Curve25519: New Diffie-Hellman Speed Records

  • Daniel J. Bernstein
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)

Abstract

This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors’ results at the same conjectured security level (with or without the side benefits).

Keywords

Diffie-Hellman elliptic curves point multiplication new curve new software high conjectured security high speed constant time short keys 

References

  1. 1.
    17th annual symposium on foundations of computer science. IEEE Computer Society, Long Beach (1976); MR 56:1766. See [52].Google Scholar
  2. 2.
    Alster, K., Urbanowicz, J., Williams, H.C. (eds.): Public-key cryptography and computational number theory: proceedings of the international conference held in Warsaw, September 11–15, 2000. Walter de Gruyter, Berlin (2001); ISBN 3–11–017046–9. MR 2002h:94001. See [60]MATHGoogle Scholar
  3. 3.
    Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: [21], pp. 211–223 (2003); MR 2171928. Citations in this paper: §1Google Scholar
  4. 4.
    Avanzi, R.M.: Aspects of hyperelliptic curves over large prime fields in software implementations. In: [36], pp. 148–162 (2004); Citations in this paper: §1, §5Google Scholar
  5. 5.
    Avanzi, R.M.: Generic algorithms for computing discrete logarithms. In: [19], pp. 477–494 (2005); MR 2162735. Citations in this paper: §3, §3Google Scholar
  6. 6.
    Avanzi, R.M., Mihăilescu, P.: Generic efficient arithmetic algorithms for PAFFs (processor adequate finite fields) and related algebraic structures (extended abstract). In: [43], pp. 320–334 (2004); Citations in this paper: §4Google Scholar
  7. 7.
    Bailey, D.V., Paar, C.: Efficient arithmetic in finite field extensions with application in elliptic curve cryptography. Journal of Cryptology 14, 153–176 (2001); ISSN 0933–2790. Citations in this paper: §1, §4MathSciNetCrossRefMATHGoogle Scholar
  8. 8.
    Bellare, M. (ed.): CRYPTO 2000. LNCS, vol. 1880. Springer, Heidelberg (2000); ISBN 3–540–67907–3. MR 2002c:94002. See [14]MATHGoogle Scholar
  9. 9.
    Bender, A., Castagnoli, G.: On the implementation of elliptic curve cryptosystems. In: [16], pp. 186–192 (1990); MR 91d:11154. Citations in this paper: §4Google Scholar
  10. 10.
    Bentahar, K.: The equivalence between the DHP and DLP for elliptic curves used in practical applications (revisited, 2005); Citations in this paper: §3, http://eprint.iacr.org/2005/307
  11. 11.
    Bernstein, D.J.: The Poly1305-AES message-authentication code. In: [32], pp. 32–49 (2005); ID 0018d9551b5 546d97c340e0dd8cb5750. Citations in this paper: §4, http://cr.yp.to/papers.html#poly1305
  12. 12.
    Bernstein, D.J.: Cache-timing attacks on AES (2005); ID cd9faae9bd5308c440df50fc26a517b4. Citations in this paper: §1, §4, http://cr.yp.to/papers.html#cachetiming
  13. 13.
    Bernstein, D.J.: Salsa20 specification (2005); Citations in this paper: §3, http://cr.yp.to/snuffle.html
  14. 14.
    Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems (extended abstract). In: [8], pp. 131–146 (2000); Citations in this paper: §1, §3, http://lecturer.ukdw.ac.id/vmueller/publications.php
  15. 15.
    Boyd, C. (ed.): ASIACRYPT 2001. LNCS, vol. 2248. Springer, Heidelberg (2001); ISBN 3–540–42987–5. MR 2003d:94001. See [59]MATHGoogle Scholar
  16. 16.
    Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990); ISBN 0–387–97317–6. MR 91b:94002. See [9]MATHGoogle Scholar
  17. 17.
    Brown, M., Hankerson, D., López, J., Menezes, A.: Software implementation of the NIST elliptic curves over prime fields (2000); see also newer version [18]. Citations in this paper: §1, §5, http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-56.ps
  18. 18.
    Brown, M., Hankerson, D., López, J., Menezes, A.: Software implementation of the NIST elliptic curves over prime fields. In: [49], pp. 250–265 (2001); see also older version [17]. MR 1907102Google Scholar
  19. 19.
    Cohen, H., Frey, G. (eds.): Handbook of elliptic and hyperelliptic curve cryptography. CRC Press, Boca Raton (2005); ISBN 1–58488–518–1. See [5], [24], [25], [30] Google Scholar
  20. 20.
    Desmedt, Y. (ed.): CRYPTO 1994. LNCS, vol. 839. Springer, Heidelberg (1994); See [44]MATHGoogle Scholar
  21. 21.
    Desmedt, Y. (ed.): PKC 2003. LNCS, vol. 2567. Springer, Heidelberg (2002); ISBN 3–540–00324–X. See [3]MATHGoogle Scholar
  22. 22.
    Diem, C.: The GHS attack in odd characteristic. Journal of the Ramanujan Mathematical Society 18, 1–32 (2003); MR 2004a:14030. Citations in this paper: §4, http://www.math.uni-leipzig.de/~diem/preprints MathSciNetMATHGoogle Scholar
  23. 23.
    Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 22, 644–654 (1976); ISSN 0018–9448. MR 55:10141. Citations in this paper: §3, http://cr.yp.to/bib/entries.html#1976/diffie MathSciNetCrossRefMATHGoogle Scholar
  24. 24.
    Doche, C., Lange, T.: Arithmetic of elliptic curves. In: [19], pp. 267–302 (2005); MR 2162729. Citations in this paper: §AGoogle Scholar
  25. 25.
    Doche, C., Lange, T.: Arithmetic of special curves. In: [19], pp. 355–387 (2005); MR 2162731. Citations in this paper: §4Google Scholar
  26. 26.
    Fong, K., Hankerson, D., López, J., Menezes, A.: Field inversion and point halving revisited (2003); see also newer version [27]. Citations in this paper: §1, http://www.cacr.math.uwaterloo.ca/techreports/2003/techreports2003.html
  27. 27.
    Fong, K., Hankerson, D., López, J., Menezes, A.: Field inversion and point halving revisited. IEEE Transactions on Computers 53, 1047–1059 (2004); see also older version [26]. ISSN 0018–9340CrossRefGoogle Scholar
  28. 28.
    Franke, J., Kleinjung, T., Paar, C., Pelzl, J., Priplata, C., Simka, M., Stahlke, C.: In: Workshop Record of SHARCS 2005, pp. 51–62 (2005); Citations in this paper: §3, §3, http://www.best.tuke.sk/simka/pub.html
  29. 29.
    Frey, G.: How to disguise an elliptic curve, Weil descent (1998); Citations in this paper: §4, http://www.cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html
  30. 30.
    Frey, G., Lange, T.: Transfer of discrete logarithms. In: [19], pp. 529–543 (2005); MR 2162738. Citations in this paper: §3Google Scholar
  31. 31.
    Robert, P., Gallant, R.J., Lambert, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: [38], pp. 190–200 (2001); MR 2003h:14043. Citations in this paper: §5.Google Scholar
  32. 32.
    Gilbert, H., Handschuh, H. (eds.): FSE 2005. LNCS, vol. 3557. Springer, Heidelberg (2005); ISBN 3–540– 26541–4. See [11].Google Scholar
  33. 33.
