xref: /freebsd/contrib/bearssl/test/test_speed.c (revision 2aaf9152a852aba9eb2036b95f4948ee77988826)

/*
 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
 *
 * Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including
 * without limitation the rights to use, copy, modify, merge, publish,
 * distribute, sublicense, and/or sell copies of the Software, and to
 * permit persons to whom the Software is furnished to do so, subject to
 * the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "inner.h"

#define HASH_SIZE(cname)   br_ ## cname ## _SIZE

#define SPEED_HASH(Name, cname) \
static void \
test_speed_ ## cname(void) \
{ \
	unsigned char buf[8192]; \
	unsigned char tmp[HASH_SIZE(cname)]; \
	br_ ## cname ## _context mc; \
	int i; \
	long num; \
 \
	memset(buf, 'T', sizeof buf); \
	for (i = 0; i < 10; i ++) { \
		br_ ## cname ## _init(&mc); \
		br_ ## cname ## _update(&mc, buf, sizeof buf); \
		br_ ## cname ## _out(&mc, tmp); \
	} \
	num = 10; \
	for (;;) { \
		clock_t begin, end; \
		double tt; \
		long k; \
 \
		br_ ## cname ## _init(&mc); \
		begin = clock(); \
		for (k = num; k > 0; k --) { \
			br_ ## cname ## _update(&mc, buf, sizeof buf); \
		} \
		end = clock(); \
		br_ ## cname ## _out(&mc, tmp); \
		tt = (double)(end - begin) / CLOCKS_PER_SEC; \
		if (tt >= 2.0) { \
			printf("%-30s %8.2f MB/s\n", #Name, \
				((double)sizeof buf) * (double)num \
				/ (tt * 1000000.0)); \
			fflush(stdout); \
			return; \
		} \
		num <<= 1; \
	} \
}

#define BLOCK_SIZE(cname)   br_ ## cname ## _BLOCK_SIZE

#define SPEED_BLOCKCIPHER_CBC(Name, fname, cname, klen, dir) \
static void \
test_speed_ ## fname(void) \
{ \
	unsigned char key[klen]; \
	unsigned char buf[8192 - (8192 % BLOCK_SIZE(cname))]; \
	unsigned char iv[BLOCK_SIZE(cname)]; \
	const br_block_cbc ## dir ## _class *vt; \
	br_ ## cname ## _cbc ## dir ## _keys ec; \
	int i; \
	long num; \
 \
	memset(key, 'T', sizeof key); \
	memset(buf, 'P', sizeof buf); \
	memset(iv, 'X', sizeof iv); \
	vt = br_ ## cname ## _cbc ## dir ## _get_vtable(); \
	if (vt == NULL) { \
		printf("%-30s UNAVAILABLE\n", #Name); \
		fflush(stdout); \
		return; \
	} \
	for (i = 0; i < 10; i ++) { \
		vt->init(&ec.vtable, key, sizeof key); \
		vt->run(&ec.vtable, iv, buf, sizeof buf); \
	} \
	num = 10; \
	for (;;) { \
		clock_t begin, end; \
		double tt; \
		long k; \
 \
		vt->init(&ec.vtable, key, sizeof key); \
		begin = clock(); \
		for (k = num; k > 0; k --) { \
			vt->run(&ec.vtable, iv, buf, sizeof buf); \
		} \
		end = clock(); \
		tt = (double)(end - begin) / CLOCKS_PER_SEC; \
		if (tt >= 2.0) { \
			printf("%-30s %8.2f MB/s\n", #Name, \
				((double)sizeof buf) * (double)num \
				/ (tt * 1000000.0)); \
			fflush(stdout); \
			return; \
		} \
		num <<= 1; \
	} \
}

#define SPEED_BLOCKCIPHER_CTR(Name, fname, cname, klen) \
static void \
test_speed_ ## fname(void) \
{ \
	unsigned char key[klen]; \
	unsigned char buf[8192 - (8192 % BLOCK_SIZE(cname))]; \
	unsigned char iv[BLOCK_SIZE(cname) - 4]; \
	const br_block_ctr_class *vt; \
	br_ ## cname ## _ctr_keys ec; \
	int i; \
	long num; \
 \
	memset(key, 'T', sizeof key); \
	memset(buf, 'P', sizeof buf); \
	memset(iv, 'X', sizeof iv); \
	vt = br_ ## cname ## _ctr_get_vtable(); \
	if (vt == NULL) { \
		printf("%-30s UNAVAILABLE\n", #Name); \
		fflush(stdout); \
		return; \
	} \
	for (i = 0; i < 10; i ++) { \
		vt->init(&ec.vtable, key, sizeof key); \
		vt->run(&ec.vtable, iv, 1, buf, sizeof buf); \
	} \
	num = 10; \
	for (;;) { \
		clock_t begin, end; \
		double tt; \
		long k; \
 \
		vt->init(&ec.vtable, key, sizeof key); \
		begin = clock(); \
		for (k = num; k > 0; k --) { \
			vt->run(&ec.vtable, iv, 1, buf, sizeof buf); \
		} \
		end = clock(); \
		tt = (double)(end - begin) / CLOCKS_PER_SEC; \
		if (tt >= 2.0) { \
			printf("%-30s %8.2f MB/s\n", #Name, \
				((double)sizeof buf) * (double)num \
				/ (tt * 1000000.0)); \
			fflush(stdout); \
			return; \
		} \
		num <<= 1; \
	} \
}

#define SPEED_CHACHA20(Name, fname) \
static void \
test_speed_ ## fname(void) \
{ \
	br_chacha20_run bc; \
	unsigned char key[32]; \
	unsigned char buf[8192]; \
	unsigned char iv[12]; \
	int i; \
	long num; \
 \
	bc = br_ ## fname ## _get(); \
	if (bc == 0) { \
		printf("%-30s UNAVAILABLE\n", #Name); \
		fflush(stdout); \
		return; \
	} \
	memset(key, 'T', sizeof key); \
	memset(buf, 'P', sizeof buf); \
	memset(iv, 'X', sizeof iv); \
	for (i = 0; i < 10; i ++) { \
		bc(key, iv, i, buf, sizeof buf); \
	} \
	num = 10; \
	for (;;) { \
		clock_t begin, end; \
		double tt; \
		long k; \
 \
		begin = clock(); \
		for (k = num; k > 0; k --) { \
			bc(key, iv, (uint32_t)k, buf, sizeof buf); \
		} \
		end = clock(); \
		tt = (double)(end - begin) / CLOCKS_PER_SEC; \
		if (tt >= 2.0) { \
			printf("%-30s %8.2f MB/s\n", #Name, \
				((double)sizeof buf) * (double)num \
				/ (tt * 1000000.0)); \
			fflush(stdout); \
			return; \
		} \
		num <<= 1; \
	} \
}

SPEED_HASH(MD5, md5)
SPEED_HASH(SHA-1, sha1)
SPEED_HASH(SHA-256, sha256)
SPEED_HASH(SHA-512, sha512)

