Let's consider the CTR mode. For a faster encryption/decryption, is it preferable to use the decryption operation of AES, or its encryption ?
Asked
Active
Viewed 7,326 times
5 Answers
8
Given the choice, it is preferable to use the block encryption operation of AES, since it often faster than block decryption (never slower AFAIK). For this reason, AES-CTR is defined to use the block encryption operation of AES exclusively; that's both for AES-CTR encryption and AES-CTR decryption, which are the same operation except for IV generation/input.
AES block encryption is faster than AES block decryption because:
- MixColumns uses a matrix with smaller coefficients than InvMixColumns, thus is simpler to compute (that's particularly true for purely software implementations; hardware implementations sometime use the same number of cycles, including I believe Intel's AES-NI instructions).
- during encryption, subkeys are needed in the order they are produced from the key, but during decryption that order is reversed, therefore on implementations (including hardware) that start decryption with the pristine key as input, some preliminary work is necessary before decryption can start (there's no known shortcut).
Here is for example a crypto library performance report (single-thread, software AES) showing speed differences.
1
It is usually seen that decryption operations are slightly faster than encryption. But considering the working mode of AES, CTR uses same steps in both encryption and decryption. So It does not matter which one you use in CTR, both should give essentially same performance.
rijndael
- 471
- 1
- 6
- 15
1
The one you have in hardware.
Sometimes the hardware only supports block encryption (because it is sufficient for e.g. CTR), in which case that will be faster. If the hardware supports both, there is probably no difference. I doubt many implementations only support decryption, but if you have one that does, that would be faster.
The speed of raw encryption/decryption should not differ much if you have similar implementations of both. Every step of AES encryption has a counterpart in decryption that works the same, only with different numbers. (The same is not necessarily true for all ciphers.)
Any practical difference in encryption vs. decryption speed with AES is usually due to the mode of encryption used. For example, random IVs take time to generate during encryption but not decryption, while CBC and CFB modes are parallelizable during decryption but not encryption. None of that matters for which direction you should use in CTR mode.
otus
- 32,462
- 5
- 75
- 167
1
You should use the encryption mode for AES in CTR mode simply because everybody else does. Switching to another CTR implementation will be hell if you don't.
Maarten Bodewes
- 96,351
- 14
- 169
- 323
0
For CTR mode there shouldn't be any significant difference. However if you are looking at doing a performance test, it would be a good idea to consider the effect of system cache while measuring the encryption/decryption time. If your tests involved encrypting data in file, encryption requires disk reads. When you are performing the decryption operation there is a higher probability for the data to be still in cache memory and which would reduce the time to decrypt.
Here is a related answer to a similar question link
