[Cryptech Tech] Happier RSA timing numbers

Joachim Strömbergson joachim.strombergson at assured.se
Tue May 22 12:39:13 UTC 2018



Aloha!

Rob Austein wrote:
> So out of 291 seconds spent signing stuff in this test run, we spent 
> 38 seconds on the actual signatures (including ASN.1, blinding,
> modexp including FMC I/O, and other arithmetic), spent more than
> twice that just on FMC I/O talking to the AES cores, and 110 seconds
> waiting for the AES core.  At least that's what the profiler thinks
> happened.

So those 110 seconds should drop down to 30-ish.

I'm curious about the FMC I/O numbers. Could we improve that by transferring
whole keys to be wrapped/unwrapped in a single batch and then have the
AES core operate independently in a local buffer? (A bit like having a
streaming interface.)

Looking at the code for aes_keywrap in:
https://trac.cryptech.is/browser/sw/libhal/aes_keywrap.c

The inner processing loop is at line number 199 (or 207). And there we:

1. Move a single block to the core. Four write operations.
2. Call AES next. One write operation.
3. Wait for AES ready. Spinning, reading a number of words.
4. Move a single block from the core. Four read operations.

So at least 10 FMC accesses, but probably more since the AES core is
probably not done when the first read happens. The unsuccessful ready
read operations do not cost any performance though.

With a 2048 bit key to be wrapped, this happens 16-ish times with a few
cycles/block just for next/ready. With larger keys this would of course
increase.

With a streaming interface this could be optimized to allow the code to
simply write all blocks as a sequence of words, wait for ready once and
then read out the result. Possibly having to initially write the number
of blocks to process.

This at least looks like a possible optimization. Not a fundamental
improvement though. The AES core latency is more important and the
optimizations done should hopefully show this in the next profiling.

The operations performed in lines 209-212 could also be moved to HW and be
performed in parallel.

-- 
Best regards, Yours

Joachim Strömbergson - Assured AB
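To make the per-block access count concrete, here is an added model (not code from libhal's aes_keywrap.c) of the RFC 3394 wrap loop with a core object that tallies FMC-style word accesses: four writes for the block, one write for "next", one read for a (successful) ready poll, four reads for the result. The block cipher is a constructed stand-in permutation, not AES, and the streaming-interface figure is a hypothetical layout (block count, all input words, one next, one ready, all output words).

```python
"""Model of the FMC register traffic behind RFC 3394 AES key wrap.

Added example; the cipher is a constructed placeholder (NOT AES) so the
script runs offline. Only the loop structure and access accounting matter.
"""


class CoreModel:
    """Counts 32-bit word accesses the way the per-block path uses them."""

    def __init__(self, encrypt_block):
        self.encrypt_block = encrypt_block  # 16-byte block -> 16-byte block
        self.writes = 0
        self.reads = 0
        self.aes_calls = 0

    def encrypt(self, block: bytes) -> bytes:
        self.writes += 4          # one 128-bit block = four 32-bit words
        self.writes += 1          # "next" written to the control register
        self.reads += 1           # assume the first ready poll succeeds
        self.aes_calls += 1
        out = self.encrypt_block(block)
        self.reads += 4           # read back four result words
        return out


def stand_in_cipher(block: bytes) -> bytes:
    # Constructed placeholder permutation: bytewise XOR with a constant.
    return bytes(b ^ 0x5A for b in block)


def wrap(core: CoreModel, plaintext: bytes) -> bytes:
    """RFC 3394 wrap: A = IV, R = 64-bit blocks, six passes over all blocks."""
    assert len(plaintext) % 8 == 0 and len(plaintext) >= 16
    n = len(plaintext) // 8
    a = 0xA6A6A6A6A6A6A6A6
    r = [int.from_bytes(plaintext[8 * i:8 * i + 8], "big") for i in range(n)]
    for j in range(6):
        for i in range(n):
            b = core.encrypt(a.to_bytes(8, "big") + r[i].to_bytes(8, "big"))
            a = int.from_bytes(b[:8], "big") ^ (n * j + i + 1)
            r[i] = int.from_bytes(b[8:], "big")
    return a.to_bytes(8, "big") + b"".join(x.to_bytes(8, "big") for x in r)


def per_block_accesses(key_bytes: int) -> int:
    """Total word accesses when every AES call goes over the FMC separately."""
    core = CoreModel(stand_in_cipher)
    wrap(core, bytes(key_bytes))
    return core.writes + core.reads


def streaming_accesses(key_bytes: int) -> int:
    """Hypothetical streaming interface: count + all input words + next + ready + all output words."""
    n = key_bytes // 8
    return 1 + (n * 8) // 4 + 1 + 1 + ((n + 1) * 8) // 4
```

For a 256-byte (2048-bit) input the per-block path performs 6 * 32 = 192 core calls and about 1920 word accesses, against 133 for the streamed layout.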


