![Page 1: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/1.jpg)
EdDSA signatures and Ed25519
Peter Schwabe
Joint work with Daniel J. Bernstein, Niels Duif,Tanja Lange, and Bo-Yin Yang
February 20, 2012
Coding Theory and Cryptography Seminar, University of Basel
![Page 2: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/2.jpg)
A few words about Taiwan and Academia Sinica
I Taiwan (台灣) is an island south of ChinaI About 36,200 km2 largeI Territory of the Republic of China (not to be confused with the
People’s Republic of China)I Capital is Taipei (台北)I Marine tropical climate
I 99 summits over 3000 meters (highest peak: 3952 m)I Wildlife includes black bears, salmon, monkeys. . .I Academia Sinica is a research facility funded by ROCI About 30 institutesI About 800 principal investigators, more than 750 postdocs
EdDSA signatures and Ed25519 2
![Page 3: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/3.jpg)
A few words about Taiwan and Academia Sinica
I Taiwan (台灣) is an island south of ChinaI About 36,200 km2 largeI Territory of the Republic of China (not to be confused with the
People’s Republic of China)I Capital is Taipei (台北)I Marine tropical climateI 99 summits over 3000 meters (highest peak: 3952 m)I Wildlife includes black bears, salmon, monkeys. . .
I Academia Sinica is a research facility funded by ROCI About 30 institutesI About 800 principal investigators, more than 750 postdocs
EdDSA signatures and Ed25519 2
![Page 4: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/4.jpg)
A few words about Taiwan and Academia Sinica
I Taiwan (台灣) is an island south of ChinaI About 36,200 km2 largeI Territory of the Republic of China (not to be confused with the
People’s Republic of China)I Capital is Taipei (台北)I Marine tropical climateI 99 summits over 3000 meters (highest peak: 3952 m)I Wildlife includes black bears, salmon, monkeys. . .I Academia Sinica is a research facility funded by ROCI About 30 institutesI About 800 principal investigators, more than 750 postdocs
EdDSA signatures and Ed25519 2
![Page 5: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/5.jpg)
Introduction – the NaCl library
EdDSA signatures and Ed25519 3
![Page 6: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/6.jpg)
How it startedI My research during Ph.D. was within the European project CACE
(Computer Aided Cryptography Engineering)I One of the deliverables: Networking and Cryptography Library
(NaCl, pronounced “salt”)
I Aim of this library: High-speed, high-security, easy-to-usecryptographic protection for network communication
I We are willing to sacrifice compatability to other crypto librariesI At the end of 2010 the library contained
I the stream cipher Salsa20,I the Poly1305 secret-key authenticator, andI Curve25519 elliptic-curve Diffie-Hellman key-exchange software.
I This is wrapped in a crypto_box API that performs high-securitypublic-key authenticated encryption
I This serves the typical one-to-one communication of most internetconnections
I Still required at the end of 2010: One-to-many authentication, i.e.cryptographic signatures
EdDSA signatures and Ed25519 4
![Page 7: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/7.jpg)
How it startedI My research during Ph.D. was within the European project CACE
(Computer Aided Cryptography Engineering)I One of the deliverables: Networking and Cryptography Library
(NaCl, pronounced “salt”)I Aim of this library: High-speed, high-security, easy-to-use
cryptographic protection for network communication
I We are willing to sacrifice compatability to other crypto librariesI At the end of 2010 the library contained
I the stream cipher Salsa20,I the Poly1305 secret-key authenticator, andI Curve25519 elliptic-curve Diffie-Hellman key-exchange software.
I This is wrapped in a crypto_box API that performs high-securitypublic-key authenticated encryption
I This serves the typical one-to-one communication of most internetconnections
I Still required at the end of 2010: One-to-many authentication, i.e.cryptographic signatures
EdDSA signatures and Ed25519 4
![Page 8: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/8.jpg)
How it startedI My research during Ph.D. was within the European project CACE
(Computer Aided Cryptography Engineering)I One of the deliverables: Networking and Cryptography Library
(NaCl, pronounced “salt”)I Aim of this library: High-speed, high-security, easy-to-use
cryptographic protection for network communicationI We are willing to sacrifice compatability to other crypto libraries
I At the end of 2010 the library contained
I the stream cipher Salsa20,I the Poly1305 secret-key authenticator, andI Curve25519 elliptic-curve Diffie-Hellman key-exchange software.
I This is wrapped in a crypto_box API that performs high-securitypublic-key authenticated encryption
I This serves the typical one-to-one communication of most internetconnections
I Still required at the end of 2010: One-to-many authentication, i.e.cryptographic signatures
EdDSA signatures and Ed25519 4
![Page 9: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/9.jpg)
How it startedI My research during Ph.D. was within the European project CACE
(Computer Aided Cryptography Engineering)I One of the deliverables: Networking and Cryptography Library
(NaCl, pronounced “salt”)I Aim of this library: High-speed, high-security, easy-to-use
cryptographic protection for network communicationI We are willing to sacrifice compatability to other crypto librariesI At the end of 2010 the library contained
I the stream cipher Salsa20,I the Poly1305 secret-key authenticator, andI Curve25519 elliptic-curve Diffie-Hellman key-exchange software.
I This is wrapped in a crypto_box API that performs high-securitypublic-key authenticated encryption
I This serves the typical one-to-one communication of most internetconnections
I Still required at the end of 2010: One-to-many authentication, i.e.cryptographic signatures
EdDSA signatures and Ed25519 4
![Page 10: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/10.jpg)
How it startedI My research during Ph.D. was within the European project CACE
(Computer Aided Cryptography Engineering)I One of the deliverables: Networking and Cryptography Library
(NaCl, pronounced “salt”)I Aim of this library: High-speed, high-security, easy-to-use
cryptographic protection for network communicationI We are willing to sacrifice compatability to other crypto librariesI At the end of 2010 the library contained
I the stream cipher Salsa20,I the Poly1305 secret-key authenticator, andI Curve25519 elliptic-curve Diffie-Hellman key-exchange software.
I This is wrapped in a crypto_box API that performs high-securitypublic-key authenticated encryption
I This serves the typical one-to-one communication of most internetconnections
I Still required at the end of 2010: One-to-many authentication, i.e.cryptographic signatures
EdDSA signatures and Ed25519 4
![Page 11: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/11.jpg)
How it startedI My research during Ph.D. was within the European project CACE
(Computer Aided Cryptography Engineering)I One of the deliverables: Networking and Cryptography Library
(NaCl, pronounced “salt”)I Aim of this library: High-speed, high-security, easy-to-use
cryptographic protection for network communicationI We are willing to sacrifice compatability to other crypto librariesI At the end of 2010 the library contained
I the stream cipher Salsa20,I the Poly1305 secret-key authenticator, andI Curve25519 elliptic-curve Diffie-Hellman key-exchange software.
I This is wrapped in a crypto_box API that performs high-securitypublic-key authenticated encryption
I This serves the typical one-to-one communication of most internetconnections
I Still required at the end of 2010: One-to-many authentication, i.e.cryptographic signatures
EdDSA signatures and Ed25519 4
![Page 12: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/12.jpg)
Designing a public-key signature scheme
I Core requirements: 128-bit security, fast signing, fast verification,secure software implementation
I Obvious candidates: RSA, ElGamal, DSA, ECDSA, Schnorr. . .
