blake and 256 bit advanced vector extensions
play

BLAKE and 256-bit advanced vector extensions Samuel Neves 1 - PowerPoint PPT Presentation

Sep 30, 2022 •581 likes •859 views

BLAKE and 256-bit advanced vector extensions Samuel Neves 1 Jean-Philippe Aumasson 2 1 University of Coimbra, Portugal 2 NAGRA, Switzerland The Third SHA-3 Candidate Conference 1 / 26 BLAKE Main bottleneck is the keyed permutation State:

  1. BLAKE and 256-bit advanced vector extensions Samuel Neves 1 Jean-Philippe Aumasson 2 1 University of Coimbra, Portugal 2 NAGRA, Switzerland The Third SHA-3 Candidate Conference 1 / 26

  2. BLAKE � Main bottleneck is the keyed permutation � State: 4 × 4 matrix of 32- or 64-bit words v 0 , . . . , v 15 G 0 ( v 0 , v 4 , v 8 , v 12 ) G 1 ( v 1 , v 5 , v 9 , v 13 ) G 2 ( v 2 , v 6 , v 10 , v 14 ) G 3 ( v 3 , v 7 , v 11 , v 15 ) G 4 ( v 0 , v 5 , v 10 , v 15 ) G 5 ( v 1 , v 6 , v 11 , v 12 ) G 6 ( v 2 , v 7 , v 8 , v 13 ) G 7 ( v 3 , v 4 , v 9 , v 14 ) � 14 (or 16) of these per compression � 4-way parallelism 2 / 26

  3. BLAKE BLAKE-256’s G i looks like this: � a ← a + b + ( m σ r [2 i ] ⊕ u σ r [2 i +1] ) d ← ( d ⊕ a ) » 16 c ← c + d b ← ( b ⊕ c ) » 12 a ← a + b + ( m σ r [2 i +1] ⊕ u σ r [2 i ] ) d ← ( d ⊕ a ) » 8 c ← c + d b ← ( b ⊕ c ) » 7 3 / 26

  4. BLAKE BLAKE-512’s G i looks like this: � a ← a + b + ( m σ r [2 i ] ⊕ u σ r [2 i +1] ) d ← ( d ⊕ a ) » 32 c ← c + d b ← ( b ⊕ c ) » 25 a ← a + b + ( m σ r [2 i +1] ⊕ u σ r [2 i ] ) d ← ( d ⊕ a ) » 16 c ← c + d b ← ( b ⊕ c ) » 11 4 / 26

  5. SIMD BLAKE Put v 0 , v 4 , v 8 , v 12 in SIMD register r0 � Put v 1 , v 5 , v 9 , v 13 in SIMD register r1 � . . . � Perform single G call over r0, r1, r2, r3 � Put v 4 , v 5 , v 10 , v 15 in SIMD register r0 � Put v 1 , v 6 , v 11 , v 12 in SIMD register r1 � . . . � Perform single G call over r0, r1, r2, r3 � 5 / 26

  6. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 6 / 26

  7. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 7 / 26

  8. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 8 / 26

  9. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 9 / 26

  10. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 10 / 26

  11. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 11 / 26

  12. Anatomy of SIMD BLAKE function R OUND ( r ) ; m σ r [2 i ] ⊕ u σ r [2 i +1] m 0 .. 3 = LoadMsg ( r ) state = G ( state, m 0 .. 1 ) ; G 0 , G 1 , G 2 , G 3 state = Diag ( state ) ; Diagonalize state = G ( state, m 2 .. 3 ) ; G 4 , G 5 , G 6 , G 7 state = Undiag ( state ) ; Undiagonalize end function 12 / 26

  13. Timeline of SIMD BLAKE BLAKE-256 BLAKE-512 2008 sse2 2008 sse2 2009 ssse3 2009 ssse3 2010 sse41 2011 vect128 2011 vect128 2012 sse41, avx, xop 2012 avx, xop 13 / 26

  14. AVX and XOP AVX � � Sandy Bridge, 2011 � Extends 128-bit XMM to 256-bit YMM registers � Non-destructive operations � Floating-point only XOP � � Bulldozer, 2011 � Integer rotations � Advanced byte shuffles � Integer MAD 14 / 26

