I'm signing very small messages using RSA, and the signature and public key are added to every message, which requires a lot of space compared to the actual content.
I'm considering switching to ECDSA, would this require less space with the same level of encryption? And is the verification performance in the same range as RSA?
I'm considering switching to ECDSA, would this require less space with the same level of encryption?
The answer to that question is yes, both ECDSA signatures and public keys are much smaller than RSA signatures and public keys of similar security levels. If you compare a 192-bit ECDSA curve compared to a 1k RSA key (which are roughly the same security level; the 192-bit ECDSA curve is probably a bit stronger); then the RSA signature and public key can be expressed in 128 bytes each (assuming that you'll willing to use a space-saving format for the public key, rather than using the standard PKCS format); the ECDSA signature would be 48 bytes, and the public key would be 25 bytes.
As you increase the required security level, the advantage tilts even more radically towards ECDSA; that's because you have to increase the RSA modulus size far faster than the ECDSA curve size to increase the security level.
And is the verification performance in the same range as RSA?
Well, no, ECDSA signature verification is slower than RSA (for reasonable security levels). That is the one place that RSA shines; you can verify RSA signatures rather faster than you can verify an ECDSA signature. According to this web page, on their test environment, 2k RSA signature verification took 0.16msec, while 256-bit ECDSA signature verification took 8.53msec (see the page for the details on the platform they were testing it). Now to be fair, this isn't quite an apples-to-apples comparison (256-bit ECDSA is probably a bit stronger than 2k RSA), but even if the difference isn't quite 50x, RSA is still faster.
I do have one question, though. You mention that you are including the RSA public key along with the signed message. Does that mean that the verifier uses that public key to verify the message? If so, how do you know that someone who wants to forge a message won't just provide his own public key along with the signature (signed using his private key)? That is, how does the receiver know that the public key he sees in the message is the one that was sent?
For a 128 bit security level, you need 256 bit ECC. Compressed public keys need about 32 bytes, and signatures use 64 bytes.
The verification time depends a lot on the choice of curve, representation and implementation. Ed25519 Is supposed to be one of the fastest versions, especially if you use batch verification. But I'm not sure if it's possible to create a windows build of the optimized version.
