# High-speed high-security signatures

@article{Bernstein2012HighspeedHS, title={High-speed high-security signatures}, author={Daniel J. Bernstein and Niels Duif and Tanja Lange and Peter Schwabe and Bo-Yin Yang}, journal={Journal of Cryptographic Engineering}, year={2012}, volume={2}, pages={77-89} }

This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.

## 560 Citations

### Software Speed Records for Lattice-Based Signatures

- Computer Science
- PQCrypto
- 2013

This work presents a first highly-optimized SIMD-based software implementation of the lattice-based digital signature scheme targeting Intel's Sandy Bridge and Ivy Bridge microarchitectures and achieves full protection against timing attacks.

### FourQ on embedded devices with strong countermeasures against side-channel attacks

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2017

This work sets new speed records for constant-time curve-based scalar multiplication, DH key exchange and digital signatures at the 128-bit security level and proposes a secure implementation that offers protection against a wide range of sophisticated side-channel attacks, including differential power analysis (DPA).

### SCA-secure ECC in software - mission impossible?

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

This paper describes an ECC implementation computing the X25519 key-exchange protocol on the ARM Cortex-M4 microcontroller that is, to the best of the authors' knowledge, the first to claim affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios.

### NEON Crypto

- Computer Science, Mathematics
- CHES
- 2012

This paper explains how to use a single 800MHz Cortex A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps), and 244655 cycles (3269/second) to sign a message.

### Practical Fault Attack against the Ed25519 and EdDSA Signature Schemes

- Computer Science, Mathematics
- 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC)
- 2017

It is demonstrated here that a single-fault attack against EdDSA can recover enough private key material to forge valid signatures for any message.

### Fast and compact elliptic-curve cryptography

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2012

This paper outlines a new elliptic curve signature and key agreement implementation that achieves record speeds for signatures while remaining relatively compact, and introduces faster field arithmetic, a new point compression algorithm, an improved fixed-base scalar multiplication algorithm and a new way to verify signatures without inversions or coordinate recovery.

### The Security Impact of a New Cryptographic Library

- Computer Science, Mathematics
- LATINCRYPT
- 2012

This paper introduces a new cryptographic library, NaCl, and explains how the design and implementation of the library avoid various types of cryptographic disasters suffered by previous…

### McBits: Fast Constant-Time Code-Based Cryptography

- Computer Science
- CHES
- 2013

This paper presents extremely fast algorithms for code-based public-key cryptography, including full protection against timing attacks, and achieves a reciprocal decryption throughput of just 60493 cycles on a single Ivy Bridge core.

### Template Attacks against ECC: practical implementation against Curve25519

- Computer Science, Mathematics
- 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
- 2020

A new profiling attack targeting elliptic-curve-based cryptographic implementations is presented; it exploits leakage from the conditional swap operation used in implementations that rely on the Montgomery ladder as the scalar multiplication method for calculating kP in constant time.

### High-assurance field inversion for curve-based cryptography

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

The Fiat-Cryptography framework, which synthesizes provably correct-by-construction implementations, is extended to implement the Bernstein-Yang constant-time inversion algorithm, as a step toward a correct implementation of prime field inversion that can be conveniently synthesized for any prime.

## References

SHOWING 1-10 OF 135 REFERENCES

### Curve25519: New Diffie-Hellman Speed Records

- Computer Science
- Public Key Cryptography
- 2006

This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles, more than twice as fast as other authors' results at the same conjectured security level.

### Cache-Timing Template Attacks

- Computer Science, Mathematics
- ASIACRYPT
- 2009

It is shown that the combination of vector quantization and hidden Markov model cryptanalysis is a powerful tool for automated analysis of cache-timing data; it can be used to recover critical algorithm state such as key material.

### New Software Speed Records for Cryptographic Pairings

- Computer Science, Mathematics
- LATINCRYPT
- 2010

An implementation which computes the optimal ate pairing on a 257-bit Barreto-Naehrig curve in only 4,470,408 cycles on one core of an Intel Core 2 Quad Q6600 processor is presented.

### Fast Elliptic Curve Cryptography in OpenSSL

- Computer Science, Mathematics
- Financial Cryptography Workshops
- 2011

This work presents a 64-bit optimized implementation of the NIST and SECG-standardized elliptic curve P-224, and shows how to do small table look-ups in a cache-timing resistant way, allowing us to use precomputation.

### Fast Elliptic-Curve Cryptography on the Cell Broadband Engine

- Computer Science, Mathematics
- AFRICACRYPT
- 2009

This paper is the first to investigate the power of the Cell Broadband Engine for state-of-the-art public-key cryptography. We present a high-speed implementation of elliptic-curve Diffie-Hellman…

### The Digital Signature Scheme MQQ-SIG

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2010

This document contains the Intellectual Property Statement and the technical description of the MQQ-SIG - a new public key digital signature scheme that consists of quadratic polynomials with Boolean variables where n=160, 196, 224 or 256.

### Efficient Techniques for High-Speed Elliptic Curve Cryptography

- Computer Science, Mathematics
- CHES
- 2010

In this paper, a thorough bottom-up optimization process (field, point and scalar arithmetic) is used to speed up the computation of elliptic curve point multiplication and report new speed records on…

### Efficient signature generation by smart cards

- Computer Science, Mathematics
- Journal of Cryptology
- 2004

An efficient algorithm that preprocesses the exponentiation of a random residue modulo p is presented, which improves the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures.

### Practical Cryptanalysis of SFLASH

- Computer Science, Mathematics
- CRYPTO
- 2007

A practical attack on the signature scheme SFLASH, proposed by Patarin, Goubin and Courtois in 2001, is presented; it can be applied both to SFLASHv2, which was accepted by NESSIE, and to SFLASHv3, which is a higher-security version.

### Advances in cryptology, EUROCRYPT '94 : Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, May 9-12, 1994 : proceedings

- Computer Science, Mathematics
- 1995

A systematic attack on clock controlled cascades on A2-codes including arbiter's attacks and an improvement of Davies' attack on DES are presented.