  15. AVX2 AVX2 � Haswell, 2013 � Extends AVX to the integers � Gather/Scatter instructions � More cross-lane instructions � Useful new instructions: � VPERMD � VPERMQ � VPGATHERDD � VPGATHERDQ � 15 / 26

  16. BLAKE-512 and AVX2 AVX2 enables same SIMD strategy as � BLAKE-256 VPSHUFD → VPERMQ � Multi-op permutations → VPGATHERDQ � 16 / 26

  17. BLAKE-512 and AVX2: message load Option 1: Copy BLAKE-256’s approach � Up to 12 instructions per message load � Some useful SSE4.1 instructions still not in � AVX2 Option 2: Use VPGATHERDQ � vpcmpeqq ymm14, ymm14, ymm14 ; set mask to 1111..11 vmovdqa xmm8, [ perm + 00] ; permutation indices vpgatherdq ymm4, [ rsp + 8*xmm8] , ymm14 ; permute from stack . . . vpxor ymm4, ymm4, [ const_z + 00] ; xor with constant 17 / 26

  18. BLAKE-512 and AVX2: G i vpaddq ymm0, ymm0, ymm4 ; a + ( m σ r [2 i ] ⊕ u σ r [2 i +1] ) vpaddq ymm0, ymm0, ymm1 ; a + b vpxor ymm3, ymm3, ymm0 ; d ⊕ a vpshufd ymm3, ymm3, 10110001b ; d » 32 vpaddq ymm2, ymm2, ymm3 ; c + d vpxor ymm1, ymm1, ymm2 ; b ⊕ c v p s l l q ymm8, ymm1, 64 − 25 ; v p sr l q ymm1, ymm1, 25 ; vpxor ymm1, ymm1, ymm8 ; b » 25 a + ( m σ r [2 i +1] ⊕ u σ r [2 i ] ) vpaddq ymm0, ymm0, ymm5 ; vpaddq ymm0, ymm0, ymm1 ; a + b vpxor ymm3, ymm3, ymm0 ; d ⊕ a vpshufb ymm3, ymm3, ymm15 ; d » 16 vpaddq ymm2, ymm2, ymm3 ; c + d vpxor ymm1, ymm1, ymm2 ; b ⊕ c vpsllq ymm8, ymm1, 64 − 11 ; vpsrlq ymm1, ymm1, 11 ; vpxor ymm1, ymm1, ymm8 ; b » 11 18 / 26

  19. BLAKE-512 and AVX2: performance Pessimistic assumptions � Message loading consumes 5 cycles � Single cycle operations, 3-cycle odd rotations � 6.63 cycles per byte � Optimistic � Message loading can be run fully in parallel � with G Single-cycle instructions, 3-cycle odd rotations � 4.00 cycles per byte � 19 / 26

  20. BLAKE-256 and AVX, XOP Non-destructive syntax greatly reduces µop � count AVX allows storing data in upper 128 bits of � YMM registers XOP adds native rotations(!) � VPPERM useful in message loads � 20 / 26

  21. BLAKE-256 and AVX2 Enables faster tree modes � Also useful for message loads in non-tree � mode vpcmpeqd ymm12, ymm12, ymm12 vmovdqa ymm8, [ perm + 00] vpgatherdd ymm4, [ymm8*4+ rsp ] , ymm12 vpcmpeqd ymm13, ymm13, ymm13 vmovdqa ymm9, [ perm + 32] vpgatherdd ymm6, [ymm9*4+ rsp ] , ymm13 vpxor ymm4, ymm4, [ const_z + 00] vpxor ymm6, ymm6, [ const_z + 32] 21 / 26