I Conventional wisdom: ECC is faster than anything based onfactoring or the DLP in Z∗
n
I (Twisted) Edwards curves support very fast arithmeticI Edwards addition is complete (important for secure implementations)I Curve25519 has an Edwards representation and offers very high
securityI Looks like “some” signature scheme using Edwards arithmetic on
Curve25519 is a good choice
EdDSA signatures and Ed25519 5
![Page 13: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/13.jpg)
Designing a public-key signature scheme
I Core requirements: 128-bit security, fast signing, fast verification,secure software implementation
I Obvious candidates: RSA, ElGamal, DSA, ECDSA, Schnorr. . .I Conventional wisdom: ECC is faster than anything based on
factoring or the DLP in Z∗n
I (Twisted) Edwards curves support very fast arithmeticI Edwards addition is complete (important for secure implementations)I Curve25519 has an Edwards representation and offers very high
security
I Looks like “some” signature scheme using Edwards arithmetic onCurve25519 is a good choice
EdDSA signatures and Ed25519 5
![Page 14: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/14.jpg)
Designing a public-key signature scheme
I Core requirements: 128-bit security, fast signing, fast verification,secure software implementation
I Obvious candidates: RSA, ElGamal, DSA, ECDSA, Schnorr. . .I Conventional wisdom: ECC is faster than anything based on
factoring or the DLP in Z∗n
I (Twisted) Edwards curves support very fast arithmeticI Edwards addition is complete (important for secure implementations)I Curve25519 has an Edwards representation and offers very high
securityI Looks like “some” signature scheme using Edwards arithmetic on
Curve25519 is a good choice
EdDSA signatures and Ed25519 5
![Page 15: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/15.jpg)
One step back: Is ECC really faster than, e.g., RSA?
I RSA with public exponent e = 3 can verify signatures with just onemodular multiplication and one squaring
I Very hard to beat with any elliptic-curve-based signature scheme
I Verification speed primarily matters in applications that need toverify many signatures
I Idea: To get close to RSA verification speed, support batchverification
I Easier: Verify batches of signatures under the same public keyI Harder (but much more useful!): Verify batches of signatures under
different public keysI We don’t know where the NaCl library is used, so support the latterI None of the above-mentioned schemes supports fast batch
verificationI Schnorr signatures only require small changes (and have many nice
features anyways)
⇒ Start with Schnorr signatures, modify as required
EdDSA signatures and Ed25519 6
![Page 16: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/16.jpg)
One step back: Is ECC really faster than, e.g., RSA?
I RSA with public exponent e = 3 can verify signatures with just onemodular multiplication and one squaring
I Very hard to beat with any elliptic-curve-based signature schemeI Verification speed primarily matters in applications that need to
verify many signaturesI Idea: To get close to RSA verification speed, support batch
verification
I Easier: Verify batches of signatures under the same public keyI Harder (but much more useful!): Verify batches of signatures under
different public keysI We don’t know where the NaCl library is used, so support the latterI None of the above-mentioned schemes supports fast batch
verificationI Schnorr signatures only require small changes (and have many nice
features anyways)
⇒ Start with Schnorr signatures, modify as required
EdDSA signatures and Ed25519 6
![Page 17: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/17.jpg)
One step back: Is ECC really faster than, e.g., RSA?
I RSA with public exponent e = 3 can verify signatures with just onemodular multiplication and one squaring
I Very hard to beat with any elliptic-curve-based signature schemeI Verification speed primarily matters in applications that need to
verify many signaturesI Idea: To get close to RSA verification speed, support batch
verificationI Easier: Verify batches of signatures under the same public keyI Harder (but much more useful!): Verify batches of signatures under
different public keysI We don’t know where the NaCl library is used, so support the latter
I None of the above-mentioned schemes supports fast batchverification
I Schnorr signatures only require small changes (and have many nicefeatures anyways)
⇒ Start with Schnorr signatures, modify as required
EdDSA signatures and Ed25519 6
![Page 18: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/18.jpg)
One step back: Is ECC really faster than, e.g., RSA?
I RSA with public exponent e = 3 can verify signatures with just onemodular multiplication and one squaring
I Very hard to beat with any elliptic-curve-based signature schemeI Verification speed primarily matters in applications that need to
verify many signaturesI Idea: To get close to RSA verification speed, support batch
verificationI Easier: Verify batches of signatures under the same public keyI Harder (but much more useful!): Verify batches of signatures under
different public keysI We don’t know where the NaCl library is used, so support the latterI None of the above-mentioned schemes supports fast batch
verificationI Schnorr signatures only require small changes (and have many nice
features anyways)
⇒ Start with Schnorr signatures, modify as required
EdDSA signatures and Ed25519 6
![Page 19: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/19.jpg)
One step back: Is ECC really faster than, e.g., RSA?
I RSA with public exponent e = 3 can verify signatures with just onemodular multiplication and one squaring
I Very hard to beat with any elliptic-curve-based signature schemeI Verification speed primarily matters in applications that need to
verify many signaturesI Idea: To get close to RSA verification speed, support batch
verificationI Easier: Verify batches of signatures under the same public keyI Harder (but much more useful!): Verify batches of signatures under
different public keysI We don’t know where the NaCl library is used, so support the latterI None of the above-mentioned schemes supports fast batch
verificationI Schnorr signatures only require small changes (and have many nice
features anyways)
⇒ Start with Schnorr signatures, modify as requiredEdDSA signatures and Ed25519 6
![Page 20: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/20.jpg)
Recall Schnorr signatures
I Variant of ElGamal SignaturesI Many more variants (DSA, ECDSA, KCDSA, . . . )I Uses finite group G = 〈B〉, with |G| = `
I Uses hash-function H : G× Z→ {0, . . . , 2t − 1}I Originally: G ≤ F∗
q , here: consider elliptic-curve group
I Private key: a ∈ {1, . . . , `}, public key: A = −aBI Sign: Generate secret random r ∈ {1, . . . , `}, compute signature
(H(R,M), S) on M with
R = rB
S = (r +H(R,M)a) mod `
I Verifier computes R = SB +H(R,M)A and checks that
H(R,M) = H(R,M)
EdDSA signatures and Ed25519 7
![Page 21: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/21.jpg)
Recall Schnorr signatures
I Variant of ElGamal SignaturesI Many more variants (DSA, ECDSA, KCDSA, . . . )I Uses finite group G = 〈B〉, with |G| = `
I Uses hash-function H : G× Z→ {0, . . . , 2t − 1}I Originally: G ≤ F∗
q , here: consider elliptic-curve groupI Private key: a ∈ {1, . . . , `}, public key: A = −aB
I Sign: Generate secret random r ∈ {1, . . . , `}, compute signature(H(R,M), S) on M with
R = rB
S = (r +H(R,M)a) mod `
I Verifier computes R = SB +H(R,M)A and checks that
H(R,M) = H(R,M)
EdDSA signatures and Ed25519 7
![Page 22: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/22.jpg)
Recall Schnorr signatures
I Variant of ElGamal SignaturesI Many more variants (DSA, ECDSA, KCDSA, . . . )I Uses finite group G = 〈B〉, with |G| = `
I Uses hash-function H : G× Z→ {0, . . . , 2t − 1}I Originally: G ≤ F∗
q , here: consider elliptic-curve groupI Private key: a ∈ {1, . . . , `}, public key: A = −aBI Sign: Generate secret random r ∈ {1, . . . , `}, compute signature
(H(R,M), S) on M with
R = rB
S = (r +H(R,M)a) mod `
I Verifier computes R = SB +H(R,M)A and checks that
H(R,M) = H(R,M)
EdDSA signatures and Ed25519 7
![Page 23: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/23.jpg)
Recall Schnorr signatures
I Variant of ElGamal SignaturesI Many more variants (DSA, ECDSA, KCDSA, . . . )I Uses finite group G = 〈B〉, with |G| = `
I Uses hash-function H : G× Z→ {0, . . . , 2t − 1}I Originally: G ≤ F∗
q , here: consider elliptic-curve groupI Private key: a ∈ {1, . . . , `}, public key: A = −aBI Sign: Generate secret random r ∈ {1, . . . , `}, compute signature
(H(R,M), S) on M with
R = rB
S = (r +H(R,M)a) mod `
I Verifier computes R = SB +H(R,M)A and checks that
H(R,M) = H(R,M)
EdDSA signatures and Ed25519 7
![Page 24: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/24.jpg)
The EdDSA signature scheme
EdDSA signatures and Ed25519 8
![Page 25: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/25.jpg)
EdDSA and Ed25519 parameters
EdDSAI Integer b ≥ 10
I Prime power q ≡ 1 (mod 4)
I (b− 1)-bit encoding ofelements of Fq
I Hash function H with 2b-bitoutput
I Non-square d ∈ Fq
I B ∈ {(x, y) ∈Fq×Fq,−x2+y2 = 1+dx2y2}(twisted Edwards curve E)
I prime ` ∈ (2b−4, 2b−3) with`B = (0, 1)
Ed25519-SHA-512I b = 256
I q = 2255 − 19 (prime)I little-endian encoding of{0, . . . , 2255 − 20}
I H = SHA-512
I d = −121665/121666I B = (x, 4/5), with x “even”
I ` a 253-bit prime
Ed25519 curve is birationally equivalent to the Curve25519 curve.