/*
 * There are no vtable selection functions for the portable implementations,
 * so we define some custom macros.
 */
#define br_aes_big_cbcenc_get_vtable()     (&br_aes_big_cbcenc_vtable)
#define br_aes_big_cbcdec_get_vtable()     (&br_aes_big_cbcdec_vtable)
#define br_aes_big_ctr_get_vtable()        (&br_aes_big_ctr_vtable)
#define br_aes_big_ctrcbc_get_vtable()     (&br_aes_big_ctrcbc_vtable)
#define br_aes_small_cbcenc_get_vtable()   (&br_aes_small_cbcenc_vtable)
#define br_aes_small_cbcdec_get_vtable()   (&br_aes_small_cbcdec_vtable)
#define br_aes_small_ctr_get_vtable()      (&br_aes_small_ctr_vtable)
#define br_aes_small_ctrcbc_get_vtable()   (&br_aes_small_ctrcbc_vtable)
#define br_aes_ct_cbcenc_get_vtable()      (&br_aes_ct_cbcenc_vtable)
#define br_aes_ct_cbcdec_get_vtable()      (&br_aes_ct_cbcdec_vtable)
#define br_aes_ct_ctr_get_vtable()         (&br_aes_ct_ctr_vtable)
#define br_aes_ct_ctrcbc_get_vtable()      (&br_aes_ct_ctrcbc_vtable)
#define br_aes_ct64_cbcenc_get_vtable()    (&br_aes_ct64_cbcenc_vtable)
#define br_aes_ct64_cbcdec_get_vtable()    (&br_aes_ct64_cbcdec_vtable)
#define br_aes_ct64_ctr_get_vtable()       (&br_aes_ct64_ctr_vtable)
#define br_aes_ct64_ctrcbc_get_vtable()    (&br_aes_ct64_ctrcbc_vtable)
#define br_chacha20_ct_get()               (&br_chacha20_ct_run)

#define SPEED_AES(iname) \
SPEED_BLOCKCIPHER_CBC(AES-128 CBC encrypt (iname), aes128_ ## iname ## _cbcenc, aes_ ## iname, 16, enc) \
SPEED_BLOCKCIPHER_CBC(AES-128 CBC decrypt (iname), aes128_ ## iname ## _cbcdec, aes_ ## iname, 16, dec) \
SPEED_BLOCKCIPHER_CBC(AES-192 CBC encrypt (iname), aes192_ ## iname ## _cbcenc, aes_ ## iname, 24, enc) \
SPEED_BLOCKCIPHER_CBC(AES-192 CBC decrypt (iname), aes192_ ## iname ## _cbcdec, aes_ ## iname, 24, dec) \
SPEED_BLOCKCIPHER_CBC(AES-256 CBC encrypt (iname), aes256_ ## iname ## _cbcenc, aes_ ## iname, 32, enc) \
SPEED_BLOCKCIPHER_CBC(AES-256 CBC decrypt (iname), aes256_ ## iname ## _cbcdec, aes_ ## iname, 32, dec) \
SPEED_BLOCKCIPHER_CTR(AES-128 CTR (iname), aes128_ ## iname ## _ctr, aes_ ## iname, 16) \
SPEED_BLOCKCIPHER_CTR(AES-192 CTR (iname), aes192_ ## iname ## _ctr, aes_ ## iname, 24) \
SPEED_BLOCKCIPHER_CTR(AES-256 CTR (iname), aes256_ ## iname ## _ctr, aes_ ## iname, 32)

SPEED_AES(big)
SPEED_AES(small)
SPEED_AES(ct)
SPEED_AES(ct64)
SPEED_AES(x86ni)
SPEED_AES(pwr8)

#define br_des_tab_cbcenc_get_vtable()     (&br_des_tab_cbcenc_vtable)
#define br_des_tab_cbcdec_get_vtable()     (&br_des_tab_cbcdec_vtable)
#define br_des_ct_cbcenc_get_vtable()      (&br_des_ct_cbcenc_vtable)
#define br_des_ct_cbcdec_get_vtable()      (&br_des_ct_cbcdec_vtable)

#define SPEED_DES(iname) \
SPEED_BLOCKCIPHER_CBC(DES CBC encrypt (iname), des_ ## iname ## _cbcenc, des_ ## iname, 8, enc) \
SPEED_BLOCKCIPHER_CBC(DES CBC decrypt (iname), des_ ## iname ## _cbcdec, des_ ## iname, 8, dec) \
SPEED_BLOCKCIPHER_CBC(3DES CBC encrypt (iname), 3des_ ## iname ## _cbcenc, des_ ## iname, 24, enc) \
SPEED_BLOCKCIPHER_CBC(3DES CBC decrypt (iname), 3des_ ## iname ## _cbcdec, des_ ## iname, 24, dec)

SPEED_DES(tab)
SPEED_DES(ct)

SPEED_CHACHA20(ChaCha20 (ct), chacha20_ct)
SPEED_CHACHA20(ChaCha20 (sse2), chacha20_sse2)

static void
test_speed_ghash_inner(char *name, br_ghash gh)
{
	unsigned char buf[8192], h[16], y[16];
	int i;
	long num;

	memset(buf, 'T', sizeof buf);
	memset(h, 'P', sizeof h);
	memset(y, 0, sizeof y);
	for (i = 0; i < 10; i ++) {
		gh(y, h, buf, sizeof buf);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			gh(y, h, buf, sizeof buf);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f MB/s\n", name,
				((double)sizeof buf) * (double)num
				/ (tt * 1000000.0));
			fflush(stdout);
			return;
		}
		num <<= 1;
	}
}

static void
test_speed_ghash_ctmul(void)
{
	test_speed_ghash_inner("GHASH (ctmul)", &br_ghash_ctmul);
}

static void
test_speed_ghash_ctmul32(void)
{
	test_speed_ghash_inner("GHASH (ctmul32)", &br_ghash_ctmul32);
}

static void
test_speed_ghash_ctmul64(void)
{
	test_speed_ghash_inner("GHASH (ctmul64)", &br_ghash_ctmul64);
}

static void
test_speed_ghash_pclmul(void)
{
	br_ghash gh;

	gh = br_ghash_pclmul_get();
	if (gh == 0) {
		printf("%-30s UNAVAILABLE\n", "GHASH (pclmul)");
		fflush(stdout);
	} else {
		test_speed_ghash_inner("GHASH (pclmul)", gh);
	}
}

static void
test_speed_ghash_pwr8(void)
{
	br_ghash gh;

	gh = br_ghash_pwr8_get();
	if (gh == 0) {
		printf("%-30s UNAVAILABLE\n", "GHASH (pwr8)");
		fflush(stdout);
	} else {
		test_speed_ghash_inner("GHASH (pwr8)", gh);
	}
}

static uint32_t
fake_chacha20(const void *key, const void *iv,
	uint32_t cc, void *data, size_t len)
{
	(void)key;
	(void)iv;
	(void)data;
	(void)len;
	return cc + (uint32_t)((len + 63) >> 6);
}

/*
 * To speed-test Poly1305, we run it with a do-nothing stub instead of
 * ChaCha20.
 */
static void
test_speed_poly1305_inner(char *name, br_poly1305_run pl)
{
	unsigned char buf[8192], key[32], iv[12], aad[13], tag[16];
	int i;
	long num;

	memset(key, 'K', sizeof key);
	memset(iv, 'I', sizeof iv);
	memset(aad, 'A', sizeof aad);
	memset(buf, 'T', sizeof buf);
	for (i = 0; i < 10; i ++) {
		pl(key, iv, buf, sizeof buf,
			aad, sizeof aad, tag, &fake_chacha20, 0);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			pl(key, iv, buf, sizeof buf,
				aad, sizeof aad, tag, &fake_chacha20, 0);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f MB/s\n", name,
				((double)sizeof buf) * (double)num
				/ (tt * 1000000.0));
			fflush(stdout);
			return;
		}
		num <<= 1;
	}
}

static void
test_speed_poly1305_ctmul(void)
{
	test_speed_poly1305_inner("Poly1305 (ctmul)", &br_poly1305_ctmul_run);
}

static void
test_speed_poly1305_ctmul32(void)
{
	test_speed_poly1305_inner("Poly1305 (ctmul32)",
		&br_poly1305_ctmul32_run);
}

static void
test_speed_poly1305_ctmulq(void)
{
	br_poly1305_run bp;

