dkimpy

Better signing performance

Bug #901591 reported by Petri Lehtinen
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
dkimpy
Fix Released
Medium
Stuart Gathman

Bug Description

Attaching a patch that uses the Chinese remainder algorithm for computing RSA signatures. See http://en.wikipedia.org/wiki/RSA_(algorithm)#Using_the_Chinese_remainder_algorithm

The crypto module had to be refactored a bit. The algorithm uses all private key components, so the full key is passed, not just the exponent and the modulus. There are now separate functions for signing (decrypting) and verifying (encrypting), instead of the single perform_rsa(), because verifying cannot be made faster this way.

The patch also updates tests. I removed the perform_rsa() test because I think it's obsolete now. The many signing and verifying test cases cover the low-level RSA functionality anyway.

I did a simple benchmark, where a message is signed 100 times:

Without the patch:

$ time python dkim_performance.py
real 0m3.815s
user 0m3.784s
sys 0m0.024s

With the patch applied:

$ time python dkim_performance.py
real 0m1.339s
user 0m1.308s
sys 0m0.028s

That is, on my machine it's now about 2.8x faster.

Tags: patch
Revision history for this message
Petri Lehtinen (petri) wrote :
Revision history for this message
Martin Pool (mbp) wrote : Re: [Bug 901591] Re: Better signing performance

Thanks. That looks reasonable to me on a brief read through. I agree
that the other tests should give some assurance that the results are
the same.

Revision history for this message
Petri Lehtinen (petri) wrote :

Some background: I'm signing hundreds of thousands of emails a week, and this makes it much faster. I've used the patch in production for a week now and I'm very happy with the speed improvement it gives.

Revision history for this message
Scott Kitterman (kitterman) wrote :

What have you done to verify it still produces correct results as well?

Revision history for this message
Petri Lehtinen (petri) wrote :

First of all, pydkim's unit tests pass. The patch only touches the signature algorithm, so the verifying is done with the original RSA implementation.

I've also tested that signatures produced by pydkim still verify with pydkim by generating signatures for random data and verifying them, i.e. round-tripping works correctly.

And all test mails I send to GMail seem to verify correctly, according to GMail's Authentication-Results header that shows whether the DKIM verification passes or not.

Stuart Gathman (stuart-gathman)
Changed in dkimpy:
assignee: nobody → Stuart Gathman (stuart-gathman)
milestone: none → 0.5.1
importance: Undecided → Medium
Stuart Gathman (stuart-gathman)
Changed in dkimpy:
status: New → Fix Committed
Revision history for this message
Scott Kitterman (kitterman) wrote :

2012-02-03 Version 0.5.1
    - Rename tarball to dkimpy to avoid confusion with original project
    - Apply performance patch from <https://launchpad.net/bugs/901591>
    - save parsed signatures in DKIM object
    - do not require DNS/dnspython for signing

Changed in dkimpy:
milestone: 0.5.1 → none
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.