“Dcoder” on the #tahoe-lafs IRC channel was kind enough to point me at the latest SUPERCOP benchmark-suite release: http://hyperelliptic.org/ebats/supercop-20120210.tar.bz2 , which includes a new portable-C reference version of the Ed25519 signature code named “ref10”. I added this into python-ed25519 in the “ref10” branch (at https://github.com/warner/python-ed25519/tree/ref10) and did some quick speed comparisons.
I’m delighted to see that the new code is roughly 20x faster than the previous version, without using processor-specific non-portable assembly language. The old “ref” code, on my 2008 laptop (2.53GHz Core2Duo), makes signatures in 2ms and verifies them in 7ms. The “ref10” code signs in 120us and verifies in 307us. That’s over 8300 signatures per second! The ref10 version also includes the batch-verification function, which (thanks to some tricks in the design of Ed25519) makes it faster to verify many signatures at once. Interestingly, this requires random numbers on the *verification* side (since it’s doing statistical verification: if the attacker knew which random numbers you were going to use, they could craft a set of message that would appear valid when checked by the batch verifier, but were invalid when checked individually).
Naturally, this release came exactly one day after I finally published python-ed25519 1.0 :-). But 1.1 will have the speedups.
One update: DJB wrote me to mention that the ref10 code is still undergoing review, and won’t be recommended for actual use for another couple of weeks. Also, it doesn’t actually include batch-verification (I confused myself by looking at the AMD64 assembly version at the same time, which *does* have the batch-verification function). So I’ll hold off adding it to python-ed25519 until it passes code review.