by agl 2994 days ago
It's possible that new primitives based on the same SI problem might have significant performance differences, but we're basing this on the NIST round one submissions. In that setting, there's been a decent amount of optimisation done already and the performance gap is two orders of magnitude. Since elliptic-curve implementation is pretty well studied, improvements might close that gap a little, but it's unlikely to make vast differences.

So it's a balance between adding an extra ~1.5 kB to the transaction, versus that CPU difference. In different contexts those two costs will have different weights, of course, but my feeling is that in TLS, we probably want to pay for the extra bytes.