Re: [Cfrg] Not the same thread -> was Re: Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

Derek Atkins <derek@ihtfp.com> Thu, 26 February 2015 15:56 UTC

From: Derek Atkins <derek@ihtfp.com>
To: Mike Hamburg <mike@shiftleft.org>
Date: Thu, 26 Feb 2015 10:56:07 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/yg0wVW9z-yFkLvt-HHGq8f8L57U>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

Mike Hamburg <mike@shiftleft.org> writes:

> Thanks, Paul.
>
> On 3.6GHz Haswell with OpenSSL 1.0.1f:
> RSA-2048: sign 1028us, verify 31us
> Ed448: sign 51us, verify 163us, dh 148us
> Ed480: sign 55us, verify 183us, dh 170us
> E-521: sign 79us, verify 256us, dh 241us

I asked this in the previous thread but it was lost, so I'll ask this
again in this thread: Why are you looking at RSA 2048 for this
comparison?  That's only a 2^112 work factor (cf. Section 1 of
RFC 4492).

If you want a 2^256 work factor you need to go up to RSA 15360.  If you
only want to get to 2^128 then you need to look at RSA 3072.

Let's at least compare apples to apples.

> On 1GHz Cortex A8 with OpenSSL 1.0.1f:
> RSA-2048: sign 39.8ms, verify 1.2ms
> Ed448: sign 0.7ms, verify 1.9ms, dh 1.9ms
>
> On both CPUs, the elliptic curves are slower than RSA for verification, but
> much faster for signing.  The Haswell core is about 5-8x faster for RSA verify,
> and 20x slower for signing.

But at quite different security levels, so it's not telling us anything
useful.  I think Ed448 is more like an RSA-4096 level (or possibly even
larger than that).

> The A8 is more favorable to EC, probably because OpenSSL (or this build of it)
> doesn't use NEON for RSA.  It is only 60% faster for RSA verification, and 57x
> slower for signing.  But client devices don't sign very often.

-derek

> -- Mike
>
> On 02/25/2015 08:47 AM, Paul Lambert wrote:
>
>     Could we please get some discipline on this list to not pollute
>     conversation threads – especially well formed threads asking for poll with
>     random questions, comments and rants.  
>    
>     Paul
>
>     From: Phillip Hallam-Baker <phill@hallambaker.com>
>     Date: Wednesday, February 25, 2015 at 8:22 AM
>     To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>     Cc: "cfrg@irtf.org" <cfrg@irtf.org>
>     Subject: Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit
>     work factor (ends on March 3rd)
>
>         Do we have figures for performance of these versus RSA2048?
>        
>         Yes, we get a reversal of the public/private speed advantage on
>         signature. And that in itself is a huge win on the server side 
>        
>         RSA signature verification takes 0.16 ms on a reasonably current
>         machine (signature is 6ms)
>        
>         http://www.cryptopp.com/benchmarks.html
>        
>         How much faster/slower one curve is over another matters much less to
>         me than whether the curve is faster or slower than what I am already
>         using. I am not going to be using P521 or P448 curves on a constrained
>         device, I will go for P255.
>        
>         If we had figures comparing the curve candidates to RSA it would
>         probably be illuminating.

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
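
An added example, not part of the original message: a way to put the benchmarked algorithms on one security scale before comparing timings, as the reply asks. It assumes the general number field sieve running-time estimate with the constants 1.923 and 4.69 (as used in NIST's FIPS 140-2 implementation guidance) for RSA, and half the field size (Pollard rho) for the curves; both are approximations, and all function names are this example's own.

```python
import math

LN2 = math.log(2)

def rsa_strength_bits(modulus_bits):
    """Estimated log2 work factor to factor an RSA modulus with GNFS."""
    n = modulus_bits * LN2                      # natural log of the modulus
    return (1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69) / LN2

def ecc_strength_bits(field_bits):
    """Generic-attack estimate: Pollard rho costs about sqrt(group order)."""
    return field_bits / 2

def rsa_bits_for_strength(target_bits):
    """Smallest modulus size whose estimated strength reaches target_bits."""
    lo, hi = 512, 1 << 17
    while lo < hi:                              # estimate is monotonic in size
        mid = (lo + hi) // 2
        if rsa_strength_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

# Curves benchmarked in the quoted message, with their field sizes in bits.
CURVES = {"Ed448": 448, "Ed480": 480, "E-521": 521}

def rsa_equivalents():
    """RSA modulus size estimated to match each benchmarked curve."""
    return {name: rsa_bits_for_strength(ecc_strength_bits(bits))
            for name, bits in CURVES.items()}

if __name__ == "__main__":
    for size in (2048, 3072, 4096, 15360):
        print(f"RSA-{size}: ~2^{rsa_strength_bits(size):.0f}")
    for name, bits in rsa_equivalents().items():
        print(f"{name}: ~2^{ecc_strength_bits(CURVES[name]):.0f}, "
              f"comparable RSA modulus ~{bits} bits")
```

The raw estimate lands near, not exactly on, the rounded table values in RFC 4492 (2048/112, 3072/128, 15360/256), which is expected for a formula of this kind.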