Skip to main content

High-speed high-security signatures

Abstract

This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.

References

  1. 1

    (no editor): 17th annual symposium on foundations of computer science, IEEE Computer Society, 1976. MR 56:1766. See [65]

  2. 2

    (no editor): Technical guideline TR-03111, elliptic curve cryptography (2009). URL:https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03111/BSI-TR-03111_pdf.pdf?_blob=publicationFile. Citations in this document: §2

  3. 3

    (no editor): SPEED: software performance enhancement for encryption and decryption, 2007. URL: http://www.hyperelliptic.org/SPEED. See [35]

  4. 4

    (no editor): Proceedings of the 6th ACM symposium on information, computer and communications security, Hong Kong, March 22–24, 2011, Association for Computing Machinery, 2011. ISBN 978-1-4503-0564-8. See [71]

  5. 5

    Abdalla, M., Barreto, P.S.L.M. (editors): Progress in cryptology—LATINCRYPT 2010, first international conference on cryptology and information security in Latin America, Puebla, Mexico, August 8–11, 2010, proceedings, Lecture Notes in Computer Science, 6212, Springer, 2010. ISBN 978-3-642-14711-1. See [60]

  6. 6

    Abe, M. (editor): Advances in cryptology—ASIACRYPT 2010, 16th international conference on the theory and application of cryptology and information security, Singapore, December 5–9, 2010, proceedings, Lecture Notes in Computer Science, 6477, Springer, 2010. ISBN 978-3-642-17372-1. See [38]

  7. 7

    Antipa, A., Brown, D.R.L., Gallant, R.P., Lambert, R.J., Struik, R., Vanstone, S.A.: Accelerated verification of ECDSA signatures, in SAC 2005 [70] (2006), 307–318. MR 2007d:94044. URL: http://www.cacr.math.uwaterloo.ca/techreports/2005/tech_reports2005.html. Citations in this document: §5, §5

  8. 8

    Atluri, V., Jaeger, T. (program chairs): Proceedings of the 10th ACM conference on computer and communications security, ACM Press, 2003. ISBN 1-58113-738-9. See [47]

  9. 9

    Barwood, G.: Digital signatures using elliptic curves, message 32f519ad. 19609226@news.dial.pipex.com posted to sci.crypt (1997). URL: http://groups.google.com/group/sci.crypt/msg/b28aba37180dd6c6. Citations in this document: §2

  10. 10

    Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures, in Eurocrypt ’98 [63] (1998), 236–250. URL: http://cseweb.ucsd.edu/~mihir/papers/batch.html. Citations in this document: §5, §5, §5, §5, §5

  11. 11

    Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma, in CCS 2006 [45] (2006), 390–399. URL: http://cseweb.ucsd.edu/~mihir/papers/multisignatures.html. Citations in this document: §2

  12. 12

    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records, in PKC 2006 [82] (2006), 207–228. URL: http://cr.yp.to/papers.html#curve25519. Citations in this document: §1, §1, §2, §2, §2, §2, §3

  13. 13

    Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves, in Africacrypt 2008 [78] (2008), 389–405. URL: http://eprint.iacr.org/2008/013. Citations in this document: §2, §2, §4

  14. 14

    Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves, in Asiacrypt 2007 [49] (2007), 29–50. URL: http://eprint.iacr.org/2007/286. Citations in this document: §2, §2

  15. 15

    Bernstein, D.J., Lange, T. (editors): eBACS: ECRYPT Benchmarking of Cryptographic Systems, accessed 19 September 2011 (2011). URL: http://bench.cr.yp.to. Citations in this document: §1

  16. 16

    Blakley, G.R., Chaum, D. (editors): Advances in cryptology, proceedings of CRYPTO ’84, Santa Barbara, California, USA, August 19–22, 1984, proceedings, Lecture Notes in Computer Science, 196, Springer, Berlin, 1985. ISBN 3-540-15658-5. MR 86j:94003. See [32]

  17. 17

    Bos, J.W.: High-performance modular multiplication on the Cell processor, in WAIFI 2010 [39] (2010), 7–24. Citations in this document: §3

  18. 18

    Brassard, G. (editor): Advances in cryptology—CRYPTO ’89, 9th annual international cryptology conference, Santa Barbara, California, USA, August 20–24, 1989, proceedings, Lecture Notes in Computer Science, 435, Springer, Berlin, 1990. ISBN 3-540-97317-6. MR 91b:94002. See [73]

