On Wed, Jan 4, 2023 at 11:34 PM Gareth Evans <donots...@fastmail.fm> wrote: > > > On 3 Jan 2023, at 22:07, Tom Browder <tom.brow...@gmail.com> wrote: > > I ... would like to access my home server from my laptop ... > > > > On 5 Jan 2023, at 04:13, Jeffrey Walton <noloa...@gmail.com> wrote: > > ... > > Avoiding the key exchange is a big win > > since those public key operations are so costly. > > Costly in what sense and circumstances?
Public key operations for key exchange dominate the cpu cost of a session. Key exchange is the limiting factor in how many connections a server can handle. It has always been this way, even for SSL/TLS and IPSec. In contrast, bulk encryption is cheap. Bulk encryption is the block or stream cipher, and the mac calculations. One of the reasons x25519 is so valuable is how efficient it is. Here are some benchmarks from Crypto++ on a Core i5 10th gen Ice Lake machine: Scheme | ms/op | megacycle/op ======================================== DH-2048 | 0.565 | 1.977 ECDH p256 | 0.456 | 1.595 x25519 | 0.039 | 0.138 In the numbers above, lower is better. x25519 is about 15x faster than DH over integers, and about 11x faster than DH over EC. Key exchange is measured in megacycles per operation. That is, how many million-cycles is needed for an operation. Here, the operation is exponentiation in a finite field. In contrast, bulk encryption is measured in cycles per byte. Jeff
