Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Use of Curve25519 in ECDSA

I'm currently investigating the use of curve25519 for signing. Original distribution and a C implementation (and a second C implementation).

Bernstein suggests to use ECDSA for this but I could not find any code.

like image 477
chmike Avatar asked Mar 25 '10 13:03

chmike


People also ask

What is Curve25519 used for?

In the TextSecure application, Curve25519 is used for key exchanges and authentication. However, in this paper we show that Curve25519 can also be implemented in simplified Elliptic Curve Integrated Encryption Scheme (S-ECIES). Therefore Curve25519 serves for key exchange, authentication, encryption, and decryption.

How does ECC signing work?

A welcome alternative to this logistics problem is elliptic curve cryptography (ECC), where all participating devices have a pair of keys called “private key” and “public key.” The private key is used by the originator to sign a message, and the recipient uses the originator's public key to verify the authenticity of ...

Is ECDSA better than Ed25519?

Ed25519 is the fastest performing algorithm across all metrics. As with ECDSA, public keys are twice the length of the desired bit security. EdDSA provides the highest security level compared to key length. It also improves on the insecurities found in ECDSA.

Is ECDSA more secure than RSA?

ECDSA provides the same level of security as RSA but it does so while using much shorter key lengths. Therefore, for longer keys, ECDSA will take considerably more time to crack through brute-forcing attacks. Another great advantage that ECDSA offers over RSA is the advantage of performance and scalability.


1 Answers

ECDSA is specified by ANSI X9.62. That standard defines the kind of curves on which ECDSA is defined, including details curve equations, key representations and so on. These do not match Curve25519: part of the optimizations which make Curve25519 faster than standard curves of the same size rely on the special curve equation, which does not enter in X9.62 formalism. Correspondingly, there cannot be any implementation of ECDSA which both conforms to ANSI X9.62, and uses Curve25519. In practice, I know of no implementation of an ECDSA-like algorithm on Curve25519.

To be brief, you are on your own. You may want to implement ECDSA over the Curve25519 implementation by following X9.62 (there a draft from 1998 which can be downloaded from several places, e.g. there, or you can spend a hundred bucks and get the genuine 2005 version from Techstreet). But be warned that you are walking outside of the carefully trodden paths of analyzed cryptography; in other words I explicitly deny any kind of guarantee on how secure that kind-of-ECDSA would be.

My advice would be to stick to standard curves (such as NIST P-256). Note that while Curve25519 is faster than most curves of the same size, smaller standard curves will be faster, and yet provide adequate security for most purposes. NIST P-192, for instance, provides "96-bit security", somewhat similar to 1536-bit RSA. Also, standard curves already provide performance on the order of several thousands signature per second on a small PC, and I have trouble imagining a scenario where more performance is needed.

like image 64
Thomas Pornin Avatar answered Nov 20 '22 19:11

Thomas Pornin