Re: [Ace] Asymmetric signature performance
On 2/8/2017 10:56 AM, Panos Kampanakis (pkampana) wrote: One correction: 1024-bit RSA/DSA is not the same security level as 256-bit curve ECDSA or Ed25519. But neither is a group symmetric key of any sized used for authentication/authorization. The point is that weaker but good enough security on the asymmetric side is going to be a better solution than ANY group symmetric key. NIST et al have given some guidance about key strengths and their uses with respect to the broadest set of threats and following the guidance is pretty much good engineering. But, looking at something like RSA 1024 bit (or the ECDSA equivalent of about 166 bits - I think that's the right number), and looking at the threat environment for the target application, and noting that it's trivial (protocol wise) to change out the size of the key (e.g. scale it) in higher threat environments, 1024/166 bits may not be a bad choice for minimum security for non-man rated IOT control things. Mike To compare apples to apples you would need 3072-bit RSA/DSA sigs which ends up being far worse in terms of sig size and performance. Agreed that symmetric group key auth has plenty of limitations. Panos -Original Message- From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Michael StJohns Sent: Tuesday, February 07, 2017 9:55 PM To: ace@ietf.org Subject: [Ace] Asymmetric signature performance Hi - This is sort of non-obvious, but one or two articles I read suggest that RSA 1024 performance may be better than the ECDSA equivalent. The tradeoff here is obviously the size of the signature and the transmission thereof, but... While 1024 bits isn't an ideal security strength for RSA, using any asymmetric key system for source authentication in group systems is going to be much better than trying to pretend that symmetric group key systems have any authentication properties at all. I saw a PPT presentation by Hannes that didn't include any RSA performance numbers for the ARM processors even though the key sizes were compared. My guess is that someone has numbers for 1024 RSA signatures on the tiny ARM processors that might be useful to throw into the mix. https://www.cryptopp.com/benchmarks.html has comparison values for a specific library. What I'm suggesting is that we figure out how to meet the "can't cost anything" requirement with weaker asymmetric keys rather than accepting a low end fantasy of symmetric key multicast authentication. Mike ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] Asymmetric signature performance
On 2/8/2017 8:19 AM, Mohit Sethi wrote: Hi Mike At least with our measurements on an 8-bit microprocessor platform, 1024-bit RSA exponentiation was extremely slow. Please have a look at Table 1: https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-01 I look at Table 1 the first thing I see is that you're using the wrong abbreviation for time - (ms is milli second), what you want is micro seconds or (us). Or are you actually trying to claim that a 1024 bit operation takes 199 seconds? Or all of 3+ minutes? Or are you using an abacus and a monkey to do the math? (And by the way - using "3" as the RSA exponent is just wrong). Table 1 doesn't actually indicate whether this is a signing operation or a verification operation, or whether or not the summary function (SHA1 or SHA256) is included. If Table 2 and table 3 have the same mistakes in time abbreviation (and I'm not sure why they wouldn't), you're saying that you can do an ECDSA function in 2-6 milliseconds. Which more than meets the requirements. Also, a lot of research in the crypto community is now on faster and more efficient elliptic curves. For example, the Crypto Forum Research group at the IRTF is currently working on Edwards curve: https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08 Aware of this along with Curve25519 and its ilk. Most important thing would be to get the numbers for an ARM M0 or other tiny processor for these. Hope this helps the discussion. Thanks Mohit On 02/08/2017 04:55 AM, Michael StJohns wrote: Hi - This is sort of non-obvious, but one or two articles I read suggest that RSA 1024 performance may be better than the ECDSA equivalent. The tradeoff here is obviously the size of the signature and the transmission thereof, but... While 1024 bits isn't an ideal security strength for RSA, using any asymmetric key system for source authentication in group systems is going to be much better than trying to pretend that symmetric group key systems have any authentication properties at all. I saw a PPT presentation by Hannes that didn't include any RSA performance numbers for the ARM processors even though the key sizes were compared. My guess is that someone has numbers for 1024 RSA signatures on the tiny ARM processors that might be useful to throw into the mix. https://www.cryptopp.com/benchmarks.html has comparison values for a specific library. What I'm suggesting is that we figure out how to meet the "can't cost anything" requirement with weaker asymmetric keys rather than accepting a low end fantasy of symmetric key multicast authentication. Mike ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] Asymmetric signature performance
