News, tips, partners, and perspectives for the Oracle Solaris operating system

SPARC T4 Digest and Crypto Optimizations in Solaris 11.1

SPARC T4 microprocessor

In a previous article I mentioned SPARC T4 processor optimizations added to OpenSSL. The SPARC T4 processor supports new instructions to assist AES, RSA, SHA, and other crypto and hash algorithms. These optimizations were added in Oracle Solaris 11 using a new OpenSSL "t4 engine". The OpenSSL t4 engine would automatically detect if it's running on a SPARC T4 platform and engage it's optimized crypto algorithms without manual intervention (either from the CLI or API). Optimizations supported were several AES modes, including AES-CBC, AES-CBC, and AES-ECB, and AES-CFB128.

Oracle Solaris 11.1 adds T4 optimization for SHA-2, SHA-1, and MD5 digest algorithms.
Although use of SHA-1 and MD5 is no longer recommended, its use is still required by standard protocols such as HTTPS/SSL.
Solaris 11.1 also adds T4 optimization for RSA, DSA, and DES-3 crypto algorithms.

Digest Algorithms

SHA-256 Performance on T4
This graph shows the dramatic performance improvement in SHA-256 using T4 hardware crypto (4x for 1K data, 8x for 8K data) over the previous C implementation. SHA-256 is performed by a single, new instruction "sha256". The context and data are loaded in SPARC %f floating point registers and the results are placed in the same fp registers.

All measurements here were taken on Oracle Solaris 11.1 running on a SPARC T4-1 with 2.8GHz CPUs. The commands used to measure were:

openssl speed -evp {sha1,sha256,sha512}

Note that no special flag is required to use the optimized OpenSSL t4 engine. T4 hardware is automatically detected and used.
Not shown are results for MD5, SHA-224, and SHA-384, which give results similar to SHA-1, SHA-256, and SHA-512.

SHA-512 Performance on T4
It's counter-intuitive, but you can get better performance by using SHA-512 instead of SHA-256? Why? Because SHA-512 can exploit 64-bit arithmetic and use only 62.5% of the rounds required by SHA-256. Furthermore, SHA-512 provides more security with it's longer digest value.

If you require SHA-256-length results consider using the new SHA512/256 truncated digest algorithm, where the SHA-512 digest result is truncated to a 256-bit digest (for details see FIPS PUB 180-4 (March 2012)). Truncated SHA-512 hash operations are available in Solaris 11.1

SHA-1 Performance on T4
SHA-1 is the classical SHA digest algorithm, although it's no longer recommended for use. Both SHA-1 and MD5 are optimized in SPARC T4 for legacy applications that still use these digest algorithms.
The performance gain shown here is over the previous SPARC assembly implementation.

Crypto Algorithms

RSA Performance on T4
The chart here shows RSA-1024 signing improves by 5.8x and RSA verification impoves by 2.8x.
This was measured with openssl speed rsa

DSA Performance on T4
The less-popular DSA signing algorithm improves by about 5x for signing and verification.
This was measured with openssl speed dsa

DES3-CBC performance
Finally, for those still using Triple DES, DES-3 CBC mode improves by an incredible 10x when using T4 hardware crypto.
This was measured with
openssl speed -evp des3


The optimized SHA-1 and SHA-2 hash algorithms are available in OpenSSL on SPARC T4 running Oracle Solaris, the Solaris libmd(3LIB) library, and industry-standard libpkcs11(3LIB) library.
The optimized AES, DES3, RSA, and DSA algorithms are available through libpkcs11.
Additionally, these algorithms are all available as Solaris kernel modules for authors of kernel module and device drivers.

The AES optimizations were introduced in Solaris 11 in 2011.
The SHA-1, SHA-256, SHA-384, SHA512, and MD5 optimizations are available in Solaris 11 SRU2 and Solaris 11.1.
The RSA, DSA, and SHA-224 optimizations are available in Solaris 11.1

Source code download
Oracle Solaris Source code for all of this is available for download from

Object code download
Oracle Solaris object code is available for download from


Further information

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.