EdDSA signatures and Ed25519 9
![Page 26: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/26.jpg)
EdDSA and Ed25519 parameters
EdDSAI Integer b ≥ 10
I Prime power q ≡ 1 (mod 4)
I (b− 1)-bit encoding ofelements of Fq
I Hash function H with 2b-bitoutput
I Non-square d ∈ Fq
I B ∈ {(x, y) ∈Fq×Fq,−x2+y2 = 1+dx2y2}(twisted Edwards curve E)
I prime ` ∈ (2b−4, 2b−3) with`B = (0, 1)
Ed25519-SHA-512I b = 256
I q = 2255 − 19 (prime)I little-endian encoding of{0, . . . , 2255 − 20}
I H = SHA-512
I d = −121665/121666I B = (x, 4/5), with x “even”
I ` a 253-bit prime
Ed25519 curve is birationally equivalent to the Curve25519 curve.
EdDSA signatures and Ed25519 9
![Page 27: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/27.jpg)
EdDSA and Ed25519 parameters
EdDSAI Integer b ≥ 10
I Prime power q ≡ 1 (mod 4)
I (b− 1)-bit encoding ofelements of Fq
I Hash function H with 2b-bitoutput
I Non-square d ∈ Fq
I B ∈ {(x, y) ∈Fq×Fq,−x2+y2 = 1+dx2y2}(twisted Edwards curve E)
I prime ` ∈ (2b−4, 2b−3) with`B = (0, 1)
Ed25519-SHA-512I b = 256
I q = 2255 − 19 (prime)I little-endian encoding of{0, . . . , 2255 − 20}
I H = SHA-512
I d = −121665/121666I B = (x, 4/5), with x “even”
I ` a 253-bit prime
Ed25519 curve is birationally equivalent to the Curve25519 curve.
EdDSA signatures and Ed25519 9
![Page 28: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/28.jpg)
EdDSA and Ed25519 parameters
EdDSAI Integer b ≥ 10
I Prime power q ≡ 1 (mod 4)
I (b− 1)-bit encoding ofelements of Fq
I Hash function H with 2b-bitoutput
I Non-square d ∈ Fq
I B ∈ {(x, y) ∈Fq×Fq,−x2+y2 = 1+dx2y2}(twisted Edwards curve E)
I prime ` ∈ (2b−4, 2b−3) with`B = (0, 1)
Ed25519-SHA-512I b = 256
I q = 2255 − 19 (prime)I little-endian encoding of{0, . . . , 2255 − 20}
I H = SHA-512
I d = −121665/121666I B = (x, 4/5), with x “even”
I ` a 253-bit prime
Ed25519 curve is birationally equivalent to the Curve25519 curve.
EdDSA signatures and Ed25519 9
![Page 29: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/29.jpg)
EdDSA and Ed25519 parameters
EdDSAI Integer b ≥ 10
I Prime power q ≡ 1 (mod 4)
I (b− 1)-bit encoding ofelements of Fq
I Hash function H with 2b-bitoutput
I Non-square d ∈ Fq
I B ∈ {(x, y) ∈Fq×Fq,−x2+y2 = 1+dx2y2}(twisted Edwards curve E)
I prime ` ∈ (2b−4, 2b−3) with`B = (0, 1)
Ed25519-SHA-512I b = 256
I q = 2255 − 19 (prime)I little-endian encoding of{0, . . . , 2255 − 20}
I H = SHA-512
I d = −121665/121666I B = (x, 4/5), with x “even”
I ` a 253-bit prime
Ed25519 curve is birationally equivalent to the Curve25519 curve.
