Bash script to plot openssl speed results.
openssl speed
results (easily)On Debian/Ubuntu:
sudo apt install gnuplot git openssl make gcc gcc-mingw-w64-x86-64
openssl
is needed if you use the openssl command in the PATH.make gcc
are needed if youmake
openssl commands from the source code.gcc-mingw-w64-x86-64
is needed if you make openssl.exe with MinGW.
On macOS
Command Line Tools by entering on a terminal a command it provides, such as
gcc
Homebrew, then
brew install gnuplot coreutils
coreutils
is needed to userealpath
command.
Chang the shell to Bash
chsh -s /bin/bash
Download scripts:
git clone https://github.com/KazKobara/plot_openssl_speed.git
cd plot_openssl_speed
Help and usage:
./plot_openssl_speed_all.sh -h
openssl speed
with openssl command in PATH./plot_openssl_speed_all.sh -s 1
- The option ‘
-s 1
’ is to set the measuring time to 1 second to speed up and grab the rough trend. Remove it for accurate measurements.- The following graphs are obtained without ‘
-s 1
’.- The script ignores ‘
-s 1
’ against LibreSSL since itsopenssl speed
does not support-seconds
option and causes an error at least at 2.8.3.
The measurement results (graph files *.png
and their data files *.dat
) are stored in the directories displayed at the end of the output message as follows:
Results are in:
./tmp/default_openssl_1.1.1f/graphs/
For WSL (Windows Subsystem for Linux),
/home/
directory ofUbuntu-20.04
is accessible using File Explore on Windows OS with the following address:
\\wsl$\Ubuntu-20.04\home\
Example of graph list (openssl 1.1.1f in PATH):
Example of graph list (LibreSSL 2.8.3 in PATH):
The following command graphs the speed of openssl command compiled from the source code taged as openssl-3.0.7
, and openssl.exe command cross-compiled by MinGW (x86_64-w64-mingw32-gcc):
./plot_openssl_speed_all.sh -s 1 openssl-3.0.7 openssl-3.0.7-mingw
- By adding
-mingw
after the tag-name, openssl.exe is cross-compiled by Mingw-w64, and then the results are added on WSL. The other computational environment requires Windows binary executable environment.- openssl-3.0.5, shown as an example below, includes vulnerabilities. So use a fixed or latest OpenSSL (or its alternative).
Example of graph list (openssl-3.0.5 from source):
The processing speed may vary depending on the environment. The above and the following graphs show the results in the following computational environment.
Be careful not to use broken or insufficient-security-level algorithms even if they are faster than the other.
Theoretically, the larger the size, the slower the processing speed, but in practice, some counterexamples exist.
The first examples show the former cases.
The parameter a
in the line graphs denotes the reduction rate of the processing speed when the size becomes twice where the size is the bit length of the underlying finite field or ring.
RSA:
ECDH (NIST curve over an extension field of Z2):
ECDH (Brainpool r1 over a prime field):
The next figures show the counter examples.
ECDSA/ECDH (NIST curve over a prime field, OpenSSL 3.0.5):
ECDSA (NIST curve over a prime field, LibreSSL 2.8.3):
256-bit is by far faster than the smaller sizes 192-bit and 224-bit, especially for OpenSSL.
It does not mean that 256-bit is exceptional in theory,
but the assembly implementation has tuned it up, since adding ./config
to -UECP_NISTZ256_ASM
will remove this advantage.
(The processing speed of 384-bit and 521-bit may also be improved in the future depending on the necessity, I think.)
API difference:
When the script invokes the crypt-algorithm with a low-level API, it appends -no-evp
to the crypt-algorithm name. No difference between APIs.
Low-level APIs are deprecated at OpenSSL 3.
Comparison among truncated versions:
sha512-224
, sha512-256
, and sha384
are truncated versions of sha512
, so they show almost the same performance.sha224
is a truncated version of sha256
, so they show almost the same performance, too.Comparison between sha256
and sha512
:
sha256
and sha512
. Hence, the figure indicates that one sha256
compression function is faster than that of sha512
.sha512
is faster than sha256
since the number of sha512
compression-function executions is around half of sha256
where the input bit length of sha256
and sha512
compression functions are 512-bits and 1024-bits, respectively.SHA-3:
sha3-*
.SHA-2
, SHA-3
(sha3-*
) are slower due to the larger security margin [[kec17]].In theory:
AES-*-GCM
and AES-*-CCM
must be slower than the same key-length AES-*-CTR
since they are AES-*-CTR
with their integrity check.AES-*-CCM
must also be slower than AES-*-CBC
, which is shown in the upper left corner in the above graph list, since the integrity check of AES-*-CCM
uses the similar algorithm to AES-*-CBC
.AES-128-*
must be around 1.4 times faster than AES-256-*
since the number of their rounds are 10 and 14, respectively.Counter example:
aes-128-gcm
of LibreSSL (at least 2.8.3) is by far faster than the others.As shown on the right side of aes128-cbc.png
, aes-128-cbc-no-evp
(128-bit key AES with the legacy mode of operation, CBC) called by way of the low-level API is slower in OpenSSL 1.1.1 than the high-level API and OpenSSL 3.0.5.
Low-level APIs are deprecated at OpenSSL 3.
Ubuntu 20.04 seems to have tuned the NISTP224 curve up a little (other than the NISTP256 curve) in their default OpenSSL 1.1.1f.
Edit the crypt-algorithm names and the PNG file names in the following area of ‘## Edit crypt-algorithms below ##
’ in ./plot_openssl_speed_all.sh
:
####################################################################
##### Edit crypt-algorithms (and output graph file name) below #####
### Asymmetric-key algorithms:
### - All the supported algorithms:
${PLOT_SCRIPT} -o "./${GRA_DIR}/rsa.png" rsa
${PLOT_SCRIPT} -o "./${GRA_DIR}/dsa.png" eddsa ecdsa dsa
For example, changing it as follows saves a graph of measurement results of all the supported eddsa
and ecdsa
digital signatures in ed_ecdsa.png
and its data file in ed_ecdsa.dat
:
${PLOT_SCRIPT} -o "./${GRA_DIR}/ed_ecdsa.png" eddsa ecdsa
As you can see from the above, plot_openssl_speed_all.sh
is a wrapper of ${PLOT_SCRIPT}
(plot_openssl_speed.sh
), and you can directly run it as follows:
./plot_openssl_speed.sh -o "./tmp/default_openssl_1.1.1f/graphs/ed_ecdsa.png" eddsa ecdsa
where:
- ‘_1.1.1f’ to be changed to the version of the openssl command in PATH.
- cf.
./plot_openssl_speed.sh -h
for the usage.
One can specify the path to the openssl command with -p
option as follows:
./plot_openssl_speed.sh -p "./tmp/openssl-3.0.7/apps/openssl" -o "./tmp/openssl-3.0.7/graphs/ed_ecdsa.png" eddsa ecdsa
If it encounters the following errors:
error while loading shared libraries:
symbol lookup error:
add the path to the shared library to LD_LIBRARY_PATH
(DYLD_LIBRARY_PATH
for macOS) as follows:
(export LD_LIBRARY_PATH=./tmp/openssl-3.0.7${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}; ./plot_openssl_speed.sh -p "./tmp/openssl-3.0.7/apps/openssl" -o "./tmp/openssl-3.0.7/graphs/ed_ecdsa.png" eddsa ecdsa)
The command ldd
(or otool -L
on macOS) shows a list of used shared libraries.
$ ldd ./tmp/openssl-3.0.7/apps/openssl
libssl.so.3 => not found
libcrypto.so.3 => not found
The above scripts also save data, corresponding to the graphs, in files that replaced .png with .dat in the PNG file names. You can create a new data file by combining the contents of them or by editing them.
