On Tue, 2019-12-03 at 08:59 +0100, Nikos Mavrogiannopoulos wrote:
On Mon, Dec 2, 2019 at 9:47 PM Niels Möller nisse@lysator.liu.se wrote:
name size sign/ms verify/ms rsa 2048 0.8881 27.1422rsa (openssl) 2048 1.4249 45.2295
rsa-tr 2048 0.4257 29.1152rsa-tr (openssl) 2048 1.3735 46.1692
The above explains why Nettle's rsa-tr is much slower than the non- tr version. But it's disappointing that there also looks like a pretty large general slowdown.
I think most of the running time for RSA operations, except for modular inversion, are in wel-tuned GMP functions. For best speed, make sure GMP is either compiled with --enable-fat, or configured for the machine it's running on, and use a recent version. To track down any problems, it's important to know more precisely what processor it's running on and how gmp was configured.
That seemed trivial before I wrote this email, but that was actually the case. The fedora maintainer had removed the --enable-fat option in a seemingly unrelated commit. I've reported it at: https://bugzilla.redhat.com/show_bug.cgi?id=1779060
Hmm even after --enable-fat was given to gmp not much has changed.
My CPU is Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz and that's what I see:
1. gmp without --enable-fat rsa 2048 0.8881 27.1422
2. gmp with --enable-fat rsa 2048 1.0973 40.4561
3. gmp with --enable-fat compiled outside distribution (as ./configure --enable-fat) rsa 2048 1.5127 53.6693
The corresponding value on that cpu for openssl's RSA is: rsa (openssl) 2048 1.9212 61.4107
So it may be that it is quite hard to get good values out of gmp without having a custom compilation. In particular I see that locally I have: -mtune=skylake -march=broadwell -fomit-frame-pointer
while fedora sets: -mtune=generic and the --enable-fat is not sufficient to overcome this.
regards, Nikos