	bp = br_poly1305_ctmulq_get();
	if (bp == 0) {
		printf("%-30s UNAVAILABLE\n", "Poly1305 (ctmulq)");
	} else {
		test_speed_poly1305_inner("Poly1305 (ctmulq)", bp);
	}
}

static void
test_speed_poly1305_i15(void)
{
	test_speed_poly1305_inner("Poly1305 (i15)", &br_poly1305_i15_run);
}

static void
test_speed_eax_inner(char *name,
	const br_block_ctrcbc_class *vt, size_t key_len)
{
	unsigned char buf[8192], key[32], nonce[16], aad[16], tag[16];
	int i;
	long num;
	br_aes_gen_ctrcbc_keys ac;
	br_eax_context ec;

	if (vt == NULL) {
		printf("%-30s UNAVAILABLE\n", name);
		fflush(stdout);
		return;
	}
	memset(key, 'K', key_len);
	memset(nonce, 'N', sizeof nonce);
	memset(aad, 'A', sizeof aad);
	memset(buf, 'T', sizeof buf);
	for (i = 0; i < 10; i ++) {
		vt->init(&ac.vtable, key, key_len);
		br_eax_init(&ec, &ac.vtable);
		br_eax_reset(&ec, nonce, sizeof nonce);
		br_eax_aad_inject(&ec, aad, sizeof aad);
		br_eax_flip(&ec);
		br_eax_run(&ec, 1, buf, sizeof buf);
		br_eax_get_tag(&ec, tag);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			vt->init(&ac.vtable, key, key_len);
			br_eax_init(&ec, &ac.vtable);
			br_eax_reset(&ec, nonce, sizeof nonce);
			br_eax_aad_inject(&ec, aad, sizeof aad);
			br_eax_flip(&ec);
			br_eax_run(&ec, 1, buf, sizeof buf);
			br_eax_get_tag(&ec, tag);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f MB/s\n", name,
				((double)sizeof buf) * (double)num
				/ (tt * 1000000.0));
			fflush(stdout);
			return;
		}
		num <<= 1;
	}
}

#define SPEED_EAX(Algo, algo, keysize, impl) \
static void \
test_speed_eax_ ## algo ## keysize ## _ ## impl(void) \
{ \
	test_speed_eax_inner("EAX " #Algo "-" #keysize "(" #impl ")", \
		br_ ## algo ## _ ## impl ##  _ctrcbc_get_vtable() \
		, (keysize) >> 3); \
}

SPEED_EAX(AES, aes, 128, big)
SPEED_EAX(AES, aes, 128, small)
SPEED_EAX(AES, aes, 128, ct)
SPEED_EAX(AES, aes, 128, ct64)
SPEED_EAX(AES, aes, 128, x86ni)
SPEED_EAX(AES, aes, 128, pwr8)
SPEED_EAX(AES, aes, 192, big)
SPEED_EAX(AES, aes, 192, small)
SPEED_EAX(AES, aes, 192, ct)
SPEED_EAX(AES, aes, 192, ct64)
SPEED_EAX(AES, aes, 192, x86ni)
SPEED_EAX(AES, aes, 192, pwr8)
SPEED_EAX(AES, aes, 256, big)
SPEED_EAX(AES, aes, 256, small)
SPEED_EAX(AES, aes, 256, ct)
SPEED_EAX(AES, aes, 256, ct64)
SPEED_EAX(AES, aes, 256, x86ni)
SPEED_EAX(AES, aes, 256, pwr8)

static void
test_speed_shake_inner(int security_level)
{
	unsigned char buf[8192];
	br_shake_context sc;
	int i;
	long num;

	memset(buf, 'D', sizeof buf);
	br_shake_init(&sc, security_level);
	for (i = 0; i < 10; i ++) {
		br_shake_inject(&sc, buf, sizeof buf);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_shake_inject(&sc, buf, sizeof buf);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("SHAKE%-3d (inject)              %8.2f MB/s\n",
				security_level,
				((double)sizeof buf) * (double)num
				/ (tt * 1000000.0));
			fflush(stdout);
			break;
		}
		num <<= 1;
	}

	br_shake_flip(&sc);
	for (i = 0; i < 10; i ++) {
		br_shake_produce(&sc, buf, sizeof buf);
	}

	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_shake_produce(&sc, buf, sizeof buf);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("SHAKE%-3d (produce)             %8.2f MB/s\n",
				security_level,
				((double)sizeof buf) * (double)num
				/ (tt * 1000000.0));
			fflush(stdout);
			break;
		}
		num <<= 1;
	}
}

static void
test_speed_shake128(void)
{
	test_speed_shake_inner(128);
}

static void
test_speed_shake256(void)
{
	test_speed_shake_inner(256);
}

static const unsigned char RSA_N[] = {
	0xE9, 0xF2, 0x4A, 0x2F, 0x96, 0xDF, 0x0A, 0x23,
	0x01, 0x85, 0xF1, 0x2C, 0xB2, 0xA8, 0xEF, 0x23,
	0xCE, 0x2E, 0xB0, 0x4E, 0x18, 0x31, 0x95, 0x5B,
	0x98, 0x2D, 0x9B, 0x8C, 0xE3, 0x1A, 0x2B, 0x96,
	0xB5, 0xC7, 0xEE, 0xED, 0x72, 0x43, 0x2D, 0xFE,
	0x7F, 0x61, 0x33, 0xEA, 0x14, 0xFC, 0xDE, 0x80,
	0x17, 0x42, 0xF0, 0xF3, 0xC3, 0xC7, 0x89, 0x47,
	0x76, 0x5B, 0xFA, 0x33, 0xC4, 0x8C, 0x94, 0xDE,
	0x6A, 0x75, 0xD8, 0x1A, 0xF4, 0x49, 0xBC, 0xF3,
	0xB7, 0x9E, 0x2C, 0x8D, 0xEC, 0x5A, 0xEE, 0xBF,
	0x4B, 0x5A, 0x7F, 0xEF, 0x21, 0x39, 0xDB, 0x1D,
	0x83, 0x5E, 0x7E, 0x2F, 0xAA, 0x5E, 0xBA, 0x28,
	0xC3, 0xA2, 0x53, 0x19, 0xFB, 0x2F, 0x78, 0x6B,
	0x14, 0x60, 0x49, 0x3C, 0xCC, 0x1B, 0xE9, 0x1E,
	0x3D, 0x10, 0xA4, 0xEB, 0x7F, 0x66, 0x98, 0xF6,
	0xC3, 0xAC, 0x35, 0xF5, 0x01, 0x84, 0xFF, 0x7D,
	0x1F, 0x72, 0xBE, 0xB4, 0xD1, 0x89, 0xC8, 0xDD,
	0x44, 0xE7, 0xB5, 0x2E, 0x2C, 0xE1, 0x85, 0xF5,
	0x15, 0x50, 0xA9, 0x08, 0xC7, 0x67, 0xD9, 0x2B,
	0x6C, 0x11, 0xB3, 0xEB, 0x28, 0x8D, 0xF4, 0xCC,
	0xE3, 0xC3, 0xC5, 0x04, 0x0E, 0x7C, 0x8D, 0xDB,
	0x39, 0x06, 0x6A, 0x74, 0x75, 0xDF, 0xA8, 0x0F,
	0xDA, 0x67, 0x5A, 0x73, 0x1E, 0xFD, 0x8E, 0x4C,
	0xEE, 0x17, 0xEE, 0x1E, 0x67, 0xDB, 0x98, 0x70,
	0x60, 0xF7, 0xB9, 0xB5, 0x1F, 0x19, 0x93, 0xD6,
	0x3F, 0x2F, 0x1F, 0xB6, 0x5B, 0x59, 0xAA, 0x85,
	0xBB, 0x25, 0xE4, 0x13, 0xEF, 0xE7, 0xB9, 0x87,
	0x9C, 0x3F, 0x5E, 0xE4, 0x08, 0xA3, 0x51, 0xCF,
	0x8B, 0xAD, 0xF4, 0xE6, 0x1A, 0x5F, 0x51, 0xDD,
	0xA8, 0xBE, 0xE8, 0xD1, 0x20, 0x19, 0x61, 0x6C,
	0x18, 0xAB, 0xCA, 0x0A, 0xD9, 0x82, 0xA6, 0x94,
	0xD5, 0x69, 0x2A, 0xF6, 0x43, 0x66, 0x31, 0x09
};

static const unsigned char RSA_E[] = {
	0x01, 0x00, 0x01
};

static const unsigned char RSA_P[] = {
	0xFD, 0x39, 0x40, 0x56, 0x20, 0x80, 0xC5, 0x81,
	0x4C, 0x5F, 0x0C, 0x1A, 0x52, 0x84, 0x03, 0x2F,
	0xCE, 0x82, 0xB0, 0xD8, 0x30, 0x23, 0x7F, 0x77,
	0x45, 0xC2, 0x01, 0xC4, 0x68, 0x96, 0x0D, 0xA7,
	0x22, 0xA9, 0x6C, 0xA9, 0x1A, 0x33, 0xE5, 0x2F,
	0xB5, 0x07, 0x9A, 0xF9, 0xEA, 0x33, 0xA5, 0xC8,
	0x96, 0x60, 0x6A, 0xCA, 0xEB, 0xE5, 0x6E, 0x09,
	0x46, 0x7E, 0x2D, 0xEF, 0x93, 0x7D, 0x56, 0xED,
	0x75, 0x70, 0x3B, 0x96, 0xC4, 0xD5, 0xDB, 0x0B,
	0x3F, 0x69, 0xDF, 0x06, 0x18, 0x76, 0xF4, 0xCF,
	0xF8, 0x84, 0x22, 0xDF, 0xBD, 0x71, 0x62, 0x7B,
	0x67, 0x99, 0xBC, 0x09, 0x95, 0x54, 0xA4, 0x98,
	0x83, 0xF5, 0xA9, 0xCF, 0x09, 0xA5, 0x1F, 0x61,
	0x25, 0xB4, 0x70, 0x6C, 0x91, 0xB8, 0xB3, 0xD0,
	0xCE, 0x9C, 0x45, 0x65, 0x9B, 0xEF, 0xD4, 0x70,
	0xBE, 0x86, 0xD2, 0x98, 0x5D, 0xEB, 0xE3, 0xFF
};

static const unsigned char RSA_Q[] = {
	0xEC, 0x82, 0xEE, 0x63, 0x5F, 0x40, 0x52, 0xDB,
	0x38, 0x7A, 0x37, 0x6A, 0x54, 0x5B, 0xD9, 0xA0,
	0x73, 0xB4, 0xBB, 0x52, 0xB2, 0x84, 0x07, 0xD0,
	0xCC, 0x82, 0x0D, 0x20, 0xB3, 0xFA, 0xD5, 0xB6,
	0x25, 0x92, 0x35, 0x4D, 0xB4, 0xC7, 0x36, 0x48,
	0xCE, 0x5E, 0x21, 0x4A, 0xA6, 0x74, 0x65, 0xF4,
	0x7D, 0x1D, 0xBC, 0x3B, 0xE2, 0xF4, 0x3E, 0x11,
	0x58, 0x10, 0x6C, 0x04, 0x46, 0x9E, 0x8D, 0x57,
	0xE0, 0x04, 0xE2, 0xEC, 0x47, 0xCF, 0xB3, 0x2A,
	0xFD, 0x4C, 0x55, 0x18, 0xDB, 0xDE, 0x3B, 0xDC,
	0xF4, 0x5B, 0xDA, 0xF3, 0x1A, 0xC8, 0x41, 0x6F,
	0x73, 0x3B, 0xFE, 0x3C, 0xA0, 0xDB, 0xBA, 0x6E,
	0x65, 0xA5, 0xE8, 0x02, 0xA5, 0x6C, 0xEA, 0x03,
	0xF6, 0x99, 0xF7, 0xCB, 0x4B, 0xB7, 0x11, 0x51,
	0x93, 0x88, 0x3F, 0xF9, 0x06, 0x85, 0xA9, 0x1E,
	0xCA, 0x64, 0xF8, 0x11, 0xA5, 0x1A, 0xCA, 0xF7
};

static const unsigned char RSA_DP[] = {
	0x77, 0x95, 0xE0, 0x02, 0x4C, 0x9B, 0x43, 0xAA,
	0xCA, 0x4C, 0x60, 0xC4, 0xD5, 0x8F, 0x2E, 0x8A,
	0x17, 0x36, 0xB5, 0x19, 0x83, 0xB2, 0x5F, 0xF2,
	0x0D, 0xE9, 0x8F, 0x38, 0x18, 0x44, 0x34, 0xF2,
	0x67, 0x76, 0x27, 0xB0, 0xBC, 0x85, 0x21, 0x89,
	0x24, 0x2F, 0x11, 0x4B, 0x51, 0x05, 0x4F, 0x17,
	0xA9, 0x9C, 0xA3, 0x12, 0x6D, 0xD1, 0x0D, 0xE4,
	0x27, 0x7C, 0x53, 0x69, 0x3E, 0xF8, 0x04, 0x63,
	0x64, 0x00, 0xBA, 0xC3, 0x7A, 0xF5, 0x9B, 0xDA,
	0x75, 0xFA, 0x23, 0xAF, 0x17, 0x42, 0xA6, 0x5E,
	0xC8, 0xF8, 0x6E, 0x17, 0xC7, 0xB9, 0x92, 0x4E,
	0xC1, 0x20, 0x63, 0x23, 0x0B, 0x78, 0xCB, 0xBA,
	0x93, 0x27, 0x23, 0x28, 0x79, 0x5F, 0x97, 0xB0,
	0x23, 0x44, 0x51, 0x8B, 0x94, 0x4D, 0xEB, 0xED,
	0x82, 0x85, 0x5E, 0x68, 0x9B, 0xF9, 0xE9, 0x13,
	0xCD, 0x86, 0x92, 0x52, 0x0E, 0x98, 0xE6, 0x35
};

static const unsigned char RSA_DQ[] = {
	0xD8, 0xDD, 0x71, 0xB3, 0x62, 0xBA, 0xBB, 0x7E,
	0xD1, 0xF9, 0x96, 0xE8, 0x83, 0xB3, 0xB9, 0x08,
	0x9C, 0x30, 0x03, 0x77, 0xDF, 0xC2, 0x9A, 0xDC,
	0x05, 0x39, 0xD6, 0xC9, 0xBE, 0xDE, 0x68, 0xA9,
	0xDD, 0x27, 0x84, 0x82, 0xDD, 0x19, 0xB1, 0x97,
	0xEE, 0xCA, 0x77, 0x22, 0x59, 0x20, 0xEF, 0xFF,
	0xCF, 0xDD, 0xBD, 0x24, 0xF8, 0x84, 0xD6, 0x88,
	0xD6, 0xC4, 0x30, 0x17, 0x77, 0x9D, 0x98, 0xA3,
	0x14, 0x01, 0xC7, 0x05, 0xBB, 0x0F, 0x23, 0x0D,
	0x6F, 0x37, 0x57, 0xEC, 0x34, 0x67, 0x41, 0x62,
	0xE8, 0x19, 0x75, 0xD9, 0x66, 0x1C, 0x6B, 0x8B,
	0xC3, 0x11, 0x26, 0x9C, 0xF7, 0x2E, 0xA3, 0x72,
	0xE8, 0xF7, 0xC8, 0x96, 0xEC, 0x92, 0xC2, 0xBD,
	0xA1, 0x98, 0x2A, 0x93, 0x99, 0xB8, 0xA2, 0x43,
	0xB7, 0xD0, 0xBE, 0x40, 0x1C, 0x8F, 0xE0, 0xB4,
	0x20, 0x07, 0x97, 0x43, 0xAE, 0xAD, 0xB3, 0x9F
};