You can plot the graph of the edited data file by specifying no crypt-algorithms to the argument (without running openssl speed
):
./plot_openssl_speed.sh -d "data_file_to_graph" -o "output_graph_file.png"
The data file name is given by any of the following ways:
-d
option-d
option:
-o "output_graph_file.png"
is given, output_graph_file.dat
is used as the data file.graph.dat
is used as the data file regarding that the default file graph.png
is given to -o
.You can find the default file names in the ‘Usage’ shown by:
plot_openssl_speed.sh -h
If
data_file_to_graph
is different fromoutput_graph_file.dat
, which is the file name replaced.png
with.dat
inoutput_graph_file.png
, thedata_file_to_graph
is copied to theoutput_graph_file.dat
so that anyone can know thatoutput_graph_file.dat
is the data file ofoutput_graph_file.png
.
openssl speed
outputs some of the crypt-algorithm names in multiple columns, the data file generated by plot_openssl_speed.sh
automatically aligns them only in the first column.TABLE_TYPE
’s.Crypt-algorithms given to the arguments of
plot_openssl_speed.sh
shall be chosen from the sameTABLE_TYPE
’s. Otherwise, it ignores consecutive algorithms with differentTABLE_TYPE
’s.
For symmetric-key cryptographies, hash functions, HMACs.
Example:
# type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-ccm 202973.97k 588256.58k 1065011.71k 1314283.52k 1346633.73k 1381728.26k
hmac(sha512) 23408.12k 90165.99k 249721.98k 538953.37k 756375.73k 782985.02k
sha256 30840.78k 88357.72k 199311.27k 292801.60k 334301.56k 319321.27k
For digital signatures. It graphs the values in the fourth and fifth columns.
Example:
# sign verify sign/s verify/s
rsa4096 0.003922s 0.000061s 255.0 16471.0
dsa2048 0.000296s 0.000219s 3383.0 4557.0
ecdsa(nistp256) 0.0000s 0.0001s 43201.0 15221.0
EdDSA(Ed25519) 0.0000s 0.0001s 24010.0 8805.0
For Diffie-Hellman key exchange. It graphs the values in the third column.
Example:
# op op/s
ffdh4096 0.0129s 77.8
ecdh(nistp256) 0.0000s 20643.0
$ cat /etc/os-release | awk '/^PRETTY/ {print substr($0,13)}'
"Ubuntu 20.04.4 LTS"
$ uname -srm
Linux 5.10.102.1-microsoft-standard-WSL2 x86_64
$ cat /proc/cpuinfo | grep -m 1 "model name" | awk '$1="";$2="";$3=""; {print substr($0,4)}'
Intel(R) Core(TM) i7-10810U CPU @ 1.10GHz
Version and configurations of the openssl command in the PATH:
$ openssl version -a
OpenSSL 1.1.1f 31 Mar 2020
built on: Mon Jul 4 11:24:28 2022 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-51ig8V/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
Version and configurations of openssl-3.0.5:
$ (export LD_LIBRARY_PATH=./tmp/openssl-3.0.5${LD_LIBRARY_PATH:+:$LD_LIBRARY
_PATH}; ./tmp/openssl-3.0.5/apps/openssl version -a )
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
built on: Wed Jul 13 10:43:30 2022 UTC
platform: linux-x86_64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -fstack-protector-strong -fstack-clash-protection -fcf-protection -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
$ gnuplot -V
gnuplot 5.2 patchlevel 8
$ uname -srm
Darwin 21.5.0 x86_64
$ sysctl machdep.cpu.brand_string
machdep.cpu.brand_string: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
$ openssl version -a
LibreSSL 2.8.3
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
$ gnuplot -V
gnuplot 5.4 patchlevel 3
Either add the folder of libssp-0.dll
to the Windows environment PATH, or run the following commands on a WSL Debian/Ubuntu terminal:
sudo apt install gcc-mingw-w64-x86-64
bash
export MINGW_GCC_VER=$(/usr/bin/x86_64-w64-mingw32-gcc-posix --version | awk '/x86_64-w64-mingw32-gcc-posix/ {print substr($3,1,index($3,"-")-1)}')
cp -p "/usr/lib/gcc/x86_64-w64-mingw32/${MINGW_GCC_VER}-posix/libssp-0.dll" .
exit
Change the options and/or crypt-algorithms given to openssl speed
.
Some versions of openssl commands do not support them.
[kec17]: https://keccak.team/2017/is_sha3_slow.html (TeamKeccak “Is SHA-3 slow?”)