Better-performing "25519" elliptic-curve cryptography
Amazon Web Services has improved the performance of x25519 and Ed25519 cryptographic algorithms, achieving significant gains and enhancing security through automated reasoning and architecture-specific optimizations in AWS LibCrypto.
Read original article
Amazon Web Services (AWS) has enhanced the performance of its x25519 and Ed25519 elliptic-curve cryptography algorithms through automated reasoning and microarchitecture-specific optimizations. These algorithms, crucial for secure online communications, are implemented in AWS's open-source cryptographic library, AWS LibCrypto (AWS-LC). The recent updates include assembly-level implementations that improve both performance and correctness assurance. The optimizations leverage the unique characteristics of different CPU microarchitectures, specifically targeting x86_64 and Arm64 architectures. The new implementations have shown significant performance gains, with Ed25519 signing operations increasing by an average of 108% and x25519 operations by 113% across various microarchitectures. Additionally, the team employed constant-time execution strategies to mitigate side-channel attack risks. The correctness of these implementations is verified using automated reasoning techniques, ensuring that the algorithms function as intended. This work not only enhances the efficiency of cryptographic operations but also contributes to the security of AWS services, aligning with the growing demand for robust cryptographic solutions in the digital landscape.
- AWS has improved x25519 and Ed25519 cryptographic algorithms for better performance and correctness.
- The enhancements utilize automated reasoning and optimizations tailored to specific CPU architectures.
- Performance gains include a 108% increase in Ed25519 signing operations and a 113% increase in x25519 operations.
- Constant-time execution strategies are implemented to protect against side-channel attacks.
- The correctness of the implementations is verified using automated reasoning techniques.
Related
The XAES-256-GCM extended-nonce AEAD
XAES-256-GCM is a secure AEAD algorithm with 256-bit keys and 192-bit nonces, aiming for safety, compliance, and ease of use. It complements other AEAD implementations and receives support from various clients.
Revealing the Inner Structure of AWS Session Tokens
A study by Tal Be'ery reverse-engineered AWS Session Tokens, revealing their structure and developing tools for analysis. This research aids security professionals in understanding AWS's authentication protocols to prevent attacks.
Reversing the AMD Secure Processor (PSP) – Part 2: Cryptographic Co-Processor
The AMD Secure Processor's Cryptographic Co-Processor (CCPv5) enhances cryptography and firmware operations with Local Storage Blocks, multiple command queues, and a layered encryption key system for efficient data management.
AWS powered Prime Day 2024
Amazon Prime Day 2024, on July 17-18, set sales records with millions of deals. AWS infrastructure supported the event, deploying numerous AI and Graviton chips, ensuring operational readiness and security.
Intel Further Speeds Up Strnlen() in the GNU C Library for Recent Intel/AMD CPUs
Intel has optimized the strnlen() function in glibc for better performance on modern CPUs, unifying implementations and showing significant improvements in benchmark tests. The update will be in glibc 2.41.
- Performance Optimizations: Several commenters highlight existing optimized implementations of these algorithms, noting significant performance gains compared to OpenSSL.
- Security Concerns: There are discussions about the potential impact of optimizations on security features, particularly regarding timing side channels and formal verification of the implementation.
- Post-Quantum Cryptography: Some comments question the relevance of x25519 in post-quantum contexts, suggesting that its inclusion in modern protocols may be overstated.
- Adoption and Usage: Commenters speculate on the potential for ed25519 to become the default key algorithm over RSA, given its performance advantages.
- Technical Curiosity: There is a strong interest in the technical details of the implementation, including the use of formal methods and the implications of architecture-specific optimizations.
10 commentshttps://github.com/firedancer-io/firedancer/pull/716
Ditto for sha256: https://github.com/firedancer-io/firedancer/pull/778
And sha512: https://github.com/firedancer-io/firedancer/pull/760
If you’re an optimization nerd, this codebase is wild.
Really though? This mostly-untrue statement is the line that warrants adding hashtag #post-quantum-cryptography to the blogpost?
If this further improvement becomes widely used, it would be interesting to see if it's enough to tip the scales towards ed25519 being more of the de facto "default" ssh key algorithm. My experience is that a decent number of people still use RSA keys most of the time, but I don't feel like I have nearly enough of a sample size to conclude anything significant from that.
That's pretty sweet. I'm currently using BoringSSL in a project as a supplement to OpenSSL (mostly because it is much easier to build for Windows users than requiring them to fiddle with msys2/vcpkg etc; the alternative is to rely on the Windows CNG API, but it lacks features like ed25519 support.) I wonder how much effort it would take to use aws-lc instead... Not that I'm that interested, BSSL is pretty good, but free performance and heavy automated verification is always nice :)
Related: one of the authors of this post, John Harrison, wrote a really good book about automated theorm proving about 15 years ago while working on floating point verification at Intel -- there's still no other book quite like this one, I think https://www.cl.cam.ac.uk/~jrh13/
My immediate fear was that they optimized away the security features like absence of timing side channels, but they say they still have those.
They also claim to have formal proof of correctness, which is even more amazing, because they are not doing it on a symbolic level but on a machine instruction level. Apparently they tought their reasoning system the semantics of all the CPU instructions used in the assembler implementation.
I'll still wait what djb has to say about this, but it looks freaking amazing to me.
Is this implementation resistant to that?
If it isn't, it's kinda a footgun which shouldn't be published for general use.
Related
The XAES-256-GCM extended-nonce AEAD
XAES-256-GCM is a secure AEAD algorithm with 256-bit keys and 192-bit nonces, aiming for safety, compliance, and ease of use. It complements other AEAD implementations and receives support from various clients.
Revealing the Inner Structure of AWS Session Tokens
A study by Tal Be'ery reverse-engineered AWS Session Tokens, revealing their structure and developing tools for analysis. This research aids security professionals in understanding AWS's authentication protocols to prevent attacks.
Reversing the AMD Secure Processor (PSP) – Part 2: Cryptographic Co-Processor
The AMD Secure Processor's Cryptographic Co-Processor (CCPv5) enhances cryptography and firmware operations with Local Storage Blocks, multiple command queues, and a layered encryption key system for efficient data management.
AWS powered Prime Day 2024
Amazon Prime Day 2024, on July 17-18, set sales records with millions of deals. AWS infrastructure supported the event, deploying numerous AI and Graviton chips, ensuring operational readiness and security.
Intel Further Speeds Up Strnlen() in the GNU C Library for Recent Intel/AMD CPUs
Intel has optimized the strnlen() function in glibc for better performance on modern CPUs, unifying implementations and showing significant improvements in benchmark tests. The update will be in glibc 2.41.