Abstract
This paper studies software optimization of elliptic-curve cryptography with \(256\)-bit prime fields. We propose a constant-time implementation of the NIST and SECG standardized curve P-\(256\), that can be seamlessly integrated into OpenSSL. This accelerates Perfect Forward Secrecy TLS handshakes that use ECDSA and/or ECDHE, and can help in improving the efficiency of TLS servers. We report significant performance improvements for ECDSA and ECDH, on several architectures. For example, on the latest Intel Haswell microarchitecture, our ECDSA sign is \(2.33\times \) faster than OpenSSL’s implementation.
Notes
“Demand for encryption apps has increased dramatically ever since the exposure of massive internet surveillance programs run by US and UK intelligence agencies. Now Facebook is reportedly moving to implement a strong, decades-old encryption technique that’s been largely avoided by the online services that need it most”; J. Kopstein, The Verge, http://www.theverge.com/2013/6/26/4468050/facebook-follows-google-with-tough-encryption-standard.
RSA signature verification with the standard short public exponent remains faster than ECDSA verification. However, verification is done by the client, and not by the server side.
An optimized implementation of P-224, P-256 and P-521 was contributed to OpenSSL by Emilia Käsper, Adam Langley and Bodo Moeller. To enable it, OpenSSL should be configured with ‘enable-ec_nistp_64_gcc_128’.
It is currently in the process of integration into a future version of this library (1.0.2), and can be found in the latest beta version (1.0.2 beta 3).
Appendix A
The configuration details of the platform that was used for the system profiling experiment:
CPU: Engineering sample of Intel microarchitecture codename Haswell, native speed of 2.9 GHz, 4 cores, 8 threads. For the experiment, we disabled 3 of the 4 cores and underclocked the CPU to 1 GHz; otherwise, with the AES-GCM cipher, which runs at around 1 cycle/byte, the CPU outperforms the network card and idles most of the time.
Memory: 8GB DDR3 1,600 MHz, two-channel configuration.
Hard drive: Intel SSD X25-M 80GB.
Software: Apache server version 2.4.4; OpenSSL development version (from September 9, 2013).
Network: Engineering sample of Intel 10Gbit Ethernet adapter.
Cite this article
Gueron, S., Krasnov, V. Fast prime field elliptic-curve cryptography with 256-bit primes. J Cryptogr Eng 5, 141–151 (2015). https://doi.org/10.1007/s13389-014-0090-x