[L4R5ZI] Local benchmarks for SHA3/SHAKE input & output sizes as required by ML-KEM #62

jschneider-bensch · 2025-04-04T12:01:16Z

As a prerequisite for optimizing in SHA-3 it will be good to focus on the exact input/output sizes that matter in ML-KEM.

This PR can serve as a basis for that, and also includes a small utility for switching on the hardware RNG on the L4R5ZI.

Note that the functions under test are #[inline(never)] here at the moment, so as to get sensible cycle measurements. It shouldn't get merged as is for that reason.

Fixes #53

@karthikbhargavan

This is taken from mainline libcrux at commit 2adf9e447257ca4d57c1f40aa4f6f761070a27c0 by @karthikbhargavan.

jschneider-bensch · 2025-04-04T12:22:39Z

The version of SHA-3 in this branch as of 72450ba has the flat state due to @karthikbhargavan, but no further modifications. These are the numbers we get for that:

[END_MEASUREMENT SHA3-512 (G_INPUT_SIZE_1)] : + 19273
[END_MEASUREMENT SHA3-512 (G_INPUT_SIZE_2)] : + 19319
[END_MEASUREMENT SHA3-256 (H_INPUT_RANDOMNESS_SIZE)] : + 19957
[END_MEASUREMENT SHA3-256 (H_INPUT_CIPHERTEXT_SIZE_512)] : + 120231
[END_MEASUREMENT SHA3-256 (H_INPUT_CIPHERTEXT_SIZE_768)] : + 180137
[END_MEASUREMENT SHA3-256 (H_INPUT_CIPHERTEXT_SIZE_1024)] : + 240395
[END_MEASUREMENT SHA3-256 (H_INPUT_PUBLIC_KEY_SIZE_512)] : + 120275
[END_MEASUREMENT SHA3-256 (H_INPUT_PUBLIC_KEY_SIZE_768)] : + 180331
[END_MEASUREMENT SHA3-256 (H_INPUT_PUBLIC_KEY_SIZE_1024)] : + 240394
[END_MEASUREMENT SHAKE256 (PRF_KDF)] : + 20420
[END_MEASUREMENT SHAKE256 (PRF_IMPLICIT_REJECTION_SHARED_SECRET_512)] : + 118592
[END_MEASUREMENT SHAKE256 (PRF_IMPLICIT_REJECTION_SHARED_SECRET_768)] : + 177299
[END_MEASUREMENT SHAKE256 (PRF_IMPLICIT_REJECTION_SHARED_SECRET_1024)] : + 236233
[END_MEASUREMENT SHAKE256 (PRF_ETA2_RANDOMNESS_512)] : + 20520
[END_MEASUREMENT SHAKE256 (PRF_ETA2_RANDOMNESS_768)] : + 20520
[END_MEASUREMENT SHAKE256 (PRF_ETA2_RANDOMNESS_1024)] : + 20520
[END_MEASUREMENT SHAKE256 (PRF_ETA1_RANDOMNESS_512)] : + 39896
[END_MEASUREMENT SHAKE256 (PRF_ETA1_RANDOMNESS_768)] : + 20520
[END_MEASUREMENT SHAKE256 (PRF_ETA1_RANDOMNESS_1024)] : + 20521
[END_MEASUREMENT SHAKE128 Init] : + 241
[END_MEASUREMENT SHAKE128 Absorb final] : + 19819
[END_MEASUREMENT SHAKE128 Squeeze one block] : + 19865
[END_MEASUREMENT SHAKE128 Squeeze first three blocks] : + 39074

jschneider-bensch · 2025-04-04T13:51:42Z

I have a PR for the pqm4 bindings of the FIPS202 API here. It also runs the same benchmarks as I have here using the pqm4 bindings.

Running these we get:

