Re: [Ace] Asymmetric signature performance

2017-02-08 Thread Michael StJohns 

On 2/8/2017 10:56 AM, Panos Kampanakis (pkampana) wrote:

One correction: 1024-bit RSA/DSA is not the same security level as 256-bit 
curve ECDSA or Ed25519.


But neither is a group symmetric key of any sized used for 
authentication/authorization.


The point is that weaker but good enough security on the asymmetric side 
is going to be a better solution than ANY group symmetric key.


NIST et al have given some guidance about key strengths and their uses 
with respect to the broadest set of threats and following the guidance 
is pretty much good engineering.  But, looking at something like RSA 
1024 bit (or the ECDSA equivalent of about 166 bits - I think that's the 
right number), and looking at the threat environment for the target 
application, and noting that it's trivial (protocol wise) to change out 
the size of the key (e.g. scale it) in higher threat environments, 
1024/166 bits may not be a bad choice for minimum security for non-man 
rated IOT control things.


Mike




To compare apples to apples you would need 3072-bit RSA/DSA sigs which ends up 
being far worse in terms of sig size and performance.

Agreed that symmetric group key auth has plenty of limitations.

Panos



-Original Message-
From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Michael StJohns
Sent: Tuesday, February 07, 2017 9:55 PM
To: ace@ietf.org
Subject: [Ace] Asymmetric signature performance

Hi -

This is sort of non-obvious, but one or two articles I read suggest that RSA 
1024 performance may be better than the ECDSA equivalent.

The tradeoff here is obviously the size of the signature and the transmission 
thereof, but...

While 1024 bits isn't an ideal security strength for RSA, using any asymmetric 
key system for source authentication in group systems is going to be much 
better than trying to pretend that symmetric group key systems have any 
authentication properties at all.

I saw a PPT presentation by Hannes that  didn't include any RSA performance 
numbers for the ARM processors even though the key sizes were compared. My 
guess is that someone has numbers for 1024 RSA signatures on the tiny ARM 
processors that might be useful to throw into the mix.

https://www.cryptopp.com/benchmarks.html has comparison values for a specific 
library.

What I'm suggesting is that we figure out how to meet the "can't cost anything" 
requirement with weaker asymmetric keys rather than accepting a low end fantasy of 
symmetric key multicast authentication.

Mike




___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace



___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Asymmetric signature performance

2017-02-08 Thread Michael StJohns 

On 2/8/2017 8:19 AM, Mohit Sethi wrote:

Hi Mike

At least with our measurements on an 8-bit microprocessor platform, 
1024-bit RSA exponentiation was extremely slow. Please have a look at 
Table 1:


https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-01


I look at Table 1 the first thing I see is that you're using the wrong 
abbreviation for time - (ms is milli second), what you want is micro 
seconds or (us).   Or are you actually trying to claim that a 1024 bit 
operation takes 199 seconds?   Or all of 3+ minutes? Or are you 
using an abacus and a monkey to do the math?


(And by the way - using "3" as the RSA exponent is just wrong).

Table 1 doesn't actually indicate whether this is a signing operation or 
a verification operation, or whether or not the summary function (SHA1 
or SHA256) is included.


If Table 2 and table 3 have the same mistakes in time abbreviation (and 
I'm not sure why they wouldn't), you're saying that you can do an ECDSA 
function in 2-6 milliseconds.   Which more than meets the requirements.






Also, a lot of research in the crypto community is now on faster and 
more efficient elliptic curves. For example, the Crypto Forum Research 
group at the IRTF is currently working on Edwards curve:

https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08


Aware of this along with Curve25519 and its ilk.  Most important thing 
would be to get the numbers for an ARM M0 or other tiny processor for these.





Hope this helps the discussion.

Thanks
Mohit

On 02/08/2017 04:55 AM, Michael StJohns wrote:

Hi -

This is sort of non-obvious, but one or two articles I read suggest 
that RSA 1024 performance may be better than the ECDSA equivalent.


The tradeoff here is obviously the size of the signature and the 
transmission thereof, but...


While 1024 bits isn't an ideal security strength for RSA, using any 
asymmetric key system for source authentication in group systems is 
going to be much better than trying to pretend that symmetric group 
key systems have any authentication properties at all.


I saw a PPT presentation by Hannes that  didn't include any RSA 
performance numbers for the ARM processors even though the key sizes 
were compared. My guess is that someone has numbers for 1024 RSA 
signatures on the tiny ARM processors that might be useful to throw 
into the mix.


https://www.cryptopp.com/benchmarks.html has comparison values for a 
specific library.


