On Thu, 15 Oct 2009, Jack Lloyd wrote: > Even plain DSA would be much more space efficient on the signature > side - a DSA key with p=2048 bits, q=256 bits is much stronger than a > 1024 bit RSA key, and the signatures would be half the size. And NIST > allows (2048,224) DSA parameters as well, if saving an extra 8 bytes > is really that important. > > Given that they are attempted to optimize for minimal packet size, the > choice of RSA for signatures actually seems quite bizarre.

Maybe they try to optimize for verification time. $ openssl speed [...] sign verify sign/s verify/s rsa 512 bits 0.000823s 0.000069s 1215.2 14493.7 rsa 1024 bits 0.004074s 0.000200s 245.4 5008.0 rsa 2048 bits 0.024338s 0.000663s 41.1 1507.5 rsa 4096 bits 0.159841s 0.002361s 6.3 423.6 sign verify sign/s verify/s dsa 512 bits 0.000651s 0.000765s 1535.2 1306.6 dsa 1024 bits 0.001922s 0.002322s 520.3 430.7 dsa 2048 bits 0.006447s 0.007551s 155.1 132.4 -- Regards, ASK --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com