
OpenSSL [PATCH] 30-40% ECDSA performance improvement - OpenSSL 1.1

Discussion in 'CentOS, Redhat & Oracle Linux News' started by bassie, Jan 2, 2018.

  1. bassie

    bassie Active Member

    620
    136
    43
    Apr 29, 2016
    Ratings:
    +417
    Local Time:
    4:31 PM
    Happy new year starts with a gift.

    ECDSA could get faster.
    As can be read here OpenSSL - OpenSSL ECDSA Performance improvements
    An improvement of 30-40% is possible (depending on the hardware).

    Backport patch to improve ECDSA sign 30-40% at OpenSSL 1.1

    With this backport patch, OpenSSL 1.1 will have to be able to do the same.


    I am not active in software development, this is pure mathematics and algorithmics.
    The goal is twofold.

    First and foremost nothing more or less than that I have had fun, as this contribution is purely out of interest.
    Second. Freedom happiness. Do what you want with the patch.
    It is freely available at GitLab.
     
  2. eva2000

    eva2000 Administrator Staff Member

    31,638
    7,029
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,634
    Local Time:
    1:31 AM
    Nginx 1.13.x
    MariaDB 5.5
    Thanks @bassie for sharing.. definitely will check this out :)

    is this patch against the OpenSSL 1.1.0 master branch or 1.1.0g?
     
  3. eva2000

    eva2000 Administrator Staff Member

    On OVH Core i7 4790K 4C/8T server with CentOS 7.4 64bit and Centmin Mod 123.09beta01 LEMP stack

    With patch resulted in 43.4% faster ECDSA signs/s and 15.4% faster ECDSA verify/s :cool:

    OpenSSL 1.1.0g | rsa 2048 signs/s | rsa 2048 verify/s | ecdsa 256bit signs/s | ecdsa 256bit verify/s
    before patch   | 8278.4           | 181818.2          | 121212.1             | 43450.5
    after patch    | 8299.9           | 181818.2          | 173813.0             | 50157.2


    before ECDSA OpenSSL 1.1.0g backported patch
    Code (Text):
    openssl speed -multi 8 rsa2048 ecdsap256
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                     sign    verify    sign/s verify/s
    rsa 2048 bits 0.000121s 0.000005s   8278.4 181818.2
                                 sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 121212.1  43450.5
    

    after patch
    Code (Text):
    openssl speed -multi 8 rsa2048 ecdsap256
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                     sign    verify    sign/s verify/s
    rsa 2048 bits 0.000120s 0.000005s   8299.9 181818.2
                                 sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 173913.0  50157.2
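
Added example (not part of the original posts): a shell helper that reduces the two `openssl speed` outputs above to per-algorithm percentage changes in sign/s and verify/s, so the before/after comparison can be rerun on any host. The function names `speed_rows` and `speed_gain` are hypothetical, and the embedded rows are a constructed sample taken from the runs quoted above.

```shell
#!/usr/bin/env bash
# Constructed sample input: result rows from the two `openssl speed` runs quoted above.
BEFORE='                 sign    verify    sign/s verify/s
rsa 2048 bits 0.000121s 0.000005s   8278.4 181818.2
 256 bit ecdsa (nistp256)   0.0000s   0.0000s 121212.1  43450.5'
AFTER='                 sign    verify    sign/s verify/s
rsa 2048 bits 0.000120s 0.000005s   8299.9 181818.2
 256 bit ecdsa (nistp256)   0.0000s   0.0000s 173913.0  50157.2'

# speed_rows: reduce `openssl speed` output to "label|sign/s|verify/s" records.
# A result row is a line whose 4th- and 3rd-from-last fields are timings ending
# in "s"; every field before them belongs to the algorithm label.
speed_rows() {
  awk 'NF >= 5 && $(NF-3) ~ /^[0-9.]+s$/ && $(NF-2) ~ /^[0-9.]+s$/ {
         label = $1
         for (i = 2; i <= NF - 4; i++) label = label " " $i
         printf "%s|%s|%s\n", label, $(NF-1), $NF
       }'
}

# speed_gain BEFORE AFTER: percentage change in sign/s and verify/s per algorithm,
# in the order the algorithms appear in BEFORE.
speed_gain() {
  {
    printf '%s\n' "$1" | speed_rows | sed 's/^/B|/'
    printf '%s\n' "$2" | speed_rows | sed 's/^/A|/'
  } | awk -F'|' '
    $1 == "B" { bs[$2] = $3; bv[$2] = $4; order[++n] = $2 }
    $1 == "A" { sa[$2] = $3; va[$2] = $4 }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in sa)) { printf "%s missing-after\n", k; continue }
        printf "%s sign %+.1f%% verify %+.1f%%\n", k,
               (sa[k] / bs[k] - 1) * 100, (va[k] / bv[k] - 1) * 100
      }
    }'
}

speed_gain "$BEFORE" "$AFTER"
```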
    
     
  4. bassie

    bassie Active Member

    Nice benchmark :)
     
  5. bassie

    bassie Active Member

    [UPDATE] Patch has been updated to today's upstream code, January 5th.
    The patch has also been restructured.

    Backport patch update 30-40% ECDSA performance improvement - OpenSSL 1.1

    Changelog [PATCH] OpenSSL1.1g - 30-40% ECDSA performance improvement
    * Fri, 5 Jan 2018 20:45:22 +0100
    - Rebuilt to host the new upstream code (5 Jan 2018).

    ECDSA performance improvements using an old i3:

    Code:
                                  sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s  56444.1  24023.7
    
                                  sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s  81862.6  27645.4
     
  6. eva2000

    eva2000 Administrator Staff Member

    thanks for the update :D

    looks good. enabling the optional ECDSA and ECDHX 25519 performance patches is done via persistent config file /etc/centminmod/custom_config.inc: set the variables PRIOR to running centmin.sh menu option 4
    Code (Text):
    OPENSSLECDSA_PATCH='y'
    OPENSSLECDHX_PATCH='y'
    

    at the end of an nginx update run via centmin.sh menu option 4 you should get a list of log files for the run, and one is the log file for the openssl patches
    Code (Text):
    log files saved at /root/centminlogs
    -rw-r--r--  1 root root 1.6K Jan  5 06:57 patch_opensslpatches_050118-065726.log
    -rw-r--r--  1 root root   44 Jan  5 06:58 centminmod_opensslinstalltime_050118-065726.log
    -rw-r--r--  1 root root    8 Jan  5 06:58 patch_patchnginx_050118-065726.log
    -rw-r--r--  1 root root 1.6K Jan  5 06:58 nginx-configure-050118-065726.log
    -rw-r--r--  1 root root  26K Jan  5 06:59 nginx_autoconf.err.050118-065726.log
    -rw-r--r--  1 root root 2.8M Jan  5 06:59 centminmod_123.09beta01.b011_050118-065726_nginx_upgrade.log
    
    *************************************************
    * nginx updated
    *************************************************
       _   _         _                _   _             _         _             _ 
      | \ | |  __ _ (_) _ __  __  __ | | | | _ __    __| |  __ _ | |_  ___   __| |
      |  \| | / _` || || '_ \ \ \/ / | | | || '_ \  / _` | / _` || __|/ _ \ / _` |
      | |\  || (_| || || | | | >  <  | |_| || |_) || (_| || (_| || |_|  __/| (_| |
      |_| \_| \__, ||_||_| |_|/_/\_\  \___/ | .__/  \__,_| \__,_| \__|\___| \__,_|
              |___/                         |_|                                   
    
    Total Nginx Upgrade Time: 99.531088158 seconds at /root/centminlogs/patch_opensslpatches_050118-065726.log
    

    contents of log
    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_050118-065726.log
    
    ######################################################################
    Patching OpenSSL 1.1.0g
    ######################################################################
    30-40% performance improvement patch for ECDSA
    https://community.centminmod.com/posts/57725/
    ######################################################################
    /svr-setup/openssl-1.1.0g /svr-setup/openssl-1.1.0g
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1g-improve-ECDSA-sign-30-40.patch
    patching file ECDSA-PATCH-CHANGELOG
    patching file crypto/ec/asm/ecp_nistz256-armv8.pl
    patching file crypto/ec/asm/ecp_nistz256-x86_64.pl
    patching file crypto/ec/ec_err.c
    patching file crypto/ec/ec_lcl.h
    patching file crypto/ec/ec_lib.c
    patching file crypto/ec/ecdsa_ossl.c
    patching file crypto/ec/ecp_nistz256.c
    patching file crypto/perlasm/x86_64-xlate.pl
    patching file include/openssl/ec.h
    patch unexpectedly ends in middle of line
    Hunk #1 succeeded at 1389 with fuzz 1.
    /svr-setup/openssl-1.1.0g
    
    
    ######################################################################
    Patching OpenSSL 1.1.0g
    ######################################################################
    ECDHX 25519 performance patch
    https://community.centminmod.com/posts/57726/
    ######################################################################
    /svr-setup/openssl-1.1.0g /svr-setup/openssl-1.1.0g
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1g-double-performance-ecdhx-25519.patch
    patching file crypto/ec/curve25519.c
    /svr-setup/openssl-1.1.0g
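
Added example (not Centmin Mod's own code): the log above contains `patch unexpectedly ends in middle of line` and a hunk applied `with fuzz 1`, meaning patch(1) placed a hunk whose context lines did not match exactly, which for a crypto library is worth reviewing before the build is trusted. This sketch scans such a log and exits non-zero on anything other than a clean apply; the function name `audit_patch_log` and the severity labels are assumptions, and the sample log is constructed from lines quoted above.

```shell
#!/usr/bin/env bash
# Constructed sample: lines taken from the patch log quoted above.
SAMPLE_LOG='patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1g-improve-ECDSA-sign-30-40.patch
patching file crypto/ec/ecp_nistz256.c
patching file include/openssl/ec.h
patch unexpectedly ends in middle of line
Hunk #1 succeeded at 1389 with fuzz 1.
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1g-double-performance-ecdhx-25519.patch
patching file crypto/ec/curve25519.c'

# audit_patch_log: read a patch(1) log on stdin and print one finding per line as
# "<patch file>: <target file>: <severity>: <log line>".
# Severity labels are this example's own convention:
#   fail   - hunk rejected or patch already applied
#   review - applied, but not against exactly matching context, or patch file truncated
#   info   - applied at a shifted line number only
# Exit status is 1 if any fail/review finding was seen, 0 otherwise.
audit_patch_log() {
  awk '
    function report(sev) {
      printf "%s: %s: %s: %s\n", patch, target, sev, $0
      if (sev != "info") bad = 1
    }
    BEGIN { patch = "-"; target = "-" }
    /^patch -p[0-9]+ < / { n = split($NF, p, "/"); patch = p[n]; target = "-"; next }
    /^patching file /    { target = $3; next }
    /FAILED|saving rejects|Reversed \(or previously applied\)/ { report("fail"); next }
    /with fuzz [0-9]+|unexpectedly ends/ { report("review"); next }
    /succeeded at [0-9]+ \(offset/ { report("info"); next }
    END { exit (bad ? 1 : 0) }
  '
}

# Stop before the build step when the log is not clean.
printf '%s\n' "$SAMPLE_LOG" | audit_patch_log || echo "patch log needs review before building"
```

Pointed at the real log path, the same function can gate the compile step so a fuzzy apply is diffed against the patch by hand first.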
    
    
     
  7. eva2000

    eva2000 Administrator Staff Member

    retesting openssl 1.1.0g after latest Kernel KPTI patch fixes to see impact on performance

    Code (Text):
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.000120s 0.000005s   8300.9 181818.2
                                  sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 170212.8  50000.0
    


    OpenSSL 1.1.0g                 | rsa 2048 signs/s | rsa 2048 verify/s | ecdsa 256bit signs/s | ecdsa 256bit verify/s
    before cloudflare patch        | 8278.4           | 181818.2          | 121212.1             | 43450.5
    after cloudflare patch         | 8299.9           | 181818.2          | 173813.0             | 50157.2
    cloudflare + kernel KPTI patch | 8300.9           | 181818.2          | 170212.8             | 50000.0
     
  8. bassie

    bassie Active Member

  9. eva2000

    eva2000 Administrator Staff Member

    much appreciated.. updated in 123.09beta01 now :D
     
  10. RoldanLT

    RoldanLT Well-Known Member

    4,020
    971
    113
    May 25, 2014
    Philippines
    Ratings:
    +1,340
    Local Time:
    11:31 PM
    1.11
    10.2
    So to enable this I need to set:
    Code:
    OPENSSLECDSA_PATCH='y'
    OPENSSLECDHX_PATCH='y'
    LIBRESSL_SWITCH='n'
    
    That's all?
     
  11. eva2000

    eva2000 Administrator Staff Member

    yup, set via persistent config file /etc/centminmod/custom_config.inc; set the variables PRIOR to running centmin.sh menu option 4
     
  12. RoldanLT

    RoldanLT Well-Known Member

    No 1.0.2n support? :)
     
  13. eva2000

    eva2000 Administrator Staff Member

    patch is only for 1.1.0g
     