perf(runtime): reduce fixed overhead without changing security semantics (P1-P8)

Remove waste around mandatory crypto work while preserving all security
invariants from doc 16, 17, and 19. No phases removed, no branch shapes
changed, no crypto semantics altered.

- P1: replace heap alloc in verify_bb_mac with stack buffer (VM_MAX_BB_INSN_CAP)
- P2: replace O(n) find_bb_index with O(1) dense vector lookup
- P3: hash exec.regs[] directly, eliminating 128-byte copy per instruction
- P4: preexpand BLAKE3 [K||K] key once for Phase F + Phase G
- P5: precompute bb_end_ip at load time
- P6: pre-decode bb_enc_seed as uint64_t at load time
- P7: build siphash_expand message prefix once outside 8-iteration loop
- P8: hoist ORAM temp buffers out of 64-line loop, reuse keystream buffer

Author: scc-tw

common/include/vm/vm_context.hpp

@@ -25,6 +25,11 @@ constexpr uint8_t VM_BYTE_LANES = 8;
 /// Maximum nesting depth for shadow stack.
 constexpr uint8_t VM_MAX_NESTING = 8;
 
+/// Compile-time upper bound on instructions per basic block.
+/// Used for stack-allocated MAC scratch buffers (avoids heap allocation on hot path).
+/// Blobs exceeding this limit are rejected at load time.
+constexpr uint32_t VM_MAX_BB_INSN_CAP = 1024;
+
 /// Forward declaration for platform-specific native context.
 struct NativeContext;
 
@@ -46,6 +51,14 @@ struct BBMetadata {
     uint16_t live_regs_bitmap;
     uint8_t  bb_enc_seed[8];
     uint8_t  epoch_seed[32];
+
+    // ── Derived fields (computed once at blob load, avoid repeated work) ──
+
+    /// entry_ip + insn_count_in_bb — avoids repeated addition on hot path.
+    uint32_t bb_end_ip = 0;
+
+    /// bb_enc_seed decoded as native uint64_t — avoids repeated memcpy.
+    uint64_t bb_enc_seed_u64 = 0;
 };
 
 /// Epoch checkpoint for shadow stack (CALL_VM / RET_VM).

common/include/vm/vm_crypto.hpp

@@ -160,6 +160,10 @@ inline void sip_round(uint64_t& v0, uint64_t& v1,
 ///
 /// Each output word: SipHash(key, nonce || line || sub_index)
 ///
+/// Optimization (P7): the 24-byte message prefix (nonce || line) is built once;
+/// only the final 8-byte sub_index is overwritten per iteration.  This avoids
+/// rebuilding the fixed 16-byte prefix 8 times.  Output is identical.
+///
 /// @param key    16-byte ORAM key
 /// @param nonce  ORAM nonce
 /// @param line   cache line index
@@ -168,12 +172,14 @@ inline void siphash_expand(const uint8_t key[16],
                            uint64_t nonce,
                            uint64_t line,
                            uint64_t out[8]) noexcept {
+    // Build the fixed prefix once: nonce(8) || line(8)
+    uint8_t msg[24];
+    std::memcpy(msg,     &nonce, 8);
+    std::memcpy(msg + 8, &line,  8);
+
     for (uint64_t i = 0; i < 8; ++i) {
-        // Build a 24-byte message: nonce(8) || line(8) || sub_index(8)
-        uint8_t msg[24];
-        std::memcpy(msg,      &nonce, 8);
-        std::memcpy(msg + 8,  &line,  8);
-        std::memcpy(msg + 16, &i,     8);
+        // Only overwrite the sub_index portion
+        std::memcpy(msg + 16, &i, 8);
         out[i] = siphash_2_4(key, msg, 24);
     }
 }
@@ -234,6 +240,41 @@ void blake3_keyed_128(const uint8_t key128[16],
                       const uint8_t* data, size_t data_len,
                       uint8_t* out, size_t out_len) noexcept;
 
