Positive value for ECC

NIIBE Yutaka gniibe at fsij.org
Wed Apr 6 10:50:25 CEST 2016

On 04/05/2016 11:07 PM, Werner Koch wrote:
> On Tue,  5 Apr 2016 04:46, gniibe at fsij.org said:
>> I think that it's worth to keep the value as positive for ECC
>> computation (even if we don't enable GCRYPT_BARRETT).
> Agreed.

Note that I keep the values in domain_parms, so that computation of
keygrip will not be changed.

>> Here is a patch to keep the value positive in ECC computation.
>> I'm going to commit this if no objection.
> Okay.  Can you also run tests to check whether there is any noticeable
> performance gain?

Here are results.  This is taken by the second run of "benchmark"
program after the build.

=========================== Plain vanilla
$ ./benchmark ecc
Algorithm         generate  100*priv  100*public
ECDSA 192 bit         80ms    1960ms      2230ms
ECDSA 224 bit        110ms    2480ms      2810ms
ECDSA 256 bit        120ms    3060ms      3350ms
ECDSA 384 bit        250ms    6870ms      8020ms
ECDSA 521 bit        600ms   18380ms     21910ms
EdDSA Ed25519         40ms    4020ms      5980ms
GOST  256 bit        120ms    2950ms      3670ms
GOST  512 bit        570ms   17070ms     21290ms

=========================== With the patch
$ ./benchmark ecc
Algorithm         generate  100*priv  100*public
ECDSA 192 bit         70ms    1960ms      2170ms
ECDSA 224 bit         90ms    2480ms      2790ms
ECDSA 256 bit        110ms    3020ms      3380ms
ECDSA 384 bit        230ms    6900ms      7960ms
ECDSA 521 bit        590ms   18450ms     21190ms
EdDSA Ed25519         40ms    4220ms      5800ms
GOST  256 bit        110ms    2920ms      3530ms
GOST  512 bit        580ms   17210ms     20940ms

No noticeable difference, so far.

Given the condition that values are positive, it will be possible to
improve smaller memory footprint for the computation (at least for

More information about the Gcrypt-devel mailing list