VAMPIRE

eBACS: ECRYPT Benchmarking of Cryptographic Systems

ECRYPT II

SUPERCOP

The latest release of SUPERCOP measures the performance of hash functions, secret-key stream ciphers, public-key encryption systems, public-key signature systems, and public-key secret-sharing systems. SUPERCOP integrates and improves upon

• STVL's benchmarking suite for stream ciphers submitted to eSTREAM, the ECRYPT Stream Cipher Project (which finished in April 2008);
• VAMPIRE's BATMAN (Benchmarking of Asymmetric Tools on Multiple Architectures, Non-interactively) suite for public-key systems submitted to the eBATS (ECRYPT Benchmarking of Asymmetric Systems) project; and
• additional tools developed for VAMPIRE's new eBASH (ECRYPT Benchmarking of All Submitted Hashes) project.

Specifically, SUPERCOP measures cryptographic primitives according to several criteria:

• Time to hash a very short packet of data.
• Time to hash a typical-size Internet packet.
• Time to hash a long message.
• Length of the hash output.
• Time to encrypt a very short packet of data using a secret key and a nonce.
• Time to encrypt a typical-size Internet packet.
• Time to encrypt a long message.
• Length of the secret key.
• Length of the nonce.
• Time to generate a key pair (a private key and a corresponding public key).
• Length of the private key.
• Length of the public key.
• Time to generate a shared secret from a private key and another user's public key.
• Length of the shared secret.
• Time to encrypt a message using a public key.
• Length of the encrypted message.
• Time to decrypt a message using a private key.
• Time to sign a message using a private key.
• Length of the signed message.
• Time to verify a signed message using a public key.

Contributing computer time to benchmarking

To collect measurements, simply download, unpack, and run SUPERCOP:

     wget http://hyperelliptic.org/ebats/supercop-20141124.tar.bz2
     bunzip2 < supercop-20141124.tar.bz2 | tar -xf -
     cd supercop-20141124
     nohup sh do &

Multiple computers that share filesystems can run SUPERCOP in the same directory. Each computer will create its own subdirectory of bench, labelled by the computer's name, and will perform all work inside that subdirectory.

Alternative: Incremental benchmarks

     wget http://hyperelliptic.org/ebats/supercop-20141124.tar.bz2
     bunzip2 < supercop-20141124.tar.bz2 | tar -xf -
     cd supercop-20141124
     nohup sh data-do &

The disadvantage of this method is that it consumes extra disk space (typically 20 gigabytes or more, and many inodes). The big advantage of this method is incrementality: an updated version of SUPERCOP will automatically reuse most of the work from the supercop-20141124 run, benchmarking only new code and changed code, so the new benchmark run will finish much more quickly. (However, if an OS update has changed the compiler version, everything will be automatically re-benchmarked.)

Another advantage of this method is parallelizability: on (e.g.) a 4-core machine you can run

     nohup sh data-do 4 &

Reducing randomness in benchmarks

To detect randomness, SUPERCOP runs each computation several times within the measuring program, runs the measuring program several times, and records all of the resulting measurements. Medians and quartiles are reported on the web pages, and any severe discrepancies are flagged in red. (There are a few cryptographic operations whose running time is intrinsically random; RSA key generation is the classic example. In theory SUPERCOP could perform these computations enough times to see that their time follows a stable distribution, and could then remove the red flags.)

You can take several steps to reduce randomness:

• Turn off hyperthreading. On typical Linux machines hyperthreading is indicated by dashes or commas in the files in /sys/devices/system/cpu/cpu*/topology/thread_siblings_list: for example, if cpu2 and cpu6 both say 2,6 then they are actually one physical core running two threads. If the kernel is new enough to support "CPU hotplugging" then the system administrator can type (e.g.)

       echo 0 > /sys/devices/system/cpu/cpu6/online
  

  to turn off cpu6. This effect disappears at the next boot; for a longer-lasting effect the system administrator can disable hyperthreading in the BIOS.
• Turn off overclocking (e.g., Turbo Boost) and underclocking. On typical Linux machines the system administrator can set a fixed frequency of (e.g.) 2GHz by typing

       for i in /sys/devices/system/cpu/cpu*/cpufreq
       do
         echo userspace > $i/scaling_governor
         echo 2000000 > $i/scaling_setspeed
       done
  

  You can see the available frequencies listed in /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_frequencies. When the top two frequencies are separated by just 1000, the larger is Turbo Boost; use the smaller. These effects also disappear at the next boot; for a longer-lasting effect the system administrator can disable overclocking and underclocking in the BIOS.
• Run benchmarks while the computer is idle. This is much less important for SUPERCOP than it is for most benchmarking tools: a typical cryptographic operation measured by SUPERCOP completes much more quickly than an operating-system clock tick, and medians filter out occasional interruptions. However, reliably measuring very long operations requires the computer to be idle.

