1

I am using a cryptography system in which the Feistel structure and permutation cipher are combined. I am amazed by the result; decryption is so much faster than encryption. My system is working properly. Anyone can explain why this is happening. Why is decryption faster than encryption?

Dharmendra Thapa
  • 29
  • 1

2 Answers2

5

In CBC and CFB modes, decryption can be parallelized, but encryption cannot. That's the most common reason for decryption being faster than encryption.

But no, it is not faster to decrypt than to encrypt in all cryptography systems. The contrary is common in asymmetric cryptography (RSA encryption with the common $e=65537$ is much faster than decryption where the exponent is much larger and has more bits set), and also not unseen in symmetric cryptography. An example is the block cipher AES implemented in software, where decryption is somewhat slower than encryption, because the invMixColumns matrix as higher coefficients than MixColumns (and to a lesser degree because it's necessary to precompute subkeys).

ilkkachu
  • 912
  • 6
  • 13
fgrieu
  • 149,326
  • 13
  • 324
  • 622
2

There is a common design pattern in cryptography which yields slower decryption than encryption. In particular, given

  • a symmetric scheme $(\mathsf{KGen}_s, \mathsf{Enc}_s, \mathsf{Dec}_s)$,
  • asymmetric scheme $(\mathsf{KGen}_{as}, \mathsf{Enc}_{as}, \mathsf{Dec}_{as})$, and
  • random oracle $\mathsf{R}$ (often you need several, whatever).

One wants to build an IND-CCA KEM, where one doesn't initially assume the cryptosystems have IND-CCA-type security (and instead have IND-CPA-type security, though the actual story is more complex than this).

A common paradigm to do this is to

  • Deterministic Encryption: Set the encryption randomness to be $\mathsf{R}(m,\dots)$, where $\dots$ may contain fixed quantities that may be known to the decryptor (say the public key)

  • Reencryption: Have decryption recompute encryption using this deterministic randomness to "check" that the recieved ciphertext is the correct one, e.g. has not been modified.

There are many techniques to do this, see this for pointers. One way of viewing this is that decryption is "redoing" many parts of encryption (and sometimes key generation, I'll ignore that though). This can lead to decryption being slower. See page 17 of the Kyber reference for cycle counts suggesting this happens.

There are cryptosystems for which it is simpler to see that $\mathsf{Dec}$ is much slower than $\mathsf{Enc}$. The easiest example is ElGamal encryption. When used as an additively homomorphic cryptosystem, decryption involves computing a certain (restricted) form of discrete logarithm. The complexity of this discrete logarithm depends on the precise computation being done, but in the general case decryption can be quite hard.

Mark Schultz-Wu
  • 15,089
  • 1
  • 22
  • 53