IETF Logo Mail Archive

Re: [Cfrg] Signature performance using Montgomery curves

Mike Hamburg <mike@shiftleft.org> Tue, 17 March 2015 17:08 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C98121A87BA for <cfrg@ietfa.amsl.com>; Tue, 17 Mar 2015 10:08:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.956
X-Spam-Level: **
X-Spam-Status: No, score=2.956 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id itDO5gFkSXlJ for <cfrg@ietfa.amsl.com>; Tue, 17 Mar 2015 10:08:52 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDD7F1A1B4B for <cfrg@ietf.org>; Tue, 17 Mar 2015 10:08:51 -0700 (PDT)
Received: from [192.168.1.102] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 5DB2C3AA41; Tue, 17 Mar 2015 10:05:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1426611937; bh=gkDf3jzNft9nFCx3O+MtF83sBO30v6QF4L2Vd3bkatM=; h=Date:From:To:Subject:References:In-Reply-To:From; b=gi1aZ5d+ptsk28nTYXKi3q7WxMnvL5sSu5IEC/UrgUNJNKuXrdtQL1COvv63T81L0 zB7C6v7ZQfzuVj3NeToVdMK8lTiFsHcXIALGXTioqc3JUglRgb80SOmamzyGfC+Sts q8YXDh/EwzZEe3frQmQXlr2QIGg4w4T6mZsddgSA=
Message-ID: <55085FA0.2070807@shiftleft.org>
Date: Tue, 17 Mar 2015 10:08:48 -0700
From: Mike Hamburg <mike@shiftleft.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Evgeny Alekseev <eamsucmc@gmail.com>, "cfrg@ietf.org" <cfrg@ietf.org>
References: <CAOVPyjzpdxVzFL021adSXfcpQcsUeYUbPdL_bOX4QJ6jPCgx1w@mail.gmail.com>
In-Reply-To: <CAOVPyjzpdxVzFL021adSXfcpQcsUeYUbPdL_bOX4QJ6jPCgx1w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000904000400010904040308"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/beuaW4-HiSqOzdAU6I9ZmjLIAvM>
Subject: Re: [Cfrg] Signature performance using Montgomery curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 17:08:55 -0000

Hi Evgeny,

Does the Russian standard require an inversion mod the curve order? 
Goldilocks doesn't implement this, and has very little optimization for 
scalar math because it's not a bottleneck in Schnorr signatures.  But it 
is a major bottleneck in ECDSA.

Without that step, the Goldilocks code base can do about 20000 
signatures or 6100 verifies per second on a Core i7-4790.  This is on 
one core of four, HT off, TB off, 3.6GHz, with IIRC a 15 kiB precomputed 
table.  What were the settings for your benchmark?  Your Core i5-4570 
has a huge boost ratio, from 2 GHz to 3.2 GHz.

Since I don't have optimized scalar math, I can only ballpark how long 
the inversion step would take, though perhaps you could share your 
numbers for 512?  With the mostly unoptimized scalar montmul code in the 
Decaf branch, a double montmul (to multiply two scalars and correct for 
the Montgomery factor) takes 263ns.  So about 448*1.25 montmuls would 
take 73us, dropping speeds to just over 8000 signatures or 4200 verifies 
per second, again on a 3.6GHz core.

A more optimized FLT inverse might take half the time (with optimized 
montmul, dedicated squaring, an addition chain etc), which would raise 
speeds to ~11000 signs or 5000 verifies / core second. I don't know how 
fast blinded EGCD is at this size, but it's probably considerably faster 
than FLT at the cost of some complexity.

Cheers,
-- Mike

On 03/17/2015 02:43 AM, Evgeny Alekseev wrote:
>
> Dear all,
>
> we studied performance of Russian national digital signature standard 
> (which is, in fact, very similar to ECDSA) using Montgomery curves  
> over F(p) with p1 = 2^512 - 569 and p2 = 2^256-617 and got the 
> following result (for Intel Core i5-4570) .
>
> Field size, bits             Signatures per second                  
> Verifications per second
>
> 256 14929                                                   9971
>
> 512 3558                                                     1988
>
>
> Could anyone tell, please, if there is such a performance analysis of 
> ECDSA, using Montgomery curves over F(p) with p = 2^448 - 2^224 - 1?
>
>
> Kind regards, Evgeny Alekseev, PhD
> Moscow State University, Faculty of Computational Mathematics and Cybernetics
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email