Is there some rough analysis or estimation of how much overhead in bytes an encryption using a public key could add to the final object?
4
- @ArtemS.Tashkinov: Without the public key. You mean that if I have e.g. 10MB of data to encrypt the output size after the encryption is also 10MB?Jim– Jim2023-03-28 20:01:05 +00:00Commented Mar 28, 2023 at 20:01
- This depends on the used algorithm and padding. I expect a constant factor of the plain text size (magnitude 1.5)guidot– guidot2023-03-29 12:22:45 +00:00Commented Mar 29, 2023 at 12:22
- @mentallurg: Recommendation of minimum amount of padding to be used for RSA is around 40%.guidot– guidot2023-03-30 11:13:23 +00:00Commented Mar 30, 2023 at 11:13
- @mentallurg: You are repeating yourself (cf. your existing answer) and you don't have to convince me.guidot– guidot2023-03-30 14:25:35 +00:00Commented Mar 30, 2023 at 14:25
Add a comment |
1 Answer
Public key encryption vs. hybrid encryption
For public key encryption, the length of the data to encrypt as well as the length of the encryption result cannot be bigger than the key length. For instance, for a 2048 bit key the length of the data cannot be bigger than 2048 bits, i.e. 256 bytes. For RSA, padding is needed, like OAEP. For RSA key of 2048 bits = 256 bytes, with OAEP and SHA1, the maximal data length to encrypt is 214 bytes. See many good answers about RSA encryption here.
A naive approach would be to split the file into such small chunks and encrypt each of them. But them other problems would come. For instance, we would need to make sure that the encrypted message was not modified, namely, that no blocks were added, no blocks were removed.
Besides, encryption operations mean basically multiplication and modulo and are relatively slow.
That's why plain public key encryption is not used to encrypt relatively big files. Instead, usually a hybrid encryption is used. Data are encrypted with a symmetric algorithm. The symmetric key is encrypted with a public key. To decrypt such message, first the symmetric key is decrypted using private key. Then the data are decrypted using the symmetric algorithm.
Symmetric algorithms like AES, ChaCha20, ThreeFish in their core part don't change data size during encryption. But usually an IV (initialization vector) is needed and padding. For instance, AES CTR uses usually 128 bit = 16 bytes IV.
The widely used symmetric algorithms like AES are faster than public key algorithms. Furthermore, many CPUs support AES natively, which means even higher performance.
Overhead for hybrid encryption
Suppose we use RSA 2048 bits with AES-256 and GCM mode. The overhead will be:
- AES-256 key encrypted with RSA: 256 bytes
- AES padding, if data length is not multiple of 16: 0 to 15 bytes
- Initialization vector for AES: 16 bytes
- GCM authentication tag: 16 bytes
Thus the total overhead is 288 - 303 bytes, no matter how long are the data that need to be encrypted.
Overhead for symmetric encryption
If you decide to use symmetric encryption, let say AES-256 and GCM mode, the overhead will be:
- Initialization vector for AES: 16 bytes
- AES padding, if data length is not multiple of 16: 0 to 15 bytes
- GCM authentication tag: 16 bytes
Thus the total overhead will be 32 - 47 bytes, no matter how long are the data that need to be encrypted.
- Actually I am interested only in public key encryption as the use case is for encrypt once and store and not encrypt/decrypt over e.g. a connection. So based on your first paragraph I am not sure what you mean. Does it mean that e.g. if I have 10MB of data to encrypt the encrypted output is also 10MB?Jim– Jim2023-03-28 20:00:23 +00:00Commented Mar 28, 2023 at 20:00
- @Jim: I have updated the answer. Please reload the page, if you have it open.mentallurg– mentallurg2023-03-28 22:18:15 +00:00Commented Mar 28, 2023 at 22:18
- Thank you providing lots of details. I am not clear though if using public key encryption increases the size of the object. From your first paragraph I think it does not?Jim– Jim2023-03-30 09:04:37 +00:00Commented Mar 30, 2023 at 9:04
- Public key encryption does increase the data size. For RSA 2048 bits key and OAEP the encrypted size is always 256 bytes. Means, if you encrypt 1 byte, the encryption result will be 256 byte long. If you encrypt 214 bytes, the encryption result will be also 256 bytes long. But you cannot encrypt more than 214 bytes in this case.mentallurg– mentallurg2023-03-30 10:36:03 +00:00Commented Mar 30, 2023 at 10:36
- Any good encryption scheme should increase data size, because 1) It should use some random data. Otherwise the same data encrypted with the same key will always produce the same result, which will break confidentiality; 2) It should use authentication tag. In case of AES GCM it is usually 16 bytes.mentallurg– mentallurg2023-03-30 10:45:21 +00:00Commented Mar 30, 2023 at 10:45