[botan-devel] Performance 1.8.12 vs 1.10.0

Jack Lloyd lloyd at randombit.net
Thu Jun 30 17:45:41 EDT 2011


On Thu, Jun 30, 2011 at 11:29:04PM +0200, Rickard Bellgrim wrote:
> > PK_Signer, by default, will test the signature to make sure it is valid, in order
> > to help prevent fault attacks. However, in 1.8 RSA already did this (because
> > RSA is very vulnerable to this problem, as a single error in a CRT-based RSA
> > signature lets someone easily factor the modulus), and anyway the public
> > RSA operation is very fast, so doesn't seem to explain a 3x slowdown.
> > However, you can eliminate this as a possibility by passing
> > DISABLE_FAULT_PROTECTION in the 4th argument to the PK_Signer
> > constructor, which is:
> >
> > If I'm right, I would expect a single-element cache would help out
> > significantly in this case (and would also help for 1.8, since there was plenty
> > of precomputation going on there as well). Let me know if this helps or not.
> > I'll try to find time to take a look at this more during this coming weekend.
> 
> Got around 3 sig/s better results with the single-element cache. Both for 1.8 and 1.10.
> 
> 2 threads, 10000 signatures per thread, 281.76 sig/s (RSA 1024 bits)
> 2 threads, 10000 signatures per thread, 92.76 sig/s (RSA 1024 bits)
> 
> The DISABLE_FAULT_PROTECTION gave another 14 sig/s for 1.10.
> 
> 2 threads, 10000 signatures per thread, 106.71 sig/s (RSA 1024 bits)

OK, so not either of those... interesting. FWIW, I see this on my
machine (i7-860, using one core):

1.8.12:
RSA-1024 1681 EMSA-PKCS1-v1_5(SHA-1) signature per second; 0.59 ms/op (8425 ops in 5010.12 ms)

1.10.0:
RSA-1024 1620 EMSA-PKCS1-v1_5(SHA-1) signature per second; 0.62 ms/op (8121 ops in 5011.06 ms)

So basically no real difference. Which is why this speed reduction you
are seeing is quite interesting/confusing. Is the code you are using
here available?  A small, self-contained test case would be ideal, of
course.

Thanks,
  Jack



More information about the botan-devel mailing list