Digital Signature - RSA vs ECDSA
A common way to validate the integrity of data and authenticate its creator is to use digital signatures. This method represents an improvement from a simple checksum, which can be used only for integrity checks.
For authentication, digital-signature algorithms use public-key cryptography with a public-private key pair. The private key is kept secret by its owner and used to create a digital signature. The public key can be shared, and it is used to verify that data has been signed with the private key, created by the private key's owner (authentication), and not modified (integrity).
There are two major public-key algorithms used for digital signatures: RSA and ECDSA. What are the differences between RSA and ECDSA? Which algorithm should be used in embedded systems?
Comparison
Security level
To compare different cryptographic algorithms, the level of security that each algorithm provides should be known. Various research has been conducted and papers have been written on the subject of algorithm security (e.g., How long it would take until the algorithms could be broken [with reasonable resources]?). Security level is measured in bits, and it usually corresponds to a symmetric key cipher of that size. With variable key length, RSA and ECDSA can achieve virtually any security level.
The table below describes the security level of common key lengths, which are used for further comparison:
| Security level | RSA | ECDSA |
|---|---|---|
| 80 bits | 1024 bits | 160 bits |
| 112 bits | 2048 bits | 224 bits |
| 128 bits | 3072 bits | 256 bits |
| 192 bits | 7680 bits | 384 bits |
| 256 bits | 15360 bits | 512 bits |
Resource use
In an embedded system, implementation of RSA requires less code ROM (flash) and marginally less dynamic memory (RAM) than ECDSA. For most applications, a public key is also stored in ROM. ECDSA keys are significantly smaller than RSA keys at the same security level, and the savings increase with higher levels.
The same applies for signatures, which are stored or transmitted. Although ECDSA signatures are twice the size of the key, ECDSA can save on storage and bandwidth compared to RSA.
| RSA | ECDSA | |
|---|---|---|
| Resource Use | ||
| ROM Use | 6 KiB | 10 KiB |
| RAM Use | 3.0 KiB | 3.2 KiB |
| Key Store | 1 * Key length | 1 * Key length |
| Signature Store | 1 * Key length | 2 * Key length |
Performance
Performance with regard to signing and verifying data is different for both RSA and ECDSA algorithms. (EC)DSA performs different operations for signing and verification, while RSA can benefit from using a much smaller public exponent for verification. In embedded systems, the most common use for digital signatures is verification of data.
RSA performs significantly faster with the security levels currently in use, but performance degrades approximately exponentially as key lengths increase. ECDSA signature verification is a slower process, but it can be faster than RSA at higher security levels.
| RSA | ECDSA | |
|---|---|---|
| Verification performance | ||
| 80 bit | 2.18 ms (1024 bit) | 43.45 ms (P-192) |
| 112 bit | 7.40 ms (2048 bit) | 53.87 ms (P-224) |
| 128 bit | 15.89 ms (3072 bit) | 78.70 ms (P-256) |
| 192 bit | 92.94 ms (8192 bit) | 129.17 ms (P-384) |
| 256 bit | 333.19 ms (16384 bit) | 145.68 ms (P-521) |
Conclusion
For memory use and computation, as of today, and for at least the next ten years, the cost of using RSA at recommended security levels is lower than that of its ECDSA equivalent.
Since security level requirements steadily rise, there will be a breakeven at which ECDSA becomes more efficient for signature verification. For storage requirements, this means a security level of approximately 160 bits, and for computation, a speed a level of approximately 200 bits.
Notes
All resource-use and performance values have been measured with emCrypt, on a Cortex-M7 microcontroller at 200 MHz.