ecmult: Refactor ecmult algo selection

Author: fjahr

src/bench_ecmult.c

@@ -19,6 +19,11 @@
 
 #define POINTS 32768
 
+/* Default memory limit (64 MB) */
+#define DEFAULT_MEM_LIMIT (64 * 1024 * 1024)
+/* Select bench algorithm automatically */
+#define BENCH_ALGO_AUTO (-1)
+
 static void help(char **argv, int default_iters) {
     printf("Benchmark EC multiplication algorithms\n");
     printf("\n");
@@ -30,23 +35,25 @@ static void help(char **argv, int default_iters) {
     printf("function name. The letter 'g' indicates that one of the points is the generator.\n");
     printf("The benchmarks are divided by the number of points.\n");
     printf("\n");
-    printf("default (ecmult_multi): picks pippenger_wnaf or strauss_wnaf depending on the\n");
-    printf("                        batch size\n");
-    printf("pippenger_wnaf:         for all batch sizes\n");
-    printf("strauss_wnaf:           for all batch sizes\n");
-    printf("simple:                 multiply and sum each point individually\n");
+    printf("default (auto):   automatically select best algorithm\n");
+    printf("pippenger_wnaf:   for all batch sizes\n");
+    printf("strauss_wnaf:     for all batch sizes\n");
+    printf("simple:           multiply and sum each point individually\n");
+    printf("\n");
 }
 
 typedef struct {
     /* Setup once in advance */
     secp256k1_context* ctx;
-    secp256k1_scratch_space* scratch;
     secp256k1_scalar* scalars;
     secp256k1_ge* pubkeys;
     secp256k1_gej* pubkeys_gej;
     secp256k1_scalar* seckeys;
     secp256k1_gej* expected_output;
-    secp256k1_ecmult_multi_func ecmult_multi;
+
+    /* Algorithm selection */
+    int forced_algo;
+    size_t mem_limit;
 
     /* Changes per benchmark */
     size_t count;
@@ -214,32 +221,54 @@ static void run_ecmult_bench(bench_data* data, int iters) {
     run_benchmark(str, bench_ecmult_1p_g, bench_ecmult_setup, bench_ecmult_1p_g_teardown, data, 10, 2*iters);
 }
 
-static int bench_ecmult_multi_callback(secp256k1_scalar* sc, secp256k1_ge* ge, size_t idx, void* arg) {
-    bench_data* data = (bench_data*)arg;
-    if (data->includes_g) ++idx;
-    if (idx == 0) {
-        *sc = data->scalars[data->offset1];
-        *ge = secp256k1_ge_const_g;
-    } else {
-        *sc = data->scalars[(data->offset1 + idx) % POINTS];
-        *ge = data->pubkeys[(data->offset2 + idx - 1) % POINTS];
-    }
-    return 1;
-}
-
 static void bench_ecmult_multi(void* arg, int iters) {
     bench_data* data = (bench_data*)arg;
 
     int includes_g = data->includes_g;
     int iter;
     int count = data->count;
+    size_t n_points = count - includes_g;
+    secp256k1_ecmult_multi_algo algo;
+    secp256k1_ge *points = NULL;
+    secp256k1_scalar *scalars = NULL;
+    size_t i;
     iters = iters / data->count;
 
