constantine/benchmarks/bench_fields_template.nim

# Constantine
# Copyright (c) 2018-2019    Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
#   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
#   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.

# ############################################################
#
#             Benchmark of finite fields
#
# ############################################################

import
  # Internals
  ../constantine/config/[curves, common],
  ../constantine/arithmetic,
  ../constantine/towers,
  # Helpers
  ../helpers/[prng_unsafe, static_for],
  ./platforms,
  # Standard library
  std/[monotimes, times, strformat, strutils, macros]

var rng: RngState
let seed = uint32(getTime().toUnix() and (1'i64 shl 32 - 1)) # unixTime mod 2^32
rng.seed(seed)
echo "bench xoshiro512** seed: ", seed

# warmup
proc warmup*() =
  # Warmup - make sure cpu is on max perf
  let start = cpuTime()
  var foo = 123
  for i in 0 ..< 300_000_000:
    foo += i*i mod 456
    foo = foo mod 789

  # Compiler shouldn't optimize away the results as cpuTime rely on sideeffects
  let stop = cpuTime()
  echo &"Warmup: {stop - start:>4.4f} s, result {foo} (displayed to avoid compiler optimizing warmup away)\n"

warmup()

when defined(gcc):
  echo "\nCompiled with GCC"
elif defined(clang):
  echo "\nCompiled with Clang"
elif defined(vcc):
  echo "\nCompiled with MSVC"
elif defined(icc):
  echo "\nCompiled with ICC"
else:
  echo "\nCompiled with an unknown compiler"

echo "Optimization level => "
echo "  no optimization: ", not defined(release)
echo "  release: ", defined(release)
echo "  danger: ", defined(danger)
echo "  inline assembly: ", UseX86ASM

when (sizeof(int) == 4) or defined(Constantine32):
  echo "⚠️ Warning: using Constantine with 32-bit limbs"
else:
  echo "Using Constantine with 64-bit limbs"

when SupportsCPUName:
  echo "Running on ", cpuName(), ""

when SupportsGetTicks:
  echo "\n⚠️ Cycles measurements are approximate and use the CPU nominal clock: Turbo-Boost and overclocking will skew them."
  echo "i.e. a 20% overclock will be about 20% off (assuming no dynamic frequency scaling)"

echo "\n=================================================================================================================\n"

proc separator*() =
  echo "-".repeat(145)

proc report(op, field: string, start, stop: MonoTime, startClk, stopClk: int64, iters: int) =
  let ns = inNanoseconds((stop-start) div iters)
  let throughput = 1e9 / float64(ns)
  when SupportsGetTicks:
    echo &"{op:<50} {field:<18} {throughput:>15.3f} ops/s     {ns:>9} ns/op     {(stopClk - startClk) div iters:>9} CPU cycles (approx)"
  else:
    echo &"{op:<50} {field:<18} {throughput:>15.3f} ops/s     {ns:>9} ns/op"

proc notes*() =
  echo "Notes:"
  echo "  - Compilers:"
  echo "    Compilers are severely limited on multiprecision arithmetic."
  echo "    Inline Assembly is used by default (nimble bench_fp)."
  echo "    Bench without assembly can use \"nimble bench_fp_gcc\" or \"nimble bench_fp_clang\"."
  echo "    GCC is significantly slower than Clang on multiprecision arithmetic due to catastrophic handling of carries."
  echo "  - The simplest operations might be optimized away by the compiler."
  echo "  - Fast Squaring and Fast Multiplication are possible if there are spare bits in the prime representation (i.e. the prime uses 254 bits out of 256 bits)"

macro fixFieldDisplay(T: typedesc): untyped =
  # At compile-time, enums are integers and their display is buggy
  # we get the Curve ID instead of the curve name.
  let instantiated = T.getTypeInst()
  var name = $instantiated[1][0] # Fp
  name.add "[" & $Curve(instantiated[1][1].intVal) & "]"
  result = newLit name

template bench(op: string, T: typedesc, iters: int, body: untyped): untyped =
  let start = getMonotime()
  when SupportsGetTicks:
    let startClk = getTicks()
  for _ in 0 ..< iters:
    body
  when SupportsGetTicks:
    let stopClk = getTicks()
  let stop = getMonotime()