  22. BLAKE-256 and AVX2 Enables faster tree modes � Also useful for message loads in non-tree � mode vmovdqa ymm8, [ perm0 + 00] vmovdqa ymm9, [ perm0 + 32] vpermd ymm4, ymm8, ymm10 vpermd ymm5, ymm9, ymm11 vpblendd ymm4, ymm4, ymm5, 01111101b vmovdqa ymm8, [ perm0 + 64] vmovdqa ymm9, [ perm0 + 96] vpermd ymm6, ymm8, ymm10 vpermd ymm7, ymm9, ymm11 vpblendd ymm6, ymm6, ymm7, 00010100b vpxor ymm4, ymm4, [ const_z + 00] vpxor ymm6, ymm6, [ const_z + 32] 22 / 26

  23. BLAKE-256 and AVX2: performance Unlike BLAKE-512, marginal improvement � Two compression functions at nearly no � extra cost AVX and XOP have more direct effect � 23 / 26

  24. Message caching 10 distinct permutations � 14 (resp 16) rounds � Reuse permutations from r − 10 � Does not improve nor degrade performance � 24 / 26

  25. Results AVX � 7.62 cpb (Sandy Bridge) � AVX2 � We’ll only know in 2013 � Estimated to range from 4 to 6.63 cpb � 25 / 26

  26. Updated numbers ( 20120310 ) blake256 � mangetsu : 7.49 cpb � hydra6 : 11.83 cpb � blake512 � mangetsu : 5.64 cpb � hydra6 : 6.88 cpb � Compare to elroy (20110106) � blake256: 8.25 cpb � blake512: 7.93 cpb � 26 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break Session B: Vector Flag Processing & Vector Register Files Lunch Session C: Virtual Processor Caches Break Session D: Vector IRAM Vector

498 views • 22 slides
Canonical extensions of archimedean vector lattices with strong order unit Guram Bezhanishvili

Canonical extensions of archimedean vector lattices with strong order unit Guram Bezhanishvili

Canonical extensions of archimedean vector lattices with strong order unit Guram Bezhanishvili Patrick Morandi Bruce Olberding New Mexico State University, Las Cruces, New Mexico, USA TACL 26-30 June 2017 Canonical Extensions 1/26

1.18k views • 53 slides
Speeding Up Quantifjed Bit-Vector SMT Solvers by Bit-Width Reductions and Extensions Martin

Speeding Up Quantifjed Bit-Vector SMT Solvers by Bit-Width Reductions and Extensions Martin

Speeding Up Quantifjed Bit-Vector SMT Solvers by Bit-Width Reductions and Extensions Martin Jon , Jan Strejek Fondazione Bruno Kessler, Italy Faculty of Informatics, Masaryk University, Czech Republic In many software verifjcation

626 views • 36 slides
Affine Extensions of Integer Vector Addition Systems with States Michael Blondin 1 , Christoph

Affine Extensions of Integer Vector Addition Systems with States Michael Blondin 1 , Christoph

Affine Extensions of Integer Vector Addition Systems with States Michael Blondin 1 , Christoph Haase 2 and Filip Mazowiecki 3 1 Technische Universit at M unchen 2 University of Oxford 3 Universit e de Bordeaux Infinity 2018 Affine

1.18k views • 94 slides
Vector Extensions for Decision Support DBMS Acceleration Timothy Hayes, Oscar Palomar, Osman

Vector Extensions for Decision Support DBMS Acceleration Timothy Hayes, Oscar Palomar, Osman

Vector Extensions for Decision Support DBMS Acceleration Timothy Hayes, Oscar Palomar, Osman Unsal, Adrian Cristal & Mateo Valero Barcelona Supercomputing Center Presented by Timothy Hayes timothy.hayes@bsc.es Introduction Databases

390 views • 22 slides
Data-Level Parallelism Vector, SIMD, GPU 1 MO401 Tpicos IC-UNICAMP Vector

Data-Level Parallelism Vector, SIMD, GPU 1 MO401 Tpicos IC-UNICAMP Vector

MO401 IC-UNICAMP IC/Unicamp Prof Mario Crtes Captulo 4 Data-Level Parallelism Vector, SIMD, GPU 1 MO401 Tpicos IC-UNICAMP Vector architectures SIMD ISA extensions for multimedia GPU Detecting and enhancing loop level

1.07k views • 81 slides
ADVANCED MACHINE LEARNING Non-linear regression techniques (SVR and extensions, GPR, Gradient

