[stipes]

Down-thread [1], someone claims to have found SRP to be about 172 times slower than SHA1 on CPU due to the modular exponentiation and other overhead.

Some numbers run by zaroth (down-thread) [2] show that we could see 100k 1024-bit modular exponentiations per second on a new Intel Core i7 with the cryptography extensions. A 2011 implementation paper [3] had about 20k 1024-bit RSA decryptions per second on a GTX260 using Montgomery exponentiation, so it doesn't seem like using the GPU has that much benefit for performing modular exponentiation. I haven't had time to figure out an estimated price/attempt for SRP, so it's hard to compare to the existing SHA1 figures [4].

Still, if we take the 100k/second figure for modular exponentiation (extrapolated from the number of cycles per 1024-bit modexp on a Core i7), versus the 5B/s for SHA1 on a single GPU, being 50000 times slower than the best SHA1 speeds seems pretty good to me.

1. http://news.ycombinator.com/item?id=4365079

2. http://www.opine.me/blizzards-battle-net-hack/

3. http://trone.di.fc.ul.pt/images/e/e2/ASAP11-paper.pdf

4. http://golubev.com/gpuest.htm