elliptic, P224 vs P256 vs P384

[pmo...@uber.com]

bearing in mind that i'm not a crypto guy, just someone who's interested in ecdsa keys for ssh auth (and yeah, I know that I can't use curve P224 for ssh), the performance difference between generating keys on the P256 and P224 curves is so large that I just want to verify that this is expected.

building/running https://github.com/pmoody-/sandbox/blob/master/ecdsa/ecdsa.go, when I test on my macbook (10.11, early 2015 macbook pro, core i7), I see:

pmoody@perdido 12:51 load:1.53 procs:324 (master ☡=) last:2  ~/g/s/g/p/s/ecdsa

$ ./ecdsa -curve 224 -timeout 2s

2016/03/21 12:51:57 completed 1601, 800.5/sec

pmoody@perdido 12:51 load:1.60 procs:326 (master ☡=) last:0  ~/g/s/g/p/s/ecdsa

$ ./ecdsa -curve 256 -timeout 2s

2016/03/21 12:52:02 completed 93921, 46960.5/sec

pmoody@perdido 12:52 load:1.63 procs:328 (master ☡=) last:0  ~/g/s/g/p/s/ecdsa

$ ./ecdsa -curve 384 -timeout 2s

2016/03/21 12:54:31 completed 341, 170.5/sec

nearly 47k keys per second? Can that be right?

so, sorry for the noobish question, but does the complexity of generating elliptic curve keys just not scale the way that rsa keys have lead me to believe they might? and that massive increase in keys/sec for keys on P256, is that just a matter of my cpu being very very efficient at the particulars of the operations required for P256 keys?

Cheers,

peter

[andrey mirtchovski]

P256 is the only one with an assembly implementation if you look in
the sources (go/src/crypto/elliptic). you can use the benchmarks in
the test file to measure on the spot:

$ go test -test.bench=B*
BenchmarkBaseMult224-4 2000 1135730 ns/op
BenchmarkBaseMultP256-4 100000 20964 ns/op
BenchmarkBaseMultP384-4 500 3667692 ns/op
BenchmarkScalarMultP224-4 1000 1230706 ns/op
BenchmarkScalarMultP256-4 20000 83872 ns/op
BenchmarkScalarMultP384-4 200 5970908 ns/op
PASS
ok crypto/elliptic 12.991s

[Peter Moody]

ah perfect, that makes sense.

thanks!