eddsa signatures and ed25519
play

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel - PowerPoint PPT Presentation

Apr 10, 2024 •256 likes •1.16k views

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif, Tanja Lange, and Bo-Yin Yang March 20, 2012 CARAMEL seminar, INRIA Nancy A few words about Taiwan and Academia Sinica Taiwan ( ) is an

  1. EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif, Tanja Lange, and Bo-Yin Yang March 20, 2012 CARAMEL seminar, INRIA Nancy

  2. A few words about Taiwan and Academia Sinica ◮ Taiwan ( 台 灣 ) is an island south of China ◮ About 36,200 km 2 large ◮ Territory of the Republic of China (not to be confused with the People’s Republic of China) ◮ Capital is Taipei ( 台北 ) ◮ Marine tropical climate EdDSA signatures and Ed25519 2

  3. A few words about Taiwan and Academia Sinica ◮ Taiwan ( 台 灣 ) is an island south of China ◮ About 36,200 km 2 large ◮ Territory of the Republic of China (not to be confused with the People’s Republic of China) ◮ Capital is Taipei ( 台北 ) ◮ Marine tropical climate ◮ 99 summits over 3000 meters (highest peak: 3952 m) ◮ Wildlife includes black bears, salmon, monkeys . . . EdDSA signatures and Ed25519 2

  4. A few words about Taiwan and Academia Sinica ◮ Taiwan ( 台 灣 ) is an island south of China ◮ About 36,200 km 2 large ◮ Territory of the Republic of China (not to be confused with the People’s Republic of China) ◮ Capital is Taipei ( 台北 ) ◮ Marine tropical climate ◮ 99 summits over 3000 meters (highest peak: 3952 m) ◮ Wildlife includes black bears, salmon, monkeys . . . ◮ Academia Sinica is a research facility funded by ROC ◮ About 30 institutes ◮ More than 800 principal investigators, about 900 postdocs and more than 2200 students EdDSA signatures and Ed25519 2

  5. Introduction – the NaCl library EdDSA signatures and Ed25519 3

  6. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) EdDSA signatures and Ed25519 4

  7. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication EdDSA signatures and Ed25519 4

  8. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication ◮ We are willing to sacrifice compatibility to other crypto libraries EdDSA signatures and Ed25519 4

  9. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication ◮ We are willing to sacrifice compatibility to other crypto libraries ◮ At the end of 2010 the library contained ◮ the stream cipher Salsa20, ◮ the Poly1305 secret-key authenticator, and ◮ Curve25519 elliptic-curve Diffie-Hellman key-exchange software. EdDSA signatures and Ed25519 4

  10. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication ◮ We are willing to sacrifice compatibility to other crypto libraries ◮ At the end of 2010 the library contained ◮ the stream cipher Salsa20, ◮ the Poly1305 secret-key authenticator, and ◮ Curve25519 elliptic-curve Diffie-Hellman key-exchange software. ◮ This is wrapped in a crypto_box API that performs high-security public-key authenticated encryption ◮ This serves the typical one-to-one communication of most internet connections EdDSA signatures and Ed25519 4

  11. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication ◮ We are willing to sacrifice compatibility to other crypto libraries ◮ At the end of 2010 the library contained ◮ the stream cipher Salsa20, ◮ the Poly1305 secret-key authenticator, and ◮ Curve25519 elliptic-curve Diffie-Hellman key-exchange software. ◮ This is wrapped in a crypto_box API that performs high-security public-key authenticated encryption ◮ This serves the typical one-to-one communication of most internet connections ◮ Still required at the end of 2010: One-to-many authentication, i.e. cryptographic signatures EdDSA signatures and Ed25519 4

  12. Designing a public-key signature scheme ◮ Core requirements: 128-bit security, fast signing, fast verification, secure software implementation ◮ Obvious candidates: RSA, ElGamal, DSA, ECDSA, Schnorr . . . EdDSA signatures and Ed25519 5

  13. Designing a public-key signature scheme ◮ Core requirements: 128-bit security, fast signing, fast verification, secure software implementation ◮ Obvious candidates: RSA, ElGamal, DSA, ECDSA, Schnorr . . . ◮ Conventional wisdom: ECC is faster than anything based on factoring or the DLP in Z ∗ n ◮ (Twisted) Edwards curves support very fast arithmetic ◮ Edwards addition is complete (important for secure implementations) ◮ Curve25519 has an Edwards representation and offers very high security EdDSA signatures and Ed25519 5

  14. Designing a public-key signature scheme ◮ Core requirements: 128-bit security, fast signing, fast verification, secure software implementation ◮ Obvious candidates: RSA, ElGamal, DSA, ECDSA, Schnorr . . . ◮ Conventional wisdom: ECC is faster than anything based on factoring or the DLP in Z ∗ n ◮ (Twisted) Edwards curves support very fast arithmetic ◮ Edwards addition is complete (important for secure implementations) ◮ Curve25519 has an Edwards representation and offers very high security ◮ Looks like “some” signature scheme using Edwards arithmetic on Curve25519 is a good choice EdDSA signatures and Ed25519 5

  15. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme EdDSA signatures and Ed25519 6

  16. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme ◮ Verification speed primarily matters in applications that need to verify many signatures ◮ Idea: To get close to RSA verification speed, support batch verification EdDSA signatures and Ed25519 6

  17. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme ◮ Verification speed primarily matters in applications that need to verify many signatures ◮ Idea: To get close to RSA verification speed, support batch verification ◮ Easier: Verify batches of signatures under the same public key ◮ Harder (but much more useful!): Verify batches of signatures under different public keys ◮ We don’t know where the NaCl library is used, so support the latter EdDSA signatures and Ed25519 6

