Verificatum JavaScript Cryptographic Library
Browser: (best effort detection)

Each benchmark computes at least samples of the measured quantity and takes the average. The running time of the layout engine is not included in the running time. Note that benchmarks give different results using different JavaScript engines and that other factors may influence the results. In particular, the last measurements may not reflect actual running time (it would be faster), since the garbage collection is poor on some platforms. Thus, interpret the results with care and investigate the particular case you are interested in before drawing any hard conclusions.

The library is designed with pre-computation in mind all the way up to the highest abstraction layer. Combined with a web worker as in this benchmark, such computations can be done in the background.


The running times include the cost of generating random exponents, which gives an upper bound of the running time of the actual exponentiation.

The running time of modular exponentiation is increased by almost factor of 8 when the bit size of the modulus is doubled as expected from a relatively naive implementation. A similar behavior can be seen in the elliptic curves with growing field size, but with a slightly smaller factor.

Standard Multiplicative Groups


Standard Elliptic Curves


Fixed-basis Exponentiation for Selected Groups

Here zero gives plain exponentiation for easy reference.


Encryption over Selected Groups

The running time of encryption grows linearly with the width, so the values for greater widths are readily extrapolated from the given numbers.

El Gamal Encryption (ms / ciphertext)

This is only benchmarked for the purpose of comparison. It is not CCA2 secure or even non-malleable, and should therefore not be used unless other equivalent mechanisms are in place.


El Gamal Encryption with Label and ZKPoK (ms / ciphertext)

This is the simplest cryptosystem, which is non-malleable in a standard heuristic sense, i.e., it is the El Gamal cryptosystem with proof of knowledge of the randomness turned non-interactive using the Fiat-Shamir heuristic. This is not provably secure in the random oracle model, but likely to be secure.


Naor-Yung with Label and ZKPoK (ms / ciphertext)

This is the Naor-Yung cryptosystem, which is provably CCA2 secure with the Fiat-Shamir heuristic in the random oracle model.