Ding, ding. It’s ECC v RSA


Ding, ding. Round 1. It’s ECC v RSA

Public key encryption continues to strive to be the foundation of a new world. It is the core answer to many security problems, such as proving identity and creating a more trustworthy world. But should we use RSA or ECC?

Well, let’s put them head-to-head on my desktop (MacBook Pro), my iPad, and on my mobile phone (Samsung S9+). For this we will run all the code in the browser using JavaScript. There will be no back-end calls here, and all the maths will be computed in the browser.

And let’s be fair with them and use equivalent security levels. For ECC, 160-bit keys are equivalent to 1,024-bit RSA keys:

So let’s try creating a 160-bit ECC key pair and a 1,024-bit RSA key pair.

ECC

For ECC we create a random number (the private key), take the curve’s base point G, and multiply the two together to get the public key value. If I run on my Samsung S9+, I get a time of 113ms [here]:

Whereas if I run on my desktop with Firefox, the time is 15ms [here]:

Now let’s generate an ECC key pair on an iPad and we see a time of 64ms:
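The ECC key generation described above (a random number multiplied by the base point G), written out as an added example that is not the code behind the article's timings. It assumes Node.js and the NIST P-256 curve, since the article names no curve; the function names are this example's own.

```javascript
// Added example, not the article's code. Assumed curve: NIST P-256 (the article names no curve).
// BigInt maths is not constant-time, so this is for study, not for generating real keys.
const crypto = require('crypto');

const P = 2n ** 256n - 2n ** 224n + 2n ** 192n + 2n ** 96n - 1n; // field prime
const A = P - 3n; // curve: y^2 = x^3 + A*x + B (B is not needed for point arithmetic)
const N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551n; // order of G
const G = { x: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,
            y: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n };

const mod = (v) => ((v % P) + P) % P;
// Modular inverse by Fermat's little theorem: v^(P-2) mod P.
function inv(v) {
  let result = 1n;
  for (let base = mod(v), e = P - 2n; e > 0n; e >>= 1n) {
    if (e & 1n) result = mod(result * base);
    base = mod(base * base);
  }
  return result;
}

// Add two points; null is the point at infinity.
function add(p, q) {
  if (p === null) return q;
  if (q === null) return p;
  if (p.x === q.x && mod(p.y + q.y) === 0n) return null; // p = -q
  const slope = p.x === q.x
    ? mod((3n * p.x * p.x + A) * inv(2n * p.y)) // tangent (doubling)
    : mod((q.y - p.y) * inv(q.x - p.x));        // chord (addition)
  const x = mod(slope * slope - p.x - q.x);
  return { x, y: mod(slope * (p.x - x) - p.y) };
}

// Double-and-add: k * point using about 256 doublings for a 256-bit k.
function multiply(k, point) {
  let acc = null;
  for (let addend = point; k > 0n; k >>= 1n) {
    if (k & 1n) acc = add(acc, addend);
    addend = add(addend, addend);
  }
  return acc;
}

// Key generation: private key d is a random scalar in [1, N-1], public key is d*G.
function generateKeyPair() {
  let d;
  do { d = BigInt('0x' + crypto.randomBytes(32).toString('hex')); } while (d === 0n || d >= N);
  return { privateKey: d, publicKey: multiply(d, G) };
}
```

The whole cost of `generateKeyPair()` is one scalar multiplication, whereas RSA key generation has to search for two large random primes.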

RSA

And now we can try for RSA with 1,024-bit RSA keys. This time on my desktop I get a time of 134ms [here]:

And now on my Samsung S9+ it takes 403ms [here]:

And on my iPad I get a time of 578ms:

And so let’s summarise the results:

| | Desktop | Samsung S9+ | iPad |
|---|---|---|---|
| ECC | 15ms | 113ms | 64ms |
| RSA | 134ms | 403ms | 578ms |

We can see that, for key generation, ECC is nearly nine times faster on the desktop computer and iPad, and over three times faster in the mobile phone test. So, like it or not, RSA is not winning in the public key space, as it is just too computationally expensive. The longer it takes to compute things, the more battery drain there is likely to be. And so ECC wins against RSA, and with RSA moving to 4K keys, we see a public key encryption method which will struggle in an IoT era. For just now, it is ECC that wins with a knock-out in the first round.

But, wait! Let’s try 2,048-bit RSA keys against 256-bit ECC. On a desktop, 2K RSA keys take a massive 1.2 seconds [here]:

Whereas ECC does 256-bit keys in just 37ms [here]:

This is over 30 times faster! RSA is knocked out with the first punch.