Werner Koch wrote:
DSA 100 times sign verify
-----------------------------
DSA 1024/160 910ms 430ms
DSA 2048/224 1560ms 1890ms
DSA 3072/256 3610ms 4380ms
(The numbers for sign are not very reliable because it employs the
RNG and I could not adjust for it)
3072 takes more more than double the time of 2048 which is not too
bad. Compared to 1024 this is a real slowdown and would make key
signature verification a very time consuming operation. On slow
machines (embedded devices, older hardware) this would be very
annoying.
Ah, ok, so this last point about slow / small hardware
platforms makes sense. So we might be tempted to suggest
that implementations SHOULD verify any of the three lengths,
and let them choose which length to deliver for signing
beyond the MUST of 1024/160.
(Which is after all a minor side discussion in Hal's
thread of whether to wait or not.)
iang