The library is designed with pre-computation in mind all the way up to the highest abstraction layer. Combined with a web worker as in this benchmark, such computations can be done in the background.
The running times include the cost of generating random exponents, so they give an upper bound on the running time of the actual exponentiation.
The running time of modular exponentiation increases by a factor of almost 8 when the bit size of the modulus is doubled, as expected from a relatively naive implementation (quadratic-time multiplication, and an exponent with twice as many bits). Similar behavior can be seen in the elliptic curves with growing field size, but with a slightly smaller factor.
Here zero gives plain exponentiation for easy reference.
The running time of encryption grows linearly with the width, so the values for greater widths are readily extrapolated from the given numbers.
This is only benchmarked for the purpose of comparison. It is not CCA2 secure or even non-malleable, and should therefore not be used unless other equivalent mechanisms are in place.
This is the simplest cryptosystem that is non-malleable in a standard heuristic sense, i.e., it is the El Gamal cryptosystem with a proof of knowledge of the randomness, made non-interactive using the Fiat-Shamir heuristic. This is not provably secure in the random oracle model, but is likely to be secure.
This is the Naor-Yung cryptosystem, which is provably CCA2 secure with the Fiat-Shamir heuristic in the random oracle model.
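The following added example (not code from the library, and not its API) contrasts the malleable baseline with the Fiat-Shamir variant described above, showing why a receiver should only accept ciphertexts whose proof verifies. It assumes Node.js, takes the baseline to be plain El Gamal, uses the RFC 3526 group 14 prime through Node's `getDiffieHellman`, and every function name in it is hypothetical.

```javascript
// Added example (Node.js); toy code for illustration, not the library's API.
const { createHash, getDiffieHellman, randomBytes } = require("crypto");

// Group: prime-order-Q subgroup of Z_P^*, P = 2Q + 1 (RFC 3526 group 14).
const P = BigInt("0x" + getDiffieHellman("modp14").getPrime("hex"));
const Q = (P - 1n) / 2n;
const G = 4n; // a square mod P, so it has order Q

const mod = (a, n) => ((a % n) + n) % n;
function modPow(base, exp, n = P) {
  let result = 1n;
  for (base = mod(base, n); exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % n;
    base = (base * base) % n;
  }
  return result;
}
// 65 extra bits before reduction keep the modular bias negligible.
const randomExponent = () => mod(BigInt("0x" + randomBytes(264).toString("hex")), Q);

function keygen() {
  const x = randomExponent();
  return { x, y: modPow(G, x) };
}
// Plain El Gamal: (u, v) = (g^r, y^r * m), with m a group element.
function encrypt(y, m, r = randomExponent()) {
  return { u: modPow(G, r), v: (modPow(y, r) * m) % P };
}
const decrypt = (x, { u, v }) => (v * modPow(u, Q - x)) % P; // u^(Q-x) = u^(-x)

// Fiat-Shamir challenge over the key, the whole ciphertext and the commitment.
function challenge(...elems) {
  const data = elems.map((e) => e.toString(16)).join("|");
  return BigInt("0x" + createHash("sha256").update(data).digest("hex"));
}
// El Gamal plus a Schnorr proof (a, z) of knowledge of r with u = g^r.
function encryptWithProof(y, m) {
  const r = randomExponent(), k = randomExponent();
  const { u, v } = encrypt(y, m, r);
  const a = modPow(G, k);
  return { u, v, a, z: mod(k + challenge(y, u, v, a) * r, Q) };
}
function verify(y, { u, v, a, z }) {
  const inGroup = [u, v, a].every((e) => e > 0n && e < P && modPow(e, Q) === 1n);
  return inGroup && modPow(G, z) === (a * modPow(u, challenge(y, u, v, a))) % P;
}
// What a receiver must expect: scaling v re-targets the plaintext to m * t.
const rescale = (c, t) => ({ ...c, v: (c.v * t) % P });
```

A rescaled plain ciphertext still decrypts, to `m * t`, whereas the same change to a ciphertext from `encryptWithProof` makes `verify` return `false`, because the challenge is bound to `v`.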