8371259: ML-DSA AVX2 and AVX512 intrinsics and improvements

[vpaprotsk]

• New AVX2 intrinsics are 1.6x-6.9x faster than Java baseline
  • SignatureBench.MLDSA is 1.2x-2.2x faster
  • Note: there is no AVX2-SHA3 intrinsics yet (Being reviewed AVX2 and AVX512 intrinsics for SHA3 vpaprotsk/jdk#7)
• AVX512 intrinsic improvements are 1.24x-1.5x faster then current version
  • SignatureBench.MLDSA is upto 5% faster, never slower

Note on intrinsic:

• The emitted (existing) AVX512 assembler was not "significantly" changed; mostly more efficient instruction selection and tighter register allocation, which allowed removal of NTT loop and stack spill.
• Code was refactored to allow reuse of same assembler (as possible) for AVX512 and AVX2

Tests and benchmarks:

• Added a fuzz test to ensure Java and intrinsic produces exactly same result
• Added benchmark to measure the performance of intrinsic itself

make test TEST="test/jdk/sun/security/provider/acvp/Launcher.java test/jdk/sun/security/provider/acvp/ML_DSA_Intrinsic_Test.java"
make test TEST="test/jdk/sun/security/provider/acvp/Launcher.java test/jdk/sun/security/provider/acvp/ML_DSA_Intrinsic_Test.java" JTREG="JAVA_OPTIONS=-XX:UseAVX=2"
make test TEST="micro:org.openjdk.bench.javax.crypto.full.SignatureBench.MLDSA" MICRO="JAVA_OPTIONS=-XX:+UnlockDiagnosticVMOptions -XX:+UseDilithiumIntrinsics;FORK=1"
make test TEST="micro:org.openjdk.bench.javax.crypto.full.SignatureBench.MLDSA" MICRO="JAVA_OPTIONS=-XX:+UnlockDiagnosticVMOptions -XX:-UseDilithiumIntrinsics;FORK=1"

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8371259: ML-DSA AVX2 and AVX512 intrinsics and improvements (Enhancement - P4)

Reviewers

• Mark Powers (@mcpowers - Committer) Review applies to 6d3f7794
• Sandhya Viswanathan (@sviswa7 - Reviewer)
• Anthony Scarpino (@ascarpino - Reviewer) Review applies to b04f4f0d

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/28136/head:pull/28136
$ git checkout pull/28136

Update a local copy of the PR:
$ git checkout pull/28136
$ git pull https://git.openjdk.org/jdk.git pull/28136/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 28136

View PR using the GUI difftool:
$ git pr show -t 28136

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/28136.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back vpaprotski! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@vpaprotsk This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8371259: ML-DSA AVX2 and AVX512 intrinsics and improvements

Reviewed-by: sviswanathan, mpowers, ascarpino

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 1 new commit pushed to the master branch:

• 507a6d3: 8368001: java/text/Format/NumberFormat/NumberRoundTrip.java timed out

Please see this link for an up-to-date comparison between the source branch of this pull request and the master branch.
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

@vpaprotsk The following labels will be automatically applied to this pull request:

• hotspot
• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 05: Full - Incremental (bfc16f1f)
• 04: Full - Incremental (691e1dfc)
• 03: Full - Incremental (cefa021a)
• 02: Full - Incremental (b04f4f0d)
• 01: Full - Incremental (e9133401)
• 00: Full (6d3f7794)

[seanjmullan]

Nice speedup. This improvement seems worthy of a release note.

[jatin-bhateja]

/label add hotspot-compiler-dev

[openjdk]

@jatin-bhateja
The hotspot-compiler label was successfully added.

[vpaprotsk]

@ferakocz @ascarpino when you can spare some time, would appreciate a review (would like to get this into 26 if possible..)

[sviswa7]

Vector length 256 bit is supported by AVX=1.

[sviswa7]

Vector length 256 bit is supported by AVX=1.

[sviswa7]

what is the size-in-bits when size is 0 and 1? What is the difference between size 0 and size1? The overloading of size makes it confusing.

[sviswa7]

size 0 seems to be doing a different shuffle than what is described in the diagram.

[sviswa7]

Did you mean this to be //0b-1-3-1-3?

[sviswa7]

or 3-1-3-1.

[mcpowers]

You might want to have @kuksenko or @ericcaspole look at MLDSABench.java.

