Hi Jay, Your question here well and truly distracted me for a while - have played with both RSA and hardware design in FPGAs before but hadn't thought of combining. After looking in to it, the reality is that RSA signing is insanely expensive - IMHO already about as cheap as it's going to get any time soon. A single 1024 bit signature requires an average of 1536 1024x1024-bit multiplications, up to 2048 if using path-independent code to prevent timing attacks. A 1024x1024 multiplication can be built up by accumulating the result of 1024 32x32 bit multiplications. That load can be divided between a number of multiplication units, but we're still talking 1,572,864 32-bit multiplications per signature. That's even before you add the modulo operation at the end of each of the 1024 bit multiplications. Tried to work out how much I could get out of an FPGA here. The one I have could probably handle about 150 signatures/second with its multipliers assuming optimal conditions. Top of the line FPGAs could do 5000 or so in a $1.5k acceleration card. HSMs are expensive for a reason. $5k a unit entirely reasonable for that sort of specialised hardware. If much more than that, you should start asking questions. Cheers, Tim On Tuesday 05 April 2011 09:50:00 Jay Daley wrote:
Hi
Is there anyone out there, academics perhaps, developing new crypto accelerator/HSM hardware with a focus on high performance (e.g. 10k+ RSA sigs per second)? The current market is pretty poor with largely over-priced and under-performing kit and I'm hoping that someone is plotting to revolutionise it with something new and looking for a partner.
cheers Jay