Performance - GlaSSLess

Overview

GlaSSLess provides significant performance advantages for asymmetric cryptography operations while JDK implementations excel at small-data symmetric operations due to HotSpot intrinsics.

Where GlaSSLess Excels

Operation	Typical Speedup
ECDH Key Agreement	~6x faster
Ed25519 Signing	~8x faster
Ed25519 Verification	~5-6x faster
EC Key Generation (P-256/P-384)	~2-3x faster
Ed25519/X25519 Key Generation	~2-5x faster
SecureRandom (large buffers)	~10-25x faster
SHA3/SHAKE (large data)	~1.5-2x faster

Operation

Typical Speedup

ECDH Key Agreement

~6x faster

Ed25519 Signing

~8x faster

Ed25519 Verification

~5-6x faster

EC Key Generation (P-256/P-384)

~2-3x faster

Ed25519/X25519 Key Generation

~2-5x faster

SecureRandom (large buffers)

~10-25x faster

SHA3/SHAKE (large data)

~1.5-2x faster

Where JDK Excels

Operation	JDK Advantage
SHA-256/SHA-512 (small data <1KB)	~4-6x faster
HMAC (small data <1KB)	~4-8x faster
SecureRandom (small buffers <64B)	~2x faster

Operation

JDK Advantage

SHA-256/SHA-512 (small data <1KB)

~4-6x faster

HMAC (small data <1KB)

~4-8x faster

SecureRandom (small buffers <64B)

~2x faster

NOTE	For large data (16KB+), symmetric operation performance converges between implementations.

Hybrid Mode Recommendation

For optimal performance, consider enabling hybrid mode which delegates JDK-optimized operations while using GlaSSLess for operations where OpenSSL excels:

glassless.hybrid.enabled=true

In hybrid mode, GlaSSLess automatically delegates SHA-256, SHA-512, HMAC-SHA256, HMAC-SHA512, SecureRandom, and ML-KEM operations to the JDK provider, while continuing to provide:

Asymmetric operations (ECDH, ECDSA, EdDSA, RSA) where GlaSSLess is significantly faster
Post-quantum signatures (ML-DSA, SLH-DSA) which are only available in GlaSSLess
Large-data symmetric operations where performance is comparable

See Hybrid Mode Configuration for details.

Benchmark Results

Test Environment

Property	Value
CPU	AMD Ryzen 9 9900X 12-Core Processor
Java	OpenJDK 25
OpenSSL	OpenSSL 3.5.3

Property

Value

CPU

AMD Ryzen 9 9900X 12-Core Processor

Java

OpenJDK 25

OpenSSL

OpenSSL 3.5.3

Key Operations Comparison

Category	Operation	GlaSSLess	JDK	BC FIPS	NSS
Key Agreement	ECDH	19.25	3.07	4.12	-
Key Encapsulation	ML-KEM-768 Encaps	37.13	59.06	-	-
Key Encapsulation	ML-KEM-768 Decaps	20.83	51.49	-	-
Key Generation	ML-KEM-768	24.24	52.08	-	-
Key Generation	EC P-256	33.29	17.74	2.33	17.86
Digest	SHA-256 (64B)	2616	15119	8238	-
MAC	HMAC-SHA256 (64B)	797	6214	2444	-

Scores in ops/ms. Higher is better. "-" indicates no data available.

GlaSSLess vs JDK Speedups

Category	Operation	Speedup
Key Agreement	ECDH	6.3x faster
Key Generation	EC P-256	1.9x faster
Key Encapsulation	ML-KEM-768 Encaps	1.7x slower
Key Encapsulation	ML-KEM-768 Decaps	2.5x slower
Key Generation	ML-KEM-768	2x slower
Digest	SHA-256 (64B)	5x slower

MessageDigest Benchmarks

Provider	Algorithm	Data Size	Score	Error	Unit
glassless	SHA-256	64B	2616	±978	ops/ms
jdk	SHA-256	64B	15119	±1105	ops/ms
glassless	SHA-256	1MB	1.9	±0.03	ops/ms
jdk	SHA-256	1MB	2.62	±0	ops/ms
glassless	SHA-512	64B	2116	±340	ops/ms
jdk	SHA-512	64B	8509	±127	ops/ms

