IETF Logo Mail Archive

Re: [Ace] Asymmetric signature performance

Mohit Sethi <mohit.m.sethi@ericsson.com> Wed, 08 February 2017 18:34 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91D05129D42 for <ace@ietfa.amsl.com>; Wed, 8 Feb 2017 10:34:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id glLw0xZwgYjl for <ace@ietfa.amsl.com>; Wed, 8 Feb 2017 10:34:40 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC366129D2F for <ace@ietf.org>; Wed, 8 Feb 2017 10:34:39 -0800 (PST)
X-AuditID: c1b4fb2d-fb9fc980000059d1-25-589b64bd1ffb
Received: from ESESSHC022.ericsson.se (Unknown_Domain [153.88.183.84]) by (Symantec Mail Security) with SMTP id F3.2C.22993.DB46B985; Wed, 8 Feb 2017 19:34:38 +0100 (CET)
Received: from nomadiclab.lmf.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.86) with Microsoft SMTP Server id 14.3.319.2; Wed, 8 Feb 2017 19:34:04 +0100
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 50227508C4; Wed, 8 Feb 2017 20:35:14 +0200 (EET)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id E21DC4E94F; Wed, 8 Feb 2017 20:35:13 +0200 (EET)
To: Michael StJohns <mstjohns@comcast.net>, "ace@ietf.org" <ace@ietf.org>
References: <3c4e0f21-e2ad-85af-4761-e158e7fc45e8@comcast.net> <3fbffd36-f846-3f21-74b8-811e54715847@ericsson.com> <1fd13717-96d6-a7d3-6fec-86ff428967bc@comcast.net>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <47c889ff-561d-26f8-8383-229953795e30@ericsson.com>
Date: Wed, 08 Feb 2017 20:34:03 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <1fd13717-96d6-a7d3-6fec-86ff428967bc@comcast.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrNLMWRmVeSWpSXmKPExsUyM2J7iO6+lNkRBofvM1t8/9bDbDFlXZYD k8fkx3MYPZYs+ckUwBTFZZOSmpNZllqkb5fAlXF7elbBPOWKbQ1TWRsYp8l0MXJySAiYSPTv vsPWxcjFISSwjlFi36seZpCEkMBWRolLS3UhEmsZJaYuncAO4cxjlOif/YwNpEpYwFiiefoy RhBbRMBT4uT+z4wQRSsZJc7vPgOWYBPQk+g8dxxsLK+AvcTi2TtYQGwWARWJ29PmsYPYogIR EvOfrmKCqBGUODnzCVgNJ1B974vrQMs4OJiB7Adby0DCzALaEssWvmaGeEFN4uq5TVBXq0ts 7TjAOIFRaBaSSbMQumch6V7AyLyKUbQ4tbg4N93IWC+1KDO5uDg/Ty8vtWQTIzCID275rbuD cfVrx0OMAhyMSjy8GzpnRQixJpYVV+YeYpTgYFYS4Z2TNDtCiDclsbIqtSg/vqg0J7X4EKM0 B4uSOK/ZyvvhQgLpiSWp2ampBalFMFkmDk6pBsYoaddCBY4ox9oN9aeaAyNdNF+t0T2fbcnY cyhx1omlJnYXg7w4FlivKVKw8e3Js2fflDFdP/hr7RzBhBciUms/JmZI2vaGtQekdMR8Nmiv jF/TduP2asczYvnvwwXPbLq7t6MmWfrs/Mzgym1VXD2sf1uPMyuslrThzHK2rF+0jvPwvoon SizFGYmGWsxFxYkADxXJsl4CAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/7hGeP6UPNGhBJIIqyXXGAuZR9a4>
Subject: Re: [Ace] Asymmetric signature performance
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 18:34:41 -0000

Hi Mike

Reply inline.


On 02/08/2017 07:10 PM, Michael StJohns wrote:
> On 2/8/2017 8:19 AM, Mohit Sethi wrote:
>> Hi Mike
>>
>> At least with our measurements on an 8-bit microprocessor platform, 
>> 1024-bit RSA exponentiation was extremely slow. Please have a look at 
>> Table 1:
>>
>> https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-01
>
> I look at Table 1 the first thing I see is that you're using the wrong 
> abbreviation for time - (ms is milli second), what you want is micro 
> seconds or (us).   Or are you actually trying to claim that a 1024 bit 
> operation takes 199 seconds?   Or all of 3+ minutes?     Or are you 
> using an abacus and a monkey to do the math?
It isn't the case of a wrong abbreviation. It actually took that long to 
do the exponentiation operation. We don't implement our own crypto and 
use existing libraries. In this case, we use the following library: 
http://emsign.nl/. The author of the library himself runs some initial 
measurements to find that 512-bit RSA exponentiation can take roughly 26 
seconds.
>
> (And by the way - using "3" as the RSA exponent is just wrong).
Agree. The point here was to see if we need to invest more time to get a 
secure and efficient RSA implementation working? What we concluded was 
that the performance of ECC is significantly better, at least for our 
platform with the libraries available.
>
> Table 1 doesn't actually indicate whether this is a signing operation 
> or a verification operation, or whether or not the summary function 
> (SHA1 or SHA256) is included.
We do write in the text that the numbers reflect the signing operation 
only. The time does not include the summary function.
>
> If Table 2 and table 3 have the same mistakes in time abbreviation 
> (and I'm not sure why they wouldn't), you're saying that you can do an 
> ECDSA function in 2-6 milliseconds.   Which more than meets the 
> requirements.
>
>
The best time with 163-bit koblitz curve was ~300 ms (for signing). I 
don't think it meets the requirements, but I definitely agree that we 
are getting quite better all the time. And bear in mind we use a 8-bit 
platform that not many deployments have. I think 32-bit is more common 
and cheaper because of economies of scale.
>
>>
>> Also, a lot of research in the crypto community is now on faster and 
>> more efficient elliptic curves. For example, the Crypto Forum 
>> Research group at the IRTF is currently working on Edwards curve:
>> https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08
>
> Aware of this along with Curve25519 and its ilk.  Most important thing 
> would be to get the numbers for an ARM M0 or other tiny processor for 
> these.
In the draft, we also cite an implementation where the authors were able 
to do Ed25519 signing on the same 8-bit platform in ~1,5 seconds.

Thanks
Mohit
>
>
>>
>> Hope this helps the discussion.
>>
>> Thanks
>> Mohit
>>
>> On 02/08/2017 04:55 AM, Michael StJohns wrote:
>>> Hi -
>>>
>>> This is sort of non-obvious, but one or two articles I read suggest 
>>> that RSA 1024 performance may be better than the ECDSA equivalent.
>>>
>>> The tradeoff here is obviously the size of the signature and the 
>>> transmission thereof, but...
>>>
>>> While 1024 bits isn't an ideal security strength for RSA, using any 
>>> asymmetric key system for source authentication in group systems is 
>>> going to be much better than trying to pretend that symmetric group 
>>> key systems have any authentication properties at all.
>>>
>>> I saw a PPT presentation by Hannes that  didn't include any RSA 
>>> performance numbers for the ARM processors even though the key sizes 
>>> were compared. My guess is that someone has numbers for 1024 RSA 
>>> signatures on the tiny ARM processors that might be useful to throw 
>>> into the mix.
>>>
>>> https://www.cryptopp.com/benchmarks.html has comparison values for a 
>>> specific library.
>>>
>>> What I'm suggesting is that we figure out how to meet the "can't 
>>> cost anything" requirement with weaker asymmetric keys rather than 
>>> accepting a low end fantasy of symmetric key multicast authentication.
>>>
>>> Mike
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Ace mailing list
>>> Ace@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ace
>>
>

v2.23.0 | Report a Bug | By Email