using vector instructions
play

Using Vector Instructions Joppe W. Bos, Peter L. Montgomery, Daniel - PowerPoint PPT Presentation

Sep 30, 2023 β€’437 likes β€’649 views

Montgomery Multiplication Using Vector Instructions Joppe W. Bos, Peter L. Montgomery, Daniel Shumow, and Gregory M. Zaverucha SAC 2013 Motivation E.g. ECDSA, ECDH E.g. DH, ( ) Point DSA, RSA arithmetic or

  1. Montgomery Multiplication Using Vector Instructions Joppe W. Bos, Peter L. Montgomery, Daniel Shumow, and Gregory M. Zaverucha SAC 2013

  2. Motivation E.g. ECDSA, ECDH E.g. DH, 𝐹(𝐆 π‘ž ) Point DSA, RSA arithmetic 𝐆 π‘ž or 𝐚/π‘πš Montgomery Multiplication

  3. Motivation E.g. ECDSA, ECDH E.g. DH, 𝐹(𝐆 π‘ž ) Point DSA, RSA arithmetic 𝐆 π‘ž or 𝐚/π‘πš ECC often use primes of a Useful for special form: pairings NIST curves, Montgomery curve25519 Multiplication

  4. Modular Multiplication Compute 𝐷 = 𝐡 Γ— 𝐢 (mod 𝑁) 𝑆 = 𝐡 Γ— 𝐢 write 𝑆 = π‘Ÿ Γ— 𝑁 + 𝐷 such that 0 ≀ 𝐷 < 𝑁 Cost: One multiplication + one division with remainder

  5. Modular Multiplication Compute 𝐷 = 𝐡 Γ— 𝐢 (mod 𝑁) 𝑆 = 𝐡 Γ— 𝐢 write 𝑆 = π‘Ÿ Γ— 𝑁 + 𝐷 such that 0 ≀ 𝐷 < 𝑁 Cost: One multiplication + one division with remainder Montgomery (Math. Comp. 1985) observed that we can avoid the expensive division when M is odd 𝐡 2 if 𝐡 is even 𝐡 2 mod 𝑁 = 𝐡+𝑁 if 𝐡 is odd 2 A Γ— βˆ’π‘ βˆ’1 mod 2 32 ≑ 0 mod 2 32 , A + M Γ— precompute 𝜈 = βˆ’π‘ βˆ’1 mod 2 32

  6. Interleaved Montgomery Multiplication π‘œβˆ’1 𝑏 𝑗 , 𝐢 , 𝑁 , 𝜈 = βˆ’π‘ βˆ’1 mod 2 32 Input: 𝐡 = 𝑗=0 Output: 𝐷 = 𝐡𝐢2 βˆ’32π‘œ mod 𝑁 𝐷 = 0 for 𝑗 = 0 to π‘œ βˆ’ 1 do 𝐷 = 𝐷 + 𝑏 𝑗 𝐢 ( 1 Γ— π‘œ) limbs π‘Ÿ = 𝜈𝐷 mod 2 32 ( 1 Γ— 1) limb 𝐷 = (𝐷 + π‘Ÿπ‘)/ 2 32 ( 1 Γ— π‘œ) limbs If 𝐷 β‰₯ 𝑁 then 𝐷 = 𝐷 βˆ’ 𝑁

  7. Interleaved Montgomery Multiplication π‘œβˆ’1 𝑏 𝑗 , 𝐢 , 𝑁 , 𝜈 = βˆ’π‘ βˆ’1 mod 2 32 Input: 𝐡 = 𝑗=0 Output: 𝐷 = 𝐡𝐢2 βˆ’32π‘œ mod 𝑁 𝐷 = 0 2 Γ— (1 Γ— 1) limb for 𝑗 = 0 to π‘œ βˆ’ 1 do 𝐷 = 𝐷 + 𝑏 𝑗 𝐢 ( 1 Γ— π‘œ) limbs π‘Ÿ = (𝑑 0 + 𝑏 𝑗 𝑐 0 )𝜈 mod 2 32 π‘Ÿ = 𝜈𝐷 mod 2 32 ( 1 Γ— 1) limb 𝐷 = (𝐷 + 𝑏 𝑗 𝐢 + π‘Ÿπ‘)/ 2 32 𝐷 = (𝐷 + π‘Ÿπ‘)/ 2 32 ( 1 Γ— π‘œ) limbs If 𝐷 β‰₯ 𝑁 then 𝐷 = 𝐷 βˆ’ 𝑁 At the cost of one extra ( 1 Γ— 1) limb 2 Γ— (1 Γ— π‘œ) limbs multiplication the two ( 1 Γ— π‘œ) limbs multiplications become independent.

