[curves] New curve25519/ed25519 library
mehdisotoodeh at gmail.com
Tue Jun 30 16:42:19 PDT 2015
Hi Peter, Mike,
Thank you both for your comments and valuable suggestions.
>The first aspect is that the Curve25519 implementation uses secretly
>indexed memory access which is a possible source for timing attacks.
>State-of-the-art Curve25519 implementations avoid this by using
>constant-time conditional swaps.
>Similar statements apply to the table lookup in the fixed-basepoint
>scalar multiplication, but those would be much more expensive to
The constant time implementation of field operations added approximately
20% to the timings. Applying recommendations regarding indexing has a way
bigger impact on the overall performance. I am trying to find a compromised
solution based on blinding that can justify usage of indexing.
The library currently implements randomization of the starting point as
well as using (a+b)*P + B instead of a*P where b is random and B = -b*P.
Another method that can be built into pre-calculated tables is to replace
base point P with Q = (1/r mod BPO)*P and then use (a*r mod BPO)*Q instead
of a*P. The combination of these two methods is another option: ((a-b)*r
mod BPO)*Q + S, where S = -b*Q.
For embedded applications such as IOT, the randomized Q tables can be
generated and programmed into devices during manufacturing and random
blinding b generated during power ups.
Is this is good enough approach? Does it need to be updated time to time?
Please note that I am a software engineer and relying on crypto experts
like you to evaluate the security level and come up with recommendations.
>The second thing is: It's great to hear about new speed records!
>Are you planning to support the SUPERCOP API ...
I am planning to support SUPERCOP API once I am happy with the library.
>My understanding is that the technique that you call folding is only
>efficient for signing; the verification part needs a precomputation
>which is just way too expensive: it needs 384 point doublings! You will
>probably answer that the ed25519_Verify_Init needs to be done just once
>for many verifications, but then a huge expanded public key is sitting
>around in memory and if I'm not totally mistaken, a sliding-window
>method would still be faster.
The folding technique benefits Signing and Key Gen as well as
Verify(partially) for ed25519. Currently curve25519-DH public key
calculation also uses folding but I am going to switch back to Montgomery
ladder. There is no pre-calculation for these since the tables are part of
For the verify operation, the pre-calculation needs 191D and 11A
(verify_init function). I do not see how you came up with 384D. The total
(pre+post) is 255D and 2W+11 A's where W is the bit size of each fold.
There are some potential saving on the 2W part due to 8-folds of base point
but I have not figure it out yet.
I checked Pippenger's algorithm and did not see any similarity. I am going
to have a look at other references. Thanks for providing this comprehensive
>3) Using multiple tables (so the inner loop is double; add; add; add)
lets you reduce the number of doubles without making the tables too wide.
Can you elaborate on this? Based on the pre-calculations, it is
double-add(P)-add(Q). Are you considering 8 vs 4 combs here?
On Tue, Jun 30, 2015 at 11:41 AM, Michael Hamburg <mike at shiftleft.org>
> I should add to this that I haven’t actually seen a complete comb
> implementation for Curve25519 before, though there might be one somewhere.
> I think Donna (including Floodyberry’s Donna fork) uses the older windowed
> technique. So if you make a nicely tuned implementation, you will be the
> first. I’m working on one as well, but it uses Decaf so it won’t be
> directly compatible with curve25519.
> To tune your comb implementation, here are a few ideas:
> 1) As Peter said, you should probably use constant-time lookups for
> signing, though it isn’t necessary for verification. This will limit you
> to a smaller table.
> 2) Signed binary uses half the table space vs unsigned binary, and also is
> half as expensive if you’re using constant-time lookups. You can convert a
> scalar to signed binary by adding a certain constant (2^width-1 IIRC) and
> halving mod the curve order.
> 3) Using multiple tables (so the inner loop is double; add; add; add) lets
> you reduce the number of doubles without making the tables too wide.
> 4) For any given size, there's a tradeoff between more tables and bigger
> tables. You can optimize that tradeoff with a simple script or spreadsheet.
> — Mike
> On Jun 30, 2015, at 10:56 AM, Mike Hamburg <mike at shiftleft.org> wrote:
> Hi Mehdi,
> I think your "folding" trick has been invented and re-invented many
> times. I came up with it in 2012, and thought it should be called
> "combs". I Googled the term, and found that Pippenger invented it in 1979.
> Lim and Lee reinvented it in 1994. Hankerson-Menezes-Vanstone improved it
> in 2004 (by using multiple tables), as did Hedabou (by using signed
> all-bits-set binary); Feng et al published a different version in 2006
> (signed-MSB-set). The first Ed25519 implementation used a less efficient,
> non-combed variant of the same technique.
> Some of the variants are patented, too, but I think your variant is
> similar to Lim-Lee and so should probably be out of patent by now.
> I think the best variant these days is to combine the 2004 techniques:
> multiple combs, signed-all-bits-set. It's simpler than signed-MSB-set, and
> I think it's the fastest once you have the table. The table is slightly
> slower to compute than signed-MSB-set, which makes that algorithm better in
> a few limited circumstances, but SMSBS is also patented (by Microsoft) and
> SABS is unpatented to the best of my knowledge.
> You're right that fixed-point techniques can be useful for verification
> and not just signing. For example, in a vehicle-to-vehicle setting, you
> will see many signed messages from each car going the same direction as
> you. Verification latency is important, so precomputing a small table on
> another core may be worthwhile if memory permits. A small table can be
> worthwhile even for only 2 signatures, and a larger one for 3.
> -- Mike
> On 06/30/2015 10:26 AM, Peter Schwabe wrote:
> Mehdi Sotoodeh <mehdisotoodeh at gmail.com> <mehdisotoodeh at gmail.com> wrote:
> Dear Mehdi,
> I would like to introduce a remarkable implementation of x25519 and ed25519
> library. The sources are hosted at: https://github.com/msotoodeh/curve25519
> The code is experimental but rather stable. It is compact, portable
> and uses simple design logic. On the security front, it employs
> several measures for side-channel security.
> I only took a quick look at the software, but two things immediately
> caught my eye.
> The first aspect is that the Curve25519 implementation uses secretly
> indexed memory access which is a possible source for timing attacks.
> State-of-the-art Curve25519 implementations avoid this by using
> constant-time conditional swaps.
> Similar statements apply to the table lookup in the fixed-basepoint
> scalar multiplication, but those would be much more expensive to
> But the most remarkable feature is speed. This library sets new speed
> records. It uses a new technique I call it FOLDING for achieving this goal.
> FOLDING chops the scalar multiplier into n pieces (or folds) and operates
> on the folds simultaneously reducing number of point operations by a factor
> of 4 or 8. For example, ed25519 signature takes 31 point doubling and 31
> point additions.
> The second thing is: It's great to hear about new speed records!
> Are you planning to support the SUPERCOP API and submit to eBATS so that
> the software can be publicly benchmarked on a large bunch of computers?
> My understanding is that the technique that you call folding is only
> efficient for signing; the verification part needs a precomputation
> which is just way too expensive: it needs 384 point doublings! You will
> probably answer that the ed25519_Verify_Init needs to be done just once
> for many verifications, but then a huge expanded public key is sitting
> around in memory and if I'm not totally mistaken, a sliding-window
> method would still be faster.
> Best regards,
> Curves mailing listCurves at moderncrypto.orghttps://moderncrypto.org/mailman/listinfo/curves
> Curves mailing list
> Curves at moderncrypto.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Curves