On Thu, Jan 24, 2013 at 8:38 AM, Niels Möller nisse@lysator.liu.se wrote:
Not for TLS. In TLS ECDHE is the primary application of elliptic curves. [...] Typically one uses ECDHE with RSA keys in TLS.
I see. What's the motivation, saving cycles in the key exchange, or smaller messages, or higher security, or something else?
If perfect forward secrecy is required then DHE is pretty inefficient on security levels of 96 bits or more. ECDHE provides a fast equivalent.
On matrix (Intel i5, 3.4 GHz):

  name    size    sign / ms    verify / ms
  rsa     1024       6.3145       104.0742
  rsa     2048       0.9555        29.4275
  dsa     1024      11.1746         5.7460
  ecdsa    192       2.1167         1.5355
  ecdsa    224       1.2371         1.0234
  ecdsa    256       1.3845         1.0182
  ecdsa    384       0.6415         0.4751
  ecdsa    521       0.2515         0.2037
I usually use the ECRYPT II table to compare equivalent security levels: http://www.keylength.com/en/3/ Otherwise the comparison may be unfair to ECDSA. RSA-1024 is still used a lot today, but it is roughly equivalent to an ECDSA key of 144 bits.
For signing, plain DSA is currently fastest (I'd like to also include "DSA2", with 2048 bit p and 256 bit q, but my closest key generation programs didn't support that).
certtool does that.
I could set up a public repository for my work-in-progress code, if there's some interest.
Why not on the main repository as a branch?
regards, Nikos
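The point made above, that the sign/verify figures should be compared at matched security levels rather than by raw key size, as an added example (not code from this thread, from GnuTLS or from Nettle). It annotates the benchmark rows quoted in the thread with a heuristic strength estimate and derives the RSA modulus that matches each ECDSA curve. Assumptions: RSA and DSA field strength follow the GNFS cost heuristic L_N[1/3, (64/9)^(1/3)], calibrated so that RSA-1024 equals 80 bits (the NIST SP 800-57 convention; ECRYPT II / keylength.com use a different calibration and tabulate somewhat different sizes); ECC strength is half the curve size; the DSA row is taken to have a 160-bit q with its 1024-bit p.

```python
"""Rank the thread's sign/verify benchmark rows by heuristic security level.

Added example, not code from the thread, GnuTLS or Nettle.  The GNFS cost
heuristic, its calibration point (RSA-1024 ~ 80 bits, NIST SP 800-57
convention) and the 160-bit q assumed for DSA-1024 are assumptions;
ECRYPT II / keylength.com tabulate slightly different equivalences.
"""
import math

LN2 = math.log(2)


def gnfs_log2_work(modulus_bits):
    """log2 of the heuristic GNFS running time L_N[1/3, (64/9)^(1/3)] for an
    integer N of the given bit length (constant factors dropped)."""
    ln_n = modulus_bits * LN2
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / LN2


def rsa_security_bits(modulus_bits, calibration=(1024, 80)):
    """Symmetric-equivalent strength of an RSA modulus: the GNFS heuristic
    shifted so that the (assumed) calibration point holds exactly."""
    cal_bits, cal_sec = calibration
    return cal_sec + gnfs_log2_work(modulus_bits) - gnfs_log2_work(cal_bits)


def ecc_security_bits(curve_bits):
    """Generic-group (Pollard rho) bound: half the group order size."""
    return curve_bits / 2


def dsa_security_bits(p_bits, q_bits):
    """DSA is bounded by the weaker of the field DL (same L[1/3] heuristic
    as factoring) and the q-order subgroup (rho)."""
    return min(rsa_security_bits(p_bits), q_bits / 2)


def rsa_bits_for_security(target_bits, lo=512, hi=65536):
    """Smallest RSA modulus size (rounded up to a multiple of 8) whose
    heuristic strength reaches target_bits.  Bisection is valid because
    rsa_security_bits is increasing in the modulus size."""
    if rsa_security_bits(lo) >= target_bits:
        return lo
    if rsa_security_bits(hi) < target_bits:
        raise ValueError("target above search range")
    while hi - lo > 8:
        mid = (lo + hi) // 2
        if rsa_security_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid
    return -(-hi // 8) * 8


# Rows copied from the benchmark quoted in the thread ("matrix", Intel i5,
# 3.4 GHz): (algorithm, key size, signatures per ms, verifications per ms).
BENCHMARK = [
    ("rsa", 1024, 6.3145, 104.0742),
    ("rsa", 2048, 0.9555, 29.4275),
    ("dsa", 1024, 11.1746, 5.7460),
    ("ecdsa", 192, 2.1167, 1.5355),
    ("ecdsa", 224, 1.2371, 1.0234),
    ("ecdsa", 256, 1.3845, 1.0182),
    ("ecdsa", 384, 0.6415, 0.4751),
    ("ecdsa", 521, 0.2515, 0.2037),
]


def security_of(algorithm, size):
    """Heuristic strength in bits for one benchmark row."""
    if algorithm == "rsa":
        return rsa_security_bits(size)
    if algorithm == "dsa":
        return dsa_security_bits(size, 160)  # assumption: q is 160 bits
    if algorithm == "ecdsa":
        return ecc_security_bits(size)
    raise ValueError(algorithm)


def ranked_by_security(rows=BENCHMARK):
    """Annotate each row with its strength and sort by it, so that rows
    adjacent in the result are the fair ones to compare."""
    out = [(alg, size, round(security_of(alg, size)), sign, verify)
           for alg, size, sign, verify in rows]
    return sorted(out, key=lambda r: r[2])


def equivalent_rsa_size(curve_bits):
    """RSA modulus size needed to match an ECDSA curve of curve_bits."""
    return rsa_bits_for_security(ecc_security_bits(curve_bits))


if __name__ == "__main__":
    print(f"{'name':6} {'size':>5} {'bits':>5} {'sign/ms':>9} {'verify/ms':>10}")
    for alg, size, bits, sign, verify in ranked_by_security():
        print(f"{alg:6} {size:5d} {bits:5d} {sign:9.4f} {verify:10.4f}")
    for curve in (192, 224, 256, 384, 521):
        print(f"ecdsa-{curve} ~ rsa-{equivalent_rsa_size(curve)}")
```

Run stand-alone it prints the table sorted by strength, which puts rsa-2048 next to ecdsa-224 rather than next to rsa-1024, and shows that the ECDSA-256 column would have to be set against an RSA modulus of roughly 3000 bits, a size the quoted benchmark does not measure at all.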