+/// Pre-expand a 128-bit key to a 256-bit BLAKE3 key: [K || K].
+///
+/// This avoids repeating the expansion when the same 128-bit key is used
+/// for multiple BLAKE3 calls within a single instruction (Phase F + Phase G).
+///
+/// @param key128    16-byte source key
+/// @param out256    32-byte output (caller must zero after use)
+void blake3_preexpand_128(const uint8_t key128[16],
+                          uint8_t out256[32]) noexcept;
+
+/// BLAKE3 keyed hash using an already-expanded 256-bit key.
+///
+/// Same as blake3_keyed_128 but skips the [K||K] expansion step.
+///
+/// @param expanded_key  32-byte pre-expanded key (from blake3_preexpand_128)
+/// @param data          input data
+/// @param data_len      length of input data
+/// @param out           output buffer for hash
+/// @param out_len       number of output bytes
+void blake3_keyed_preexpanded(const uint8_t expanded_key[32],
+                              const uint8_t* data, size_t data_len,
+                              uint8_t* out, size_t out_len) noexcept;
+
+/// Fingerprint all 16 encoded registers using a pre-expanded BLAKE3 key.
+///
+/// Same as blake3_keyed_fingerprint but avoids redundant key expansion
+/// when the caller has already called blake3_preexpand_128.
+///
+/// @param expanded_key  32-byte pre-expanded key
+/// @param encoded_regs  array of 16 × uint64_t encoded register values
+/// @param out128        16-byte output fingerprint
+void blake3_keyed_fingerprint_preexpanded(const uint8_t expanded_key[32],
+                                          const uint64_t encoded_regs[16],
+                                          uint8_t out128[16]) noexcept;
+
 /// Fingerprint all 16 encoded registers using BLAKE3_KEYED_128.
 ///
 /// WHY FINGERPRINT ALL REGISTERS:

common/src/vm/vm_crypto.cpp

@@ -22,19 +22,39 @@ void blake3_keyed_hash(const uint8_t key[32], const uint8_t* data, size_t data_l
     blake3_hasher_finalize(&hasher, out, out_len);
 }
 
+void blake3_preexpand_128(const uint8_t key128[16],
+                          uint8_t out256[32]) noexcept {
+    std::memcpy(out256, key128, 16);
+    std::memcpy(out256 + 16, key128, 16);
+}
+
+void blake3_keyed_preexpanded(const uint8_t expanded_key[32],
+                              const uint8_t* data, size_t data_len,
+                              uint8_t* out, size_t out_len) noexcept {
+    blake3_hasher hasher;
+    blake3_hasher_init_keyed(&hasher, expanded_key);
+    blake3_hasher_update(&hasher, data, data_len);
+    blake3_hasher_finalize(&hasher, out, out_len);
+}
+
+void blake3_keyed_fingerprint_preexpanded(const uint8_t expanded_key[32],
+                                          const uint64_t encoded_regs[16],
+                                          uint8_t out128[16]) noexcept {
+    blake3_keyed_preexpanded(expanded_key,
+                             reinterpret_cast<const uint8_t*>(encoded_regs),
+                             16 * sizeof(uint64_t),
+                             out128, 16);
+}
+
 void blake3_keyed_128(const uint8_t key128[16],
                       const uint8_t* data, size_t data_len,
                       uint8_t* out, size_t out_len) noexcept {
     // Extend 128-bit key to 256-bit by repeating: [K || K].
     // Security level remains 128-bit (matching Speck64/128 key size).
     uint8_t extended[32];
-    std::memcpy(extended, key128, 16);
-    std::memcpy(extended + 16, key128, 16);
+    blake3_preexpand_128(key128, extended);
 
-    blake3_hasher hasher;
-    blake3_hasher_init_keyed(&hasher, extended);
-    blake3_hasher_update(&hasher, data, data_len);
-    blake3_hasher_finalize(&hasher, out, out_len);
+    blake3_keyed_preexpanded(extended, data, data_len, out, out_len);
 
     // Zero the extended key — prevent the redundant copy from persisting
     // in stack memory after this function returns.

runtime/include/vm_engine.hpp

@@ -70,6 +70,9 @@ using Common::VM::Crypto::FPE_Encode;
 using Common::VM::Crypto::FPE_Decode;
 using Common::VM::Crypto::blake3_keyed_128;
 using Common::VM::Crypto::blake3_keyed_fingerprint;
+using Common::VM::Crypto::blake3_preexpand_128;
+using Common::VM::Crypto::blake3_keyed_preexpanded;
+using Common::VM::Crypto::blake3_keyed_fingerprint_preexpanded;
 using Common::VM::secure_zero;
 using Common::VM::opcode_writes_reg;
 

runtime/include/vm_state.hpp

@@ -41,6 +41,7 @@
 #include <cstdint>
 #include <cstddef>
 #include <cstring>
+#include <type_traits>
 #include <vector>
 
 namespace VMPilot::Runtime {
@@ -130,6 +131,13 @@ struct VmImmutable {
     /// verify_bb_mac always iterates max_bb_insn_count times, with dummy
     /// SipHash iterations for indices beyond the actual BB.
     uint32_t max_bb_insn_count = 0;
+
+    /// O(1) bb_id -> bb_metadata index lookup table.
+    ///
+    /// Dense vector sized to max_bb_id + 1, filled with UINT32_MAX (invalid).
+    /// Replaces the linear scan in find_bb_index() — same semantics, O(1) cost.
+    /// Built once during VmEngine::create().
+    std::vector<uint32_t> bb_id_to_index;
 };
 
