Cryptology ePrint Archive: Report 2012/309

Fast and compact elliptic-curve cryptography

Mike Hamburg

Abstract: 
Elliptic curve cryptosystems have improved greatly in speed over the past few years. In this paper we outline a new elliptic curve signature and key agreement implementation which achieves record speeds while remaining relatively compact. For example, on Intel Sandy Bridge, a curve with about $2^{250}$ points produces a signature in just under 60k clock cycles, verifies in under 169k clock cycles, and computes a Diffie-Hellman shared secret in under 153k clock cycles. Our implementation has a small footprint: the library is under 55kB. We also post competitive timings on ARM processors, verifying a signature in under 626k Tegra-2 cycles. We introduce faster field arithmetic, a new point compression algorithm, an improved fixed-base scalar multiplication algorithm and a new way to verify signatures without inversions or coordinate recovery. Some of these improvements should be applicable to other systems.

Category / Keywords: implementation / elliptic curve cryptosystem, public-key cryptography, digital signatures

Date: received 31 May 2012, last revised 7 Sep 2012

Contact author: mhamburg at cryptography com

Available format(s): PDF | BibTeX Citation

Note: 9/7/2012: Added a citation for Longa and Sica's work. Changed "prediction" to "look-ahead" in discussion of Hisil's mixed projective/extended coordinates, to make it clear that the prediction is certain. Removed verification with no x-coordinate; added verification with precomputation. Made it clear that this software sets records for ECC signing and verification, but not for key exchange.

Version: 20120907:205716 (All versions of this report)

Short URL: ia.cr/2012/309

Discussion forum: Show discussion | Start new discussion