Some machines have high-precision cycle counters that can only be enabled by the kernel and that are disabled by default. On these machines you can improve benchmark quality by enabling the cycle counters. Details depend on the machine:

• Sharp NetWalker PC-Z1, 800MHz Freescale i.MX515 (ARM Cortex A8), Ubuntu 9.04
• SheevaPlug, 1200MHz Marvell Kirkwood 88F6281 (ARM926EJ-S), Ubuntu 9.04
• Nokia N810, 400MHz TI OMAP 2420 (ARM1136J), Maemo Diablo

Database format

The database, in uncompressed form, consists of a series of database entries. Each database entry is a line consisting of the following space-separated words:

1. SUPERCOP version; e.g., 20100702.
2. Computer name; e.g., utrecht. There is a separate page providing more information about the computers: e.g., utrecht's CPU is a 2400MHz Intel Core 2 Quad Q6600 (6fb). Benchmarks on multiple-CPU machines use just one CPU, and benchmarks on multiple-core CPUs use just one core.
3. Application Binary Interface (ABI); e.g., amd64. On a computer that supports multiple incompatible ABIs (e.g., 32-bit x86 and 64-bit amd64), SUPERCOP automatically collects separate measurements for each ABI. Beware that the ABI names are not standardized.
4. Benchmark start date; e.g., 20100703.
5. Operation (type of primitive) measured; e.g., crypto_hash.
6. Primitive measured; e.g., sha256.
7. Additional words giving details of the measurements.

SUPERCOP automatically tries all available implementations of each primitive, and many compilers for each implementation, to select the fastest combination of implementation and compiler. Each try produces a database entry with the following words:

1. SUPERCOP version.
2. Computer name.
3. ABI.
4. Benchmark start date.
5. Operation measured.
6. Primitive measured.
7. The word try.
8. A checksum of various outputs of the implementation; e.g., 86df8bd202b2a2b5fdc04a7f50a591e43a345849c12fef08d487109648a08e05.
9. The word ok if the checksum is correct, or fails if the checksum is incorrect, or unknown if the correct checksum is not known. An implementation+compiler combination that produces an incorrect checksum is skipped.
10. The number of cycles used for a typical cryptographic operation; e.g., 35289. This is actually the median of many measurements. SUPERCOP selects the implementation+compiler combination that minimizes this number. For example, for hash functions, SUPERCOP selects the implementation+compiler combination that minimizes the time to hash 1536 bytes.
11. The number of cycles used for computing the checksum; e.g., 220716990.
12. The number of cycles per second; e.g., 2405453000.
13. The implementation used; e.g., crypto_hash/sha256/openssl.
14. The compiler used; e.g., gcc_-m64_-march=k8_-O3_-fomit-frame-pointer.

If a compiler issues an error message (or a warning or any other output), SUPERCOP produces a database entry with the following words:

1. SUPERCOP version.
2. Computer name.
3. ABI.
4. Benchmark start date.
5. Operation measured.
6. Primitive measured.
7. The word fromcompiler.
8. The implementation used; e.g., crypto_hash/shavite3512/lower-mem.
9. The compiler used; e.g., gcc_-march=nocona_-Os_-fomit-frame-pointer.
10. The file being compiled; e.g., SHAvite3.c.
11. One or more words of output repeating the error message: e.g., portable.h:109:2: warning: #warning NEITHER NESSIE_LITTLE_ENDIAN NOR NESSIE_BIG_ENDIAN ARE DEFINED!!!!! Several error messages will produce several database entries (in the same order).

If an implementation fails to run (for example, because it uses machine instructions not supported by the CPU), SUPERCOP produces a database entry with the following words:

1. SUPERCOP version.
2. Computer name.
3. ABI.
4. Benchmark start date.
5. Operation measured.
6. Primitive measured.
7. The word tryfails.
8. The implementation used; e.g., crypto_hash/fugue256/SSE4.1.
9. The compiler used; e.g., gcc_-m64_-march=core2_-msse4_-O3_-fomit-frame-pointer.
10. One or more words of output describing the failure; e.g., Illegal instruction. Several lines of output will produce several database entries (in the same order).

SUPERCOP then measures the performance of the selected implementation and compiler on a wider variety of specific operations; for example, hash functions are selected on the basis of 1536-byte hashing, but are then measured for hashing 0 bytes, 1 byte, 2 bytes, 3 bytes, etc. Each specific operation produces a database entry with the following words:

1. SUPERCOP version.
2. Computer name.
3. ABI.
4. Benchmark start date.
5. Operation measured.
6. Primitive measured.
7. One of the following words:
   • cycles: generating a shared secret (crypto_dh), hashing (crypto_hash), encrypting a message under a public key (crypto_encrypt), signing a message (crypto_sign), or generating a stream from a secret key (crypto_stream);
   • afternm_cycles: currently undocumented;
   • base_cycles: currently undocumented;
   • beforenm_cycles: currently undocumented;
   • keypair_cycles: generating a key pair (crypto_dh_keypair or crypto_encrypt_keypair or crypto_sign_keypair);
   • forgery_open_afternm_cycles: currently undocumented;
   • forgery_open_cycles: currently undocumented;
   • open_afternm_cycles: currently undocumented;
   • open_cycles: decrypting a message (crypto_encrypt_open) or verifying a signed message (crypto_sign_open);
   • verify_cycles: currently undocumented;
   • xor_cycles: encrypting a message under a secret key (crypto_stream_xor);
   • bytes: the length of an encrypted or signed message;
   • beforenmbytes: currently undocumented;
   • boxzerobytes: currently undocumented;
   • bssbytes: the number of bytes in the bss section;
   • constbytes: currently undocumented;
   • databytes: the number of bytes in the data section;
   • inputbytes: currently undocumented;
   • keybytes: currently undocumented;
   • noncebytes: currently undocumented;
   • open_bytes: the length of a decrypted or verified message;
   • outputbytes: currently undocumented;
   • publickeybytes: currently undocumented;
   • scalarbytes: currently undocumented;
   • secretkeybytes: currently undocumented;
   • statebytes: currently undocumented;
   • textbytes: the number of bytes in the text section;
   • zerobytes: currently undocumented.
8. The number of original message bytes hashed, encrypted, etc.; e.g., 96.
9. The median of many successive measurements; e.g., 3159.
10. The first measurement; e.g., 4131.
11. The second measurement; e.g., 3222.
12. ...
13. The last measurement; e.g., 3159.

SUPERCOP also records the selected implementation in a separate database entry with the following words:

1. SUPERCOP version.
2. Computer name.
3. ABI.
4. Benchmark start date.
5. Operation measured.
6. Primitive measured.
7. The word implementation.
8. The implementation used; e.g., crypto_hash/sha256/openssl.
9. The implementation version (the CRYPTO_VERSION macro) or - if no version number is defined by the implementation.

SUPERCOP also records the selected compiler in a separate database entry with the following words:

1. SUPERCOP version.
2. Computer name.
3. ABI.
4. Benchmark start date.
5. Operation measured.
6. Primitive measured.
7. The word compiler.
8. The compiler used; e.g., g++_-m64_-march=nocona_-O2_-fomit-frame-pointer.
9. The compiler version; e.g., 4.3.3.

SUPERCOP also records the CPU identifier in a separate database entry with the following words:

1. SUPERCOP version.
2. Computer name.
3. ABI.
4. Benchmark start date.
5. Operation measured.
6. Primitive measured.
7. The word cpuid.
8. The CPU identifier; e.g., GenuineIntel-000006fb-bfebfbff_.

SUPERCOP also records the number of CPU cycles per second in a separate database entry with the following words:

1. SUPERCOP version.
2. Computer name.
3. ABI.
4. Benchmark start date.
5. Operation measured.
6. Primitive measured.
7. The word cpucycles_persecond.
8. The number of CPU cycles per second; e.g., 2394000000.

SUPERCOP also records the cycle-counting mechanism in a separate database entry with the following words:

1. SUPERCOP version.
2. Computer name.
3. ABI.
4. Benchmark start date.
5. Operation measured.
6. Primitive measured.
7. The word cpucycles_implementation.
8. The mechanism; e.g., amd64cpuinfo.

Version