Re: [Ace] Asymmetric signature performance
Mohit Sethi <mohit.m.sethi@ericsson.com> Wed, 08 February 2017 18:34 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91D05129D42 for <ace@ietfa.amsl.com>; Wed, 8 Feb 2017 10:34:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id glLw0xZwgYjl for <ace@ietfa.amsl.com>; Wed, 8 Feb 2017 10:34:40 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC366129D2F for <ace@ietf.org>; Wed, 8 Feb 2017 10:34:39 -0800 (PST)
X-AuditID: c1b4fb2d-fb9fc980000059d1-25-589b64bd1ffb
Received: from ESESSHC022.ericsson.se (Unknown_Domain [153.88.183.84]) by (Symantec Mail Security) with SMTP id F3.2C.22993.DB46B985; Wed, 8 Feb 2017 19:34:38 +0100 (CET)
Received: from nomadiclab.lmf.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.86) with Microsoft SMTP Server id 14.3.319.2; Wed, 8 Feb 2017 19:34:04 +0100
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 50227508C4; Wed, 8 Feb 2017 20:35:14 +0200 (EET)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id E21DC4E94F; Wed, 8 Feb 2017 20:35:13 +0200 (EET)
To: Michael StJohns <mstjohns@comcast.net>, "ace@ietf.org" <ace@ietf.org>
References: <3c4e0f21-e2ad-85af-4761-e158e7fc45e8@comcast.net> <3fbffd36-f846-3f21-74b8-811e54715847@ericsson.com> <1fd13717-96d6-a7d3-6fec-86ff428967bc@comcast.net>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <47c889ff-561d-26f8-8383-229953795e30@ericsson.com>
Date: Wed, 08 Feb 2017 20:34:03 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <1fd13717-96d6-a7d3-6fec-86ff428967bc@comcast.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrNLMWRmVeSWpSXmKPExsUyM2J7iO6+lNkRBofvM1t8/9bDbDFlXZYD k8fkx3MYPZYs+ckUwBTFZZOSmpNZllqkb5fAlXF7elbBPOWKbQ1TWRsYp8l0MXJySAiYSPTv vsPWxcjFISSwjlFi36seZpCEkMBWRolLS3UhEmsZJaYuncAO4cxjlOif/YwNpEpYwFiiefoy RhBbRMBT4uT+z4wQRSsZJc7vPgOWYBPQk+g8dxxsLK+AvcTi2TtYQGwWARWJ29PmsYPYogIR EvOfrmKCqBGUODnzCVgNJ1B974vrQMs4OJiB7Adby0DCzALaEssWvmaGeEFN4uq5TVBXq0ts 7TjAOIFRaBaSSbMQumch6V7AyLyKUbQ4tbg4N93IWC+1KDO5uDg/Ty8vtWQTIzCID275rbuD cfVrx0OMAhyMSjy8GzpnRQixJpYVV+YeYpTgYFYS4Z2TNDtCiDclsbIqtSg/vqg0J7X4EKM0 B4uSOK/ZyvvhQgLpiSWp2ampBalFMFkmDk6pBsYoaddCBY4ox9oN9aeaAyNdNF+t0T2fbcnY cyhx1omlJnYXg7w4FlivKVKw8e3Js2fflDFdP/hr7RzBhBciUms/JmZI2vaGtQekdMR8Nmiv jF/TduP2asczYvnvwwXPbLq7t6MmWfrs/Mzgym1VXD2sf1uPMyuslrThzHK2rF+0jvPwvoon SizFGYmGWsxFxYkADxXJsl4CAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/7hGeP6UPNGhBJIIqyXXGAuZR9a4>
Subject: Re: [Ace] Asymmetric signature performance
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 18:34:41 -0000
Hi Mike Reply inline. On 02/08/2017 07:10 PM, Michael StJohns wrote: > On 2/8/2017 8:19 AM, Mohit Sethi wrote: >> Hi Mike >> >> At least with our measurements on an 8-bit microprocessor platform, >> 1024-bit RSA exponentiation was extremely slow. Please have a look at >> Table 1: >> >> https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-01 > > I look at Table 1 the first thing I see is that you're using the wrong > abbreviation for time - (ms is milli second), what you want is micro > seconds or (us). Or are you actually trying to claim that a 1024 bit > operation takes 199 seconds? Or all of 3+ minutes? Or are you > using an abacus and a monkey to do the math? It isn't the case of a wrong abbreviation. It actually took that long to do the exponentiation operation. We don't implement our own crypto and use existing libraries. In this case, we use the following library: http://emsign.nl/. The author of the library himself runs some initial measurements to find that 512-bit RSA exponentiation can take roughly 26 seconds. > > (And by the way - using "3" as the RSA exponent is just wrong). Agree. The point here was to see if we need to invest more time to get a secure and efficient RSA implementation working? What we concluded was that the performance of ECC is significantly better, at least for our platform with the libraries available. > > Table 1 doesn't actually indicate whether this is a signing operation > or a verification operation, or whether or not the summary function > (SHA1 or SHA256) is included. We do write in the text that