What I'm suggesting is that we figure out how to meet the "can't cost 
anything" requirement with weaker asymmetric keys rather than 
accepting a low end fantasy of symmetric key multicast authentication.


Mike




___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace




___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Asymmetric signature performance

2017-02-08 Thread Michael StJohns 

On 2/8/2017 7:56 AM, Somaraju Abhinav wrote:


Hi Mike,


the signature size of RSA is an issue even in the 1024 bit version. 
The main wireless protocol, 802.15.4 has a PHY/MAC packet size of 127 
bytes so we will have to fragment IP packets (Bluetooth LE is even 
smaller at just 27 bytes). This makes it very difficult to meet the 
time to light requirements. This is also a concern for the 70-80 byte 
overhead of ECC but we can probably just about manage.




I could have sworn this was going to be running over IPv6?   E.g. is 
this an "internet protocol" or are you just wrapping it up in IPV6 
packets for marketing?


Or is this yet another requirement - "Must not cause excessive IPv6 
fragmentation"? that needs to be stated.


You are specifying this as  group key multicast protocol on IPv6, but 
I'm finding it hard to figure out whether or not you expect this to work 
in anything except a single subnet, homogeneous transmission technology 
model.  If that's the case, why are we talking about this as an IETF task?


To put it another way - you can't have your cake and eat it too.  If 
this is an internet protocol, then it has to be able to work in the ... 
well.. internet.  If your target is closely connected nodes with 
identical transmission modes, then why not go get IEEE to standardize 
something?


Look - IP protocol is a pretty big hammer and there's this tendency to 
try and make everything look like a nail.  But some things are not nails 
and can never be made to be nails.  This lighting multicast, cheap, low 
latency, control system is really not looking like a nail.


Mike




Abhinav


*From:* Ace  on behalf of Michael StJohns 


*Sent:* Wednesday, February 8, 2017 3:55:22 AM
*To:* ace@ietf.org
*Subject:* [Ace] Asymmetric signature performance
Hi -

This is sort of non-obvious, but one or two articles I read suggest that
RSA 1024 performance may be better than the ECDSA equivalent.

The tradeoff here is obviously the size of the signature and the
transmission thereof, but...

While 1024 bits isn't an ideal security strength for RSA, using any
asymmetric key system for source authentication in group systems is
going to be much better than trying to pretend that symmetric group key
systems have any authentication properties at all.

I saw a PPT presentation by Hannes that  didn't include any RSA
performance numbers for the ARM processors even though the key sizes
were compared. My guess is that someone has numbers for 1024 RSA
signatures on the tiny ARM processors that might be useful to throw into
the mix.

https://www.cryptopp.com/benchmarks.html has comparison values for a
specific library.

What I'm suggesting is that we figure out how to meet the "can't cost
anything" requirement with weaker asymmetric keys rather than accepting
a low end fantasy of symmetric key multicast authentication.

Mike




___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
 The contents 
of this e-mail and any attachments are confidential to the intended 
recipient. They may not be disclosed to or used by or copied in any 
way by anyone other than the intended recipient. If this e-mail is 
received in error, please immediately notify the sender and delete the 
e-mail and attached documents. Please note that neither the sender nor 
the sender's company accept any responsibility for viruses and it is 
your responsibility to scan or otherwise check this e-mail and any 
attachments. 



___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Asymmetric signature performance

2017-02-08 Thread Derek Atkins 
Somaraju Abhinav  writes:

> Hi Mike,
>
> the signature size of RSA is an issue even in the 1024 bit version. The main
> wireless protocol, 802.15.4 has a PHY/MAC packet size of 127 bytes so we will
> have to fragment IP packets (Bluetooth LE is even smaller at just 27
> bytes). This makes it very difficult to meet the time to light requirements.
> This is also a concern for the 70-80 byte overhead of ECC but we can probably
> just about manage.

Is the concern the computation or the transmission time?  Even if you
have to fragment packets I would expect transmission time to be well
fast enough that computation is the major issue?

> Abhinav

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Asymmetric signature performance

2017-02-08 Thread Panos Kampanakis (pkampana) 
One correction: 1024-bit RSA/DSA is not the same security level as 256-bit 
curve ECDSA or Ed25519. To compare apples to apples you would need 3072-bit 
RSA/DSA sigs which ends up being far worse in terms of sig size and performance.

Agreed that symmetric group key auth has plenty of limitations. 

