improved digital signatures based on elliptic curve
play

Improved Digital Signatures Based on Elliptic Curve Endomorphism - PowerPoint PPT Presentation

Nov 06, 2022 •183 likes •911 views

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher Leonardi 1 Anzo Teh 1 David Jao 1,2 Kunpeng Wang 3,4,5 Wei Yu 3,4,5 Reza Azarderakhsh 6 [1] Department of Combinatorics and Optimization, University of

  1. Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher Leonardi 1 Anzo Teh 1 David Jao 1,2 Kunpeng Wang 3,4,5 Wei Yu 3,4,5 Reza Azarderakhsh 6 [1] Department of Combinatorics and Optimization, University of Waterloo [2] evolutionQ, Inc., Waterloo, Ontario, Canada [3] State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China [4] Data Assurance and Communications Security Research Center, Beijing, China [5] School of Cyber Security, University of Chinese Academy of Sciences [6] Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 1 / 20

  2. Introduction 1 Digital Signature Scheme 2 Elliptic Curve Background GPS Signatures Our Improvements 3 #1: Isogeny-to-Ideal #2: Ideal-to-Isogeny #3: Parallel Instances Performance Conclusion 4 Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 2 / 20

  3. Introduction Topic of discussion: Galbraith-Petit-Silva digital signature scheme (AsiaCrypt 2017). Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 3 / 20

  4. Introduction Topic of discussion: Galbraith-Petit-Silva digital signature scheme (AsiaCrypt 2017). Implementations are not widely available because: – one subroutine is mathematically complicated, and – signing would be too inefficient to be practical. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 3 / 20

  5. Introduction Topic of discussion: Galbraith-Petit-Silva digital signature scheme (AsiaCrypt 2017). Implementations are not widely available because: – one subroutine is mathematically complicated, and – signing would be too inefficient to be practical. Our work presents three major ways to improve efficiency, and implements the scheme in SAGE. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 3 / 20

  6. Digital Signature Scheme Elliptic Curve Background Elliptic curve E : y 2 = x 3 + ax + b over a finite field F p n is a finite Abelian group (operation is “+”, identity is ∞ ). Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

  7. Digital Signature Scheme Elliptic Curve Background Elliptic curve E : y 2 = x 3 + ax + b over a finite field F p n is a finite Abelian group (operation is “+”, identity is ∞ ). The m -torsion subgroup E [ m ] = { P ∈ E ( F p ) : [ m ] P = ∞} . Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

  8. Digital Signature Scheme Elliptic Curve Background Elliptic curve E : y 2 = x 3 + ax + b over a finite field F p n is a finite Abelian group (operation is “+”, identity is ∞ ). The m -torsion subgroup E [ m ] = { P ∈ E ( F p ) : [ m ] P = ∞} . If ∀ r ∈ N , E [ p r ] = {∞} , then E is called supersingular . Otherwise ∀ r ∈ N , E [ p r ] ∼ = Z / p r Z and is called ordinary . Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

  9. Digital Signature Scheme Elliptic Curve Background Elliptic curve E : y 2 = x 3 + ax + b over a finite field F p n is a finite Abelian group (operation is “+”, identity is ∞ ). The m -torsion subgroup E [ m ] = { P ∈ E ( F p ) : [ m ] P = ∞} . If ∀ r ∈ N , E [ p r ] = {∞} , then E is called supersingular . Otherwise ∀ r ∈ N , E [ p r ] ∼ = Z / p r Z and is called ordinary . The j -invariant is a unique element of F p n associated to each F p n -isomorphism family of elliptic curves. 4 a 3 j ( E ) = 1728 4 a 3 + 27 b 2 ∈ F p n Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

  10. Digital Signature Scheme Elliptic Curve Background Elliptic curve E : y 2 = x 3 + ax + b over a finite field F p n is a finite Abelian group (operation is “+”, identity is ∞ ). The m -torsion subgroup E [ m ] = { P ∈ E ( F p ) : [ m ] P = ∞} . If ∀ r ∈ N , E [ p r ] = {∞} , then E is called supersingular . Otherwise ∀ r ∈ N , E [ p r ] ∼ = Z / p r Z and is called ordinary . The j -invariant is a unique element of F p n associated to each F p n -isomorphism family of elliptic curves. 4 a 3 j ( E ) = 1728 4 a 3 + 27 b 2 ∈ F p n Supersingular elliptic curves are always defined over F p 2 . Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

  11. Digital Signature Scheme Elliptic Curve Background Isogenies are rational morphisms between elliptic curves, and have associated degrees. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

  12. Digital Signature Scheme Elliptic Curve Background Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E ( F 23 ) : y 2 = x 3 + x , E ′ ( F 23 ) : y 2 = x 3 + 13 φ : E ( F 23 ) → E ′ ( F 23 ) , deg( φ ) = 3 � x 3 + 10 x 2 + 16 x + 10 , ( x 3 + 15 x 2 + 15 x + 14) y � φ ( x , y ) = x 2 + 10 x + 2 x 3 + 15 x 2 + 6 x + 10 Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

  13. Digital Signature Scheme Elliptic Curve Background Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E ( F 23 ) : y 2 = x 3 + x , E ′ ( F 23 ) : y 2 = x 3 + 13 φ : E ( F 23 ) → E ′ ( F 23 ) , deg( φ ) = 3 � x 3 + 10 x 2 + 16 x + 10 , ( x 3 + 15 x 2 + 15 x + 14) y � φ ( x , y ) = x 2 + 10 x + 2 x 3 + 15 x 2 + 6 x + 10 Isogenies can be composed: if φ : E 1 → E 2 has degree d 1 , and ψ : E 2 → E 3 has degree d 2 , then ψ ◦ φ : E 1 → E 3 has degree d 1 d 2 . Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

