OpenSSL [PATCH] 50% ECDHX 25519 performance improvement - OpenSSL 1.1

Discussion in 'CentOS, Redhat & Oracle Linux News' started by bassie, Jan 2, 2018.

  1. bassie

    Ecdhx 25519 could also get faster.
    As an extra New Year's gift next to [PATCH]ECDSA sign faster by 30-40% - OpenSSL 1.1
    An improvement of 50% "double" is possible (depending on the hardware).

    Backport patch "double" ecdhx25519 performance at OpenSSL 1.1

    With this backport patch, OpenSSL 1.1 will have to be able to do the same.

    I am not active in software development, this is pure mathematics and algorithmics.
    The goal is twofold.

    First and foremost nothing more or less than that I have had fun, as this contribution is purely out of interest.
    Second. Freedom happiness. Do what you want with the patch.
    It is freely available at GitLab.
     
    • Informative x 1
  2. eva2000

    Thanks @bassie for sharing.. didn't see this change so thanks for heads up :)

    is ECDHX 25519 different from ECDH 25519?

    this patch is against OpenSSL 1.1.0 master branch or 1.1.0g?
     
  3. eva2000

  4. bassie

  5. eva2000

    it's discussed in issue tracker at [rt.openssl.org #4683] [BUG] Failure running openssl speed ecdh in master branch · Issue #2532 · openssl/openssl · GitHub

    and

    when i run ecdh test on openssl 1.1.0g
    Code (Text):
    openssl speed -multi 8 ecdh
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                                 op      op/s
     160 bit ecdh (secp160r1)   0.0000s  26594.3
     192 bit ecdh (nistp192)   0.0000s  22031.5
     224 bit ecdh (nistp224)   0.0000s  57971.0
     256 bit ecdh (nistp256)   0.0000s  62500.0
     384 bit ecdh (nistp384)   0.0001s   7348.2
     521 bit ecdh (nistp521)   0.0001s   8090.0
     163 bit ecdh (nistk163)   0.0000s  21888.7
     233 bit ecdh (nistk233)   0.0001s  17062.9
     283 bit ecdh (nistk283)   0.0001s   9780.1
     409 bit ecdh (nistk409)   0.0002s   6466.6
     571 bit ecdh (nistk571)   0.0004s   2842.7
     163 bit ecdh (nistb163)   0.0000s  20958.9
     233 bit ecdh (nistb233)   0.0001s  16318.7
     283 bit ecdh (nistb283)   0.0001s   9243.3
     409 bit ecdh (nistb409)   0.0002s   6086.6
     571 bit ecdh (nistb571)   0.0004s   2640.4
     253 bit ecdh (X25519)   0.0000s      inf
    
     
  6. bassie

    For the global readers over here.
    This has nothing to do with the patch.

    With or without the ECDHX 25519 enhancement patch you couldn't test X25519 on OpenSSL 1.1 before, now or in the future (tests below).

    The command "openssl speed ecdhx25519" could result in an error "ECDH failure".
    And/or "0.0000s inf" if tested with the global parameter "openssl speed ecdh".
    In other words you can't test X25519 as it is "Skipped for X25519" (see github link in @eva2000 's post).

    The OpenSSL team considers this as a function not bug or anything else,
    so no fix will be issued for OpenSSL 1.1 in the future.
    Once again it has never worked before and never will be on OpenSSL 1.1.

    In addition to that.
    The ECDH speed test suite on OpenSSL 1.1.1dev "moved the ECDH speed tests to use the higher level EVP API".

    Test results

    OpenSSL 1.1g with and without patch:
    OpenSSL 1.1.1dev 3 January 2018:
     
    Last edited: Jan 3, 2018
    • Informative x 1
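
Added example, not part of the thread or of OpenSSL: a parser for `openssl speed ecdh` rows that treats the `0.0000s inf` X25519 line described above as "not measured", so a before/after patch comparison cannot be built on it. The function names and the "after" numbers are constructed for illustration.

```python
import math
import re

# Rows in the format of the `openssl speed ecdh` output quoted in the thread.
BEFORE = """\
                             op      op/s
 256 bit ecdh (nistp256)   0.0000s  62500.0
 384 bit ecdh (nistp384)   0.0001s   7348.2
 253 bit ecdh (X25519)   0.0000s      inf
"""
# Constructed "after" run (made-up numbers, not results from the thread).
AFTER = """\
 256 bit ecdh (nistp256)   0.0000s  62000.0
 384 bit ecdh (nistp384)   0.0001s  11022.3
 253 bit ecdh (X25519)   0.0000s      inf
"""

# "<bits> bit ecdh (<curve>)  <seconds>s  <ops/s>"
ROW = re.compile(r"^\s*\d+ bit ecdh \(([^)]+)\)\s+[\d.]+s\s+(\S+)\s*$")


def parse_speed_ecdh(text):
    """Return {curve: ops_per_sec}; None marks a row with no usable measurement."""
    results = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, version banner, compiler flags
        curve, rate = m.groups()
        try:
            ops = float(rate)  # "inf" parses as infinity
        except ValueError:
            ops = math.nan
        # inf, nan, zero or negative rates mean the test did not really run
        results[curve] = ops if math.isfinite(ops) and ops > 0 else None
    return results


def speedup(before, after, curve):
    """after/before ratio for one curve, or None if either run lacks a valid value."""
    b, a = before.get(curve), after.get(curve)
    if b is None or a is None:
        return None
    return a / b


if __name__ == "__main__":
    before, after = parse_speed_ecdh(BEFORE), parse_speed_ecdh(AFTER)
    for curve in before:
        print(curve, speedup(before, after, curve))
```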
  7. eva2000

    cheers !
     
  8. bassie

  9. eva2000

    looks like patch doesn't work with OpenSSL 1.1.1-pre1 but luckily 123.09beta01 only patches with OpenSSL 1.1.0g right now
    Code (Text):
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1g-double-performance-ecdhx-25519.patch
    patching file crypto/ec/curve25519.c
    Hunk #1 FAILED at 1.
    Hunk #2 FAILED at 7.
    Hunk #3 FAILED at 3230.
    patch unexpectedly ends in middle of line
    Hunk #4 succeeded at 3850 with fuzz 2 (offset 484 lines).
    3 out of 4 hunks FAILED -- saving rejects to file crypto/ec/curve25519.c.rej
    patch failed, revert patch /usr/local/src/centminmod/patches/openssl/OpenSSL1.1g-double-performance-ecdhx-25519.patch
     
  10. eva2000

    Ah i see this patch is not needed for OpenSSL 1.1.1-pre1 or 1.1.1 as the patch has been committed
     
  11. bassie

    Of course
     
    • Like x 1