Received: by 2002:ab2:6c55:0:b0:1fd:c486:4f03 with SMTP id v21csp26198lqp;
        Tue, 11 Jun 2024 13:19:08 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCUkriD5LVFQjDbSV49LeHcTeqLOcTqBjN+D1ASNvBRPVXuS5TXhz2TIfnVWcvOMz6IkVE0aA6AiRpRHUX/ROOMtkF1sQQV8DaFM63Tw/A==
X-Google-Smtp-Source: AGHT+IE+H1dBwx/7YDa8Y5ovB7JYd1M5XjQbaBhlKb1mCappw2nmx6U11O1zyYih7npX4rXMjmcV
X-Received: by 2002:a17:906:c196:b0:a6f:1254:2cbe with SMTP id a640c23a62f3a-a6f34c5755amr265269366b.3.1718137148090;
        Tue, 11 Jun 2024 13:19:08 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1718137148; cv=pass;
        d=google.com; s=arc-20160816;
        b=fmyVnwBXNisT2TBhTjvOhjPBAoTYDy8rewygpvv/F524w6uzHINuAoqk+DXeBUOYWj
         qdqxNBtY/LbquM7R8+MFUsT3pgRJquWet3JySru5xDomPRMq+oft5J6yFdCzCrR3jGIe
         ojIrTuEpe7sxC6WpYLUGL6hX5kYavjjVvbMPIWo7WqfLLz249pui8XFpvUJ+cN7ZRLva
         ma9EQ8XKr/XBF3dKlRaAlIpCNuFCImlQidzj8eE6/Fkyt4L6g2FFtsXDBufo8bqzel7o
         VikpitFKHJGVzV7m7OToScx0uMpjCY1SovTUYgdO9BJLVoQZktYnZz/IDtzG09x9/vTN
         /kBQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=2dRPSCtDL4x6ugmBX20ku+4A8lZWr67P4sg3s+GA17o=;
        fh=WX5sgR3VQpLR5g6z+9pfvt88hmxQBAkmun/QVKBzADs=;
        b=L4w3WqdeF+DlCslvNsnbBfWXlXy29aQ2ayHLqLtm9tFWtDzQ07kn9NRDMPADut3d3Q
         9SYY3Ap+yhjqnVstkTTiYMYwzyGMxEubLtyFSH8gFs2iaykRzU1iUOuaqbkg5VT70VuN
         frIlIM4s4RT1WCLfiwAHc9kN8p3l5hcwZdcmlkZn/Sg4qfU3/yWpVlJza2mguwZnAf1K
         pxKUiHDRQfIWZgCYbvMddnwYodpGx0GhJiUTCm5ShsvEFwyAqTAAMyK7ANKapp6YY5it
         zR/a5LtU87j3n1m2+qpJ5hl7dJV8SqHyS4D/EdcXTx/80AN7Ar1EJJm3FTnRkeEmOKfW
         FVmw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Tg4w6+Jd;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-crypto+bounces-4903-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-crypto+bounces-4903-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-crypto+bounces-4903-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id a640c23a62f3a-a6f10364267si347323766b.594.2024.06.11.13.19.08
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 11 Jun 2024 13:19:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto+bounces-4903-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Tg4w6+Jd;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-crypto+bounces-4903-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-crypto+bounces-4903-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id CDA461F23F77
	for <linux.lists.archive@gmail.com>; Tue, 11 Jun 2024 20:19:07 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 9834113D615;
	Tue, 11 Jun 2024 20:19:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Tg4w6+Jd"
X-Original-To: linux-crypto@vger.kernel.org
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48EFF12E61;
	Tue, 11 Jun 2024 20:19:00 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1718137141; cv=none; b=Dc3Ipx4aAB8RtTRoq+agM0Rq3pjM8PQfmAt3y9x7Hbl0yDRm5Y9rCtzWopCksAHfA+sAvC3M6u7WANsuCAw5g7ZB9HR7Q3ciZGbXupZfv2Ed+S2MN1vIWBy9zNRwInISnY7Njx+xsSP6BdW4BQO5/bQOJ6zBI3lJVlfOfMBq/cU=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1718137141; c=relaxed/simple;
	bh=gtTMkJYRvzc11WF2seK68wjURAdaNya0C5PddHKpdUM=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=j4pjcRsxja/dpEZIlpe8F9dCEVRpXHB7ATRTXFge6iKFemz+HKQF3xTD6WLj1DQQnBT42pe8gujseZNYM+Bw8ZquS1BUemu77NNnxoBITlOMIpjeWEh/1jSitG5nQUkI/a+lr4pB4SCBd+CzTpdYfywiurcFTVCg0X2y5GqMyEs=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Tg4w6+Jd; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4F4D4C2BD10;
	Tue, 11 Jun 2024 20:19:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1718137140;
	bh=gtTMkJYRvzc11WF2seK68wjURAdaNya0C5PddHKpdUM=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=Tg4w6+JdHhFxJdi4TnsqqM/VB92iMDH+/U5LYjnE2oucxYyHNoYL6hd/t2ucaGpqi
	 MoMgRkjwlMDaMU/QbFTds8e7j2TTxvqa7GWcWpN0QZuhI4R7S15A4YpMi+GXeIkju8
	 ONuWoutk4kJTocbsp41zeLdPmpRfeldqNLgZ6RNufQ6kcR6Jo2FCvN2+7f0gd2ZktV
	 a+mLDeyfRdQtGhbuQI1i7YJoVZ38wME27wLvflfJjcFKA3eMCh/QrUUjWcRoymhZ4a
	 tPfpBeKRwt8nI9jOk4zvQl9T9nTOUaAl+M4rkU88SYx6HpP/b0s79oC+teD4onsnwP
	 xzSfHlcvR7rIw==
Date: Tue, 11 Jun 2024 13:18:58 -0700
From: Eric Biggers <ebiggers@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Ard Biesheuvel <ardb@kernel.org>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
	fsverity@lists.linux.dev, dm-devel@lists.linux.dev, x86@kernel.org,
	linux-arm-kernel@lists.infradead.org,
	Sami Tolvanen <samitolvanen@google.com>,
	Bart Van Assche <bvanassche@acm.org>,
	Tim Chen <tim.c.chen@linux.intel.com>
Subject: Re: [PATCH v4 6/8] fsverity: improve performance by using
 multibuffer hashing
Message-ID: <20240611201858.GA128642@sol.localdomain>
References: <20240606052801.GA324380@sol.localdomain>
 <ZmFL-AXZ8lphOCUC@gondor.apana.org.au>
 <CAMj1kXHLt6v03qkpKfwbN34oyeeCnJb=tpG4GvTn6E1cJQRTOw@mail.gmail.com>
 <ZmFmiWZAposV5N1O@gondor.apana.org.au>
 <CAMj1kXFt_E9ghN7GfpYHR4-yaLsz_J-D1Nc3XsVqUamZ6yXHGQ@mail.gmail.com>
 <ZmFucW37DI6P6iYL@gondor.apana.org.au>
 <CAMj1kXEpw5b3Rpfe+sRKbQQqVfgWjO_GsGd-EyFvB4_8Bk8T0Q@mail.gmail.com>
 <ZmF-JHxCfMRuR05G@gondor.apana.org.au>
 <20240610164258.GA3269@sol.localdomain>
 <Zmhrh1nodUE-O6Jj@gondor.apana.org.au>
Precedence: bulk
X-Mailing-List: linux-crypto@vger.kernel.org
List-Id: <linux-crypto.vger.kernel.org>
List-Subscribe: <mailto:linux-crypto+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-crypto+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Zmhrh1nodUE-O6Jj@gondor.apana.org.au>

