Enable optimized 64bit elliptic curve code contributed by Google

Bug #1018522 reported by cc
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)
Fix Released
High
Dimitri John Ledkov
Precise
Fix Released
Low
Unassigned
Quantal
Fix Released
Low
Unassigned

Bug Description

[Impact]

 * Optional optimisations that are available, were not enabled at build time, thus reducing openssl performance of ecdsa for 224, 256, 521 bit.

 * This is an SRU as part of Hardware Enablement.

[Test Case]

* Compare `openssl speed` for ecdsa on amd64 platform. There should be noticeable improvement.
(Here is a sample from my machine, note that the below benchmarks were whilst the machine was under variable load)
Before:
Doing 224 bit sign ecdsa's for 10s: 24059 224 bit ECDSA signs in 9.95s
Doing 224 bit verify ecdsa's for 10s: 6197 224 bit ECDSA verify in 9.97s
Doing 256 bit sign ecdsa's for 10s: 20640 256 bit ECDSA signs in 9.94s
Doing 256 bit verify ecdsa's for 10s: 5222 256 bit ECDSA verify in 9.95s
Doing 521 bit sign ecdsa's for 10s: 5683 521 bit ECDSA signs in 9.97s
Doing 521 bit verify ecdsa's for 10s: 1137 521 bit ECDSA verify in 9.94s

After:
Doing 224 bit sign ecdsa's for 10s: 32087 224 bit ECDSA signs in 9.92s
Doing 224 bit verify ecdsa's for 10s: 15929 224 bit ECDSA verify in 9.94s
Doing 256 bit sign ecdsa's for 10s: 18875 256 bit ECDSA signs in 9.91s
Doing 256 bit verify ecdsa's for 10s: 7744 256 bit ECDSA verify in 9.94s
Doing 521 bit sign ecdsa's for 10s: 6587 521 bit ECDSA signs in 9.90s
Doing 521 bit verify ecdsa's for 10s: 3028 521 bit ECDSA verify in 9.85s

The almost threefold improvement in 224 & 521 verify is clearly visible.

[Regression Potential]

* This change affects only amd64 and only ecdsa.
* The test-suite passes correctly.

[Other Info]

This is to turn on the code contributed by Google for optimized 64bit implementations of elliptic curves.

From the OpenSSL changelog, http://www.openssl.org/news/changelog.html

Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
     line to include this in your build of OpenSSL, and run "make depend" (or
     "make update"). This enables the following EC_METHODs:

So it really is as simple as enabling an additional compile flag.

Related branches

Revision history for this message
cc (codecrumb) wrote :

This should be enabled in Precise and newer...

description: updated
Revision history for this message
cc (codecrumb) wrote :

Just checking in 3 months later. Any chance on getting some movement on this for the next Precise update?

It is a relatively quick change and will actually utilize the changes contributed by Google.

Revision history for this message
cc (codecrumb) wrote :

So I decided to measure the relative performance of enabling this and for various sizes, there is a marked improvement.

No enable-ec_nistp_64_gcc_128
                              sign verify sign/s verify/s
 160 bit ecdsa (secp160r1) 0.0001s 0.0005s 7889.4 2003.0
 192 bit ecdsa (nistp192) 0.0002s 0.0006s 6329.4 1666.1
 224 bit ecdsa (nistp224) 0.0002s 0.0008s 4867.4 1190.7
 256 bit ecdsa (nistp256) 0.0002s 0.0010s 4194.6 1015.7
 384 bit ecdsa (nistp384) 0.0005s 0.0022s 2134.0 456.3
 521 bit ecdsa (nistp521) 0.0009s 0.0049s 1096.0 205.3
 163 bit ecdsa (nistk163) 0.0004s 0.0017s 2660.8 583.8
 233 bit ecdsa (nistk233) 0.0007s 0.0023s 1437.2 444.0
 283 bit ecdsa (nistk283) 0.0011s 0.0048s 898.1 208.3
 409 bit ecdsa (nistk409) 0.0027s 0.0104s 376.0 95.7
 571 bit ecdsa (nistk571) 0.0059s 0.0232s 170.0 43.0
 163 bit ecdsa (nistb163) 0.0004s 0.0017s 2760.7 572.5
 233 bit ecdsa (nistb233) 0.0007s 0.0023s 1443.8 429.2
 283 bit ecdsa (nistb283) 0.0011s 0.0053s 898.5 187.8
 409 bit ecdsa (nistb409) 0.0027s 0.0116s 374.5 86.0
 571 bit ecdsa (nistb571) 0.0059s 0.0255s 169.5 39.2

