eddsa for more curves
play

EdDSA for more curves Daniel J. Bernstein, University of Illinois at - PowerPoint PPT Presentation

Nov 09, 2022 •211 likes •352 views

EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon Josefsson, Simon Josefsson Datakonsult Tanja Lange, Technische Universiteit Eindhoven Peter Schwabe, Radboud Universiteit Bo-Yin Yang, Academia Sinica

  1. EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon Josefsson, Simon Josefsson Datakonsult Tanja Lange, Technische Universiteit Eindhoven Peter Schwabe, Radboud Universiteit Bo-Yin Yang, Academia Sinica CFRG, IETF 93, Prague 22 July 2015 EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 1

  2. Background How ECC signatures fail: ◮ PlayStation 3 disaster. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 2

  3. Background How ECC signatures fail: ◮ PlayStation 3 disaster. ◮ Hash-function collisions. ◮ Biased nonces leaking secret key. ◮ Timing leaks from, e.g., inversion mod group order. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 2

  4. Background How ECC signatures fail: ◮ PlayStation 3 disaster. ◮ Hash-function collisions. ◮ Biased nonces leaking secret key. ◮ Timing leaks from, e.g., inversion mod group order. ◮ Being so complex that errors are bound to occur. ◮ Being so slow that protocol designer skips signatures. ◮ Being so slow that implementor turns them off. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 2

  5. Background How ECC signatures fail: ◮ PlayStation 3 disaster. ◮ Hash-function collisions. ◮ Biased nonces leaking secret key. ◮ Timing leaks from, e.g., inversion mod group order. ◮ Being so complex that errors are bound to occur. ◮ Being so slow that protocol designer skips signatures. ◮ Being so slow that implementor turns them off. 1992 Rivest (on DSA): “ The poor user is given enough rope with which to hang himself—something a standard should not do. ” EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 2

  6. The Ed25519 signature system 2011 Bernstein–Duif–Lange–Schwabe–Yang “High-speed high-security signatures” ed25519.cr.yp.to : Eliminate failures. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 3

  7. The Ed25519 signature system 2011 Bernstein–Duif–Lange–Schwabe–Yang “High-speed high-security signatures” ed25519.cr.yp.to : Take advantage of crypto research: ◮ Curve25519. ◮ Edwards curves. ◮ Schnorr signatures, including collision resilience. (Schnorr patent expired 2008.) ◮ Conservative hash functions. ◮ Fast batch verification. ◮ Barwood–Wigley pseudorandom nonce generation. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 3

  8. Ed25519-SHA-512 deployment Nicolai Brown is tracking applications and implementations: ianix.com/pub/ed25519-deployment.html Examples of applications: ◮ OpenSSH. ◮ GnuPG. ◮ GNUnet. ◮ DNSCrypt. ◮ OpenBSD’s signify . Many independent interoperable implementations. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 4

  9. A few examples of Ed25519 implementations Fast constant-time implementation from 2015 Chou: ◮ 57164 cycles for keygen on Intel Sandy Bridge. ◮ 63526 cycles for sign. ◮ 205741 cycles for (non-batch) verify. Compare to 430000 cycles for OpenSSL 1.0.2 ecdsap256 verify. Small constant-time implementations of Salsa20+Poly1305+X25519+SHA-512+Ed25519: ◮ 2013 Hutter–Schwabe “NaCl on 8-bit AVR microcontrollers”: 17366 bytes of object code. ◮ 2014 Bernstein–van Gastel–Janssen–Lange–Schwabe– Smetsers “TweetNaCl: a crypto library in 100 tweets”. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 5

  10. New: EdDSA for more curves Ed25519 is an example of “EdDSA” defined in 2011 paper. 2015 Bernstein–Josefsson–Lange–Schwabe–Yang “EdDSA for more curves”: ◮ Easy extension of original EdDSA definition. ◮ Ed25519 is still an example! EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 6

  11. New: EdDSA for more curves Ed25519 is an example of “EdDSA” defined in 2011 paper. 2015 Bernstein–Josefsson–Lange–Schwabe–Yang “EdDSA for more curves”: ◮ Easy extension of original EdDSA definition. ◮ Ed25519 is still an example! ◮ Also allows Ed448-Goldilocks. ◮ Also allows Curve41417 and E-521. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 6

