;int&gt; iv; Vector&lt;string&gt; sv; accessible using #include vector.h construct by specifying # elements (initial value) access with indexes

394 views β€’ 10 slides
STL and Example Review &lt;vector&gt; Declaration: std::vector&lt;T&gt;vec = {initializer

STL and Example Review &lt;vector&gt; Declaration: std::vector&lt;T&gt;vec = {initializer

STL and Example Review &lt;vector&gt; Declaration: std::vector&lt;T&gt;vec = {initializer list} Access and modify: vec[index] = value Assignment of whole array: new_vec = vec Find size: vec.size() Extend: vec.push_back(val) How

384 views β€’ 10 slides
Uzbekistan General Exhibition Shipping Instructions 2019 Shipping Instructions for

Uzbekistan General Exhibition Shipping Instructions 2019 Shipping Instructions for

Uzbekistan General Exhibition Shipping Instructions 2019 Shipping Instructions for Consignments Sent Direct To Tashkent As the official logistics, site handling and customs clearance agent, appointed by the organizer ITECA Exhibitions / ITE

422 views β€’ 8 slides
Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations Dimensions length and size functions length - returns the number of elements in a vector size - returns the number of rows and columns in a vector or

588 views β€’ 22 slides
Basic Assembly Instructions SE 2XA3 Term I, 2020/21 Outline Basic instructions Addition,

Basic Assembly Instructions SE 2XA3 Term I, 2020/21 Outline Basic instructions Addition,

Basic Assembly Instructions SE 2XA3 Term I, 2020/21 Outline Basic instructions Addition, Subtraction, Move Multiplication Division FLAGS register Jump Instructions Conditional constructs Loop constructs using RCX General loops Basic

454 views β€’ 26 slides
Basic Assembly Instructions CS 2XA3 Term I, 2020/21 Outline Basic instructions Addition,

Basic Assembly Instructions CS 2XA3 Term I, 2020/21 Outline Basic instructions Addition,

Basic Assembly Instructions CS 2XA3 Term I, 2020/21 Outline Basic instructions Addition, Subtraction, Move Multiplication Division FLAGS register Jump Instructions Conditional constructs Loop constructs using RCX General loops Basic

524 views β€’ 26 slides
MOTIVATIONAL ELEMENTS IN USER INSTRUCTIONS Joyce Karreman User instructions Goal of user

MOTIVATIONAL ELEMENTS IN USER INSTRUCTIONS Joyce Karreman User instructions Goal of user

MOTIVATIONAL ELEMENTS IN USER INSTRUCTIONS Joyce Karreman User instructions Goal of user instructions? Instrumental versus rhetorical discourse. Moore (1997, p.166): Rhetorical communications and salespeople may persuade consumers to buy

460 views β€’ 26 slides
Instructions for Oral Presentation Accommodations Use the instructions and examples below and on

Instructions for Oral Presentation Accommodations Use the instructions and examples below and on

Instructions for Oral Presentation Accommodations Use the instructions and examples below and on the following pages when providing oral presentation of an assessment to eligible students who have the accommodation documented in an IEP or Section

337 views β€’ 10 slides
Vector/Axial-vector Technical stuff: - use POWHEG-BOX process of pp--&gt;DM DM 1j at NLO (need

Vector/Axial-vector Technical stuff: - use POWHEG-BOX process of pp--&gt;DM DM 1j at NLO (need

Vector/Axial-vector Technical stuff: - use POWHEG-BOX process of pp--&gt;DM DM 1j at NLO (need to check how sufficient this will be for - vector coupling to both SM and DM multijet+Met processes) - axial vector coupling to both SM and DM -

74 views β€’ 4 slides
TABLE OF CONTENTS: Intended Use Instructions

TABLE OF CONTENTS: Intended Use Instructions

T H E C I T Y 2 S L I D E Assembly &amp; Installation Instructions IMPORTANT These instructions must remain with the slide owner! Visit inter-fab.com to view our installation help video. (Video does NOT replace installation

316 views β€’ 20 slides
What is a What are Support Vector Machines Support Vector Machine? Used For? An optimally

What is a What are Support Vector Machines Support Vector Machine? Used For? An optimally

What is a What are Support Vector Machines Support Vector Machine? Used For? An optimally defined surface Classification Typically nonlinear in the input space Regression and data-fitting Linear in a higher dimensional

577 views β€’ 8 slides
Pipelining and Vector Processing Chapter 8 S. Dandamudi Outline Basic concepts Vector

Pipelining and Vector Processing Chapter 8 S. Dandamudi Outline Basic concepts Vector

Pipelining and Vector Processing Chapter 8 S. Dandamudi Outline Basic concepts Vector processors Handling resource Architecture conflicts Advantages Data hazards Cray X-MP Handling branches Vector length

904 views β€’ 88 slides
Vector Field Topology 8-1 Ronald Peikert SciVis 2007 - Vector Field Topology Vector fields as

Vector Field Topology 8-1 Ronald Peikert SciVis 2007 - Vector Field Topology Vector fields as

Vector Field Topology 8-1 Ronald Peikert SciVis 2007 - Vector Field Topology Vector fields as ODEs What are conditions for existence and uniqueness of streamlines? For the initial value problem ( ) ( ) ( ) ( ) i = = x t x x t

740 views β€’ 43 slides

More recommend