Decryption slower in 1.1.1 branch?

Dan Heinz dheinz at
Tue Jan 28 18:24:06 UTC 2020

Thank you for the information, Victor.

>> I upgraded a library that used OpenSSL 1.0.2 to the OpenSSL 1.1.1d.
>> On Windows, I have found that the time to decrypt had doubled.  After 
>> a bit of timestamp logging, I found the RSA_private_decrypt function 
>> is taking twice as long with 1.1.1d as it did with 1.0.2t.  This is 
>> being called from a Windows 64-bit DLL.

>RSA is not intended for bulk data decryption, its intended uses are key transport and signing.  Bulk data decryption is done via AES or similar.

>> For example, decrypting 8680 bytes of data averages about .3 seconds 
>> with the OpenSSL 1.0.2t library (statically linked).  Decrypting the 
>> same data with the OpenSSL 1.1.1d library averages about .6 seconds.

>Are you sure that's seconds and not milliseconds?  These are absurdly long times, almost certainly dominated by factors other than the encryption algorithms.  On my 2015 laptop (MacOS) I get:

Yes, it is seconds.  
Our library source is cross-platform and I tested on Linux with execution times around 20 milliseconds.  This was with a static build rather than shared on Linux.  I'm running the Linux tests on a VM on the same machine I am testing the Windows builds.  Yet, the Windows build is much slower.  Same source code.  That's why I initially thought it was something in my OpenSSL configure parameters.

While I'm ok with the execution speed with OpenSSL 1.0.2, I'd like to figure out why the times doubled with OpenSSL 1.1.1.  

I'm logging times before and after the calls to RSA_private_decrypt.  With OpenSSL 1.0.2 it takes on average about 4-8 milliseconds for each RSA_private_decrypt call.  With OpenSSL 1.1.1d, it takes 10-15 milliseconds for each RSA_private_decrypt call.  No code changes other than what was needed such as changing the direct calls to the RSA structure fields.

>> I'm wondering if perhaps my build configuration is incorrect or 
>> missing something for the 1.1.1d build.  Here are the configuration 
>> parameters for the 64-bit build:

>There's probably a deeper issue with what you're doing, you need to be much more specific about what you're measuring.  Is this SMIME?  CMS?
>What is the RSA key size?  What is the bulk encryption cipher?

The data being decrypted is local on the client machine and is just an XML file. 
RSA key is 1024 bits.  
I'm using OAEP padding.

>> Configure VC-WIN64A --prefix=%RootPath_ThirdParty%\%OPENSSL_VERSION%
>> -DPURIFY -DOPENSSL_NO_COMP -D_USING_V110_SDK71_ no-shared no-asm 
>> no-idea no-mdc2 no-rc5 no-ssl2 no-ssl3 no-zlib no-comp no-pinshared

>PURIFY must not be enabled in production builds, it is only for memory allocation/safety debugging.  You've also disabled assembly optimizations, which reduces side-channel resistance and hurts performance.

Thank you for the information.  I removed it from the configuration parameters.  I didn't really notice a difference in execution time though.  I also removed the no-asm parameter, set up nasm, and rebuilt with no noticeable changes.  

>> I logged things granular enough to see the speed difference was in 
>> RSA_private_decrypt, but I'm not sure why it is so much slower with 
>> 1.1.1d.  Any help or ideas would be appreciated!

>At 600ms for 8KB, it is not plausible that the time is spent doing cryptography.  That's barely fast enough to feed a 1980's modem.

I would expect the execution times to be more in line with what I saw with Linux for both 1.0.2 and 1.1.1.  But even so, I do not understand why just upgrading to 1.1.1 causes the RSA_private_decrypt calls to double in execution time from what they were with 1.0.2?
