There has been a lot of discussion in the crypto community, especially those interested in the mobile space, about the implementation of ECC due to the smaller bit sizes for keys and the perceived speed increase.
I’ve never been that sure, and an early report that I had from a BouncyCastle user indicated that in the real world it was somewhat different. So, I decided to write some code to perform some comparative testing on the key generation and key exchange speeds of ECC and RSA.
I wanted to test the real world scenarios of public key usage, where public keys are created very sparsely compared with the key exchanges that actually occur using those keys. So, in a way, I’m comparing the effort used in an operational scenario that I have specified rather than a discrete individual operation.
The playing field is as follows;
- BouncyCastle Java API’s version 1.23
- RSA key sizes from 1024 – 2048 in steps of 256 bits
- ECC key sizes, 190, 239 and 256 bits using the X.962 EC-DSA named curves prime190v1, prime239v1 and prime256v1.
- Variable number of key exchanges for a key creation
- ECC uses ECDH for key exchange
- RSA uses an public key encrypt and a private key decrypt for key exchange
- These scenarios do not perform signing or verification (which could be added)
- Dell D600 Latitude with a 1.4Ghz Centrino and 512Mb of RAM
Also taking into account the following recommended key strength comparisons;
The comparisons below are a rough interpolation of to provide comparable key strengths.
The following tables show the results, but these operational scenarios are based on a single key creation for multiple key exchanges where the multiple is 100-1000 key exchanges for each key creation. As this turns out to be the major determinant of difference between the ECC and RSA scenario speeds, this parameter should reflect your operational scenarios as closely as possible.
The numbers in the tables show a delta between start of scenario and end of scenario in milliseconds, so the smaller the number the better.
|ECC (192, 239, 256)||1||96||162||182|
|RSA (1280, 1536, 1792)||1||995||2269||5713|
|ECC (192, 239, 256)||100||6329||10457||11652|
|RSA (1280, 1536, 1792)||100||5014||7300||12465|
|ECC (192, 239, 256)||500||30422||52527||57584|
|RSA (1280, 1536, 1792)||500||18423||30079||46924|
|ECC (192, 239, 256)||2500||153245||259025||288532|
|RSA (1280, 1536, 1792)||2500||86191||143894||219485|
Note: As with all things, the usual caveats apply that I might have stuffed it all up and these are nothing more than random numbers, so do your own testing. If people want the source for these tests, then drop me an email.
What does this all mean ? Well, I’m not sure what it means to you, but what it means to me is that ECC is not a panacea, and that the comparative key strengths for RSA are better performers than their equivalent ECC key strengths. There are different considerations for each application, such as the size of the encrypted data and the memory use of the algorithms, and those are best left as an exercise for the reader.
Edit: 31st October 2006
Code available here