Zooko writes:
> Crowley's argument in favor of a security proof appeals to me. AGL's
> implementation thereof, rwb0fuz, has excellent verification speed [6]
> -- almost 1/100 the cost of ecdsa-192 or hector! However, it costs
> 2.5 times as much as ecdsa-192 or 11 times as much as hector to sign,
> and it costs 100 times as much as ecdsa-192 or 500 times as much as
> hector to generate a new keypair (using the benchmarks on the Intel Atom
> chip in 64-bit mode).

Yes, rwb0fuz was designed for DNSSEC, where signing happens offline and verifications outnumber signings by millions to one.

Generating a key pair is the same process as generating an RSA key pair (i.e. not cheap!). They could be precomputed, however.

Since I didn't care about signing speed when I was writing it, I'm sure some gains could be made there. However, the gains, I expect, would be on the order of 10-20%. As a lower bound, it's not going to be faster than RSA signing. Given the ECRYPT benchmarks[1], that suggests, at most, a 30% speedup.

[1] http://bench.cr.yp.to/results-sign.html

AGL

--
Adam Langley [email protected] http://www.imperialviolet.org
_______________________________________________
tahoe-dev mailing list
[email protected]
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
