AES performance when using FIPS 2.0 Object Module

John Foley | 11 May 2012 14:23
AES performance when using FIPS 2.0 Object Module

Is AES performance expected to be much lower when using the FIPS 2.0
Object Module?  Below are the speed results when using AES-128-CBC with
and w/o the FIPS module.  The host system is 32-bit Linux using gcc
4.4.3.  The host system does not have AES-NI support.  No additional
config arguments were used other than 'fipscanisteronly' for building
the FIPS module and 'fips' for building 1.0.1b. 

$ ./openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 13734067 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 64 size blocks: 4149906 aes-128-cbc's in 2.95s
Doing aes-128-cbc for 3s on 256 size blocks: 1084643 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 1024 size blocks: 278767 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 8192 size blocks: 34952 aes-128-cbc's in 2.99s
OpenSSL 1.0.1b-fips 26 Apr 2012
built on: Fri May 11 08:04:08 EDT 2012
options:bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial)
idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM
-DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128-cbc      73739.96k    90031.86k    92865.76k    95791.08k   
95761.47k

$ ./openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 36109363 aes-128-cbc's in 2.96s
Doing aes-128-cbc for 3s on 64 size blocks: 11241446 aes-128-cbc's in 2.97s
Doing aes-128-cbc for 3s on 256 size blocks: 2840087 aes-128-cbc's in 2.96s
Doing aes-128-cbc for 3s on 1024 size blocks: 706161 aes-128-cbc's in 2.97s
Doing aes-128-cbc for 3s on 8192 size blocks: 90698 aes-128-cbc's in 2.97s
OpenSSL 1.0.1b 26 Apr 2012
built on: Fri May 11 08:14:14 EDT 2012
options:bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial)
idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192
bytes
aes-128-cbc     195185.75k   242239.91k   245629.15k   243471.00k  
250167.68k
Attachment (foleyj.vcf): text/x-vcard, 136 bytes