[Cryptech Tech] Happier RSA timing numbers

Russ Housley housley at vigilsec.com
Fri May 25 15:39:10 UTC 2018


> On May 24, 2018, at 11:42 AM, Rob Austein <sra at hactrn.net> wrote:
> 
> On Thu, 24 May 2018 11:14:12 -0400, Russ Housley wrote:
>> 
>> Am I reading this correctly?  I am seeing both wrap and unwrap.  I
>> expected to see an unwrap, private key operation, overwrite the
>> memory where the key was stored.  This would save a whole bunch of
>> AES operations.
> 
> The profiling code can't tell the difference between the setup portion
> of the tests and the tests proper, so it also reports on wrap
> operations during the test setup: initial loading of test keys into
> the keystore, and because this is RSA, subsequent update of each key
> to add the "speedup factors" computed by Pavel's modexp core (see
> archived mail for details, short version is that Pavel noticed that
> the bulk of the modexp computation is a "precomputation" stage which
> takes only the key as input and doesn't care about the message, so the
> first time we use a key after generating or loading it we update the
> keystore to retain the result of the precomputation -- think of this
> as weird extra key components specific to our Verilog implementation).
> 
> So yeah, you see both wrap and unwrap, but it's mostly unwrap.  The
> numbers reflect this: out of 6000552 calls to do_block(), 37122 came
> from hal_aes_keywrap() while 5963430 came from hal_aes_keyunwrap().

I recall that we talked about computing the values that are needed for the speedup, and then storing them with the private key.  So, there should be at most one wrap.

Russ
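The caching behaviour described in the quoted reply, as an added example that is not part of the original thread or of the Cryptech code base. It assumes the key-only "speedup factors" are Montgomery-style constants (the thread does not say what they are); `KeyRecord`, `store`, `precompute`, `mont_mul` and `private_op` are hypothetical names, and the wrap counter stands in for a keystore write.

```python
from dataclasses import dataclass

@dataclass
class KeyRecord:
    n: int                  # RSA modulus (odd)
    d: int                  # private exponent
    speedup: tuple = None   # key-only constants, absent until first use
    wraps: int = 0          # times this record was written to the keystore

def store(rec):
    """Stand-in for wrapping the record into the keystore."""
    rec.wraps += 1

def precompute(n):
    """Message-independent constants for modulus n (assumed Montgomery form)."""
    k = n.bit_length()
    r = 1 << k
    n_prime = (-pow(n, -1, r)) % r      # -n^-1 mod R
    r2 = (r * r) % n                    # R^2 mod n
    return k, n_prime, r2

def mont_mul(a, b, n, k, n_prime):
    """Montgomery product a*b*R^-1 mod n, with R = 2^k."""
    mask = (1 << k) - 1
    t = a * b
    m = ((t & mask) * n_prime) & mask
    u = (t + m * n) >> k
    return u - n if u >= n else u

def private_op(rec, msg):
    """msg^d mod n; constants are computed and stored on first use only."""
    if rec.speedup is None:
        rec.speedup = precompute(rec.n)
        store(rec)                      # the one extra wrap after loading
    k, n_prime, r2 = rec.speedup
    x = mont_mul(msg % rec.n, r2, rec.n, k, n_prime)  # into Montgomery form
    acc = mont_mul(1, r2, rec.n, k, n_prime)          # 1 in Montgomery form
    for bit in bin(rec.d)[2:]:          # not constant time; caching demo only
        acc = mont_mul(acc, acc, rec.n, k, n_prime)
        if bit == "1":
            acc = mont_mul(acc, x, rec.n, k, n_prime)
    return mont_mul(acc, 1, rec.n, k, n_prime)        # out of Montgomery form

def demo():
    rec = KeyRecord(n=3233, d=2753)     # constructed toy key (61 * 53)
    store(rec)                          # initial load into the keystore
    results = [private_op(rec, m) for m in (65, 1234, 42)]
    return results, rec.wraps
```
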


