Research Area:  Internet of Things
EdDSA is a digital signature scheme based on elliptic curves in Edwards form that is supported in the latest incarnation of the TLS protocol (i.e. TLS version 1.3). The straightforward way of verifying an EdDSA signature involves a costly double-scalar multiplication of the form ๐๐โ๐๐ where P is a โfixedโ point (namely the generator of the underlying elliptic-curve group) and Q is only known at run time. This computation makes a verification not only much slower than a signature generation, but also more memory demanding. In the present paper we compare two implementations of EdDSA verification using Ed25519 as case study; the first is speed-optimized, while the other aims to achieve low RAM footprint. The speed-optimized variant performs the double-scalar multiplication in a simultaneous fashion and uses a Joint-Sparse Form (JSF) representation for the two scalars. On the other hand, the memory-optimized variant splits the computation of ๐๐โ๐๐ into two separate parts, namely a fixed-base scalar multiplication that is carried out using a standard comb method with eight pre-computed points, and a variable-base scalar multiplication, which is executed by means of the conventional Montgomery ladder on the birationally-equivalent Montgomery curve. Our experiments with a 16-bit ultra-low-power MSP430 microcontroller show that the separated method is 24% slower than the simultaneous technique, but reduces the RAM footprint by 40%. This makes the separated method attractive for โlightweightโ cryptographic libraries, in particular if both Ed25519 signature generation/verification and X25519 key exchange need to be supported.
Keywords:  
Author(s) Name:  Johann Groรschรคdl, Christian FranckZhe Liu
Journal name:  
Conferrence name:  International Conference on Information Security Practice and Experience
Publisher name:  SPRINGER
DOI:  10.1007/978-3-030-93206-0_16
Volume Information:  
Paper Link:   https://link.springer.com/chapter/10.1007/978-3-030-93206-0_16