
Size, Speed, and Security: An Ed25519 Case Study

Conference paper. In: Secure IT Systems (NordSec 2021). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13115).

Abstract

Ed25519 has significant performance benefits compared to ECDSA over Weierstrass curves such as NIST P-256, and it is therefore considered a state-of-the-art digital signature algorithm, especially for low-performance IoT devices. However, such devices often have very limited resources, so implementations for them need to be as small and as fast as possible while remaining secure. In this paper we describe a scenario in which an obvious strategy for aggressively optimizing an Ed25519 implementation for code size yields a small memory footprint that is functionally correct but vulnerable to side-channel attacks. This strategy serves as an example of the aggressive optimizations that might be considered by cryptography engineers, developers, and practitioners unfamiliar with the power of Side-Channel Analysis (SCA). As a remedy for the flawed implementation, we use a computer-aided cryptography tool that generates formally verified finite field arithmetic to produce two secure Ed25519 implementations that satisfy different size requirements. After benchmarking these implementations and comparing them to other widely used implementations, our results show that computer-aided cryptography is capable of generating code that is competitive in security, speed, and size.

C. P. García—This research was done while the author was an intern at Huawei Technologies Oy.
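The abstract's central point is that a code-size optimization can be functionally correct and still leak the secret scalar through control flow. The following C example is added here to illustrate that class of defect in general; it is not code from the paper, from the authors, or from any of the libraries the paper benchmarks. It uses modular exponentiation in a toy prime-order group (constructed modulus `TOY_P`) as a stand-in for scalar multiplication on the curve, since the branch-versus-mask issue is the same; the function names `exp_leaky`, `exp_ladder`, `ct_cswap` and `ladder_matches_leaky` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy modulus: exponentiation in Z_p^* stands in for scalar
 * multiplication on the curve. Not a value from the paper. */
#define TOY_P 1000003ULL

/* Operands are < 2^20, so the product fits comfortably in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b)
{
    return (a * b) % TOY_P;
}

/* Smallest-code square-and-multiply. The multiply runs only when the
 * secret bit is set, so instruction count, branch history and cache
 * footprint all follow the secret scalar bit by bit: a side channel. */
uint64_t exp_leaky(uint64_t base, uint64_t secret_scalar)
{
    uint64_t acc = 1;
    for (int i = 63; i >= 0; i--) {
        acc = mulmod(acc, acc);
        if ((secret_scalar >> i) & 1)      /* secret-dependent branch */
            acc = mulmod(acc, base);
    }
    return acc;
}

/* Constant-time conditional swap: exchanges *a and *b iff bit == 1,
 * using an all-ones/all-zeros mask instead of a branch. */
static void ct_cswap(uint64_t *a, uint64_t *b, uint64_t bit)
{
    uint64_t mask = 0 - (bit & 1);         /* 0x00..00 or 0xFF..FF */
    uint64_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Montgomery-ladder style exponentiation. Every iteration performs exactly
 * one multiply and one squaring; the scalar only steers data through the
 * masked swap, never the control flow. Invariant: r1 == r0 * base. */
uint64_t exp_ladder(uint64_t base, uint64_t secret_scalar)
{
    uint64_t r0 = 1, r1 = base;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (secret_scalar >> i) & 1;
        ct_cswap(&r0, &r1, bit);
        r1 = mulmod(r0, r1);
        r0 = mulmod(r0, r0);
        ct_cswap(&r0, &r1, bit);
    }
    return r0;
}

/* Functional-correctness check: both variants agree for every scalar below
 * `limit`. Correctness is exactly what size-only testing would confirm,
 * while saying nothing about the leak in exp_leaky. Returns 1 on agreement. */
int ladder_matches_leaky(uint64_t base, uint64_t limit)
{
    for (uint64_t k = 0; k < limit; k++)
        if (exp_ladder(base, k) != exp_leaky(base, k))
            return 0;
    return 1;
}

int main(void)
{
    printf("3^13 mod p: leaky=%llu ladder=%llu\n",
           (unsigned long long)exp_leaky(3, 13),
           (unsigned long long)exp_ladder(3, 13));
    printf("variants agree for 0..299: %d\n", ladder_matches_leaky(3, 300));
    return 0;
}
```

The two functions return identical results for every scalar, which is why a test suite alone does not catch the problem; only a review of secret-dependent control flow (or tooling that checks it) does. The masked ladder costs a few more instructions per bit, which is the trade-off the abstract describes between size and side-channel resistance.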




Acknowledgments

The authors would like to thank Philip Ginzboorg for the comments during the development of this research.

The first author thanks the Nokia Foundation for the generous support through a Nokia Scholarship.

This project received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 804476).

Author information

Corresponding author: Cesar Pereida García.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Pereida García, C., Sovio, S. (2021). Size, Speed, and Security: An Ed25519 Case Study. In: Tuveri, N., Michalas, A., Brumley, B.B. (eds) Secure IT Systems. NordSec 2021. Lecture Notes in Computer Science, vol 13115. Springer, Cham. https://doi.org/10.1007/978-3-030-91625-1_2


  • DOI: https://doi.org/10.1007/978-3-030-91625-1_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91624-4

  • Online ISBN: 978-3-030-91625-1

  • eBook Packages: Computer Science (R0)
