When the HSM2 got announced, there was the following statement made (source; emphasis mine):
In my experience performance for RSA-4096 has never been an issue. Initial key generation takes longer but daily signing and decryption takes about one second. A smaller model will come but no release date yet. Support for Curve 25519 will come in the next few years too (As of now, it’s supported by Nitrokey Start already).
That’s not the experience we’ve had with the HSM2.
Our setup is on Debian (bookworm) with OpenSC (0.23.0-0.3). Our application is to use
osslsigncode to code-sign some software. Anything below 250 ms would be great and anything “about a second” per signature would still be acceptable.
I am using
env PKCS11SPY=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so and passing
-pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/pkcs11-spy.so to it.
A test of twenty runs (plus initial warmups) with
hyperfine gives me a minimum of 6.5 s per signature and the size of the file to be signed doesn’t really affect the measured times much (not a surprise, because it’s only signing the – off-card generated – “PE hash”).
But the claim is that one signature should take 4100 ms (source).
Performance (without hashing): RSA-1024: 90 ms, RSA-1536: 150 ms, RSA-2048: 250 ms, RSA-3074: 1900 ms, RSA-4096: 4100 ms, ECDSA-256: 80 ms, ECDH-256: 90ms, ECDSA-512: 190 ms, ECDH-512: 290 ms
And the claim from the announcement even says “about one second”.
So I tried it out and indeed the
C_Initialize step alone takes roughly 3 s (just going by the timestamps
pkcs11-spy.so outputs). The actual signing then still takes up the remainder of the measured time, pretty much all of the other steps are not measurable in milliseconds, going by the results of
Is there anything one could do to cut down on this? Perhaps sidestep OpenSC altogether with an alternative PKCS#11 module?