Effect of EC_GROUP_precompute_mult when doing signature verification (ECDSA_verify)

2012-10-09 Thread Rune K. Svendsen

Hello list

I became aware of EC_GROUP_precompute_mult when I had to generate a lot 
of public keys fast. It speeds up this process by about a factor of 5. 
So it's been very useful for me.


I've been researching if EC_GROUP_precompute_mult has any effect when 
verifying ECDSA signatures using ECDSA_verify, and my results are 
somewhat inconclusive. I see a small speedup, around 2-5%, but I'm not 
sure what the reason is for this.


I can see the code that verifies signatures uses EC_POINT_mul, but I 
don't see a significant speedup as I did when using it to just generate 
public keys (q and m set to NULL in EC_POINT_mul). I can see that in the 
OpenSSL signature verification code q and m are not NULL in 
EC_POINT_mul, so it makes sense why the speedup wouldn't be as great as 
when they are NULL (since precomputations are only made for the 
generator point of the curve). But I don't understand why the speedup 
becomes so small when q and m are set, as I still did see a 5x speedup 
(from roughly 1000 us per execution of EC_POINT_mul to roughly 200 us) 
when q and m are NULL.


Should there, in theory, be any reason for EC_GROUP_precompute_mult to 
speed up signature verification?


Thanks!

/Rune


Re: Effect of EC_GROUP_precompute_mult when doing signature verification (ECDSA_verify)

2012-10-09 Thread Bodo Moeller
On Tue, Oct 9, 2012 at 12:29 PM, Rune K. Svendsen runesv...@gmail.com wrote:


> I've been researching if EC_GROUP_precompute_mult has any effect when
> verifying ECDSA signatures using ECDSA_verify, and my results are somewhat
> inconclusive. I see a small speedup, around 2-5%, but I'm not sure what the
> reason is for this.
>
> I can see the code that verifies signatures uses EC_POINT_mul, but I don't
> see a significant speedup as I did when using it to just generate public
> keys (q and m set to NULL in EC_POINT_mul). I can see that in the OpenSSL
> signature verification code q and m are not NULL in EC_POINT_mul, so it
> makes sense why the speedup wouldn't be as great as when they are NULL
> (since precomputations are only made for the generator point of the curve).
> But I don't understand why the speedup becomes so small when q and m are
> set, as I still did see a 5x speedup (from roughly 1000 us per execution of
> EC_POINT_mul to roughly 200 us) when q and m are NULL.


EC_GROUP_precompute_mult precomputation is based only on common group
parameters, not on the specific key. It would be possible to speed up ECDSA
verification similarly by doing something like that on a per-key level, but
it would only help if you verify multiple signatures signed by the same
key. That's why it is currently not supported by the OpenSSL API -- it
would be a bit cumbersome to use properly.

Bodo
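
The effect discussed in this thread, as an added example that is not from either poster and is not OpenSSL's code: a plain double-and-add cost model (OpenSSL itself uses windowed NAF, so its real ratios differ) that counts point operations for k*G and for u1*G + u2*Q with and without a precomputed table per base. The curve (secp256k1), the scalars, the key and the names `multi_mul`, `build_table` and `CASES` are all assumptions made for the illustration.

```python
P = 2**256 - 2**32 - 977   # secp256k1 field prime (the curve is an assumption)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ops = {"dbl": 0, "add": 0}   # point operations counted per multi_mul call

def add(A, B):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        kind, lam = "dbl", 3 * x1 * x1 * pow(2 * y1, -1, P)
    else:
        kind, lam = "add", (y2 - y1) * pow((x2 - x1) % P, -1, P)
    ops[kind] += 1
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def build_table(B):
    """Precompute [B, 2B, 4B, ...]: the per-base work done once up front."""
    table = [B]
    for _ in range(255):
        table.append(add(table[-1], table[-1]))
    return table

def multi_mul(terms):
    """Sum k*B over (k, B, table_or_None) terms; returns (point, op count)."""
    ops.update(dbl=0, add=0)
    acc, live = None, [(k, B) for k, B, t in terms if t is None]
    for i in reversed(range(256 if live else 0)):
        acc = add(acc, acc)               # one doubling shared by all table-less bases
        for k, B in live:
            if (k >> i) & 1:
                acc = add(acc, B)
    for k, _, table in terms:
        for i in range(256 if table else 0):
            if (k >> i) & 1:
                acc = add(acc, table[i])  # precomputed 2^i * B: no doubling needed
    return acc, ops["dbl"] + ops["add"]

U1, U2 = int("aa" * 32, 16), int("55" * 32, 16)   # constructed scalars, 128 one-bits each
Q = multi_mul([(int("1f2e3d4c" * 8, 16), G, None)])[0]   # constructed public key
TG, TQ = build_table(G), build_table(Q)
CASES = {"keygen": [(U1, G, None)], "keygen+TG": [(U1, G, TG)],
         "verify": [(U1, G, None), (U2, Q, None)], "verify+TG": [(U1, G, TG), (U2, Q, None)],
         "verify+TG+TQ": [(U1, G, TG), (U2, Q, TQ)]}
if __name__ == "__main__":
    print({name: multi_mul(terms)[1] for name, terms in CASES.items()})
```

In this model a table for G removes every doubling from key generation, but in verification the doublings are still needed for Q, so the total barely moves. A table for Q halves the verification cost, yet building it takes 255 doublings, which only pays off when several signatures from the same key are verified.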