  8. Interleaved Montgomery Multiplication π‰πžπŸπ› π‘œβˆ’1 𝑏 𝑗 , 𝐢 , 𝑁 , 𝜈 = βˆ’π‘ βˆ’1 mod 2 32 Flip the sign of 𝜈 : 𝜈 = +𝑁 βˆ’1 mod 2 32 Input: 𝐡 = 𝑗=0 Output: 𝐷 = 𝐡𝐢2 βˆ’32π‘œ mod 𝑁 𝐷 = 0 2 Γ— (1 Γ— 1) limb for 𝑗 = 0 to π‘œ βˆ’ 1 do 𝐷 = 𝐷 + 𝑏 𝑗 𝐢 ( 1 Γ— π‘œ) limbs π‘Ÿ = (𝑑 0 + 𝑏 𝑗 𝑐 0 )𝜈 mod 2 32 π‘Ÿ = 𝜈𝐷 mod 2 32 ( 1 Γ— 1) limb 𝐷 = (𝐷 + 𝑏 𝑗 𝐢 + π‘Ÿπ‘)/ 2 32 𝐷 = (𝐷 + π‘Ÿπ‘)/ 2 32 ( 1 Γ— π‘œ) limbs If 𝐷 β‰₯ 𝑁 then 𝐷 = 𝐷 βˆ’ 𝑁 At the cost of one extra ( 1 Γ— 1) limb 2 Γ— (1 Γ— π‘œ) limbs multiplication the two ( 1 Γ— π‘œ) limbs multiplications become independent.

  9. 2-way SIMD Interleaved Montgomery Multiplication

  10. 2-way SIMD Interleaved Montgomery Multiplication Non-SIMD part 𝑒 𝑗 2 32𝑗 βˆ’ 𝑓 𝑗 2 32𝑗 𝐷 = 𝑗 𝑗 mod 2 32 π‘Ÿ = πœˆπ‘ 0 𝑏 π‘˜ + 𝜈 𝑒 0 βˆ’ 𝑓 0 πœˆπ‘ 0 𝑏 π‘˜ + πœˆπ‘‘ 0 mod 2 32 = = (𝑑 0 + 𝑏 π‘˜ 𝑐 0 )𝜈 mod 2 32

  11. Expected Performance Speedup Sequential Montgomery Multiplication Long Muls: 2π‘œ 2 Short Muls: π‘œ 2-way SIMD Montgomery Multiplication Long Muls: π‘œ 2 Short Muls: 2π‘œ

  12. Expected Performance Speedup Sequential Montgomery Multiplication Long Muls: 2π‘œ 2 Short Muls: π‘œ 2-way SIMD Montgomery Multiplication Long Muls: π‘œ 2 Short Muls: 2π‘œ Based on #multiplications only we expect: β€’ 32-bit 2-way SIMD to be at most 2x as fast as 32-bit sequential β€’ 32-bit 2-way SIMD to be approximately 2x as slow as 64-bit sequential

  14. Performance Results – x86 Intel Xeon E31230 (3.2 GHz) - PC Intel Atom Z2760 (1.8 GHz) - Tablet RSA Classic SIMD Ratio Classic SIMD Ratio enc 2048 181,412 414,787 0.44 2,583,643 1,601,878 1.61 dec 2048 4,928,633 12,211,700 0.40 80,204,317 52,000,367 1.54

  15. Performance Results - ARM Dell XPS 10 tablet (1.8 GHz) NVIDIA Tegra 4 (1.9 GHz) NVIDIA Tegra 3 T30 (1.4 GHz) Snapdragon S4 (dev board, Cortex-A15) (dev board, Cortex-A9) RSA Classic SIMD Ratio Classic SIMD Ratio Classic SIMD Ratio enc 1,087,318 710,910 1.53 725,336 712,542 1.02 872,468 1,358,955 0.64 2048 dec 34,769,147 21,478,047 1.62 23,177,617 22,812,040 1.02 27,547,434 47,205,919 0.58 2048

