Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

There's no good reason at all, which is why RSA-3072 is the rarely seen "oddball".


> There's no good reason at all

Operations per second?

* https://wiki.strongswan.org/projects/strongswan/wiki/PublicK...

Running MacPorts-installed `openssl speed rsa` on an Apple M4 (non-Pro):

    version: 3.4.0
    built on: Tue Dec  3 14:33:57 2024 UTC
    options: bn(64,64)
    compiler: /usr/bin/clang -fPIC -arch arm64 -pipe -Os -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX15.sdk -arch arm64 -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX15.sdk -DL_ENDIAN -DOPENSSL_PIC -D_REENTRANT -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -I/opt/local/include -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX15.sdk
    CPUINFO: OPENSSL_armcap=0x87d
                       sign    verify    encrypt   decrypt   sign/s verify/s  encr./s  decr./s
    rsa   512 bits 0.000012s 0.000001s 0.000001s 0.000016s  80317.8 973378.4 842915.2  64470.9
    rsa  1024 bits 0.000056s 0.000003s 0.000003s 0.000060s  17752.4 381404.1 352224.8  16594.4
    rsa  2048 bits 0.000334s 0.000008s 0.000009s 0.000343s   2994.9 117811.8 113258.1   2915.6
    rsa  3072 bits 0.000982s 0.000018s 0.000019s 0.000989s   1018.4  54451.6  53334.8   1011.3
    rsa  4096 bits 0.002122s 0.000031s 0.000032s 0.002129s    471.3  31800.6  31598.7    469.8
    rsa  7680 bits 0.016932s 0.000104s 0.000107s 0.017048s     59.1   9585.7   9368.4     58.7
    rsa 15360 bits 0.089821s 0.000424s 0.000425s 0.090631s     11.1   2357.4   2355.5     11.0
(Assuming you have to stick with RSA and not go over to EC.)


These are contrived benchmarks at the extreme end of things. In real world usage the difference is drowned-out by the delays of so many other things happening in order to complete a handshake and key exchange. The mildly higher performance of RSA 3072 versus RSA 4096 wasn't even a big bonus during the CPU performances we had 15 years ago.


It's roughly half as fast as 4096, which sounds bad until you realize that 3072 is already 20% as fast as 2048, 3% as fast as 1024, and 1% as fast as 512. In terms of performance tradeoff it's downright mild compared to the other steps up.


If I could waive a magic wand and get a 40-100% performance boost on a service by changing 3-4 characters (s/4096/3072/) why wouldn't I take it? (Assuming I need security go to beyond RSA 2028.)


Its not a 40-100% performance boost overall, its just during one specific step that is a very small part of the entire overall system.


Well, in typical use cases RSA usage is very limited (eg some operations during TLS handshake), so the 40-100% boost wouldn’t be across the board, but likely shave some milliseconds per connection.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: