Decryption slower in 1.1.1 branch?

Viktor Dukhovni openssl-users at dukhovni.org
Mon Jan 27 19:03:08 UTC 2020 

On Mon, Jan 27, 2020 at 06:20:27PM +0000, Dan Heinz wrote:

> I upgraded a library that used OpenSSL 1.0.2 to the OpenSSL 1.1.1d.
> On Windows, I have found that the time to decrypt had doubled.  After
> a bit of timestamp logging, I found the RSA_private_decrypt function
> is taking twice as long with 1.1.1d as it did with 1.0.2t.  This is
> being called from a Windows 64-bit DLL.

RSA is not intended for bulk data decryption, its intended uses are key
transport and signing.  Bulk data decryption is done via AES or similar.

> For example, decrypting 8680 bytes of data averages about .3 seconds
> with the OpenSSL 1.0.2t library (statically linked).  Decrypting the
> same data with the OpenSSL 1.1.1d library averages about .6 seconds.

Are you sure that's seconds and not milliseconds?  These are absurdly
long times, almost certainly dominated by factors other than the
encryption algorithms.  On my 2015 laptop (MacOS) I get:

  OpenSSL 1.0.2h:

    options:bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: cc -I. -I.. -I../include  -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.000883s 0.000027s   1132.3  37397.7

    OpenSSL 1.1.1a:
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: cc -fPIC -arch x86_64 -O3 -Wall -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG -DOPENSSL_API_COMPAT=0x10100000L
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.000883s 0.000026s   1132.8  38377.8

Which shows an RSA 2048-bit signature (private key decrypt operation)
taking less than 1ms, and not materially different between 1.0.2 and
1.1.1.

> I'm wondering if perhaps my build configuration is incorrect or
> missing something for the 1.1.1d build.  Here are the configuration
> parameters for the 64-bit build:

There's probably a deeper issue with what you're doing, you need to be
much more specific about what you're measuring.  Is this SMIME?  CMS?
What is the RSA key size?  What is the bulk encryption cipher?

> Configure VC-WIN64A --prefix=%RootPath_ThirdParty%\%OPENSSL_VERSION%
> -DPURIFY -DOPENSSL_NO_COMP -D_USING_V110_SDK71_ no-shared no-asm
> no-idea no-mdc2 no-rc5 no-ssl2 no-ssl3 no-zlib no-comp no-pinshared

PURIFY must not be enabled in production builds, it is only for memory
allocation/safety debugging.  You've also disabled assembly
optimizations, which reduces side-channel resistance and hurts
performance.

> I logged things granular enough to see the speed difference was in
> RSA_private_decrypt, but I'm not sure why it is so much slower with
> 1.1.1d.  Any help or ideas would be appreciated!

At 600ms for 8KB, it is not plausible that the time is spend doing
cryptography.  That's barely fast enough to feed a 1980's modem.

-- 
    Viktor.

More information about the openssl-users mailing list