Chacha20-Poly1305: use string instead of cstruct

mirage / mirage-crypto

Cryptographic primitives for OCaml, in OCaml (also used in MirageOS)

ISC License

77 stars 43 forks source link

Chacha20-Poly1305: use string instead of cstruct #203

Closed hannesm closed 9 months ago

hannesm commented 9 months ago

Performance improvement around 2.5x

Worth to gather some more statistics hereof, and the question how to move forward - I can see two ways:

preserve old API, add some functions (adds noise)
first reimplement stuff without Cstruct, preserve old API, then cut a release where the API doesn't include cstruct

WDYT?

main branch (28f8cde5ff3197e6383a935037725ab34ab32485) 16: 11.686102 MB/s (2318663 iters in 3.028 s) 64: 44.914143 MB/s (2248341 iters in 3.055 s) 256: 111.408313 MB/s (1464243 iters in 3.209 s) 1024: 190.362636 MB/s (530561 iters in 2.722 s) 8192: 235.326363 MB/s (81843 iters in 2.717 s)

this PR (with using the ad-hoc API enc_auth_str): 16: 26.288283 MB/s (5247580 iters in 3.046 s) 64: 99.922308 MB/s (4995212 iters in 3.051 s) 256: 204.388046 MB/s (2405283 iters in 2.873 s) 1024: 278.060783 MB/s (863503 iters in 3.033 s) 8192: 294.746967 MB/s (113552 iters in 3.010 s)

hannesm commented 9 months ago

note this could be split into pieces, such as introducing the xor_into_bytes function, then moving poly1305 to string, then adding macl, then moving chacha to string. on a separate note, in C we directly cast to uint32_t * to avoid shifting and reading byte-wise (this could also be done in a separate commit).

~~EDIT: ah, the big endian (s390x) fails due to that...~~ fixed in the following commits

palainp commented 9 months ago

Neat! Thanks for that! Here are my results (I confirm the x2 improvement on smallest sizes, and improvement everywhere!):

head 16: 10.119168 MB/s (1347821 iters in 2.032 s) 64: 38.610391 MB/s (1286782 iters in 2.034 s) 256: 94.388170 MB/s (778949 iters in 2.015 s) 1024: 144.286801 MB/s (296597 iters in 2.007 s) 8192: 179.547401 MB/s (45952 iters in 1.999 s)
this pr 16: 20.138118 MB/s (4008503 iters in 3.037 s) 64: 74.277972 MB/s (3603763 iters in 2.961 s) 256: 142.762819 MB/s (1758954 iters in 3.008 s) 1024: 182.994248 MB/s (562805 iters in 3.003 s) 8192: 189.376331 MB/s (72417 iters in 2.987 s)

hannesm commented 9 months ago

with @reynir suggested changes 1e1d179

[chacha20-poly1305] 16: 27.772872 MB/s (5554249 iters in 3.052 s) 64: 105.891640 MB/s (5228603 iters in 3.014 s) 256: 211.486396 MB/s (2608886 iters in 3.012 s) 1024: 281.579622 MB/s (886396 iters in 3.074 s) 8192: 299.032280 MB/s (116109 iters in 3.033 s)

hannesm commented 9 months ago

I wondered about the CI failure, and the Bytes.unsafe_blit_string is only available from OCaml 4.09 on (fine with me to bump the lower OCaml bound)