  when not SupportsGetTicks:
    let startClk = -1'i64
    let stopClk = -1'i64

  report(op, fixFieldDisplay(T), start, stop, startClk, stopClk, iters)

proc addBench*(T: typedesc, iters: int) =
  var x = rng.random_unsafe(T)
  let y = rng.random_unsafe(T)
  bench("Addition", T, iters):
    x += y

proc subBench*(T: typedesc, iters: int) =
  var x = rng.random_unsafe(T)
  let y = rng.random_unsafe(T)
  preventOptimAway(x)
  bench("Substraction", T, iters):
    x -= y

proc negBench*(T: typedesc, iters: int) =
  var r: T
  let x = rng.random_unsafe(T)
  bench("Negation", T, iters):
    r.neg(x)

proc mulBench*(T: typedesc, iters: int) =
  var r: T
  let x = rng.random_unsafe(T)
  let y = rng.random_unsafe(T)
  preventOptimAway(r)
  bench("Multiplication", T, iters):
    r.prod(x, y)

proc sqrBench*(T: typedesc, iters: int) =
  var r: T
  let x = rng.random_unsafe(T)
  preventOptimAway(r)
  bench("Squaring", T, iters):
    r.square(x)

proc invBench*(T: typedesc, iters: int) =
  var r: T
  let x = rng.random_unsafe(T)
  preventOptimAway(r)
  bench("Inversion (constant-time Euclid)", T, iters):
    r.inv(x)

proc powFermatInversionBench*(T: typedesc, iters: int) =
  let x = rng.random_unsafe(T)
  bench("Inversion via exponentiation p-2 (Little Fermat)", T, iters):
    var r = x
    r.powUnsafeExponent(T.C.getInvModExponent())

proc sqrtBench*(T: typedesc, iters: int) =
  let x = rng.random_unsafe(T)
  bench("Square Root + square check (constant-time)", T, iters):
    var r = x
    discard r.sqrt_if_square()

proc powBench*(T: typedesc, iters: int) =
  let x = rng.random_unsafe(T)
  let exponent = rng.random_unsafe(BigInt[T.C.getCurveOrderBitwidth()])
  bench("Exp curve order (constant-time) - " & $exponent.bits & "-bit", T, iters):
    var r = x
    r.pow(exponent)

proc powUnsafeBench*(T: typedesc, iters: int) =
  let x = rng.random_unsafe(T)
  let exponent = rng.random_unsafe(BigInt[T.C.getCurveOrderBitwidth()])
  bench("Exp curve order (Leak exponent bits) - " & $exponent.bits & "-bit", T, iters):
    var r = x
    r.powUnsafeExponent(exponent)
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`# Constantine`
			`# Copyright (c) 2018-2019 Status Research & Development GmbH`
			`# Copyright (c) 2020-Present Mamy André-Ratsimbazafy`
			`# Licensed and distributed under either of`
			`# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).`
			`# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).`
			`# at your option. This file may not be copied, modified, or distributed except according to those terms.`

			`# ############################################################`
			`#`
			`# Benchmark of finite fields`
			`#`
			`# ############################################################`

			`import`
			`# Internals`
Assembly backend (#69) * Proof-of-Concept Assembly code generator * Tag inline per procedure so we can easily track the tradeoff on tower fields * Implement Assembly for modular addition (but very curious off-by-one) * Fix off-by one for moduli with non msb set * Stash (super fast) alternative but still off by carry * Fix GCC optimizing ASM away * Save 1 register to allow compiling for BLS12-381 (in the GMP test) * The compiler cannot find enough registers if the ASM file is not compiled with -O3 * Add modsub * Add field negation * Implement no-carry Assembly optimized field multiplication * Expose UseX86ASM to the EC benchmark * omit frame pointer to save registers instead of hardcoding -O3. Also ensure early clobber constraints for Clang * Prepare for assembly fallback * Implement fallback for CPU that don't support ADX and BMI2 * Add CPU runtime detection * Update README closes #66 * Remove commented out code 2020-07-24 20:02:30 +00:00			`../constantine/config/[curves, common],`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`../constantine/arithmetic,`
Refactor: Higher-Kinded Tower of Extension Fields (#25) * Mention that the inverse of 0 is 0 (TODO tests) * Introduce "Higher-Kinded tower extensions" * rename isCOmplexExtension -> fromComplexExtension * update benchmarks with the new tower scheme * Try to recover some speed on mul/squaring for an optimal tower (but this was not it) 2020-04-14 00:05:42 +00:00			`../constantine/towers,`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`# Helpers`
benchmarking skips cycle counting for ARM 2020-04-15 19:24:18 +00:00			`../helpers/[prng_unsafe, static_for],`
			`./platforms,`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`# Standard library`
			`std/[monotimes, times, strformat, strutils, macros]`

