ECC and RSA speed comparison

There has been a lot of discussion in the crypto community, especially among those interested in the mobile space, about implementing ECC because of its smaller key sizes and the perceived speed increase.
I’ve never been that sure, and an early report that I had from a BouncyCastle user indicated that in the real world it was somewhat different. So, I decided to write some code to perform some comparative testing on the key generation and key exchange speeds of ECC and RSA.
I wanted to test the real-world scenarios of public key usage, where public keys are created very sparsely compared with the key exchanges that actually occur using those keys. So, in a way, I’m comparing the effort used in an operational scenario that I have specified rather than a discrete individual operation.
The playing field is as follows:

  • BouncyCastle Java APIs version 1.23
  • RSA key sizes from 1024 – 2048 in steps of 256 bits
  • ECC key sizes, 190, 239 and 256 bits using the X9.62 EC-DSA named curves prime190v1, prime239v1 and prime256v1.
  • Variable number of key exchanges for a key creation
  • ECC uses ECDH for key exchange
  • RSA uses a public key encrypt and a private key decrypt for key exchange
  • These scenarios do not perform signing or verification (which could be added)
  • Dell D600 Latitude with a 1.4Ghz Centrino and 512Mb of RAM

Also taking into account the following recommended key strength comparisons:

RSA key size (bits)    ECC key size (bits)
1024                   160
2048                   282
4096                   409

The comparisons below are a rough interpolation of these figures, chosen to provide comparable key strengths.
The following tables show the results, but these operational scenarios are based on a single key creation for multiple key exchanges where the multiple is 100-1000 key exchanges for each key creation. As this turns out to be the major determinant of difference between the ECC and RSA scenario speeds, this parameter should reflect your operational scenarios as closely as possible.
The numbers in the tables show a delta between start of scenario and end of scenario in milliseconds, so the smaller the number the better.

Algorithm (key sizes in bits)   Key exchanges   Delta in ms (one value per key size)
ECC (192, 239, 256)             1               96, 162, 182
RSA (1280, 1536, 1792)          1               995, 2269, 5713
ECC (192, 239, 256)             100             6329, 10457, 11652
RSA (1280, 1536, 1792)          100             5014, 7300, 12465
ECC (192, 239, 256)             500             30422, 52527, 57584
RSA (1280, 1536, 1792)          500             18423, 30079, 46924
ECC (192, 239, 256)             2500            153245, 259025, 288532
RSA (1280, 1536, 1792)          2500            86191, 143894, 219485
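
The scenario measured above (one key creation, then N key exchanges, timed as a single delta in milliseconds), sketched as an added example with the JDK's built-in providers; it is not the author's benchmark source and does not use BouncyCastle 1.23. Assumptions: only the 256-bit/1792-bit pairing is run (secp256r1 is the SECG name for prime256v1), both ECDH key pairs stay fixed, and RSA wraps a 16-byte session key with OAEP; the class and method names are illustrative.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.*;

public class KeyExchangeScenario {
    static final SecureRandom RNG = new SecureRandom();
    // One side of an ECDH agreement: own private key combined with the other side's public key.
    static byte[] agree(KeyPair mine, KeyPair theirs) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(mine.getPrivate());
        ka.doPhase(theirs.getPublic(), true);
        return ka.generateSecret();
    }

    // Assumption: the peer key exists beforehand (untimed); the loop times two ECDH computations.
    static long ecdhScenario(String curve, int exchanges) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec(curve), RNG);
        KeyPair peer = kpg.generateKeyPair();
        long start = System.nanoTime();
        KeyPair ours = kpg.generateKeyPair();  // the single key creation
        for (int i = 0; i < exchanges; i++)
            if (!Arrays.equals(agree(ours, peer), agree(peer, ours))) throw new IllegalStateException("ECDH secrets differ");
        return (System.nanoTime() - start) / 1_000_000;
    }

    // RSA exchange as described in the post: public-key encrypt, then private-key decrypt.
    static long rsaScenario(int bits, int exchanges) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits, RNG);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding"); // padding is an assumption
        byte[] sessionKey = new byte[16];      // assumed session key size
        long start = System.nanoTime();
        KeyPair kp = kpg.generateKeyPair();    // the single key creation
        for (int i = 0; i < exchanges; i++) {
            RNG.nextBytes(sessionKey);
            rsa.init(Cipher.ENCRYPT_MODE, kp.getPublic(), RNG);
            byte[] wrapped = rsa.doFinal(sessionKey);
            rsa.init(Cipher.DECRYPT_MODE, kp.getPrivate());
            if (!Arrays.equals(sessionKey, rsa.doFinal(wrapped))) throw new IllegalStateException("RSA round trip failed");
        }
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) throws Exception {
        ecdhScenario("secp256r1", 20); rsaScenario(1792, 20);  // JIT warm-up, results discarded
        for (int n : new int[] {1, 100, 500})
            System.out.printf("n=%d  ECDH P-256: %d ms  RSA-1792: %d ms%n", n, ecdhScenario("secp256r1", n), rsaScenario(1792, n));
    }
}
```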

Note: As with all things, the usual caveats apply that I might have stuffed it all up and these are nothing more than random numbers, so do your own testing. If people want the source for these tests, then drop me an email.
What does this all mean? Well, I’m not sure what it means to you, but what it means to me is that ECC is not a panacea, and that the comparative key strengths for RSA are better performers than their equivalent ECC key strengths. There are different considerations for each application, such as the size of the encrypted data and the memory use of the algorithms, and those are best left as an exercise for the reader.
Edit: 31st October 2006
Code available here


19 thoughts on “ECC and RSA speed comparison”

  1. ECC and RSA speed comparison.

    I had an email discussion with Jon Eaves about his speed comparison of an ECC-based key exchange scenario with a scenario based on RSA.
    His test basically reflects the PGP protocol and assumes that the public key is generated once and then reused for multiple

  2. Hi Jon,
    I’m doing something similar on the signature using RSA and ECC, and would like to make use of your source as reference. Would you please share the source for this with me? Thanks.

  3. Hi Jon,
    I’m doing my master’s project in comparing ECC and RSA algorithms in terms of power consumption. I’m using software for calculating the power, but I need source code for the cryptography algorithms. Would you please share the source for this with me? I would really appreciate that. Thanks.

  4. Hi,
    I need help. I am trying to use the C# BC release. I have only a public key (byte[]) and a private key (byte[]), and I cannot invoke the RSA algorithm because I don’t know how to load my public and private keys.

  5. Hi Jon, could you do my homework for me… I’m kidding. I’m doing my final year project on ECC vs RSA. Nice work 🙂

  6. Hi,
    I am doing my master’s thesis on WiMAX security,
    and I need to compare the performance between ECC and RSA,
    so could you please mail me the code?
    Thanks a lot.

  7. As far as I can tell, the BC elliptic curve code uses affine coordinates throughout – so you have to do a field inversion as part of every point addition or doubling! It would therefore seem that you could get a gigantic improvement in performance by supporting e.g. Chudnovsky coordinates. Do you agree?

  8. Hello Mr. Jon Eaves
    I am doing my master’s thesis on WiMAX security,
    and I need to compare the performance between ECC and RSA,
    so could you please mail me the code (preferably MATLAB code, if it exists)?
    Thanks a lot.

  9. I know the post is old, but could someone enlighten me: Why would you compare ECDH with key exchange done with RSA? Shouldn’t it be compared with plain DH?

  10. @Ramarajan ( and all the others )

    Jon Eaves | October 31, 2006 10:50 AM
    Source now available – link on the main entry. Enjoy all.
    Can’t you just read instead of asking ( you la** ba** )