  16. Performance Results Compare to results from: eBACS: ECRYPT Benchmarking of Cryptographic Systems and OpenSSL Snapdragon S4 (1.8 GHz) vs Intel Atom Z2760 (1.8 GHz) Snapdragon S3 (1.78 GHz) - Tablet RSA Classic OpenSSL Classic OpenSSL enc 2048 1,087,318 609,593 2,583,643 2,323,800 dec 2048 34,769,147 39,746,105 80,204,317 75,871,800

  17. Can we do (asymptotically) better? What about faster multiplication methods (Karatsuba)? β€’ Incompatible with interleaved Montgomery multiplication β€’ Possible gain ([A]) on 32-bit platform for 1024-bit Montgomery multiplication Following the analysis from [A] (one level Karatsuba) for 32-bit platforms Sequential Karatsuba montmul Sequential Karatsuba reduces muls by 1.14x versus Sequential Karatsuba reduces adds by 1.18x Sequential interleaved montmul Sequential Karatsuba montmul SIMD interleaved reduces muls by 1.70x versus SIMD interleaved reduces adds by 1.67x SIMD interleaved montmul [A] J. GroßschΓ€dl, R. M. Avanzi, E. Savas, and S. Tillich. Energy-efficient software implementation of long integer modular arithmetic. CHES 2005

  18. Can we do (asymptotically) better? What about SIMD Karatsuba montmul versus SIMD interleaved montmul? β€’ SIMD Karatsuba, but how to GMP SIMD GMP SIMD calculate SIMD reduction? RSA-2048 enc RSA-2048 enc RSA-2048 dec RSA-2048 dec β€’ This approach is used in GMP Atom Z2760 2,184,436 1,601,878 37,070,875 52,000,367 β€’ GMP is not a crypto lib Intel Xeon E3-1230 695,861 414,787 11,929,868 12,211,700 (32-bit mode)

  19. Can we do (asymptotically) better? What about SIMD Karatsuba montmul versus SIMD interleaved montmul? β€’ SIMD Karatsuba, but how to GMP SIMD GMP SIMD calculate SIMD reduction? RSA-2048 enc RSA-2048 enc RSA-2048 dec RSA-2048 dec β€’ This approach is used in GMP Atom Z2760 2,184,436 1,601,878 37,070,875 52,000,367 β€’ GMP is not a crypto lib Intel Xeon E3-1230 695,861 414,787 11,929,868 12,211,700 (32-bit mode) Modular Squaring Modular Squaring β€’ Time(Montgomery squaring) β‰ˆ 0.80 Γ— Time(Montgomery Multiplication) [A] β€’ SIMD Montgomery squaring? β€’ We didn’t use this optimization [A] J. GroßschΓ€dl, R. M. Avanzi, E. Savas, and S. Tillich. Energy-efficient software implementation of long integer modular arithmetic. CHES 2005

  20. Conclusions οƒΌ Current vector instructions can be used to enhance the performance of Montgomery multiplication on modern embedded devices Examples: 32-bit x86 (SSE) and ARM (NEON) platforms οƒΌ Faster RSA-2048 on some tablets: performance on ARM differs significantly οƒΌ If future instruction set(s) support 64 Γ— 64 β†’ 128 -bit 2-way SIMD multipliers: enhance interleaved Montgomery multiplication performance Future work  Investigate SIMD Karatsuba + SIMD (?) Montgomery reduction  Investigate SIMD Montgomery squaring

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software Vector Chaining M. Anton Ertl TU Wien Data Parallelism and SIMD instructions Data

Software Vector Chaining M. Anton Ertl TU Wien Data Parallelism and SIMD instructions Data

Software Vector Chaining M. Anton Ertl TU Wien Data Parallelism and SIMD instructions Data parallelism in programming problems Hardware provides SIMD instructions Cray-1 vector instructions, Intel/AMD SSE/AVX, ARM Neon/SVE vmulpd %ymm2,

377 views β€’ 10 slides
Optimizing multiplications with vector instructions Chitchanok Chuengsatiansup INRIA and ENS de

Optimizing multiplications with vector instructions Chitchanok Chuengsatiansup INRIA and ENS de

Optimizing multiplications with vector instructions Chitchanok Chuengsatiansup INRIA and ENS de Lyon 4 June 2018 Chitchanok Chuengsatiansup Optimizing multiplications with vector instructions 1 Introduction Current position: Postdoc (INRIA

1.32k views β€’ 82 slides
NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

Alternative Model:Vector Processing EECS 252 Graduate Computer Vector processors have high-level operations that work on linear arrays of numbers: &quot;vectors&quot; Architecture SCALAR VECTOR (1 operation) (N operations) Lec 10