[END_MEASUREMENT libcrux SHA3-512 (G_INPUT_SIZE_1)] : + 19276
[END_MEASUREMENT PQM4 SHA3-512 (G_INPUT_SIZE_1)] : + 11067
[END_MEASUREMENT PQM4 SHA3-512 (G_INPUT_SIZE_1)] : + 11282
[END_MEASUREMENT libcrux SHA3-256 (H_INPUT_RANDOMNESS_SIZE)] : + 19959
[END_MEASUREMENT PQM4 SHA3-256 (H_INPUT_RANDOMNESS_SIZE)] : + 10887
[END_MEASUREMENT libcrux SHA3-256 (H_INPUT_CIPHERTEXT_SIZE_512)] : + 120227
[END_MEASUREMENT PQM4 SHA3-256 (H_INPUT_CIPHERTEXT_SIZE_512)] : + 65539
[END_MEASUREMENT libcrux SHA3-256 (H_INPUT_CIPHERTEXT_SIZE_768)] : + 180141
[END_MEASUREMENT PQM4 SHA3-256 (H_INPUT_CIPHERTEXT_SIZE_768)] : + 97482
[END_MEASUREMENT libcrux SHA3-256 (H_INPUT_CIPHERTEXT_SIZE_1024)] : + 240397
[END_MEASUREMENT PQM4 SHA3-256 (H_INPUT_CIPHERTEXT_SIZE_1024)] : + 130562
[END_MEASUREMENT libcrux SHA3-256 (H_INPUT_PUBLIC_KEY_SIZE_512)] : + 120277
[END_MEASUREMENT PQM4 SHA3-256 (H_INPUT_PUBLIC_KEY_SIZE_512)] : + 65757
[END_MEASUREMENT libcrux SHA3-256 (H_INPUT_PUBLIC_KEY_SIZE_768)] : + 180333
[END_MEASUREMENT PQM4 SHA3-256 (H_INPUT_PUBLIC_KEY_SIZE_768)] : + 98159
[END_MEASUREMENT PQM4 SHA3-256 (H_INPUT_PUBLIC_KEY_SIZE_1024)] : + 130562
[END_MEASUREMENT libcrux SHAKE256 (PRF_KDF)] : + 20422
[END_MEASUREMENT PQM4 SHAKE256 (PRF_KDF))] : + 11120
[END_MEASUREMENT libcrux SHAKE256 (PRF_IMPLICIT_REJECTION_SHARED_SECRET_512)] : + 118592
[END_MEASUREMENT PQM4 SHAKE256 (PRF_IMPLICIT_REJECTION_SHARED_SECRET_512))] : + 65767
[END_MEASUREMENT libcrux SHAKE256 (PRF_IMPLICIT_REJECTION_SHARED_SECRET_768)] : + 177300
[END_MEASUREMENT PQM4 SHAKE256 (PRF_IMPLICIT_REJECTION_SHARED_SECRET_768))] : + 97735
[END_MEASUREMENT SHAKE256 (PRF_IMPLICIT_REJECTION_SHARED_SECRET_1024)] : + 236236
[END_MEASUREMENT libcrux SHAKE256 (PRF_ETA2_RANDOMNESS_512)] : + 20523
[END_MEASUREMENT PQM4 SHAKE256 (PRF_ETA2_RANDOMNESS_512))] : + 11518
[END_MEASUREMENT libcrux SHAKE256 (PRF_ETA2_RANDOMNESS_768)] : + 20522
[END_MEASUREMENT PQM4 SHAKE256 (PRF_ETA2_RANDOMNESS_768))] : + 11519
[END_MEASUREMENT libcrux SHAKE256 (PRF_ETA2_RANDOMNESS_1024)] : + 20524
[END_MEASUREMENT PQM4 SHAKE256 (PRF_ETA2_RANDOMNESS_1024))] : + 11517
[END_MEASUREMENT libcrux SHAKE256 (PRF_ETA1_RANDOMNESS_512)] : + 39899
[END_MEASUREMENT PQM4 SHAKE256 (PRF_ETA1_RANDOMNESS_512))] : + 21808
[END_MEASUREMENT libcrux SHAKE256 (PRF_ETA1_RANDOMNESS_768)] : + 20523
[END_MEASUREMENT PQM4 SHAKE256 (PRF_ETA1_RANDOMNESS_768))] : + 11518
[END_MEASUREMENT PQM4 SHAKE256 (PRF_ETA1_RANDOMNESS_1024))] : + 11519
[END_MEASUREMENT libcrux SHAKE128 Init] : + 241
[END_MEASUREMENT PQM4 SHAKE128 Init] : + 268
[END_MEASUREMENT libcrux SHAKE128 Absorb final] : + 19820
[END_MEASUREMENT PQM4 SHAKE128 Absorb final] : + 657
[END_MEASUREMENT libcrux SHAKE128 Squeeze one block] : + 19865
[END_MEASUREMENT PQM4 SHAKE128 Squeeze one block] : + 10962
[END_MEASUREMENT libcrux SHAKE128 Squeeze first three blocks] : + 39066
[END_MEASUREMENT PQM4 SHAKE128 Squeeze first three blocks] : + 32715

(Some lines are lost, looks like)

PQM4 SHA3/SHAKE benchmarks for ML-KEM

jschneider-bensch added 4 commits April 4, 2025 10:50

Flat state SHA3

6f5d960

This is taken from mainline libcrux at commit 2adf9e447257ca4d57c1f40aa4f6f761070a27c0 by @karthikbhargavan.

Cycle benchmarks for SHA3 as used in ML-KEM

2cb1319

Enable hardware RNG for realistic inputs

4aa59b4

Never inline functions under test

72450ba

jschneider-bensch changed the base branch from main to jonas/clock-setup April 4, 2025 12:05

jschneider-bensch added 2 commits April 4, 2025 14:25

Bindings for pqm4 FIPS202 API

3ce53cc

Run SHA3 benchmarks for PQM4

aa08cdb

Merge pull request #63 from cryspen/jonas/pqm4-fips202

caf5179

PQM4 SHA3/SHAKE benchmarks for ML-KEM

Base automatically changed from jonas/clock-setup to main April 10, 2025 09:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[L4R5ZI] Local benchmarks for SHA3/SHAKE input & output sizes as required by ML-KEM #62

[L4R5ZI] Local benchmarks for SHA3/SHAKE input & output sizes as required by ML-KEM #62

Uh oh!

jschneider-bensch commented Apr 4, 2025

Uh oh!

jschneider-bensch commented Apr 4, 2025 •

edited

Loading

Uh oh!

jschneider-bensch commented Apr 4, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

[L4R5ZI] Local benchmarks for SHA3/SHAKE input & output sizes as required by ML-KEM #62

Are you sure you want to change the base?

[L4R5ZI] Local benchmarks for SHA3/SHAKE input & output sizes as required by ML-KEM #62

Uh oh!

Conversation

jschneider-bensch commented Apr 4, 2025

Uh oh!

jschneider-bensch commented Apr 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jschneider-bensch commented Apr 4, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

jschneider-bensch commented Apr 4, 2025 •

edited

Loading