A Survey of Cryptographic Libraries Supporting Elliptic
Curve Cryptography
Month/2005
David Reis Jr., Nelson Uto
Agenda
Brief introduction to ECC.
Description of the libraries.
Performance comparison.
Conclusions.
Elliptic curve equation
$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, with $a_1, a_2, a_3, a_4, a_6 \in K$ and $\Delta \neq 0$, where
$\Delta = -d_2^2 d_8 - 8 d_4^3 - 27 d_6^2 + 9 d_2 d_4 d_6$
$d_2 = a_1^2 + 4 a_2$
$d_4 = 2 a_4 + a_1 a_3$
$d_6 = a_3^2 + 4 a_6$
$d_8 = a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2$
Elliptic curve over R – Example 1
y2=x3−x1
planetmath.org
Elliptic curve over R – Example 2
y2=x3−x
planetmath.org
Chord-and-tangent rule
(a) Addition: R = P + Q. (b) Doubling: R = P + P.
Extracted from Hankerson's presentation.
Elliptic curve over finite field
Point multiplication
Also known as scalar multiplication. Given an integer k and a point P on an elliptic curve E, compute R = kP.
$kP = P + P + \dots + P$ (k times)
Point multiplication dominates the execution time of elliptic curve cryptographic schemes.
For a fixed point, it is possible to exploit precomputed data to accelerate the scalar multiplication.
ECDLP
Given an elliptic curve E defined over a finite field $\mathbb{F}_q$, a point $P \in E(\mathbb{F}_q)$ of order n, and a point $Q \in \langle P \rangle$, find an integer $l \in [0, n-1]$ such that $Q = lP$.
Harder problem than integer factorization and the discrete logarithm problem.
Key pair generation
Input: Domain parameters D = (q, FR, S, a, b, P, n, h).
Output: Public key Q, private key d.
1. Select $d \in_R [1, n-1]$.
2. Compute Q = dP.
3. Return (Q, d).
ECDSA – Signature generation
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), private key d, message m.
Output: Signature (r, s).
1. Select $k \in_R [1, n-1]$.
2. Compute $kP = (x_1, y_1)$ and convert $x_1$ to an integer $\bar{x}_1$.
3. Compute $r = \bar{x}_1 \bmod n$. If r = 0 then go to step 1.
4. Compute e = H(m).
5. Compute $s = k^{-1}(e + dr) \bmod n$. If s = 0 then go to step 1.
6. Return (r, s).
ECDSA – Signature verification
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), public key Q, message m, signature (r, s).
Output: Acceptance or rejection of the signature.
1. Verify that r and s are integers in the interval [1, n-1]. If any verification fails then return ("Reject the signature").
2. Compute e = H(m).
3. Compute $w = s^{-1} \bmod n$.
4. Compute $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.
5. Compute $X = u_1 P + u_2 Q$.
6. If $X = \infty$ then return ("Reject the signature").
7. Convert the x-coordinate $x_1$ of X to an integer $\bar{x}_1$; compute $v = \bar{x}_1 \bmod n$.
8. If v = r then return ("Accept the signature"); else return ("Reject the signature").
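The point multiplication, key pair generation, ECDSA signature generation and verification steps of the preceding slides, worked end to end in Python as an added example (not code from the presentation or from any of the surveyed libraries). It assumes the published NIST P-256 (secp256r1) domain parameters, affine coordinates with no precomputation, and SHA-1 as H, matching the benchmark's message size.

```python
import hashlib, secrets
# NIST P-256 domain parameters (FIPS 186 / SEC 2): y^2 = x^3 + ax + b over F_p,
# base point P of prime order n. Affine coordinates, no precomputation.
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a, b = p - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity, the group identity

def add(P1, P2):  # chord-and-tangent rule
    if P1 is INF: return P2
    if P2 is INF: return P1
    x1, y1 = P1; x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                        # P + (-P) = infinity
    if P1 == P2:                          # doubling: slope of the tangent
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                 # addition: slope of the chord
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, Q):  # point multiplication kQ, left-to-right double-and-add
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == '1': R = add(R, Q)
    return R
def H(m):  # e = H(m) as an integer; SHA-1 as in the benchmark setup
    return int.from_bytes(hashlib.sha1(m).digest(), 'big')

def keygen():  # key pair generation: returns (public key Q, private key d)
    d = secrets.randbelow(n - 1) + 1      # d in [1, n-1]
    return mul(d, P), d

def sign(d, m):  # ECDSA signature generation
    while True:
        k = secrets.randbelow(n - 1) + 1  # fresh per-signature nonce k
        r = mul(k, P)[0] % n              # r = x1 mod n, x1 taken from kP
        if r == 0: continue
        s = pow(k, -1, n) * (H(m) + d * r) % n
        if s != 0: return r, s

def verify(Q, m, sig):  # ECDSA signature verification
    r, s = sig
    if not (1 <= r <= n - 1 and 1 <= s <= n - 1): return False
    w = pow(s, -1, n)
    X = add(mul(H(m) * w % n, P), mul(r * w % n, Q))  # X = u1 P + u2 Q
    return X is not INF and X[0] % n == r
```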
borZoi
Developed by Dragongate Technologies. GNU GPL. Written in C++.
It supports ECDSA, ECIES, and ECDH.
Built-in domain parameters for NIST's binary curves.
Compiled correctly on xScale and x86.
To improve performance, it may be compiled with NTL, but an error was found with release 5.3.1: timings looked completely random, without any reasonable explanation.
Crypto++
It is a C++ library. It supports ECDSA, ECDH, and ECIES.
Supports both binary and prime curves.
The library comes with domain parameters defined by NIST and SECG.
Crypto++ is trying to obtain NIST's certification of ECDSA.
Great support for manipulating data. Precomputation is supported.
Hard to ascertain the cause of compilation errors.
The execution time is odd for binary curves which use a pentanomial as the irreducible polynomial.
LibTomCrypt
Developed by Tom St Denis. It is open source. Written in ISO C.
Supports ECDSA and ECDH.
It supports only curves defined over prime fields.
Built-in domain parameters for NIST's prime curves.
Nice interface and documentation.
It compiled correctly on xScale and x86.
LiDIA
Developed by the LiDIA group at Technische Universität Darmstadt.
Free for non-commercial use. It is a C++ library.
It compiled correctly on Pentium 4 and xScale.
Requires a multi-precision integer arithmetic module. The packages supported are libI, GMP, and cln.
It supports curves defined over binary and prime fields.
Points can be represented in either affine or projective coordinates.
Nice documentation. No support for precomputation.
MIRACL
Developed by Shamus Software Ltd. Free for non-profit purposes.
It is a C library, but wrappers for C++ are provided.
ECDSA and ECDH are provided as examples.
It supports curves defined over prime and binary fields.
The fastest library available. Precomputation is supported.
Critical routines are written in assembly for optimal performance.
Special optimizations for curves over prime fields.
The API is not very intuitive.
OpenSSL
BSD-like license. Open source. Written in C.
Supports ECDSA and ECDH.
Domain parameters for almost all of the curves defined by NIST, SECG, and ANSI.
Some routines are written in assembly. Supports point precomputation.
It was easily compiled on P4, but a patch was required to compile it on xScale.
Poor documentation.
Bouncy Castle
Developed by the Legion of the Bouncy Castle. It is a Java library.
There is no support for the JCA/JCE ECC classes.
Supports ECDSA, ECDH, and ECIES.
Only supports curves defined over prime fields, although the documentation refers to binary curves as well.
There are built-in domain parameters for the prime curves defined in X9.62.
Precomputation is not supported. Documentation is poor.
FlexiProvider
Developed by Cryptography and Computer Algebra group at the Technische Universität Darmstadt.
It is a Java library. Does not support the JCA/JCE ECC classes.
Licensed under LGPL (CoreProvider) and GPL (EC and NF providers).
Supports ECDSA, ECNR, ECIES, and ECDH.
Supports curves defined over binary and prime fields.
There are built-in domain parameters for the prime curves of X9.62 and SEC 2 and for the binary curves of X9.62. The parameters for SEC 2 binary curves do not work.
No support for precomputation.
IAIK
Developed by the SIC group at the Graz University of Technology.
It is a Java library. Does not support the JCA/JCE ECC classes.
It is available under educational, commercial, or open source licenses.
It supports ECDSA and ECDH.
It can handle curves defined over binary and prime fields.
Built-in domain parameters for some of NIST's curves and all of the X9.62 curves.
Precomputation is available for prime curves.
The API is not uniform in some cases.
Benchmarking
Platforms:
o P4 2.80GHz, 512MB RAM, Linux kernel 2.4.20.8, gcc 3.2.2, g++ 3.2.2, javac 1.5.0_04, Java HotSpot Client VM build 1.5.0_04-b05.
o PXA27x 520MHz, 64MB RAM, Linux kernel 2.6.11.8, arm-linux-gcc 3.4.3, arm-linux-g++ 3.4.3.
Methodology:
o Messages of fixed size (1 SHA-1 block).
o One key pair for each iteration.
o Signature generation (with and without precomputation) and signature verification.
o Five rounds of timings.
o 100 iterations for xScale and 1000 for P4.
P4 timings
xScale timings
Issues benchmarking Java applications
The Java HotSpot virtual machine improves the speed of Java applications.
It compiles and inlines methods on the fly.
Performance depends on what has already been optimized.
How can one measure performance in such a scenario?
Java timings on P4
Conclusions
MIRACL is the fastest library available.
OpenSSL is an interesting alternative to MIRACL, although about 50% slower.
It is possible to use either a C or a Java library on P4.
The C libraries MIRACL and OpenSSL can be used on xScale as well.
Probably IAIK can be used on xScale for elliptic curves defined over prime fields (even at the highest security levels).
Questions?
Nelson Uto, [email protected], phone: +55 (19) 3705.4992
CPqD – Centro de Pesquisa e Desenvolvimento em Telecomunicações
Rod. Campinas–Mogi-Mirim, km 118,5 – SP340, 13086-902 – Campinas – SP, BRASIL
www.cpqd.com.br
CPqD Technologies & Systems, Inc., 101 NE Third Ave – Suite 1500, Fort Lauderdale, FL 33301, USA
www.cpqdusa.com