327 views β€’ 10 slides
Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector , written 0 D or just 0 v + 0 = v Vector addition: Vector addition is associative and commutative I Associativity ( x + y ) + z = x + ( y + z ) I

476 views β€’ 36 slides
Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break Session B: Vector Flag Processing &amp; Vector Register Files Lunch Session C: Virtual Processor Caches Break Session D: Vector IRAM Vector

498 views β€’ 22 slides
Outline 2.1 Assembly language program structure 2.2 Data transfer instructions 2.3 Arithmetic

Outline 2.1 Assembly language program structure 2.2 Data transfer instructions 2.3 Arithmetic

Outline 2.1 Assembly language program structure 2.2 Data transfer instructions 2.3 Arithmetic instructions 2.4 Branch and loop instructions 2.5 Shift and rotate instructions 2.6 Boolean logic instructions 2.7 Bit test and manipulate

337 views β€’ 23 slides
B = Y Z Z Z where y z 1 1 y z

B = Y Z Z Z where y z 1 1 y z

ARMAX Models Vector (multivariate) regression: output vector y t, 1 y t, 2 y t = . . . y t,k input vector z t, 1 z t, 2 z t = . . .

419 views β€’ 12 slides
CSE 143 Class Vector: Interface class Vector { public: Dynamic Memory In Classes Vector ( );

CSE 143 Class Vector: Interface class Vector { public: Dynamic Memory In Classes Vector ( );

CSE 143 Class Vector: Interface class Vector { public: Dynamic Memory In Classes Vector ( ); bool isEmpty( ); [Chapter 4, p 156-157] int length ( ); void vectorInsert (int newPosition, Item newItem); Item vectorDelete (int position);

293 views β€’ 7 slides
Vector fields we describe these as vector valued functions that (1) depend on n variables and

Vector fields we describe these as vector valued functions that (1) depend on n variables and

Vector fields we describe these as vector valued functions that (1) depend on n variables and (2) have n components. 1 At each point (x,y) there is a vector. Nearbottom currents in Long Island Sound 2 Hurricanetype wind pattern in 3D

484 views β€’ 31 slides
Vector Functions A vector function is simply a function whose codomain is R n . In other words,

Vector Functions A vector function is simply a function whose codomain is R n . In other words,

Vector Functions A vector function is simply a function whose codomain is R n . In other words, rather than taking on real values, it takeson vector values. We will often use the notation x = x ( t ) to denote a vector function. Note: The text

522 views β€’ 4 slides
I can represent the multiplication visually by drawing the vector. National 5 Slides WB 29th Jan

I can represent the multiplication visually by drawing the vector. National 5 Slides WB 29th Jan

National 5 Slides WB 29th Jan Vectors Continued Starter 1) Find the magnitude of the vector b . 3 b = 7 -2 2) If a = find the value of a + b . 8 Multiplying a Vector Today we are learning... How to multiply a vector by a scalar. I will

508 views β€’ 9 slides
vector class homogeneous aggregate with random access templated class: Vector&lt;int&gt;

vector class homogeneous aggregate with random access templated class: Vector&lt;int&gt;

vector class homogeneous aggregate with random access templated class: Vector&lt;int&gt; iv; Vector&lt;string&gt; sv; accessible using #include vector.h construct by specifying # elements (initial value) access with indexes

394 views β€’ 10 slides
STL and Example Review &lt;vector&gt; Declaration: std::vector&lt;T&gt;vec = {initializer

STL and Example Review &lt;vector&gt; Declaration: std::vector&lt;T&gt;vec = {initializer

STL and Example Review &lt;vector&gt; Declaration: std::vector&lt;T&gt;vec = {initializer list} Access and modify: vec[index] = value Assignment of whole array: new_vec = vec Find size: vec.size() Extend: vec.push_back(val) How

384 views β€’ 10 slides
Uzbekistan General Exhibition Shipping Instructions 2019 Shipping Instructions for

Uzbekistan General Exhibition Shipping Instructions 2019 Shipping Instructions for

Uzbekistan General Exhibition Shipping Instructions 2019 Shipping Instructions for Consignments Sent Direct To Tashkent As the official logistics, site handling and customs clearance agent, appointed by the organizer ITECA Exhibitions / ITE

422 views β€’ 8 slides
Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations Dimensions length and size functions length - returns the number of elements in a vector size - returns the number of rows and columns in a vector or