On 2/8/2017 7:56 AM, Somaraju Abhinav wrote: Hi Mike, the signature size of RSA is an issue even in the 1024 bit version. The main wireless protocol, 802.15.4 has a PHY/MAC packet size of 127 bytes so we will have to fragment IP packets (Bluetooth LE is even smaller at just 27 bytes). This makes it very difficult to meet the time to light requirements. This is also a concern for the 70-80 byte overhead of ECC but we can probably just about manage. I could have sworn this was going to be running over IPv6? E.g. is this an "internet protocol" or are you just wrapping it up in IPV6 packets for marketing? Or is this yet another requirement - "Must not cause excessive IPv6 fragmentation"? that needs to be stated. You are specifying this as group key multicast protocol on IPv6, but I'm finding it hard to figure out whether or not you expect this to work in anything except a single subnet, homogeneous transmission technology model. If that's the case, why are we talking about this as an IETF task? To put it another way - you can't have your cake and eat it too. If this is an internet protocol, then it has to be able to work in the ... well.. internet. If your target is closely connected nodes with identical transmission modes, then why not go get IEEE to standardize something? Look - IP protocol is a pretty big hammer and there's this tendency to try and make everything look like a nail. But some things are not nails and can never be made to be nails. This lighting multicast, cheap, low latency, control system is really not looking like a nail. Mike Abhinav *From:* Aceon behalf of Michael StJohns *Sent:* Wednesday, February 8, 2017 3:55:22 AM *To:* ace@ietf.org *Subject:* [Ace] Asymmetric signature performance Hi - This is sort of non-obvious, but one or two articles I read suggest that RSA 1024 performance may be better than the ECDSA equivalent. The tradeoff here is obviously the size of the signature and the transmission thereof, but... While 1024 bits isn't an ideal security strength for RSA, using any asymmetric key system for source authentication in group systems is going to be much better than trying to pretend that symmetric group key systems have any authentication properties at all. I saw a PPT presentation by Hannes that didn't include any RSA performance numbers for the ARM processors even though the key sizes were compared. My guess is that someone has numbers for 1024 RSA signatures on the tiny ARM processors that might be useful to throw into the mix. https://www.cryptopp.com/benchmarks.html has comparison values for a specific library. What I'm suggesting is that we figure out how to meet the "can't cost anything" requirement with weaker asymmetric keys rather than accepting a low end fantasy of symmetric key multicast authentication. Mike ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace The contents of this e-mail and any attachments are confidential to the intended recipient. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If this e-mail is received in error, please immediately notify the sender and delete the e-mail and attached documents. Please note that neither the sender nor the sender's company accept any responsibility for viruses and it is your responsibility to scan or otherwise check this e-mail and any attachments. ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] Asymmetric signature performance
Somaraju Abhinavwrites: > Hi Mike, > > the signature size of RSA is an issue even in the 1024 bit version. The main > wireless protocol, 802.15.4 has a PHY/MAC packet size of 127 bytes so we will > have to fragment IP packets (Bluetooth LE is even smaller at just 27 > bytes). This makes it very difficult to meet the time to light requirements. > This is also a concern for the 70-80 byte overhead of ECC but we can probably > just about manage. Is the concern the computation or the transmission time? Even if you have to fragment packets I would expect transmission time to be well fast enough that computation is the major issue? > Abhinav -derek -- Derek Atkins 617-623-3745 de...@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] Asymmetric signature performance
