Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Formal verification: resurrect fiat-crypto with formally verified assembly #430

Merged
merged 1 commit into from
Jul 15, 2024
Merged

Formal verification: resurrect fiat-crypto with formally verified assembly #430

merged 1 commit into from
Jul 15, 2024

Conversation

mratsim
Copy link
Owner

@mratsim mratsim commented Jul 15, 2024
edited
Loading

This PR resurrects the old formally verified fiat-crypto backend from fafebac

This is to explore formally verified and correct-by-construction EVM / Ethereum with the push from the Ethereum Foundation.

Note: assembly files must be named .S instead of .asm or the Nim compiler (or gcc) doesn't want to compile them properly.

Performance

Unfortunately autogenerated assembly from CryptOpt is still significantly lagging behind Constantine's

AMD Ryzen 7840U (laptop 15W to 30W CPU)

Warmup: 0.7911 s, result 224 (displayed to avoid compiler optimizing warmup away)


⚠️ Measurements are approximate and use the CPU nominal clock: Turbo-Boost and overclocking will skew them.
==========================================================================================================

Addition        FiatCrypto[BLS12_381]         5 ns        18 cycles
Substraction    FiatCrypto[BLS12_381]         5 ns        18 cycles
Negation        FiatCrypto[BLS12_381]         4 ns        15 cycles
Multiplication  fiat_bls12_381_fp_mul        49 ns       161 cycles
Multiplication  cryptopt_bls12_381_fp_mul_18980        32 ns       108 cycles
Multiplication  cryptopt_bls12_381_fp_mul_18433        34 ns       113 cycles
Squaring        FiatCrypto[BLS12_381]        45 ns       148 cycles

Addition                                                               Fp[BLS12_381]        500000000.000 ops/s             2 ns/op             7 CPU cycles (approx)
Substraction                                                           Fp[BLS12_381]        500000000.000 ops/s             2 ns/op             7 CPU cycles (approx)
Negation                                                               Fp[BLS12_381]       1000000000.000 ops/s             1 ns/op             6 CPU cycles (approx)
Conditional Copy                                                       Fp[BLS12_381]       1000000000.000 ops/s             1 ns/op             4 CPU cycles (approx)
Division by 2                                                          Fp[BLS12_381]        200000000.000 ops/s             5 ns/op            18 CPU cycles (approx)
Multiplication                                                         Fp[BLS12_381]         43478260.870 ops/s            23 ns/op            78 CPU cycles (approx)
Squaring                                                               Fp[BLS12_381]         41666666.667 ops/s            24 ns/op            79 CPU cycles (approx)
--------
Multiplication 2x unreduced                                            Fp[BLS12_381]         83333333.333 ops/s            12 ns/op            41 CPU cycles (approx)
Squaring 2x unreduced                                                  Fp[BLS12_381]        125000000.000 ops/s             8 ns/op            29 CPU cycles (approx)
Redc 2x                                                                Fp[BLS12_381]         71428571.429 ops/s            14 ns/op            47 CPU cycles (approx)
--------
Linear combination                                                     Fp[BLS12_381]         26315789.474 ops/s            38 ns/op           127 CPU cycles (approx)
--------
BigInt <- field conversion                                             Fp[BLS12_381]         71428571.429 ops/s            14 ns/op            48 CPU cycles (approx)
BigInt -> field conversion                                             Fp[BLS12_381]         24390243.902 ops/s            41 ns/op           135 CPU cycles (approx)
--------
Inversion (constant-time)                                              Fp[BLS12_381]           498256.104 ops/s          2007 ns/op          6609 CPU cycles (approx)
Inversion (variable-time)                                              Fp[BLS12_381]           751879.699 ops/s          1330 ns/op          4380 CPU cycles (approx)
isSquare (constant-time)                                               Fp[BLS12_381]           569800.570 ops/s          1755 ns/op          5779 CPU cycles (approx)
Square Root (constant-time p ≡ 3 (mod 4) with addition chain)          Fp[BLS12_381]            92876.382 ops/s         10767 ns/op         35464 CPU cycles (approx)
Fused SquareRoot+Division+isSquare sqrt(u/v)                           Fp[BLS12_381]            91340.884 ops/s         10948 ns/op         36059 CPU cycles (approx)
Exp curve order (constant-time) - 255-bit                              Fp[BLS12_381]            88589.653 ops/s         11288 ns/op         37178 CPU cycles (approx)
Exp by curve order (vartime) - 255-bit                                 Fp[BLS12_381]           112145.340 ops/s          8917 ns/op         29370 CPU cycles (approx)

23ns in Constantine vs 32ns for CryptOpt for Fp mul :/.

@mratsim mratsim merged commit cc0be17 into master Jul 15, 2024
24 checks passed
@mratsim mratsim deleted the formal-verif branch July 15, 2024 19:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
correctness 🛂 performance 🏁
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mratsim