IETF Logo Mail Archive

Re: [Cfrg] Not the same thread -> was Re: Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

Mike Hamburg <mike@shiftleft.org> Wed, 25 February 2015 17:58 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F80F1A0016 for <cfrg@ietfa.amsl.com>; Wed, 25 Feb 2015 09:58:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.556
X-Spam-Level: *
X-Spam-Status: No, score=1.556 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bc8Z26dKog4z for <cfrg@ietfa.amsl.com>; Wed, 25 Feb 2015 09:58:38 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D96FC1A0277 for <cfrg@irtf.org>; Wed, 25 Feb 2015 09:58:38 -0800 (PST)
Received: from [192.168.1.102] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id F1DED3AA12; Wed, 25 Feb 2015 09:56:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1424887005; bh=krU/hYldOo5DyfZGIHCpKYPApJpHYqextr49No34FbY=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=dpx/a1M9ZwtqLHwaRnLgmmE7HkiSQFzOhliQc+mtMLg92KIiso3qZXUlGck9igvCI sSiXS92lWWl0fHzLl2jP60zqEbN+LNF+N02ACYjo/AVInx7KoWeey0hrnyWRQhtYU7 ZE6pBVg20LPLiqwmUn9/r2sJi5yZfRjQLF9ENJZ0=
Message-ID: <54EE0D4D.2080009@shiftleft.org>
Date: Wed, 25 Feb 2015 09:58:37 -0800
From: Mike Hamburg <mike@shiftleft.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Paul Lambert <paul@marvell.com>, Phillip Hallam-Baker <phill@hallambaker.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <D1133BAF.5C3D2%paul@marvell.com>
In-Reply-To: <D1133BAF.5C3D2%paul@marvell.com>
Content-Type: multipart/alternative; boundary="------------030606010705010703010104"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/x7pTNIgJhAkaY5uMAhbhjTJDD4k>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Not the same thread -> was Re: Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 17:58:40 -0000

Thanks, Paul.

On 3.6GHz Haswell with OpenSSL 1.0.1f:
RSA-2048: sign 1028us, verify 31us
Ed448: sign 51us, verify 163us, dh 148us
Ed480: sign 55us, verify 183us, dh 170us
E-521: sign 79us, verify 256us, dh 241us

On 1GHz Cortex A8 with OpenSSL 1.0.1f:
RSA-2048: sign 39.8ms, verify 1.2ms
Ed448: sign 0.7ms, verify 1.9ms, dh 1.9ms

On both CPUs, the elliptic curves are slower than RSA for verification, 
but much faster for signing.  The Haswell core is about 5-8x faster for 
RSA verify, and 20x slower for signing.

The A8 is more favorable to EC, probably because OpenSSL (or this build 
of it) doesn't use NEON for RSA.  It is only 60% faster for RSA 
verification, and 57x slower for signing.  But client devices don't sign 
very often.

-- Mike

On 02/25/2015 08:47 AM, Paul Lambert wrote:
>
> Could we please get some discipline on this list to not pollute 
> conversation threads – especially well formed threads asking for poll 
> with random questions, comments and rants.
>
> Paul
>
>
> From: Phillip Hallam-Baker <phill@hallambaker.com 
> <mailto:phill@hallambaker.com>>
> Date: Wednesday, February 25, 2015 at 8:22 AM
> To: Stephen Farrell <stephen.farrell@cs.tcd.ie 
> <mailto:stephen.farrell@cs.tcd.ie>>
> Cc: "cfrg@irtf.org <mailto:cfrg@irtf.org>" <cfrg@irtf.org 
> <mailto:cfrg@irtf.org>>
> Subject: Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 
> 256bit work factor (ends on March 3rd)
>
>     Do we have figures for performance of these versus RSA2048?
>
>     Yes, we get a reversal of the public/private speed advantage on
>     signature. And that in itself is a huge win on the server side
>
>     RSA signature verification takes 0.16 ms on a reasonably current
>     machine (signature is 6ms)
>
>     http://www.cryptopp.com/benchmarks.html
>
>     How much faster/slower one curve is over another matters much less
>     to me than whether the curve is faster or slower than what I am
>     already using. I am not going to be using P521 or P448 curves on a
>     constrained device, I will go for P255.
>
>     If we had figures comparing the curve candidates to RSA it would
>     probably be illuminating.
>
>
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email