A Survey of Cryptographic Libraries Supporting Elliptic
Curve Cryptography
Month/2005
David Reis Jr., Nelson Uto
Agenda
Brief introduction to ECC.
Description of the libraries.
Performance comparison.
Conclusions.
Elliptic curve equation
$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, with $a_1, a_2, a_3, a_4, a_6 \in K$ and $\Delta \neq 0$, where
$\Delta = -d_2^2 d_8 - 8 d_4^3 - 27 d_6^2 + 9 d_2 d_4 d_6$
$d_2 = a_1^2 + 4 a_2$
$d_4 = 2 a_4 + a_1 a_3$
$d_6 = a_3^2 + 4 a_6$
$d_8 = a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2$
Elliptic curve over R – Example 1
$y^2 = x^3 - x + 1$
planetmath.org
Elliptic curve over R – Example 2
$y^2 = x^3 - x$
planetmath.org
Chord-and-tangent rule
(a) Addition: R = P + Q. (b) Doubling: R = P + P.
Extracted from Hankerson's presentation.
Elliptic curve over finite field
Point multiplication
Also known as scalar multiplication. Given an integer k and a point P on an elliptic curve E, compute R = kP:
$kP = \underbrace{P + P + \cdots + P}_{k \text{ times}}$
Point multiplication dominates the execution time of elliptic curve cryptographic schemes.
For a fixed point, precomputed data can be exploited to accelerate the scalar multiplication.
ECDLP
Given an elliptic curve E defined over a finite field $\mathbb{F}_q$, a point $P \in E(\mathbb{F}_q)$ of order n, and a point $Q \in \langle P \rangle$, find an integer $l \in [0, n-1]$ such that $Q = lP$.
It is a harder problem than integer factorization and the discrete logarithm problem.
Key pair generation
Input: Domain parameters D = (q, FR, S, a, b, P, n, h).
Output: Public key Q, private key d.
1. Select $d \in_R [1, n-1]$.
2. Compute Q = dP.
3. Return (Q, d).
ECDSA – Signature generation
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), private key d, message m.
Output: Signature (r, s).
1. Select $k \in_R [1, n-1]$.
2. Compute $kP = (x_1, y_1)$ and convert $x_1$ to an integer $\bar{x}_1$.
3. Compute $r = \bar{x}_1 \bmod n$. If r = 0 then go to step 1.
4. Compute e = H(m).
5. Compute $s = k^{-1}(e + dr) \bmod n$. If s = 0 then go to step 1.
6. Return (r, s).
ECDSA – Signature verification
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), public key Q, message m, signature (r, s).
Output: Acceptance or rejection of the signature.
1. Verify that r and s are integers in the interval [1, n-1]. If any verification fails then return ("Reject the signature").
2. Compute e = H(m).
3. Compute $w = s^{-1} \bmod n$.
4. Compute $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.
5. Compute $X = u_1 P + u_2 Q$.
6. If $X = \infty$ then return ("Reject the signature").
7. Convert the x-coordinate $x_1$ of X to an integer $\bar{x}_1$; compute $v = \bar{x}_1 \bmod n$.
8. If v = r then return ("Accept the signature"); else return ("Reject the signature").
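The key pair generation, signature generation and signature verification procedures from the preceding slides, together with the chord-and-tangent point arithmetic and double-and-add point multiplication described earlier, worked as an added example (not code from the talk or from any of the surveyed libraries). It assumes a constructed textbook curve, y² = x³ + 2x + 2 over F_17 with base point G = (5, 1) of prime order n = 19, small enough that every step can be checked by hand; e = H(m) uses SHA-1 reduced into Z_n.

```python
# Added toy example (not from the talk): the ECDSA steps of the slides on the
# constructed curve y^2 = x^3 + 2x + 2 over F_17, G = (5, 1) of prime order 19.
import hashlib, secrets
p, a = 17, 2                    # curve y^2 = x^3 + a*x + 2 over F_p
G, n = (5, 1), 19               # base point and its order; infinity is None

def add(P, Q):                  # chord-and-tangent rule: R = P + Q
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None             # P + (-P) = infinity
    if P == Q:                  # tangent slope (doubling)
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)
    else:                       # chord slope (addition)
        lam = (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):                  # kP by left-to-right double-and-add
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def keygen():                   # Q = dP for random d in [1, n-1]
    d = secrets.randbelow(n - 1) + 1
    return mul(d, G), d

def digest(m):                  # e = H(m), reduced into Z_n
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % n

def sign(d, e, k=None):         # k is fixed only for reproducible tests
    while True:
        k = k or secrets.randbelow(n - 1) + 1
        r = mul(k, G)[0] % n
        s = pow(k, -1, n) * (e + d * r) % n
        if r and s:
            return r, s
        k = None                # r or s was 0: retry with a fresh nonce

def verify(Q, e, sig):
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    w = pow(s, -1, n)
    X = add(mul(e * w % n, G), mul(r * w % n, Q))   # u1*P + u2*Q
    return X is not None and X[0] % n == r
```

With d = 7 (so Q = 7G = (0, 6)), e = 5 and k = 3 the signature is (10, 6); changing e to 6 makes u1·P + u2·Q land on the point at infinity, which is exactly the case step 6 of the verification rejects.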
borZoi
Developed by Dragongate Technologies. GNU GPL. Written in C++. It supports ECDSA, ECIES, and ECDH. Built-in domain parameters for NIST's binary curves. Compiled correctly on xScale and x86. To improve performance, it can be compiled against NTL, but an error was found with release 5.3.1: timings looked completely random, without any reasonable explanation.
Crypto++
It is a C++ library. It supports ECDSA, ECDH, and ECIES, over both binary and prime curves. The library comes with domain parameters defined by NIST and SECG. Crypto++ is trying to receive NIST's certification of ECDSA. Great support for manipulating data. Precomputation is supported. The cause of compilation errors is hard to determine. The execution time is odd for binary curves which use a pentanomial as the irreducible polynomial.
LibTomCrypt
Developed by Tom St Denis. It is open source. Written in ISO C. Supports ECDSA and ECDH. It supports only curves defined over prime fields. Built-in domain parameters for NIST's prime curves. Nice interface and documentation. It correctly compiled on xScale and x86.
LiDIA
Developed by the LiDIA group at Technische Universität Darmstadt. Free for non-commercial use. It is a C++ library. It compiled correctly on Pentium 4 and xScale. Requires a multi-precision integer arithmetic module; the packages supported are libI, GMP, and cln. It supports curves defined over binary and prime fields. Points can be represented in either affine or projective coordinates. Nice documentation. No support for precomputation.
MIRACL
Developed by Shamus Software Ltd. Free for non-profit purposes. It is a C library, but wrappers for C++ are provided. ECDSA and ECDH are provided as examples. It supports curves defined over prime and binary fields. The fastest library available. Precomputation is supported. Critical routines are written in assembly for optimal performance. Special optimizations for curves over prime fields. The API is not very intuitive.
OpenSSL
BSD-like license. Open source. Written in C. Supports ECDSA and ECDH. Domain parameters for almost all of the curves defined by NIST, SECG, and ANSI. Some routines are written in assembly. Supports point precomputation. It was easily compiled on P4, but a patch was required to compile it on xScale. Poor documentation.
Bouncy Castle
Developed by the Legion of the Bouncy Castle. It is a Java library. There is no support for the JCA/JCE ECC classes. Supports ECDSA, ECDH, and ECIES. Only supports curves defined over prime fields, although the documentation refers to binary curves as well. There are built-in domain parameters for the prime curves defined in X9.62. Precomputation is not supported. Documentation is poor.
FlexiProvider
Developed by the Cryptography and Computer Algebra group at the Technische Universität Darmstadt. It is a Java library. Does not support the JCA/JCE ECC classes. Licensed under LGPL (CoreProvider) and GPL (EC and NF providers). Supports ECDSA, ECNR, ECIES, and ECDH. Supports curves defined over binary and prime fields. There are built-in domain parameters for the prime curves of X9.62 and SEC 2 and for the binary curves of X9.62. The parameters for SEC 2 binary curves do not work. No support for precomputation.
IAIK
Developed by the SIC group at the Graz University of Technology. It is a Java library. Does not support the JCA/JCE ECC classes. It is available under educational, commercial, or open source licenses. It supports ECDSA and ECDH. It can handle curves defined over binary and prime fields. Built-in domain parameters for some of NIST's curves and all of the X9.62 curves. Precomputation is available for prime curves. The API is not uniform in some cases.
Benchmarking
Platforms:
o P4 2.80GHz, 512MB RAM, Linux kernel 2.4.20.8, gcc 3.2.2, g++ 3.2.2, javac 1.5.0_04, Java HotSpot Client VM build 1.5.0_04-b05.
o PXA27x 520MHz, 64MB RAM, Linux kernel 2.6.11.8, arm-linux-gcc 3.4.3, arm-linux-g++ 3.4.3.
Methodology:
o Messages of fixed size (1 SHA-1 block).
o One key pair for each iteration.
o Signature generation (with and without precomputation) and signature verification.
o Five rounds of timings.
o 100 iterations for xScale and 1000 for P4.
P4 timings
xScale timings
Issues benchmarking Java applications
Java HotSpot virtual machines improve the speed of Java applications by compiling and inlining methods on the fly. Performance therefore depends on what has already been optimized. How can one measure performance in such a scenario?
Java timings on P4
Conclusions
MIRACL is the fastest library available. OpenSSL is an interesting alternative to MIRACL, although about 50% slower. On the P4 it is possible to use either a C or a Java library. The C libraries MIRACL and OpenSSL can be used on xScale as well. IAIK can probably be used on xScale for elliptic curves defined over prime fields (even at the highest security levels).
Questions?
Nelson Uto ([email protected]): +55 (19) 3705.4992
CPqD – Centro de Pesquisa e Desenvolvimento em Telecomunicações
Rod. Campinas–Mogi-Mirim, km 118,5 – SP340
13086-902 – Campinas – SP, BRASIL
www.cpqd.com.br
CPqD Technologies & Systems, Inc.
101 NE Third Ave – Suite 1500
Fort Lauderdale, FL 33301, USA
www.cpqdusa.com