Re: [TLS] New Version Notification for draft-sheffer-tls-bcp-00.txt

Yoav Nir <ynir@checkpoint.com> Mon, 09 September 2013 19:06 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 379ED21E80AE for <tls@ietfa.amsl.com>; Mon, 9 Sep 2013 12:06:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.555
X-Spam-Level:
X-Spam-Status: No, score=-5.555 tagged_above=-999 required=5 tests=[AWL=-2.444, BAYES_00=-2.599, FB_WORD1_END_DOLLAR=3.294, FB_WORD2_END_DOLLAR=3.294, J_CHICKENPOX_33=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2G97GSoJ1LsU for <tls@ietfa.amsl.com>; Mon, 9 Sep 2013 12:06:43 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id C550821E80AB for <tls@ietf.org>; Mon, 9 Sep 2013 12:06:39 -0700 (PDT)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r89J6F3s022778; Mon, 9 Sep 2013 22:06:15 +0300
X-CheckPoint: {522E1C27-0-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.173]) by IL-EX10.ad.checkpoint.com ([169.254.2.246]) with mapi id 14.02.0347.000; Mon, 9 Sep 2013 22:06:15 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: =?iso-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
Thread-Topic: [TLS] New Version Notification for draft-sheffer-tls-bcp-00.txt
Thread-Index: AQHOrY+nTAtWeByYw0au+1HiAvNaZQ==
Date: Mon, 9 Sep 2013 19:06:14 +0000
Message-ID: <DA6B4D59-2FF2-489F-8E54-FF685EE372AB@checkpoint.com>
References: <9A043F3CF02CD34C8E74AC1594475C7344731843@uxcn10-6.UoA.auckland.ac.nz> <522DF7BF.7080608@stroeder.com>
In-Reply-To: <522DF7BF.7080608@stroeder.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.77]
x-kse-antivirus-interceptor-info: protection disabled
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <D6DA583561E4B647B6FE79ACB00AB256@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New Version Notification for draft-sheffer-tls-bcp-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2013 19:06:49 -0000

On Sep 9, 2013, at 7:30 PM, Michael Ströder <michael@stroeder.com> wrote:

> Peter Gutmann wrote:
>> Why at least 2048 bits?  What's wrong with 1280, or 1536, which will be quite
>> a lot faster.
> 
> I vaguely remember that you brought up your doubts about bigger key-lengths
> already somewhere else quite a while ago.
> 
> Do you have numbers about the relative and absolute performance impact?
> Personally I don't see performance problems but I can't prove my position with
> numbers.

OpenSSL (probably either the most common or second most common library for such things) does not have a speed test for D-H, but the DSA numbers should pretty much match, no?

MBA-2:tmp synp$ openssl speed dsa1024 dsa2048
Doing 1024 bit sign dsa's for 10s: 21689 1024 bit DSA signs in 9.65s
Doing 1024 bit verify dsa's for 10s: 18913 1024 bit DSA verify in 9.74s
Doing 2048 bit sign dsa's for 10s: 6803 2048 bit DSA signs in 9.63s
Doing 2048 bit verify dsa's for 10s: 5668 2048 bit DSA verify in 9.82s
OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Feb 26 05:00:07 PST 2013
options:bn(64,64) rc4(ptr,char) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: /usr/bin/clang -fPIC -fno-common -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
                  sign    verify    sign/s verify/s
dsa 1024 bits 0.000445s 0.000515s   2247.6   1941.8
dsa 2048 bits 0.001416s 0.001733s    706.4    577.2

So it makes sense that with 1280 or 1536 the result would be somewhere in the middle.

Yoav