[Cryptech Tech] Happier RSA timing numbers

Rob Austein sra at hactrn.net
Thu May 24 15:42:54 UTC 2018


On Thu, 24 May 2018 11:14:12 -0400, Russ Housley wrote:
> 
> Am I reading this correctly?  I am seeing both wrap and unwrap.  I
> expected to see an unwrap, private key operation, overwrite the
> memory where the key was stored.  This would save a whole bunch of
> AES operations.

The profiling code can't tell the difference between the setup portion
of the tests and the tests proper, so it also reports on wrap
operations during the test setup: initial loading of test keys into
the keystore, and because this is RSA, subsequent update of each key
to add the "speedup factors" computed by Pavel's modexp core (see
archived mail for details, short version is that Pavel noticed that
the bulk of the modexp computation is a "precomputation" stage which
takes only the key as input and doesn't care about the message, so the
first time we use a key after generating or loading it we update the
keystore to retain the result of the precomputation -- think of this
as weird extra key components specific to our Verilog implementation).

So yeah, you see both wrap and unwrap, but it's mostly unwrap.  The
numbers reflect this: out of 6000552 calls to do_block(), 37122 came
from hal_aes_keywrap() while 5963430 came from hal_aes_keyunwrap().
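An added sketch, not part of the original message and not Cryptech code, of the pattern described above: a key-only precomputation is done on first use and written back to the keystore, so each key costs two wraps (load plus update) while every private-key operation costs one unwrap. All names are hypothetical, the "speedup factors" are assumed to be Montgomery constants, key wrapping is modelled as a plain dict copy, and the arithmetic is not constant-time.

```python
# Added illustration, not Cryptech code; every name here is hypothetical.
# Assumption: the key-only "speedup factors" are modelled as Montgomery constants.

def montgomery_precompute(n, bits):
    """Key-only stage: depends on the (odd) modulus n, never on the message."""
    r = 1 << bits
    return {"bits": bits, "r2": (r * r) % n, "n_inv": (-pow(n, -1, r)) % r}

def mont_mul(a, b, n, pre):
    """Montgomery product a*b*R^-1 mod n using the cached constants."""
    mask = (1 << pre["bits"]) - 1
    t = a * b
    m = ((t & mask) * pre["n_inv"]) & mask
    u = (t + m * n) >> pre["bits"]
    return u - n if u >= n else u

def modexp(msg, d, n, pre):
    """Message-dependent stage: square-and-multiply in Montgomery form."""
    x = mont_mul(msg % n, pre["r2"], n, pre)    # message into Montgomery form
    acc = mont_mul(1, pre["r2"], n, pre)        # 1 in Montgomery form
    for bit in bin(d)[2:]:
        acc = mont_mul(acc, acc, n, pre)
        if bit == "1":
            acc = mont_mul(acc, x, n, pre)
    return mont_mul(acc, 1, n, pre)             # back out of Montgomery form

class Keystore:
    """Counts wrap/unwrap calls; key wrapping itself is modelled as a dict copy."""
    def __init__(self):
        self.blobs, self.wraps, self.unwraps = {}, 0, 0
    def wrap(self, name, key):
        self.wraps += 1
        self.blobs[name] = dict(key)
    def unwrap(self, name):
        self.unwraps += 1
        return dict(self.blobs[name])

def private_op(ks, name, msg):
    key = ks.unwrap(name)                       # every use unwraps the key
    if "pre" not in key:                        # first use after load only
        key["pre"] = montgomery_precompute(key["n"], key["n"].bit_length())
        ks.wrap(name, key)                      # retain the result in the keystore
    return modexp(msg, key["d"], key["n"], key["pre"])

def demo(uses=5):
    ks = Keystore()
    ks.wrap("k", {"n": 3233, "d": 2753})        # constructed toy key (61*53)
    outs = [private_op(ks, "k", 2790) for _ in range(uses)]
    return outs, ks.wraps, ks.unwraps
```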

