[tahoe-dev] why hyperelliptic curves?
Adam Langley
agl at imperialviolet.org
Fri Sep 11 10:37:44 PDT 2009
Zooko writes:
> Crowley's argument in favor of a security proof appeals to me. AGL's
> implementation thereof, rwb0fuz, has excellent verification speed [6]
> -- almost 1/100 the cost of ecdsa-192 or hector! However, it costs
> 2.5 times as much as ecdsa-192 or 11 times as much as hector to sign,
> and it costs 100 times as much as ecdsa-192 or 500 times as much as
> hector generate a new keypair (using the benchmarks on the Intel Atom
> chip in 64-bit mode).
Yes, rwb0fuz was designed for DNSSEC, where signing happens offline
and verifications out number signings by millions to one. Generating a
key pair is the same process as generating an RSA key pair (i.e. not
cheap!). They could be precomputed, however. Since I didn't care about
signing speed when I was writing it, I'm sure some gains could be made
there. However, the gains, I expect, would be on the order of 10-20%.
As a lower bound, it's not going to be faster than RSA signing. Given
the ECRYPT benchmarks[1], that suggests, at most, a 30% speedup.
[1] http://bench.cr.yp.to/results-sign.html
AGL
--
Adam Langley agl at imperialviolet.org http://www.imperialviolet.org
More information about the tahoe-dev
mailing list