Introduction

The choice of elliptic curve has a large impact on the performance of ECDSA / ECDHE / ECDH operations. Each type of curve was designed with a different primary goal in mind, and this is reflected in the performance of the specific curves.

The following numbers, measured with mbed TLS 2.0 on a 2 GHz Core i7, are only indicative of the relative speed of the various curves. The absolute values will depend on your platform. These numbers also use the default settings for speed-memory trade-offs; see this article.

ECDSA Performance

NIST Curve Performance

ECDSA-secp521r1          :     549 sign/s
ECDSA-secp384r1          :     859 sign/s
ECDSA-secp256r1          :    1148 sign/s
ECDSA-secp224r1          :    1707 sign/s
ECDSA-secp192r1          :    2190 sign/s
ECDSA-secp521r1          :     151 verify/s
ECDSA-secp384r1          :     233 verify/s
ECDSA-secp256r1          :     333 verify/s
ECDSA-secp224r1          :     491 verify/s
ECDSA-secp192r1          :     670 verify/s

Brainpool Curve Performance

ECDSA-brainpoolP512r1    :      65 sign/s
ECDSA-brainpoolP384r1    :     126 sign/s
ECDSA-brainpoolP256r1    :     203 sign/s
ECDSA-brainpoolP512r1    :      15 verify/s
ECDSA-brainpoolP384r1    :      28 verify/s
ECDSA-brainpoolP256r1    :      52 verify/s

ECDHE Performance

NIST Curve Performance

ECDHE-secp521r1          :     157 handshake/s
ECDHE-secp384r1          :     248 handshake/s
ECDHE-secp256r1          :     334 handshake/s
ECDHE-secp224r1          :     511 handshake/s
ECDHE-secp192r1          :     716 handshake/s

Brainpool Curve Performance

ECDHE-brainpoolP512r1    :      15 handshake/s
ECDHE-brainpoolP384r1    :      28 handshake/s
ECDHE-brainpoolP256r1    :      52 handshake/s

Why are NIST curves faster than Brainpool curves?

The Brainpool curves use random primes, as opposed to the quasi-Mersenne primes used by the NIST curves. The result is that there is no fast reduction possible for the Brainpool curves. This has major consequences for the performance of the different curves.
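To make the difference concrete, the following added example (not mbed TLS code) reduces a product modulo the NIST P-192 prime 2^192 - 2^64 - 1 using only word rearrangement and additions, and reduces modulo the brainpoolP256r1 prime with Barrett reduction, a standard generic method chosen here for illustration. All function names are assumptions of this example, and the random inputs are constructed.

```python
import random

# NIST P-192 prime: quasi-Mersenne, so 2^192 = 2^64 + 1 (mod P192)
P192 = 2**192 - 2**64 - 1
# brainpoolP256r1 prime (RFC 5639): random-looking, no sparse structure to exploit
BP256 = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
MASK64 = (1 << 64) - 1

def reduce_p192_fast(x):
    """Reduce 0 <= x < 2^384 mod P192 with word shuffles and additions only."""
    c = [(x >> (64 * i)) & MASK64 for i in range(6)]  # six 64-bit words
    def words(w2, w1, w0):
        return (w2 << 128) | (w1 << 64) | w0
    # Each high word folds back into the low 192 bits via 2^192 = 2^64 + 1.
    r = (words(c[2], c[1], c[0])      # low half, unchanged
         + words(0, c[3], c[3])       # c3 * 2^192
         + words(c[4], c[4], 0)       # c4 * 2^256
         + words(c[5], c[5], c[5]))   # c5 * 2^320
    while r >= P192:                  # sum < 4 * 2^192: a few subtractions at most
        r -= P192
    return r

def barrett_setup(p):
    """Precompute k = bit length of p and mu = floor(2^(2k) / p)."""
    k = p.bit_length()
    return k, (1 << (2 * k)) // p

def reduce_barrett(x, p, k, mu):
    """Reduce 0 <= x < 2^(2k) mod any p; costs two full-width multiplications."""
    q = (x * mu) >> (2 * k)           # slightly low estimate of x // p
    r = x - q * p
    while r >= p:
        r -= p
    return r

def self_check(samples=1000, seed=1):
    """Compare both reductions with Python's % on constructed random products."""
    rng = random.Random(seed)
    k, mu = barrett_setup(BP256)
    for _ in range(samples):
        x = rng.randrange(P192) * rng.randrange(P192)
        y = rng.randrange(BP256) * rng.randrange(BP256)
        if reduce_p192_fast(x) != x % P192:
            return False
        if reduce_barrett(y, BP256, k, mu) != y % BP256:
            return False
    return True
```

The P-192 path needs no multiplication at all after the product is formed, while the generic path adds two more wide multiplications per reduction; that extra work is paid on every field multiplication inside a scalar multiplication.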

Can't you optimize Brainpool curves to be as fast as the NIST curves?

Short answer: Unfortunately that is not possible.

The choice for Brainpool using random primes was a design decision, aimed at:

  1. avoiding possible patent issues with fast reduction algorithms
  2. avoiding potential security issues with non-random primes

In any case, Brainpool curves are not going to reach performance similar to that of the NIST curves.

Curve25519 support

High-performance alternatives which, like the Brainpool curves, cannot be suspected of malicious manipulation are the curves/protocols designed by Bernstein et al., such as Curve25519 for key exchange and Ed25519 for signatures.

Unfortunately, they use slightly different data structures/representations than the other curves, so their use with TLS and PKIX is not standardized yet. We do support basic Curve25519 arithmetic and will implement its use in TLS / PKIX as soon as a standard is out. (We are actually taking an active part in creating such a standard.)