EdDSA signatures and Ed25519 9
![Page 30: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/30.jpg)
EdDSA keys
I Secret key: b-bit string kI Compute H(k) = (h0, . . . , h2b−1)
I Derive integer a = 2b−2 +∑
3≤i≤b−3 2ihi
I Note that a is a multiple of 8I Compute A = aB
I Public key: Encoding A of A = (xA, yA) as yA and one (parity) bitof xA (needs b bits)
I Compute A from A: xA = ±√(y2A − 1)/(dy2A + 1)
EdDSA signatures and Ed25519 10
![Page 31: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/31.jpg)
EdDSA keys
I Secret key: b-bit string kI Compute H(k) = (h0, . . . , h2b−1)
I Derive integer a = 2b−2 +∑
3≤i≤b−3 2ihi
I Note that a is a multiple of 8
I Compute A = aB
I Public key: Encoding A of A = (xA, yA) as yA and one (parity) bitof xA (needs b bits)
I Compute A from A: xA = ±√(y2A − 1)/(dy2A + 1)
EdDSA signatures and Ed25519 10
![Page 32: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/32.jpg)
EdDSA keys
I Secret key: b-bit string kI Compute H(k) = (h0, . . . , h2b−1)
I Derive integer a = 2b−2 +∑
3≤i≤b−3 2ihi
I Note that a is a multiple of 8I Compute A = aB
I Public key: Encoding A of A = (xA, yA) as yA and one (parity) bitof xA (needs b bits)
I Compute A from A: xA = ±√(y2A − 1)/(dy2A + 1)
EdDSA signatures and Ed25519 10
![Page 33: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/33.jpg)
EdDSA keys
I Secret key: b-bit string kI Compute H(k) = (h0, . . . , h2b−1)
I Derive integer a = 2b−2 +∑
3≤i≤b−3 2ihi
I Note that a is a multiple of 8I Compute A = aB
I Public key: Encoding A of A = (xA, yA) as yA and one (parity) bitof xA (needs b bits)
I Compute A from A: xA = ±√(y2A − 1)/(dy2A + 1)
EdDSA signatures and Ed25519 10
![Page 34: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/34.jpg)
EdDSA signatures
SigningI Message M determines r = H(hb, . . . , h2b−1,M) ∈ {0, . . . , 22b − 1}I Define R = rB
I Define S = (r +H(R,A,M)a) mod `
I Signature: (R,S), with S the b-bit little-endian encoding of SI (R,S) has 2b bits (3 known to be zero)
VerificationI Verifier parses A from A and R from R
I Computes H(R,A,M)
I Checks group equation
8SB = 8R+ 8H(R,A,M)A
I Rejects if parsing fails or equation does not hold
EdDSA signatures and Ed25519 11
![Page 35: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/35.jpg)
EdDSA signatures
SigningI Message M determines r = H(hb, . . . , h2b−1,M) ∈ {0, . . . , 22b − 1}I Define R = rB
I Define S = (r +H(R,A,M)a) mod `
I Signature: (R,S), with S the b-bit little-endian encoding of SI (R,S) has 2b bits (3 known to be zero)
VerificationI Verifier parses A from A and R from R
I Computes H(R,A,M)
I Checks group equation
8SB = 8R+ 8H(R,A,M)A
I Rejects if parsing fails or equation does not hold
EdDSA signatures and Ed25519 11
![Page 36: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/36.jpg)
EdDSA and Ed25519 security
EdDSA signatures and Ed25519 12
![Page 37: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/37.jpg)
Collision resilience
I ECDSA uses H(M)
I Collisions in H allow existential forgery
I Schnorr signatures and EdDSA include R in the hash
I Schnorr: H(R,M)I EdDSA: H(R,A,M)
I Signatures are hash-function-collision resilientI Including A alleviates concerns about attacks against multiple keys
EdDSA signatures and Ed25519 13
![Page 38: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/38.jpg)
Collision resilience
I ECDSA uses H(M)
I Collisions in H allow existential forgeryI Schnorr signatures and EdDSA include R in the hash
I Schnorr: H(R,M)I EdDSA: H(R,A,M)
I Signatures are hash-function-collision resilient
I Including A alleviates concerns about attacks against multiple keys
EdDSA signatures and Ed25519 13
![Page 39: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/39.jpg)
Collision resilience
I ECDSA uses H(M)
I Collisions in H allow existential forgeryI Schnorr signatures and EdDSA include R in the hash
I Schnorr: H(R,M)I EdDSA: H(R,A,M)
I Signatures are hash-function-collision resilientI Including A alleviates concerns about attacks against multiple keys
EdDSA signatures and Ed25519 13
![Page 40: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/40.jpg)
Foolproof session keys
I Each message needs a different, hard-to-predict r (“session key”)I Just knowing a few bits of r for many signatures allows to recover aI Usual approach (e.g., Schnorr signatures): Choose random r for
each message
I Potential problems: Bad random-number generators,off-by-one(-byte) bugs
I Even worse: No random-number generator: Sony’s PS3 securitydisaster
I EdDSA uses deterministic, pseudo-random session keysH(hb, . . . , h2b−1,M)
I Same security as random r under standard PRF assumptionsI Does not consume per-message randomnessI Better for testing (deterministic output)
EdDSA signatures and Ed25519 14
![Page 41: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/41.jpg)
Foolproof session keys
I Each message needs a different, hard-to-predict r (“session key”)I Just knowing a few bits of r for many signatures allows to recover aI Usual approach (e.g., Schnorr signatures): Choose random r for
each messageI Potential problems: Bad random-number generators,
off-by-one(-byte) bugs
I Even worse: No random-number generator: Sony’s PS3 securitydisaster
I EdDSA uses deterministic, pseudo-random session keysH(hb, . . . , h2b−1,M)
I Same security as random r under standard PRF assumptionsI Does not consume per-message randomnessI Better for testing (deterministic output)
EdDSA signatures and Ed25519 14
![Page 42: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/42.jpg)
Foolproof session keys
I Each message needs a different, hard-to-predict r (“session key”)I Just knowing a few bits of r for many signatures allows to recover aI Usual approach (e.g., Schnorr signatures): Choose random r for
each messageI Potential problems: Bad random-number generators,
off-by-one(-byte) bugsI Even worse: No random-number generator: Sony’s PS3 security
disaster
I EdDSA uses deterministic, pseudo-random session keysH(hb, . . . , h2b−1,M)
I Same security as random r under standard PRF assumptionsI Does not consume per-message randomnessI Better for testing (deterministic output)
EdDSA signatures and Ed25519 14
![Page 43: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/43.jpg)
Foolproof session keys
I Each message needs a different, hard-to-predict r (“session key”)I Just knowing a few bits of r for many signatures allows to recover aI Usual approach (e.g., Schnorr signatures): Choose random r for
each messageI Potential problems: Bad random-number generators,
off-by-one(-byte) bugsI Even worse: No random-number generator: Sony’s PS3 security
disasterI EdDSA uses deterministic, pseudo-random session keysH(hb, . . . , h2b−1,M)
I Same security as random r under standard PRF assumptionsI Does not consume per-message randomnessI Better for testing (deterministic output)
EdDSA signatures and Ed25519 14
![Page 44: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/44.jpg)
Foolproof session keys
I Each message needs a different, hard-to-predict r (“session key”)I Just knowing a few bits of r for many signatures allows to recover aI Usual approach (e.g., Schnorr signatures): Choose random r for
each messageI Potential problems: Bad random-number generators,
off-by-one(-byte) bugsI Even worse: No random-number generator: Sony’s PS3 security
disasterI EdDSA uses deterministic, pseudo-random session keysH(hb, . . . , h2b−1,M)
I Same security as random r under standard PRF assumptionsI Does not consume per-message randomnessI Better for testing (deterministic output)
EdDSA signatures and Ed25519 14
![Page 45: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/45.jpg)
Constant-time implementationAvoiding secret branch conditions
I Many scalar-multiplication algorithms contain parts likeif(s) do Aelse do B
where s is a part (e.g., a bit) of the secret scalar
I Program takes different amount of time depending on the value of sI This is true, even if A and B take the same amount of time!I Reason: Branch predictors contained in all modern CPUsI Attacker can gain information about the secret scalar by timing the
