PublicKeySpeed » History » Version 9

« Previous - Version 9/30 (diff) - Next » - Current version
Andreas Steffen, 10.06.2009 09:38
refer directly to section 8. Security Considerations


Speed comparison of public key algorithms

32bit, User-Mode-Linux on a Core2Duo T9400 (one core)

Public Key Signature

Key type Strength* Operations/s gmp gcrypt openssl
RSA 512 50 bits sign 3'791 1'831 2'105
RSA 768 62 bits sign 1'519 709 810
RSA 1024 73 bits sign 713 292 485
RSA 1536 89 bits sign 240 102 184
RSA 2048 103 bits sign 110 47 93
ECDSA 256 128 bits sign N/A N/A 522
ECDSA 384 192 bits sign N/A N/A 226
ECDSA 521 260 bits sign N/A N/A 109
RSA 512 50 bits verify 29'630 16'667 25'806
RSA 768 62 bits verify 18'182 10'714 15'385
RSA 1024 73 bits verify 11'765 6'897 11'111
RSA 1536 89 bits verify 5'882 3'774 5'882
RSA 2048 103 bits verify 3'571 2'326 3'704
ECDSA 256 128 bits verify N/A N/A 440
ECDSA 384 192 bits verify N/A N/A 180
ECDSA 521 260 bits verify N/A N/A 90

* = cryptographic strength estimates according to RFC 3766

Diffie-Hellman Key Exchange

DH group Strength Operations/s gmp gcrypt openssl gmp* gcrypt* openssl*
MODP 768 62 bits A=g^a mod p 368 243 212 741 531 319
MODP 1024 73 bits A=g^a mod p 196 125 136 494 388 272
MODP 1536 89 bits A=g^a mod p 68 45 62 308 220 196
MODP 2048 103 bits A=g^a mod p 31 21 28 149 98 116
ECP 192 96 bits A=g^a mod p N/A N/A 166 - - -
ECP 224 112 bits A=g^a mod p N/A N/A 157 - - -
ECP 256 128 bits A=g^a mod p N/A N/A 148 - - -
ECP 384 192 bits A=g^a mod p N/A N/A 91 - - -
ECP 521 260 bits A=g^a mod p N/A N/A 63 - - -
MODP 768 62 bits S=B^a mod p 448 190 290 1176 496 541
MODP 1024 73 bits S=B^a mod p 213 89 167 727 320 440
MODP 1536 89 bits S=B^a mod p 71 31 64 385 175 286
MODP 2048 103 bits S=B^a mod p 32 13 30 164 71 141
ECP 192 96 bits S=B^a mod p N/A N/A 171 - - -
ECP 224 112 bits S=B^a mod p N/A N/A 162 - - -
ECP 256 128 bits S=B^a mod p N/A N/A 152 - - -
ECP 384 192 bits S=B^a mod p N/A N/A 91 - - -
ECP 521 260 bits S=B^a mod p N/A N/A 65 - - -

* = using reduced exponent size (libstrongswan.dh_exponent_ansi_x9_42 = no) as recommended by RFC3526

64bit under VirtualBox, Core2Duo T9400 (one core):

Public Key Signature

Key type Strength* Operations/s gmp gcrypt openssl
RSA 512 50 bits sign 13'082 3'530 7'478
RSA 768 62 bits sign 5'523 1'603 3'154
RSA 1024 73 bits sign 2'742 766 1'577
RSA 1536 89 bits sign 937 285 555
RSA 2048 103 bits sign 433 133 258
ECDSA 256 128 bits sign N/A N/A 1'267
ECDSA 384 192 bits sign N/A N/A 577
ECDSA 521 260 bits sign N/A N/A 291
RSA 512 50 bits verify 103'733 36'197 5'9598
RSA 768 62 bits verify 61'520 25'411 35'704
RSA 1024 73 bits verify 41'377 16'098 26'314
RSA 1536 89 bits verify 22'148 10'941 13'607
RSA 2048 103 bits verify 13'500 6'524 8'345
ECDSA 256 128 bits verify N/A N/A 1'143
ECDSA 384 192 bits verify N/A N/A 508
ECDSA 512 260 bits verify N/A N/A 255

* = cryptographic strength estimates according to RFC 3766

Diffie-Hellman Key Exchange

DH group Strength Operations/s gmp gcrypt openssl gmp* gcrypt* openssl*
MODP 768 62 bits A=g^a mod p 1'853 790 1'088 5'622 2'151 2'656
MODP 1024 73 bits A=g^a mod p 862 347 491 3'523 1'352 1'689
MODP 1536 89 bits A=g^a mod p 269 135 168 1'612 776 837
MODP 2048 103 bits A=g^a mod p 117 55 73 689 298 362
ECP 192 96 bits A=g^a mod p N/A N/A 1'699 - - -
ECP 224 112 bits A=g^a mod p N/A N/A 1'494 - - -
ECP 256 128 bits A=g^a mod p N/A N/A 1'298 - - -
ECP 384 192 bits A=g^a mod p N/A N/A 591 - - -
ECP 521 260 bits A=g^a mod p N/A N/A 306 - - -
MODP 768 62 bits S=B^a mod p 1'882 595 1'191 5'737 1'779 3'280
MODP 1024 73 bits S=B^a mod p 869 274 535 3'431 1'035 1'928
MODP 1536 89 bits S=B^a mod p 278 98 174 1'648 571 900
MODP 2048 103 bits S=B^a mod p 122 38 74 660 214 380
ECP 192 96 bits S=B^a mod p N/A N/A 1'727 - - -
ECP 224 112 bits S=B^a mod p N/A N/A 1'589 - - -
ECP 256 128 bits S=B^a mod p N/A N/A 1'423 - - -
ECP 384 192 bits S=B^a mod p N/A N/A 609 - - -
ECP 521 260 bits S=B^a mod p N/A N/A 313 - - -

* = using reduced exponent size (libstrongswan.dh_exponent_ansi_x9_42 = no) as recommended by RFC3526