 // ─────────────────────────────────────────────────────────────────────────────
@@ -233,6 +241,16 @@ static_assert(alignof(VmExecution) >= 64,
 static_assert(offsetof(VmExecution, regs) == 0,
               "regs must be at offset 0 (first cache line)");
 
+// Verify RegVal layout is compatible with uint64_t for direct fingerprinting (P3).
+// This allows blake3_keyed_fingerprint to hash exec.regs[] directly without
+// copying into a temporary uint64_t[16] array.
+static_assert(sizeof(RegVal) == sizeof(uint64_t),
+              "RegVal must be 8 bytes for direct fingerprint hashing");
+static_assert(std::is_standard_layout<RegVal>::value,
+              "RegVal must be standard layout for safe reinterpret_cast");
+static_assert(sizeof(VmExecution::regs) == VM_REG_COUNT * sizeof(uint64_t),
+              "regs array must be tightly packed (no padding)");
+
 // ─────────────────────────────────────────────────────────────────────────────
 // VmEpoch — per-BB opcode permutation, trivially copyable
 // ─────────────────────────────────────────────────────────────────────────────

runtime/src/oram_strategies.cpp

@@ -40,18 +40,22 @@ static uint64_t oram_access_impl(VmOramState& state, uint64_t addr,
 
     uint64_t read_result = 0;
 
+    // P8: hoist temporary buffers out of the loop to reduce stack churn.
+    // Reuse a single keystream buffer for both old and new expansions
+    // (old_ks is consumed before new_ks is computed, so they can share).
+    alignas(64) uint64_t words[8];
+    uint64_t ks[8];
+
     for (uint32_t line = 0; line < VM_ORAM_NUM_LINES; ++line) {
         uint8_t* line_ptr = state.workspace + line * VM_ORAM_LINE_SIZE;
 
         // 1. Load 64 bytes
-        uint64_t words[8];
         std::memcpy(words, line_ptr, 64);
 
         // 2. Decrypt with old nonce
-        uint64_t old_ks[8];
-        siphash_expand(state.key, old_nonce, line, old_ks);
+        siphash_expand(state.key, old_nonce, line, ks);
         for (int i = 0; i < 8; ++i)
-            words[i] ^= old_ks[i];
+            words[i] ^= ks[i];
 
         // 3. Branchless read + conditional write
         const bool is_target_line = (line == target_line);
@@ -70,11 +74,10 @@ static uint64_t oram_access_impl(VmOramState& state, uint64_t addr,
             words[w] = (written & w_sel) | (words[w] & ~w_sel);
         }
 
-        // 4. Re-encrypt with fresh nonce
-        uint64_t new_ks[8];
-        siphash_expand(state.key, state.nonce, line, new_ks);
+        // 4. Re-encrypt with fresh nonce (reuse ks buffer)
+        siphash_expand(state.key, state.nonce, line, ks);
         for (int i = 0; i < 8; ++i)
-            words[i] ^= new_ks[i];
+            words[i] ^= ks[i];
 
         // 5. Store back
         std::memcpy(line_ptr, words, 64);

runtime/src/pipeline.cpp

@@ -30,7 +30,6 @@
 #include <vm/secure_zero.hpp>
 
 #include <cstring>
-#include <vector>
 
 namespace VMPilot::Runtime::pipeline {
 
@@ -63,13 +62,13 @@ static uint64_t update_enc_state_impl(uint64_t enc_state,
     return siphash_2_4(key, msg, 8);
 }
 