ADVANCED MACHINE LEARNING Non-linear regression techniques (SVR and extensions, GPR, Gradient

ADVANCED MACHINE LEARNING ADVANCED MACHINE LEARNING Non-linear regression techniques (SVR and extensions, GPR, Gradient Boosting) 1 1 ADVANCED MACHINE LEARNING Regression: Principle N Map N-dim. input to a continuous

906 views • 89 slides
Modelling Dependent Credit Risks Advanced Mathematical Methods for Finance with Extensions of

Modelling Dependent Credit Risks Advanced Mathematical Methods for Finance with Extensions of

Workshop and Mid-Term Conference on Modelling Dependent Credit Risks Advanced Mathematical Methods for Finance with Extensions of CreditRisk + (Mid-Term AMaMeF Meeting 2007) and Application to Operational Risk September 1823, 2007, Vienna,

361 views • 21 slides
NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

Alternative Model:Vector Processing EECS 252 Graduate Computer Vector processors have high-level operations that work on linear arrays of numbers: "vectors" Architecture SCALAR VECTOR (1 operation) (N operations) Lec 10

327 views • 10 slides
CS654 Advanced Computer Architecture Lec 12 Vector Wrap-up and Multiprocessor Introduction

CS654 Advanced Computer Architecture Lec 12 Vector Wrap-up and Multiprocessor Introduction

CS654 Advanced Computer Architecture Lec 12 Vector Wrap-up and Multiprocessor Introduction Peter Kemper Adapted from the slides of EECS 252 by Prof. David Patterson Electrical Engineering and Computer Sciences University of California,

988 views • 71 slides
Preparation Interrogating African American Rene Blake, renee.blake@nyu.edu New York

Preparation Interrogating African American Rene Blake, renee.blake@nyu.edu New York

Coding for Sociolinguistic Archive Preparation Interrogating African American Rene Blake, renee.blake@nyu.edu New York University LSA 2012 Portland, Oregon Wednesday, January 4, 2012 Social and linguistic heterogeneity of the

328 views • 16 slides
Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector , written 0 D or just 0 v + 0 = v Vector addition: Vector addition is associative and commutative I Associativity ( x + y ) + z = x + ( y + z ) I

476 views • 36 slides
Support Vector Machines (I): Overview and Linear SVM LING 572 Advanced Statistical Techniques

Support Vector Machines (I): Overview and Linear SVM LING 572 Advanced Statistical Techniques

Support Vector Machines (I): Overview and Linear SVM LING 572 Advanced Statistical Techniques for NLP February 13 2020 1 Why another learning method? Based on some beautifully simple ideas (Schlkopf, 1998) Maximum margin

891 views • 64 slides
ECON 950 Winter 2020 Prof. James MacKinnon 12. Support Vector Machines These notes are based

ECON 950 Winter 2020 Prof. James MacKinnon 12. Support Vector Machines These notes are based

ECON 950 Winter 2020 Prof. James MacKinnon 12. Support Vector Machines These notes are based on Chapter 9 of ISLR. Support vector machines are a popular method for classification problems where there are two classes. There are extensions

499 views • 16 slides
Lecture 1.1: Vector spaces Matthew Macauley Department of Mathematical Sciences Clemson

Lecture 1.1: Vector spaces Matthew Macauley Department of Mathematical Sciences Clemson

Lecture 1.1: Vector spaces Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4340, Advanced Engineering Mathematics M. Macauley (Clemson) Lecture 1.1: Vector spaces Advanced

225 views • 6 slides
Matrix Arithmetic (Multidimensional Math) Shaina Race, PhD Institute for Advanced Analytics.

Matrix Arithmetic (Multidimensional Math) Shaina Race, PhD Institute for Advanced Analytics.

