Actually benchmark RSA verification with a fresh key.

https://boringssl-review.googlesource.com/10522 didn't actually do what
it was supposed to do. In fact, it appears, not paying attention to it,
we've managed to make RSA verify slower than ECDSA verify. Oops.

Did 32000 RSA 2048 verify (same key) operations in 1016746us (31473.0 ops/sec)
Did 5525 RSA 2048 verify (fresh key) operations in 1067209us (5177.1 ops/sec)
Did 8957 ECDSA P-256 verify operations in 1078570us (8304.5 ops/sec)

The difference is in setting up the BN_MONT_CTX, either computing R^2 or n0.
I'm guessing R^2. The current algorithm needs to be constant-time, but we can
split out a variable-time one if necessary.

Change-Id: Ie064a0e464aaa803815b56a6734bc9e2becef1a7
Reviewed-on: https://boringssl-review.googlesource.com/27244
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2018-04-09 20:17:20 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent bb2e1e1eea
commit f11ea19043

View File

@ -167,6 +167,17 @@ static bool SpeedRSA(const std::string &key_name, RSA *key,
} }
results.Print(key_name + " signing"); results.Print(key_name + " signing");
if (!TimeFunction(&results,
[key, &fake_sha256_hash, &sig, sig_len]() -> bool {
return RSA_verify(NID_sha256, fake_sha256_hash,
sizeof(fake_sha256_hash), sig.get(), sig_len, key);
})) {
fprintf(stderr, "RSA_verify failed.\n");
ERR_print_errors_fp(stderr);
return false;
}
results.Print(key_name + " verify (same key)");
if (!TimeFunction(&results, if (!TimeFunction(&results,
[key, &fake_sha256_hash, &sig, sig_len]() -> bool { [key, &fake_sha256_hash, &sig, sig_len]() -> bool {
// Usually during RSA verification we have to parse an RSA key from a // Usually during RSA verification we have to parse an RSA key from a
@ -185,13 +196,14 @@ static bool SpeedRSA(const std::string &key_name, RSA *key,
return false; return false;
} }
return RSA_verify(NID_sha256, fake_sha256_hash, return RSA_verify(NID_sha256, fake_sha256_hash,
sizeof(fake_sha256_hash), sig.get(), sig_len, key); sizeof(fake_sha256_hash), sig.get(), sig_len,
verify_key.get());
})) { })) {
fprintf(stderr, "RSA_verify failed.\n"); fprintf(stderr, "RSA_verify failed.\n");
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
return false; return false;
} }
results.Print(key_name + " verify"); results.Print(key_name + " verify (fresh key)");
return true; return true;
} }