1

It might sound like a weird comparison, but which one is faster, If I were to generate a CSPRNG every time or to sign(private encrypt) a data?

Buzz LIghtyear
  • 133
  • 4

2 Answers2

2

It costs a median of about 300 cycles on a modern x86 system to compute the ChaCha pseudorandom function, generating 64 bytes of output from a 32-byte reusable key and a 16-byte input.

It costs a median of about 50000 cycles on a modern x86 system to compute a 64-byte Ed25519 signature.

These numbers are from https://bench.cr.yp.to/. The fastest signature schemes reported there still cost over 1000 cycles.

But what on earth are you doing where there is any question of whether you should use a PRNG or a public-key signature? This is like going to a bicycle shop and asking whether you should buy a wheel or a handlebar. You should identify what your application's goals, threat model, and security needs are first before you try picking the fastest handlebar for your bicycle.

If I screw up my eyes and stand on my head and take your inquiry to mean that you want some properties of a pseudorandom function and some properties of a signature, maybe you want a VRF—but causing onlookers to have to stand on their heads is no way to build a secure system!

P.S. Signature is a fundamentally different concept from ‘encrypting with the private key’.

Squeamish Ossifrage
  • 49,816
  • 3
  • 122
  • 230
1

Symmetric algorithms are generally faster than the asymmetric ones you seem to want to use for signing - as you talk about a private key and don't mention a MAC. RSA private key operations are exceptionally slow if you look at the generic set of crypto primitives found in most libraries; only RSA key pair generation is much slower. CSPRNG's are generally build from symmetric primitives (the dual-ECC one is not used that much anymore).

Of course we should only compare primitives with on the same kind of platform and at the same security level.

In the end you want to test; it's the only way to be sure.

In practice the CSPRNG could still be slower if:

  • the CSPRNG includes the seeding;
  • retrieving the seed blocks;
  • the signature generation doesn't depend on a random value (RSA PKCS#1 v1.5 signatures are deterministic) or doesn't block itself.

If you go for signature generation you may want to consider ECDSA rather than RSA; it's much faster at the same security level (and probably any level on most platforms).

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323