commit 9b708ad8e1a3fb29b81d7e722d70a4226e2acf7a
author Filippo Valsorda <filippo@golang.org> Tue Jul 09 20:38:07 2019 -0400
committer Filippo Valsorda <filippo@golang.org> Mon Nov 11 21:36:26 2019 +0000
tree 548ac5a33973a14fffe1ee0396db74c79cbb7936
parent 85e5e33df3ab4a4c7fcfc67d04bbeb97fc2d8e89

internal/chacha20: cache first round across XORKeyStream invocations

name                old speed     new speed     delta
ChaCha20/64-4       428MB/s ± 1%  432MB/s ± 1%    ~     (p=0.089 n=10+10)
ChaCha20/256-4      497MB/s ± 1%  507MB/s ± 2%  +1.94%  (p=0.000 n=9+10)
ChaCha20/10x25-4    273MB/s ± 1%  285MB/s ± 3%  +4.37%  (p=0.000 n=10+10)
ChaCha20/4096-4     495MB/s ± 1%  508MB/s ± 1%  +2.51%  (p=0.000 n=8+10)
ChaCha20/100x40-4   407MB/s ± 1%  439MB/s ± 1%  +7.92%  (p=0.000 n=9+9)
ChaCha20/65536-4    521MB/s ± 2%  537MB/s ± 1%  +3.00%  (p=0.000 n=10+10)
ChaCha20/1000x65-4  498MB/s ± 2%  521MB/s ± 2%  +4.70%  (p=0.000 n=10+10)

Curiously, even if we omit the critical s.precompDone = true step, we
see a significant performance improvement across the board, maybe due to
reduced register pressure. (See below. Actually using the precomputed
values only impacts the 10x25, 100x40 and 1000x65 benchmarks, as
expected.)

name                old speed     new speed     delta
ChaCha20/64-4       428MB/s ± 1%  428MB/s ± 1%    ~     (p=0.912 n=10+10)
ChaCha20/256-4      497MB/s ± 1%  510MB/s ± 1%  +2.64%  (p=0.000 n=9+10)
ChaCha20/10x25-4    273MB/s ± 1%  277MB/s ± 2%  +1.36%  (p=0.003 n=10+10)
ChaCha20/4096-4     495MB/s ± 1%  507MB/s ± 2%  +2.28%  (p=0.000 n=8+10)
ChaCha20/100x40-4   407MB/s ± 1%  418MB/s ± 1%  +2.69%  (p=0.000 n=9+10)
ChaCha20/65536-4    521MB/s ± 2%  536MB/s ± 1%  +2.76%  (p=0.000 n=10+8)
ChaCha20/1000x65-4  498MB/s ± 2%  519MB/s ± 1%  +4.15%  (p=0.000 n=10+9)

Updates golang/go#24485

Change-Id: I117fab938787819aae1cc4371354888701e4e54b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185440
Reviewed-by: Michael Munday <mike.munday@ibm.com>