    Hankerson, D., Hernandez, J.L., Menezes, A.: Software implementation of elliptic curve cryptography over binary fields (2000); Citations in this paper: §1, see also newer version [34], http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-42.ps
  34. 34.
    Hankerson, D., Hernandez, J.L., Menezes, A.: Software implementation of elliptic curve cryptography over binary fields. In: [40], pp. 1–24 (2000); see also older version [33]Google Scholar
  35. 35.
    Hankerson, D., Menezes, A., Vanstone, S.: Guide to elliptic curve cryptography. Springer, New York (2004); ISBN 0–387–95273–X. MR 2054891. Citations in this paper: §4MATHGoogle Scholar
  36. 36.
    Joye, M., Quisquater, J.-J. (eds.): CHES 2004. LNCS, vol. 3156. Springer, Heidelberg (2004); ISBN 3–540–22666–4. See [4]MATHGoogle Scholar
  37. 37.
    Kaliski Jr., B.S. (ed.): CRYPTO 1997. LNCS, vol. 1294. Springer, Heidelberg (1997); ISBN 3–540–63384–7. MR 99a:94041. See [42]MATHGoogle Scholar
  38. 38.
    Kilian, J. (ed.): CRYPTO 2001. LNCS, vol. 2139. Springer, Heidelberg (2001); ISBN 3–540–42456–3. MR 2003d:94002. See [31]MATHGoogle Scholar
  39. 39.
    Koblitz, N., Menezes, A.J.: Another look at provable security (2004); Citations in this paper: §3, http://www.cacr.math.uwaterloo.ca/~ajmeneze/publications/provable.pdf
  40. 40.
    Ko̧c, Ç.K., Paar, C.: CHES 2000. LNCS, vol. 1965. Springer, Heidelberg (2000); ISBN 3–540–42521–7. See [34]CrossRefGoogle Scholar
  41. 41.
    Kuhn, F., Struik, R.: Random walks revisited: extensions of Pollard’s rho algorithm for computing multiple discrete logarithms. In: [64], pp. 212–229 (2001); Citations in this paper: §3, http://www.distcomp.ethz.ch/publications.html
  42. 42.
    Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: [37], pp. 249–263 (1997); Citations in this paper: §3, §3, http://dasan.sejong.ac.kr/~chlim/english_pub.html
  43. 43.
    Matsui, M., Zuccherato, R.: SAC 2003. LNCS, vol. 3006. Springer, Heidelberg (2004); ISBN 3–540–21370–8. See [6]CrossRefMATHGoogle Scholar
  44. 44.
    Maurer, U.M.: Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In: [20], pp. 271–281 (1994); Citations in this paper: §3, http://www.crypto.ethz.ch/~maurer/publications.html
  45. 45.
    Menezes, A.: Another look at HMQV (2005); Citations in this paper: §2, http://eprint.iacr.org/2005/205
  46. 46.
    Miller, V.S.: Use of elliptic curves in cryptography. In: [65], pp. 417–426 (1986); MR 88b:68040. Citations in this paper: §1Google Scholar
  47. 47.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation 48, 243–264 (1987); ISSN 0025–5718. Citations in this paper: §5, http://cr.yp.to/bib/entries.html#1987/montgomery MathSciNetCrossRefMATHGoogle Scholar
  48. 48.
    Muzereau, A., Smart, N.P., Vercauteren, F.: The equivalence between the DHP and DLP for elliptic curves used in practical applications. LMS Journal of Computation and Mathematics 7, 50–72 (2004); Citations in this paper: §3, http://www.lms.ac.uk/jcm/7/lms2003-034/ MathSciNetCrossRefMATHGoogle Scholar
  49. 49.
    Naccache, D. (ed.): CT-RSA 2001. LNCS, vol. 2020. Springer, Heidelberg (2001); ISBN 3– 540–41898–9. MR 2003a:94039. See [18]MATHGoogle Scholar
  50. 50.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache atacks and countermeasures: the case of AES, extended version (2005); Citations in this paper: §1, http://www.wisdom.weizmann.ac.il/~tromer/
  51. 51.
    Percival, C.: Cache missing for fun and profit (2005); Citations in this paper: §1, http://www.daemonology.net/hyperthreading-considered-harmful/
  52. 52.
    Pippenger, N.: On the evaluation of powers and related problems (preliminary version). In: [1], pp. 258–263 (1976); newer version split into [53] and [54]. MR 58:3682. Citations in this paper: §5, http://cr.yp.to/bib/entries.html#1976/pippenger
  53. 53.
    Pippenger, N.: The minimum number of edges in graphs with prescribed paths. Mathematical Systems Theory 12, 325–346 (1979); see also older version [52], ISSN 0025–5661. MR 81 e:05079, http://cr.yp.to/bib/entries.html#1979/pippenger MathSciNetCrossRefMATHGoogle Scholar
  54. 54.
    Pippenger, N.: On the evaluation of powers and monomials. SIAM Journal on Computing 9, 230–250 (1980); see also older version [52]. ISSN 0097–5397. MR 82c:10064, http://cr.yp.to/bib/entries.html#1980/pippenger MathSciNetCrossRefMATHGoogle Scholar
  55. 55.
    Pollard, J.M.: Kangaroos, Monopoly and discrete logarithms. Journal of Cryptology 13, 437–447 (2000); ISSN 0933–2790. Citations in this paper: §3MathSciNetCrossRefMATHGoogle Scholar
  56. 56.
    Proos, J., Zalka, C.: Shor’s discrete logarithm quantum algorithm for elliptic curves (2003); Citations in this paper: §1, http://www.cacr.math.uwaterloo.ca/techreports/2003/tech_reports2003.html
  57. 57.
    Smart, N.P.: A comparison of different finite fields for use in elliptic curve cryptosystems (2000); see also newer version [58], http://www.cs.bris.ac.uk/Publications/pub_info.jsp?id=1000458
  58. 58.
    Smart, N.P.: A comparison of different finite fields for elliptic curve cryptosystems. Computers and Mathematics with Applications 42, 91–100 (2001); see also older version [57]. MR 2002c:94033. Citations in this paper: §1MathSciNetCrossRefMATHGoogle Scholar
  59. 59.
    Stam, M., Lenstra, A.K.: Speeding up XTR. In: [15], pp. 125–143 (2001); MR 2003h:94049. Citations in this paper: §5Google Scholar
  60. 60.
    Teske, E.: Square-root algorithms for the discrete logarithm problem (a survey). In: [2], pp. 283–301 (2001); MR 2003c:11156. Citations in this paper: §3, http://www.cacr.math.uwaterloo.ca/~eteske/publications.html
  61. 61.
    Teske, E.: Computing discrete logarithms with the parallelized kangaroo method (2001); see also newer version [62]. Citations in this paper: §3, http://www.cacr.math.uwaterloo.ca/techreports/2001/tech_reports2001.html
  62. 62.
    Teske, E.: Computing discrete logarithms with the parallelized kangaroo method. Discrete Applied Mathematics 130, 61–82 (2003); see also older version [61]. MR 2004h:11112MathSciNetCrossRefMATHGoogle Scholar
  63. 63.
    van Oorschot, P.C., Wiener, M.: Parallel collision search with cryptanalytic applications. Journal of Cryptology 12, 1–28 (1999); ISSN 0933–2790. Citations in this paper: §3, http://members.rogers.com/paulv/papers/pubs.html MathSciNetCrossRefMATHGoogle Scholar
  64. 64.
    Vaudenay, S., Youssef, A.M. (eds.): SAC 2001. LNCS, vol. 2259. Springer, Heidelberg (2001); ISBN 3–540–43066–0. MR 2004k:94066. See [41]MATHGoogle Scholar
  65. 65.
    Williams, H.C. (ed.): CRYPTO 1985. LNCS, vol. 218. Springer, Heidelberg (1986); ISBN 3–540–16463–4. See [46]Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Daniel J. Bernstein

There are no affiliations available

Personalised recommendations