Panos



-Original Message-
From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Michael StJohns
Sent: Tuesday, February 07, 2017 9:55 PM
To: ace@ietf.org
Subject: [Ace] Asymmetric signature performance

Hi -

This is sort of non-obvious, but one or two articles I read suggest that RSA 
1024 performance may be better than the ECDSA equivalent.

The tradeoff here is obviously the size of the signature and the transmission 
thereof, but...

While 1024 bits isn't an ideal security strength for RSA, using any asymmetric 
key system for source authentication in group systems is going to be much 
better than trying to pretend that symmetric group key systems have any 
authentication properties at all.

I saw a PPT presentation by Hannes that  didn't include any RSA performance 
numbers for the ARM processors even though the key sizes were compared. My 
guess is that someone has numbers for 1024 RSA signatures on the tiny ARM 
processors that might be useful to throw into the mix.

https://www.cryptopp.com/benchmarks.html has comparison values for a specific 
library.

What I'm suggesting is that we figure out how to meet the "can't cost anything" 
requirement with weaker asymmetric keys rather than accepting a low end fantasy 
of symmetric key multicast authentication.

Mike




___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Asymmetric signature performance

2017-02-08 Thread Mohit Sethi 

Hi Mike

At least with our measurements on an 8-bit microprocessor platform, 
1024-bit RSA exponentiation was extremely slow. Please have a look at 
Table 1:


https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-01

Also, a lot of research in the crypto community is now on faster and 
more efficient elliptic curves. For example, the Crypto Forum Research 
group at the IRTF is currently working on Edwards curve:

https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08

Hope this helps the discussion.

Thanks
Mohit

On 02/08/2017 04:55 AM, Michael StJohns wrote:

Hi -

This is sort of non-obvious, but one or two articles I read suggest 
that RSA 1024 performance may be better than the ECDSA equivalent.


The tradeoff here is obviously the size of the signature and the 
transmission thereof, but...


While 1024 bits isn't an ideal security strength for RSA, using any 
asymmetric key system for source authentication in group systems is 
going to be much better than trying to pretend that symmetric group 
key systems have any authentication properties at all.


I saw a PPT presentation by Hannes that  didn't include any RSA 
performance numbers for the ARM processors even though the key sizes 
were compared. My guess is that someone has numbers for 1024 RSA 
signatures on the tiny ARM processors that might be useful to throw 
into the mix.


https://www.cryptopp.com/benchmarks.html has comparison values for a 
specific library.


What I'm suggesting is that we figure out how to meet the "can't cost 
anything" requirement with weaker asymmetric keys rather than 
accepting a low end fantasy of symmetric key multicast authentication.


Mike




___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace


___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Asymmetric signature performance

2017-02-08 Thread Somaraju Abhinav 
Hi Mike,


the signature size of RSA is an issue even in the 1024 bit version. The main 
wireless protocol, 802.15.4 has a PHY/MAC packet size of 127 bytes so we will 
have to fragment IP packets (Bluetooth LE is even smaller at just 27 bytes). 
This makes it very difficult to meet the time to light requirements. This is 
also a concern for the 70-80 byte overhead of ECC but we can probably just 
about manage.


Abhinav


From: Ace  on behalf of Michael StJohns 

Sent: Wednesday, February 8, 2017 3:55:22 AM
To: ace@ietf.org
Subject: [Ace] Asymmetric signature performance

Hi -

This is sort of non-obvious, but one or two articles I read suggest that
RSA 1024 performance may be better than the ECDSA equivalent.

The tradeoff here is obviously the size of the signature and the
transmission thereof, but...

While 1024 bits isn't an ideal security strength for RSA, using any
asymmetric key system for source authentication in group systems is
going to be much better than trying to pretend that symmetric group key
systems have any authentication properties at all.

I saw a PPT presentation by Hannes that  didn't include any RSA
performance numbers for the ARM processors even though the key sizes
were compared. My guess is that someone has numbers for 1024 RSA
signatures on the tiny ARM processors that might be useful to throw into
the mix.

https://www.cryptopp.com/benchmarks.html has comparison values for a
specific library.

What I'm suggesting is that we figure out how to meet the "can't cost
anything" requirement with weaker asymmetric keys rather than accepting
a low end fantasy of symmetric key multicast authentication.

Mike




___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
 The contents of this 
e-mail and any attachments are confidential to the intended recipient. They may 
not be disclosed to or used by or copied in any way by anyone other than the 
intended recipient. If this e-mail is received in error, please immediately 
notify the sender and delete the e-mail and attached documents. Please note 
that neither the sender nor the sender's company accept any responsibility for 
viruses and it is your responsibility to scan or otherwise check this e-mail 
and any attachments.
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace