Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
> Not for TLS. In TLS ECDHE is the primary application of elliptic curves. [...] Typically one uses ECDHE with RSA keys in TLS.
I see. What's the motivation, saving cycles in the key exchange, or smaller messages, or higher security, or something else?
> Nevertheless, the method that you use for the timing sensitive parts of the code doesn't need to match the optimized version.
If the performance penalty for the timing-resistant functions is more than, say, 10%, it would make some sense to include a separate set of functions optimized for speed. But I think I want to do the timing-resistant things first.
Here are some benchmarks for my first working version (the unit is operations per millisecond):
On matrix (Intel i5, 3.4 GHz):
name    size   sign / ms   verify / ms
rsa     1024     6.3145     104.0742
rsa     2048     0.9555      29.4275
dsa     1024    11.1746       5.7460
ecdsa    192     2.1167       1.5355
ecdsa    224     1.2371       1.0234
ecdsa    256     1.3845       1.0182
ecdsa    384     0.6415       0.4751
ecdsa    521     0.2515       0.2037
On pandix (ARM Cortex A9, 1 GHz):
name    size   sign / ms   verify / ms
rsa     1024     0.2626       4.5527
rsa     2048     0.0392       1.2490
dsa     1024     0.4694       0.2377
ecdsa    192     0.1906       0.1445
ecdsa    224     0.1418       0.1058
ecdsa    256     0.1050       0.0796
ecdsa    384     0.0431       0.0327
ecdsa    521     0.0173       0.0135
For the verify operation, RSA is by far fastest. I benchmark RSA using a small public exponent, 65537, which I think is typical.
For signing, plain DSA is currently fastest (I'd like to also include "DSA2", with 2048 bit p and 256 bit q, but my closest key generation programs didn't support that).
Still, signing with 256-bit ecdsa is a bit faster than 2048 bit RSA.
When optimizing, I think one can aim for a factor 10 speedup for signing and maybe a factor 2 for verification (the higher potential for signing is that it uses point multiplication only with the fixed generator, which can be sped up a lot using some precomputed tables). Current code uses the binary algorithm I posted the other day, and no serious curve-specific optimizations.
I could set up a public repository for my work-in-progress code, if there's some interest.
Regards, /Niels
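The point made above about signing (fixed-generator multiplication can be sped up with precomputed tables, while the binary algorithm does one doubling per bit) can be seen directly by counting group operations. The following is an added example written for this thread, not Nettle code and not Niels's implementation: affine point arithmetic on secp256k1 (standard domain parameters), with three scalar-multiplication routines run on the same scalar: the plain left-to-right binary double-and-add, a Montgomery ladder (the uniform one-add-one-double-per-bit schedule that timing-resistant code starts from; this Python itself is not constant-time), and a fixed-base table method that precomputes `d * 2**(w*i) * G` once and then needs only one addition per w-bit digit and no doublings. The test scalar is constructed for the demonstration and is not a real key.

```python
"""Fixed-base vs. general scalar multiplication on secp256k1 (affine, toy).

Added example for this mailing-list thread; not Nettle code.  Counts point
additions and doublings so the speedup from a precomputed table for the
fixed generator (the signing case) is visible.  None is the point at infinity.
"""

# secp256k1 domain parameters (standard values).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BITS = N.bit_length()  # 256


class OpCounter:
    """Counts point additions and doublings performed through it."""
    def __init__(self):
        self.adds = 0
        self.doubles = 0

    def total(self):
        return self.adds + self.doubles


def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2, ctr):
    """General affine addition: handles infinity, doubling and P + (-P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p2 == -p1
            return None
        ctr.doubles += 1            # p1 == p2: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        ctr.adds += 1               # distinct points: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul_binary(k, pt, ctr):
    """Left-to-right double-and-add: one doubling per bit, one add per set bit."""
    r = None
    for i in range(k.bit_length() - 1, -1, -1):
        r = point_add(r, r, ctr)
        if (k >> i) & 1:
            r = point_add(r, pt, ctr)
    return r


def mul_ladder(k, pt, ctr, bits=BITS):
    """Montgomery ladder: one add and one doubling per scalar bit whatever the
    bit value.  This Python is not constant-time; it only shows the uniform
    operation schedule that a timing-resistant implementation builds on."""
    r0, r1 = None, pt               # invariant: r1 == r0 + pt
    for i in range(bits - 1, -1, -1):
        if (k >> i) & 1:
            r0 = point_add(r0, r1, ctr)
            r1 = point_add(r1, r1, ctr)
        else:
            r1 = point_add(r0, r1, ctr)
            r0 = point_add(r0, r0, ctr)
    return r0


def precompute_table(pt, w, ctr, bits=BITS):
    """table[i][d] = d * 2**(w*i) * pt for every w-bit digit d.  Built once per
    fixed base (the generator), so its cost is not paid per signature."""
    table = []
    base = pt
    for _ in range((bits + w - 1) // w):
        row = [None]
        for _ in range(2 ** w - 1):
            row.append(point_add(row[-1], base, ctr))
        table.append(row)
        for _ in range(w):
            base = point_add(base, base, ctr)
    return table


def mul_table(k, table, w, ctr):
    """Fixed-base multiplication: no doublings, one addition per w-bit digit."""
    r = None
    mask = (1 << w) - 1
    for i, row in enumerate(table):
        r = point_add(r, row[(k >> (w * i)) & mask], ctr)
    return r


def compare(k, w=8):
    """Run all three methods on the same scalar; return results and op counts."""
    c_bin, c_lad, c_pre, c_tab = OpCounter(), OpCounter(), OpCounter(), OpCounter()
    table = precompute_table(G, w, c_pre)
    results = {
        "binary": mul_binary(k, G, c_bin),
        "ladder": mul_ladder(k, G, c_lad),
        "table": mul_table(k, table, w, c_tab),
    }
    counts = {"binary": c_bin.total(), "ladder": c_lad.total(),
              "table": c_tab.total(), "table_precompute": c_pre.total()}
    return results, counts


if __name__ == "__main__":
    # Constructed test scalar for the demonstration, not a real private key.
    k = int.from_bytes(b"constructed nonce for the benchmark demo", "big") % N
    results, counts = compare(k)
    assert len(set(results.values())) == 1
    for method, n_ops in counts.items():
        print(f"{method:17s} {n_ops:6d} group operations")
```

With w = 8 the table method does about 31 additions per multiplication against roughly 380 operations for double-and-add and about 510 for the ladder, which is where the "factor 10 for signing" estimate comes from; verification gains less because one of its two multiplications uses the signer's public key, which is not a fixed base and so gets no table.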