IETF Logo Mail Archive

Re: [Cfrg] Validation performance Re: new curves vs. algorithms

Santosh Chokhani <SChokhani@cygnacom.com> Fri, 21 March 2014 17:56 UTC

Return-Path: <SChokhani@cygnacom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD3AC1A09C8 for <cfrg@ietfa.amsl.com>; Fri, 21 Mar 2014 10:56:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KarZbcyNT_dA for <cfrg@ietfa.amsl.com>; Fri, 21 Mar 2014 10:56:28 -0700 (PDT)
Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 88DB71A08D1 for <Cfrg@irtf.org>; Fri, 21 Mar 2014 10:56:28 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.97,704,1389762000"; d="scan'208";a="563569"
Received: from unknown (HELO scygexch10.cygnacom.com) ([10.4.60.26]) by ipedge2.cygnacom.com with ESMTP; 21 Mar 2014 13:56:19 -0400
Received: from SCYGEXCH10.cygnacom.com ([::1]) by scygexch10.cygnacom.com ([::1]) with mapi id 14.02.0247.003; Fri, 21 Mar 2014 13:56:18 -0400
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Olafur Gudmundsson <ogud@ogud.com>, "Cfrg@irtf.org" <Cfrg@irtf.org>
Thread-Topic: [Cfrg] Validation performance Re: new curves vs. algorithms
Thread-Index: AQHPRSnQ38HyMKfrn0CppXvFYXhAAZrr0nFQ
Date: Fri, 21 Mar 2014 17:56:16 +0000
Message-ID: <4262AC0DB9856847A2D00EF817E81139173896@scygexch10.cygnacom.com>
References: <52D928A1.6070201@cs.tcd.ie> <3851D33B-3201-498C-84E1-AAD2FAA0418A@ogud.com>
In-Reply-To: <3851D33B-3201-498C-84E1-AAD2FAA0418A@ogud.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.60.117.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/rXMdtrHoI-CBIdm59XYvGo2mSpY
Subject: Re: [Cfrg] Validation performance Re: new curves vs. algorithms
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 17:56:31 -0000

You cannot expect EC to match RSA for public key operation performance given the typical 17 bit exponent for RSA public key.

The perform problem for EC and discrete logs in finite field gets worse for pubic key operations when taking PKI into consideration because of a number of certificates and their revocation status need to be checked (all use public key operations) before trust in a public key is established.

-----Original Message-----
From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Olafur Gudmundsson
Sent: Friday, March 21, 2014 1:20 PM
To: Cfrg@irtf.org
Subject: [Cfrg] Validation performance Re: new curves vs. algorithms


While we are it, here is another criteria to keep in mind when designing/recommending new curves. 
This relates to an old question I asked on CFRG in 2006 (wow that is a long time ago) in regards to using ECC in DNSSEC http://www.ietf.org/mail-archive/web/cfrg/current/msg01170.html

Since then DNSSEC has specified the use of 3 curves P256, P384[RFC6605] and ECC-GOST[RFC5933], none of these seems to be in wide spread use, as support is rolling out. 

What we have learned in the mean time (from DNS perspective), is verification time is the most critical part as the world wants happy eyeballs to work and any microseconds that verification takes add up.
Consider the case that most web pages have in excess of 50 links and many of those are unique and can not be reused by resolvers/validators. 

Fast signing is nice as that may enable on the fly signing off unique names. 

As for criteria I would propose the following, as starting point for discussion 
	verification time < verification of 2048 bit RSA signature
	signing time      <  signing with 1024  bit RSA key 

As an example comparing here is comparison of performance of RSA1024 and 2048 bit keys  vs NIST P256 and P384 on modern hardware, only relative performance should be derived. 

> OpenSSL> version
> OpenSSL 1.0.1 14 Mar 2012
> OpenSSL> speed rsa1024 rsa2048 ecdsap256 ecdsap384
> Doing 1024 bit private rsa's for 10s: 38935 1024 bit private RSA's in 
> 9.97s Doing 1024 bit public rsa's for 10s: 621683 1024 bit public 
> RSA's in 9.98s Doing 2048 bit private rsa's for 10s: 5792 2048 bit 
> private RSA's in 9.98s Doing 2048 bit public rsa's for 10s: 187826 
> 2048 bit public RSA's in 9.97s Doing 256 bit sign ecdsa's for 10s: 
> 58772 256 bit ECDSA signs in 9.98s Doing 256 bit verify ecdsa's for 
> 10s: 23120 256 bit ECDSA verify in 9.97s Doing 384 bit sign ecdsa's 
> for 10s: 34564 384 bit ECDSA signs in 9.97s Doing 384 bit verify 
> ecdsa's for 10s: 7695 384 bit ECDSA verify in 9.98s OpenSSL 1.0.1 14 
> Mar 2012 built on: Tue Jun  4 07:26:06 UTC 2013
> options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) 
> blowfish(idx)
> compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
>                   sign    verify    sign/s verify/s
> rsa 1024 bits 0.000256s 0.000016s   3905.2  62292.9
> rsa 2048 bits 0.001723s 0.000053s    580.4  18839.1
>                               sign    verify    sign/s verify/s
>  256 bit ecdsa (nistp256)   0.0002s   0.0004s   5889.0   2319.0
>  384 bit ecdsa (nistp384)   0.0003s   0.0013s   3466.8    771.0


As you can see these ECC curves verification performance SUCKS big time when we compare smallest sizes. 
I know the RSA code is much more mature than the ECC code but the verification code needs to improve by 25x For these curves Signing speeds meets the criteria. 

	Olafur 


_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email