[Botan-devel] RSA, DSA in Botan and OpenSSL on x86-64

Jack Lloyd lloyd at randombit.net
Thu Aug 28 12:14:32 EDT 2008


Botan 1.7.9 vs OpenSSL 0.9.8 and 0.9.9 20080828 snapshot

Using GCC 4.3.1 on a Gentoo Linux / Intel Core2 Q6600 system, here are
the numbers for 1.7.9's RSA benchmarks:

RSA-512: 57175.48 ops / second (public operation)
RSA-512: 3777.23 ops / second (private operation)
RSA-1024: 21788.16 ops / second (public operation)
RSA-1024: 1017.99 ops / second (private operation)
RSA-1536: 10439.18 ops / second (public operation)
RSA-1536: 337.14 ops / second (private operation)
RSA-2048: 6951.47 ops / second (public operation)
RSA-2048: 179.62 ops / second (private operation)
RSA-3072: 3203.75 ops / second (public operation)
RSA-3072: 56.95 ops / second (private operation)
RSA-4096: 2018.24 ops / second (public operation)
RSA-4096: 28.63 ops / second (private operation)

and here is OpenSSL 0.9.8g:

                  sign    verify    sign/s verify/s
rsa  512 bits 0.000316s 0.000021s   3169.1  47169.7
rsa 1024 bits 0.001190s 0.000057s    840.3  17568.6
rsa 2048 bits 0.006596s 0.000177s    151.6   5660.8
rsa 4096 bits 0.041750s 0.000602s     24.0   1660.0

and here is OpenSSL's latest snapshot:

                  sign    verify    sign/s verify/s
rsa  512 bits 0.000169s 0.000014s   5902.6  69430.1
rsa 1024 bits 0.000826s 0.000043s   1210.3  23227.1
rsa 2048 bits 0.005165s 0.000152s    193.6   6587.9
rsa 4096 bits 0.036473s 0.000577s     27.4   1733.1

So, for RSA Botan is substantially faster than 0.9.8g and reasonably
competetive with OpenSSL mainline (and even edging to the lead at 4k
bits, it seems?)

Botan does not fare as well on DSA:

DSA-512: 2359.91 ops / second (public operation)
DSA-512: 2496.38 ops / second (private operation)
DSA-768: 1296.52 ops / second (public operation)
DSA-768: 2004.09 ops / second (private operation)
DSA-1024: 964.75 ops / second (public operation)
DSA-1024: 1515.44 ops / second (private operation)
DSA-2048: 207.53 ops / second (public operation)
DSA-2048: 385.54 ops / second (private operation)
DSA-3072: 96.51 ops / second (public operation)
DSA-3072: 185.14 ops / second (private operation)

0.9.8g:
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000220s 0.000234s   4553.9   4281.4
dsa 1024 bits 0.000553s 0.000636s   1807.4   1572.2
dsa 2048 bits 0.001721s 0.002034s    581.1    491.7

0.9.9-20080828:

                  sign    verify    sign/s verify/s
dsa  512 bits 0.000166s 0.000169s   6041.4   5927.1
dsa 1024 bits 0.000443s 0.000495s   2255.3   2018.7
dsa 2048 bits 0.001500s 0.001796s    666.5    556.9

Profiling shows 38.8% of all runtime for a large RSA/DSA/DH run is in
bigint_mul_add_words (and that is with the x86-64 assembly version).
Which is quite a hotspot, but of course this function is used for both
Karatsuba multiplication and Montgomery reduction. In any case it
seems like there should certainly be room for optimization, especially
in assembly; even a small speedup in bigint_mul_add_words could have
major impact.

-Jack



More information about the botan-devel mailing list