June 17, 2005

Notes on the performance of encryption algorithms

I get asked a lot about the performance of encryption. Here are some microbenchmarks that should give you a feel for the order of magnitude. Obviously, real protocols behave differently.

Symmetric Encryption Algorithms

| Algorithm | Speed (MB/s) |
|---|---|
| DES | 67 |
| 3DES (EDE) | 24 |
| AES-128 | 69 |
| AES-256 | 55 |
| RC-4 | 125 |

Message Digests

| Algorithm | Speed (MB/s) |
|---|---|
| MD5 | 309 |
| HMAC-MD5 | 315 |
| SHA-1 | 116 |

Public Key Algorithms

| Algorithm | Private key ops/s | Public key ops/s |
|---|---|---|
| RSA-1024 | 245 | 4614 |
| RSA-2048 | 41 | 1411 |
| DSA-1024 | 495 | 410 |

All measurements taken using OpenSSL on a single-processor 3 GHz Pentium running FreeBSD.

The take-home message here is that well-designed communications security systems are fast enough for almost any practical Internet communications scenario and most Intranet ones. For the few cases where you actually need speeds that approach or exceed 1 Gb/s, acceleration hardware is readily available.

Posted by ekr at June 17, 2005 9:43 AM
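An added example, not part of the original post: a Python script that times MD5, HMAC-MD5 and SHA-1 through hashlib and counts the 64-byte compression calls each needs, showing how HMAC's fixed per-message overhead shrinks as messages grow. The message sizes, the sample key and all function names are assumptions of this example, and the block counts model an HMAC keyed from scratch for every message.

```python
import hashlib
import hmac
import time

BLOCK = 64  # MD5 and SHA-1 both consume 64-byte blocks


def hash_blocks(n):
    """Compression calls to hash n bytes (padding adds 0x80 plus an 8-byte length)."""
    return (n + 9 + BLOCK - 1) // BLOCK


def hmac_blocks(n, digest_len=16):
    """Inner hash of (ipad block || msg) plus outer hash of (opad block || inner digest)."""
    return hash_blocks(BLOCK + n) + hash_blocks(BLOCK + digest_len)


def throughput(fn, size, min_seconds=0.05):
    """Measured MB/s for fn applied repeatedly to a size-byte buffer."""
    buf = b"\x00" * size  # constructed input; digest speed does not depend on content
    count, start = 0, time.perf_counter()
    while True:
        fn(buf)
        count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return count * size / elapsed / 1e6


KEY = b"k" * 16  # constructed sample key
ALGOS = {
    "MD5": lambda b: hashlib.md5(b).digest(),
    "HMAC-MD5": lambda b: hmac.new(KEY, b, hashlib.md5).digest(),
    "SHA-1": lambda b: hashlib.sha1(b).digest(),
}


def run(sizes=(16, 64, 1024, 8192)):
    """Return {size: {algorithm: MB/s}} for the three digests."""
    return {s: {name: throughput(fn, s) for name, fn in ALGOS.items()} for s in sizes}


if __name__ == "__main__":
    for size, row in run().items():
        ratio = hmac_blocks(size) / hash_blocks(size)
        cells = "  ".join(f"{k} {v:8.1f} MB/s" for k, v in row.items())
        print(f"{size:5d} B  {cells}  HMAC/MD5 blocks x{ratio:.2f}")
```

On 16-byte messages HMAC-MD5 does four compression calls to MD5's one, while on 8192-byte messages the counts are 132 against 129, so large-buffer throughput figures for the two should differ by only a few percent.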

Comments

Interesting to compare different implementations. http://www.eskimo.com/~weidai/benchmarks.html shows values for a 2.1 GHz machine using the Crypto++ library rather than OpenSSL. Some of the ratios are quite different - for example, OpenSSL apparently has DES as fast as AES-128 and faster than AES-256. Crypto++ in contrast has AES-256 twice as fast as DES and AES-128 3 times as fast (it is called Rijndael there). Also the ratio between the hash and the encryption algorithms is somewhat different as well.

Brian Gladman has a new hand-tuned AES assembly language implementation at http://fp.gladman.plus.com/AES/. He reaches 18.08 cycles per byte for AES-128 and 24.58 for AES-256. If I understand how to convert this to MB/sec on a 3 GHz machine (divide into 3000) these are speeds of 166 MB/sec for AES-128 and 122 MB/sec for AES-256. Pretty fast!

People sometimes ask, which is faster, SHA-1 or AES? The conventional wisdom is that the hash functions are faster. But with these highly optimized AES implementations, they are just as fast or even faster than typical SHA-1. Nobody cares to hand-optimize SHA-1 for some reason.

Posted by: Hal Finney at June 17, 2005 3:02 PM

EKR, it seems counterintuitive to me that the OpenSSL library implementation of HMAC-MD5 should have a superior benchmark to that of its implementation of MD5 (for those reading this who are unfamiliar with HMAC-MD5, its definition implies performing MD5 on the entire message plus some additional overhead). Did you by any chance reverse the performance values for MD5 and HMAC-MD5?

Posted by: Richard Parker at June 18, 2005 12:37 AM

Even software can be much better:

Hand tuned assembly on a 3 GHz Pentium can do 128b aes at 1.5 Gbps!

http://www.tcs.hut.fi/~helger/aes/rijndael.html

Posted by: nicholas weaver at June 18, 2005 12:52 PM