On Tue, Jun 11, 2024 at 11:21:43PM +0800, Herbert Xu wrote:
> 
> BTW, I found an old Intel paper that claims through their multi-
> buffer strategy they were able to make AES-CBC-XCBC beat AES-GCM.
> I wonder if we could still replicate this today:
> 
> https://github.com/intel/intel-ipsec-mb/wiki/doc/fast-multi-buffer-ipsec-implementations-ia-processors-paper.pdf

No, not even close.  Even assuming that the lack of parallelizability in AES-CBC
and AES-XCBC can be entirely compensated for via multibuffer crypto (which
really it can't -- consider single packets, for example), doing AES twice is
much more expensive than doing AES and GHASH.  GHASH is a universal hash
function, and computing a universal hash function is inherently cheaper than
computing a cryptographic hash function.  But also modern Intel CPUs have very
fast carryless multiplication, and it uses a different execution port from what
AES uses.  So the overhead of AES + GHASH over AES alone is very small.  By
doing AES twice, you'd be entirely bottlenecked by the ports that can execute
the AES instructions, while the other ports go nearly unused.  So it would
probably be approaching twice as slow as AES-GCM.

Westmere (2010) through Ivy Bridge (2012) are the only Intel CPUs where
multibuffer AES-CBC-XCBC could plausibly be faster than AES-GCM (given a
sufficiently large number of messages at once), due to the very slow pclmulqdq
instruction on those CPUs.  This is long since fixed, as pclmulqdq became much
faster in Haswell (2013), and faster still in Broadwell.  This is exactly what
that Intel paper shows; they show AES-GCM becoming fastest in "Gen 4", i.e.
Haswell.  The paper is from 2012, so of course they don't show anything after
that.  But AES-GCM has only pulled ahead even more since then.

In theory something like AES-CBC + SHA-256 could be slightly more competitive
than AES-CBC + AES-XCBC.  But it would still be worse than simply doing AES-GCM
-- which again, doesn't need multibuffer, and my recent patches have already
fully optimized for recent x86_64 CPUs.

- Eric