Does the carry-less multiplication instruction run in constant time? Said differently, is the time it takes to execute independent of its arguments?
Related Questions in ASSEMBLY
- Is there some way to use printf to print a horizontal list of decrementing hex digits in NASM assembly on Linux
- How to call a C language function from x86 assembly code?
- Binary Bomb Phase 2 - Decoding Assembly
- AVR Assembly Clock Cycle
- Understanding the differences between mov and lea instructions in x86 assembly
- ARM Assembly code is not executing in Vitis IDE
- Which version of ARM does the M1 chip run on?
- Why would %rbp not be equal to the value of %rsp, which is 0x28?
- Move immediate 8-bit value into RSI, RDI, RSP or RBP
- Unable to run get .exe file from assembly NASM
- DOSbox automatically freezes and crashes without any prompt warnings
- Load function written in amd64 assembly into memory and call it
- link.exe unresolved external symbol _mainCRTStartup
- x86 Wrote a boot loader that prints a message to the screen but the characters are completely different to what I expected
- running an imf file using dosbox in parallel to a game
Related Questions in X86
- How to call a C language function from x86 assembly code?
- the difference between two style of inline ASM
- Understanding the differences between mov and lea instructions in x86 assembly
- ARM Assembly code is not executing in Vitis IDE
- x86 - compare numbers and push the result onto the stack
- Seeking for the the method for adding the DL (data register) value to DX register
- link.exe unresolved external symbol _mainCRTStartup
- x86 Wrote a boot loader that prints a message to the screen but the characters are completely different to what I expected
- How does CPU tell between MMIO(Memory Mapped IO) and normal memory access in x86 architecture
- Why do register arg values need to be re-assigned in NASM after an int 0x80 system call?
- Why does LLVM-MCA measure an execution stall?
- Why does shr eax, 32 not do anything?
- Evaluating this in Assembly (A % B) % (C % D)
- Understanding throughput of simd sum implementation x86
- Making portable execution errors
Related Questions in MICRO-OPTIMIZATION
- What is causing the store latency in this program?
- Fast BCD addition
- Why is `if x is None: pass` faster than `x is None` alone?
- Optimized 53->32 bit modulo computation on 32-bit processors
- x86 assembly abs() implementation? (revisited)
- How to group static/global variables together for improved cache locality in C++
- Why doesn't the C++ standard library utilize likely/unlikely attributes?
- LEA vs MOV imm64 for loading address-constant into register
- How to zero certain bytes of a register?
- Can packing variables or parameters into structures/unions introduce unforseen performance penalties?
- Controlling class member layout AND destructor order
- Is making a temporary variable or incrementing faster?
- How can I perform a branchless conditional arithmetic operation in C?
- In c++ what is the importance in terms of performance of using 'else' in situations where it doesn't change the flow of the program?
- What are the pros and cons of int, unsigned int, uint_fastN_t, and int_fastN_t?
Related Questions in GALOIS-FIELD
- I am supposed to add two polynomials: x8+x5+x3+x2+1 and x6+x5+x3+x2+x and do mod (x8+x6+x5+x+1). I need help in finding the modulus
- How can I generate more Subkeys from an existing MasterKey, without invalidating already issued subkeys using Shamir Secret Sharing in Java?
- Galois Reed Solomon
- In python, how to find a primitive element of finite field?
- Generate all binary strings/patterns of a given length which are unique even when rotated
- Is there a way to Forward Error Correct (FEC RS) an Alphabet of 36 chars?
- The function np.dot multiplies the GF4 field matrices for a very long time
- How to get the vector representation of a polynomial in GF(2)[x]?
- Power of 3 of a Binary Number in GF(2^6) in VHDL?
- How to perform reduced row echelon form on a non-square GF matrix (GF(2^8)) in matlab
- Is there an efficient algorithm to compute the Jacobsthal matrix or quadratic character in GF(q)?
- Galois field calculator GF(2^4) GF(2^8)
- How to write a polynomial in x**3 instead of x using Polynomial
- modulo reduction in field of non primitive order
- how to caculate in GF(2^8) in Python?
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
According to https://agner.org/optimize/ and
PCLMULQDQhas fixed latency on any given CPU. (http://www.uops.info/table.html doesn't list a latency for it, but has good stuff for most instructions).There's no reason to expect it to be data-dependent- typically only division / sqrt has data-dependent performance in modern high-performance CPUs. Regular multiply doesn't: instead they just make it fast for the general case with lots of hardware parallelism inside the execution unit.
Out-of-order instruction scheduling is a lot easier when uops have fixed latency, and so is building fully-pipelined execution units for them. The scheduler (reservation station) can avoid having 2 operations finish at the same time on the same port and create a write-back conflict. Or worse, in the same execution unit and cause stalls within it. This is why fixed-latency is very common.
(A microcoded multi-uop
pclmulqdqwith branching could potentially have variable latency, or more plausibly latency that depends on the immediate operand: maybe an extra shuffle uop or two when the immediate is non-zero. So the fixed-latency of a single uop argument doesn't necessarily apply to a micro-coded instruction, butpclmuqdqis still simple enough that you wouldn't expect it to actually branch internally the wayrep movsbhas to.)As @fuz points out, PCLMUL was made for crypto, so data-dependent performance would make it vulnerable to timing attacks. So there's a very strong reason to make PCLMUL constant time. (Or at worst, dependent on the immediate, but not the register/memory sources. e.g. an immediate other than
0could cost extra shift uops to get the high halves of the sources fed to a 64x64 => 128 carryless-multiply unit.)Numbers from Agner Fog's tables
On Intel since Broadwell,
pclmuludqis 1 uop. On Skylake, it's 7 cycle latency, 1 per clock throughput. (So you need to keep 7 independent PCLMUL operations in flight to saturate the execution unit on port 5). Broadwell has 5 cycle latency. With a memory source operand, it's 1 extra uop.On Haswell, it's 3 uops (2p0 p5) with 7 cycle latency and one per 2 clock throughput.
On Sandybridge/IvyBridge it's 18 uops, 14c latency, one per 8 clock throughput.
On Westmere (2nd Gen Nehalem) it's 12c latency, one per 8c throughput. (Unknown number of uops, neither Agner Fog nor uops.info has it. But we can safely assume it's microcoded.) This was the first generation to support the instruction- one of the very few differences from Nehalem to Westmere.
On Ryzen it's 4 uops, 4c latency, one per 2 clock throughput. http://instlatx64.atw.hu/ shows it 4.5 cycle latency. I'm not sure what the difference is between their testing and Agner's.
On Piledriver it's 5 uops, 12c latency, one per 7 clock throughput.
On Jaguar it's 1 uop, 3c latency, one per 1 clock throughput!
On Silvermont it's 8 uops, 10c latency/throughput. Goldmont = 3 uops, 6c lat / 3c tput.
See also What considerations go into predicting latency for operations on modern superscalar processors and how can I calculate them by hand? and Agner Fog's optimization guide to understand how latency and throughput (and front-end bottlenecks) matter for performance on out-of-order CPUs, depending on the surrounding code.