Re: [PATCH v2 4/4] crypto: x86/sha256-ni - simplify do_4rounds

From: Stefan Kanthak
Date: Mon Apr 15 2024 - 20:20:17 EST


"Eric Biggers" <ebiggers@xxxxxxxxxx> wrote:

> On Tue, Apr 16, 2024 at 12:04:56AM +0200, Stefan Kanthak wrote:
>> "Eric Biggers" <ebiggers@xxxxxxxxxx> wrote:
>>
>> > On Mon, Apr 15, 2024 at 10:41:07PM +0200, Stefan Kanthak wrote:
>> [...]
>> >> At last the final change: write the macro straightforward and SIMPLE,
>> >> closely matching NIST.FIPS.180-4.pdf and their order of operations.
>> >>
>> >> @@ ...
>> >> +.macro sha256 m0 :req, m1 :req, m2 :req, m3 :req
>> >> +.if \@ < 4
>> >> + movdqu \@*16(DATA_PTR), \m0
>> >> + pshufb SHUF_MASK, \m0 # \m0 = {w(\@*16), w(\@*16+1), w(\@*16+2), w(\@*16+3)}
>> >> +.else
>> >> + # \m0 = {w(\@*16-16), w(\@*16-15), w(\@*16-14), w(\@*16-13)}
>> >> + # \m1 = {w(\@*16-12), w(\@*16-11), w(\@*16-10), w(\@*16-9)}
>> >> + # \m2 = {w(\@*16-8), w(\@*16-7), w(\@*16-6), w(\@*16-5)}
>> >> + # \m3 = {w(\@*16-4), w(\@*16-3), w(\@*16-2), w(\@*16-1)}
>> >> + sha256msg1 \m1, \m0
>> >> + movdqa \m3, TMP
>> >> + palignr $4, \m2, TMP
>> >> + paddd TMP, \m0
>> >> + sha256msg2 \m3, \m0 # \m0 = {w(\@*16), w(\@*16+1), w(\@*16+2), w(\@*16+3)}
>> >> +.endif
>> >> + movdqa (\@-8)*16(SHA256CONSTANTS), MSG
>> >> + paddd \m0, MSG
>> >> + sha256rnds2 STATE0, STATE1 # STATE1 = {f', e', b', a'}
>> >> + punpckhqdq MSG, MSG
>> >> + sha256rnds2 STATE1, STATE0 # STATE0 = {f", e", b", a"},
>> >> + # STATE1 = {h", g", d", c"}
>> >> +.endm
>> >>
>> >> JFTR: you may simplify this further using .altmacro and generate \m0 to \m3
>> >> as MSG%(4-\@&3), MSG%(5-\@&3), MSG%(6-\@&3) and MSG%(7-\@&3) within
>> >> the macro, thus getting rid of its 4 arguments.
>> >>
>> >> @@ ...
>> >> +.rept 4 # 4*4*4 rounds
>> >> + sha256 MSG0, MSG1, MSG2, MSG3
>> >> + sha256 MSG1, MSG2, MSG3, MSG0
>> >> + sha256 MSG2, MSG3, MSG0, MSG1
>> >> + sha256 MSG3, MSG0, MSG1, MSG2
>> >> +.endr
>> >
>> > Could you please send a real patch, following
>> > Documentation/process/submitting-patches.rst? It's hard to understand what
>> > you're proposing here.
>>
>> 1) I replace your macro (which unfortunately follows Tim Chens twisted code)
>> COMPLETELY with a clean and simple implementation: message schedule first,
>> update of state variables last.
>> You don't need ".if \i >= 12 && \i < 60"/".if \i >= 4 && \i < 52" at all!
>
> It's probably intentional that the code does the message schedule computations a
> bit ahead of time. This might improve performance by reducing the time spent
> waiting for the message schedule.

While this is a valid point, Intel states in
<https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sha-extensions.html>
only for SHA-1:

| In other words, the rounds processing is the critical path and the latency of
| sha1rnds4 determines the performance of SHA-1 calculations.

For SHA-256 no such explicit statement is given: did the authors consider it not
worthwhile?

JFTR: while Tim Chen's code (following the paper) executes 3 instructions and 1
sha256msg2 between every 2 sha256rnds2, my macro executes them back to back,
so my code would be slower if their latency determines performance.

> It would be worth trying a few different variants on different CPUs and seeing
> how they actually perform in practice, though.

Right. I noticed no difference on Zen2+ and Zen3; Intel CPUs with SHA-NI are not
available to me (I didn't bother to use __asm__ on Compiler Explorer).

Stefan