question about signing performance

Question

question about signing performance

wez opened this issue a year ago · 3 comments

In my application, a single private key is loaded and used to calculate DKIM signatures for a large number of messages.

Comparing the signing performance against a ring based implementation, the rsa crate is ~3x slower than the ring implementation. That seems to line up with the commentary in #144

Looking at the perf data for signing I was a bit surprised to see encryption and decryption both showing up
in the trace; I've included an abridged view of the relevant parts here:

--99.01%--rsa::key::RsaPrivateKey::sign
          |
           --99.01%--<rsa::pkcs1v15::Pkcs1v15Sign as rsa::traits::padding::SignatureScheme>::sign (inlined)
                     |
                      --99.01%--rsa::pkcs1v15::sign (inlined)
                                |
                                 --98.97%--rsa::algorithms::rsa::rsa_decrypt_and_check (inlined)
                                           |
                                           |--87.35%--rsa::algorithms::rsa::rsa_decrypt (inlined)
                                           |          |
                                           |           --87.11%--num_bigint_dig::biguint::BigUint::modpow
                                           |
                                            --11.62%--rsa::algorithms::rsa::rsa_encrypt (inlined)
                                                      |
                                                       --11.62%--num_bigint_dig::biguint::BigUint::modpow
                                                                 |
                                                                  --11.61%--num_bigint_dig::biguint::monty::monty_modpow

I don't really know anything about RSA in particular, so I don't know if that is expected and the terminology is a bit misleading, or is somehow a redundant sanity check that perhaps isn't needed?

I can see from the readme that making it fast is for a later phase of development, but I wonder if there are any recommendations for more efficient usage in repeated signing scenarios such as mine?

Answer 1 · 2023-06-16T00:04:00.000Z

The "decrypt" operation in use here is actually just the description of the private key half of the RSA cryptosystem. In this case it's being used to produce a signature. The terminology is a bit confusing (although relatively standard when describing RSA) in that you don't think of decryption as being the first operation you perform, but really the public and private key operations are reciprocals of each other.

The corresponding "encrypt" operation is the public key component. In this case it's being used to verify the signature was generated correctly.

Answer 2 · 2023-06-16T03:19:49.000Z

Thanks; so it sounds like there is no low hanging fruit and improved performance will be part of a later phase.

Answer 3 · 2023-06-16T12:13:54.000Z

Nope, those are all the core mathematical operations of RSA.

It's possible we'll be able to improve performance with a hypothetical migration to crypto-bigint