1 / 19

Practical RSA vs. ECC Speed Comparisons

Practical RSA vs. ECC Speed Comparisons. Dr. Douglas A. Kuhlman Motorola Labs. Public Key Primitives. Key exchange: Share a “short” (128-256 bit) key between two parties (server and client) This key is used to encrypt all information passed during the session

shelley
Download Presentation

Practical RSA vs. ECC Speed Comparisons

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Practical RSA vs. ECCSpeed Comparisons Dr. Douglas A. Kuhlman Motorola Labs

  2. Public Key Primitives • Key exchange: Share a “short” (128-256 bit) key between two parties (server and client) • This key is used to encrypt all information passed during the session • Sign: The process of binding some piece of information to a specific entity • Verify: The process of validating a signature • Certificate: A signed binding of public information to a certain entity (an individual, company, or device)

  3. RSA Overview • Based on the difficulty of factoring n = pq, where p and q are very large primes • Public parameters: (n, e) • Private key: d (value s.t. ed = 1 (mod φ(n)) • Main strength parameter is |n|, the number of bits in n • |n| = 1024 fairly common

  4. ECC Overview • Based on more complicated mathematics • Public parameters: (E, P, Q) • Private key: a (value s.t aP = Q) • Main strength parameter is |E|, the number of bits in the order of E • |E| = 160/163 or 192 common

  5. Wireless Transport Layer Security (WTLS) Application (WAE) • Class 1 WTLS Implementation • No certificates exchanged in secure negotiation • Client and server set up secure tunnel anonymously • Secure session created, but who is talking to whom? • Class 2 WTLS Implementation • Server certificate sent to client during handshake • Client authenticates server • User (client) obtains server’s identity before wireless transaction (e.g. shopping with credit card) • Class 3 WTLS Implementation • Server & client certificates exchanged • Client authenticates server • Server authenticates client • High security transactions (e.g. wireless banking) • need client & server authentication Session (WSP) Transaction (WTP) Security (WTLS) Transport (WDP) WAP Stack

  6. WTLS Security Class 1 • Key exchange only • No infrastructure (PKI) needed • No way to authenticate server or client • Encrypts credit card number, but to whom are you are giving it? • Applications • When other methods of authentication are available • Telephone calls, visible results • When no infrastructure is available • Better than nothing • False sense of security?

  7. WTLS Security Class 2 • Key exchange, server signs, client verifies • Equivalent to HTML browser, authenticates server • Requires some PKI • Client must have a trusted root key • Server certificate must be signed by trusted authority • Possibly in a certificate tree • Server is responsible for keeping private key secret • Best for transactions where client identity can be verified through different means • Ship to credit card address • Client provides password/pin to server

  8. WTLS Security Class 3 • Key exchange, server and client sign and verify • Requires full PKI • Every server and client must have a certificate signed by a trusted authority • Server and client need to keep a key secret • Adds a higher level of trust for service providers by authenticating client • Stock purchases, banking • Electronic signature • Business approval signatures, access to medical data

  9. Public Key Options in WTLS Standard • RSA • Current wireline standard • Large key size (1024 bits) • Use of small exponent (65537 = 216 + 1) makes this fastest for WTLS class 2 • Elliptic curve • Small key size (163 bits) • Fastest for WTLS class 3 (signing) • Conceptually most difficult

  10. Elliptic Curves - WTLS Standard

  11. Execution time on a Cellular Phone • Processing power available for cryptographic functions: • Varies depending on system and manufacturer • 50% to 90% taken for call processing • Varies depending on signal conditions • More call processing needed under low signal conditions Total execution time for class 3 security functions can range from < 1sec for fast Elliptic Curve to > 10sec for RSA/DH implementations under weak signal conditions. Hardware support can increase speed up to 10 times

  12. RSA Implementation Techniques Used • Montgomery multiplication • Windowing for large exponent calculations • Chinese Remainder Theorem (CRT) for private key calculations • Small (216 + 1) public key • No hand-coded assembly language

  13. ECC Implementation Techniques Used • Projective points • Polynomial basis • Windowing/combing as appropriate • Some NAF forms, some not • No hand-coded assembly language used See http://cacr.math.uwaterloo.ca/~ajmeneze/publications/ecc2.ps for more details

  14. WAP WTLS Class 2 and Class 3Client Execution Time Comparison 10 9 8 7 Relative Times 6 Verify 5 Sign + Verify 4 3 2 1 0 Curve 3 Curve 5 RSA Comparison is from Motorola Labs using the best implementation available from several toolkits. RSA is 1024 bits with the client using a small exponent to encrypt the random secret.

  15. WAP WTLS Class 3Memory Size Comparison 60 50 40 Kbytes ROM 30 RAM 20 10 0 Curve 3 Curve 5 RSA Comparison is from Motorola Labs using the best implementation available from several toolkits.

  16. Other Algorithms • NTRU, Arithmetica, XTR, HECC, braid groups, etc. • Trying to get a foothold in standards/business • Only NTRU seems to be having any success • Questions of security • Hard to find/make good benchmarks • Biased sources • Algorithms change • Good optimization is a lengthy process

  17. Future Considerations • RSA has more momentum • Patent issues could loom large • Moore’s law and advances in algorithms suggest current key sizes will be inadequate in the future • Doubling an RSA or an ECC key size multiplies the processing time by ~8 • However, doubling an ECC key size adds more security than doubling an RSA key size • |E| = 320 probably more secure than |n| = 2048 • This implies ECC might have a future advantage

  18. Future Considerations (Cont) • Advances in factoring vs. advances in ECDLP • Both problems are pretty old mathematically • Businesses (with their $$$) have considered factoring longer • Community working on factoring appears to be larger • Took years of study before “good” factoring algorithms (EC, QS, NFS, GNFS) were found • Few real advances to date against ECC • Problems are related • Quantum algorithms exist for both • Very hard to predict

  19. Other Issues • Scaling of servers in class 2 is easier with ECC • Other speed/code size trade-offs are possible • Key generation easier for ECC (using standardized curves) • Signature sizes are smaller for ECC than with RSA

More Related