wolfSSL Intel QuickAssist (QAT) Performance Improvements

wolfSSL’s asynchronous crypto offloads public-key, cipher, and hashing work to Intel QuickAssist (QAT) hardware. This update (PR #10772) makes that offload use every QAT device in a multi-adapter system, and hardens it for multi-process and CI use.

The problem: idle devices

Each worker thread binds to one QAT crypto instance, and the driver hands back instances grouped by device (all of device 0, then device 1, and so on). The per-thread round-robin then piled any thread count below the total instance count onto the first device(s), leaving the rest idle. On a 3-device, 18-instance system, you needed 13+ threads before the third adapter did any work.

The fix: interleave instances across devices

wolfCrypt now reorders the instance list so consecutive threads land on different devices (dev0, dev1, dev2, dev0, …). Even modest thread counts spread evenly across every adapter. It is on by default, single-device configs are unaffected, and it can be disabled with QAT_NO_DEV_INTERLEAVE.

The numbers (3x Intel C62x, host i9-14900K, 18 instances)

  • At mid-thread counts the previously-starved device joins in: +35% RSA-2048 throughput at 16 threads, with full device balance and no regression at the high end.
  • Peak aggregated public-key throughput at -threads 18 (hardware):
algorithm HW ops/sec
RSA-2048 private 76,865
ECDSA-256 sign 45,152
ECDHE-256 agree 100,514
DH-2048 agree 141,390

Async TLS, and a path to FIPS 140-3

During a TLS 1.3 handshake wolfSSL hands the public-key work — key exchange and signatures — to QAT asynchronously, so the calling thread keeps serving other connections instead of blocking on crypto, lifting overall connection throughput.

On the certification side, the QuickAssist card can act as Processor Algorithm Acceleration (PAA) for the wolfCrypt FIPS 140-3 module. This does not reuse QAT’s own hardware certificates; instead it opens a path to a new wolfCrypt FIPS 140-3 certification that covers QAT-accelerated crypto. No such certificate exists today, but this work makes it achievable.

Production-ready, and backed by wolfSSL

Beyond raw speed, this release hardens QAT for real deployments: multi-process workloads, a CI-verified green make check, and new post-quantum (ML-KEM) regression coverage. That reliability is the point. wolfSSL pairs a compact, high-performance TLS 1.3 / DTLS 1.3 stack with FIPS 140-3 validated crypto, broad hardware and OS support, and 24/7 commercial support direct from the engineering team that writes the code.

Ready to build? Enable it with –enable-asynccrypt –with-intelqa, and reach us at support@wolfssl.com or fips@wolfssl.com.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 415 245 8247.

Download wolfSSL Now