[mcpowers]

unused import statement

[mcpowers]

unused import

[mcpowers]

coeffs3 is written to but never read

[mcpowers]

2 lines commented out

[vpaprotsk]

This was useful during development and might be useful hint for debugging; instead of deleting, added a comment. Let me know if that works

[mcpowers]

This is line is useful. Not sure I would hide it at the bottom of the file.

[vpaprotsk]

I actually meant to delete it, but will move it to the top.

[mcpowers]

Copyright date.

[vpaprotsk]

That was some copy-paste! Thanks

[jatin-bhateja]

Minor initial comments

[jatin-bhateja]

Suggested change

	* Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved.
	* Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.

[jatin-bhateja]

You can uses generators for randome initialization of array

[vpaprotsk]

I think you meant this?

        coeffs1 = rnd.ints(ML_DSA_N).toArray();
        coeffs2 = rnd.ints(ML_DSA_N).toArray();

Didn't know about this, thanks. It does work..

But the original purpose (perhaps misguided, but its done) was to 'factor out' the allocations; the outer loop runs many million times (I've left it running for 6+hours during development) and so I wanted a 'somewhat efficient' test.

In hindsight, these (1k) arrays could probably be stack allocated, but I did not want to depend on an optimization when I could just write it without allocations in the mainline

[jatin-bhateja]

Instead of high repetition count can you try tuning the tiered compilation threshold.

[vpaprotsk]

The purpose of the test is to test various (pseudo-random) values and compare the results to the java implementation of same code. A single run-though of the test doesn't always prove that there are no bugs.

A bit philosophical.. as is well known, when writing crypto, branches (conditional on secret) are disallowed; but e.g. carry propagation has the same 'conditional execution' effect. (Instead of "have you tested every branch direction" its "have you tested every carry") Besides a very careful range/overflow analysis (which I also did.. ntt functions skate very close to the int limit), exhaustive fuzz testing is the best method to find conditions that manual (range/overflow) analysis hasn't found; fuzz testing has very little math built in, so its also good at finding 'blind spots' I (and whomever has to review) might have not thought of..

[jatin-bhateja]

When you check for AVX512-VL you allow accessing 128/256 bit registers from the higher register bank [X/Y]MM(16-31)

But your assertions are nowhere checking this.

[vpaprotsk]

I believe those asserts are in vex_prefix_and_encode (

jdk/src/hotspot/cpu/x86/assembler_x86.cpp

Line 13164 in 6d3f779

assert(((!is_extended) || (!attributes->is_legacy_mode())),"XMM register should be 0-15");

) and vex_prefix (

jdk/src/hotspot/cpu/x86/assembler_x86.cpp

Line 13047 in 6d3f779

assert((!is_extended || (!attributes->is_legacy_mode())),"XMM register should be 0-15");

)

I also haven't found any other instruction that does this check so I could emulate the style.

[jatin-bhateja]

When you check for AVX512-VL you allow accessing 128/256 bit registers from the higher register bank [X/Y]MM(16-31)

But your assertions are nowhere checking this.

[jatin-bhateja]

Suggested change

	assert(VM_Version::supports_evex(), "");
	assert(vector_len == AVX_512 || VM_Version::supports_avx512vl), "");

[vpaprotsk]

Took the patch, but also kept the supports_evex() assert

[jatin-bhateja]

Same as above

[jatin-bhateja]

Indentation corretness

[kuksenko]

What is the reason to add a new microbenchmark?
We already have enough micros covering MLDSA:

org.openjdk.bench.javax.crypto.full.KeyPairGeneratorBench.MLDSA.generateKeyPair
org.openjdk.bench.javax.crypto.full.SignatureBench.MLDSA.sign
org.openjdk.bench.javax.crypto.full.SignatureBench.MLDSA.verify
org.openjdk.bench.javax.crypto.small.KeyPairGeneratorBench.MLDSA.generateKeyPair
org.openjdk.bench.javax.crypto.small.SignatureBench.MLDSA.sign
org.openjdk.bench.javax.crypto.small.SignatureBench.MLDSA.verify

[vpaprotsk]

What is the reason to add a new microbenchmark? We already have enough micros covering MLDSA:

org.openjdk.bench.javax.crypto.full.KeyPairGeneratorBench.MLDSA.generateKeyPair org.openjdk.bench.javax.crypto.full.SignatureBench.MLDSA.sign org.openjdk.bench.javax.crypto.full.SignatureBench.MLDSA.verify org.openjdk.bench.javax.crypto.small.KeyPairGeneratorBench.MLDSA.generateKeyPair org.openjdk.bench.javax.crypto.small.SignatureBench.MLDSA.sign org.openjdk.bench.javax.crypto.small.SignatureBench.MLDSA.verify

I can definitely remove it, got no strong attachment to it.. I did find it useful during development and thought it might be useful during review to verify performance.. but the usefulness of it beyond is indeed debatable.