  19. 19

    Brickell, E.F., Gordon, D.M., McCurley, K.S., Wilson, D.B.: Fast exponentiation with precomputation (extended abstract), in Eurocrypt ’92 [72] (1993), 200–207; see also newer version [20]. URL: http://cr.yp.to/bib/entries.html#1993/brickell-exp. Citations in this document: §4

  20. 20

    Brickell, E.F., Gordon, D.M., McCurley, K.S., Wilson, D.B.: Fast exponentiation with precomputation: algorithms and lower bounds (1995); see also older version [19]. URL: http://research.microsoft.com/~dbwilson/bgmw/

  21. 21

    Brown, M., Hankerson, D., López, J., Menezes, A.: Software implementation of the NIST elliptic curves over prime fields (2000); see also newer version [22]. URL: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-56.ps. Citations in this document: §1, §1

  22. 22

    Brown, M., Hankerson, D., López, J., Menezes, A.: Software implementation of the NIST elliptic curves over prime fields, in CT-RSA 2001 [57] (2001), 250–265; see also older version [21]. MR 1907102

  23. 23

    Brumley, B.B., Hakala, R.M.: Cache-timing template attacks, in Asiacrypt 2009 [54] (2009), 667–684. Citations in this document: §1

  24. 24

    “Bushing”, Hector Martin “marcan” Cantero, Segher Boessenkool, Sven Peter, PS3 epic fail (2010). URL: http://events.ccc.de/congress/2010/Fahrplan/attachments/1780_27c3_console_hacking_2010.pdf. Citations in this document: §2

  25. 25

    Carlsson S.: Average-case results on heapsort. BIT 27, 2–17 (1987) Citations in this document: §5

    MathSciNet  MATH  Article  Google Scholar 

  26. 26

    Costigan, N., Schwabe, P.: Fast elliptic-curve cryptography on the Cell Broadband Engine, in Africacrypt 2009 [69] (2009), 368–385. URL: http://cryptojedi.org/users/peter/#celldh. Citations in this document: §3

  27. 27

    de Rooij, P.: Efficient exponentiation using precomputation and vector addition chains, in Eurocrypt ’94 [28] (1995), 389–399. MR 1479665. Citations in this document: §5

  28. 28

    De Santis, A. (editor): Advances in cryptology—EUROCRYPT ’94, workshop on the theory and application of cryptographic techniques, Perugia, Italy, May 9–12, 1994, proceedings, Lecture Notes in Computer Science, 950, Springer, Berlin, 1995. ISBN 3-540-60176-7. MR 98h:94001. See [27], [59]

  29. 29

    Desmedt, Y. (editor): Advances in cryptology—CRYPTO ’94, 14th annual international cryptology conference, Santa Barbara, California, USA, August 21–25, 1994, proceedings, Lecture Notes in Computer Science, 839, Springer, Berlin, 1994. ISBN 3-540-58333-5. See [50]

  30. 30

    Dubois, V., Fouque, P.-A., Shamir, A., Stern, J.: Practical cryptanalysis of SFLASH, in Crypto 2007 [55] (2007), 1–12. URL: http://eprint.iacr.org/2007/141. Citations in this document: §1

  31. 31

    Duif, N.: Smart card implementation of a digital signature scheme for Twisted Edwards curves, M.A. thesis, Technische Universiteit Eindhoven, 2011. URL: http://www.nielsduif.nl/2011_05_20_report_final.pdf. Citations in this document: §4

  32. 32

    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms, in Crypto ’84 [16] (1985), 10–18; see also newer version [33]. MR 87b:94037

  33. 33

    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31 (1985), 469–472; see also older version [32]. ISSN 0018-9448. MR 86j:94045. Citations in this document: §2, §2, §2, §2, §2

  34. 34

    Galbraith, S., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves, in Eurocrypt 2009 [43] (2009), 518–535. URL: http://eprint.iacr.org/2008/194. Citations in this document: §1, §1, §1

  35. 35

    Gaudry, P., Thomé, E.: The mpFq library and implementing curvebased key exchanges, in SPEED [3] (2007), 49–64. URL: http://www.loria.fr/~gaudry/papers.en.html. Citations in this document: §1

  36. 36

    Gligoroski, D., Odegøard, R.S., Jensen, R.E., Perret, L., Faugère, J.-C., Knapskog, S.J., Markovski, S.: The digital signature scheme MQQ-SIG (2010). URL: http://eprint.iacr.org/2010/527.pdf.Citations in this document: §1

  37. 37

    Goh, E.-J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight reductions to the Diffie–Hellman problems, Journal of Cryptology 20 (2007), 493–514. URL: http://www.cs.umd.edu/~jkatz/papers.html. See [47]

