From: Eric Biggers <ebiggers@kernel.org>
To: David Howells <dhowells@redhat.com>
Cc: linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Daniel Gomez <da.gomez@kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Ard Biesheuvel <ardb@kernel.org>,
Stephan Mueller <smueller@chronox.de>,
Lukas Wunner <lukas@wunner.de>,
Ignat Korchagin <ignat@cloudflare.com>,
keyrings@vger.kernel.org, linux-modules@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/4] lib/crypto: Add ML-DSA verification support
Date: Fri, 21 Nov 2025 00:09:43 +0000 [thread overview]
Message-ID: <20251121000943.GC3532564@google.com> (raw)
In-Reply-To: <2590973.1763629800@warthog.procyon.org.uk>
On Thu, Nov 20, 2025 at 09:10:00AM +0000, David Howells wrote:
> Eric Biggers <ebiggers@kernel.org> wrote:
>
> > - Is about 600 lines of source code instead of 4800.
>
> There's less shareable code for other algos that I'm sure people are going to
> ask for, but that's probably fine.
The "advanced" verification features that people could conceivably want
in the future (public key preloading, nonempty contexts, HashML-DSA,
external mu, incremental message hashing) would all be fairly
straightforward to add, in the event that that they ever become needed.
Signing support would of course be challenging. But that's expected,
and we should try to keep that out of the kernel anyway.
> > - Generates about 4 KB of object code instead of 28 KB.
> > - Uses 9-13 KB of memory to verify a signature instead of 31-84 KB.
>
> That's definitely good.
>
> > - Is 3-5% faster, depending on the ML-DSA parameter set.
>
> That's not quite what I see. For Leancrypto:
>
> # benchmark_mldsa44: 8672 ops/s
> # benchmark_mldsa65: 5470 ops/s
> # benchmark_mldsa87: 3350 ops/s
>
> For your implementation:
>
> # benchmark_mldsa44: 8707 ops/s
> # benchmark_mldsa65: 5423 ops/s
> # benchmark_mldsa87: 3352 ops/s
>
> This may reflect differences in CPU (mine's an i3-4170).
>
> The numbers are pretty stable with the cpu frequency governor set to
> performance and without rebooting betweentimes.
>
> Interesting that your mldsa44 is consistently faster, but your mldsa65 is
> consistently slower. mldsa87 is consistently about the same.
>
> I don't think the time differences are particularly significant.
Sure, I had just tested one CPU. Slightly different results on
different CPUs are expected. It's also expected that the ops/s for
verification in a loop is still in roughly the same ballpark as your
integration of leancrypto (or the Dilithium reference code which
leancrypto seems to be based on, for that matter). There aren't too
many ways to implement the most time-consuming parts. Generally,
arch-optimized code would be needed to do significantly better.
Of course, the greatly reduced icache and dcache usage is much more
important for performance. But that doesn't show up in the "just verify
the same signature in a loop repeatedly" benchmark.
I'll clarify that part of the commit message accordingly.
- Eric
next prev parent reply other threads:[~2025-11-21 0:09 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-20 0:36 [PATCH 0/4] lib/crypto: ML-DSA verification support Eric Biggers
2025-11-20 0:36 ` [PATCH 1/4] lib/crypto: Add " Eric Biggers
2025-11-20 8:14 ` David Howells
2025-11-21 2:15 ` Eric Biggers
2025-11-20 9:10 ` David Howells
2025-11-21 0:09 ` Eric Biggers [this message]
2025-11-20 13:55 ` David Howells
2025-11-21 0:50 ` Eric Biggers
2025-11-21 12:41 ` David Howells
2025-11-21 17:14 ` Eric Biggers
2025-11-21 17:41 ` David Howells
2025-11-25 4:29 ` Eric Biggers
2025-11-21 21:39 ` David Howells
2025-11-21 22:23 ` Eric Biggers
2025-11-21 22:29 ` Lukas Wunner
2025-11-21 22:48 ` Eric Biggers
2025-11-29 20:00 ` Becker, Hanno
2025-11-30 0:19 ` Eric Biggers
2025-11-30 1:05 ` Jason A. Donenfeld
2025-11-30 7:15 ` Becker, Hanno
2025-11-30 19:06 ` Eric Biggers
2025-11-20 0:36 ` [PATCH 2/4] lib/crypto: tests: Add KUnit tests for ML-DSA Eric Biggers
2025-11-20 2:29 ` Elliott, Robert (Servers)
2025-11-20 0:36 ` [PATCH 3/4] lib/crypto: tests: Add ML-DSA-65 test cases Eric Biggers
2025-11-20 0:36 ` [PATCH 4/4] lib/crypto: tests: Add ML-DSA-87 " Eric Biggers
2025-11-20 8:11 ` [PATCH 0/4] lib/crypto: ML-DSA verification support David Howells
2025-11-21 6:16 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251121000943.GC3532564@google.com \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=da.gomez@kernel.org \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=mcgrof@kernel.org \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).