execution of the programI In 2011, Brumley and Tuveri recoverd the OpenSSL ECDSA secret
signing key through such a timing attackI Ed25519 software does not contain any secret branch
conditions
EdDSA signatures and Ed25519 15
![Page 46: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/46.jpg)
Constant-time implementationAvoiding secret branch conditions
I Many scalar-multiplication algorithms contain parts likeif(s) do Aelse do B
where s is a part (e.g., a bit) of the secret scalarI Program takes different amount of time depending on the value of s
I This is true, even if A and B take the same amount of time!I Reason: Branch predictors contained in all modern CPUsI Attacker can gain information about the secret scalar by timing the
execution of the programI In 2011, Brumley and Tuveri recoverd the OpenSSL ECDSA secret
signing key through such a timing attackI Ed25519 software does not contain any secret branch
conditions
EdDSA signatures and Ed25519 15
![Page 47: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/47.jpg)
Constant-time implementationAvoiding secret branch conditions
I Many scalar-multiplication algorithms contain parts likeif(s) do Aelse do B
where s is a part (e.g., a bit) of the secret scalarI Program takes different amount of time depending on the value of sI This is true, even if A and B take the same amount of time!I Reason: Branch predictors contained in all modern CPUs
I Attacker can gain information about the secret scalar by timing theexecution of the program
I In 2011, Brumley and Tuveri recoverd the OpenSSL ECDSA secretsigning key through such a timing attack
I Ed25519 software does not contain any secret branchconditions
EdDSA signatures and Ed25519 15
![Page 48: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/48.jpg)
Constant-time implementationAvoiding secret branch conditions
I Many scalar-multiplication algorithms contain parts likeif(s) do Aelse do B
where s is a part (e.g., a bit) of the secret scalarI Program takes different amount of time depending on the value of sI This is true, even if A and B take the same amount of time!I Reason: Branch predictors contained in all modern CPUsI Attacker can gain information about the secret scalar by timing the
execution of the program
I In 2011, Brumley and Tuveri recoverd the OpenSSL ECDSA secretsigning key through such a timing attack
I Ed25519 software does not contain any secret branchconditions
EdDSA signatures and Ed25519 15
![Page 49: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/49.jpg)
Constant-time implementationAvoiding secret branch conditions
I Many scalar-multiplication algorithms contain parts likeif(s) do Aelse do B
where s is a part (e.g., a bit) of the secret scalarI Program takes different amount of time depending on the value of sI This is true, even if A and B take the same amount of time!I Reason: Branch predictors contained in all modern CPUsI Attacker can gain information about the secret scalar by timing the
execution of the programI In 2011, Brumley and Tuveri recoverd the OpenSSL ECDSA secret
signing key through such a timing attack
I Ed25519 software does not contain any secret branchconditions
EdDSA signatures and Ed25519 15
![Page 50: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/50.jpg)
Constant-time implementationAvoiding secret branch conditions
I Many scalar-multiplication algorithms contain parts likeif(s) do Aelse do B
where s is a part (e.g., a bit) of the secret scalarI Program takes different amount of time depending on the value of sI This is true, even if A and B take the same amount of time!I Reason: Branch predictors contained in all modern CPUsI Attacker can gain information about the secret scalar by timing the
execution of the programI In 2011, Brumley and Tuveri recoverd the OpenSSL ECDSA secret
signing key through such a timing attackI Ed25519 software does not contain any secret branch
conditions
EdDSA signatures and Ed25519 15
![Page 51: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/51.jpg)
Constant-time implementationAvoiding secret lookup indices
I In particular fixed-basepoint scalar-multiplication algorithms containparts likeP += precomputed_points[s]
where s is a part (e.g., a bit) of the secret scalar
I Loading from memory can take a different amount of timedepending on the (secret) address s
I Reason: Access to memory is cached, if data is found in cache theload is fast (cache hit), otherwise it’s slow
I Again: Attacker can gain information about the secret scalar bytiming the exeuction of the program
I In 2005, Osvik, Shamir, and Tromer discovered the AES key used forhard-disk encryption in Linux in just 65 ms using such acache-timing attack
I Ed25519 software does not perform any loads from secretaddresses
EdDSA signatures and Ed25519 16
![Page 52: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/52.jpg)
Constant-time implementationAvoiding secret lookup indices
I In particular fixed-basepoint scalar-multiplication algorithms containparts likeP += precomputed_points[s]
where s is a part (e.g., a bit) of the secret scalarI Loading from memory can take a different amount of time
depending on the (secret) address sI Reason: Access to memory is cached, if data is found in cache the
load is fast (cache hit), otherwise it’s slow
I Again: Attacker can gain information about the secret scalar bytiming the exeuction of the program
I In 2005, Osvik, Shamir, and Tromer discovered the AES key used forhard-disk encryption in Linux in just 65 ms using such acache-timing attack
I Ed25519 software does not perform any loads from secretaddresses
EdDSA signatures and Ed25519 16
![Page 53: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/53.jpg)
Constant-time implementationAvoiding secret lookup indices
I In particular fixed-basepoint scalar-multiplication algorithms containparts likeP += precomputed_points[s]
where s is a part (e.g., a bit) of the secret scalarI Loading from memory can take a different amount of time
depending on the (secret) address sI Reason: Access to memory is cached, if data is found in cache the
load is fast (cache hit), otherwise it’s slowI Again: Attacker can gain information about the secret scalar by
timing the exeuction of the program
I In 2005, Osvik, Shamir, and Tromer discovered the AES key used forhard-disk encryption in Linux in just 65 ms using such acache-timing attack
I Ed25519 software does not perform any loads from secretaddresses
EdDSA signatures and Ed25519 16
![Page 54: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/54.jpg)
Constant-time implementationAvoiding secret lookup indices
I In particular fixed-basepoint scalar-multiplication algorithms containparts likeP += precomputed_points[s]
where s is a part (e.g., a bit) of the secret scalarI Loading from memory can take a different amount of time
depending on the (secret) address sI Reason: Access to memory is cached, if data is found in cache the
load is fast (cache hit), otherwise it’s slowI Again: Attacker can gain information about the secret scalar by
timing the exeuction of the programI In 2005, Osvik, Shamir, and Tromer discovered the AES key used for
hard-disk encryption in Linux in just 65 ms using such acache-timing attack
I Ed25519 software does not perform any loads from secretaddresses
EdDSA signatures and Ed25519 16
![Page 55: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/55.jpg)
Constant-time implementationAvoiding secret lookup indices
I In particular fixed-basepoint scalar-multiplication algorithms containparts likeP += precomputed_points[s]
where s is a part (e.g., a bit) of the secret scalarI Loading from memory can take a different amount of time
depending on the (secret) address sI Reason: Access to memory is cached, if data is found in cache the
load is fast (cache hit), otherwise it’s slowI Again: Attacker can gain information about the secret scalar by
timing the exeuction of the programI In 2005, Osvik, Shamir, and Tromer discovered the AES key used for
hard-disk encryption in Linux in just 65 ms using such acache-timing attack
