On Mon, 2019-12-02 at 13:24 +0100, Nikos Mavrogiannopoulos wrote:
Hi, I got pinged by someone testing the performance of TLS handshakes and it seems that gnutls/nettle with RSA is significantly slower than openssl. On the other hand, secp256r1 and ed25519 are faster. (btw. both openssl and gnutls/nettle are slower than rusttls).
FYI last time I checked rusttls it does not employ any countermeasure, not even blinding, easy to be fast that way.
Nevertheless the RSA caught my attention because I had the impression that nettle was at some point equivalent if not faster. I see that the hogweed benchmark values in nettle show a 3x difference in signing for the TR version and ~2x for the unprotected. Going back to 3.1 did not affect that. Was that always the case? If not any ideas what could have caused that? Did we miss some optimizations? (from a quick review of openssl' RSA code, I see that smooth CRT RSA was added relatively recently, but could that get such a big performance benefit?)
Would you be able to measure OpenSSL's RSA from a release before the smooth CRt was added ?
name size sign/ms verify/ms rsa 2048 0.8881 27.1422rsa (openssl) 2048 1.4249 45.2295
rsa-tr 2048 0.4257 29.1152rsa-tr (openssl) 2048 1.3735 46.1692
regards, Nikos _______________________________________________ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs