High-Speed High-Security Signatures

  • Daniel J. Bernstein
  • Niels Duif
  • Tanja Lange
  • Peter Schwabe
  • Bo-Yin Yang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6917)

Abstract

This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 108000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
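The last sentence of the abstract is a concrete coding rule. As an added illustration (not the paper's or its implementation's code), the block below reads an entry of a precomputed table by a secret index without ever using the secret as an address or a branch condition; the table is a constructed stand-in for the base-point multiples a fixed-base scalar multiplication selects from, and the names, sizes and sample contents are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the paper's code: reading a precomputed table entry
   by a secret index with no secret-dependent address and no secret-dependent
   branch. The table stands in for the base-point multiples a fixed-base
   scalar multiplication selects from; entries are 32-byte field elements. */
#define ENTRY_BYTES 32
#define TABLE_SIZE 8

/* 0xFF if a == b, else 0x00; computed with arithmetic only, no branch. */
uint8_t ct_eq_mask(uint8_t a, uint8_t b)
{
    uint8_t x = a ^ b;                          /* zero iff equal */
    x |= x >> 4; x |= x >> 2; x |= x >> 1;      /* low bit set iff nonzero */
    return (uint8_t)((x & 1) - 1);              /* 0 -> 0xFF, 1 -> 0x00 */
}

/* The leaky pattern would be memcpy(out, table[secret_index], ENTRY_BYTES):
   the address read depends on the secret, so cache timing can reveal it.
   Here every entry is touched and the secret only feeds a bitmask, so the
   memory access pattern and instruction stream are the same for every index. */
void select_ct(uint8_t out[ENTRY_BYTES],
               uint8_t table[TABLE_SIZE][ENTRY_BYTES],
               uint8_t secret_index)
{
    memset(out, 0, ENTRY_BYTES);
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        uint8_t m = ct_eq_mask((uint8_t)i, secret_index);
        for (size_t j = 0; j < ENTRY_BYTES; j++)
            out[j] |= table[i][j] & m;
    }
}

/* Constructed table: entry i is filled with byte value i+1.
   Returns 1 if select_ct(k) yields entry k, 0 otherwise. */
int select_ct_picks(uint8_t k)
{
    uint8_t table[TABLE_SIZE][ENTRY_BYTES];
    uint8_t out[ENTRY_BYTES];
    for (size_t i = 0; i < TABLE_SIZE; i++)
        memset(table[i], (int)(i + 1), ENTRY_BYTES);
    select_ct(out, table, k);
    for (size_t j = 0; j < ENTRY_BYTES; j++)
        if (out[j] != (uint8_t)(k + 1)) return 0;
    return 1;
}
```

The same masking idea replaces a secret-dependent `if` (for instance, a sign bit choosing between a point and its negation) with a select between both precomputed results.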

Keywords

Elliptic curves, Edwards curves, signatures, speed, software side channels, foolproof session keys

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Daniel J. Bernstein, Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  • Niels Duif, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, Netherlands
  • Tanja Lange, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, Netherlands
  • Peter Schwabe, Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan
  • Bo-Yin Yang, Institute of Information Science, Academia Sinica, Taipei, Taiwan