Re: [Cfrg] Not the same thread -> was Re: Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
Derek Atkins <derek@ihtfp.com> Thu, 26 February 2015 15:56 UTC
From: Derek Atkins <derek@ihtfp.com>
To: Mike Hamburg <mike@shiftleft.org>
Date: Thu, 26 Feb 2015 10:56:07 -0500
In-Reply-To: <54EE0D4D.2080009@shiftleft.org> (Mike Hamburg's message of "Wed, 25 Feb 2015 09:58:37 -0800")
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/yg0wVW9z-yFkLvt-HHGq8f8L57U>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Mike Hamburg <mike@shiftleft.org> writes:

> Thanks, Paul.
>
> On 3.6GHz Haswell with OpenSSL 1.0.1f:
> RSA-2048: sign 1028us, verify 31us
> Ed448: sign 51us, verify 163us, dh 148us
> Ed480: sign 55us, verify 183us, dh 170us
> E-521: sign 79us, verify 256us, dh 241us

I asked this in the previous thread but it was lost, so I'll ask this again in this thread:

Why are you looking at RSA 2048 for this comparison? That's only a 2^112 work factor (C.f. Section 1 of RFC4492). If you want a 2^256 work factor you need to go up to RSA 15360. If you only want to get to 2^128 then you need to look at RSA 3072.

Let's at least compare apples to apples.

> On 1GHz Cortex A8 with OpenSSL 1.0.1f:
> RSA-2048: sign 39.8ms, verify 1.2ms
> Ed448: sign 0.7ms, verify 1.9ms, dh 1.9ms
>
> On both CPUs, the elliptic curves are slower than RSA for verification, but
> much faster for signing. The Haswell core is about 5-8x faster for RSA verify,
> and 20x slower for signing.

But at quite different security levels, so it's not telling us anything useful. I think Ed448 is more like an RSA-4096 level (or possibly even larger than that).

> The A8 is more favorable to EC, probably because OpenSSL (or this build of it)
> doesn't use NEON for RSA. It is only 60% faster for RSA verification, and 57x
> slower for signing.

But client devices don't sign very often.

-derek

> -- Mike
>
> On 02/25/2015 08:47 AM, Paul Lambert wrote:
>
> Could we please get some discipline on this list to not pollute
> conversation threads – especially well formed threads asking for poll with
> random questions, comments and rants.
>
> Paul
>
> From: Phillip Hallam-Baker <phill@hallambaker.com>
> Date: Wednesday, February 25, 2015 at 8:22 AM
> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> Cc: "cfrg@irtf.org" <cfrg@irtf.org>
> Subject: Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit
> work factor (ends on March 3rd)
>
> Do we have figures for performance of these versus RSA2048?
>
> Yes, we get a reversal of the public/private speed advantage on
> signature. And that in itself is a huge win on the server side
>
> RSA signature verification takes 0.16 ms on a reasonably current
> machine (signature is 6ms)
>
> http://www.cryptopp.com/benchmarks.html
>
> How much faster/slower one curve is over another matters much less to
> me than whether the curve is faster or slower than what I am already
> using. I am not going to be using P521 or P448 curves on a constrained
> device, I will go for P255.
>
> If we had figures comparing the curve candidates to RSA it would
> probably be illuminating.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
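The security-level matching asked for in the message above can be estimated numerically; this is an added example, not code from the thread or its participants. It uses a commonly cited GNFS-based cost estimate for RSA (the form that appears in NIST guidance), which approximates but does not exactly reproduce the 112/128/256 table values quoted in the message, and it assumes a curve's strength is half its field size in bits (a generic-attack rule of thumb); the function names are hypothetical.

```python
import math

# Field sizes read off the curve names used in the thread (assumption: the
# number in each name is the field size in bits).
ASSUMED_CURVE_FIELD_BITS = {"Ed448": 448, "Ed480": 480, "E-521": 521}


def rsa_strength_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent strength of an RSA modulus (GNFS cost estimate)."""
    x = modulus_bits * math.log(2)  # ln(n) for an L-bit modulus n
    work = 1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69
    return work / math.log(2)


def rsa_bits_for_strength(target_bits: float) -> int:
    """Smallest modulus size whose estimated strength reaches target_bits."""
    lo, hi = 512, 65536
    while lo < hi:  # the estimate is monotonic, so binary search applies
        mid = (lo + hi) // 2
        if rsa_strength_bits(mid) < target_bits:
            lo = mid + 1
        else:
            hi = mid
    return lo


def matched_rsa_sizes() -> dict:
    """Map each curve to (assumed strength, RSA modulus bits of equal strength)."""
    out = {}
    for name, field_bits in ASSUMED_CURVE_FIELD_BITS.items():
        strength = field_bits / 2  # assumption: generic attacks cost ~2^(n/2)
        out[name] = (strength, rsa_bits_for_strength(strength))
    return out


if __name__ == "__main__":
    for bits in (2048, 3072, 4096, 15360):  # RSA sizes named in the message
        print(f"RSA-{bits}: ~{rsa_strength_bits(bits):.0f}-bit strength")
    for name, (strength, rsa_bits) in matched_rsa_sizes().items():
        print(f"{name}: ~{strength:.0f}-bit -> compare against RSA-{rsa_bits}")
```
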