Some quick notes on RSA1024 signing performance

Jul 27, 2009

Just so this does not get lost – I’ve been doing some RSA1024 signing experiments because of my ‘DNSSEC on PowerDNS’ experiment, and the results were at first confusing.

For starters, friends of mine with Apple OS X reported very low numbers from the version of OpenSSL that ships with OS X (Intel). The command to have OpenSSL perform speed tests is: ‘openssl speed rsa1024’. Numbers were around half those reported on identical machines running a 32-bit Ubuntu.

Much investigation ensued, and the conclusions are:

  • Apple ships a version of OpenSSL that misses certain optimizations. If you need performance for your applications, investigate which OpenSSL library they link against, and possibly investigate how to recompile or relink.
  • Go 64-bit, in a hurry. Twice as many bits appear to deliver over twice as much performance.
  • A modern Core2 based CPU running 64-bit code maxes out at about 1500 RSA1024 signatures/second/core, based on OpenSSL 1.0 beta 3, or Botan linked against GnuMP 4
  • Non-beta OpenSSLs are quite a bit slower, but not dramatically so
  • More naive code, that is not as highly optimized (like the otherwise excellent PolarSSL), will deliver around 1200 RSA1024 signatures/second/core (64 bits)
  • These numbers scale linearly with the number of cores involved – my 600 euro PC delivers 6000 signatures/second (‘0.10 euro/signature/second’).
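A way to reproduce these measurements, as an added example that is not part of the original post: the script pulls the sign/s figure out of `openssl speed rsa1024` output, repeats the run across all cores with `-multi`, and lists the OpenSSL libraries a given binary links against. The function names, the sample table and the `run` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around `openssl speed rsa1024`.

# Constructed sample of the summary table that `openssl speed rsa1024` prints.
SAMPLE='                  sign    verify    sign/s verify/s
rsa 1024 bits 0.000667s 0.000040s   1500.0  25000.0'

# Read `openssl speed` output on stdin and print the RSA1024 sign/s figure.
# The column is found by header name, since some builds print extra columns.
rsa1024_signs_per_sec() {
    awk '
        !col { for (i = 1; i <= NF; i++) if ($i == "sign/s") col = i }
        # Data rows start with the 3 label fields "rsa 1024 bits".
        col && $1 == "rsa" && $2 == "1024" && $3 == "bits" {
            print $(col + 3); found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# Price/performance figure used in the post: euro per (signature/second).
euro_per_sigsec() {   # $1 = hardware price in euro, $2 = signatures/second
    awk -v p="$1" -v s="$2" 'BEGIN { if (s <= 0) exit 1; printf "%.2f\n", p / s }'
}

# Show which OpenSSL libraries a binary is dynamically linked against.
linked_crypto() {
    if command -v otool >/dev/null 2>&1; then otool -L "$1"; else ldd "$1"; fi |
        grep -E 'libcrypto|libssl'
}

# Live measurement only when called as: sh rsa1024.sh run [binary]
if [ "${1:-}" = "run" ]; then
    openssl version
    cores=$(getconf _NPROCESSORS_ONLN)
    one=$(openssl speed rsa1024 2>/dev/null | rsa1024_signs_per_sec)
    all=$(openssl speed -multi "$cores" rsa1024 2>/dev/null | rsa1024_signs_per_sec)
    echo "1 core: $one sign/s; $cores cores: $all sign/s"
    if [ -n "${2:-}" ]; then linked_crypto "$2"; fi
else
    printf '%s\n' "$SAMPLE" | rsa1024_signs_per_sec   # offline demo on the sample
fi
```

Comparing the single-core and `-multi` figures shows whether signing scales with core count on a given machine, and `linked_crypto` tells you whether an application is actually using the library you benchmarked.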

It also looks like no worthwhile general purpose RSA hardware accelerators are available for use from Linux – Sun ships one, but its performance is not stellar (a lot more than 0.10 euro/signature/second), it is not cheap, and it is only officially supported on Sun hardware. If anyone has better ideas, please let me know!

PS: Why RSA1024? Because this is what DNSSEC is about for the foreseeable future.

About the author

Bert Hubert

Principal, PowerDNS
