Google Git
Sign in
boringssl / boringssl.git / f11ea19043f2b3ee42e4a76d0645914347e1a36e^! / .
commitf11ea19043f2b3ee42e4a76d0645914347e1a36e[log] [tgz]
authorDavid Benjamin <davidben@google.com>Mon Apr 09 20:17:20 2018 -0400
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Tue Apr 10 00:58:31 2018 +0000
tree0a8dde8d7d4f9cad5e551c297f12fde034f42f86
parentbb2e1e1eea7d70492e52878d03f427abc27e358c [diff]
Actually benchmark RSA verification with a fresh key.

https://boringssl-review.googlesource.com/10522 didn't actually do what
it was supposed to do. In fact, it appears, not paying attention to it,
we've managed to make RSA verify slower than ECDSA verify. Oops.

Did 32000 RSA 2048 verify (same key) operations in 1016746us (31473.0 ops/sec)
Did 5525 RSA 2048 verify (fresh key) operations in 1067209us (5177.1 ops/sec)
Did 8957 ECDSA P-256 verify operations in 1078570us (8304.5 ops/sec)

The difference is in setting up the BN_MONT_CTX, either computing R^2 or n0.
I'm guessing R^2. The current algorithm needs to be constant-time, but we can
split out a variable-time one if necessary.

Change-Id: Ie064a0e464aaa803815b56a6734bc9e2becef1a7
Reviewed-on: https://boringssl-review.googlesource.com/27244
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/tool/speed.cc b/tool/speed.cc
index 9c499cb..d95fa9e 100644
--- a/tool/speed.cc
+++ b/tool/speed.cc

@@ -169,6 +169,17 @@
 
   if (!TimeFunction(&results,
                     [key, &fake_sha256_hash, &sig, sig_len]() -> bool {
+        return RSA_verify(NID_sha256, fake_sha256_hash,
+                          sizeof(fake_sha256_hash), sig.get(), sig_len, key);
+      })) {
+    fprintf(stderr, "RSA_verify failed.\n");
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+  results.Print(key_name + " verify (same key)");
+
+  if (!TimeFunction(&results,
+                    [key, &fake_sha256_hash, &sig, sig_len]() -> bool {
         // Usually during RSA verification we have to parse an RSA key from a
         // certificate or similar, in which case we'd need to construct a new
         // RSA key, with a new |BN_MONT_CTX| for the public modulus. If we were
@@ -185,13 +196,14 @@
           return false;
         }
         return RSA_verify(NID_sha256, fake_sha256_hash,
-                          sizeof(fake_sha256_hash), sig.get(), sig_len, key);
+                          sizeof(fake_sha256_hash), sig.get(), sig_len,
+                          verify_key.get());
       })) {
     fprintf(stderr, "RSA_verify failed.\n");
     ERR_print_errors_fp(stderr);
     return false;
   }
-  results.Print(key_name + " verify");
+  results.Print(key_name + " verify (fresh key)");
 
   return true;
 }