I Ed25519 software does not perform any loads from secretaddresses
EdDSA signatures and Ed25519 16
![Page 56: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/56.jpg)
Speed of Ed25519
EdDSA signatures and Ed25519 17
![Page 57: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/57.jpg)
Fast arithmetic in F2255−19
Radix 264
I Standard: break elements of F2255−19 into 4 64-bit integersI (Schoolbook) multiplication breaks down into 16 64-bit integer
multiplicationsI Adding up partial results requires many add-with-carry (adc)I Westmere bottleneck: 1 adc every two cycles vs. 3 add per cycle
Radix 251
I Instead break into 5 64-bit integers, use radix 251
I Schoolbook multiplication now 25 64-bit integer multiplicationsI Partial results have < 128 bits, adding upper part is add, not adcI Easy to merge multiplication with reduction (multiplies by 19)I Better performance on Westmere/Nehalem, worse on 65 nm Core 2
and AMD processors
EdDSA signatures and Ed25519 18
![Page 58: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/58.jpg)
Fast arithmetic in F2255−19
Radix 264
I Standard: break elements of F2255−19 into 4 64-bit integersI (Schoolbook) multiplication breaks down into 16 64-bit integer
multiplicationsI Adding up partial results requires many add-with-carry (adc)I Westmere bottleneck: 1 adc every two cycles vs. 3 add per cycle
Radix 251
I Instead break into 5 64-bit integers, use radix 251
I Schoolbook multiplication now 25 64-bit integer multiplicationsI Partial results have < 128 bits, adding upper part is add, not adcI Easy to merge multiplication with reduction (multiplies by 19)I Better performance on Westmere/Nehalem, worse on 65 nm Core 2
and AMD processors
EdDSA signatures and Ed25519 18
![Page 59: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/59.jpg)
Fast signing
I Main computational task: Compute R = rB
I First compute r mod `, write it as r0 + 16r1 + · · ·+ 1663r63, with
ri ∈ {−8,−7,−6,−5,−4,−3,−2,−1, 0, 1, 2, 3, 4, 5, 6, 7}
I Precompute 16i|ri|B for i = 0, . . . , 63 and |ri| ∈ {1, . . . , 8}, in alookup table at compile time
I Compute R =∑63
i=0 16iriB
I 64 table lookups, 64 conditional point negations, 63 point additionsI Wait, table lookups?I In each lookup load all 8 relevant entries from the table, use
arithmetic to obtain the desired oneI Signing takes 87548 cycles on an Intel Westmere CPUI Key generation takes about 6000 cycles more (read from
/dev/urandom)
EdDSA signatures and Ed25519 19
![Page 60: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/60.jpg)
Fast signing
I Main computational task: Compute R = rB
I First compute r mod `, write it as r0 + 16r1 + · · ·+ 1663r63, with
ri ∈ {−8,−7,−6,−5,−4,−3,−2,−1, 0, 1, 2, 3, 4, 5, 6, 7}
I Precompute 16i|ri|B for i = 0, . . . , 63 and |ri| ∈ {1, . . . , 8}, in alookup table at compile time
I Compute R =∑63
i=0 16iriB
I 64 table lookups, 64 conditional point negations, 63 point additionsI Wait, table lookups?I In each lookup load all 8 relevant entries from the table, use
arithmetic to obtain the desired oneI Signing takes 87548 cycles on an Intel Westmere CPUI Key generation takes about 6000 cycles more (read from
/dev/urandom)
EdDSA signatures and Ed25519 19
![Page 61: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/61.jpg)
Fast signing
I Main computational task: Compute R = rB
I First compute r mod `, write it as r0 + 16r1 + · · ·+ 1663r63, with
ri ∈ {−8,−7,−6,−5,−4,−3,−2,−1, 0, 1, 2, 3, 4, 5, 6, 7}
I Precompute 16i|ri|B for i = 0, . . . , 63 and |ri| ∈ {1, . . . , 8}, in alookup table at compile time
I Compute R =∑63
i=0 16iriB
I 64 table lookups, 64 conditional point negations, 63 point additionsI Wait, table lookups?I In each lookup load all 8 relevant entries from the table, use
arithmetic to obtain the desired oneI Signing takes 87548 cycles on an Intel Westmere CPUI Key generation takes about 6000 cycles more (read from
/dev/urandom)
EdDSA signatures and Ed25519 19
![Page 62: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/62.jpg)
Fast signing
I Main computational task: Compute R = rB
I First compute r mod `, write it as r0 + 16r1 + · · ·+ 1663r63, with
ri ∈ {−8,−7,−6,−5,−4,−3,−2,−1, 0, 1, 2, 3, 4, 5, 6, 7}
I Precompute 16i|ri|B for i = 0, . . . , 63 and |ri| ∈ {1, . . . , 8}, in alookup table at compile time
I Compute R =∑63
i=0 16iriB
I 64 table lookups, 64 conditional point negations, 63 point additionsI Wait, table lookups?I In each lookup load all 8 relevant entries from the table, use
arithmetic to obtain the desired oneI Signing takes 87548 cycles on an Intel Westmere CPUI Key generation takes about 6000 cycles more (read from
/dev/urandom)
EdDSA signatures and Ed25519 19
![Page 63: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/63.jpg)
Fast signing
I Main computational task: Compute R = rB
I First compute r mod `, write it as r0 + 16r1 + · · ·+ 1663r63, with
ri ∈ {−8,−7,−6,−5,−4,−3,−2,−1, 0, 1, 2, 3, 4, 5, 6, 7}
I Precompute 16i|ri|B for i = 0, . . . , 63 and |ri| ∈ {1, . . . , 8}, in alookup table at compile time
I Compute R =∑63
i=0 16iriB
I 64 table lookups, 64 conditional point negations, 63 point additions
I Wait, table lookups?I In each lookup load all 8 relevant entries from the table, use
arithmetic to obtain the desired oneI Signing takes 87548 cycles on an Intel Westmere CPUI Key generation takes about 6000 cycles more (read from
/dev/urandom)
EdDSA signatures and Ed25519 19
![Page 64: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/64.jpg)
Fast signing
I Main computational task: Compute R = rB
I First compute r mod `, write it as r0 + 16r1 + · · ·+ 1663r63, with
ri ∈ {−8,−7,−6,−5,−4,−3,−2,−1, 0, 1, 2, 3, 4, 5, 6, 7}
I Precompute 16i|ri|B for i = 0, . . . , 63 and |ri| ∈ {1, . . . , 8}, in alookup table at compile time
I Compute R =∑63
i=0 16iriB
I 64 table lookups, 64 conditional point negations, 63 point additionsI Wait, table lookups?
I In each lookup load all 8 relevant entries from the table, usearithmetic to obtain the desired one
I Signing takes 87548 cycles on an Intel Westmere CPUI Key generation takes about 6000 cycles more (read from
/dev/urandom)
EdDSA signatures and Ed25519 19
![Page 65: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/65.jpg)
Fast signing
I Main computational task: Compute R = rB
I First compute r mod `, write it as r0 + 16r1 + · · ·+ 1663r63, with
ri ∈ {−8,−7,−6,−5,−4,−3,−2,−1, 0, 1, 2, 3, 4, 5, 6, 7}
I Precompute 16i|ri|B for i = 0, . . . , 63 and |ri| ∈ {1, . . . , 8}, in alookup table at compile time
I Compute R =∑63
i=0 16iriB
I 64 table lookups, 64 conditional point negations, 63 point additionsI Wait, table lookups?I In each lookup load all 8 relevant entries from the table, use
arithmetic to obtain the desired one
I Signing takes 87548 cycles on an Intel Westmere CPUI Key generation takes about 6000 cycles more (read from
/dev/urandom)
EdDSA signatures and Ed25519 19
![Page 66: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/66.jpg)
Fast signing
I Main computational task: Compute R = rB
I First compute r mod `, write it as r0 + 16r1 + · · ·+ 1663r63, with
ri ∈ {−8,−7,−6,−5,−4,−3,−2,−1, 0, 1, 2, 3, 4, 5, 6, 7}
I Precompute 16i|ri|B for i = 0, . . . , 63 and |ri| ∈ {1, . . . , 8}, in alookup table at compile time
I Compute R =∑63
i=0 16iriB
I 64 table lookups, 64 conditional point negations, 63 point additionsI Wait, table lookups?I In each lookup load all 8 relevant entries from the table, use
arithmetic to obtain the desired oneI Signing takes 87548 cycles on an Intel Westmere CPUI Key generation takes about 6000 cycles more (read from
/dev/urandom)
EdDSA signatures and Ed25519 19
![Page 67: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/67.jpg)
Fast verificationI First part: point decompression, compute x coordinate xR of R as
xR = ±√(y2R − 1)/(dy2R + 1)
I Looks like a square root and an inversion is required
I As q ≡ 5 (mod 8) for each square α we have α2 = β4, withβ = α(q+3)/8
I Standard: Compute β, conditionally multiply by√−1 if β2 = −α
I Decompression has α = u/v, merge square root with inversion:
β = (u/v)(q+3)/8
= u(q+3)/8vq−1−(q+3)/8
= u(q+3)/8v(7q−11)/8 = uv3(uv7)(q−5)/8.