Provider

Algorithm

Data Size

Score

Error

Unit

glassless

SHA-256

64B

2616

±978

ops/ms

jdk

SHA-256

64B

15119

±1105

ops/ms

glassless

SHA-256

1MB

1.9

±0.03

ops/ms

jdk

SHA-256

1MB

2.62

±0

ops/ms

glassless

SHA-512

64B

2116

±340

ops/ms

jdk

SHA-512

64B

8509

±127

ops/ms

Key Agreement Benchmarks

Provider	Algorithm	Score	Error	Unit
glassless	ECDH	19.25	±0.16	ops/ms
jdk	ECDH	3.07	±0.04	ops/ms
bcFips	ECDH	4.12	±0.04	ops/ms

Provider

Algorithm

Score

Error

Unit

glassless

ECDH

19.25

±0.16

ops/ms

jdk

ECDH

3.07

±0.04

ops/ms

bcFips

ECDH

4.12

±0.04

ops/ms

Key Encapsulation (ML-KEM) Benchmarks

Provider	Operation	Algorithm	Score	Error	Unit
glassless	KeyGen	ML-KEM-768	24.24	±0.46	ops/ms
jdk	KeyGen	ML-KEM-768	52.08	±0.26	ops/ms
glassless	Encapsulate	ML-KEM-768	37.13	±0.92	ops/ms
jdk	Encapsulate	ML-KEM-768	59.06	±0.40	ops/ms
glassless	Decapsulate	ML-KEM-768	20.83	±0.24	ops/ms
jdk	Decapsulate	ML-KEM-768	51.49	±0.49	ops/ms

Provider

Operation

Algorithm

Score

Error

Unit

glassless

KeyGen

ML-KEM-768

24.24

±0.46

ops/ms

jdk

KeyGen

ML-KEM-768

52.08

±0.26

ops/ms

glassless

Encapsulate

ML-KEM-768

37.13

±0.92

ops/ms

jdk

Encapsulate

ML-KEM-768

59.06

±0.40

ops/ms

glassless

Decapsulate

ML-KEM-768

20.83

±0.24

ops/ms

jdk

Decapsulate

ML-KEM-768

51.49

±0.49

ops/ms

Key Pair Generator Benchmarks

Provider	Algorithm	Score	Error	Unit
glassless	EC P-256	33.29	±1.02	ops/ms
jdk	EC P-256	17.74	±0.56	ops/ms
glassless	EC P-384	6.49	±0.10	ops/ms
jdk	EC P-384	2.03	±0.05	ops/ms
glassless	RSA-2048	0.04	±0.01	ops/ms
jdk	RSA-2048	0.02	±0.01	ops/ms

Provider

Algorithm

Score

Error

Unit

glassless

EC P-256

33.29

±1.02

ops/ms

jdk

EC P-256

17.74

±0.56

ops/ms

glassless

EC P-384

6.49

±0.10

ops/ms

jdk

EC P-384

2.03

±0.05

ops/ms

glassless

RSA-2048

0.04

±0.01

ops/ms

jdk

RSA-2048

0.02

±0.01

ops/ms

SecureRandom Benchmarks

Provider	Buffer Size	Score	Error	Unit
glassless	16B	4799	±224	ops/ms
jdk	16B	10423	±197	ops/ms
glassless	1KB	3016	±69	ops/ms
jdk	1KB	236	±25	ops/ms
glassless	4KB	1361	±20	ops/ms
jdk	4KB	61	±5	ops/ms

Provider

Buffer Size

Score

Error

Unit

glassless

16B

4799

±224

ops/ms

jdk

16B

10423

±197

ops/ms

glassless

1KB

3016

±69

ops/ms

jdk

1KB

236

±25

ops/ms

glassless

4KB

1361

±20

ops/ms

jdk

4KB

61

±5

ops/ms

Running Benchmarks

JMH microbenchmarks compare performance between JDK and GlaSSLess implementations:

# Run all benchmarks (~12 minutes)
mvn test -Pbenchmarks

# Generate detailed performance report
./scripts/generate-performance-report.sh

# Run specific benchmark class
mvn test -Pbenchmarks -Dexec.args=".*MessageDigestBenchmark.*"

Benchmark Categories

Benchmark	Algorithms	Data Sizes
MessageDigestBenchmark	SHA-256, SHA-512, SHA3-256	64B, 1KB, 16KB, 1MB
CipherBenchmark	AES/GCM, AES/CBC, ChaCha20-Poly1305	64B, 1KB, 16KB, 1MB
MacBenchmark	HmacSHA256, HmacSHA512, HmacSHA3-256	64B, 1KB, 16KB, 1MB
SignatureBenchmark	SHA256withECDSA, SHA384withECDSA, Ed25519	-
KeyAgreementBenchmark	ECDH, X25519	-
KEMBenchmark	ML-KEM-512, ML-KEM-768, ML-KEM-1024	-
KeyPairGeneratorBenchmark	EC P-256/P-384, RSA-2048/4096, Ed25519, X25519	-
SecureRandomBenchmark	NativePRNG	16B to 4KB
HybridModeBenchmark	Mixed workload comparing JDK vs GlaSSLess vs hybrid	-

Benchmark

Algorithms

Data Sizes

MessageDigestBenchmark

SHA-256, SHA-512, SHA3-256

64B, 1KB, 16KB, 1MB

CipherBenchmark

AES/GCM, AES/CBC, ChaCha20-Poly1305

64B, 1KB, 16KB, 1MB

MacBenchmark

HmacSHA256, HmacSHA512, HmacSHA3-256

64B, 1KB, 16KB, 1MB

SignatureBenchmark

SHA256withECDSA, SHA384withECDSA, Ed25519

-

KeyAgreementBenchmark

ECDH, X25519

-

KEMBenchmark

ML-KEM-512, ML-KEM-768, ML-KEM-1024

-

KeyPairGeneratorBenchmark

EC P-256/P-384, RSA-2048/4096, Ed25519, X25519

-

SecureRandomBenchmark

NativePRNG

16B to 4KB

HybridModeBenchmark

Mixed workload comparing JDK vs GlaSSLess vs hybrid

-

Hybrid Mode Benchmark

The HybridModeBenchmark demonstrates the performance benefit of hybrid mode by comparing:

JDK-optimized operations : SHA-256, HMAC-SHA256, SecureRandom (small data)
GlaSSLess-optimized operations : ECDH, Ed25519, EC key generation
Mixed workloads : Combined operations showing overall benefit

Run the hybrid mode benchmark:

mvn test -Pbenchmarks -Djmh.include=HybridModeBenchmark

JDK-Optimized Operations

These operations are faster with JDK's HotSpot intrinsics. In hybrid mode, they are delegated to JDK.

Operation	JDK (ops/ms)	GlaSSLess (ops/ms)	JDK Advantage
SHA-256 (64B)	14,512	2,546	5.7x faster
HMAC-SHA256 (64B)	6,040	615	9.8x faster
SecureRandom (32B)	5,958	4,229	1.4x faster
ML-KEM-768 Encapsulate	54.7	35.5	1.5x faster

GlaSSLess-Optimized Operations

These operations are faster with OpenSSL. In hybrid mode, GlaSSLess continues to provide them.

Operation	GlaSSLess (ops/ms)	JDK (ops/ms)	GlaSSLess Advantage
ECDH Key Agreement	12.6	2.4	5.2x faster
Ed25519 Signing	25.0	3.2	7.9x faster
EC P-256 Key Generation	31.2	16.5	1.9x faster

Mixed Workload Results

The mixed workload benchmark combines SHA-256 digest, HMAC-SHA256, and Ed25519 signing to simulate real-world usage patterns.

Mode	Throughput (ops/ms)	vs JDK	vs GlaSSLess
Hybrid	26.5	8.4x faster	1.05x faster
GlaSSLess	25.2	8.0x faster	-
JDK	3.2	-	8.0x slower

Key findings:

Hybrid mode delivers the best overall performance by using each provider for what it does best
Ed25519 signing dominates the mixed workload (being ~8x faster in GlaSSLess), making both hybrid and GlaSSLess modes significantly outperform pure JDK
For workloads with more symmetric operations, hybrid mode provides even greater advantage over pure GlaSSLess
Hybrid mode is automatically disabled in FIPS mode to ensure compliance

Results are saved to target/jmh-results.json.

Notes

Throughput is measured in operations per millisecond (ops/ms). Higher is better.
Error shows the 99.9% confidence interval.
Provider characteristics :
- JDK : Benefits from HotSpot intrinsics for SHA-256, SHA-512, AES, and other common algorithms
- GlaSSLess (OpenSSL) : Excels at asymmetric cryptography; FFM call overhead affects small-data operations
- BC FIPS : FIPS 140-2 certified; pure Java implementation with some native acceleration
- NSS : Mozilla's Network Security Services via SunPKCS11; requires system NSS libraries
Post-Quantum Cryptography : ML-KEM is available in both JDK 24+ and GlaSSLess (OpenSSL 3.5+). ML-DSA and SLH-DSA require OpenSSL 3.5+ and are currently only available in GlaSSLess.
For large data sizes (16KB+), performance typically converges between implementations.