-/// Find BB index by bb_id (linear search -- v1 simplicity).
+/// Find BB index by bb_id — O(1) dense vector lookup (P2).
+/// Returns -1 for unknown bb_id (same semantics as the original linear scan).
 static int find_bb_index(const VmImmutable& imm, uint32_t bb_id) noexcept {
-    for (size_t i = 0; i < imm.bb_metadata.size(); ++i) {
-        if (imm.bb_metadata[i].bb_id == bb_id)
-            return static_cast<int>(i);
-    }
-    return -1;
+    if (bb_id >= imm.bb_id_to_index.size())
+        return -1;
+    uint32_t idx = imm.bb_id_to_index[bb_id];
+    return (idx == UINT32_MAX) ? -1 : static_cast<int>(idx);
 }
 
 // ---------------------------------------------------------------------------
@@ -318,9 +317,8 @@ enter_basic_block(VmExecution& exec,
     const BBMetadata& target = imm.bb_metadata[static_cast<size_t>(bb_idx)];
 
     // 2. Use pre-derived bb_enc_seed from BBMetadata (no stored_seed needed)
-    uint64_t enc_seed_u64 = 0;
-    std::memcpy(&enc_seed_u64, target.bb_enc_seed, 8);
-    exec.enc_state = enc_seed_u64;
+    // P6: pre-decoded at load time, avoids repeated memcpy
+    exec.enc_state = target.bb_enc_seed_u64;
 
     // 3. Reset instruction tracking
     exec.insn_index_in_bb = 0;
@@ -460,12 +458,8 @@ verify_bb_mac(const VmImmutable& imm,
     const uint32_t real_count = bb.insn_count_in_bb;
     const uint32_t padded_count = imm.max_bb_insn_count;
 
-    // Derive bb_enc_seed for this BB
-    uint8_t enc_seed_bytes[8];
-    std::memcpy(enc_seed_bytes, bb.bb_enc_seed, 8);
-
-    uint64_t enc_state = 0;
-    std::memcpy(&enc_state, enc_seed_bytes, 8);
+    // P6: use pre-decoded enc_state (no memcpy needed)
+    uint64_t enc_state = bb.bb_enc_seed_u64;
 
     // Re-decrypt all instructions in this BB + dummy iterations for padding.
     //
@@ -479,8 +473,10 @@ verify_bb_mac(const VmImmutable& imm,
     auto insns = imm.blob.instructions();
     const uint32_t total_insn_count = imm.blob.header().insn_count;
 
-    // Stack buffer for MAC computation (only real instructions contribute)
-    std::vector<uint8_t> plaintext_bytes(real_count * 8);
+    // P1: stack-allocated scratch buffer (no heap allocation on hot path).
+    // Sized to compile-time cap; blobs exceeding VM_MAX_BB_INSN_CAP are
+    // rejected at load time.
+    uint8_t plaintext_bytes[VM_MAX_BB_INSN_CAP * 8];
 
     for (uint32_t j = 0; j < padded_count; ++j) {
         const bool is_real = (j < real_count);
@@ -496,7 +492,7 @@ verify_bb_mac(const VmImmutable& imm,
 
         // Only write real plaintext to MAC buffer
         if (is_real)
-            std::memcpy(plaintext_bytes.data() + j * 8, &plain, 8);
+            std::memcpy(plaintext_bytes + j * 8, &plain, 8);
 
         // Always check REKEY (dummy iterations: sem_op won't match REKEY)
         VmInsn vinst{};
@@ -526,8 +522,8 @@ verify_bb_mac(const VmImmutable& imm,
     // MAC is computed over REAL instructions only (matches blob builder)
     uint8_t computed_mac[8];
     blake3_keyed_hash(imm.integrity_key,
-                      plaintext_bytes.data(),
-                      plaintext_bytes.size(),
+                      plaintext_bytes,
+                      static_cast<size_t>(real_count) * 8,
                       computed_mac, 8);
 
     // Compare with stored MAC (constant-time)
@@ -556,13 +552,8 @@ void replay_enc_state(VmExecution& exec, const VmEpoch& epoch,
 
     const auto& bb = imm.bb_metadata[exec.current_bb_index];
 
-    // Derive bb_enc_seed from scratch (enter_basic_block already set enc_state,
-    // but we need the seed for the keystream replay).
-    uint8_t enc_seed_bytes[8];
-    std::memcpy(enc_seed_bytes, bb.bb_enc_seed, 8);
-
-    uint64_t es = 0;
-    std::memcpy(&es, enc_seed_bytes, 8);
+    // P6: use pre-decoded enc_seed (no memcpy needed)
+    uint64_t es = bb.bb_enc_seed_u64;
 
     // Replay SipHash chain: decrypt each instruction [0..target_insn_idx) and
     // advance enc_state, handling REKEY mutations along the way.