[PATCH] Optimize RISC-V mpn_add_n/mpn_sub_n
Torbjörn Granlund
tg at gmplib.org
Wed Jun 3 13:01:55 CEST 2026
Unfortunately, I don't think we should make GMP leak side-channel
information. We have some interfaces in GMP which claim to leak less,
and these interfaces depend on lower-level interfaces (such as
mpn_add_n) not leaking.
I am aware that there is some Alpha code, for the EV6, which leaks,
presumably using the same trick as your code. I have meant to fix that,
but as it feels extremely unlikely that somebody runs Alpha hardware for
security-sensitive things now, it has low priority.
gmp-6.3 vs patch cycles/limb:
                          addition     |  subtraction
                          gmp    patch |  gmp    patch
XuanTie-C908:             4.90   4.64  |  4.92   4.85   (dual-issue in-order)
SpacemiT-X60:             4.78   4.20  |  4.78   4.28   (dual-issue in-order)
SpacemiT-A100:            6.04   4.04  |  5.04   4.30   (dual-issue in-order)
XuanTie-C910:             3.59   2.79  |  3.36   2.79   (3-wide out-of-order)
SpacemiT-X100:            3.31   2.32  |  2.39   2.31   (4-wide out-of-order)
RTL simulation of open-source processors:
RocketChip:               9.33   8.32  |  9.34   8.32   (1-issue in-order)
Shuttle:                  5.57   4.82  |  5.62   4.59   (2-issue in-order)
Shuttle3:                 4.34   3.82  |  4.33   4.07   (3-issue in-order)
MediumBoomV3:             4.78   4.20  |  4.78   4.19   (2-wide out-of-order)
LargeBoomV3:              4.03   3.04  |  4.03   3.04   (3-wide out-of-order)
MegaBoomV3:               3.03   2.11  |  2.37   2.11   (4-wide out-of-order)
XiangShan KunminghuV3:    3.01   1.08  |  2.03   1.08   (8-wide out-of-order)
I cannot help noticing how outrageously slow RISC CPUs are for bignum
arithmetic. It is sad that such an outdated ISA was introduced in the
21st century!
If you can improve the GMP performance on RISC-V CPUs without causing
leakage, that would be a welcome contribution!
One thing to note is that on the very wide x86 and Arm
processors, carry-setting ALU instructions usually only have
half the throughput of regular ALU instructions.
I am not sure that is still true. It is possible to create code which
runs sequences of adc/adox/adcx at a throughput of 2 per cycle, at least
on AMD silicon. (Of course one needs to break CF dependencies, else 1
per cycle will be the limit!)
--
Torbjörn
Please encrypt, key id 0xC8601622
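
Added example, not part of the message above, not GMP code and not the patch under discussion: what "does not leak" means for an mpn_add_n-style limb addition on an ISA without a carry flag, next to a hypothetical variant whose control flow depends on the operands. The names limb_t, add_n_ct and add_n_branchy and the 64-bit limb size are assumptions; the page does not say which trick the patch or the Alpha code uses.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint64_t limb_t;  /* assumption: 64-bit limbs */

/* Branch-free limb addition, returns the carry-out. Both carries come from
   unsigned compares (sltu on RISC-V), so the same instructions run for
   every operand value. C gives no such guarantee by itself: check the
   generated assembly, or write the loop in assembly. */
limb_t add_n_ct(limb_t *rp, const limb_t *up, const limb_t *vp, size_t n)
{
    limb_t cy = 0;
    for (size_t i = 0; i < n; i++) {
        limb_t s = up[i] + vp[i];
        limb_t c1 = s < up[i];   /* carry out of u + v */
        limb_t r = s + cy;
        limb_t c2 = r < s;       /* carry out of adding the carry-in */
        rp[i] = r;
        cy = c1 | c2;            /* the two can never both be set */
    }
    return cy;
}

/* Hypothetical leaking variant, for contrast only: the increment is skipped
   when the carry-in is zero, so the branch pattern depends on the operands.
   *taken counts how often the data-dependent path ran. */
limb_t add_n_branchy(limb_t *rp, const limb_t *up, const limb_t *vp,
                     size_t n, unsigned *taken)
{
    limb_t cy = 0;
    *taken = 0;
    for (size_t i = 0; i < n; i++) {
        limb_t s = up[i] + vp[i];
        limb_t c = s < up[i];
        if (cy) {                /* outcome depends on operand data */
            s += 1;
            c |= (s == 0);
            (*taken)++;
        }
        rp[i] = s;
        cy = c;
    }
    return cy;
}
```

Both functions return identical sums; only the second has a branch history (and therefore timing and predictor state) that is a function of the numbers being added.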