Slowdown after switch to crypto-bigint
#490
Comments
|
So one difference that I see is that |
|
Yeah, that's one difference: However, that could also be a clue to the slowdown, namely there may be places where fixed-but-dynamic precision That's my best guess anyway. I'm not sure to sleuth out exactly where that might be happening other than tediously going through line-by-line and comparing the implementations or otherwise looking for unnecessary leading zeros (via e.g. |
|
The difference comes from the fact that we now do a lot of operation over numbers twice as large as they need to be, at least that is what I remember when I last checked. if each prime has x bits, we end up doing operations on numbers of the size of 2x bits in a bunch of places, when often times something much smaller would suffice. |
|
Yep, I just reached that conclusion as well. There are several instances of exponentiation modulo |
|
Btw if anyone wants to deal with this issue, feel free, I don't think I will have enough free time in the coming weeks. |
|
Hello. Are there any updates on this? I have noticed that it affects my code a lot. |
|
Someone still needs to investigate and find where values are overly wide. That's something I've put on the backburner until we get the rest of the latest releases out |
Fixes #490 - Bump `crypto-bigint` dependency to the current trunk. - Use the width of a single prime instead of the full modulus where possible. Brings `bench_rsa_2048_pkcsv1_decrypt` to pre-`crypto-bigint` values. - Add a check to `RsaPrivateKey::from_components()` to ensure consistency between the primes and the modulus. - Remove zero padding limbs from the primes and the modulus in `RsaPrivateKey::from_components()`. - Add a check to `rsa_decrypt()` to ensure the bit precision of the ciphertext is the same as that of the modulus. Notes: - `bench_rsa_2048_pkcsv1_sign_blinded` can be restored to the original performance by using variable-time inversion in `algorithms::rsa::blind()` (as it was during `num-bigint` times), but it seems to me that the blinding factor must be kept secret, so we have to use the constant-time inversion. This leads to about 5x slowdown compared to pre-`crypto-bigint` performance. - The changes in test vectors are due to RustCrypto/crypto-bigint#781 ### Possible further improvements - Keep precomputed values as `Odd`/`NonZero` as appropriate. - If RustCrypto/crypto-bigint#811 is fixed, resizing integers for the purposes of division can be avoided.
Uh oh!
There was an error while loading. Please reload this page.
Benchmarks slowed down several times after #394. What could be the reason?
Performance improvements for boxed uints (RustCrypto/crypto-bigint#777) and the corresponding changes in
crypto-primes(entropyxyz/crypto-primes#78) don't really change the results much according to my tests.signtest time is split ~50/50 between Montgomery exponentiation (with all the time spent inalmost_montgomery_mul(), the lowest level function) andBoxedUint::inv_mod();decryptis almost exclusively exponentiation. Both of these are the calls inRSAitself;crypto-primescalls take negligible time.So it seems that either these two functions are somehow much slower than
num-bigint(possible, yet unlikely, and straightforward to test), or somehow #394 changed the algorithm to apply them more times than necessary.The text was updated successfully, but these errors were encountered: