[Cryptech Tech] Aes keywrap core ready for test and benchmarking

Paul Selkirk paul at psgd.org
Wed Aug 29 20:25:11 UTC 2018

Below are results from running sw/pkcs11/scripts/time-signature.py, both
with software keywrap and with the keywrap core.

Key sizes are in bytes, measured in hal_aes_keyunwrap. (RSA keys have
some extra pre-calculated goop intended to speed up subsequent
operations, so are bigger than you might otherwise expect.) Times are in
seconds, measured as the mean of 100 signing operations.

In these tests, keys are stored in the volatile (RAM-based) keystore, so
we're not dealing with slow flash I/O. Also, the message being signed is
only 26 characters, so there's not much efficiency left to be squeezed out.

                size    software    core        diff
  rsa_1024      2720    0.263219    0.239734    0.023485    8.92%
  rsa_2048      3304    0.370340    0.341877    0.028463    7.68%
  rsa_4096      4456    0.974781    0.936191    0.038590    3.95%
  ecdsa_p256     152    0.230199    0.227110    0.003089    1.34%
  ecdsa_p384     200    0.259258    0.257391    0.001867    0.72%
  ecdsa_p521     256    3.576458    3.573875    0.002583    0.44%

So even though we saw a 5x speedup in keywrap, the real-world effect is
at best a 9% speedup in signing, because keywrap is a small fraction of
the overall signing operation.

However, if we can get the keywrap core to read the KEK directly from
the MKM, and keep it off the CPU/out of RAM, that will be a major
security boost, independent of any modest efficiency gains.


More information about the Tech mailing list