+    if (n_points > 0) {
+        points = (secp256k1_ge *)malloc(n_points * sizeof(secp256k1_ge));
+        scalars = (secp256k1_scalar *)malloc(n_points * sizeof(secp256k1_scalar));
+        CHECK(points != NULL);
+        CHECK(scalars != NULL);
+    }
+
     for (iter = 0; iter < iters; ++iter) {
-        data->ecmult_multi(&data->ctx->error_callback, data->scratch, &data->output[iter], data->includes_g ? &data->scalars[data->offset1] : NULL, bench_ecmult_multi_callback, arg, count - includes_g);
+        const secp256k1_scalar *g_scalar_ptr = NULL;
+
+        if (includes_g) {
+            g_scalar_ptr = &data->scalars[data->offset1];
+        }
+
+        for (i = 0; i < n_points; ++i) {
+            size_t idx = includes_g ? i + 1 : i;
+            scalars[i] = data->scalars[(data->offset1 + idx) % POINTS];
+            points[i] = data->pubkeys[(data->offset2 + i) % POINTS];
+        }
+
+        if (data->forced_algo >= 0) {
+            algo = data->forced_algo;
+        } else {
+            algo = secp256k1_ecmult_multi_select(data->mem_limit, n_points);
+        }
+
+        CHECK(secp256k1_ecmult_multi_internal(&data->ctx->error_callback, algo, &data->output[iter], 
+                                              n_points, points, scalars, g_scalar_ptr));
+
         data->offset1 = (data->offset1 + count) % POINTS;
         data->offset2 = (data->offset2 + count - 1) % POINTS;
     }
+
+    free(points);
+    free(scalars);
 }
 
 static void bench_ecmult_multi_setup(void* arg) {
@@ -309,12 +338,12 @@ static void run_ecmult_multi_bench(bench_data* data, size_t count, int includes_
 int main(int argc, char **argv) {
     bench_data data;
     int i, p;
-    size_t scratch_size;
 
     int default_iters = 10000;
     int iters = get_iters(default_iters);
 
-    data.ecmult_multi = secp256k1_ecmult_multi_var;
+    data.forced_algo = BENCH_ALGO_AUTO;
+    data.mem_limit = DEFAULT_MEM_LIMIT;
 
     if (argc > 1) {
         if(have_flag(argc, argv, "-h")
@@ -324,12 +353,17 @@ int main(int argc, char **argv) {
             return EXIT_SUCCESS;
         } else if(have_flag(argc, argv, "pippenger_wnaf")) {
             printf("Using pippenger_wnaf:\n");
-            data.ecmult_multi = secp256k1_ecmult_pippenger_batch_single;
+            /* TODO: Make this a dynamic selection again */
+            data.forced_algo = SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_4;
         } else if(have_flag(argc, argv, "strauss_wnaf")) {
             printf("Using strauss_wnaf:\n");
-            data.ecmult_multi = secp256k1_ecmult_strauss_batch_single;
+            data.forced_algo = SECP256K1_ECMULT_MULTI_ALGO_STRAUSS;
         } else if(have_flag(argc, argv, "simple")) {
             printf("Using simple algorithm:\n");
+            data.forced_algo = SECP256K1_ECMULT_MULTI_ALGO_TRIVIAL;
+        } else if(have_flag(argc, argv, "auto")) {
+            printf("Using automatic algorithm selection:\n");
+            data.forced_algo = BENCH_ALGO_AUTO;
         } else {
             fprintf(stderr, "%s: unrecognized argument '%s'.\n\n", argv[0], argv[1]);
             help(argv, default_iters);
@@ -338,12 +372,6 @@ int main(int argc, char **argv) {
     }
 
     data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
-    scratch_size = secp256k1_strauss_scratch_size(POINTS) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT;
-    if (!have_flag(argc, argv, "simple")) {
-        data.scratch = secp256k1_scratch_space_create(data.ctx, scratch_size);
-    } else {
-        data.scratch = NULL;
-    }
 
     /* Allocate stuff */
     data.scalars = malloc(sizeof(secp256k1_scalar) * POINTS);
@@ -389,9 +417,6 @@ int main(int argc, char **argv) {
         printf("Skipping some benchmarks due to SECP256K1_BENCH_ITERS <= 2\n");
     }
 
-    if (data.scratch != NULL) {
-        secp256k1_scratch_space_destroy(data.ctx, data.scratch);
-    }
     secp256k1_context_destroy(data.ctx);
     free(data.scalars);
     free(data.pubkeys);

src/ecmult.h

@@ -9,7 +9,6 @@
 
 #include "group.h"
 #include "scalar.h"
-#include "scratch.h"
 
