LibreServer Blog / Cryptography matters

Epicyon now uses the python3-cryptography library for its http and jsonLD signatures. I did a side by side test of httpsig.py using either pycryptodome or python3-cryptography, and the latter turned out to be about 18 times faster. This made the switch-over into an easy decision, and it will help with running the system on low power single board computers, since the signature checks are the most computationally demanding aspect. Every time a post arrives in your inbox its signature gets checked to verify that it was really sent by its claimed author, so if you are following a few people and that's happening regularly then this adds up to a lot of cryptographic operations.

Side note: Cryptographic signature checking ensures that ActivityPub does not suffer from the spoofing problems which bedevilled email and other forms of unverified communications in previous decades.

Why is there such a speed difference? In pycryptodome the RSA algorithm is implemented in Python. in python3-cryptography those operations are really just a wrapper around OpenSSL, which is written in C and assembly. The lower level languages are closer to the metal and tend to be a lot faster because there are fewer layers of abstraction.

There is also an added benefit that this reduces overall complexity and attack surface. Most web servers will already be using OpenSSL anyway, so dropping pycryptodome means one less set of cryptographic code implementation. OpenSSL is also so critical to the overall functioning of the internet that if there are any bugs they're likely to get fixed fairly quickly. There was the heartbleed incident some years ago, but since then the project has received more support and a lot of former problems have been cleaned up.

So if you are already running an instance of Epicyon then make sure that you have python3-cryptography installed before doing an upgrade. On Freedombone that is all handled automatically.