  38. 38

    Granger, R.: On the static Diffie–Hellman problem on elliptic curves over extension fields, in Asiacrypt 2010 [6] (2010), 283–302. URL: http://eprint.iacr.org/2010/177. Citations in this document: §1

  39. 39

    Hasan, M.A., Helleseth, T. (editors): Arithmetic of finite fields, third international workshop, WAIFI 2010, Istanbul, Turkey, June 27–30, 2010, proceedings, Lecture Notes in Computer Science, 6087, Springer, 2010. ISBN 978-3-642-13796- 9. See [17]

  40. 40

    Hisil, H.: Elliptic curves, group law, and efficient computation, Ph.D. thesis, Queensland University of Technology, 2010. URL: http://eprints.qut.edu.au/33233. Citations in this document: §1

  41. 41

    Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited, in Asiacrypt 2008 [64] (2008), 326–343. URL: http://eprint.iacr.org/2008/522. Citations in this document: §4, §4, §4

  42. 42

    Hu, Z., Longa, P., Xu, M.: Implementing 4-dimensional GLV method on GLS elliptic curves with j-invariant 0, 15 June 2011 version, accessed 11 July 2011 (2011). URL: http://eprint.iacr.org/2011/315. Citations in this document: §1, §1, §1, §1

  43. 43

    Joux, A. (editor): Advances in cryptology—EUROCRYPT 2009, 28th annual international conference on the theory and applications of cryptographic techniques, Cologne, Germany, April 26–30, 2009, proceedings, Lecture Notes in Computer Science, 5479, Springer, 2009. ISBN 978-3-642-01000-2. See [34]

  44. 44

    Joux, A., Vitse, V.: Elliptic curve discrete logarithm problem over small degree extension fields. Application to the static Diffie–Hellman problem on \({E(\mathbf{F}_{{q}^{5}})}\) (2010). URL: http://eprint.iacr.org/2010/157. Citations in this document: §1

  45. 45

    Juels, A., Wright, R.N., De Capitani di Vimercati, S. (editors): Proceedings of the 13th ACM conference on computer and communications security, CCS 2006, Alexandria, VA, USA, October 30–November 3, 2006, Association for Computing Machinery, (2006). See [11]

  46. 46

    Käsper, E.: Fast elliptic curve cryptography in OpenSSL, in 2nd Workshop on Real-Life Cryptographic Protocols and Standardization (RLCPS 2011), to appear (2011). Citations in this document: §1, §1

  47. 47

    Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions, in CCS 2003 [8] (2003), 155–164; portions incorporated into [37]. URL: http://www.cs.umd.edu/~jkatz/papers.html. Citations in this document: §2

  48. 48

    Knuth, D.E.: The art of computer programming, volume 3: sorting and searching, 2nd edition, Addison-Wesley, Reading, 1998. ISBN 0-201-89685-0. Citations in this document: §5

  49. 49

    Kurosawa, K. (editor): Advances in cryptology—ASIACRYPT 2007, 13th international conference on the theory and application of cryptology and information security, Kuching, Malaysia, December 2–6, 2007, proceedings, Lecture Notes in Computer Science, 4833, Springer, 2007. ISBN 978-3-540-76899-9. See [14]

  50. 50

    Lim, C.H., Lee, P.J.: More flexible exponentiation with precomputation, in [29] (1994), 95–107. Citations in this document: §4

  51. 51

    Longa, P.: Speed benchmarks for elliptic curve scalar multiplication, accessed 11 July 2011 (2011). URL: http://www.patricklonga.bravehost.com/speed_ecc.html. Citations in this document: §1, §1

  52. 52

    Longa, P., Gebotys, C.H.: Efficient techniques for high-speed elliptic curve cryptography, in CHES 2010 [53] (2010), 80–94. Citations in this document: §1, §1, §1

  53. 53

    Mangard, S., Standaert, F.-X. (editors): Cryptographic hardware and embedded systems, CHES 2010, 12th international workshop, Santa Barbara, CA, USA, August 17–20, 2010, proceedings, Lecture Notes in Computer Science, 6225, Springer, 2010. ISBN 978-3-642-15030-2. See [52]

  54. 54

    Matsui, M. (editor): Advances in cryptology—ASIACRYPT 2009, 15th international conference on the theory and application of cryptology and information security, Tokyo, Japan, December 6–10, 2009, proceedings, Lecture Notes in Computer Science, 5912, Springer, 2009. ISBN 978-3-642-10365-0. See [23]

  55. 55

    Menezes, A. (editor): Advances in cryptology—CRYPTO 2007, 27th annual international cryptology conference, Santa Barbara, CA, USA, August 19–23, 2007, proceedings, Lecture Notes in Computer Science, 4622, Springer, 2007. ISBN 978-3-540-74142-8. See [30]

  56. 56

    M’Raïhi, D., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators, in SAC ’98 [77] (1999), 72–80. URL: http://www.di.ens.fr/~pointche/Documents/Papers/1998_sac.pdf. Citations in this document: §2

  57. 57

    Naccache, D. (editor): Topics in cryptology—CT-RSA 2001: the cryptographers’ track at RSA Conference 2001, San Francisco, CA, USA, April 2001, proceedings, Lecture Notes in Computer Science, 2020, Springer, 2001. ISBN 3-540-41898-9. MR 2003a:94039. See [22]

  58. 58

    Naccache, D., M’Raïhi, D., Levy-dit-Vehel, F.: Patent application WO/1998/051038: pseudo-random generator based on a hash coding function for cryptographic systems requiring random drawing (1997). URL: http://www.wipo.int/pctdb/en/ia.jsp?IA=FR1998000901. Citations in this document: §2

  59. 59

    Naccache, D., M’Raïhi, D., Vaudenay, S., Raphaeli, D.: Can D.S.A. be improved? Complexity trade-offs with the digital signature standard, in Eurocrypt ’94 [28] (1994). Citations in this document: §5, §5, §5, §5, §5, §5, §5

  60. 60

    Naehrig, M., Niederhagen, R., Schwabe, P.: New software speed records for cryptographic pairings, in Latincrypt 2010 [5] (2010), 109–123. URL: http://cryptojedi.org/users/peter/#dclxvi. Citations in this document: §3

  61. 61

    Neven, G., Smart, N.P., Warinschi, B.: Hash function requirements for Schnorr signatures, Journal of Mathematical Cryptology 3 (2009), 69–87. URL: http://www.zurich.ibm.com/~nev/papers/schnorr.html. Citations in this document: §2, §2

  62. 62

    Nguyen P.Q., Shparlinski I.:: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Designs, Codes and Cryptography 30, 201–217 (2003) Citations in this document: §2

    MathSciNet  MATH  Article  Google Scholar 

  63. 63

    Nyberg, K. (editor): Advances in cryptology—EUROCRYPT ’98, international conference on the theory and application of cryptographic techniques, Espoo, Finland, May 31–June 4, 1998, proceedings, Lecture Notes in Computer Science, 1403, Springer, 1998. ISBN 3-540-64518-7. See [10]

  64. 64

    Pieprzyk, J. (editor): Advances in cryptology—ASIACRYPT 2008, 14th international conference on the theory and application of cryptology and information security, Melbourne, Australia, December 7–11, 2008, Lecture Notes in Computer Science, 5350, 2008. ISBN 978-3-540-89254-0. See [41]

  65. 65

    Pippenger, N.: On the evaluation of powers and related problems (preliminary version), in FOCS ’76 [1] (1976), 258–263; newer version split into [66] and [67]. MR 58:3682. URL: http://cr.yp.to/bib/entries.html#1976/pippenger. Citations in this document: §4, §5

  66. 66

    Pippenger, N.: The minimum number of edges in graphs with prescribed paths, Mathematical Systems Theory 12 (1979), 325–346; see also older version [65]. ISSN 0025-5661. MR 81e:05079. URL: http://cr.yp.to/bib/entries.html#1976/pippenger

  67. 67

    Pippenger, N.: On the evaluation of powers and monomials, SIAM Journal on Computing 9 (1980), 230–250; see also older version [65]. ISSN 0097-5397. MR 82c:10064. URL: http://cr.yp.to/bib/entries.html#1976/pippenger

  68. 68

    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures, Journal of Cryptology 13 (2000), 361–396. URL: ftp://ftp.di.ens.fr/pub/users/pointche/Papers/2000_joc.pdf. Citations in this document: §2

  69. 69

    Preneel, B. (editor): Progress in cryptology—AFRICACRYPT 2009, second international conference on cryptology in Africa, Gammarth, Tunisia, June 21–25, 2009, proceedings, Lecture Notes in Computer Science, 5580, Springer, 2009. See [26]

  70. 70

    Preneel, B., Tavares, S.E. (editors): Selected areas in cryptography, 12th international workshop, SAC 2005, Kingston, ON, Canada, August 11–12, 2005, revised selected papers, Lecture Notes in Computer Science, 3897, Springer, 2006. ISBN 3-540-33108-5. MR 2007b:94002. See [7]