 #ifndef ECMULT_WINDOW_SIZE
 #  define ECMULT_WINDOW_SIZE 15
@@ -43,19 +42,84 @@
 /** Double multiply: R = na*A + ng*G */
 static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng);
 
-typedef int (secp256k1_ecmult_multi_callback)(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data);
+/**
+ * Algorithm identifiers for multi-scalar multiplication.
+ *
+ * TRIVIAL:      Simple algorithm, no extra memory needed
+ * STRAUSS:      Strauss algorithm (efficient for small batches)
+ * PIPPENGER_n:  Pippenger algorithm with bucket window size n
+ */
+typedef enum {
+    SECP256K1_ECMULT_MULTI_ALGO_TRIVIAL = 0,
+    SECP256K1_ECMULT_MULTI_ALGO_STRAUSS = 1,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_1 = 2,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_2 = 3,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_3 = 4,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_4 = 5,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_5 = 6,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_6 = 7,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_7 = 8,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_8 = 9,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_9 = 10,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_10 = 11,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_11 = 12,
+    SECP256K1_ECMULT_MULTI_ALGO_PIPPENGER_12 = 13
+} secp256k1_ecmult_multi_algo;
+
+#define SECP256K1_ECMULT_MULTI_NUM_ALGOS 14
 
 /**
- * Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
- * Chooses the right algorithm for a given number of points and scratch space
- * size. Resets and overwrites the given scratch space. If the points do not
- * fit in the scratch space the algorithm is repeatedly run with batches of
- * points. If no scratch space is given then a simple algorithm is used that
- * simply multiplies the points with the corresponding scalars and adds them up.
- * Returns: 1 on success (including when inp_g_sc is NULL and n is 0)
- *          0 if there is not enough scratch space for a single point or
- *          callback returns 0
+ * Calculate max batch size for a given memory limit.
+ *
+ * For each algorithm, memory usage is modeled as m(x) = A*x + B and
+ * running time as c(x) = C*x + D, where x is the batch size. This
+ * function finds the algorithm that minimizes time per operation
+ * C + D/x at the maximum batch size x = (mem_limit - B) / A.
+ *
+ * Returns: The optimal batch size, or 0 if memory is insufficient.
  */
-static int secp256k1_ecmult_multi_var(const secp256k1_callback* error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n);
+static size_t secp256k1_ecmult_multi_batch_size(size_t mem_limit);
+
+/**
+ * Select the best algorithm for a given batch size within the memory
+ * limit.
+ *
+ * Among algorithms that fit within mem_limit for the given batch_size,
+ * selects the one that minimizes time per operation C + D/batch_size.
+ *
+ * Returns: The optimal algorithm identifier.
+ */
+static secp256k1_ecmult_multi_algo secp256k1_ecmult_multi_select(
+    size_t mem_limit,
+    size_t batch_size
+);
+
+/**
+ * Multi-multiply: R = scalar_g * G + sum_i scalars[i] * points[i].
+ *
+ * Chooses the right algorithm for the given number of points.
+ *
+ * Returns: 1 on success, 0 on memory allocation failure.
+ */
+static int secp256k1_ecmult_multi(
+    const secp256k1_callback *error_callback,
+    secp256k1_gej *r,
+    size_t n_points,
+    const secp256k1_ge *points,
+    const secp256k1_scalar *scalars,
+    const secp256k1_scalar *scalar_g,
+    size_t mem_limit
+);
+
+/* Only for benchmarks and testing */
+static int secp256k1_ecmult_multi_internal(
+    const secp256k1_callback *error_callback,
+    secp256k1_ecmult_multi_algo algo,
+    secp256k1_gej *r,
+    size_t n_points,
+    const secp256k1_ge *points,
+    const secp256k1_scalar *scalars,
+    const secp256k1_scalar *scalar_g
+);
 
 #endif /* SECP256K1_ECMULT_H */