Set It and Forget It! Turnkey ECC for Instant Integration

TL;DR

This paper presents an automated methodology for implementing, testing, and integrating high-speed, constant-time elliptic curve cryptography (ECC) into real-world software, significantly improving performance and security verification.

Contribution

It introduces a fully automated approach to ECC implementation and testing, enabling seamless integration into existing cryptographic libraries with substantial performance gains.

Findings

Achieved up to 13.3x speedup in ECC operations

Uncovered vulnerabilities in OpenSSL and a Russian standard

Successfully integrated into OpenSSL, NSS, and GOST engine

Abstract

Historically, Elliptic Curve Cryptography (ECC) is an active field of applied cryptography where recent focus is on high speed, constant time, and formally verified implementations. While there are a handful of outliers where all these concepts join and land in real-world deployments, these are generally on a case-by-case basis: e.g. a library may feature such X25519 or P-256 code, but not for all curves. In this work, we propose and implement a methodology that fully automates the implementation, testing, and integration of ECC stacks with the above properties. We demonstrate the flexibility and applicability of our methodology by seamlessly integrating into three real-world projects: OpenSSL, Mozilla's NSS, and the GOST OpenSSL Engine, achieving roughly 9.5x, 4.5x, 13.3x, and 3.7x speedup on any given curve for key generation, key agreement, signing, and verifying, respectively. Furthermore, we showcase the efficacy of our testing methodology by uncovering flaws and vulnerabilities in OpenSSL, and a specification-level vulnerability in a Russian standard. Our work bridges the gap between significant applied cryptography research results and deployed software, fully automating the process.