Performance metrices of cryptographic algorithms

Question

I'm a beginner and working on cryptography performance metrics.

• My question is that what are the important metrics to check the performance of Cryptography Algorithms.

Answer 1

Criteria for evaluation of Cryptography Algorithms:

• Having public specification (the only secret is the key).
• Patent status.
• What it aims at: block cipher (DES, AES..), cipher, message digest, MAC, proof of origin, signature, key establishment, TRNG, PRNG.
• Requirements for and limitations of the algorithm itself.
  • Randomness requirements;
  • Requirements to validate the input parameters (e.g. public key for ECDH).
• Being symmetric (block ciphers, SHA) or asymmetric (RSA, ECDSA, ECDH).
• Security under some threat model:
  • Resistance to key recovery (bounded at least by key size);
  • Block size (for block ciphers);
  • Resistance to pure cryptanalytic attacks;
  • Resistance to side-channel leakage (with many subdivisions);
  • Resistance to fault injection.
• Complexity and familiarity / learning curve to use the algorithm.
• Parameter sizes:
  • Output size (overhead / expansion ratio);
  • Encoded (public) key size;
  • Accepted input sizes;
• Speed (often very platform-dependent):
  • Cycles/byte averages for large messages or multiple uses with the same key;
  • Time to setup a new key;
  • Time versus size.
• Memory footprint:
  • Code;
  • RAM per running instance.
• Availability of a version with suitable characteristics as above on a given platform.
• Acceptance by security authorities.

_{Note: fell free to restructure / add to the list, this is a community wiki.}

Answer 2

The SUPERCOP page lists the following criteria:

Hashing

• Time to hash a very short packet of data.

• Time to hash a typical-size Internet packet.

• Time to hash a long message.

• Length of the hash output.

Symmetric encryption

• Time to encrypt a very short packet of data using a secret key and a nonce.

• Time to encrypt a typical-size Internet packet.

• Time to encrypt a long message.

• Length of the secret key.

• Length of the nonce.

• Time for authenticated encryption of a short packet of data.

• Time for authenticated encryption of a typical-size Internet packet.

• Time for authenticated encryption of a long message.

Asymmetric algorithms

• Time to generate a key pair (a private key and a corresponding public key).

• Length of the private key.

• Length of the public key.

• Time to generate a shared secret from a private key and another user's public key.

• Length of the shared secret.

• Time to encrypt a message using a public key.

• Length of the encrypted message.

• Time to decrypt a message using a private key.

• Time to sign a message using a private key.

• Length of the signed message.

• Time to verify a signed message using a public key.

MACs

Curiously, MACs do not appear to be measured with SUPERCOP. AEAD schemes may include them, but there is not standalone category for measuring MACs. Some relevant metrics might be:

• Key size
• Time to evaluate on small messages
• Time to evaluate on large messages

Other metrics

Another standard metric (as mentioned in another answer) is cycles per byte. This is a measurement of how many CPU cycles it took to perform the operation per each byte of input.

I suspect that power consumption may also be a relevant metric, considering the prevalence of mobile/IoT devices.

Throughput is a common metric, which is the amount of data per unit of time (e.g. second) that a system can process.

As mentioned in the other answer (again), many of these metrics will be platform dependent.

Note

The above includes metrics used for asymmetric algorithms and hashing, but the question mentions interest in DES, AES, etc and so may only be interested in symmetric encryption algorithms or all of the above - it is not clear.