588 views β€’ 22 slides
Basic Assembly Instructions SE 2XA3 Term I, 2020/21 Outline Basic instructions Addition,

Basic Assembly Instructions SE 2XA3 Term I, 2020/21 Outline Basic instructions Addition,

Basic Assembly Instructions SE 2XA3 Term I, 2020/21 Outline Basic instructions Addition, Subtraction, Move Multiplication Division FLAGS register Jump Instructions Conditional constructs Loop constructs using RCX General loops Basic

454 views β€’ 26 slides
I-vector representation based on GMM and DNN for audio classification Najim Dehak Center for

I-vector representation based on GMM and DNN for audio classification Najim Dehak Center for

I-vector representation based on GMM and DNN for audio classification Najim Dehak Center for Language and Speech Processing Electrical Computer Engineering Department Johns Hopkins University Thanks to Patrick Cardinal, Lukas Burget, Fred

885 views β€’ 77 slides
Attention Graham Neubig Site https://phontron.com/class/nn4nlp2017/ Encoder-decoder Models

Attention Graham Neubig Site https://phontron.com/class/nn4nlp2017/ Encoder-decoder Models

CS11-747 Neural Networks for NLP Attention Graham Neubig Site https://phontron.com/class/nn4nlp2017/ Encoder-decoder Models (Sutskever et al. 2014) Encoder kono eiga ga kirai &lt;/s&gt; LSTM LSTM LSTM LSTM LSTM I hate this movie

823 views β€’ 35 slides
Fisher Vector image representation Machine Learning and Category Representation 2014-2015 Jakob

Fisher Vector image representation Machine Learning and Category Representation 2014-2015 Jakob

Fisher Vector image representation Machine Learning and Category Representation 2014-2015 Jakob Verbeek, January 9, 2015 Course website: http://lear.inrialpes.fr/~verbeek/MLCR.14.15 A brief recap on kernel methods A way to achieve non-linear

891 views β€’ 34 slides
i-vector space for speaker recognition Timur Pekhovsky Sergey Novoselov Aleksey Sholokhov Oleg

i-vector space for speaker recognition Timur Pekhovsky Sergey Novoselov Aleksey Sholokhov Oleg

This work was financially supported by the Ministry of Education and Science of the Russian Federation (14.578.21.0126 (RFMEFI57815X0126) On autoencoders in the i-vector space for speaker recognition Timur Pekhovsky Sergey Novoselov

524 views β€’ 27 slides
CS 103 Unit 12 Slides Standard Template Library Vectors &amp; Deques Mark Redekopp 2 Templates

CS 103 Unit 12 Slides Standard Template Library Vectors &amp; Deques Mark Redekopp 2 Templates

1 CS 103 Unit 12 Slides Standard Template Library Vectors &amp; Deques Mark Redekopp 2 Templates struct IntItem { Weve built a list to store int val; IntItem *next; integers }; But what if we want a list of class ListInt{

499 views β€’ 11 slides
15-388/688 - Practical Data Science: Matrices, vectors, and linear algebra J. Zico Kolter

15-388/688 - Practical Data Science: Matrices, vectors, and linear algebra J. Zico Kolter

15-388/688 - Practical Data Science: Matrices, vectors, and linear algebra J. Zico Kolter Carnegie Mellon University Fall 2019 1 Outline Matrices and vectors Basics of linear algebra Libraries for matrices and vectors Sparse matrices 2

356 views β€’ 31 slides
Class 7: Vector and scalar, components Vector operations in components Multiplying a vector with a

Class 7: Vector and scalar, components Vector operations in components Multiplying a vector with a

Class 7: Vector and scalar, components Vector operations in components Multiplying a vector with a scalar: y x component y component A+ B A A x A y mA mA x mA y Addition of vectors: x component y component A A x A y B B x B y

278 views β€’ 8 slides
Chapter 3: Logical Time Ajay Kshemkalyani and Mukesh Singhal Distributed Computing: Principles,

Chapter 3: Logical Time Ajay Kshemkalyani and Mukesh Singhal Distributed Computing: Principles,

Chapter 3: Logical Time Ajay Kshemkalyani and Mukesh Singhal Distributed Computing: Principles, Algorithms, and Systems Cambridge University Press A. Kshemkalyani and M. Singhal (Distributed Computing) Logical Time CUP 2008 1 / 67

906 views β€’ 67 slides

More recommend