the numbers reflect the signing operation only. The time does not include the summary function. > > If Table 2 and table 3 have the same mistakes in time abbreviation > (and I'm not sure why they wouldn't), you're saying that you can do an > ECDSA function in 2-6 milliseconds. Which more than meets the > requirements. > > The best time with 163-bit koblitz curve was ~300 ms (for signing). I don't think it meets the requirements, but I definitely agree that we are getting quite better all the time. And bear in mind we use a 8-bit platform that not many deployments have. I think 32-bit is more common and cheaper because of economies of scale. > >> >> Also, a lot of research in the crypto community is now on faster and >> more efficient elliptic curves. For example, the Crypto Forum >> Research group at the IRTF is currently working on Edwards curve: >> https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08 > > Aware of this along with Curve25519 and its ilk. Most important thing > would be to get the numbers for an ARM M0 or other tiny processor for > these. In the draft, we also cite an implementation where the authors were able to do Ed25519 signing on the same 8-bit platform in ~1,5 seconds. Thanks Mohit > > >> >> Hope this helps the discussion. >> >> Thanks >> Mohit >> >> On 02/08/2017 04:55 AM, Michael StJohns wrote: >>> Hi - >>> >>> This is sort of non-obvious, but one or two articles I read suggest >>> that RSA 1024 performance may be better than the ECDSA equivalent. >>> >>> The tradeoff here is obviously the size of the signature and the >>> transmission thereof, but... >>> >>> While 1024 bits isn't an ideal security strength for RSA, using any >>> asymmetric key system for source authentication in group systems is >>> going to be much better than trying to pretend that symmetric group >>> key systems have any authentication properties at all. >>> >>> I saw a PPT presentation by Hannes that didn't include any RSA >>> performance numbers for the ARM processors even though the key sizes >>> were compared. My guess is that someone has numbers for 1024 RSA >>> signatures on the tiny ARM processors that might be useful to throw >>> into the mix. >>> >>> https://www.cryptopp.com/benchmarks.html has comparison values for a >>> specific library. >>> >>> What I'm suggesting is that we figure out how to meet the "can't >>> cost anything" requirement with weaker asymmetric keys rather than >>> accepting a low end fantasy of symmetric key multicast authentication. >>> >>> Mike >>> >>> >>> >>> >>> _______________________________________________ >>> Ace mailing list >>> Ace@ietf.org >>> https://www.ietf.org/mailman/listinfo/ace >> >
- [Ace] Asymmetric signature performance Michael StJohns
- Re: [Ace] Asymmetric signature performance Somaraju Abhinav
- Re: [Ace] Asymmetric signature performance Mohit Sethi
- Re: [Ace] Asymmetric signature performance Panos Kampanakis (pkampana)
- Re: [Ace] Asymmetric signature performance Derek Atkins
- Re: [Ace] Asymmetric signature performance Michael StJohns
- Re: [Ace] Asymmetric signature performance Michael StJohns
- Re: [Ace] Asymmetric signature performance Mohit Sethi
- Re: [Ace] Asymmetric signature performance Michael StJohns
- Re: [Ace] Asymmetric signature performance Somaraju Abhinav
- Re: [Ace] Asymmetric signature performance Carsten Bormann
- Re: [Ace] Asymmetric signature performance Panos Kampanakis (pkampana)
- Re: [Ace] Asymmetric signature performance Eliot Lear
- Re: [Ace] Asymmetric signature performance Derek Atkins
- Re: [Ace] Asymmetric signature performance Derek Atkins
- Re: [Ace] Asymmetric signature performance Derek Atkins
- Re: [Ace] Asymmetric signature performance Panos Kampanakis (pkampana)
- Re: [Ace] Asymmetric signature performance Derek Atkins
- [Ace] (confusing GNFS and SNFS) Re: Asymmetric si… Rene Struik
- Re: [Ace] Asymmetric signature performance Panos Kampanakis (pkampana)
- Re: [Ace] Asymmetric signature performance Mohit Sethi
- Re: [Ace] Asymmetric signature performance Joona Kannisto
- Re: [Ace] Asymmetric signature performance Derek Atkins