			`var rng: RngState`
			`let seed = uint32(getTime().toUnix() and (1'i64 shl 32 - 1)) # unixTime mod 2^32`
			`rng.seed(seed)`
Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`echo "bench xoshiro512** seed: ", seed`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00
			`# warmup`
			`proc warmup*() =`
			`# Warmup - make sure cpu is on max perf`
			`let start = cpuTime()`
			`var foo = 123`
			`for i in 0 ..< 300_000_000:`
			`foo += i*i mod 456`
			`foo = foo mod 789`

			`# Compiler shouldn't optimize away the results as cpuTime rely on sideeffects`
			`let stop = cpuTime()`
			`echo &"Warmup: {stop - start:>4.4f} s, result {foo} (displayed to avoid compiler optimizing warmup away)\n"`

			`warmup()`

			`when defined(gcc):`
			`echo "\nCompiled with GCC"`
			`elif defined(clang):`
			`echo "\nCompiled with Clang"`
			`elif defined(vcc):`
			`echo "\nCompiled with MSVC"`
			`elif defined(icc):`
			`echo "\nCompiled with ICC"`
			`else:`
			`echo "\nCompiled with an unknown compiler"`

Assembly backend (#69) * Proof-of-Concept Assembly code generator * Tag inline per procedure so we can easily track the tradeoff on tower fields * Implement Assembly for modular addition (but very curious off-by-one) * Fix off-by one for moduli with non msb set * Stash (super fast) alternative but still off by carry * Fix GCC optimizing ASM away * Save 1 register to allow compiling for BLS12-381 (in the GMP test) * The compiler cannot find enough registers if the ASM file is not compiled with -O3 * Add modsub * Add field negation * Implement no-carry Assembly optimized field multiplication * Expose UseX86ASM to the EC benchmark * omit frame pointer to save registers instead of hardcoding -O3. Also ensure early clobber constraints for Clang * Prepare for assembly fallback * Implement fallback for CPU that don't support ADX and BMI2 * Add CPU runtime detection * Update README closes #66 * Remove commented out code 2020-07-24 20:02:30 +00:00			`echo "Optimization level => "`
			`echo " no optimization: ", not defined(release)`
			`echo " release: ", defined(release)`
			`echo " danger: ", defined(danger)`
			`echo " inline assembly: ", UseX86ASM`
benchmarking skips cycle counting for ARM 2020-04-15 19:24:18 +00:00
			`when (sizeof(int) == 4) or defined(Constantine32):`
			`echo "⚠️ Warning: using Constantine with 32-bit limbs"`
			`else:`
			`echo "Using Constantine with 64-bit limbs"`

			`when SupportsCPUName:`
			`echo "Running on ", cpuName(), ""`

			`when SupportsGetTicks:`
			`echo "\n⚠️ Cycles measurements are approximate and use the CPU nominal clock: Turbo-Boost and overclocking will skew them."`
			`echo "i.e. a 20% overclock will be about 20% off (assuming no dynamic frequency scaling)"`

			`echo "\n=================================================================================================================\n"`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00
Add EC bench on G1 + Add throughput to benches 2020-04-15 17:38:02 +00:00			`proc separator*() =`
Implement fused sqrt invsqrt on Fp: Accelerate sqrt on Fp2 by 20% (hashToG2 and property-based testing bottleneck, 4 times slower than inversion and 87 times slower than Fp2 multiplication) 2020-06-17 20:44:52 +00:00			`echo "-".repeat(145)`
Add EC bench on G1 + Add throughput to benches 2020-04-15 17:38:02 +00:00
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`proc report(op, field: string, start, stop: MonoTime, startClk, stopClk: int64, iters: int) =`
Add EC bench on G1 + Add throughput to benches 2020-04-15 17:38:02 +00:00			`let ns = inNanoseconds((stop-start) div iters)`
			`let throughput = 1e9 / float64(ns)`
Fix benchmark on ARM (#31) 2020-06-04 20:09:30 +00:00			`when SupportsGetTicks:`
Implement fused sqrt invsqrt on Fp: Accelerate sqrt on Fp2 by 20% (hashToG2 and property-based testing bottleneck, 4 times slower than inversion and 87 times slower than Fp2 multiplication) 2020-06-17 20:44:52 +00:00			`echo &"{op:<50} {field:<18} {throughput:>15.3f} ops/s {ns:>9} ns/op {(stopClk - startClk) div iters:>9} CPU cycles (approx)"`
Fix benchmark on ARM (#31) 2020-06-04 20:09:30 +00:00			`else:`
Implement fused sqrt invsqrt on Fp: Accelerate sqrt on Fp2 by 20% (hashToG2 and property-based testing bottleneck, 4 times slower than inversion and 87 times slower than Fp2 multiplication) 2020-06-17 20:44:52 +00:00			`echo &"{op:<50} {field:<18} {throughput:>15.3f} ops/s {ns:>9} ns/op"`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00
Assembly backend (#69) * Proof-of-Concept Assembly code generator * Tag inline per procedure so we can easily track the tradeoff on tower fields * Implement Assembly for modular addition (but very curious off-by-one) * Fix off-by one for moduli with non msb set * Stash (super fast) alternative but still off by carry * Fix GCC optimizing ASM away * Save 1 register to allow compiling for BLS12-381 (in the GMP test) * The compiler cannot find enough registers if the ASM file is not compiled with -O3 * Add modsub * Add field negation * Implement no-carry Assembly optimized field multiplication * Expose UseX86ASM to the EC benchmark * omit frame pointer to save registers instead of hardcoding -O3. Also ensure early clobber constraints for Clang * Prepare for assembly fallback * Implement fallback for CPU that don't support ADX and BMI2 * Add CPU runtime detection * Update README closes #66 * Remove commented out code 2020-07-24 20:02:30 +00:00			`proc notes*() =`
			`echo "Notes:"`
			`echo " - Compilers:"`
			`echo " Compilers are severely limited on multiprecision arithmetic."`
			`echo " Inline Assembly is used by default (nimble bench_fp)."`
			`echo " Bench without assembly can use \"nimble bench_fp_gcc\" or \"nimble bench_fp_clang\"."`
			`echo " GCC is significantly slower than Clang on multiprecision arithmetic due to catastrophic handling of carries."`
			`echo " - The simplest operations might be optimized away by the compiler."`
			`echo " - Fast Squaring and Fast Multiplication are possible if there are spare bits in the prime representation (i.e. the prime uses 254 bits out of 256 bits)"`

30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`macro fixFieldDisplay(T: typedesc): untyped =`
			`# At compile-time, enums are integers and their display is buggy`
			`# we get the Curve ID instead of the curve name.`
			`let instantiated = T.getTypeInst()`
			`var name = $instantiated[1][0] # Fp`
			`name.add "[" & $Curve(instantiated[1][1].intVal) & "]"`
			`result = newLit name`

			`template bench(op: string, T: typedesc, iters: int, body: untyped): untyped =`
			`let start = getMonotime()`
Fix benchmark on ARM (#31) 2020-06-04 20:09:30 +00:00			`when SupportsGetTicks:`
			`let startClk = getTicks()`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`for _ in 0 ..< iters:`
			`body`
Fix benchmark on ARM (#31) 2020-06-04 20:09:30 +00:00			`when SupportsGetTicks:`
			`let stopClk = getTicks()`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`let stop = getMonotime()`

Fix benchmark on ARM (#31) 2020-06-04 20:09:30 +00:00			`when not SupportsGetTicks:`
			`let startClk = -1'i64`
			`let stopClk = -1'i64`

30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`report(op, fixFieldDisplay(T), start, stop, startClk, stopClk, iters)`

Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`proc addBench*(T: typedesc, iters: int) =`
Implement constant-time `div2` on finite and extension fields 2020-04-15 00:12:45 +00:00			`var x = rng.random_unsafe(T)`
			`let y = rng.random_unsafe(T)`
Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`bench("Addition", T, iters):`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`x += y`

Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`proc subBench*(T: typedesc, iters: int) =`
Implement constant-time `div2` on finite and extension fields 2020-04-15 00:12:45 +00:00			`var x = rng.random_unsafe(T)`
			`let y = rng.random_unsafe(T)`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`preventOptimAway(x)`
Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`bench("Substraction", T, iters):`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`x -= y`

Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`proc negBench*(T: typedesc, iters: int) =`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`var r: T`
Implement constant-time `div2` on finite and extension fields 2020-04-15 00:12:45 +00:00			`let x = rng.random_unsafe(T)`
Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`bench("Negation", T, iters):`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`r.neg(x)`

Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`proc mulBench*(T: typedesc, iters: int) =`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`var r: T`
Implement constant-time `div2` on finite and extension fields 2020-04-15 00:12:45 +00:00			`let x = rng.random_unsafe(T)`
			`let y = rng.random_unsafe(T)`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`preventOptimAway(r)`
Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`bench("Multiplication", T, iters):`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`r.prod(x, y)`

Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`proc sqrBench*(T: typedesc, iters: int) =`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`var r: T`
Implement constant-time `div2` on finite and extension fields 2020-04-15 00:12:45 +00:00			`let x = rng.random_unsafe(T)`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`preventOptimAway(r)`
Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`bench("Squaring", T, iters):`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`r.square(x)`

Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 01:31:31 +00:00			`proc invBench*(T: typedesc, iters: int) =`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`var r: T`
Implement constant-time `div2` on finite and extension fields 2020-04-15 00:12:45 +00:00			`let x = rng.random_unsafe(T)`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`preventOptimAway(r)`
Implement fused sqrt invsqrt on Fp: Accelerate sqrt on Fp2 by 20% (hashToG2 and property-based testing bottleneck, 4 times slower than inversion and 87 times slower than Fp2 multiplication) 2020-06-17 20:44:52 +00:00			`bench("Inversion (constant-time Euclid)", T, iters):`
30% faster constant-time inversion 2020-03-20 22:03:52 +00:00			`r.inv(x)`
Implement fused sqrt invsqrt on Fp: Accelerate sqrt on Fp2 by 20% (hashToG2 and property-based testing bottleneck, 4 times slower than inversion and 87 times slower than Fp2 multiplication) 2020-06-17 20:44:52 +00:00
			`proc powFermatInversionBench*(T: typedesc, iters: int) =`
			`let x = rng.random_unsafe(T)`
			`bench("Inversion via exponentiation p-2 (Little Fermat)", T, iters):`
			`var r = x`
			`r.powUnsafeExponent(T.C.getInvModExponent())`

			`proc sqrtBench*(T: typedesc, iters: int) =`
			`let x = rng.random_unsafe(T)`
			`bench("Square Root + square check (constant-time)", T, iters):`
			`var r = x`
			`discard r.sqrt_if_square()`

			`proc powBench*(T: typedesc, iters: int) =`
			`let x = rng.random_unsafe(T)`
			`let exponent = rng.random_unsafe(BigInt[T.C.getCurveOrderBitwidth()])`
			`bench("Exp curve order (constant-time) - " & $exponent.bits & "-bit", T, iters):`
			`var r = x`
			`r.pow(exponent)`

			`proc powUnsafeBench*(T: typedesc, iters: int) =`
			`let x = rng.random_unsafe(T)`
			`let exponent = rng.random_unsafe(BigInt[T.C.getCurveOrderBitwidth()])`
			`bench("Exp curve order (Leak exponent bits) - " & $exponent.bits & "-bit", T, iters):`
			`var r = x`
			`r.powUnsafeExponent(exponent)`