You might notice its a lot more 'granular'; it measures the performance of the intrinsics themselves, not the ("10-level deep") "wrappers". That said, those "wrappers" is what actual user will see and what we should be measuring.

This new benchmark is only useful to another intrinsic developer.. (but it should already be usable by other platforms not just Intel?)

[kuksenko]

What is the reason to add a new microbenchmark? We already have enough micros covering MLDSA:
org.openjdk.bench.javax.crypto.full.KeyPairGeneratorBench.MLDSA.generateKeyPair org.openjdk.bench.javax.crypto.full.SignatureBench.MLDSA.sign org.openjdk.bench.javax.crypto.full.SignatureBench.MLDSA.verify org.openjdk.bench.javax.crypto.small.KeyPairGeneratorBench.MLDSA.generateKeyPair org.openjdk.bench.javax.crypto.small.SignatureBench.MLDSA.sign org.openjdk.bench.javax.crypto.small.SignatureBench.MLDSA.verify

I can definitely remove it, got no strong attachment to it.. I did find it useful during development and thought it might be useful during review to verify performance.. but the usefulness of it beyond is indeed debatable.

You might notice its a lot more 'granular'; it measures the performance of the intrinsics themselves, not the ("10-level deep") "wrappers". That said, those "wrappers" is what actual user will see and what we should be measuring.

This new benchmark is only useful to another intrinsic developer.. (but it should already be usable by other platforms not just Intel?)

I understand your reasons. The question is whether you'll need the microbenchmark in the future. If no (or probably no), please remove the micro.
If needed, please move it from the "org.openjdk.bench.javax.crypto.full" package to "org.openjdk.bench.javax.crypto". It is supposed to have only public API micros in packages "small" and "full"

[sviswa7]

Is the fixme a leftover?

[vpaprotsk]

Yes. Removed. (I think I was considering merging this instruction with the storeXmm, but there really isnt a good way to do that)

[sviswa7]

Looks good to me.

[vpaprotsk]

I understand your reasons. The question is whether you'll need the microbenchmark in the future. If no (or probably no), please remove the micro. If needed, please move it from the "org.openjdk.bench.javax.crypto.full" package to "org.openjdk.bench.javax.crypto". It is supposed to have only public API micros in packages "small" and "full"

@kuksenko I decided to just remove it. If anyone wants it back, its in my git history (I usually keep my branches after merge..)

[iwanowww]

If anyone wants it back, its in my git history (I usually keep my branches after merge..)

You could put a comment with the link into JBS issue to make it easier to discover later. (Or just attach the source file there.)

[vpaprotsk]

@iwanowww thanks for the suggestion! attached to JBS.

@mcpowers would you mind running your internal test suite for this PR? I am thinking of integrating early next week, if no objections; getting close to the release deadline, dont want to cut it even closer..

[mcpowers]

Always faster and never slower:

SignatureBench.MLDSA with +UseDilithiumIntrinsics shows an average 1.61% improvement across all algorithms and data sizes.
Measuring SignatureBench.MLDSA against a baseline build without the fix, shows an average 2.24% improvement across all algorithms and data sizes.

There's nothing special about my benchmark. It's the one in OpenJDK (javax.crypto.full.SignatureBench).

Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cdp_l3 invpcid_single ssbd mba ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm mpx rdt_a avx512f avx512dq rdseed adx smap clflushopt clwb intel_pt avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts hwp hwp_act_window hwp_epp hwp_pkg_req pku ospke avx512_vnni md_clear flush_l1d arch_capabilities

[ferakocz]

Good work! I just found a few typos in the comments.

[ferakocz]

Typo: respectivelly -> respectively

[vpaprotsk]

done

[ferakocz]

Typo: scratch2 -> scratch

[vpaprotsk]

I think I meant "the scratch2" register here.. reworded, please double check if its clearer..

[ferakocz]

Typo: unnecessary '*' at the end

[ferakocz]

Typo: into output register -> into an output register

[vpaprotsk]

used 'the' to be 'specific'.. (I think the lack of articles was causing the confusion.. "the scratch2 register is combined with the output register into scratch.. or something..) Also reworded step 4?