  71. 71

    Rangasamy, J., Stebila, D., Boyd, C., Nieto, J.G.: An integrated approach to cryptographic mitigation of denial-of-service attacks, in ASIACCS 2011 [4] (2011). URL: http://www.douglas.stebila.ca/files/research/papers/RSBG11.pdf. Citations in this document: §1

  72. 72

    Rueppel, R.A. (editor): Advances in cryptology—EUROCRYPT ’92, workshop on the theory and application of cryptographic techniques, Balatonfüred, Hungary, May 24–28, 1992, proceedings, Lecture Notes in Computer Science, 658, Springer, Berlin, 1993. ISBN 3-540-56413-6. MR 94e:94002. See [19]

  73. 73

    Schnorr, C.P.: Efficient identification and signatures for smart cards, in Crypto ’89 [18] (1990), 239–252; see also newer version [74]. Citations in this document: §2, §2, §2

  74. 74

    Schnorr, C.P.: Efficient signature generation by smart cards, Journal of Cryptology 4 (1991), 161–174; see also older version [73]. URL: http://www.mi.informatik.uni-frankfurt.de/research/papers.html

  75. 75

    Schnorr, C.P., Jakobsson, M.: Security of discrete log cryptosystems in the random oracle + generic model (2000). URL: http://www.mi.informatik.uni-frankfurt.de/research/papers.html. Citations in this document: §2

  76. 76

    Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.P.: Flaws in applying proof methodologies to signature schemes, in Crypto 2002 [81] (2002), 93–110. Citations in this document: §2

  77. 77

    Tavares, S., Meijer, H. (editors): Selected areas in cryptography, 5th annual international workshop, SAC98, Kingston, Ontario, Canada, August 17–18, 1998, proceedings, Lecture Notes in Computer Science, 1556, Springer, 1999. ISBN 3-540-65894-7. See [56]

  78. 78

    Vaudenay, S. (editor): Progress in cryptology—AFRICACRYPT 2008, First international conference on cryptology in Africa, Casablanca, Morocco, June 11–14, 2008, proceedings, Lecture Notes in Computer Science, 5023, Springer, 2008. ISBN 978-3-540-68159-5. See [13]

  79. 79

    Wegener, I.: Bottom-up-heapsort, a new variant of heapsort, beating, on average, quicksort (if n is not very small), Theoretical Computer Science 118 (1993), 81–98. Citations in this document: §5

  80. 80

    Wigley, J.: Removing need for rng in signatures, message 5gov5dpad@wapping.ecs.soton.ac.uk posted to sci.crypt (1997). URL: http://groups.google.com/group/sci.crypt/msg/a6da45bcc8939a89. Citations in this document: §2

  81. 81

    Yung, M. (editor): Advances in cryptology—CRYPTO 2002, 22nd annual international cryptology conference, Santa Barbara, California, USA, August 18–22, 2002, proceedings, Lecture Notes in Computer Science, 2442, Springer, 2002. ISBN 3-540-44050-X. See [76]

  82. 82

    Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (editors): Public key cryptography—9th international conference on theory and practice in public-key cryptography, New York, NY, USA, April 24–26, 2006, proceedings, Lecture Notes in Computer Science, 3958, Springer, 2006. ISBN 978-3-540-33851-2. See [12]

Download references

Open Access

This article is distributed under the terms of the Creative Commons Attribution License which permits any use, distribution, and reproduction in any medium, provided the original author(s) and the source are credited.

Author information

Affiliations

Authors

Corresponding author

Correspondence to Daniel J. Bernstein.

Additional information

This work was supported by the National Science Foundation under grant 1018836, by the European Commission under Contract ICT-2007-216676 ECRYPT II, and by the National Science Council, National Taiwan University and Intel Corporation under Grant NSC99-2911-I-002-001 and 99-2218-E-001-007, and the Academia Sinica Career Award. Part of this work was carried out when Peter Schwabe was employed by Academia Sinica, Taiwan. Part of this work was carried out when Niels Duif was employed by Compumatica secure networks BV, the Netherlands. Permanent ID of this document: a1a62a2f76d23f65d622484ddd09caf8. Date: 2012.01.26.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (https://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and Permissions

About this article

Cite this article

Bernstein, D.J., Duif, N., Lange, T. et al. High-speed high-security signatures. J Cryptogr Eng 2, 77–89 (2012). https://doi.org/10.1007/s13389-012-0027-1

Download citation

Keywords

  • Elliptic curves
  • Edwards curves
  • Signatures
  • Speed
  • Software side channels
  • Foolproof session keys