  18. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme ◮ Verification speed primarily matters in applications that need to verify many signatures ◮ Idea: To get close to RSA verification speed, support batch verification ◮ Easier: Verify batches of signatures under the same public key ◮ Harder (but much more useful!): Verify batches of signatures under different public keys ◮ We don’t know where the NaCl library is used, so support the latter ◮ None of the above-mentioned schemes supports fast batch verification ◮ Schnorr signatures only require small changes (and have many nice features anyways) EdDSA signatures and Ed25519 6

  19. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme ◮ Verification speed primarily matters in applications that need to verify many signatures ◮ Idea: To get close to RSA verification speed, support batch verification ◮ Easier: Verify batches of signatures under the same public key ◮ Harder (but much more useful!): Verify batches of signatures under different public keys ◮ We don’t know where the NaCl library is used, so support the latter ◮ None of the above-mentioned schemes supports fast batch verification ◮ Schnorr signatures only require small changes (and have many nice features anyways) ⇒ Start with Schnorr signatures, modify as required EdDSA signatures and Ed25519 6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011

Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011

1 2 Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011 BernsteinDuifLange SchwabeYang: e.g. 2015 Chou software: Ed25519 signature scheme = on Intel Sandy Bridge (2011), EdDSA using conservative

2.15k views • 125 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1 ECC: Elliptic Curve Cryptography New algorithm for public key crypto Benefit Smaller key size for equivalent strength NOTE:

433 views • 16 slides
EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon

EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon

EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon Josefsson, Simon Josefsson Datakonsult Tanja Lange, Technische Universiteit Eindhoven Peter Schwabe, Radboud Universiteit Bo-Yin Yang, Academia Sinica

352 views • 13 slides
Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The Netherlands Spring 2015 Crypto today Ephemeral ECDH on 256 -bit curve to compute shared key Use EdDSA signatures for public-key

1.43k views • 109 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
BIP32-Ed25519 Dmitry Khovratovich Jason Law University of Luxembourg Evernym, Inc. April 30th,

BIP32-Ed25519 Dmitry Khovratovich Jason Law University of Luxembourg Evernym, Inc. April 30th,

BIP32-Ed25519 Dmitry Khovratovich Jason Law University of Luxembourg Evernym, Inc. April 30th, 2017 Story of BIP32 Bitcoin wallet: Need of multiple addresses to minimize privacy leakage, every address is used just once; Single secret

633 views • 16 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the Importance of Leptonic Decays for Higgs Discovery) Brooks Thomas (The University of Arizona) Shufang Su & BT [arXiv:0903.0667] What do we know about

375 views • 26 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob

The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob

The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob Rees-Mogg Submitted to 10 Downing Street 21 March www.change.org Geographical spread of signatures Distribution of Signatures Bath East of

483 views • 13 slides
6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding Burst errors and interleaving 6.02 Fall 2012 Lecture 5, Slide #1 Matrix Notation for Linear Block Codes Task: given k-bit message, compute n-bit

417 views • 18 slides
33 rd APAN Meeting 2012 g Chiangmai, Thailand Feb 13 (Mon) - 17 (Fri), 2012 ( ) ( ), The

33 rd APAN Meeting 2012 g Chiangmai, Thailand Feb 13 (Mon) - 17 (Fri), 2012 ( ) ( ), The

33 rd APAN Meeting 2012 g Chiangmai, Thailand Feb 13 (Mon) - 17 (Fri), 2012 ( ) ( ), The Empress hotel & Convention Centre General Information The third APAN meeting in Thailand Chiang Mai located in the northern part of C g

501 views • 23 slides
Kindergarten Readiness Numeracy Workshop October 18, 2017 Amy Zappone Pre-k-12 Math Coordinator

Kindergarten Readiness Numeracy Workshop October 18, 2017 Amy Zappone Pre-k-12 Math Coordinator

Kindergarten Readiness Numeracy Workshop October 18, 2017 Amy Zappone Pre-k-12 Math Coordinator Southington Public Schools Key Shifts in Common Core Mathematics Focuses on Conceptual understanding (knowing the why and how)

413 views • 14 slides
Automatic Generation of HCCA Resistant Scalar Multiplication Algorithm by Proper Sequencing of

Automatic Generation of HCCA Resistant Scalar Multiplication Algorithm by Proper Sequencing of

Automatic Generation of HCCA Resistant Scalar Multiplication Algorithm by Proper Sequencing of Field Multiplier Operands Poulami Das, Debapriya Basu Roy and, Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur 29 / 09 / 2017 Debapriya

1k views • 74 slides
Building Organisational Capacity through Teacher Leadership Presenter: Dr Sum Chee Wah Session

Building Organisational Capacity through Teacher Leadership Presenter: Dr Sum Chee Wah Session

Building Organisational Capacity through Teacher Leadership Presenter: Dr Sum Chee Wah Session C9 on Sat, 6 Oct 2018 1100-1230h Room 324 Synopsis of Session Join this workshop to learn and discuss the key concepts of teacher leadership. In

600 views • 22 slides
Inferring Automation Logic from Manual Control Scenarios: Implementation in Function Blocks

Inferring Automation Logic from Manual Control Scenarios: Implementation in Function Blocks

Inferring Automation Logic from Manual Control Scenarios: Implementation in Function Blocks Anatoly Shalyto Daniil Chivilikhin Valeriy Vyatkin Dr. Sci., professor Dr. Eng., professor, PhD student ITMO University ITMO University Aalto

864 views • 34 slides
Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network applications involve the cooperation Client Server Programming Client Server Programming of processes running on different hosts connected by a

323 views • 7 slides
TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP Sniffing the network and forging packets tcpdump, wireshark Today: ICMP and UDP Eike Ritter Network Security -

881 views • 38 slides

More recommend