- Public key encryption: 2048bit RSA can achieve up to about 200k encryptions per second on a high end cpu [1]. ElGamal-like encryption schemes using elliptic curve cryptography can get to about 100k encryptions [2].
- Public key signatures: RSA is hopelessly slow for good keys. There is no reason to use strong keys for this case, though. If you reuse primes you can use a 1000 primes to generate a million RSA modules (you need two primes per public key), effectively eliminating the costly prime search. Using elliptic key cryptography the key generation step is dirt cheap: With ed25519 you get 200k key generations per second [3]
I guess there's still the solution to only accept message from trusted keys but that means that 1- we have to be able to detect signature-rings from spammers in the graph (that clearly should not be a big problem), and 2- that there is an easy and realistic way to have a legitimate key in the trusted network before it can be used to sends emails…
Anyway, all that is very interesting from a theoretical point of view, but we are far from being in a world where end-to-end crypto is massively used.
The problem with Web-of-Trust is that once you try to roll it out mainstream, most people will just click "accept" or "I trust this key" without thinking about it. Instead of "signature-rings from spammers" you would have spammers duping less-aware real people into trusting their keys.
That said, it would seem to be a longer feedback loop to get a number of actual people to open emails and trust their keys.
> most people will just click "accept" or "I trust this key" without thinking about it
What if they don't have to do that because it's transparently done for them when they use the "flag as spam", "not spam", and "reply" buttons for instance?
You could set up your MUA today so that anyone you've already emailed with gets put in a priority folder. No need to mess with end to end encryption just for that functionality.
Theoretically, any spammer could research you enough to send to mail purporting to be from your friends, but realistically no one would bother.
- Public key encryption: 2048bit RSA can achieve up to about 200k encryptions per second on a high end cpu [1]. ElGamal-like encryption schemes using elliptic curve cryptography can get to about 100k encryptions [2].
- Public key signatures: RSA is hopelessly slow for good keys. There is no reason to use strong keys for this case, though. If you reuse primes you can use a 1000 primes to generate a million RSA modules (you need two primes per public key), effectively eliminating the costly prime search. Using elliptic key cryptography the key generation step is dirt cheap: With ed25519 you get 200k key generations per second [3]
[1] http://bench.cr.yp.to/results-encrypt.html [2] http://bench.cr.yp.to/results-dh.html [3] http://bench.cr.yp.to/results-sign.html
Formula used for each of the above numbers: 3500x10^6/[median for Intel Xeon E3]x4