RFR(L): 8069539: RSA acceleration

Andrew Haley aph at redhat.com
Fri May 8 17:19:07 UTC 2015


On 05/08/2015 05:38 PM, Florian Weimer wrote:
> On 05/08/2015 05:59 PM, Andrew Haley wrote:
>> Here is a prototype of what I propose:
>>
>> http://cr.openjdk.java.net/~aph/rsa-1/
>>
>> It is a JNI version of the fast algorithm I think we should use for
>> RSA.  It doesn't use any intrinsics.  But with it, RSA is already twice
>> as fast as the code we have now for 1024-bit keys, and almost three
>> times as fast for 2048-bit keys!
>>
>> This code (montgomery_multiply) is designed to be as easy as I can
>> possibly make it to translate into a hand-coded intrinsic.  It will
>> then offer better performance still, with the JNI overhead gone and
>> with some carefully hand-tweaked memory accesses.  It has a very
>> regular structure which should make it fairly easy to turn into a
>> software pipeline with overlapped fetching and multiplication,
>> although this will perhaps be difficult on register-starved machines
>> like the x86.
> 
> Do we want to add side-channel protection as part of this effort
> (against timing attacks and cache-flushing attacks)?

I wouldn't have thought so.  It might make sense to add an optional
path without key-dependent branches, but not as a part of this effort:
the goals are completely orthogonal.

Andrew.
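An added example, not the cr.openjdk.java.net prototype or any HotSpot code: a word-level Montgomery multiply in the CIOS form (the same basic shape a hand-coded intrinsic would take), with the final "if t >= N then t -= N" written twice, once as the usual data-dependent branch and once as a masked, branch-free select of the kind the "optional path without key-dependent branches" above would need. The modulus structure, the helper names and the 64-bit limb layout are this example's own assumptions; it relies on the GCC/Clang `unsigned __int128` type for the 64x64 products. The check values at the end are constructed for the example.

```c
/* Added example (assumed layout, not HotSpot's): CIOS Montgomery multiply
 * with a branchy and a branch-free final subtraction.  Little-endian
 * 64-bit limbs; needs unsigned __int128 (GCC/Clang). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef unsigned __int128 u128;
#define MAXLIMBS 8

typedef struct {
    size_t n;              /* number of 64-bit limbs */
    uint64_t N[MAXLIMBS];  /* odd modulus */
    uint64_t n0inv;        /* -N[0]^{-1} mod 2^64 */
} mont_ctx;

/* n0^{-1} mod 2^64 by Newton iteration (n0 odd), then negate. */
static uint64_t neg_inv64(uint64_t n0) {
    uint64_t x = 1;
    for (int i = 0; i < 6; i++) x *= 2 - n0 * x;
    return (uint64_t)0 - x;
}

static void mont_init(mont_ctx *m, const uint64_t *N, size_t n) {
    m->n = n; memcpy(m->N, N, n * sizeof *N); m->n0inv = neg_inv64(N[0]);
}

/* d = t - N over n limbs; returns the borrow out (1 if t < N). */
static uint64_t sub_n(const mont_ctx *m, uint64_t *d, const uint64_t *t) {
    uint64_t borrow = 0;
    for (size_t i = 0; i < m->n; i++) {
        u128 diff = (u128)t[i] - m->N[i] - borrow;
        d[i] = (uint64_t)diff; borrow = (uint64_t)(diff >> 64) & 1;
    }
    return borrow;
}

/* t[0..n] = a*b*R^{-1} mod N before the last subtraction, t < 2N, R = 2^(64n). */
static void montmul_core(const mont_ctx *m, uint64_t *t,
                         const uint64_t *a, const uint64_t *b) {
    size_t n = m->n;
    memset(t, 0, (n + 2) * sizeof *t);
    for (size_t i = 0; i < n; i++) {
        u128 C = 0, s;
        for (size_t j = 0; j < n; j++) {            /* t += a * b[i] */
            s = (u128)t[j] + (u128)a[j] * b[i] + C;
            t[j] = (uint64_t)s; C = s >> 64;
        }
        s = (u128)t[n] + C; t[n] = (uint64_t)s; t[n + 1] = (uint64_t)(s >> 64);
        uint64_t mm = t[0] * m->n0inv;               /* make t divisible by 2^64 */
        C = ((u128)t[0] + (u128)mm * m->N[0]) >> 64;
        for (size_t j = 1; j < n; j++) {            /* t = (t + mm*N) / 2^64 */
            s = (u128)t[j] + (u128)mm * m->N[j] + C;
            t[j - 1] = (uint64_t)s; C = s >> 64;
        }
        s = (u128)t[n] + C; t[n - 1] = (uint64_t)s; t[n] = t[n + 1] + (uint64_t)(s >> 64);
    }
}

/* Branchy reduction: the taken/not-taken decision depends on the operands. */
static void montmul_branchy(const mont_ctx *m, uint64_t *r,
                            const uint64_t *a, const uint64_t *b) {
    uint64_t t[MAXLIMBS + 2], d[MAXLIMBS];
    montmul_core(m, t, a, b);
    if (t[m->n] || !sub_n(m, d, t)) memcpy(r, d, m->n * sizeof *r);
    else                             memcpy(r, t, m->n * sizeof *r);
}

/* Branch-free reduction: always subtract, then select with an all-ones/zero mask. */
static void cond_sub_ct(const mont_ctx *m, uint64_t *r, const uint64_t *t) {
    uint64_t d[MAXLIMBS];
    uint64_t borrow = sub_n(m, d, t);
    uint64_t mask = (uint64_t)0 - ((t[m->n] | (borrow ^ 1)) & 1);
    for (size_t i = 0; i < m->n; i++) r[i] = (d[i] & mask) | (t[i] & ~mask);
}

static void montmul_ct(const mont_ctx *m, uint64_t *r,
                       const uint64_t *a, const uint64_t *b) {
    uint64_t t[MAXLIMBS + 2];
    montmul_core(m, t, a, b);
    cond_sub_ct(m, r, t);
}

/* R^2 mod N: double 1 modulo N 128n times, using the branch-free reduction. */
static void mont_r2(const mont_ctx *m, uint64_t *r2) {
    uint64_t t[MAXLIMBS + 2] = { 1 };
    for (size_t k = 0; k < 128 * m->n; k++) {
        uint64_t carry = 0;
        for (size_t i = 0; i < m->n; i++) {
            uint64_t nc = t[i] >> 63; t[i] = (t[i] << 1) | carry; carry = nc;
        }
        t[m->n] = carry;
        cond_sub_ct(m, t, t);
    }
    memcpy(r2, t, m->n * sizeof *r2);
}

typedef void (*mulfn)(const mont_ctx *, uint64_t *, const uint64_t *, const uint64_t *);

/* a*b mod N via Montgomery form: to-form, multiply, from-form. */
static void mulmod(const mont_ctx *m, mulfn mul, uint64_t *r,
                   const uint64_t *a, const uint64_t *b) {
    uint64_t r2[MAXLIMBS], am[MAXLIMBS], bm[MAXLIMBS], abm[MAXLIMBS], one[MAXLIMBS] = { 1 };
    mont_r2(m, r2);
    mul(m, am, a, r2); mul(m, bm, b, r2); mul(m, abm, am, bm); mul(m, r, abm, one);
}

/* Constructed check: 1 limb against a __int128 reference, 2 limbs against a
 * hand-computed product; returns 1 when both variants are right. */
int demo_check(void) {
    mont_ctx m; uint64_t r[MAXLIMBS];
    uint64_t N1[1] = { 0xFFFFFFFFFFFFFFC5ull };
    uint64_t a1[1] = { 0xDEADBEEFDEADBEEFull }, b1[1] = { 0xCAFEBABECAFEBABEull };
    uint64_t want = (uint64_t)(((u128)a1[0] * b1[0]) % N1[0]);
    mont_init(&m, N1, 1);
    mulmod(&m, montmul_branchy, r, a1, b1); if (r[0] != want) return 0;
    mulmod(&m, montmul_ct, r, a1, b1);      if (r[0] != want) return 0;
    uint64_t N2[2] = { 0xFFFFFFFFFFFFFFFFull, 0x7FFFFFFFFFFFFFFFull }; /* 2^127 - 1 */
    uint64_t a2[2] = { 5, 1 }, b2[2] = { 3, 0 };   /* (2^64 + 5) * 3 = 3*2^64 + 15 */
    mont_init(&m, N2, 2);
    mulmod(&m, montmul_branchy, r, a2, b2); if (r[0] != 15 || r[1] != 3) return 0;
    mulmod(&m, montmul_ct, r, a2, b2);
    return r[0] == 15 && r[1] == 3;
}

int main(void) { printf("%s\n", demo_check() ? "ok" : "FAIL"); return !demo_check(); }
```

The masked select removes only the one branch in the reduction step; a modular exponentiation built on it still leaks through a square-and-multiply loop that branches on exponent bits, and on some cores through operand-dependent multiplier latency, so the branch-free variant is a necessary but not sufficient part of a side-channel-hardened path.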



More information about the hotspot-compiler-dev mailing list