Re: [Cfrg] Signature performance using Montgomery curves
Mike Hamburg <mike@shiftleft.org> Tue, 17 March 2015 17:08 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C98121A87BA for <cfrg@ietfa.amsl.com>; Tue, 17 Mar 2015 10:08:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.956
X-Spam-Level: **
X-Spam-Status: No, score=2.956 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id itDO5gFkSXlJ for <cfrg@ietfa.amsl.com>; Tue, 17 Mar 2015 10:08:52 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDD7F1A1B4B for <cfrg@ietf.org>; Tue, 17 Mar 2015 10:08:51 -0700 (PDT)
Received: from [192.168.1.102] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 5DB2C3AA41; Tue, 17 Mar 2015 10:05:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1426611937; bh=gkDf3jzNft9nFCx3O+MtF83sBO30v6QF4L2Vd3bkatM=; h=Date:From:To:Subject:References:In-Reply-To:From; b=gi1aZ5d+ptsk28nTYXKi3q7WxMnvL5sSu5IEC/UrgUNJNKuXrdtQL1COvv63T81L0 zB7C6v7ZQfzuVj3NeToVdMK8lTiFsHcXIALGXTioqc3JUglRgb80SOmamzyGfC+Sts q8YXDh/EwzZEe3frQmQXlr2QIGg4w4T6mZsddgSA=
Message-ID: <55085FA0.2070807@shiftleft.org>
Date: Tue, 17 Mar 2015 10:08:48 -0700
From: Mike Hamburg <mike@shiftleft.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Evgeny Alekseev <eamsucmc@gmail.com>, "cfrg@ietf.org" <cfrg@ietf.org>
References: <CAOVPyjzpdxVzFL021adSXfcpQcsUeYUbPdL_bOX4QJ6jPCgx1w@mail.gmail.com>
In-Reply-To: <CAOVPyjzpdxVzFL021adSXfcpQcsUeYUbPdL_bOX4QJ6jPCgx1w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000904000400010904040308"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/beuaW4-HiSqOzdAU6I9ZmjLIAvM>
Subject: Re: [Cfrg] Signature performance using Montgomery curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 17:08:55 -0000
Hi Evgeny, Does the Russian standard require an inversion mod the curve order? Goldilocks doesn't implement this, and has very little optimization for scalar math because it's not a bottleneck in Schnorr signatures. But it is a major bottleneck in ECDSA. Without that step, the Goldilocks code base can do about 20000 signatures or 6100 verifies per second on a Core i7-4790. This is on one core of four, HT off, TB off, 3.6GHz, with IIRC a 15 kiB precomputed table. What were the settings for your benchmark? Your Core i5-4570 has a huge boost ratio, from 2 GHz to 3.2 GHz. Since I don't have optimized scalar math, I can only ballpark how long the inversion step would take, though perhaps you could share your numbers for 512? With the mostly unoptimized scalar montmul code in the Decaf branch, a double montmul (to multiply two scalars and correct for the Montgomery factor) takes 263ns. So about 448*1.25 montmuls would take 73us, dropping speeds to just over 8000 signatures or 4200 verifies per second, again on a 3.6GHz core. A more optimized FLT inverse might take half the time (with optimized montmul, dedicated squaring, an addition chain etc), which would raise speeds to ~11000 signs or 5000 verifies / core second. I don't know how fast blinded EGCD is at this size, but it's probably considerably faster than FLT at the cost of some complexity. Cheers, -- Mike On 03/17/2015 02:43 AM, Evgeny Alekseev wrote: > > Dear all, > > we studied performance of Russian national digital signature standard > (which is, in fact, very similar to ECDSA) using Montgomery curves > over F(p) with p1 = 2^512 - 569 and p2 = 2^256-617 and got the > following result (for Intel Core i5-4570) . > > Field size, bits Signatures per second > Verifications per second > > 256 14929 9971 > > 512 3558 1988 > > > Could anyone tell, please, if there is such a performance analysis of > ECDSA, using Montgomery curves over F(p) with p = 2^448 - 2^224 - 1? > > > Kind regards, Evgeny Alekseev, PhD > Moscow State University, Faculty of Computational Mathematics and Cybernetics > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] Signature performance using Montgomery… Mike Hamburg
- Re: [Cfrg] Signature performance using Montgomery… Mike Hamburg
- Re: [Cfrg] Signature performance using Montgomery… Ilari Liusvaara
- [Cfrg] Signature performance using Montgomery cur… Evgeny Alekseev
- Re: [Cfrg] Signature performance using Montgomery… Mike Hamburg