I Second part: computation of SB −H(R,A,M)A
I Double-scalar multiplication using signed sliding windowsI Different window sizes for B (compile time) and A (run time)I Verification takes 273364 cycles
EdDSA signatures and Ed25519 20
![Page 68: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/68.jpg)
Fast verificationI First part: point decompression, compute x coordinate xR of R as
xR = ±√(y2R − 1)/(dy2R + 1)
I Looks like a square root and an inversion is requiredI As q ≡ 5 (mod 8) for each square α we have α2 = β4, withβ = α(q+3)/8
I Standard: Compute β, conditionally multiply by√−1 if β2 = −α
I Decompression has α = u/v, merge square root with inversion:
β = (u/v)(q+3)/8
= u(q+3)/8vq−1−(q+3)/8
= u(q+3)/8v(7q−11)/8 = uv3(uv7)(q−5)/8.
I Second part: computation of SB −H(R,A,M)A
I Double-scalar multiplication using signed sliding windowsI Different window sizes for B (compile time) and A (run time)I Verification takes 273364 cycles
EdDSA signatures and Ed25519 20
![Page 69: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/69.jpg)
Fast verificationI First part: point decompression, compute x coordinate xR of R as
xR = ±√(y2R − 1)/(dy2R + 1)
I Looks like a square root and an inversion is requiredI As q ≡ 5 (mod 8) for each square α we have α2 = β4, withβ = α(q+3)/8
I Standard: Compute β, conditionally multiply by√−1 if β2 = −α
I Decompression has α = u/v, merge square root with inversion:
β = (u/v)(q+3)/8
= u(q+3)/8vq−1−(q+3)/8
= u(q+3)/8v(7q−11)/8 = uv3(uv7)(q−5)/8.
I Second part: computation of SB −H(R,A,M)A
I Double-scalar multiplication using signed sliding windowsI Different window sizes for B (compile time) and A (run time)I Verification takes 273364 cycles
EdDSA signatures and Ed25519 20
![Page 70: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/70.jpg)
Fast verificationI First part: point decompression, compute x coordinate xR of R as
xR = ±√(y2R − 1)/(dy2R + 1)
I Looks like a square root and an inversion is requiredI As q ≡ 5 (mod 8) for each square α we have α2 = β4, withβ = α(q+3)/8
I Standard: Compute β, conditionally multiply by√−1 if β2 = −α
I Decompression has α = u/v, merge square root with inversion:
β = (u/v)(q+3)/8 = u(q+3)/8vq−1−(q+3)/8
= u(q+3)/8v(7q−11)/8 = uv3(uv7)(q−5)/8.
I Second part: computation of SB −H(R,A,M)A
I Double-scalar multiplication using signed sliding windowsI Different window sizes for B (compile time) and A (run time)I Verification takes 273364 cycles
EdDSA signatures and Ed25519 20
![Page 71: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/71.jpg)
Fast verificationI First part: point decompression, compute x coordinate xR of R as
xR = ±√(y2R − 1)/(dy2R + 1)
I Looks like a square root and an inversion is requiredI As q ≡ 5 (mod 8) for each square α we have α2 = β4, withβ = α(q+3)/8
I Standard: Compute β, conditionally multiply by√−1 if β2 = −α
I Decompression has α = u/v, merge square root with inversion:
β = (u/v)(q+3)/8 = u(q+3)/8vq−1−(q+3)/8
= u(q+3)/8v(7q−11)/8 = uv3(uv7)(q−5)/8.
I Second part: computation of SB −H(R,A,M)A
I Double-scalar multiplication using signed sliding windowsI Different window sizes for B (compile time) and A (run time)
I Verification takes 273364 cycles
EdDSA signatures and Ed25519 20
![Page 72: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/72.jpg)
Fast verificationI First part: point decompression, compute x coordinate xR of R as
xR = ±√(y2R − 1)/(dy2R + 1)
I Looks like a square root and an inversion is requiredI As q ≡ 5 (mod 8) for each square α we have α2 = β4, withβ = α(q+3)/8
I Standard: Compute β, conditionally multiply by√−1 if β2 = −α
I Decompression has α = u/v, merge square root with inversion:
β = (u/v)(q+3)/8 = u(q+3)/8vq−1−(q+3)/8
= u(q+3)/8v(7q−11)/8 = uv3(uv7)(q−5)/8.
I Second part: computation of SB −H(R,A,M)A
I Double-scalar multiplication using signed sliding windowsI Different window sizes for B (compile time) and A (run time)I Verification takes 273364 cycles
EdDSA signatures and Ed25519 20
![Page 73: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/73.jpg)
Faster batch verification
I Verify a batch of (Mi, Ai, Ri, Si), where (Ri, Si) is the allegedsignature of Mi under key Ai
I Choose independent uniform random 128-bit integers ziI Compute Hi = H(Ri, Ai,Mi)
I Verify the equation(−∑i
ziSi mod `
)B +
∑i
ziRi +∑i
(ziHi mod `)Ai = 0
I Use Bos-Coster algorithm for multi-scalar multiplicationI Verifying a batch of 64 valid signatures takes 8.55 million cycles
(i.e., < 134000 cycles/signature)
EdDSA signatures and Ed25519 21
![Page 74: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/74.jpg)
Faster batch verification
I Verify a batch of (Mi, Ai, Ri, Si), where (Ri, Si) is the allegedsignature of Mi under key Ai
I Choose independent uniform random 128-bit integers ziI Compute Hi = H(Ri, Ai,Mi)
I Verify the equation(−∑i
ziSi mod `
)B +
∑i
ziRi +∑i
(ziHi mod `)Ai = 0
I Use Bos-Coster algorithm for multi-scalar multiplicationI Verifying a batch of 64 valid signatures takes 8.55 million cycles
(i.e., < 134000 cycles/signature)
EdDSA signatures and Ed25519 21
![Page 75: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/75.jpg)
Faster batch verification
I Verify a batch of (Mi, Ai, Ri, Si), where (Ri, Si) is the allegedsignature of Mi under key Ai
I Choose independent uniform random 128-bit integers ziI Compute Hi = H(Ri, Ai,Mi)
I Verify the equation(−∑i
ziSi mod `
)B +
∑i
ziRi +∑i
(ziHi mod `)Ai = 0
I Use Bos-Coster algorithm for multi-scalar multiplicationI Verifying a batch of 64 valid signatures takes 8.55 million cycles
(i.e., < 134000 cycles/signature)
EdDSA signatures and Ed25519 21
![Page 76: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/76.jpg)
Faster batch verification
I Verify a batch of (Mi, Ai, Ri, Si), where (Ri, Si) is the allegedsignature of Mi under key Ai
I Choose independent uniform random 128-bit integers ziI Compute Hi = H(Ri, Ai,Mi)
I Verify the equation(−∑i
ziSi mod `
)B +
∑i
ziRi +∑i
(ziHi mod `)Ai = 0
I Use Bos-Coster algorithm for multi-scalar multiplication
I Verifying a batch of 64 valid signatures takes 8.55 million cycles(i.e., < 134000 cycles/signature)
EdDSA signatures and Ed25519 21
![Page 77: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/77.jpg)
Faster batch verification
I Verify a batch of (Mi, Ai, Ri, Si), where (Ri, Si) is the allegedsignature of Mi under key Ai
I Choose independent uniform random 128-bit integers ziI Compute Hi = H(Ri, Ai,Mi)
I Verify the equation(−∑i
ziSi mod `
)B +
∑i
ziRi +∑i
(ziHi mod `)Ai = 0
I Use Bos-Coster algorithm for multi-scalar multiplicationI Verifying a batch of 64 valid signatures takes 8.55 million cycles
(i.e., < 134000 cycles/signature)
EdDSA signatures and Ed25519 21
![Page 78: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/78.jpg)
The Bos-Coster algorithm
I Computation of Q =∑n
1 siPi
I Idea: Assume s1 > s2 > · · · > sn. Recursively computeQ = (s1 − s2)P1 + s2(P1 + P2) + s3P3 · · ·+ snPn
I Each step requires the two largest scalars, one scalar subtraction andone point addition