[ferakocz]

Typo: unnecessary '(*' at the beginning

[vpaprotsk]

This was my attempt to add a note to second step.. spelled out "Note"? or can just remove, since swapping only happens on second step..

[ferakocz]

appart -> apart

[vpaprotsk]

Thanks! Looks like I've always misspelled that word! :)

[ferakocz]

appart -> apart

[vpaprotsk]

done

[ferakocz]

appart -> apart

[vpaprotsk]

done

[ferakocz]

appart -> apart

[vpaprotsk]

done

[ferakocz]

substration -> subtraction (I know this was in my own comment :-( )

[vpaprotsk]

done (funny, thats exactly how I say "substraction" in my head too :D )

[vpaprotsk]

SignatureBench.MLDSA with +UseDilithiumIntrinsics shows an average 1.61% improvement across all algorithms and data sizes. Measuring SignatureBench.MLDSA against a baseline build without the fix, shows an average 2.24% improvement across all algorithms and data sizes.

Need bit of clarification.. (I think you are saying there is a regression?).

• +UseDilithiumIntrinsics should be redundant (i.e. vm_version_x86.cpp should automatically detect and turn the feature on).
  • So if I read correctly.. the baseline measured is already has the original intrinsics (implicitly) enabled..
    • therefore there is a 2.24% noise in the benchmark?

In my measurements for AVX512 parts, I had seen between 0%->6% across SignatureBench.MLDSA
- (some variation on desktop-vs-server parts..)
- SignatureBench.MLDSA.verify was worse, only 0->2% depending on keysize (iirc, bigger portion of benchmark was in SHA3 instead)
- SignatureBench.MLDSA.sign was better, 4-6% (also depending on datasize)

That is also why I had included the other (deleted) microbenchmark.. SignatureBench.MLDSA has a lot of 'other things' (e.g. SHA3) also happening, so the AVX512 intrinsic changes were harder to differentiate from noise..
- I had measured ~25%-50% improvement on purely the 5 intrinsics changed..

Hence the claim 'never worse'.. A more precise claim..:
- "New intrinsics seem to be better, but (at least for AVX512) existing intrinsics were already plenty good for MLDSA"

[mcpowers]

The 2.24% improvement is the difference between +UseDilithiumIntrinsics and -UseDilithiumIntrinsics. I just repeated the testing that you documented in the description section of this PR on a different machine.

My baseline is simply a build without your changes. I compared this with a build containing your changes and see a 2.24% improvement.

Verification showed the least amount of improvement (same as what you observed).

"never worse" is just my way of saying "always faster".

[vpaprotsk]

@mcpowers Thanks for tests!

@ferakocz thanks for the review! I think I took them all in, except for the montMul comment section.. Not quite what I meant so tried to reword.. see if it helps any?

[vpaprotsk]

done

[vpaprotsk]

I think I meant "the scratch2" register here.. reworded, please double check if its clearer..

[vpaprotsk]

This was my attempt to add a note to second step.. spelled out "Note"? or can just remove, since swapping only happens on second step..

[vpaprotsk]

used 'the' to be 'specific'.. (I think the lack of articles was causing the confusion.. "the scratch2 register is combined with the output register into scratch.. or something..) Also reworded step 4?

[vpaprotsk]

done

[vpaprotsk]

done

[vpaprotsk]

done

[vpaprotsk]

done

[vpaprotsk]

done (funny, thats exactly how I say "substraction" in my head too :D )

[vpaprotsk]

done

[jatin-bhateja]

Very nice work @vpaprotsk ,
Please also add in comments the links to original reference implimentation of stub.

[jatin-bhateja]

Add long constant suffix

[jatin-bhateja]

Constant suffix

[jatin-bhateja]

Suggested change

	int vector_len, MacroAssembler *_masm, int regCnt = -1, int memStep = -1) {
	int vector_len, MacroAssembler *_masm, int regCnt = -1, int memStep = -1) {

[jatin-bhateja]

Suggested change

	int vector_len, MacroAssembler *_masm, int regCnt = -1, int memStep = -1) {
	int vector_len, MacroAssembler *_masm, int regCnt = -1, int memStep = -1) {

[jatin-bhateja]

Fix indentation

[jatin-bhateja]

Fix indentation

[jatin-bhateja]

64 bit constant suffix

[jatin-bhateja]

Fix indentation