Open Bug 1877966 Opened 1 year ago Updated 1 year ago

Performance regression in ECDSA P256 signature verification

Categories

(NSS :: Libraries, defect, P3)

Tracking

(firefox-esr115 unaffected, firefox122 wontfix, firefox123 wontfix, firefox124 wontfix)

People

(Reporter: michel, Unassigned)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Attached file signatures.cpp

Hello,
I noticed that ECDSA P256 signature verification is slower in 3.96.1 than it was in 3.87.1. I used a modified benchmark program from https://bugzilla.mozilla.org/show_bug.cgi?id=1355993 for testing and got the following results:

On a Raspberry Pi 4 Model B Rev 1.2:
NSS 3.87.1:

0.013146: generated key pair...
0.001784: signed hash...
160.013659: verified 100000 signature(s)
Speed is: 624.946649 verify/s

NSS 3.96.1:

0.005695: generated key pair...
0.000891: signed hash...
204.357193: verified 100000 signature(s)
Speed is: 489.339272 verify/s

On Intel Core i5-1135G7:
NSS 3.87.1:

0.002965: generated key pair...
0.000336: signed hash...
78.274145: verified 100000 signature(s)
Speed is: 1277.561064 verify/s

NSS 3.96.1:

0.005208: generated key pair...
0.000796: signed hash...
90.071228: verified 100000 signature(s)
Speed is: 1110.232448 verify/s

It also seems to be significantly slower than OpenSSL:
On a Raspberry Pi 4 Model B Rev 1.2:

$ openssl speed ecdsap256
Doing 256 bits sign ecdsa's for 10s: 80258 256 bits ECDSA signs in 9.78s
Doing 256 bits verify ecdsa's for 10s: 28606 256 bits ECDSA verify in 9.98s
version: 3.0.11
built on: Fri Oct 27 12:40:12 2023 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-5naemp/openssl-3.0.11=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
CPUINFO: OPENSSL_armcap=0x81
                              sign    verify    sign/s verify/s
 256 bits ecdsa (nistp256)   0.0001s   0.0003s   8206.3   2866.3

On Intel Core i5-1135G7:

$ openssl speed ecdsap256
Doing 256 bits sign ecdsa's for 10s: 296234 256 bits ECDSA signs in 9.98s
Doing 256 bits verify ecdsa's for 10s: 98773 256 bits ECDSA verify in 10.00s
version: 3.1.4
built on: Sat Nov 25 20:35:59 2023 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/reproducible-path/openssl-3.1.4=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
CPUINFO: OPENSSL_ia32cap=0x7ffaf3bfffebffff:0x18c05fdef3bfa7eb
                              sign    verify    sign/s verify/s
 256 bits ecdsa (nistp256)   0.0000s   0.0001s  29682.8   9877.3

:nkulatova, since you are the author of the regressor, bug 1615555, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(nkulatova)

Set release status flags based on info from the regressing bug 1615555

We switched to a new formally verified P-256 implementation in 3.94. There are some performance improvements planned for later this year.

Severity: -- → S4
Flags: needinfo?(nkulatova)
Priority: -- → P3