Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Speed up large modular multiplication in base 2^8 without multiplier

Tags:

assembly

multiplication

micro-optimization

modular-arithmetic

riscv

I am currenty converting the nacl library to risc-v. I already have poly1305 working. I am trying to do this using the risc-v core instruction set, so I don't have a multiplier. The algorithm for Pol1305 is using at the moment ceil(m/16)*17*17 8-bit multiplications where m is the message length in bytes(multiplying two 2^130 integers in base 2^8 modulo 2^130-5). So I want to use a fast multiplication algorithm to keep it fast.

At the moment I have the shift-and-add algorithm working for the multiplication. However that takes 63 cycles for 8-bit values, since I need to avoid branching (timing side-channel) and thus some masking is involved which takes a few more cycles. 

    andi  t2, t0, 1     //t0 is the multiplier
    sub   t2, zero, t2  //creating a mask
    and   t3, t1, t2    //applying the mask to the multiplicand
    add   a0, a0, t3    //doing the add
    srli  t0, t0, 1     //shifting the multiplier
    slli  t1, t1, 1     //shifting the multiplicand

This is giving me valid results at 63 cycles per multiplication. The issue is that the total execution time of the program is 175219 cycles for a message of 131 bytes. Of this time 9*17*17*63 = 163863 cycles are used for multiplication. Which I would like to improve.

like image 713
Stefan vd Berg Avatar asked Nov 01 '19 14:11

Stefan vd Berg

1 Answers

Here is a little improved code. This is based on the algorithm shown in Patterson and Hennessy's textbook.

    // initialization
    add   a0, zero, t0  //copy multiplier to the product
    slli  t1, t1, 8     //shift the multiplicand to the left half of a 16bit register

    // repeat 8 times from here
    andi  t2, a0, 1     //the right half of a0 is the multiplier
    sub   t2, zero, t2  //creating a mask
    and   t3, t1, t2    //applying the mask to the multiplicand
    add   a0, a0, t3    //doing the add to the left half of the product
    srli  a0, a0, 1     //shifting the product
    // to here

Also, you can apply the loop-unfolding method by repeating the above code 8 times instead of looping by branch/jump.

On the algorithm level, Karatsuba algorithm can reduce the number of 8bit multiplications in multi-precision arithmetic.

like image 174
Hiroto Kagotani Avatar answered Sep 30 '22 01:09

Hiroto Kagotani
Sign in to Comment

Related questions

Calling JNI_CreateJavaVM crashes the program
Is there any good assembly generation module for Python?
shellcode: pass arguments to execve in x86_64 assembly
Intel MPX, BNDSTX, BNDLDX
Is it possible to use memory barriers only on the storing side
Native android development without any java?
Seg fault...on hello world
How do I convert a signed 8-bit byte to a signed 16-bit integer in assembly?
Is placing code and read-only data it uses right next to each other a good idea?
How can the timer interrupt be 0x08 if the first 32 interrupts are reserved for exceptions?
Why does using jmp prevent the Clang assembler from figuring out an absolute expression for .fill?
Any advantage of XOR AL,AL + MOVZX EAX, AL over XOR EAX,EAX?
Is there a way to get a nice output for the flags register using lldb?
Long nop instructions in nasm
Relocation R_X86_64_PC32 against symbol when calling function from inline assembly
The probability of selected EFLAGS bits
How read coprocessor registers in ARM architecture
Optimization of fenced memory stores on x86 CPU
Linking two or more assembly files
How does MIPS I handle branching on the previous ALU instruction without stalling?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!