One correction: 1024-bit RSA/DSA is not the same security level as 256-bit curve ECDSA or Ed25519. To compare apples to apples you would need 3072-bit RSA/DSA sigs, which ends up being far worse in terms of sig size and performance.

Agreed that symmetric group key auth has plenty of limitations.

Panos

-----Original Message-----
From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Michael StJohns
Sent: Tuesday, February 07, 2017 9:55 PM
To: ace@ietf.org
Subject: [Ace] Asymmetric signature performance

Hi -

This is sort of non-obvious, but one or two articles I read suggest that RSA 1024 performance may be better than the ECDSA equivalent. The tradeoff here is obviously the size of the signature and the transmission thereof, but...

While 1024 bits isn't an ideal security strength for RSA, using any asymmetric key system for source authentication in group systems is going to be much better than trying to pretend that symmetric group key systems have any authentication properties at all.

I saw a PPT presentation by Hannes that didn't include any RSA performance numbers for the ARM processors even though the key sizes were compared. My guess is that someone has numbers for 1024 RSA signatures on the tiny ARM processors that might be useful to throw into the mix.

https://www.cryptopp.com/benchmarks.html has comparison values for a specific library.

What I'm suggesting is that we figure out how to meet the "can't cost anything" requirement with weaker asymmetric keys rather than accepting a low end fantasy of symmetric key multicast authentication.

Mike

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace