
I'm currently doing a project on RSA, and have just come across this website.

https://www.namecheap.com/support/knowledgebase/article.aspx/798/67/what-is-an-rsa-key-used-for

On here, it says that

Since encrypted data transmission takes too much time in case of asymmetric encryption, this kind of encryption is used for a secure symmetric key exchange that is used for actual transmitted data encryption and decryption.

Now I was not aware that this was the case, so my question is, does this mean that asymmetric encryption is relatively slow compared to symmetric encryption, or is it impractically slow to be implemented in things like SSL?

Also, out of curiosity, exactly how much slower is it in terms of a time value?

Update:

Another question, why do the primes have to be far apart? I guess since the numbers used are so big they are far apart anyway, but is this a prerequisite for RSA, or just a fact that holds due to the size of the numbers?

Thanks

Ali

1 Answer


Yes, asymmetric encryption is slow compared to symmetric encryption.

With symmetric ciphers, encryption and decryption speed can be several gigabytes per second on a common PC core; see these benchmarks.

With RSA encryption, on comparable hardware, we are talking tens of thousands of encryptions per second, and only a few hundred decryptions per second, for common key sizes, and small messages (like 1 bit to 250 bytes, way enough for session keys and authenticators); see these benchmarks.

Pure asymmetric encryption would often be like 3 to 5 decimal orders of magnitude slower than symmetric encryption is. That's the main reason why in practice, when enciphering messages that could be over what fits the capacity of a single asymmetric encryption, we use hybrid encryption.

fgrieu
  • Ah okay that clears it up, thanks! Can I ask, why is it that decryption is so much slower than encryption? The process is essentially the same isn't it? – Ali Nov 23 '15 at 17:04
  • @Ali: in RSA, the public exponent (used for encryption) can be (and typically is) small, e.g. 1 to 5 decimal digits, when the private exponent (used for decryption) must be large, like hundreds of decimal digits. All things being equal, time is roughly proportional to the size of the exponent. There are other differences between RSA encryption vs decryption, but the bulk of the performance difference comes from that. – fgrieu Nov 23 '15 at 17:21
  • @Ali: also, that speed difference between encryption and decryption is specific to RSA (and related schemes, such as Rabin); other methods have different tradeoffs. – poncho Nov 23 '15 at 18:06
  • @fgrieu Yeah thought it might be something like that, thanks for clearing it up. Also do you have anything to offer in regards to my second question? Why do the primes have to be far apart? – Ali Nov 23 '15 at 18:24
  • Another data point: on my Intel Core i7-4400U laptop using OpenSSL 1.0.2d, AES-128 encryption is 366 times faster than RSA-2048 encryption when operating on 2048-bit blocks of data. – rmalayter Nov 23 '15 at 18:47
  • @rmalayter: I fear there are two issues with your data point: 1) If you encipher a 2048-bit block of data using RSA-2048, and can consistently revert the encryption including for an all-1 plaintext, most likely you are using hybrid encryption (other options involve RSA encryption using some weird non-standard multiblock mode). 2) when using AES-128 to encipher a mere 2048-bit block (only 16 AES blocks), likely various overhead (like program launch, key setup, file opening...) dominates what's timed, rather than actual encryption. – fgrieu Nov 24 '15 at 09:45
  • @fgrieu, I suppose it depends on what "openssl speed" tests. I think OpenSSL speed does a signature (in RSA, this is encryption with the private key) of random data with appropriate padding. So 2048 bits of plaintext are being transformed into 2048 bits of ciphertext in the RSA case. I agree that the overhead will dominate in the AES case with such small blocks, but that is actually common (e.g. per-packet or per-record in TLS). RSA cannot encrypt more than the keylength, so the comparison is fair. Think "RSA in ECB mode" – rmalayter Nov 24 '15 at 17:48
  • @rmalayter: so what you think you timed is more like: AES-128 encryption of a 2048-bit block was 366 times faster than a single RSA-2048 decryption would have been. Since RSA encryption can be like two decimal orders of magnitude faster than RSA decryption, the difference matters (it says that we can encipher or check a signature with RSA at only a few times the cost of AES-128 encryption of 256 bytes including overhead). [Nitpick: the correct vocabulary is that RSA signature generation involves modular exponentiation (not encryption) with the private key, as RSA decryption does]. – fgrieu Nov 24 '15 at 18:31
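The exponent-size effect discussed in the comments above, shown as an added example that is not part of the original posts: textbook RSA (no padding) with a counted square-and-multiply, comparing the public and private operations. The key is constructed from two Mersenne primes purely to keep the code short, and all function and variable names are assumptions of this example.

```python
import time

# Constructed toy key: two Mersenne primes, chosen only so that no prime
# generation is needed. Special-form primes like these must not be used
# for real keys.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # 1128-bit modulus
E = 65537                           # small public exponent (17 bits)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, about as long as N


def modexp_counted(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Returns (result, number of modular multiplications performed).
    """
    result, mults = 1, 0
    for bit in bin(exponent)[2:]:
        result = result * result % modulus   # one squaring per exponent bit
        mults += 1
        if bit == "1":
            result = result * base % modulus  # extra multiply per set bit
            mults += 1
    return result, mults


def compare(message=0x1234567890ABCDEF):
    """Textbook RSA round trip with operation counts and wall-clock times."""
    t0 = time.perf_counter()
    ciphertext, enc_mults = modexp_counted(message, E, N)
    t1 = time.perf_counter()
    recovered, dec_mults = modexp_counted(ciphertext, D, N)
    t2 = time.perf_counter()
    return {
        "roundtrip_ok": recovered == message,
        "enc_mults": enc_mults,
        "dec_mults": dec_mults,
        "enc_seconds": t1 - t0,
        "dec_seconds": t2 - t1,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Production libraries speed up the private operation with the Chinese Remainder Theorem, so the measured gap there is smaller than the raw multiplication count suggests, but the private operation remains the expensive one.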