On 2/8/2017 8:19 AM, Mohit Sethi wrote:
Hi Mike
At least with our measurements on an 8-bit microprocessor platform,
1024-bit RSA exponentiation was extremely slow. Please have a look at
Table 1:
https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-01
I look at Table 1 the first thing I see is that you're using the wrong
abbreviation for time - (ms is milli second), what you want is micro
seconds or (us). Or are you actually trying to claim that a 1024 bit
operation takes 199 seconds? Or all of 3+ minutes? Or are you
using an abacus and a monkey to do the math?
(And by the way - using "3" as the RSA exponent is just wrong).
Table 1 doesn't actually indicate whether this is a signing operation or
a verification operation, or whether or not the summary function (SHA1
or SHA256) is included.
If Table 2 and table 3 have the same mistakes in time abbreviation (and
I'm not sure why they wouldn't), you're saying that you can do an ECDSA
function in 2-6 milliseconds. Which more than meets the requirements.
Also, a lot of research in the crypto community is now on faster and
more efficient elliptic curves. For example, the Crypto Forum Research
group at the IRTF is currently working on Edwards curve:
https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08
Aware of this along with Curve25519 and its ilk. Most important thing
would be to get the numbers for an ARM M0 or other tiny processor for these.
Hope this helps the discussion.
Thanks
Mohit
On 02/08/2017 04:55 AM, Michael StJohns wrote:
Hi -
This is sort of non-obvious, but one or two articles I read suggest
that RSA 1024 performance may be better than the ECDSA equivalent.
The tradeoff here is obviously the size of the signature and the
transmission thereof, but...
While 1024 bits isn't an ideal security strength for RSA, using any
asymmetric key system for source authentication in group systems is
going to be much better than trying to pretend that symmetric group
key systems have any authentication properties at all.
I saw a PPT presentation by Hannes that didn't include any RSA
performance numbers for the ARM processors even though the key sizes
were compared. My guess is that someone has numbers for 1024 RSA
signatures on the tiny ARM processors that might be useful to throw
into the mix.
https://www.cryptopp.com/benchmarks.html has comparison values for a
specific library.
What I'm suggesting is that we figure out how to meet the "can't cost
anything" requirement with weaker asymmetric keys rather than
accepting a low end fantasy of symmetric key multicast authentication.
Mike
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace