On Thu, 15 Oct 2009, Jack Lloyd wrote:
> Even plain DSA would be much more space efficient on the signature
> side - a DSA key with p=2048 bits, q=256 bits is much stronger than a
> 1024 bit RSA key, and the signatures would be half the size. And NIST
> allows (2048,224) DSA parameters as well, if saving an extra 8 bytes
> is really that important.
>
> Given that they are attempting to optimize for minimal packet size, the
> choice of RSA for signatures actually seems quite bizarre.

Maybe they try to optimize for verification time.

$ openssl speed
[...]
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000823s 0.000069s   1215.2  14493.7
rsa 1024 bits 0.004074s 0.000200s    245.4   5008.0
rsa 2048 bits 0.024338s 0.000663s     41.1   1507.5
rsa 4096 bits 0.159841s 0.002361s      6.3    423.6
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000651s 0.000765s   1535.2   1306.6
dsa 1024 bits 0.001922s 0.002322s    520.3    430.7
dsa 2048 bits 0.006447s 0.007551s    155.1    132.4


-- 
Regards,
ASK

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
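
Added example, not part of the original message: a short Python script that parses the `openssl speed` rows quoted above and puts the two sides of the exchange next to each other, raw signature size against verification time. The function names are made up for this illustration; the size figures use the (p, q) values from the quoted text, and the timing rows do not state which q size was benchmarked.

```python
import re

# Rows copied from the `openssl speed` output in the message above.
SPEED_OUTPUT = """\
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000823s 0.000069s   1215.2  14493.7
rsa 1024 bits 0.004074s 0.000200s    245.4   5008.0
rsa 2048 bits 0.024338s 0.000663s     41.1   1507.5
rsa 4096 bits 0.159841s 0.002361s      6.3    423.6
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000651s 0.000765s   1535.2   1306.6
dsa 1024 bits 0.001922s 0.002322s    520.3    430.7
dsa 2048 bits 0.006447s 0.007551s    155.1    132.4
"""

ROW = re.compile(r"^(rsa|dsa)\s+(\d+) bits\s+([\d.]+)s\s+([\d.]+)s\s+[\d.]+\s+[\d.]+$")

def parse_speed(text):
    """Return {(alg, bits): (sign_seconds, verify_seconds)}; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table[(m.group(1), int(m.group(2)))] = (float(m.group(3)), float(m.group(4)))
    return table

def signature_bytes(alg, p_bits, q_bits=None):
    """Raw size: RSA is one modulus-sized integer, DSA is the pair (r, s) of q_bits each."""
    if alg == "rsa":
        return p_bits // 8
    return 2 * q_bits // 8

def verify_slowdown(table, rsa_bits, dsa_bits):
    """How many times longer one DSA verification takes than one RSA verification."""
    return table[("dsa", dsa_bits)][1] / table[("rsa", rsa_bits)][1]

if __name__ == "__main__":
    t = parse_speed(SPEED_OUTPUT)
    print("RSA-1024 signature:      ", signature_bytes("rsa", 1024), "bytes")
    print("DSA (2048,256) signature:", signature_bytes("dsa", 2048, 256), "bytes")
    print("DSA (2048,224) signature:", signature_bytes("dsa", 2048, 224), "bytes")
    print("DSA-2048 vs RSA-1024 verify: %.1fx slower" % verify_slowdown(t, 1024, 2048))
    print("DSA-1024 vs RSA-1024 verify: %.1fx slower" % verify_slowdown(t, 1024, 1024))
```

The sizes are for raw integers; an ASN.1/DER-encoded DSA signature carries a few bytes of framing on top.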