One correction: 1024-bit RSA/DSA is not the same security level as 256-bit curve ECDSA or Ed25519. To compare apples to apples you would need 3072-bit RSA/DSA sigs which ends up being far worse in terms of sig size and performance. Agreed that symmetric group key auth has plenty of limitations. Panos -Original Message- From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Michael StJohns Sent: Tuesday, February 07, 2017 9:55 PM To: ace@ietf.org Subject: [Ace] Asymmetric signature performance Hi - This is sort of non-obvious, but one or two articles I read suggest that RSA 1024 performance may be better than the ECDSA equivalent. The tradeoff here is obviously the size of the signature and the transmission thereof, but... While 1024 bits isn't an ideal security strength for RSA, using any asymmetric key system for source authentication in group systems is going to be much better than trying to pretend that symmetric group key systems have any authentication properties at all. I saw a PPT presentation by Hannes that didn't include any RSA performance numbers for the ARM processors even though the key sizes were compared. My guess is that someone has numbers for 1024 RSA signatures on the tiny ARM processors that might be useful to throw into the mix. https://www.cryptopp.com/benchmarks.html has comparison values for a specific library. What I'm suggesting is that we figure out how to meet the "can't cost anything" requirement with weaker asymmetric keys rather than accepting a low end fantasy of symmetric key multicast authentication. Mike ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] Asymmetric signature performance
Hi Mike At least with our measurements on an 8-bit microprocessor platform, 1024-bit RSA exponentiation was extremely slow. Please have a look at Table 1: https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-01 Also, a lot of research in the crypto community is now on faster and more efficient elliptic curves. For example, the Crypto Forum Research group at the IRTF is currently working on Edwards curve: https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08 Hope this helps the discussion. Thanks Mohit On 02/08/2017 04:55 AM, Michael StJohns wrote: Hi - This is sort of non-obvious, but one or two articles I read suggest that RSA 1024 performance may be better than the ECDSA equivalent. The tradeoff here is obviously the size of the signature and the transmission thereof, but... While 1024 bits isn't an ideal security strength for RSA, using any asymmetric key system for source authentication in group systems is going to be much better than trying to pretend that symmetric group key systems have any authentication properties at all. I saw a PPT presentation by Hannes that didn't include any RSA performance numbers for the ARM processors even though the key sizes were compared. My guess is that someone has numbers for 1024 RSA signatures on the tiny ARM processors that might be useful to throw into the mix. https://www.cryptopp.com/benchmarks.html has comparison values for a specific library. What I'm suggesting is that we figure out how to meet the "can't cost anything" requirement with weaker asymmetric keys rather than accepting a low end fantasy of symmetric key multicast authentication. Mike ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] Asymmetric signature performance
Hi Mike, the signature size of RSA is an issue even in the 1024 bit version. The main wireless protocol, 802.15.4 has a PHY/MAC packet size of 127 bytes so we will have to fragment IP packets (Bluetooth LE is even smaller at just 27 bytes). This makes it very difficult to meet the time to light requirements. This is also a concern for the 70-80 byte overhead of ECC but we can probably just about manage. Abhinav From: Aceon behalf of Michael StJohns Sent: Wednesday, February 8, 2017 3:55:22 AM To: ace@ietf.org Subject: [Ace] Asymmetric signature performance Hi - This is sort of non-obvious, but one or two articles I read suggest that RSA 1024 performance may be better than the ECDSA equivalent. The tradeoff here is obviously the size of the signature and the transmission thereof, but... While 1024 bits isn't an ideal security strength for RSA, using any asymmetric key system for source authentication in group systems is going to be much better than trying to pretend that symmetric group key systems have any authentication properties at all. I saw a PPT presentation by Hannes that didn't include any RSA performance numbers for the ARM processors even though the key sizes were compared. My guess is that someone has numbers for 1024 RSA signatures on the tiny ARM processors that might be useful to throw into the mix. https://www.cryptopp.com/benchmarks.html has comparison values for a specific library. What I'm suggesting is that we figure out how to meet the "can't cost anything" requirement with weaker asymmetric keys rather than accepting a low end fantasy of symmetric key multicast authentication. Mike ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace The contents of this e-mail and any attachments are confidential to the intended recipient. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If this e-mail is received in error, please immediately notify the sender and delete the e-mail and attached documents. Please note that neither the sender nor the sender's company accept any responsibility for viruses and it is your responsibility to scan or otherwise check this e-mail and any attachments. ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace