Monday, July 27, 2009

Some quick notes on RSA1024 signing performance

Just so this does not get lost - I've been doing some RSA1024 signing experiments because of my 'DNSSEC on PowerDNS' experiment, and the results were at first confusing.

For starters, friends of mine with Apple OS X reported very low numbers from the version of OpenSSL that ships with OS X (Intel). The command to have OpenSSL perform speed tests is: 'openssl speed rsa1024'. Numbers were around half those reported on identical machines running 32-bit Ubuntu.

Much investigation ensued, and the conclusions are:
  • Apple ships a version of OpenSSL that misses certain optimizations. If you need performance for your applications, investigate which OpenSSL library they link against, and possibly investigate how to recompile or relink.
  • Go 64-bit, in a hurry. Twice as many bits appear to deliver over twice as much performance.
  • A modern Core2-based CPU running 64-bit code maxes out at about 1500 RSA1024 signatures/second/core, based on OpenSSL 1.0 beta 3, or Botan linked against GnuMP 4
  • Non-beta OpenSSLs are quite a bit slower, but not dramatically so
  • More naive code, that is not as highly optimized (like the otherwise excellent PolarSSL), will deliver around 1200 RSA1024 signatures/second/core (64 bits)
  • These numbers scale linearly with the number of cores involved - my 600 euro PC delivers 6000 signatures/second ('0.10 euro/signature/second').
It also looks like no worthwhile general-purpose RSA hardware accelerators are available for use from Linux. Sun ships one, but its performance is not stellar (a lot more than 0.10 euro/signature/second), it is not cheap, and it is only officially supported on Sun hardware. If anyone has better ideas, please let me know!

PS: Why RSA1024? Because this is what DNSSEC is about for the foreseeable future..
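
Added example, not code from the original post: a shell script that extracts the single-core sign/s figure from `openssl speed rsa1024` output and derives the per-machine rate and the euro/signature/second metric used above. The sample output is constructed, and the `RUN_BENCH`, `CORES` and `PRICE_EUR` variables and the 4-core default are assumptions of this example.

```shell
#!/bin/sh
# Parse `openssl speed rsa1024` output and derive per-machine throughput
# and cost per (signature/second), the metric used in the post.

# Constructed sample output (not a real measurement).
SAMPLE='                  sign    verify    sign/s verify/s
rsa 1024 bits 0.000667s 0.000035s   1500.0  28571.4'

# sign_rate: read `openssl speed` output on stdin, print the single-core
# sign/s value of the 1024-bit RSA row; exit status 1 if no such row.
# The column is located via the header line, so additional columns do not
# shift it. Data rows carry three label fields ("rsa", size, "bits") that
# the header lacks, hence the +3.
sign_rate() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "sign/s") col = i + 3 }
         $1 == "rsa" && $2 == 1024 && $3 == "bits" && col {
             print $col; found = 1
         }
         END { exit !found }'
}

# machine_rate RATE CORES: total sign/s, assuming the linear scaling
# with core count that the post reports.
machine_rate() {
    awk -v r="$1" -v c="$2" 'BEGIN { printf "%.0f\n", r * c }'
}

# cost_per_rate PRICE_EUR TOTAL_RATE: euro per (signature/second).
cost_per_rate() {
    awk -v p="$1" -v t="$2" \
        'BEGIN { if (t <= 0) exit 1; printf "%.2f\n", p / t }'
}

# The live benchmark takes a while, so it only runs on request
# (RUN_BENCH=1, an assumed variable name); otherwise the sample is parsed.
if [ "${RUN_BENCH:-0}" = 1 ]; then
    out=$(openssl speed rsa1024 2>/dev/null)
else
    out=$SAMPLE
fi

cores=${CORES:-4}        # assumption: 4 cores
price=${PRICE_EUR:-600}  # machine price from the post
rate=$(printf '%s\n' "$out" | sign_rate) || { echo "no rsa 1024 row" >&2; exit 1; }
total=$(machine_rate "$rate" "$cores")
echo "single core: $rate sign/s; $cores cores: $total sign/s"
echo "cost: $(cost_per_rate "$price" "$total") euro/signature/second"
```
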

Tuesday, July 14, 2009

So, why did I move my blog?

Aesthetically, I liked my old blog. The design was clean, it was 100% under my control, but that last part also turned out to be a problem. When spammers discovered it, they filled it with junk. Junk which was sometimes filtered out, sometimes not, but in any case clogged my poor server. We are talking gigabytes of spam here, literally.

So eventually I caved. If Linus Torvalds can host his blog on, it must surely be good enough for me.

The old blog postings are still available here:
Be sure to add the '/index.html', because shortly, without it will forward you to this site.

So, welcome back dear readers, and I hope to entertain you with things I can't bring myself to shut up about.

