Page 1

A Survey of Cryptographic Libraries Supporting Elliptic Curve Cryptography

Month/2005

David Reis Jr., Nelson Uto

Page 2

Agenda

Brief introduction to ECC.

Description of the libraries.

Performance comparison.

Conclusions.

Page 3

Elliptic curve equation

$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

with $a_1, a_2, a_3, a_4, a_6 \in K$ and $\Delta \neq 0$, where

$$\Delta = -d_2^2 d_8 - 8 d_4^3 - 27 d_6^2 + 9 d_2 d_4 d_6$$

$$d_2 = a_1^2 + 4 a_2$$

$$d_4 = 2 a_4 + a_1 a_3$$

$$d_6 = a_3^2 + 4 a_6$$

$$d_8 = a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2$$

Page 4

Elliptic curve over R – Example 1

$y^2 = x^3 - x + 1$

planetmath.org

Page 5

Elliptic curve over R – Example 2

$y^2 = x^3 - x$

planetmath.org

Page 6

Chord-and-tangent rule

(a) Addition: R = P + Q. (b) Doubling: R = P + P.

Extracted from Hankerson's presentation.

Page 7

Elliptic curve over finite field

Page 8

Point multiplication

Also known as scalar multiplication. Given an integer $k$ and a point $P$ on an elliptic curve $E$, compute $R = kP$, where

$$kP = \underbrace{P + P + \cdots + P}_{k \text{ times}}$$

Point multiplication dominates the execution time of elliptic curve cryptographic schemes.

For a fixed point, precomputed data (multiples of the point) can be used to accelerate the scalar multiplication.

Page 9

ECDLP

Given an elliptic curve $E$ defined over a finite field $\mathbb{F}_q$, a point $P \in E(\mathbb{F}_q)$ of order $n$, and a point $Q \in \langle P \rangle$, find an integer $l \in [0, n-1]$ such that $Q = lP$.

A harder problem than integer factorization and the discrete logarithm problem in finite fields.

Page 10

Key pair generation

Input: Domain parameters $D = (q, FR, S, a, b, P, n, h)$. Output: Public key $Q$, private key $d$.

1. Select $d \in_R [1, n-1]$.
2. Compute $Q = dP$.
3. Return $(Q, d)$.

Page 11

ECDSA – Signature generation

Input: Domain parameters $D = (q, FR, S, a, b, P, n, h)$, private key $d$, message $m$.

Output: Signature $(r, s)$.

1. Select $k \in_R [1, n-1]$.
2. Compute $kP = (x_1, y_1)$ and convert $x_1$ to an integer $\bar{x}_1$.
3. Compute $r = \bar{x}_1 \bmod n$. If $r = 0$ then go to step 1.
4. Compute $e = H(m)$.
5. Compute $s = k^{-1}(e + dr) \bmod n$. If $s = 0$ then go to step 1.
6. Return $(r, s)$.

Page 12

ECDSA – Signature verification

Input: Domain parameters $D = (q, FR, S, a, b, P, n, h)$, public key $Q$, message $m$, signature $(r, s)$.

Output: Acceptance or rejection of the signature.

1. Verify that $r$ and $s$ are integers in the interval $[1, n-1]$. If any verification fails then return ("Reject the signature").
2. Compute $e = H(m)$.
3. Compute $w = s^{-1} \bmod n$.
4. Compute $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.
5. Compute $X = u_1 P + u_2 Q$.
6. If $X = \infty$ then return ("Reject the signature").
7. Convert the x-coordinate $x_1$ of $X$ to an integer $\bar{x}_1$; compute $v = \bar{x}_1 \bmod n$.
8. If $v = r$ then return ("Accept the signature"); else return ("Reject the signature").
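As an added worked example (not code from the slides or from any of the surveyed libraries), the key-generation, signing and verification steps of slides 10 to 12 carried out over a constructed toy curve: $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $P = (5, 1)$ of order $n = 19$, SHA-1 standing in for $H$ and reduced mod $n$ so it fits the tiny group. The curve, the toy hash and the tiny parameters are assumptions for illustration only; they show the algebra, not a usable key size.

```python
import hashlib
import secrets
# Constructed toy domain parameters (q = 17, a = 2, b = 2, P, n = 19, h = 1):
# y^2 = x^3 + 2x + 2 over F_17 has exactly 19 points, so P generates the group.
p, a, b = 17, 2, 2
P, n = (5, 1), 19
INF = None  # the point at infinity

def add(A, B):  # chord-and-tangent rule in affine coordinates (slide 6)
    if A is INF or B is INF:
        return B if A is INF else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # B = -A; also covers doubling a point with y = 0
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):  # scalar multiplication kA by double-and-add (slide 8)
    R = INF
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R
def H(m):  # SHA-1 as an integer; reducing mod n is harmless, e is only used mod n
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % n
def keygen(rand=secrets.randbelow):
    d = 1 + rand(n - 1)  # private key d chosen at random in [1, n-1]
    return mul(d, P), d  # public key Q = dP

def sign(d, m, rand=secrets.randbelow):
    e = H(m)
    while True:  # retry when r = 0 or s = 0, as steps 3 and 5 require
        k = 1 + rand(n - 1)
        r = mul(k, P)[0] % n
        s = pow(k, -1, n) * (e + d * r) % n
        if r and s:
            return (r, s)

def verify(Q, m, sig):
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):  # step 1: range check
        return False
    w = pow(s, -1, n)
    X = add(mul(H(m) * w % n, P), mul(r * w % n, Q))  # u1*P + u2*Q
    return X is not INF and X[0] % n == r  # step 6 rejects X = infinity
```

The `rand` parameter exists only so the random choices can be fixed when stepping through the algebra by hand; the default draws from `secrets`.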

Page 13

borZoi

Developed by Dragongate Technologies. GNU GPL. Written in C++. It supports ECDSA, ECIES, and ECDH. Built-in domain parameters for NIST's binary curves. Correctly compiled on xScale and x86. To improve performance, it can be compiled with NTL, but an error was found with release 5.3.1: timings looked completely random, without any reasonable explanation.

Page 14

Crypto++

It is a C++ library. It supports ECDSA, ECDH, and ECIES, over both binary and prime curves. The library comes with the domain parameters defined by NIST and SECG. Crypto++ is trying to obtain NIST certification of its ECDSA. Great support for manipulating data. Precomputation is supported. The cause of compilation errors is hard to determine. The execution time is odd for binary curves that use a pentanomial as the irreducible polynomial.

Page 15

LibTomCrypt

Developed by Tom St Denis. It is open source. Written in ISO C. Supports ECDSA and ECDH. It supports only curves defined over prime fields. Built-in domain parameters for NIST's prime curves. Nice interface and documentation. It correctly compiled on xScale and x86.

Page 16

LiDIA

Developed by the LiDIA group at Technische Universität Darmstadt. Free for non-commercial use. It is a C++ library. It compiled correctly on Pentium 4 and xScale. Requires a multi-precision integer arithmetic module; the supported packages are libI, GMP, and cln. It supports curves defined over binary and prime fields. Points can be represented in either affine or projective coordinates. Nice documentation. No support for precomputation.

Page 17

MIRACL

Developed by Shamus Software Ltd. Free for non-profit purposes. It is a C library, but C++ wrappers are provided. ECDSA and ECDH are provided as examples. It supports curves defined over prime and binary fields. The fastest library available. Precomputation is supported. Critical routines are written in assembly for optimal performance, with special optimizations for curves over prime fields. The API is not very intuitive.

Page 18

OpenSSL

BSD-like license. Open source. Written in C. Supports ECDSA and ECDH. Domain parameters for almost all of the curves defined by NIST, SECG, and ANSI. Some routines are written in assembly. Supports point precomputation. It was easily compiled on P4, but a patch was required to compile it on xScale. Poor documentation.

Page 19

Bouncy Castle

Developed by the Legion of the Bouncy Castle. It is a Java library. There is no support for the JCA/JCE ECC classes. Supports ECDSA, ECDH, and ECIES. Only supports curves defined over prime fields, although the documentation refers to binary curves as well. There are built-in domain parameters for the prime curves defined in X9.62. Precomputation is not supported. Documentation is poor.

Page 20

FlexiProvider

Developed by the Cryptography and Computer Algebra group at the Technische Universität Darmstadt. It is a Java library. Does not support the JCA/JCE ECC classes. Licensed under the LGPL (CoreProvider) and the GPL (EC and NF providers). Supports ECDSA, ECNR, ECIES, and ECDH. Supports curves defined over binary and prime fields. There are built-in domain parameters for the prime curves of X9.62 and SEC 2 and for the binary curves of X9.62. The parameters for the SEC 2 binary curves do not work. No support for precomputation.

Page 21

IAIK

Developed by the SIC group at the Graz University of Technology. It is a Java library. Does not support the JCA/JCE ECC classes. It is available under educational, commercial, or open source licenses. It supports ECDSA and ECDH. It can handle curves defined over binary and prime fields. Built-in domain parameters for some of NIST's curves and all of the X9.62 curves. Precomputation is available for prime curves. The API is not uniform in some cases.

Page 22

Benchmarking

Platforms:
o P4 2.80GHz, 512MB RAM, Linux kernel 2.4.20.8, gcc 3.2.2, g++ 3.2.2, javac 1.5.0_04, Java HotSpot Client VM build 1.5.0_04-b05.
o PXA27x 520MHz, 64MB RAM, Linux kernel 2.6.11.8, arm-linux-gcc 3.4.3, arm-linux-g++ 3.4.3.

Methodology:
o Messages of fixed size (1 SHA-1 block).
o One key pair for each iteration.
o Signature generation (with and without precomputation) and signature verification.
o Five rounds of timings.
o 100 iterations for xScale and 1000 for P4.

Page 23

P4 timings

Page 24

xScale timings

Page 25

Issues benchmarking Java applications

The Java HotSpot virtual machine improves the speed of Java applications: it compiles and inlines methods on the fly, so measured performance depends on which methods have already been optimized at the time of measurement. How can one measure performance in such a scenario?

Page 26

Java timings on P4

Page 27

Conclusions

MIRACL is the fastest library available. OpenSSL is an interesting alternative to MIRACL, although about 50% slower. It is possible to use either a C or a Java library on P4. The C libraries MIRACL and OpenSSL can be used on xScale as well. IAIK can probably be used on xScale for elliptic curves defined over prime fields (even at the highest security levels).

Page 28

Questions?

Nelson Uto
[email protected]
+55 (19) 3705.4992

CPqD – Centro de Pesquisa e Desenvolvimento em Telecomunicações
Rod. Campinas–Mogi-Mirim, km 118,5 – SP340
13086-902 – Campinas – SP, BRASIL
www.cpqd.com.br

CPqD Technologies & Systems, Inc.
101 NE Third Ave – Suite 1500
Fort Lauderdale, FL 33301, USA
www.cpqdusa.com