  14. Digital Signature Scheme Elliptic Curve Background Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E ( F 23 ) : y 2 = x 3 + x , E ′ ( F 23 ) : y 2 = x 3 + 13 φ : E ( F 23 ) → E ′ ( F 23 ) , deg( φ ) = 3 � x 3 + 10 x 2 + 16 x + 10 , ( x 3 + 15 x 2 + 15 x + 14) y � φ ( x , y ) = x 2 + 10 x + 2 x 3 + 15 x 2 + 6 x + 10 Isogenies can be composed: if φ : E 1 → E 2 has degree d 1 , and ψ : E 2 → E 3 has degree d 2 , then ψ ◦ φ : E 1 → E 3 has degree d 1 d 2 . The endomorphism ring of an elliptic curve, End( E ), is the (non-commutative) ring of all isogenies from E to itself. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

  15. Digital Signature Scheme Elliptic Curve Background Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E ( F 23 ) : y 2 = x 3 + x , E ′ ( F 23 ) : y 2 = x 3 + 13 φ : E ( F 23 ) → E ′ ( F 23 ) , deg( φ ) = 3 � x 3 + 10 x 2 + 16 x + 10 , ( x 3 + 15 x 2 + 15 x + 14) y � φ ( x , y ) = x 2 + 10 x + 2 x 3 + 15 x 2 + 6 x + 10 Isogenies can be composed: if φ : E 1 → E 2 has degree d 1 , and ψ : E 2 → E 3 has degree d 2 , then ψ ◦ φ : E 1 → E 3 has degree d 1 d 2 . The endomorphism ring of an elliptic curve, End( E ), is the (non-commutative) ring of all isogenies from E to itself. Right ideals of End( E ) are associated to isogenies with domain E . Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

  16. Digital Signature Scheme Elliptic Curve Background Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E ( F 23 ) : y 2 = x 3 + x , E ′ ( F 23 ) : y 2 = x 3 + 13 φ : E ( F 23 ) → E ′ ( F 23 ) , deg( φ ) = 3 � x 3 + 10 x 2 + 16 x + 10 , ( x 3 + 15 x 2 + 15 x + 14) y � φ ( x , y ) = x 2 + 10 x + 2 x 3 + 15 x 2 + 6 x + 10 Isogenies can be composed: if φ : E 1 → E 2 has degree d 1 , and ψ : E 2 → E 3 has degree d 2 , then ψ ◦ φ : E 1 → E 3 has degree d 1 d 2 . The endomorphism ring of an elliptic curve, End( E ), is the (non-commutative) ring of all isogenies from E to itself. Right ideals of End( E ) are associated to isogenies with domain E . Knowledge of an elliptic curve’s endomorphism ring can be used as Trapdoor Information. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

  17. Digital Signature Scheme Elliptic Curve Background Hard and Easy Problems with Isogenies Consider a supersingular E ( F p 2 ), and a hash function H which outputs isogenies with domain E . End( E ) known End( E ) unknown Preimage resistant � � 2 nd Preimage resistant X � Collision resistant X � Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 6 / 20

  18. Digital Signature Scheme Elliptic Curve Background Easy Problems Hard Problems Let E ( F p 2 ) be a supersingular elliptic curve. Given E , compute an arbitrary isogeny with domain E and smooth degree (e.g. 2 m ). 1 Kohel, Lauter, Petit, Tignol “On the quaternion ℓ -isogeny path problem”, 2014. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 7 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun

Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun

Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun Goudarzi, Matthieu Rivain, Damien Vergnaud SAC 2016, 12 Aug, St. Johns Outline EC signature schemes based on random nonces computed from [ k ]

696 views • 52 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve

SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve

SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve cryptography e.g., RSA, DSA, ECDSA. Daniel J. Bernstein Some uses: signed OS updates, University of Illinois at Chicago & SSL certificates,

1.85k views • 165 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1

qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1

qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1 Benjamin Smith 2 1 Radboud University 2 INRIA and Laboratoire dInformatique de l Ecole polytechnique 15 November 2017 15 November 2017 1 /

785 views • 75 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming

Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming

Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin The Hardness of Breaking RSA One approach to breaking RSA is to

274 views • 15 slides
hig igh-performance and lo low-power applications Real World Cryptography Conference 2017

hig igh-performance and lo low-power applications Real World Cryptography Conference 2017

Four -based cryptography for hig igh-performance and lo low-power applications Real World Cryptography Conference 2017 January 4-6, New York, USA Patrick Longa Microsoft Research Next-generation elliptic curves New IETF Standards

861 views • 59 slides
Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P = D(K D ,C) Often, works the other way, too Lecture 4 Page 1 CS 236 Online History of Public Key Cryptography Invented by Diffie and

618 views • 24 slides
DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA Coin flipping over the phone RSA Signatures allow you to recover the message from the signature; ElGamal signatures dont ElGamal Sig

410 views • 14 slides
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set G with a binary operation defined

483 views • 29 slides
The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion University Credit for some slides: Melissa Chase and Picnic team Post-Quantum Cryptography Large-scale quantum computer could efficiently factor large

533 views • 34 slides
Blockchains: The Bits That Could Be Standardized Manu Sporny - CEO - Digital Bazaar Research

Blockchains: The Bits That Could Be Standardized Manu Sporny - CEO - Digital Bazaar Research

Blockchains: The Bits That Could Be Standardized Manu Sporny - CEO - Digital Bazaar Research Into Decentralized Ledger Technologies Principle Bitcoin Ethereum Stellar IPFS Blockstack Hashgraph Confidentiality None None None Hash-based

524 views • 4 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-19 1 Outline Waters signatures Overview over course topics General remarks Digital Signatures 2020-05-19 2 Recap:

250 views • 20 slides

More recommend