Journal of Cryptographic Engineering, Volume 2, Issue 2, pp 77–89

High-speed high-security signatures

  • Daniel J. Bernstein
  • Niels Duif
  • Tanja Lange
  • Peter Schwabe
  • Bo-Yin Yang
Open Access
Regular Paper

Abstract

This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
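The two side-channel properties the abstract names (no secret-dependent array indices, no secret-dependent branches) are easiest to see in a small lookup routine. The C below is an added illustration, not code from the paper or from the authors' Ed25519 implementation: it puts a naive table lookup, whose memory address depends on the secret index, beside a constant-time lookup that reads every entry and selects the wanted one with a mask, plus a branch-free conditional swap of the kind scalar-multiplication ladders use. The table contents and the function names (`lookup_naive`, `lookup_ct`, `ct_eq_mask`, `ct_cswap`, `demo_check`) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample table standing in for precomputed curve points. */
static const uint32_t demo_table[8] = {
    0x1111u, 0x2222u, 0x3333u, 0x4444u, 0x5555u, 0x6666u, 0x7777u, 0x8888u
};

/* Naive lookup: the secret index flows straight into the subscript, so the
 * address (and the cache line touched) depends on the secret. This is the
 * pattern the abstract's defenses rule out. */
static uint32_t lookup_naive(const uint32_t *table, size_t n, size_t secret_idx) {
    (void)n;
    return table[secret_idx];
}

/* Branch-free equality mask: all ones if a == b, all zeros otherwise. */
static uint32_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;                 /* zero iff a == b */
    x |= x >> 16; x |= x >> 8; x |= x >> 4; x |= x >> 2; x |= x >> 1;
    return (x & 1u) - 1u;               /* bit0 = 0 -> 0xFFFFFFFF, bit0 = 1 -> 0 */
}

/* Constant-time lookup: every entry is read regardless of secret_idx and the
 * wanted one is folded in with a mask, so neither the addresses touched nor
 * any branch depends on the secret. */
static uint32_t lookup_ct(const uint32_t *table, size_t n, size_t secret_idx) {
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = ct_eq_mask((uint32_t)i, (uint32_t)secret_idx);
        acc |= table[i] & m;
    }
    return acc;
}

/* Conditional swap driven by a secret bit (0 or 1) without a branch. */
static void ct_cswap(uint32_t *a, uint32_t *b, uint32_t bit) {
    uint32_t mask = 0u - bit;           /* 0 -> 0, 1 -> all ones */
    uint32_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Returns 1 if the constant-time routines agree with the naive ones on every
 * index of the sample table and the swap behaves as specified, else 0. */
static int demo_check(void) {
    for (size_t i = 0; i < 8; i++) {
        if (lookup_ct(demo_table, 8, i) != lookup_naive(demo_table, 8, i))
            return 0;
    }
    uint32_t a = 10, b = 20;
    ct_cswap(&a, &b, 0);
    if (a != 10 || b != 20) return 0;   /* bit 0: unchanged */
    ct_cswap(&a, &b, 1);
    if (a != 20 || b != 10) return 0;   /* bit 1: swapped */
    return 1;
}

int main(void) {
    printf("constant-time routines match naive results: %s\n",
           demo_check() ? "yes" : "no");
    return demo_check() ? 0 : 1;
}
```

The price of the masked lookup is reading the whole table on every call; that is the trade the abstract's figures already include, and it is why signing speed in such implementations depends on the table size rather than on the secret scalar's bits.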

Keywords

Elliptic curves, Edwards curves, Signatures, Speed, Software side channels, Foolproof session keys

References

  1. (no editor): 17th annual symposium on foundations of computer science, IEEE Computer Society, 1976. MR 56:1766. See [65]
  2. (no editor): Technical guideline TR-03111, elliptic curve cryptography (2009). URL: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03111/BSI-TR-03111_pdf.pdf?_blob=publicationFile. Citations in this document: §2
  3. (no editor): SPEED: software performance enhancement for encryption and decryption, 2007. URL: http://www.hyperelliptic.org/SPEED. See [35]
  4. (no editor): Proceedings of the 6th ACM symposium on information, computer and communications security, Hong Kong, March 22–24, 2011, Association for Computing Machinery, 2011. ISBN 978-1-4503-0564-8. See [71]
  5. Abdalla, M., Barreto, P.S.L.M. (editors): Progress in cryptology—LATINCRYPT 2010, first international conference on cryptology and information security in Latin America, Puebla, Mexico, August 8–11, 2010, proceedings, Lecture Notes in Computer Science, 6212, Springer, 2010. ISBN 978-3-642-14711-1. See [60]
  6. Abe, M. (editor): Advances in cryptology—ASIACRYPT 2010, 16th international conference on the theory and application of cryptology and information security, Singapore, December 5–9, 2010, proceedings, Lecture Notes in Computer Science, 6477, Springer, 2010. ISBN 978-3-642-17372-1. See [38]
  7. Antipa, A., Brown, D.R.L., Gallant, R.P., Lambert, R.J., Struik, R., Vanstone, S.A.: Accelerated verification of ECDSA signatures, in SAC 2005 [70] (2006), 307–318. MR 2007d:94044. URL: http://www.cacr.math.uwaterloo.ca/techreports/2005/tech_reports2005.html. Citations in this document: §5, §5
  8. Atluri, V., Jaeger, T. (program chairs): Proceedings of the 10th ACM conference on computer and communications security, ACM Press, 2003. ISBN 1-58113-738-9. See [47]
  9. Barwood, G.: Digital signatures using elliptic curves, message 32f519ad.19609226@news.dial.pipex.com posted to sci.crypt (1997). URL: http://groups.google.com/group/sci.crypt/msg/b28aba37180dd6c6. Citations in this document: §2
  10. Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures, in Eurocrypt ’98 [63] (1998), 236–250. URL: http://cseweb.ucsd.edu/~mihir/papers/batch.html. Citations in this document: §5, §5, §5, §5, §5
  11. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma, in CCS 2006 [45] (2006), 390–399. URL: http://cseweb.ucsd.edu/~mihir/papers/multisignatures.html. Citations in this document: §2
  12. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records, in PKC 2006 [82] (2006), 207–228. URL: http://cr.yp.to/papers.html#curve25519. Citations in this document: §1, §1, §2, §2, §2, §2, §3
  13. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves, in Africacrypt 2008 [78] (2008), 389–405. URL: http://eprint.iacr.org/2008/013. Citations in this document: §2, §2, §4
  14. Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves, in Asiacrypt 2007 [49] (2007), 29–50. URL: http://eprint.iacr.org/2007/286. Citations in this document: §2, §2
  15. Bernstein, D.J., Lange, T. (editors): eBACS: ECRYPT Benchmarking of Cryptographic Systems, accessed 19 September 2011 (2011). URL: http://bench.cr.yp.to. Citations in this document: §1
  16. Blakley, G.R., Chaum, D. (editors): Advances in cryptology, proceedings of CRYPTO ’84, Santa Barbara, California, USA, August 19–22, 1984, proceedings, Lecture Notes in Computer Science, 196, Springer, Berlin, 1985. ISBN 3-540-15658-5. MR 86j:94003. See [32]
  17. Bos, J.W.: High-performance modular multiplication on the Cell processor, in WAIFI 2010 [39] (2010), 7–24. Citations in this document: §3
  18. Brassard, G. (editor): Advances in cryptology—CRYPTO ’89, 9th annual international cryptology conference, Santa Barbara, California, USA, August 20–24, 1989, proceedings, Lecture Notes in Computer Science, 435, Springer, Berlin, 1990. ISBN 3-540-97317-6. MR 91b:94002. See [73]
  19. Brickell, E.F., Gordon, D.M., McCurley, K.S., Wilson, D.B.: Fast exponentiation with precomputation (extended abstract), in Eurocrypt ’92 [72] (1993), 200–207; see also newer version [20]. URL: http://cr.yp.to/bib/entries.html#1993/brickell-exp. Citations in this document: §4
  20. Brickell, E.F., Gordon, D.M., McCurley, K.S., Wilson, D.B.: Fast exponentiation with precomputation: algorithms and lower bounds (1995); see also older version [19]. URL: http://research.microsoft.com/~dbwilson/bgmw/
  21. Brown, M., Hankerson, D., López, J., Menezes, A.: Software implementation of the NIST elliptic curves over prime fields (2000); see also newer version [22]. URL: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-56.ps. Citations in this document: §1, §1
  22. Brown, M., Hankerson, D., López, J., Menezes, A.: Software implementation of the NIST elliptic curves over prime fields, in CT-RSA 2001 [57] (2001), 250–265; see also older version [21]. MR 1907102
  23. Brumley, B.B., Hakala, R.M.: Cache-timing template attacks, in Asiacrypt 2009 [54] (2009), 667–684. Citations in this document: §1
  24. “Bushing”, Hector Martin “marcan” Cantero, Segher Boessenkool, Sven Peter: PS3 epic fail (2010). URL: http://events.ccc.de/congress/2010/Fahrplan/attachments/1780_27c3_console_hacking_2010.pdf. Citations in this document: §2
  25. Carlsson, S.: Average-case results on heapsort, BIT 27 (1987), 2–17. Citations in this document: §5
  26. Costigan, N., Schwabe, P.: Fast elliptic-curve cryptography on the Cell Broadband Engine, in Africacrypt 2009 [69] (2009), 368–385. URL: http://cryptojedi.org/users/peter/#celldh. Citations in this document: §3
  27. de Rooij, P.: Efficient exponentiation using precomputation and vector addition chains, in Eurocrypt ’94 [28] (1995), 389–399. MR 1479665. Citations in this document: §5
  28. De Santis, A. (editor): Advances in cryptology—EUROCRYPT ’94, workshop on the theory and application of cryptographic techniques, Perugia, Italy, May 9–12, 1994, proceedings, Lecture Notes in Computer Science, 950, Springer, Berlin, 1995. ISBN 3-540-60176-7. MR 98h:94001. See [27], [59]
  29. Desmedt, Y. (editor): Advances in cryptology—CRYPTO ’94, 14th annual international cryptology conference, Santa Barbara, California, USA, August 21–25, 1994, proceedings, Lecture Notes in Computer Science, 839, Springer, Berlin, 1994. ISBN 3-540-58333-5. See [50]
  30. Dubois, V., Fouque, P.-A., Shamir, A., Stern, J.: Practical cryptanalysis of SFLASH, in Crypto 2007 [55] (2007), 1–12. URL: http://eprint.iacr.org/2007/141. Citations in this document: §1
  31. Duif, N.: Smart card implementation of a digital signature scheme for Twisted Edwards curves, M.A. thesis, Technische Universiteit Eindhoven, 2011. URL: http://www.nielsduif.nl/2011_05_20_report_final.pdf. Citations in this document: §4
  32. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms, in Crypto ’84 [16] (1985), 10–18; see also newer version [33]. MR 87b:94037
  33. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31 (1985), 469–472; see also older version [32]. ISSN 0018-9448. MR 86j:94045. Citations in this document: §2, §2, §2, §2, §2
  34. Galbraith, S., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves, in Eurocrypt 2009 [43] (2009), 518–535. URL: http://eprint.iacr.org/2008/194. Citations in this document: §1, §1, §1
  35. Gaudry, P., Thomé, E.: The mpFq library and implementing curve-based key exchanges, in SPEED [3] (2007), 49–64. URL: http://www.loria.fr/~gaudry/papers.en.html. Citations in this document: §1
  36. Gligoroski, D., Odegøard, R.S., Jensen, R.E., Perret, L., Faugère, J.-C., Knapskog, S.J., Markovski, S.: The digital signature scheme MQQ-SIG (2010). URL: http://eprint.iacr.org/2010/527.pdf. Citations in this document: §1
  37. Goh, E.-J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight reductions to the Diffie–Hellman problems, Journal of Cryptology 20 (2007), 493–514. URL: http://www.cs.umd.edu/~jkatz/papers.html. See [47]
  38. Granger, R.: On the static Diffie–Hellman problem on elliptic curves over extension fields, in Asiacrypt 2010 [6] (2010), 283–302. URL: http://eprint.iacr.org/2010/177. Citations in this document: §1
  39. Hasan, M.A., Helleseth, T. (editors): Arithmetic of finite fields, third international workshop, WAIFI 2010, Istanbul, Turkey, June 27–30, 2010, proceedings, Lecture Notes in Computer Science, 6087, Springer, 2010. ISBN 978-3-642-13796-9. See [17]
  40. Hisil, H.: Elliptic curves, group law, and efficient computation, Ph.D. thesis, Queensland University of Technology, 2010. URL: http://eprints.qut.edu.au/33233. Citations in this document: §1
  41. Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited, in Asiacrypt 2008 [64] (2008), 326–343. URL: http://eprint.iacr.org/2008/522. Citations in this document: §4, §4, §4
  42. Hu, Z., Longa, P., Xu, M.: Implementing 4-dimensional GLV method on GLS elliptic curves with j-invariant 0, 15 June 2011 version, accessed 11 July 2011 (2011). URL: http://eprint.iacr.org/2011/315. Citations in this document: §1, §1, §1, §1
  43. Joux, A. (editor): Advances in cryptology—EUROCRYPT 2009, 28th annual international conference on the theory and applications of cryptographic techniques, Cologne, Germany, April 26–30, 2009, proceedings, Lecture Notes in Computer Science, 5479, Springer, 2009. ISBN 978-3-642-01000-2. See [34]
  44. Joux, A., Vitse, V.: Elliptic curve discrete logarithm problem over small degree extension fields. Application to the static Diffie–Hellman problem on \(E(\mathbf{F}_{q^{5}})\) (2010). URL: http://eprint.iacr.org/2010/157. Citations in this document: §1
  45. Juels, A., Wright, R.N., De Capitani di Vimercati, S. (editors): Proceedings of the 13th ACM conference on computer and communications security, CCS 2006, Alexandria, VA, USA, October 30–November 3, 2006, Association for Computing Machinery, 2006. See [11]
  46. Käsper, E.: Fast elliptic curve cryptography in OpenSSL, in 2nd Workshop on Real-Life Cryptographic Protocols and Standardization (RLCPS 2011), to appear (2011). Citations in this document: §1, §1
  47. Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions, in CCS 2003 [8] (2003), 155–164; portions incorporated into [37]. URL: http://www.cs.umd.edu/~jkatz/papers.html. Citations in this document: §2
  48. Knuth, D.E.: The art of computer programming, volume 3: sorting and searching, 2nd edition, Addison-Wesley, Reading, 1998. ISBN 0-201-89685-0. Citations in this document: §5
  49. Kurosawa, K. (editor): Advances in cryptology—ASIACRYPT 2007, 13th international conference on the theory and application of cryptology and information security, Kuching, Malaysia, December 2–6, 2007, proceedings, Lecture Notes in Computer Science, 4833, Springer, 2007. ISBN 978-3-540-76899-9. See [14]
  50. Lim, C.H., Lee, P.J.: More flexible exponentiation with precomputation, in [29] (1994), 95–107. Citations in this document: §4
  51. Longa, P.: Speed benchmarks for elliptic curve scalar multiplication, accessed 11 July 2011 (2011). URL: http://www.patricklonga.bravehost.com/speed_ecc.html. Citations in this document: §1, §1
  52. Longa, P., Gebotys, C.H.: Efficient techniques for high-speed elliptic curve cryptography, in CHES 2010 [53] (2010), 80–94. Citations in this document: §1, §1, §1
  53. Mangard, S., Standaert, F.-X. (editors): Cryptographic hardware and embedded systems, CHES 2010, 12th international workshop, Santa Barbara, CA, USA, August 17–20, 2010, proceedings, Lecture Notes in Computer Science, 6225, Springer, 2010. ISBN 978-3-642-15030-2. See [52]
  54. Matsui, M. (editor): Advances in cryptology—ASIACRYPT 2009, 15th international conference on the theory and application of cryptology and information security, Tokyo, Japan, December 6–10, 2009, proceedings, Lecture Notes in Computer Science, 5912, Springer, 2009. ISBN 978-3-642-10365-0. See [23]
  55. Menezes, A. (editor): Advances in cryptology—CRYPTO 2007, 27th annual international cryptology conference, Santa Barbara, CA, USA, August 19–23, 2007, proceedings, Lecture Notes in Computer Science, 4622, Springer, 2007. ISBN 978-3-540-74142-8. See [30]
  56. M’Raïhi, D., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators, in SAC ’98 [77] (1999), 72–80. URL: http://www.di.ens.fr/~pointche/Documents/Papers/1998_sac.pdf. Citations in this document: §2
  57. Naccache, D. (editor): Topics in cryptology—CT-RSA 2001: the cryptographers’ track at RSA Conference 2001, San Francisco, CA, USA, April 2001, proceedings, Lecture Notes in Computer Science, 2020, Springer, 2001. ISBN 3-540-41898-9. MR 2003a:94039. See [22]
  58. Naccache, D., M’Raïhi, D., Levy-dit-Vehel, F.: Patent application WO/1998/051038: pseudo-random generator based on a hash coding function for cryptographic systems requiring random drawing (1997). URL: http://www.wipo.int/pctdb/en/ia.jsp?IA=FR1998000901. Citations in this document: §2
  59. Naccache, D., M’Raïhi, D., Vaudenay, S., Raphaeli, D.: Can D.S.A. be improved? Complexity trade-offs with the digital signature standard, in Eurocrypt ’94 [28] (1994). Citations in this document: §5, §5, §5, §5, §5, §5, §5
  60. Naehrig, M., Niederhagen, R., Schwabe, P.: New software speed records for cryptographic pairings, in Latincrypt 2010 [5] (2010), 109–123. URL: http://cryptojedi.org/users/peter/#dclxvi. Citations in this document: §3
  61. Neven, G., Smart, N.P., Warinschi, B.: Hash function requirements for Schnorr signatures, Journal of Mathematical Cryptology 3 (2009), 69–87. URL: http://www.zurich.ibm.com/~nev/papers/schnorr.html. Citations in this document: §2, §2
  62. Nguyen, P.Q., Shparlinski, I.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces, Designs, Codes and Cryptography 30 (2003), 201–217. Citations in this document: §2
  63. Nyberg, K. (editor): Advances in cryptology—EUROCRYPT ’98, international conference on the theory and application of cryptographic techniques, Espoo, Finland, May 31–June 4, 1998, proceedings, Lecture Notes in Computer Science, 1403, Springer, 1998. ISBN 3-540-64518-7. See [10]
  64. Pieprzyk, J. (editor): Advances in cryptology—ASIACRYPT 2008, 14th international conference on the theory and application of cryptology and information security, Melbourne, Australia, December 7–11, 2008, Lecture Notes in Computer Science, 5350, 2008. ISBN 978-3-540-89254-0. See [41]
  65. Pippenger, N.: On the evaluation of powers and related problems (preliminary version), in FOCS ’76 [1] (1976), 258–263; newer version split into [66] and [67]. MR 58:3682. URL: http://cr.yp.to/bib/entries.html#1976/pippenger. Citations in this document: §4, §5
  66. Pippenger, N.: The minimum number of edges in graphs with prescribed paths, Mathematical Systems Theory 12 (1979), 325–346; see also older version [65]. ISSN 0025-5661. MR 81e:05079. URL: http://cr.yp.to/bib/entries.html#1976/pippenger
  67. Pippenger, N.: On the evaluation of powers and monomials, SIAM Journal on Computing 9 (1980), 230–250; see also older version [65]. ISSN 0097-5397. MR 82c:10064. URL: http://cr.yp.to/bib/entries.html#1976/pippenger
  68. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures, Journal of Cryptology 13 (2000), 361–396. URL: ftp://ftp.di.ens.fr/pub/users/pointche/Papers/2000_joc.pdf. Citations in this document: §2
  69. Preneel, B. (editor): Progress in cryptology—AFRICACRYPT 2009, second international conference on cryptology in Africa, Gammarth, Tunisia, June 21–25, 2009, proceedings, Lecture Notes in Computer Science, 5580, Springer, 2009. See [26]
  70. Preneel, B., Tavares, S.E. (editors): Selected areas in cryptography, 12th international workshop, SAC 2005, Kingston, ON, Canada, August 11–12, 2005, revised selected papers, Lecture Notes in Computer Science, 3897, Springer, 2006. ISBN 3-540-33108-5. MR 2007b:94002. See [7]
  71. Rangasamy, J., Stebila, D., Boyd, C., Nieto, J.G.: An integrated approach to cryptographic mitigation of denial-of-service attacks, in ASIACCS 2011 [4] (2011). URL: http://www.douglas.stebila.ca/files/research/papers/RSBG11.pdf. Citations in this document: §1
  72. Rueppel, R.A. (editor): Advances in cryptology—EUROCRYPT ’92, workshop on the theory and application of cryptographic techniques, Balatonfüred, Hungary, May 24–28, 1992, proceedings, Lecture Notes in Computer Science, 658, Springer, Berlin, 1993. ISBN 3-540-56413-6. MR 94e:94002. See [19]
  73. Schnorr, C.P.: Efficient identification and signatures for smart cards, in Crypto ’89 [18] (1990), 239–252; see also newer version [74]. Citations in this document: §2, §2, §2
  74. Schnorr, C.P.: Efficient signature generation by smart cards, Journal of Cryptology 4 (1991), 161–174; see also older version [73]. URL: http://www.mi.informatik.uni-frankfurt.de/research/papers.html
  75. Schnorr, C.P., Jakobsson, M.: Security of discrete log cryptosystems in the random oracle + generic model (2000). URL: http://www.mi.informatik.uni-frankfurt.de/research/papers.html. Citations in this document: §2
  76. Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.P.: Flaws in applying proof methodologies to signature schemes, in Crypto 2002 [81] (2002), 93–110. Citations in this document: §2
  77. Tavares, S., Meijer, H. (editors): Selected areas in cryptography, 5th annual international workshop, SAC’98, Kingston, Ontario, Canada, August 17–18, 1998, proceedings, Lecture Notes in Computer Science, 1556, Springer, 1999. ISBN 3-540-65894-7. See [56]
  78. Vaudenay, S. (editor): Progress in cryptology—AFRICACRYPT 2008, first international conference on cryptology in Africa, Casablanca, Morocco, June 11–14, 2008, proceedings, Lecture Notes in Computer Science, 5023, Springer, 2008. ISBN 978-3-540-68159-5. See [13]
  79. Wegener, I.: Bottom-up-heapsort, a new variant of heapsort, beating, on average, quicksort (if n is not very small), Theoretical Computer Science 118 (1993), 81–98. Citations in this document: §5
  80. Wigley, J.: Removing need for rng in signatures, message 5gov5dpad@wapping.ecs.soton.ac.uk posted to sci.crypt (1997). URL: http://groups.google.com/group/sci.crypt/msg/a6da45bcc8939a89. Citations in this document: §2
  81. Yung, M. (editor): Advances in cryptology—CRYPTO 2002, 22nd annual international cryptology conference, Santa Barbara, California, USA, August 18–22, 2002, proceedings, Lecture Notes in Computer Science, 2442, Springer, 2002. ISBN 3-540-44050-X. See [76]
  82. Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (editors): Public key cryptography—9th international conference on theory and practice in public-key cryptography, New York, NY, USA, April 24–26, 2006, proceedings, Lecture Notes in Computer Science, 3958, Springer, 2006. ISBN 978-3-540-33851-2. See [12]

Copyright information

© The Author(s) 2012

Authors and Affiliations

  • Daniel J. Bernstein (1)
  • Niels Duif (2)
  • Tanja Lange (2)
  • Peter Schwabe (3)
  • Bo-Yin Yang (4)

  1. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands
  3. Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan
  4. Institute of Information Science, Academia Sinica, Taipei, Taiwan