Re: AES performance when using FIPS 2.0 Object Module
On Fri, May 11, 2012, John Foley wrote: Thanks for the information, that explains it. The vpaes-x86 module isn't included in the FIPS module. In the unlreleased OpenSSL 1.0.2 I've just committed a change that no longer redirects all cipher and digests operations to the FIPS module outside FIPS mode: the result should be no performance penalty using the FIPS capable OpenSSL outside FIPS mode. It's experimental and I'd be interested in any problems. See: http://cvs.openssl.org/chngview?cn=22573 Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
AES performance when using FIPS 2.0 Object Module
Is AES performance expected to be much lower when using the FIPS 2.0 Object Module? Below are the speed results when using AES-128-CBC with and w/o the FIPS module. The host system is 32-bit Linux using gcc 4.4.3. The host system does not have AES-NI support. No additional config arguments were used other than 'fipscanisteronly' for building the FIPS module and 'fips' for building 1.0.1b. $ ./openssl speed -evp aes-128-cbc Doing aes-128-cbc for 3s on 16 size blocks: 13734067 aes-128-cbc's in 2.98s Doing aes-128-cbc for 3s on 64 size blocks: 4149906 aes-128-cbc's in 2.95s Doing aes-128-cbc for 3s on 256 size blocks: 1084643 aes-128-cbc's in 2.99s Doing aes-128-cbc for 3s on 1024 size blocks: 278767 aes-128-cbc's in 2.98s Doing aes-128-cbc for 3s on 8192 size blocks: 34952 aes-128-cbc's in 2.99s OpenSSL 1.0.1b-fips 26 Apr 2012 built on: Fri May 11 08:04:08 EDT 2012 options:bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx) compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes256 bytes 1024 bytes 8192 bytes aes-128-cbc 73739.96k90031.86k92865.76k95791.08k 95761.47k $ ./openssl speed -evp aes-128-cbc Doing aes-128-cbc for 3s on 16 size blocks: 36109363 aes-128-cbc's in 2.96s Doing aes-128-cbc for 3s on 64 size blocks: 11241446 aes-128-cbc's in 2.97s Doing aes-128-cbc for 3s on 256 size blocks: 2840087 aes-128-cbc's in 2.96s Doing aes-128-cbc for 3s on 1024 size blocks: 706161 aes-128-cbc's in 2.97s Doing aes-128-cbc for 3s on 8192 size blocks: 90698 aes-128-cbc's in 2.97s OpenSSL 1.0.1b 26 Apr 2012 built on: Fri May 11 08:14:14 EDT 2012 options:bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx) compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes256 bytes 1024 bytes 8192 bytes aes-128-cbc 195185.75k 242239.91k 245629.15k 243471.00k 250167.68k attachment: foleyj.vcf
Re: AES performance when using FIPS 2.0 Object Module
Is AES performance expected to be much lower when using the FIPS 2.0 Object Module? Which CPU? You said it's non-AES-NI-capable, but is it SSSE3-capable? If yes, then see related note at http://www.mail-archive.com/openssl-dev@openssl.org/msg29827.html. Below are the speed results when using AES-128-CBC with and w/o the FIPS module. The host system is 32-bit Linux using gcc 4.4.3. The host system does not have AES-NI support. No additional config arguments were used other than 'fipscanisteronly' for building the FIPS module and 'fips' for building 1.0.1b. $ ./openssl speed -evp aes-128-cbc OpenSSL 1.0.1b-fips 26 Apr 2012 type 16 bytes 64 bytes256 bytes 1024 bytes 8192 bytes aes-128-cbc 73739.96k90031.86k92865.76k95791.08k 95761.47k $ ./openssl speed -evp aes-128-cbc OpenSSL 1.0.1b 26 Apr 2012 compiler: gcc ... -DVPAES_ASM ... type 16 bytes 64 bytes256 bytes 1024 bytes 8192 bytes aes-128-cbc 195185.75k 242239.91k 245629.15k 243471.00k 250167.68k Ratio suggests that it's Nehalem core... __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: AES performance when using FIPS 2.0 Object Module
Thanks for the information, that explains it. The vpaes-x86 module isn't included in the FIPS module. The CPU information is: model name: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz On 05/11/2012 09:07 AM, Andy Polyakov wrote: Is AES performance expected to be much lower when using the FIPS 2.0 Object Module? Which CPU? You said it's non-AES-NI-capable, but is it SSSE3-capable? If yes, then see related note at http://www.mail-archive.com/openssl-dev@openssl.org/msg29827.html. Below are the speed results when using AES-128-CBC with and w/o the FIPS module. The host system is 32-bit Linux using gcc 4.4.3. The host system does not have AES-NI support. No additional config arguments were used other than 'fipscanisteronly' for building the FIPS module and 'fips' for building 1.0.1b. $ ./openssl speed -evp aes-128-cbc OpenSSL 1.0.1b-fips 26 Apr 2012 type 16 bytes 64 bytes256 bytes 1024 bytes 8192 bytes aes-128-cbc 73739.96k90031.86k92865.76k95791.08k 95761.47k $ ./openssl speed -evp aes-128-cbc OpenSSL 1.0.1b 26 Apr 2012 compiler: gcc ... -DVPAES_ASM ... type 16 bytes 64 bytes256 bytes 1024 bytes 8192 bytes aes-128-cbc 195185.75k 242239.91k 245629.15k 243471.00k 250167.68k Ratio suggests that it's Nehalem core... __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org attachment: foleyj.vcf
