High-speed high-security signatures

This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
