search

open-quantum-safe / liboqs

C library for prototyping and experimenting with quantum-resistant cryptography
https://openquantumsafe.org/
Other
1.85k stars 453 forks source link

Adding a build variable to specify armv8 version #1185

Open Martyrshot opened 2 years ago

Martyrshot commented 2 years ago

As per a discussion on https://github.com/open-quantum-safe/liboqs/pull/1184#issuecomment-1026988491, it might be worth adding a build variable to liboqs that specifies the instruction set version when compiling for amv8. This would allow individuals to choose whether they want to be more backwards compatible and potentially lose some performance, or allowing additional instructions (potentially improving performance) at the cost of backwards compatibility.

Currently liboqs takes the approach of using whatever the compiler detects the cpu supports, with the exception of sha2 crypto extensions on Darwin when gcc11 is used (we opted for the backwards compatible approach).

Is adding a build variable like this worth it? I'm not exactly sure at this time, but I think it's worth a discussion.

baentsch commented 2 years ago

Reading that "sha2 crypto extensions on Darwin when gcc11 is used" is such an outlier makes me vote this "up" as a desirable feature. But then again, who uses gcc11 on ARM-Darwins?

vincentvbh commented 2 years ago

Hi, all,

I'm not sure if the following is helpful. According to https://developer.arm.com/documentation/101028/0010/Feature-test-macros, testing __ARM_FEATURE_CRYPTO already implies the existence of AES and SHA-2. I tested all the defines for crypto extensions with my Apple M1, and only find __ARM_FEATURE_CRYPTO and __ARM_FEATURE_FP16_FML defined. Since I just unified the code base for https://eprint.iacr.org/2021/986 targeting Cortex-A72 and Apple M1, the parallelized Keccak now tests for

(__APPLE__ && __ARM_FEATURE_CRYPTO) || (__ARM_FEATURE_SHA3).

If it passes, we choose https://github.com/bwesterb/armed-keccak, and it fails, then we choose the fips202x2 by https://github.com/cothan/kyber/blob/master/neon/fips202x2.c which does not use SHA-3 instructions.

Since I can't find documentation indicating the existence of SHA-3 instructions for Apple M1, and the crypto extension for SHA-3 instructions is only an optional extension, I think this is a reasonable test.

Best regards, Vincent Hwang