  12. New: EdDSA for more curves Ed25519 is an example of “EdDSA” defined in 2011 paper. 2015 Bernstein–Josefsson–Lange–Schwabe–Yang “EdDSA for more curves”: ◮ Easy extension of original EdDSA definition. ◮ Ed25519 is still an example! ◮ Also allows Ed448-Goldilocks. ◮ Also allows Curve41417 and E-521. ◮ Also explicitly describes prehashing: e.g., GnuPG uses Ed25519-SHA-512 to sign SHA-256( m ). Note: Mixing SHA-256+SHA-512 is bad for code size! EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 6

  13. [switch to browser showing merged Python implementation for comparing details of signature proposals] EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif,

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif,

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif, Tanja Lange, and Bo-Yin Yang March 20, 2012 CARAMEL seminar, INRIA Nancy A few words about Taiwan and Academia Sinica Taiwan ( ) is an

1.16k views • 90 slides
1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

Topics Parametric curves and surfaces Polynomial curves Advanced Modeling 2 Rational curves Katja Bhler, Andrej Varchola, Eduard Tensor product surfaces Grller Triangular surfaces Institute of Computer Graphics and Algorithms Vienna

78 views • 6 slides
Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2013 Tamara Munzner Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd edition 2 Curves 3 Parametric Curves parametric form

615 views • 32 slides
Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves Physical tools, used to model curves French Curves Smoothly connect pre-determined curve points French Curves French Curves Digital French

845 views • 42 slides
parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape modeling (3D) different representation implicit curves parametric curves (mostly used) 2D and 3D curves are mostly the same use vector notation

724 views • 35 slides
BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of

BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of

BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of curves Interpolating Hermite Bezier B-spline Quadratic Bezier Curves Cubic Bezier Curves 2 ESCAPING FLATLAND

991 views • 38 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Evaluation of Classifiers Evaluation of Classifiers ROC Curves ROC Curves Reject Curves Reject

Evaluation of Classifiers Evaluation of Classifiers ROC Curves ROC Curves Reject Curves Reject

Evaluation of Classifiers Evaluation of Classifiers ROC Curves ROC Curves Reject Curves Reject Curves Precision- -Recall Curves Recall Curves Precision Statistical Tests Statistical Tests Estimating the error rate of a classifier

565 views • 32 slides
CS 5 4 3 : Com puter Graphics Lecture 1 0 ( Part I I I ) : Curves Emmanuel Agu So Far

CS 5 4 3 : Com puter Graphics Lecture 1 0 ( Part I I I ) : Curves Emmanuel Agu So Far

CS 5 4 3 : Com puter Graphics Lecture 1 0 ( Part I I I ) : Curves Emmanuel Agu So Far Dealt with straight lines and flat surfaces Real world objects include curves Need to develop: Representations of curves Tools to render

300 views • 26 slides
Bzier Curves CPSC 453 Fall 2018 Sonny Chan Todays Outline Quadratic Bzier curves

Bzier Curves CPSC 453 Fall 2018 Sonny Chan Todays Outline Quadratic Bzier curves

Bzier Curves CPSC 453 Fall 2018 Sonny Chan Todays Outline Quadratic Bzier curves de Casteljau formulation Bernstein polynomial form Bzier splines Cubic Bzier curves Drawing Bzier curves freeform shape?

687 views • 37 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Smooth models for Suzuki and Ree Curves Abdulla Eid RICAM Workshop Algebraic curves over finite

Smooth models for Suzuki and Ree Curves Abdulla Eid RICAM Workshop Algebraic curves over finite

Smooth models for Suzuki and Ree Curves Abdulla Eid RICAM Workshop Algebraic curves over finite fields Linz, Austria, November 11-15, 2013 DL curves 1 / 35 Introduction Three important examples of algebraic curves over finite fields: The

625 views • 35 slides
Curves and Surfaces CMSC 635 January 15, 2013 Spline curves #/23

Curves and Surfaces CMSC 635 January 15, 2013 Spline curves #/23

A D V A N C E D C O M P U T E R G R A P H I C S A D V A N C E D C O M P U T E R G R A P H I C S To do Continue to work on ray programming assignment Start thinking about final project Curves and Surfaces CMSC 635

276 views • 6 slides
GARDEN CORNER CURVES INTRODUCTION Updat e: Garden Corner Curves Concept St udy Result

GARDEN CORNER CURVES INTRODUCTION Updat e: Garden Corner Curves Concept St udy Result

GARDEN CORNER CURVES Open House June 13, 2017 GARDEN CORNER CURVES INTRODUCTION Updat e: Garden Corner Curves Concept St udy Result s from Public Out reach Four draft alt ernat ives (including cost ) Next st eps Proj

