Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> writes:
I got pinged by someone testing the performance of TLS handshakes and it seems that gnutls/nettle with RSA is significantly slower than openssl.
To quote the NEWS file for Nettle-3.4.1:
Performance regression:
* All RSA private key operations employing RSA blinding, i.e., rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and rsa_compute_root_tr, are significantly slower. This is because (i) RSA blinding now use side-channel silent operations, (ii) blinding includes a modular inversion, and (iii) side-channel silent modular inversion, implemented as mpn_sec_invert, is very expensive. A 60% slowdown for 2048-bit RSA keys have been measured.
name               size   sign/ms  verify/ms
rsa                2048    0.8881    27.1422
rsa (openssl)      2048    1.4249    45.2295
rsa-tr             2048    0.4257    29.1152
rsa-tr (openssl)   2048    1.3735    46.1692
The above explains why Nettle's rsa-tr is much slower than the non-tr version. But it's disappointing that there also looks like a pretty large general slowdown.
I think most of the running time for RSA operations, except for modular inversion, is in well-tuned GMP functions. For best speed, make sure GMP is either compiled with --enable-fat, or configured for the machine it's running on, and use a recent version. To track down any problems, it's important to know more precisely what processor it's running on and how gmp was configured.
For what it's worth, this is what I get on the laptop (quite old, "U4100 @ 1.30GHz" according to /proc/cpuinfo, should probably be "SU4100", detected as core2-pc-linux-gnu by gmp) I'm sitting in front of right now:
$ ../examples/hogweed-benchmark rsa
name               size   sign/ms  verify/ms
rsa                2048    0.2106     7.2703
rsa-tr             2048    0.1158     6.8202
rsa (openssl)      2048    0.2024     6.4992
rsa-tr (openssl)   2048    0.1959     6.4983
So here, Nettle is slightly faster except for side-channel silent signing. It's a bit odd that *verify* for rsa-tr appears slower than the non-tr, since no secrets are involved, and the same function is called. May be a problem in the benchmark program.
Is "Smooth CRT" something that I should look up?
Regards, /Niels
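
The blinding step that the quoted NEWS entry refers to, as an added illustration that is not part of the original message and is not Nettle's code: the toy key, root_crt and root_blinded are names and values made up for this sketch, and Python's integer arithmetic is not side-channel silent, so it shows only where the extra modular inversion enters.

```python
import math
import secrets

# Constructed toy key built from two Mersenne primes. NOT secure; illustration only.
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent
Q_INV = pow(Q, -1, P)               # CRT coefficient, precomputed with the key


def root_crt(m):
    """Unblinded private-key operation m^d mod n via CRT (the "rsa" rows)."""
    sp = pow(m % P, D % (P - 1), P)
    sq = pow(m % Q, D % (Q - 1), Q)
    h = (Q_INV * (sp - sq)) % P
    return sq + Q * h


def root_blinded(m):
    """Blinded private-key operation (the "rsa-tr" rows)."""
    # Pick a fresh random r that is invertible mod n.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    # Per-operation modular inversion: the step the NEWS entry calls expensive
    # when done side-channel silently (mpn_sec_invert in GMP).
    r_inv = pow(r, -1, N)
    blinded = (m * pow(r, E, N)) % N      # m * r^e mod n
    s_blinded = root_crt(blinded)         # (m * r^e)^d = m^d * r mod n
    # Check the result with the public key before unblinding, so a faulty
    # CRT computation is never released.
    if pow(s_blinded, E, N) != blinded:
        raise ValueError("private key operation failed")
    return (s_blinded * r_inv) % N        # strip r, leaving m^d mod n


if __name__ == "__main__":
    msg = int.from_bytes(b"constructed sample input", "big") % N
    sig = root_blinded(msg)
    print("blinded == unblinded:", sig == root_crt(msg))
    print("verifies:", pow(sig, E, N) == msg)
```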