I Each step “eliminates” expected log n scalar bitsI Requires fast access to the two largest scalars: put scalars into a
heapI Crucial for good performance: fast heap implementationI Further optimization: Start with heap without the zi until largest
scalar has ≤ 128 bitsI Then: extend heap with the zi
EdDSA signatures and Ed25519 22
![Page 79: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/79.jpg)
The Bos-Coster algorithm
II Computation of Q =∑n
1 siPi
I Idea: Assume s1 > s2 > · · · > sn. Recursively computeQ = (s1 − s2)P1 + s2(P1 + P2) + s3P3 · · ·+ snPn
I Each step requires the two largest scalars, one scalar subtraction andone point addition
I Each step “eliminates” expected log n scalar bits
I Requires fast access to the two largest scalars: put scalars into aheap
I Crucial for good performance: fast heap implementationI Further optimization: Start with heap without the zi until largest
scalar has ≤ 128 bitsI Then: extend heap with the zi
EdDSA signatures and Ed25519 22
![Page 80: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/80.jpg)
The Bos-Coster algorithm
II Computation of Q =∑n
1 siPi
I Idea: Assume s1 > s2 > · · · > sn. Recursively computeQ = (s1 − s2)P1 + s2(P1 + P2) + s3P3 · · ·+ snPn
I Each step requires the two largest scalars, one scalar subtraction andone point addition
I Each step “eliminates” expected log n scalar bitsI Requires fast access to the two largest scalars: put scalars into a
heapI Crucial for good performance: fast heap implementation
I Further optimization: Start with heap without the zi until largestscalar has ≤ 128 bits
I Then: extend heap with the zi
EdDSA signatures and Ed25519 22
![Page 81: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/81.jpg)
A fast heap
II Heap is a binary tree, each parent node is larger than the two childnodes
I Data structure is stored as a simple array, positions in the arraydetermine positions in the tree
I Root is at position 0, left child node at position 1, right child nodeat position 2 etc.
I For node at position i, child nodes are at position 2 · i+ 1 and2 · i+ 2, parent node is at position b(i− 1)/2c
I Typical heap root replacement (pop operation): start at the root,swap down for a variable amount of times
I Floyd’s heap: swap down to the bottom, swap up for a variableamount of times, advantages:
I Each swap-down step needs only one comparison (instead of two)I Swap-down loop is more friendly to branch predictors
EdDSA signatures and Ed25519 23
![Page 82: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/82.jpg)
A fast heap
I Heap is a binary tree, each parent node is larger than the two childnodes
I Data structure is stored as a simple array, positions in the arraydetermine positions in the tree
I Root is at position 0, left child node at position 1, right child nodeat position 2 etc.
I For node at position i, child nodes are at position 2 · i+ 1 and2 · i+ 2, parent node is at position b(i− 1)/2c
I Typical heap root replacement (pop operation): start at the root,swap down for a variable amount of times
I Floyd’s heap: swap down to the bottom, swap up for a variableamount of times, advantages:
I Each swap-down step needs only one comparison (instead of two)I Swap-down loop is more friendly to branch predictors
EdDSA signatures and Ed25519 23
![Page 83: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/83.jpg)
A fast heap
I Heap is a binary tree, each parent node is larger than the two childnodes
I Data structure is stored as a simple array, positions in the arraydetermine positions in the tree
I Root is at position 0, left child node at position 1, right child nodeat position 2 etc.
I For node at position i, child nodes are at position 2 · i+ 1 and2 · i+ 2, parent node is at position b(i− 1)/2c
I Typical heap root replacement (pop operation): start at the root,swap down for a variable amount of times
I Floyd’s heap: swap down to the bottom, swap up for a variableamount of times, advantages:
I Each swap-down step needs only one comparison (instead of two)I Swap-down loop is more friendly to branch predictors
EdDSA signatures and Ed25519 23
![Page 84: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/84.jpg)
The Bos-Coster algorithm
I Computation of Q =∑n
1 siPi
I Idea: Assume s1 > s2 > · · · > sn. Recursively computeQ = (s1 − s2)P1 + s2(P1 + P2) + s3P3 · · ·+ snPn
I Each step requires the two largest scalars, one scalar subtraction andone point addition
I Each step “eliminates” expected log n scalar bitsI Requires fast access to the two largest scalars: put scalars into a
heapI Crucial for good performance: fast heap implementation
I Further optimization: Start with heap without the zi until largestscalar has ≤ 128 bits
I Then: extend heap with the ziI Optimize the heap on the assembly level
EdDSA signatures and Ed25519 24
![Page 85: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/85.jpg)
The Bos-Coster algorithm
I Computation of Q =∑n
1 siPi
I Idea: Assume s1 > s2 > · · · > sn. Recursively computeQ = (s1 − s2)P1 + s2(P1 + P2) + s3P3 · · ·+ snPn
I Each step requires the two largest scalars, one scalar subtraction andone point addition
I Each step “eliminates” expected log n scalar bitsI Requires fast access to the two largest scalars: put scalars into a
heapI Crucial for good performance: fast heap implementationI Further optimization: Start with heap without the zi until largest
scalar has ≤ 128 bitsI Then: extend heap with the zi
I Optimize the heap on the assembly level
EdDSA signatures and Ed25519 24
![Page 86: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/86.jpg)
The Bos-Coster algorithm
I Computation of Q =∑n
1 siPi
I Idea: Assume s1 > s2 > · · · > sn. Recursively computeQ = (s1 − s2)P1 + s2(P1 + P2) + s3P3 · · ·+ snPn
I Each step requires the two largest scalars, one scalar subtraction andone point addition
I Each step “eliminates” expected log n scalar bitsI Requires fast access to the two largest scalars: put scalars into a
heapI Crucial for good performance: fast heap implementationI Further optimization: Start with heap without the zi until largest
scalar has ≤ 128 bitsI Then: extend heap with the ziI Optimize the heap on the assembly level
EdDSA signatures and Ed25519 24
![Page 87: EdDSAsignaturesandEd25519 - · PDF fileEdDSAsignaturesandEd25519 PeterSchwabe JointworkwithDanielJ.Bernstein,NielsDuif, ... I Manymorevariants(DSA,ECDSA,KCDSA,:::) I UsesfinitegroupG=](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a860add7f8b9afc5d8ccfb2/html5/thumbnails/87.jpg)
Results
I New fast and secure signature schemeI (Slow) C and Python reference implementationsI Fast AMD64 assembly implementationsI Also new speed records for Curve25519 ECDHI All software in the public domain and included in eBATSI All reported benchmarks (except batch verification) are eBATS
benchmarksI All reported benchmarks had TurboBoost switched offI Software to be included in the NaCl library
http://ed25519.cr.yp.to/http://nacl.cr.yp.to/
EdDSA signatures and Ed25519 25