With enable-ec_nistp_64_gcc_128
                              sign verify sign/s verify/s
 160 bit ecdsa (secp160r1) 0.0001s 0.0006s 7893.1 1791.3
 192 bit ecdsa (nistp192) 0.0002s 0.0006s 6287.6 1672.9
 224 bit ecdsa (nistp224) 0.0001s 0.0003s 7372.8 3263.7
 256 bit ecdsa (nistp256) 0.0002s 0.0006s 4320.8 1675.4
 384 bit ecdsa (nistp384) 0.0005s 0.0023s 2130.6 443.6
 521 bit ecdsa (nistp521) 0.0008s 0.0018s 1320.9 571.2
 163 bit ecdsa (nistk163) 0.0004s 0.0017s 2717.4 586.9
 233 bit ecdsa (nistk233) 0.0007s 0.0022s 1444.7 451.7
 283 bit ecdsa (nistk283) 0.0011s 0.0048s 898.3 206.3
 409 bit ecdsa (nistk409) 0.0027s 0.0104s 377.3 96.5
 571 bit ecdsa (nistk571) 0.0059s 0.0230s 168.3 43.5
 163 bit ecdsa (nistb163) 0.0004s 0.0017s 2759.1 574.6
 233 bit ecdsa (nistb233) 0.0007s 0.0023s 1459.6 435.0
 283 bit ecdsa (nistb283) 0.0011s 0.0053s 887.6 189.0
 409 bit ecdsa (nistb409) 0.0026s 0.0117s 379.3 85.7
 571 bit ecdsa (nistb571) 0.0059s 0.0259s 169.8 38.7

After conversing with Adam Langley, it seems does make sense to enable this. Attached is a patch to build/makefile.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "openssl patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
Revision history for this message
Adam Langley (agl-chromium) wrote :

Bodo Moeller (from the OpenSSL core team, bodo AT openssl DOT org) had this to say when I asked him about this:

"The main (or maybe only) reason this is not enabled automatically is that the OpenSSL configure script is not clever enough to detect whether the compiler supports __uint128_t. If you can use this code, it is superior to the default in multiple regards (speed, and also security as the new implementations are secure against timing attacks)."

Changed in openssl (Ubuntu):
assignee: nobody → Dmitrijs Ledkovs (xnox)
Changed in openssl (Ubuntu Precise):
status: New → Confirmed
Changed in openssl (Ubuntu Quantal):
status: New → Confirmed
Changed in openssl (Ubuntu):
importance: Undecided → High
Changed in openssl (Ubuntu Precise):
importance: Undecided → Low
assignee: nobody → Dmitrijs Ledkovs (xnox)
Changed in openssl (Ubuntu Quantal):
importance: Undecided → Low
assignee: nobody → Dmitrijs Ledkovs (xnox)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1c-4ubuntu7

---------------
openssl (1.0.1c-4ubuntu7) raring; urgency=low

  * Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)
 -- Dmitrijs Ledkovs <email address hidden> Thu, 07 Mar 2013 15:36:16 +0000

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Uploaded into quantal-proposed, unapproved queue. Pending members of SRU team to review, accept and publish it in the -proposed pocket.

Changed in openssl (Ubuntu Quantal):
assignee: Dmitrijs Ledkovs (xnox) → nobody
status: Confirmed → In Progress
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Uploaded into precise-proposed and quantal-proposed, unapproved queues. Pending members of SRU team to review, accept and publish it in the -proposed pocket.

Changed in openssl (Ubuntu Precise):
status: Confirmed → In Progress
assignee: Dmitrijs Ledkovs (xnox) → nobody
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello cc, or anyone else affected,

Accepted openssl into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openssl (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello cc, or anyone else affected,

Accepted openssl into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openssl (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Felix Geyer (debfx) wrote :

I can confirm that it significantly speeds up 224 and 521 bit ecdsa verify on precise/amd64.

tags: added: verification-done-precise
tags: added: verification-done-quantal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1-4ubuntu5.9

---------------
openssl (1.0.1-4ubuntu5.9) precise; urgency=low

  [ Dmitrijs Ledkovs ]
  * Enable arm assembly code. (LP: #1083498) (Closes: #676533)
  * Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)

  [ Marc Deslauriers ]
  * debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock
    when decoding public keys. (LP: #1066032)
 -- Dmitrijs Ledkovs <email address hidden> Mon, 15 Apr 2013 13:44:50 +0100

Changed in openssl (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1c-3ubuntu2.4

---------------
openssl (1.0.1c-3ubuntu2.4) quantal; urgency=low

  [ Dmitrijs Ledkovs ]
  * Enable arm assembly code. (LP: #1083498) (Closes: #676533)
  * Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)

  [ Marc Deslauriers ]
  * debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock
    when decoding public keys. (LP: #1066032)
 -- Dmitrijs Ledkovs <email address hidden> Thu, 04 Apr 2013 12:15:11 +0100

Changed in openssl (Ubuntu Quantal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.