Hi Mike
At least with our measurements on an 8-bit microprocessor platform,
1024-bit RSA exponentiation was extremely slow. Please have a look at
Table 1:
https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-01
Also, a lot of research in the crypto community is now on faster and
more efficient elliptic curves. For example, the Crypto Forum Research
group at the IRTF is currently working on Edwards curve:
https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08
Hope this helps the discussion.
Thanks
Mohit
On 02/08/2017 04:55 AM, Michael StJohns wrote:
Hi -
This is sort of non-obvious, but one or two articles I read suggest
that RSA 1024 performance may be better than the ECDSA equivalent.
The tradeoff here is obviously the size of the signature and the
transmission thereof, but...
While 1024 bits isn't an ideal security strength for RSA, using any
asymmetric key system for source authentication in group systems is
going to be much better than trying to pretend that symmetric group
key systems have any authentication properties at all.
I saw a PPT presentation by Hannes that didn't include any RSA
performance numbers for the ARM processors even though the key sizes
were compared. My guess is that someone has numbers for 1024 RSA
signatures on the tiny ARM processors that might be useful to throw
into the mix.
https://www.cryptopp.com/benchmarks.html has comparison values for a
specific library.
What I'm suggesting is that we figure out how to meet the "can't cost
anything" requirement with weaker asymmetric keys rather than
accepting a low end fantasy of symmetric key multicast authentication.
Mike
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