340 views • 15 slides
Constructing cryptographic curves with complex multiplication Reinier Br oker

Constructing cryptographic curves with complex multiplication Reinier Br oker

Constructing cryptographic curves with complex multiplication Reinier Br oker Microsoft Research Fields Institute May 2009 Curves and crypto Curve cryptography comes in 2 flavours: standard : we want curves of prime order;

594 views • 36 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Comparison of CT800 non-contact tonometer and Perkins applanation tonometer in community

Comparison of CT800 non-contact tonometer and Perkins applanation tonometer in community

0 12/12/2017 Comparison of CT800 non-contact tonometer and Perkins applanation tonometer in community practices Dr Ting Siew Leng Universiti Malaysia Sarawak (UNIMAS) Malaysia Declaration Recipient of KOS Travel Grant NO conflict of

329 views • 8 slides
LIGO Mirror Diagnosis and Requirement SEN HAN University of Shanghai for Science and Technology

LIGO Mirror Diagnosis and Requirement SEN HAN University of Shanghai for Science and Technology

The 3rd KAGRA International Workshop (KIW3) LIGO Mirror Diagnosis and Requirement SEN HAN University of Shanghai for Science and Technology Suzhou H&L Instruments LLC Academia Sinica (NTU campus), Taipei May 21-22, 2017 Outline KIW3

855 views • 28 slides
Focus Mismatch Detection in stereoscopic content Frdric Devernay, Sergi Pujades and Vijay

Focus Mismatch Detection in stereoscopic content Frdric Devernay, Sergi Pujades and Vijay

Focus Mismatch Detection in stereoscopic content Frdric Devernay, Sergi Pujades and Vijay Ch.A.V. INRIA Grenoble, France Stereoscopic Displays and Applications 2012 Motivation: stereoscopic visual quality For best visual quality and visual

661 views • 46 slides
State-Based Mode Switching with Applications to Mixed-Criticality Systems Pontus Ekberg , Martin

State-Based Mode Switching with Applications to Mixed-Criticality Systems Pontus Ekberg , Martin

State-Based Mode Switching with Applications to Mixed-Criticality Systems Pontus Ekberg , Martin Stigge, Nan Guan & Wang Yi Uppsala University, Sweden WMC 2013 Mixed Criticality as Mode Switching At a switch between modes (e.g., lo to hi),

627 views • 48 slides
Angeliki Fotopoulou, Stella Markantonatou and Voula Giouli Institute for Language and Speech

Angeliki Fotopoulou, Stella Markantonatou and Voula Giouli Institute for Language and Speech

Encoding MWEs in a conceptual lexicon of Modern Greek Angeliki Fotopoulou, Stella Markantonatou and Voula Giouli Institute for Language and Speech Processing, Athena RIC {afotop; marks; voula}@ilsp.athena-innovation.gr PARSEME Athens WG1

189 views • 4 slides
Master Informatique - Universit Paris-Sud 27/09/18 Outline The design of everyday things

Master Informatique - Universit Paris-Sud 27/09/18 Outline The design of everyday things

Master Informatique - Universit Paris-Sud 27/09/18 Outline The design of everyday things - Don Norman Affordances, Metaphors, and Affordances Conceptual modeling Metaphors Michel Beaudouin-Lafon - mbl@lri.fr Laboratoire de Recherche

273 views • 9 slides
APM(Robot) Towards a platform for meta-reasoning in robotic applications Cdric Dinont,

APM(Robot) Towards a platform for meta-reasoning in robotic applications Cdric Dinont,

APM(Robot) Towards a platform for meta-reasoning in robotic applications Cdric Dinont, Franois Gaillard and Michal Soulignac Computer Science Department ISEN Lille 1/22 APM(Robot): Towards a platform for meta-reasoning in robotic

492 views • 22 slides
Personal Health Informatics CS 8803 Fall 2015 Introduction: Aug 17th, 2015 Lauren Wilcox Asst

Personal Health Informatics CS 8803 Fall 2015 Introduction: Aug 17th, 2015 Lauren Wilcox Asst

Personal Health Informatics CS 8803 Fall 2015 Introduction: Aug 17th, 2015 Lauren Wilcox Asst Prof Office Hours M 3:30pm 345 TSRB Background Research CS PhD, 2013 Columbia University HCI, Health Informatics

630 views • 43 slides

More recommend