High-speed high-security signatures

  • Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin Yang
    Journal of Cryptographic Engineering
This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.

Software Speed Records for Lattice-Based Signatures

This work presents a first highly optimized SIMD-based software implementation of a lattice-based digital signature scheme, targeting Intel's Sandy Bridge and Ivy Bridge microarchitectures, and achieves full protection against timing attacks.

FourQ on embedded devices with strong countermeasures against side-channel attacks

This work sets new speed records for constant-time curve-based scalar multiplication, DH key exchange and digital signatures at the 128-bit security level and proposes a secure implementation that offers protection against a wide range of sophisticated side-channel attacks, including differential power analysis (DPA).

SCA-secure ECC in software - mission impossible?

This paper describes an ECC implementation computing the X25519 key-exchange protocol on the ARM Cortex-M4 microcontroller that is, to the best of the authors' knowledge, the first to claim affordable protection against multiple classes of attacks motivated by distinct real-world application scenarios.

NEON Crypto

This paper explains how to use a single 800MHz Cortex A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps), and 244655 cycles (3269/second) to sign a message.

Practical Fault Attack against the Ed25519 and EdDSA Signature Schemes

It is demonstrated here that a single-fault attack against EdDSA can recover enough private key material to forge valid signatures for any message.
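The algebra behind that single-fault recovery, as an added example that is not the paper's code: an EdDSA-shaped deterministic Schnorr signature is run over a toy group (the order-Q subgroup of Z_P^* with P = 10007 = 2*5003 + 1, standing in for Curve25519) with FNV-1a standing in for SHA-512, so everything fits in 64-bit arithmetic. The group, hash, key seed, messages and all function names are constructed for illustration. The simulated fault corrupts the message after the nonce r = H(prefix || m) has been derived but before the challenge h = H(R || A || m) is hashed, so the good and faulty signatures share R and S - S' = (h - h') * a mod Q leaks the secret scalar a once h' is found by enumerating single-bit corruptions of m.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example: toy EdDSA-style signature + simulated single-fault attack.
   Toy group and FNV-1a hash are stand-ins (constructed, not secure). */
#define P 10007ULL   /* safe prime: P = 2*Q + 1 */
#define Q 5003ULL    /* prime order of <G> */
#define G 4ULL       /* 2^2 is a quadratic residue mod P, hence has order Q */
#define FNV_OFF 14695981039346656037ULL
#define FNV_PRM 1099511628211ULL

typedef struct { uint64_t a, prefix, A; } toy_key;  /* secret scalar, nonce prefix, A = G^a */
typedef struct { uint64_t R, S; } toy_sig;

static uint64_t modpow(uint64_t g, uint64_t e, uint64_t m) {  /* square-and-multiply; not constant time */
    uint64_t r = 1 % m;
    for (g %= m; e; e >>= 1) { if (e & 1) r = r * g % m; g = g * g % m; }
    return r;
}
static uint64_t fnv_u64(uint64_t h, uint64_t v) {            /* absorb one 64-bit word */
    for (int i = 0; i < 8; i++) { h ^= (v >> (8 * i)) & 0xff; h *= FNV_PRM; }
    return h;
}
static uint64_t fnv_bytes(uint64_t h, const uint8_t *m, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= m[i]; h *= FNV_PRM; }
    return h;
}
/* r = H(prefix || m) mod Q and h = H(R || A || m) mod Q, the two EdDSA hashes */
static uint64_t nonce_hash(uint64_t prefix, const uint8_t *m, size_t n) {
    return fnv_bytes(fnv_u64(FNV_OFF, prefix), m, n) % Q;
}
static uint64_t challenge_hash(uint64_t R, uint64_t A, const uint8_t *m, size_t n) {
    return fnv_bytes(fnv_u64(fnv_u64(FNV_OFF, R), A), m, n) % Q;
}

static toy_key toy_keygen(uint64_t seed) {
    toy_key k;
    k.a = fnv_u64(fnv_u64(FNV_OFF, 0), seed) % Q;
    if (k.a == 0) k.a = 1;
    k.prefix = fnv_u64(fnv_u64(FNV_OFF, 1), seed);
    k.A = modpow(G, k.a, P);
    return k;
}

/* m_chal != NULL simulates the fault: the challenge hash sees m_chal instead of m,
   while the nonce (and therefore R) was already derived from the true m. */
static toy_sig toy_sign(const toy_key *k, const uint8_t *m, size_t n, const uint8_t *m_chal) {
    toy_sig s;
    uint64_t r = nonce_hash(k->prefix, m, n);
    s.R = modpow(G, r, P);
    uint64_t h = challenge_hash(s.R, k->A, m_chal ? m_chal : m, n);
    s.S = (r + h * k->a) % Q;
    return s;
}

static int toy_verify(uint64_t A, const uint8_t *m, size_t n, toy_sig s) {
    uint64_t h = challenge_hash(s.R, A, m, n);
    return s.S < Q && modpow(G, s.S, P) == s.R * modpow(A, h, P) % P;  /* G^S == R * A^h */
}

/* Attacker side: S - S' = (h - h') * a mod Q. h is public; h' is found by trying
   every single-bit corruption of m and keeping the a with G^a == A. Returns 0 on failure. */
static uint64_t recover_scalar(uint64_t A, const uint8_t *m, size_t n, toy_sig good, toy_sig bad) {
    uint8_t buf[64];
    if (good.R != bad.R || n > sizeof buf) return 0;
    uint64_t h = challenge_hash(good.R, A, m, n);
    uint64_t dS = (good.S + Q - bad.S) % Q;
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 8; b++) {
            memcpy(buf, m, n);
            buf[i] ^= (uint8_t)(1u << b);
            uint64_t hb = challenge_hash(good.R, A, buf, n);
            if (hb == h) continue;
            uint64_t a = dS * modpow((h + Q - hb) % Q, Q - 2, Q) % Q;  /* divide by (h - h') */
            if (modpow(G, a, P) == A) return a;
        }
    return 0;
}

/* With a in hand the forger picks any nonce; the secret prefix is no longer needed. */
static toy_sig forge(uint64_t a, uint64_t A, const uint8_t *m, size_t n) {
    toy_sig s;
    uint64_t r = fnv_bytes(fnv_u64(FNV_OFF, 0xF0F0), m, n) % Q;  /* attacker-chosen nonce */
    s.R = modpow(G, r, P);
    s.S = (r + challenge_hash(s.R, A, m, n) * a) % Q;
    return s;
}

/* Constructed scenario: one flipped bit ('0' -> '1') in the challenge hash input.
   Returns 1 when the single fault yields the scalar and a verifying forgery. */
int demo(void) {
    const uint8_t m[] = "transfer 100", m_faulted[] = "transfer 101";
    const uint8_t target[] = "transfer 1000000";
    toy_key k = toy_keygen(0x1234);
    toy_sig good = toy_sign(&k, m, 12, NULL);
    toy_sig bad = toy_sign(&k, m, 12, m_faulted);
    uint64_t a = recover_scalar(k.A, m, 12, good, bad);
    toy_sig forged = forge(a, k.A, target, 16);
    return a == k.a && toy_verify(k.A, m, 12, good) && !toy_verify(k.A, m_faulted, 12, good)
        && toy_verify(k.A, target, 16, forged);
}
```

The check `modpow(G, a, P) == A` is what makes the enumeration safe to automate: since G has prime order Q, only the true a (mod Q) satisfies it, so a wrong fault hypothesis can never be accepted. On real Ed25519 the same arithmetic applies mod L with the curve's public key in place of A; the only difference is the cost of each candidate check, which is one fixed-base scalar multiplication.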

Fast and compact elliptic-curve cryptography

This paper outlines a new elliptic curve signature and key agreement implementation that achieves record speeds for signatures while remaining relatively compact, and introduces faster field arithmetic, a new point compression algorithm, an improved fixed-base scalar multiplication algorithm and a new way to verify signatures without inversions or coordinate recovery.

The Security Impact of a New Cryptographic Library

This paper introduces a new cryptographic library, NaCl, and explains how the design and implementation of the library avoid various types of cryptographic disasters suffered by previous

McBits: Fast Constant-Time Code-Based Cryptography

This paper presents extremely fast algorithms for code-based public-key cryptography, including full protection against timing attacks, and achieves a reciprocal decryption throughput of just 60493 cycles on a single Ivy Bridge core.

Template Attacks against ECC: practical implementation against Curve25519

A new profiling attack is presented that targets elliptic-curve-based cryptographic implementations and exploits leakage from the conditional swap operation used by implementations that rely on the Montgomery ladder as a constant-time scalar multiplication method for computing kP.

High-assurance field inversion for curve-based cryptography

The Fiat-Cryptography framework, which synthesizes provably correct-by-construction implementations, is extended to implement the Bernstein-Yang constant-time inversion algorithm, a step toward a correct implementation of prime-field inversion that can be conveniently synthesized for any prime.

Curve25519: New Diffie-Hellman Speed Records

This paper explains the design and implementation of a high-security elliptic-curve Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles, more than twice as fast as other authors' results at the same conjectured security level.

Cache-Timing Template Attacks

It is shown that the combination of vector quantization and hidden Markov model cryptanalysis is a powerful tool for automated analysis of cache-timing data; it can be used to recover critical algorithm state such as key material.

New Software Speed Records for Cryptographic Pairings

An implementation which computes the optimal ate pairing on a 257-bit Barreto-Naehrig curve in only 4,470,408 cycles on one core of an Intel Core 2 Quad Q6600 processor is presented.

Fast Elliptic Curve Cryptography in OpenSSL

  • E. Käsper
  • Computer Science, Mathematics
    Financial Cryptography Workshops
  • 2011
This work presents a 64-bit optimized implementation of the NIST and SECG-standardized elliptic curve P-224, and shows how to do small table look-ups in a cache-timing resistant way, allowing us to use precomputation.
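The three side-channel rules that recur in the abstracts above (no data flow from secrets to branch conditions or array indices in the signature paper, the conditional swap of the Montgomery ladder that the template-attack paper targets, and cache-timing-resistant table lookups in the P-224 work) written out as C primitives, as an added example that is none of those papers' code. The field-element size, the toy modular-exponentiation group with p < 2^32 (so that 64-bit products do not overflow) and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example: branch-free, index-free building blocks. Not from any paper above. */

/* 0/1 -> 0x00..00 / 0xFF..FF without a branch. */
static uint64_t ct_mask(uint64_t bit) { return (uint64_t)0 - (bit & 1); }

/* All-ones if x == y, else zero; no branch, no early exit. */
static uint64_t ct_eq(uint64_t x, uint64_t y) {
    uint64_t d = x ^ y;
    return ct_mask(((d | (0 - d)) >> 63) ^ 1);   /* (d | -d) >> 63 is 1 iff d != 0 */
}

/* Conditional swap of two n-limb values. The same loads, XORs and stores run
   whether bit is 0 or 1; only the mask differs. */
void ct_cswap(uint64_t *a, uint64_t *b, size_t n, uint64_t bit) {
    uint64_t m = ct_mask(bit);
    for (size_t i = 0; i < n; i++) {
        uint64_t t = m & (a[i] ^ b[i]);
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* The leaky version for contrast: whether the copy loop runs depends on bit. */
void leaky_cswap(uint64_t *a, uint64_t *b, size_t n, uint64_t bit) {
    if (bit)
        for (size_t i = 0; i < n; i++) { uint64_t t = a[i]; a[i] = b[i]; b[i] = t; }
}

/* Table lookup that reads every entry and selects with a mask, so the cache
   sees the same access pattern for every idx; this is what makes precomputed
   tables usable when idx is derived from the secret scalar. */
void ct_table_lookup(uint64_t *out, const uint64_t *table, size_t entries,
                     size_t limbs, size_t idx) {
    memset(out, 0, limbs * sizeof *out);
    for (size_t i = 0; i < entries; i++) {
        uint64_t m = ct_eq((uint64_t)i, (uint64_t)idx);
        for (size_t j = 0; j < limbs; j++) out[j] |= m & table[i * limbs + j];
    }
}

/* Montgomery ladder for modular exponentiation in a toy group (assumes p < 2^32),
   standing in for the X25519 ladder. The multiply and the square execute on
   every iteration; only the cswap masks depend on the exponent bits. */
uint64_t ladder_pow(uint64_t g, uint64_t e, uint64_t p) {
    uint64_t r0 = 1 % p, r1 = g % p;   /* invariant: r1 == r0 * g */
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (e >> i) & 1;
        ct_cswap(&r0, &r1, 1, bit);
        r1 = r0 * r1 % p;
        r0 = r0 * r0 % p;
        ct_cswap(&r0, &r1, 1, bit);
    }
    return r0;
}

/* Self-checks on constructed inputs; return 1 on success. */
int selftest_cswap(void) {
    uint64_t a[2] = {1, 2}, b[2] = {3, 4};
    ct_cswap(a, b, 2, 0);
    if (a[0] != 1 || b[0] != 3) return 0;
    ct_cswap(a, b, 2, 1);
    return a[0] == 3 && a[1] == 4 && b[0] == 1 && b[1] == 2;
}

int selftest_lookup(void) {
    const uint64_t table[3][2] = {{10, 11}, {20, 21}, {30, 31}};
    uint64_t out[2];
    ct_table_lookup(out, &table[0][0], 3, 2, 2);
    return out[0] == 30 && out[1] == 31;
}
```

Two practitioner caveats: `bit` must already be 0 or 1 (derive it with `(e >> i) & 1`, never with a comparison the compiler may turn into a branch), and the C source being branch-free is not a guarantee about the binary, since an optimizer can rewrite a masked select back into a conditional jump or a `cmov` can be lowered differently across targets; the emitted assembly, or a constant-time checker run on the binary, is the thing to inspect.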

Fast Elliptic-Curve Cryptography on the Cell Broadband Engine

This paper is the first to investigate the power of the Cell Broadband Engine for state-of-the-art public-key cryptography. We present a high-speed implementation of elliptic-curve Diffie-Hellman

The Digital Signature Scheme MQQ-SIG

This document contains the Intellectual Property Statement and the technical description of the MQQ-SIG - a new public key digital signature scheme that consists of quadratic polynomials with Boolean variables where n=160, 196, 224 or 256.

Efficient Techniques for High-Speed Elliptic Curve Cryptography

In this paper, a thorough bottom-up optimization process (field, point and scalar arithmetic) is used to speed up the computation of elliptic curve point multiplication and report new speed records on

Efficient signature generation by smart cards

  • C. Schnorr
  • Computer Science, Mathematics
    Journal of Cryptology
  • 2004
An efficient algorithm that preprocesses the exponentiation of a random residue modulo p is presented, which improves the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures.

Practical Cryptanalysis of SFLASH

A practical attack on the signature scheme SFLASH proposed by Patarin, Goubin and Courtois in 2001 is presented, which can be applied both to SFLASHv2, which was accepted by NESSIE, and to SFLASHv3, which is a higher-security version.

Advances in cryptology, EUROCRYPT '94 : Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, May 9-12, 1994 : proceedings

A systematic attack on clock controlled cascades on A2-codes including arbiter's attacks and an improvement of Davies' attack on DES are presented.