Matrix Arithmetic (Multidimensional Math) Shaina Race, PhD Institute for Advanced Analytics. Element-wise Operations T ABLE OF C ONTENTS Linear Combinations of Matrices and Vectors. Vector Multiplication Inner products and Matrix-Vector

1.19k views • 78 slides
9M 2014 Financial results presentation Conference call and Q&A 12th November 2014 Event: 9M

9M 2014 Financial results presentation Conference call and Q&A 12th November 2014 Event: 9M

9M 2014 Financial results presentation Conference call and Q&A 12th November 2014 Event: 9M 2014 Financial results presentation Date: 12th November 2014 Speakers: Mr. Claudio Albertini, CEO Mr. Daniele Cabuli, COO O PERATOR : G OOD

215 views • 10 slides
Q1 2018 Earnings Call Transcript May 10, 2018 The Stars Group Q1 2018 Conference Call Transcript

Q1 2018 Earnings Call Transcript May 10, 2018 The Stars Group Q1 2018 Conference Call Transcript

Q1 2018 Earnings Call Transcript May 10, 2018 The Stars Group Q1 2018 Conference Call Transcript C O R P O R A T E P A R T I C I P A N T S Rafael (Rafi) Ashkenazi, Chief Executive Officer Brian Kyle, Chief Financial Officer Marlon Goldstein,

343 views • 22 slides
1 Operator: Good morning and welcome to the Henkel conference call. With us today are Hans Van

1 Operator: Good morning and welcome to the Henkel conference call. With us today are Hans Van

Commented Slides / Earnings Conference Call Q1 2016 May 19, 2016 Participants Henkel representatives Hans Van Bylen; Henkel; CEO Carsten Knobel; Henkel; CFO & Investor Relations Team Participants Active in Q&A session Hermine de

906 views • 44 slides
Nomad Foods Limited Second Quarter 2020 Earnings Conference Call August 6, 2020 Nomad Foods

Nomad Foods Limited Second Quarter 2020 Earnings Conference Call August 6, 2020 Nomad Foods

Nomad Foods Limited Second Quarter 2020 Earnings Conference Call August 6, 2020 Nomad Foods Limited Second Quarter 2020 Earnings Conference Call, August 6, 2020 C O R P O R A T E P A R T I C I P A N T S Taposh Bari, Head of Investor

363 views • 20 slides
RWC Enhanced Income Fund F E B R U A R Y 2 0 1 4 RWC Yields are low across all asset classes 8

RWC Enhanced Income Fund F E B R U A R Y 2 0 1 4 RWC Yields are low across all asset classes 8

For Professional Investors and Advisers Only RWC Enhanced Income Fund F E B R U A R Y 2 0 1 4 RWC Yields are low across all asset classes 8 7 6 5 Yield (%) 4 3 RPI, 2.6% 2 1 0 Base Rates UK 2 Year Barclays Capital UK 10 Year

493 views • 35 slides
Canacol Energy Ltd. Third Quarter 2019 Earnings Conference Call November 8, 2019 at 11:30 a.m.

Canacol Energy Ltd. Third Quarter 2019 Earnings Conference Call November 8, 2019 at 11:30 a.m.

Canacol Energy Ltd. Third Quarter 2019 Earnings Conference Call November 8, 2019 at 11:30 a.m. Eastern CORPORATE PARTICIPANTS Charle Gamba, President and Chief Executive Officer Jason Bednar, Chief Financial Officer Ravi Sharma, Chief Operating

474 views • 15 slides
Becoming the Worlds Leader in Low Cost Solar Grade Silicon Metal Polysilicon TSX-V: HPQ

Becoming the Worlds Leader in Low Cost Solar Grade Silicon Metal Polysilicon TSX-V: HPQ

HPQ - SILICON R E S O U R C E S Becoming the Worlds Leader in Low Cost Solar Grade Silicon Metal Polysilicon TSX-V: HPQ DISCLAIMERS HPQ - SILICON R E S O U R C E S This presenta,on includes certain

630 views • 26 slides
Trademark Bullying: Latest Developments Cease and Desist and Litigation Tactics in the Battle for

Trademark Bullying: Latest Developments Cease and Desist and Litigation Tactics in the Battle for

Presenting a live 90-minute webinar with interactive Q&A Trademark Bullying: Latest Developments Cease and Desist and Litigation Tactics in the Battle for Brand Protection WEDNESDAY, APRIL 11, 2013 1pm Eastern | 12pm Central | 11am

880 views • 30 slides

More recommend