Reference : Lightweight EdDSA Signature Verification for the Ultra-Low-Power Internet of Things
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
Security, Reliability and Trust
Lightweight EdDSA Signature Verification for the Ultra-Low-Power Internet of Things
Groszschädl, Johann mailto [University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS) >]
Franck, Christian mailto [University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS) >]
Liu, Zhe [Nanjing University of Aeronautics and Astronautics > College of Computer Science and Technology]
Information Security Practice and Experience, 16th International Conference, ISPEC 2021, Nanjing, China, December 17–19, 2021, Proceedings
Deng, Robert
Bao, Feng
Wang, Guilin
Shen, Jian
Ryan, Mark
Meng, Weizhi
Wang, Ding
Springer Verlag
Lecture Notes in Computer Science, volume 13107
16th International Conference on Information Security Practice and Experience (ISPEC 2021)
17-12-2021 to 19-12-2021
[en] Lightweight Cryptography ; EdDSA Signature Scheme ; Double-Scalar Multiplication ; MSP430 Architecture ; Software Optimization
[en] EdDSA is a digital signature scheme based on elliptic curves in Edwards form that is supported in the latest incarnation of the TLS protocol (i.e. TLS version 1.3). The straightforward way of verifying an EdDSA signature involves a costly double-scalar multiplication of the form kP - lQ where P is a "fixed" point (namely the generator of the underlying elliptic-curve group) and Q is only known at run time. This computation makes a verification not only much slower than a signature generation, but also more memory demanding. In the present paper we compare two implementations of EdDSA verification using Ed25519 as case study; the first is speed-optimized, while the other aims to achieve low RAM footprint. The speed-optimized variant performs the double-scalar multiplication in a simultaneous fashion and uses a Joint-Sparse Form (JSF) representation for the two scalars. On the other hand, the memory-optimized variant splits the computation of kP - lQ into two separate parts, namely a fixed-base scalar multiplication that is carried out using a standard comb method with eight pre-computed points, and a variable-base scalar multiplication, which is executed by means of the conventional Montgomery ladder on the birationally-equivalent Montgomery curve. Our experiments with a 16-bit ultra-low-power MSP430 microcontroller show that the separated method is 24% slower than the simultaneous technique, but reduces the RAM footprint by 40%. This makes the separated method attractive for "lightweight" cryptographic libraries, in particular if both Ed25519 signature generation/verification and X25519 key exchange need to be supported.
Researchers ; Professionals

File(s) associated to this reference

Fulltext file(s):

Open access
ISPEC2021.pdfPublisher postprint370.27 kBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.