static const unsigned char RSA_IQ[] = {
	0xB7, 0xE2, 0x60, 0xA9, 0x62, 0xEC, 0xEC, 0x0B,
	0x57, 0x02, 0x96, 0xF9, 0x36, 0x35, 0x2C, 0x37,
	0xAF, 0xC2, 0xEE, 0x71, 0x49, 0x26, 0x8E, 0x0F,
	0x27, 0xB1, 0xFA, 0x0F, 0xEA, 0xDC, 0xF0, 0x8B,
	0x53, 0x6C, 0xB2, 0x46, 0x27, 0xCD, 0x29, 0xA2,
	0x35, 0x0F, 0x5D, 0x8A, 0x3F, 0x20, 0x8C, 0x13,
	0x3D, 0xA1, 0xFF, 0x85, 0x91, 0x99, 0xE8, 0x50,
	0xED, 0xF1, 0x29, 0x00, 0xEE, 0x24, 0x90, 0xB5,
	0x5F, 0x3A, 0x74, 0x26, 0xD7, 0xA2, 0x24, 0x8D,
	0x89, 0x88, 0xD8, 0x35, 0x22, 0x22, 0x8A, 0x66,
	0x5D, 0x5C, 0xDE, 0x83, 0x8C, 0xFA, 0x27, 0xE6,
	0xB9, 0xEB, 0x72, 0x08, 0xCD, 0x53, 0x4B, 0x93,
	0x0F, 0xAD, 0xC3, 0xF8, 0x7C, 0xFE, 0x84, 0xD7,
	0x08, 0xF3, 0xBE, 0x3D, 0x60, 0x1E, 0x95, 0x8D,
	0x44, 0x5B, 0x65, 0x7E, 0xC1, 0x30, 0xC3, 0x84,
	0xC0, 0xB0, 0xFE, 0xBF, 0x28, 0x54, 0x1E, 0xC4
};

static const br_rsa_public_key RSA_PK = {
	(void *)RSA_N, sizeof RSA_N,
	(void *)RSA_E, sizeof RSA_E
};

static const br_rsa_private_key RSA_SK = {
	2048,
	(void *)RSA_P, sizeof RSA_P,
	(void *)RSA_Q, sizeof RSA_Q,
	(void *)RSA_DP, sizeof RSA_DP,
	(void *)RSA_DQ, sizeof RSA_DQ,
	(void *)RSA_IQ, sizeof RSA_IQ
};

static void
test_speed_rsa_inner(char *name,
	br_rsa_public fpub, br_rsa_private fpriv, br_rsa_keygen kgen)
{
	unsigned char tmp[sizeof RSA_N];
	int i;
	long num;
	/*
	br_hmac_drbg_context rng;
	*/
	br_aesctr_drbg_context rng;
	const br_block_ctr_class *ictr;

	memset(tmp, 'R', sizeof tmp);
	tmp[0] = 0;
	for (i = 0; i < 10; i ++) {
		if (!fpriv(tmp, &RSA_SK)) {
			abort();
		}
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			fpriv(tmp, &RSA_SK);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f priv/s\n", name,
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}
	for (i = 0; i < 10; i ++) {
		if (!fpub(tmp, sizeof tmp, &RSA_PK)) {
			abort();
		}
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			fpub(tmp, sizeof tmp, &RSA_PK);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f pub/s\n", name,
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}

	if (kgen == 0) {
		printf("%-30s KEYGEN UNAVAILABLE\n", name);
		fflush(stdout);
		return;
	}
	/*
	br_hmac_drbg_init(&rng, &br_sha256_vtable, "RSA keygen seed", 15);
	*/
	ictr = br_aes_x86ni_ctr_get_vtable();
	if (ictr == NULL) {
		ictr = br_aes_pwr8_ctr_get_vtable();
		if (ictr == NULL) {
#if BR_64
			ictr = &br_aes_ct64_ctr_vtable;
#else
			ictr = &br_aes_ct_ctr_vtable;
#endif
		}
	}
	br_aesctr_drbg_init(&rng, ictr, "RSA keygen seed", 15);

	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_rsa_private_key sk;
			unsigned char kbuf[BR_RSA_KBUF_PRIV_SIZE(1024)];

			kgen(&rng.vtable, &sk, kbuf, NULL, NULL, 1024, 0);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 10.0) {
			printf("%-30s %8.2f kgen[1024]/s\n", name,
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}

	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_rsa_private_key sk;
			unsigned char kbuf[BR_RSA_KBUF_PRIV_SIZE(2048)];

			kgen(&rng.vtable, &sk, kbuf, NULL, NULL, 2048, 0);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 10.0) {
			printf("%-30s %8.2f kgen[2048]/s\n", name,
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}
}

static void
test_speed_rsa_i15(void)
{
	test_speed_rsa_inner("RSA i15",
		&br_rsa_i15_public, &br_rsa_i15_private, &br_rsa_i15_keygen);
}

static void
test_speed_rsa_i31(void)
{
	test_speed_rsa_inner("RSA i31",
		&br_rsa_i31_public, &br_rsa_i31_private, &br_rsa_i31_keygen);
}

static void
test_speed_rsa_i32(void)
{
	test_speed_rsa_inner("RSA i32",
		&br_rsa_i32_public, &br_rsa_i32_private, 0);
}

static void
test_speed_rsa_i62(void)
{
	br_rsa_public pub;
	br_rsa_private priv;
	br_rsa_keygen kgen;

	pub = br_rsa_i62_public_get();
	priv = br_rsa_i62_private_get();
	kgen = br_rsa_i62_keygen_get();
	if (pub) {
		test_speed_rsa_inner("RSA i62", pub, priv, kgen);
	} else {
		printf("%-30s UNAVAILABLE\n", "RSA i62");
	}
}

static void
test_speed_ec_inner_1(const char *name,
	const br_ec_impl *impl, const br_ec_curve_def *cd)
{
	unsigned char bx[80], U[160];
	uint32_t x[22], n[22];
	size_t nlen, ulen;
	int i;
	long num;

	nlen = cd->order_len;
	br_i31_decode(n, cd->order, nlen);
	memset(bx, 'T', sizeof bx);
	br_i31_decode_reduce(x, bx, sizeof bx, n);
	br_i31_encode(bx, nlen, x);
	ulen = cd->generator_len;
	memcpy(U, cd->generator, ulen);
	for (i = 0; i < 10; i ++) {
		impl->mul(U, ulen, bx, nlen, cd->curve);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			impl->mul(U, ulen, bx, nlen, cd->curve);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f mul/s\n", name,
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}
}

static void
test_speed_ec_inner_2(const char *name,
	const br_ec_impl *impl, const br_ec_curve_def *cd)
{
	unsigned char bx[80], U[160];
	uint32_t x[22], n[22];
	size_t nlen;
	int i;
	long num;

	nlen = cd->order_len;
	br_i31_decode(n, cd->order, nlen);
	memset(bx, 'T', sizeof bx);
	br_i31_decode_reduce(x, bx, sizeof bx, n);
	br_i31_encode(bx, nlen, x);
	for (i = 0; i < 10; i ++) {
		impl->mulgen(U, bx, nlen, cd->curve);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			impl->mulgen(U, bx, nlen, cd->curve);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f mul/s\n", name,
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}
}

static void
test_speed_ec_inner(const char *name,
	const br_ec_impl *impl, const br_ec_curve_def *cd)
{
	char tmp[50];

	test_speed_ec_inner_1(name, impl, cd);
	sprintf(tmp, "%s (FP)", name);
	test_speed_ec_inner_2(tmp, impl, cd);
}

static void
test_speed_ec_p256_m15(void)
{
	test_speed_ec_inner("EC p256_m15",
		&br_ec_p256_m15, &br_secp256r1);
}

static void
test_speed_ec_p256_m31(void)
{
	test_speed_ec_inner("EC p256_m31",
		&br_ec_p256_m31, &br_secp256r1);
}

static void
test_speed_ec_p256_m62(void)
{
	const br_ec_impl *ec;

	ec = br_ec_p256_m62_get();
	if (ec != NULL) {
		test_speed_ec_inner("EC p256_m62", ec, &br_secp256r1);
	} else {
		printf("%-30s UNAVAILABLE\n", "EC p256_m62");
	}
}

static void
test_speed_ec_p256_m64(void)
{
	const br_ec_impl *ec;

	ec = br_ec_p256_m64_get();
	if (ec != NULL) {
		test_speed_ec_inner("EC p256_m64", ec, &br_secp256r1);
	} else {
		printf("%-30s UNAVAILABLE\n", "EC p256_m64");
	}
}

static void
test_speed_ec_prime_i15(void)
{
	test_speed_ec_inner("EC prime_i15 P-256",
		&br_ec_prime_i15, &br_secp256r1);
	test_speed_ec_inner("EC prime_i15 P-384",
		&br_ec_prime_i15, &br_secp384r1);
	test_speed_ec_inner("EC prime_i15 P-521",
		&br_ec_prime_i15, &br_secp521r1);
}

static void
test_speed_ec_prime_i31(void)
{
	test_speed_ec_inner("EC prime_i31 P-256",
		&br_ec_prime_i31, &br_secp256r1);
	test_speed_ec_inner("EC prime_i31 P-384",
		&br_ec_prime_i31, &br_secp384r1);
	test_speed_ec_inner("EC prime_i31 P-521",
		&br_ec_prime_i31, &br_secp521r1);
}

static void
test_speed_ec_c25519_i15(void)
{
	test_speed_ec_inner("EC c25519_i15",
		&br_ec_c25519_i15, &br_curve25519);
}

static void
test_speed_ec_c25519_i31(void)
{
	test_speed_ec_inner("EC c25519_i31",
		&br_ec_c25519_i31, &br_curve25519);
}

static void
test_speed_ec_c25519_m15(void)
{
	test_speed_ec_inner("EC c25519_m15",
		&br_ec_c25519_m15, &br_curve25519);
}

static void
test_speed_ec_c25519_m31(void)
{
	test_speed_ec_inner("EC c25519_m31",
		&br_ec_c25519_m31, &br_curve25519);
}

static void
test_speed_ec_c25519_m62(void)
{
	const br_ec_impl *ec;

	ec = br_ec_c25519_m62_get();
	if (ec != NULL) {
		test_speed_ec_inner("EC c25519_m62", ec, &br_curve25519);
	} else {
		printf("%-30s UNAVAILABLE\n", "EC c25519_m62");
	}
}

static void
test_speed_ec_c25519_m64(void)
{
	const br_ec_impl *ec;

	ec = br_ec_c25519_m64_get();
	if (ec != NULL) {
		test_speed_ec_inner("EC c25519_m64", ec, &br_curve25519);
	} else {
		printf("%-30s UNAVAILABLE\n", "EC c25519_m64");
	}
}

static void
test_speed_ecdsa_inner(const char *name,
	const br_ec_impl *impl, const br_ec_curve_def *cd,
	br_ecdsa_sign sign, br_ecdsa_vrfy vrfy)
{
	unsigned char bx[80], U[160], hv[32], sig[160];
	uint32_t x[22], n[22];
	size_t nlen, ulen, sig_len;
	int i;
	long num;
	br_ec_private_key sk;
	br_ec_public_key pk;

	nlen = cd->order_len;
	br_i31_decode(n, cd->order, nlen);
	memset(bx, 'T', sizeof bx);
	br_i31_decode_reduce(x, bx, sizeof bx, n);
	br_i31_encode(bx, nlen, x);
	ulen = cd->generator_len;
	memcpy(U, cd->generator, ulen);
	impl->mul(U, ulen, bx, nlen, cd->curve);
	sk.curve = cd->curve;
	sk.x = bx;
	sk.xlen = nlen;
	pk.curve = cd->curve;
	pk.q = U;
	pk.qlen = ulen;

	memset(hv, 'H', sizeof hv);
	sig_len = sign(impl, &br_sha256_vtable, hv, &sk, sig);
	if (vrfy(impl, hv, sizeof hv, &pk, sig, sig_len) != 1) {
		fprintf(stderr, "self-test sign/verify failed\n");
		exit(EXIT_FAILURE);
	}

	for (i = 0; i < 10; i ++) {
		hv[1] ++;
		sign(impl, &br_sha256_vtable, hv, &sk, sig);
		vrfy(impl, hv, sizeof hv, &pk, sig, sig_len);
	}

	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			hv[1] ++;
			sig_len = sign(impl, &br_sha256_vtable, hv, &sk, sig);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f sign/s\n", name,
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}

	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			vrfy(impl, hv, sizeof hv, &pk, sig, sig_len);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f verify/s\n", name,
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}
}

static void
test_speed_ecdsa_p256_m15(void)
{
	test_speed_ecdsa_inner("ECDSA m15 P-256",
		&br_ec_p256_m15, &br_secp256r1,
		&br_ecdsa_i15_sign_asn1,
		&br_ecdsa_i15_vrfy_asn1);
}

static void
test_speed_ecdsa_p256_m31(void)
{
	test_speed_ecdsa_inner("ECDSA m31 P-256",
		&br_ec_p256_m31, &br_secp256r1,
		&br_ecdsa_i31_sign_asn1,
		&br_ecdsa_i31_vrfy_asn1);
}

static void
test_speed_ecdsa_p256_m62(void)
{
	const br_ec_impl *ec;

	ec = br_ec_p256_m62_get();
	if (ec != NULL) {
		test_speed_ecdsa_inner("ECDSA m62 P-256",
			ec, &br_secp256r1,
			&br_ecdsa_i31_sign_asn1,
			&br_ecdsa_i31_vrfy_asn1);
	} else {
		printf("%-30s UNAVAILABLE\n", "ECDSA m62 P-256");
	}
}

static void
test_speed_ecdsa_p256_m64(void)
{
	const br_ec_impl *ec;

	ec = br_ec_p256_m64_get();
	if (ec != NULL) {
		test_speed_ecdsa_inner("ECDSA m64 P-256",
			ec, &br_secp256r1,
			&br_ecdsa_i31_sign_asn1,
			&br_ecdsa_i31_vrfy_asn1);
	} else {
		printf("%-30s UNAVAILABLE\n", "ECDSA m64 P-256");
	}
}

static void
test_speed_ecdsa_i15(void)
{
	test_speed_ecdsa_inner("ECDSA i15 P-256",
		&br_ec_prime_i15, &br_secp256r1,
		&br_ecdsa_i15_sign_asn1,
		&br_ecdsa_i15_vrfy_asn1);
	test_speed_ecdsa_inner("ECDSA i15 P-384",
		&br_ec_prime_i15, &br_secp384r1,
		&br_ecdsa_i15_sign_asn1,
		&br_ecdsa_i15_vrfy_asn1);
	test_speed_ecdsa_inner("ECDSA i15 P-521",
		&br_ec_prime_i15, &br_secp521r1,
		&br_ecdsa_i15_sign_asn1,
		&br_ecdsa_i15_vrfy_asn1);
}

static void
test_speed_ecdsa_i31(void)
{
	test_speed_ecdsa_inner("ECDSA i31 P-256",
		&br_ec_prime_i31, &br_secp256r1,
		&br_ecdsa_i31_sign_asn1,
		&br_ecdsa_i31_vrfy_asn1);
	test_speed_ecdsa_inner("ECDSA i31 P-384",
		&br_ec_prime_i31, &br_secp384r1,
		&br_ecdsa_i31_sign_asn1,
		&br_ecdsa_i31_vrfy_asn1);
	test_speed_ecdsa_inner("ECDSA i31 P-521",
		&br_ec_prime_i31, &br_secp521r1,
		&br_ecdsa_i31_sign_asn1,
		&br_ecdsa_i31_vrfy_asn1);
}

static void
test_speed_i31(void)
{
	static const unsigned char bp[] = {
		/* A 521-bit prime integer (order of the P-521 curve). */
		0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
		0xFF, 0xFA, 0x51, 0x86, 0x87, 0x83, 0xBF, 0x2F,
		0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
		0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C,
		0x47, 0xAE, 0xBB, 0x6F, 0xB7, 0x1E, 0x91, 0x38,
		0x64, 0x09
	};

	unsigned char tmp[60 + sizeof bp];
	uint32_t p[20], x[20], y[20], z[20], uu[60], p0i;
	int i;
	long num;

	br_i31_decode(p, bp, sizeof bp);
	p0i = br_i31_ninv31(p[1]);
	memset(tmp, 'T', sizeof tmp);
	br_i31_decode_reduce(x, tmp, sizeof tmp, p);
	memset(tmp, 'U', sizeof tmp);
	br_i31_decode_reduce(y, tmp, sizeof tmp, p);

	for (i = 0; i < 10; i ++) {
		br_i31_to_monty(x, p);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_i31_to_monty(x, p);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f ops/s\n", "i31 to_monty",
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}

	for (i = 0; i < 10; i ++) {
		br_i31_from_monty(x, p, p0i);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_i31_from_monty(x, p, p0i);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f ops/s\n", "i31 from_monty",
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}

	for (i = 0; i < 10; i ++) {
		br_i31_montymul(z, x, y, p, p0i);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_i31_montymul(z, x, y, p, p0i);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f ops/s\n", "i31 montymul",
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}

	for (i = 0; i < 10; i ++) {
		br_i31_moddiv(x, y, p, p0i, uu);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_i31_moddiv(x, y, p, p0i, uu);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f ops/s\n", "i31 moddiv",
				(double)num / tt);
			fflush(stdout);
			break;
		}
		num <<= 1;
	}
}

#if 0

static unsigned char P2048[] = {
	0xFD, 0xB6, 0xE0, 0x3E, 0x00, 0x49, 0x4C, 0xF0, 0x69, 0x3A, 0xDD, 0x7D,
	0xF8, 0xA2, 0x41, 0xB0, 0x6C, 0x67, 0xC5, 0xBA, 0xB8, 0x46, 0x80, 0xF5,
	0xBF, 0xAB, 0x98, 0xFC, 0x84, 0x73, 0xA5, 0x63, 0xC9, 0x52, 0x12, 0xDA,
	0x4C, 0xC1, 0x5B, 0x9D, 0x8D, 0xDF, 0xCD, 0xFE, 0xC5, 0xAD, 0x5A, 0x6F,
	0xDD, 0x02, 0xD9, 0xEC, 0x71, 0xEF, 0xEB, 0xB6, 0x95, 0xED, 0x94, 0x25,
	0x0E, 0x63, 0xDD, 0x6A, 0x52, 0xC7, 0x93, 0xAF, 0x85, 0x9D, 0x2C, 0xBE,
	0x5C, 0xBE, 0x35, 0xD8, 0xDD, 0x39, 0xEF, 0x1B, 0xB1, 0x49, 0x67, 0xB2,
	0x33, 0xC9, 0x7C, 0xE1, 0x51, 0x79, 0x51, 0x59, 0xCA, 0x6E, 0x2A, 0xDF,
	0x0D, 0x76, 0x1C, 0xE7, 0xA5, 0xC0, 0x1E, 0x6C, 0x56, 0x3A, 0x32, 0xE5,
	0xB5, 0xC5, 0xD4, 0xDB, 0xFE, 0xFF, 0xF8, 0xF2, 0x96, 0xA9, 0xC9, 0x65,
	0x59, 0x9E, 0x01, 0x79, 0x9D, 0x38, 0x68, 0x0F, 0xAD, 0x43, 0x3A, 0xD6,
	0x84, 0x0A, 0xE2, 0xEF, 0x96, 0xC1, 0x6D, 0x89, 0x74, 0x19, 0x63, 0x82,
	0x3B, 0xA0, 0x9C, 0xBA, 0x78, 0xDE, 0xDC, 0xC2, 0xE7, 0xD4, 0xFA, 0xD6,
	0x19, 0x21, 0x29, 0xAE, 0x5E, 0xF4, 0x38, 0x81, 0xC6, 0x9E, 0x0E, 0x3C,
	0xCD, 0xC0, 0xDC, 0x93, 0x5D, 0xFD, 0x9A, 0x5C, 0xAB, 0x54, 0x1F, 0xFF,
	0x9C, 0x12, 0x1B, 0x4C, 0xDF, 0x2D, 0x9C, 0x85, 0xF9, 0x68, 0x15, 0x89,
	0x42, 0x9B, 0x6C, 0x45, 0x89, 0x3A, 0xBC, 0xE9, 0x19, 0x91, 0xBE, 0x0C,
	0xEF, 0x90, 0xCC, 0xF6, 0xD6, 0xF0, 0x3D, 0x5C, 0xF5, 0xE5, 0x0F, 0x2F,
	0x02, 0x8A, 0x83, 0x4B, 0x93, 0x2F, 0x14, 0x12, 0x1F, 0x56, 0x9A, 0x12,
	0x58, 0x88, 0xAE, 0x60, 0xB8, 0x5A, 0xE4, 0xA1, 0xBF, 0x4A, 0x81, 0x84,
	0xAB, 0xBB, 0xE4, 0xD0, 0x1D, 0x41, 0xD9, 0x0A, 0xAB, 0x1E, 0x47, 0x5B,
	0x31, 0xAC, 0x2B, 0x73
};

static unsigned char G2048[] = {
	0x02
};

static void
test_speed_modpow(void)
{
	uint32_t mx[65], mp[65], me[65], t1[65], t2[65], len;
	unsigned char e[64];
	int i;
	long num;

	len = br_int_decode(mp, sizeof mp / sizeof mp[0],
		P2048, sizeof P2048);
	if (len != 65) {
		abort();
	}
	memset(e, 'P', sizeof e);
	if (!br_int_decode(me, sizeof me / sizeof me[0], e, sizeof e)) {
		abort();
	}
	if (!br_modint_decode(mx, mp, G2048, sizeof G2048)) {
		abort();
	}
	for (i = 0; i < 10; i ++) {
		br_modint_to_monty(mx, mp);
		br_modint_montypow(mx, me, mp, t1, t2);
		br_modint_from_monty(mx, mp);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_modint_to_monty(mx, mp);
			br_modint_montypow(mx, me, mp, t1, t2);
			br_modint_from_monty(mx, mp);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f exp/s\n", "pow[2048:256]",
				(double)num / tt);
			fflush(stdout);
			return;
		}
		num <<= 1;
	}
}

static void
test_speed_moddiv(void)
{
	uint32_t mx[65], my[65], mp[65], t1[65], t2[65], t3[65], len;
	unsigned char x[255], y[255];
	int i;
	long num;

	len = br_int_decode(mp, sizeof mp / sizeof mp[0],
		P2048, sizeof P2048);
	if (len != 65) {
		abort();
	}
	memset(x, 'T', sizeof x);
	memset(y, 'P', sizeof y);
	if (!br_modint_decode(mx, mp, x, sizeof x)) {
		abort();
	}
	if (!br_modint_decode(my, mp, y, sizeof y)) {
		abort();
	}
	for (i = 0; i < 10; i ++) {
		br_modint_div(mx, my, mp, t1, t2, t3);
	}
	num = 10;
	for (;;) {
		clock_t begin, end;
		double tt;
		long k;

		begin = clock();
		for (k = num; k > 0; k --) {
			br_modint_div(mx, my, mp, t1, t2, t3);
		}
		end = clock();
		tt = (double)(end - begin) / CLOCKS_PER_SEC;
		if (tt >= 2.0) {
			printf("%-30s %8.2f div/s\n", "div[2048]",
				(double)num / tt);
			fflush(stdout);
			return;
		}
		num <<= 1;
	}
}
#endif

#define STU(x)   { test_speed_ ## x, #x }

static const struct {
	void (*fn)(void);
	char *name;
} tfns[] = {
	STU(md5),
	STU(sha1),
	STU(sha256),
	STU(sha512),

	STU(aes128_big_cbcenc),
	STU(aes128_big_cbcdec),
	STU(aes192_big_cbcenc),
	STU(aes192_big_cbcdec),
	STU(aes256_big_cbcenc),
	STU(aes256_big_cbcdec),
	STU(aes128_big_ctr),
	STU(aes192_big_ctr),
	STU(aes256_big_ctr),

	STU(aes128_small_cbcenc),
	STU(aes128_small_cbcdec),
	STU(aes192_small_cbcenc),
	STU(aes192_small_cbcdec),
	STU(aes256_small_cbcenc),
	STU(aes256_small_cbcdec),
	STU(aes128_small_ctr),
	STU(aes192_small_ctr),
	STU(aes256_small_ctr),

	STU(aes128_ct_cbcenc),
	STU(aes128_ct_cbcdec),
	STU(aes192_ct_cbcenc),
	STU(aes192_ct_cbcdec),
	STU(aes256_ct_cbcenc),
	STU(aes256_ct_cbcdec),
	STU(aes128_ct_ctr),
	STU(aes192_ct_ctr),
	STU(aes256_ct_ctr),

	STU(aes128_ct64_cbcenc),
	STU(aes128_ct64_cbcdec),
	STU(aes192_ct64_cbcenc),
	STU(aes192_ct64_cbcdec),
	STU(aes256_ct64_cbcenc),
	STU(aes256_ct64_cbcdec),
	STU(aes128_ct64_ctr),
	STU(aes192_ct64_ctr),
	STU(aes256_ct64_ctr),

	STU(aes128_x86ni_cbcenc),
	STU(aes128_x86ni_cbcdec),
	STU(aes192_x86ni_cbcenc),
	STU(aes192_x86ni_cbcdec),
	STU(aes256_x86ni_cbcenc),
	STU(aes256_x86ni_cbcdec),
	STU(aes128_x86ni_ctr),
	STU(aes192_x86ni_ctr),
	STU(aes256_x86ni_ctr),

	STU(aes128_pwr8_cbcenc),
	STU(aes128_pwr8_cbcdec),
	STU(aes192_pwr8_cbcenc),
	STU(aes192_pwr8_cbcdec),
	STU(aes256_pwr8_cbcenc),
	STU(aes256_pwr8_cbcdec),
	STU(aes128_pwr8_ctr),
	STU(aes192_pwr8_ctr),
	STU(aes256_pwr8_ctr),

	STU(des_tab_cbcenc),
	STU(des_tab_cbcdec),
	STU(3des_tab_cbcenc),
	STU(3des_tab_cbcdec),

	STU(des_ct_cbcenc),
	STU(des_ct_cbcdec),
	STU(3des_ct_cbcenc),
	STU(3des_ct_cbcdec),

	STU(chacha20_ct),
	STU(chacha20_sse2),

	STU(ghash_ctmul),
	STU(ghash_ctmul32),
	STU(ghash_ctmul64),
	STU(ghash_pclmul),
	STU(ghash_pwr8),

	STU(poly1305_ctmul),
	STU(poly1305_ctmul32),
	STU(poly1305_ctmulq),
	STU(poly1305_i15),

	STU(eax_aes128_big),
	STU(eax_aes192_big),
	STU(eax_aes256_big),
	STU(eax_aes128_small),
	STU(eax_aes192_small),
	STU(eax_aes256_small),
	STU(eax_aes128_ct),
	STU(eax_aes192_ct),
	STU(eax_aes256_ct),
	STU(eax_aes128_ct64),
	STU(eax_aes192_ct64),
	STU(eax_aes256_ct64),
	STU(eax_aes128_x86ni),
	STU(eax_aes192_x86ni),
	STU(eax_aes256_x86ni),
	STU(eax_aes128_pwr8),
	STU(eax_aes192_pwr8),
	STU(eax_aes256_pwr8),

	STU(shake128),
	STU(shake256),

	STU(rsa_i15),
	STU(rsa_i31),
	STU(rsa_i32),
	STU(rsa_i62),
	STU(ec_prime_i15),
	STU(ec_prime_i31),
	STU(ec_p256_m15),
	STU(ec_p256_m31),
	STU(ec_p256_m62),
	STU(ec_p256_m64),
	STU(ec_c25519_i15),
	STU(ec_c25519_i31),
	STU(ec_c25519_m15),
	STU(ec_c25519_m31),
	STU(ec_c25519_m62),
	STU(ec_c25519_m64),
	STU(ecdsa_p256_m15),
	STU(ecdsa_p256_m31),
	STU(ecdsa_p256_m62),
	STU(ecdsa_p256_m64),
	STU(ecdsa_i15),
	STU(ecdsa_i31),

	STU(i31)
};

static int
eq_name(const char *s1, const char *s2)
{
	for (;;) {
		int c1, c2;

		for (;;) {
			c1 = *s1 ++;
			if (c1 >= 'A' && c1 <= 'Z') {
				c1 += 'a' - 'A';
			} else {
				switch (c1) {
				case '-': case '_': case '.': case ' ':
					continue;
				}
			}
			break;
		}
		for (;;) {
			c2 = *s2 ++;
			if (c2 >= 'A' && c2 <= 'Z') {
				c2 += 'a' - 'A';
			} else {
				switch (c2) {
				case '-': case '_': case '.': case ' ':
					continue;
				}
			}
			break;
		}
		if (c1 != c2) {
			return 0;
		}
		if (c1 == 0) {
			return 1;
		}
	}
}

int
main(int argc, char *argv[])
{
	size_t u;

	if (argc <= 1) {
		printf("usage: testspeed all | name...\n");
		printf("individual test names:\n");
		for (u = 0; u < (sizeof tfns) / (sizeof tfns[0]); u ++) {
			printf("   %s\n", tfns[u].name);
		}
	} else {
		for (u = 0; u < (sizeof tfns) / (sizeof tfns[0]); u ++) {
			int i;

			for (i = 1; i < argc; i ++) {
				if (eq_name(argv[i], tfns[u].name)
					|| eq_name(argv[i], "all"))
				{
					tfns[u].fn();
					break;
				}
			}
		}
	}
	return 0;
}