Add an optimized curve25519_base_donna #23
Conversation
In many protocols, it doesn't hurt security for a timing attacker to know whether we're computing SK*9 ==> PUBKEY or whether we're computing SK*PUBKEY ==> SHARED_SECRET. For example, when you're doing Diffie-Hellman, everybody will do one scalarmult of the basepoint (9), and one scalarmult of the other party's public key. For this kind of application, we can improve handshake speed by having an optimized curve25519_base_donna function (name taken from nacl's "crypto_scalarmult_base") that computes SK*BP. Here I've only done the most obvious version of the optimization by making an alternate fmonty_bp that does a scalar multiplication by 9 in place of fmul(.,.,qmqp). On my laptop, the 64-bit curve25519_base_donna is 11.5% faster than the regular 64-bit curve25519_donna, and the 32-bit curve25519_base_donna is faster than its counterpart by 4.7%.
|
I'm on vacation at the moment and I'm afraid it'll be a file of weeks till However, fixed base optimisations are typically much faster than this. If Are you thinking of using curve 25519 for ECDHE where key gen is common?
|
|
I've got a Tor branch where I'm using it for Ian Goldberg et al's "ntor" protocol, as described in their paper and specified in Tor proposal 216. The server side of the protocol is performance-critical for me; it involves 3 curve25519 operations, one of which is an operation on the base point. If you think it's something I could figure out, and you point me at something readable about how to do fixed base optimizations right, I might be able to take a crack at it. The other conceivable optimization to do for that protocol would be to implement something like Shamir's simultaneous multiple exponentiation -- but that one isn't at all an obvious fit for how curve25519 wants to be implemented. Alternatively, there's a protocol for a faster protocol out there, but it's less reviewed than ntor, and it would require point addition as well as simultaneous multiple curve25519. |
|
On Dec 30, 2012 2:54 AM, "Nick Mathewson" [email protected] wrote:
Firstly, the biggest improvement is probably to grab djb's code from But, as for adding fixed-base optimisations to donna, I suggest that I can't find plain addition formula for Montgomery curves and I don't From there, one can precompute a table of values tapping two or four Reading the table in constant time is a bit of a pain. Typically I've Cheers AGL |
|
I'll see about snarfing the SUPERCOP implementations; I was kind of hoping that the next version of nacl would come out sometime soon, including those implementations, so I wouldn't have to worry about it and could just tell people "link against nacl." The schedule for that is a fine thing for us to ask Dan about when we're co-located. WRT better implementations for implementing the ntor/ace handshakes: this is definitely a place to step back and talk about what the correct long-term solution really is. But even with the current naive implementation, ntor+curve25519-donna is much faster and much more secure than what Tor's been doing up till now, so I'm fine merging it and then optimizing it or moving to ace later. |
In many protocols, it doesn't hurt security for a timing attacker to
know whether we're computing SK_9 ==> PUBKEY or whether we're
computing SK_PUBKEY ==> SHARED_SECRET. For example, when you're doing
Diffie-Hellman, everybody will do one scalarmult of the basepoint (9),
and one scalarmult of the other party's public key.
For this kind of application, we can improve handshake speed by having
an optimized curve25519_base_donna function (name taken from nacl's
"crypto_scalarmult_base") that computes SK*BP.
Here I've only done the most obvious version of the optimization by
making an alternate fmonty_bp that does a scalar multiplication by 9
in place of fmul(.,.,qmqp). On my laptop, the 64-bit
curve25519_base_donna is 11.5% faster than the regular 64-bit
curve25519_donna, and the 32-bit curve25519_base_donna is faster than
its counterpart by 4.7%.