Table 3 (decryption) from link [2] shows that it took 1.265 seconds for 233 bit ECC and 0.031 seconds for 2240 bit RSA to encrypt something. The associated comment was:
>We noted that the encryption by the RSA algorithm is faster than the one with ECC algorithm.
While we are here, I will point out that the performance was almost the same for the same key lengths in the encryption case.
So ECC seems to be faster for key generation but overall slower for everything else.
Those numbers are clearly nonsense; notice how the smaller ones don't even scale with key size, while they obviously should to some extent. That paper is flawed. They obviously made a mistake.
71000 signature verifications per second and 109000 signature generations per second on a quad-core machine. That is much, much faster than RSA.
It's well established that ECC is much faster than RSA in general. I suspect I know what happened. DSA signature schemes require randomness to generate signatures, unlike RSA. They probably were using an entropy-constrained random number generator. That bottlenecked ECDSA through no fault of the algorithm. Ed25519 does not suffer from this issue, since it is constructed in a way that requires no external source of randomness (the random part is substituted with a deterministic hash of the key and input).
If you want to prove that ed25519 is generally faster than RSA for signatures I think you would have to find a benchmark that supports your contention.
That one has ed25519 signing 60x faster than RSA-2048. Verification is a bit slower with ed25519 (RSA is very asymmetric there due to the low hamming weight public exponents), but considering the difference in security level, it basically works out to about the same.
So signature verification is about the same for EC vs RSA, while EC is much faster than RSA for signature generation, and ridiculously faster for key generation. EC certainly isn't significantly slower than RSA for any equivalent operation, and definitely not by 40x like the paper you linked claims. That is just wrong.
It is fairly well accepted that RSA is faster than most curve based things for signature verification and your sources support that?
This is all in response to another user who said:
> There is a massive performance difference—not just size, but computation as well.
... and we don't know exactly what they meant by that, but I was pointing out that it was not that simple...
Asymmetrical performance is normally not very important in most systems due to the use of symmetric stuff to do all the heavy lifting. The exception would be if you were doing some sort of forward secrecy scheme that involved forgetting the private key for each and every message. There the speed of ECDHE is helpful vs the slow key generation of RSA. However, the Signal Protocol shows us we can use a hash ratchet for such short cycle forward secrecy schemes so that key generation speed does not have to be a significant issue.
>We noted that the encryption by the RSA algorithm is faster than the one with ECC algorithm.
While we are here, I will point out that the performance was almost the same for the same key lengths in the encryption case.
So ECC seems to be faster for key generation but overall slower for everything else.