Cryptology ePrint Archive: Report 2021/471

Size, Speed, and Security: An Ed25519 Case Study

Cesar Pereida García and Sampo Sovio

Abstract: Ed25519 has significant performance benefits compared to ECDSA using Weierstrass curves such as NIST P-256; therefore, it is considered a good digital signature algorithm, especially for low-performance IoT devices. However, such devices often have very limited resources, and thus implementations for these devices need to be as small and as performant as possible while being secure. In this paper we describe a scenario in which an obvious strategy to aggressively optimize an Ed25519 implementation for code size leads to a small memory footprint that is functionally correct but vulnerable to side-channel attacks. This strategy serves as an example of aggressive optimizations that might be considered by cryptography engineers, developers, and practitioners unfamiliar with the power of Side-Channel Analysis (SCA). As a solution to the flawed implementation example, we use a computer-aided cryptography tool generating formally verified finite field arithmetic to generate two secure Ed25519 implementations fulfilling different size requirements. After benchmarking and comparing these implementations to other widely used implementations, our results show that computer-aided cryptography is capable of generating competitive code in terms of security, speed, and size.

Category / Keywords: public-key cryptography / applied cryptography; EdDSA; Ed25519; side-channel analysis; computer-aided cryptography

Date: received 12 Apr 2021

Contact author: cesar pereidagarcia at tuni fi, sampo sovio@huawei com

Version: 20210412:180750

Short URL: ia.cr/2021/471

