OpenSSL [PATCH]50% ECDHX 25519 performance improvement - OpenSSL 1.1

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Jan 2, 2018.

  1. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    1:04 PM
    Ecdhx 25519 could also get faster.
    As an extra New Year's gift next to [PATCH]ECDSA sign faster by 30-40% - OpenSSL 1.1
    An improvement of 50% "double" is possible (depending on the hardware).

    Backport patch "double" ecdhx25519 performance at OpenSSL 1.1

    With this backport patch, OpenSSL 1.1 will have to be able to do the same.

    I am not active in software development, this is pure mathematics and algorithmics.
    The goal is twofold.

    First and foremost nothing more or less than that I have had fun, as this contribution is purely out of interest.
    Second. Freedom happiness. Do what you want with the patch.
    It is freely available at GitLab.

     
  2. eva2000

    eva2000 Administrator Staff Member

    54,601
    12,225
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,794
    Local Time:
    10:04 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Thanks @bassie for sharing.. didn't see this change so thanks for heads up :)

    is ECDHX 25519 different from ECDH 25519?

    this patch is against OpenSSL 1.1.0 master branch or 1.1.0g ?
     
  3. eva2000

  4. buik

  5. eva2000

    it's discussed in issue tracker at [rt.openssl.org #4683] [BUG] Failure running openssl speed ecdh in master branch · Issue #2532 · openssl/openssl · GitHub

    and

    when i run ecdh test on openssl 1.1.0g
    Code (Text):
    openssl speed -multi 8 ecdh
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                                 op      op/s
     160 bit ecdh (secp160r1)   0.0000s  26594.3
     192 bit ecdh (nistp192)   0.0000s  22031.5
     224 bit ecdh (nistp224)   0.0000s  57971.0
     256 bit ecdh (nistp256)   0.0000s  62500.0
     384 bit ecdh (nistp384)   0.0001s   7348.2
     521 bit ecdh (nistp521)   0.0001s   8090.0
     163 bit ecdh (nistk163)   0.0000s  21888.7
     233 bit ecdh (nistk233)   0.0001s  17062.9
     283 bit ecdh (nistk283)   0.0001s   9780.1
     409 bit ecdh (nistk409)   0.0002s   6466.6
     571 bit ecdh (nistk571)   0.0004s   2842.7
     163 bit ecdh (nistb163)   0.0000s  20958.9
     233 bit ecdh (nistb233)   0.0001s  16318.7
     283 bit ecdh (nistb283)   0.0001s   9243.3
     409 bit ecdh (nistb409)   0.0002s   6086.6
     571 bit ecdh (nistb571)   0.0004s   2640.4
     253 bit ecdh (X25519)   0.0000s      inf
    
     
  6. buik

    For the global readers over here.
    This has nothing to do with the patch.

    With or without the ECDHX 25519 enhancement patch you couldn't test X25519 on OpenSSL 1.1 before, now or in the future (tests below).

    The command "openssl speed ecdhx25519" could result in an error "ECDH failure".
    And/or "0.0000s inf" if tested with the global parameter "openssl speed ecdh".
    In other words, you can't test X25519 as it is "Skipped for X25519" (see GitHub link in @eva2000's post).

    The OpenSSL team considers this a function, not a bug or anything else,
    so no fix will be issued for OpenSSL 1.1 in the future.
    Once again, it has never worked before and never will on OpenSSL 1.1.

    In addition to that.
    The ECDH speed test suite on OpenSSL 1.1.1dev "moved the ECDH speed tests to use the higher level EVP API".

    Test results

    OpenSSL 1.1g with and without patch:
    OpenSSL 1.1.1dev 3 January 2018:
     
    Last edited: Jan 3, 2018
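
An added example (not part of any post in this thread): a small Python parser for `openssl speed ecdh` output that separates measured curves from rows like the X25519 one above, where the tool printed `0.0000s inf` instead of a measurement. The function names are illustrative, and the sample rows are copied from the output quoted in the thread.

```python
import math
import re

# Rows copied from the `openssl speed -multi 8 ecdh` output quoted in the thread.
SAMPLE = """\
                             op      op/s
 256 bit ecdh (nistp256)   0.0000s  62500.0
 384 bit ecdh (nistp384)   0.0001s   7348.2
 571 bit ecdh (nistb571)   0.0004s   2640.4
 253 bit ecdh (X25519)   0.0000s      inf
"""

ROW = re.compile(
    r"^\s*(?P<bits>\d+)\s+bits?\s+ecdh\s+\((?P<curve>[^)]+)\)\s+"
    r"(?P<secs>[0-9.]+)s\s+(?P<ops>\S+)\s*$"
)

def parse_speed_ecdh(text):
    """Return (measured, unmeasured): {curve: ops/s} and [curve, ...]."""
    measured, unmeasured = {}, []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, compiler flags, column header
        try:
            ops = float(m.group("ops"))  # float() accepts "inf" and "nan"
        except ValueError:
            ops = math.nan
        if math.isfinite(ops) and ops > 0:
            measured[m.group("curve")] = ops
        else:
            unmeasured.append(m.group("curve"))  # e.g. the skipped X25519 row
    return measured, unmeasured

def speedup(before, after, curve):
    """Ratio after/before for one curve; refuses rows that were not measured."""
    b_ok, b_bad = parse_speed_ecdh(before)
    a_ok, a_bad = parse_speed_ecdh(after)
    if curve in b_bad or curve in a_bad:
        raise ValueError(f"{curve}: row was not measured, cannot compare")
    return a_ok[curve] / b_ok[curve]

if __name__ == "__main__":
    ok, skipped = parse_speed_ecdh(SAMPLE)
    print("measured:", ok)
    print("not measured:", skipped)
```
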
  7. eva2000

    cheers !
     
  8. buik

  9. eva2000

    looks like patch doesn't work with OpenSSL 1.1.1-pre1 but luckily 123.09beta01 only patches with OpenSSL 1.1.0g right now
    Code (Text):
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1g-double-performance-ecdhx-25519.patch
    patching file crypto/ec/curve25519.c
    Hunk #1 FAILED at 1.
    Hunk #2 FAILED at 7.
    Hunk #3 FAILED at 3230.
    patch unexpectedly ends in middle of line
    Hunk #4 succeeded at 3850 with fuzz 2 (offset 484 lines).
    3 out of 4 hunks FAILED -- saving rejects to file crypto/ec/curve25519.c.rej
    patch failed, revert patch /usr/local/src/centminmod/patches/openssl/OpenSSL1.1g-double-performance-ecdhx-25519.patch
     
  10. eva2000

    Ah i see this patch is not needed for OpenSSL 1.1.1-pre1 or 1.1.1 as the patch has been committed
     
  11. buik

    Of course