qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs (presentation slides)



SLIDE 1

qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs

Joost Renes (1), Benjamin Smith (2)

(1) Radboud University; (2) INRIA and Laboratoire d'Informatique de l'École polytechnique

15 November 2017 1 / 24

SLIDE 2

Curve-based crypto

Key exchange, signature scheme, and the form of the two public keys involved (Q: a full curve point, x: an x-coordinate only):

DH   EdDSA    Q1, Q2
DH   EdDSA    x1, Q2
DH   XEdDSA   x1, x2
DH   qDSA     x1, x2

SLIDE 8

Outline

(1) Quotient operations
(2) The qDSA scheme
(3) Instantiating with the x-line
(4) Instantiating with Kummer surfaces

SLIDE 9

Operations on quotient groups

Operations G → G:
(G1) P → [λ]P
(G2) (P, Q) → P + Q

On the quotient G/±1 the point x(P) stands for the pair {P, −P}, and the two operations descend as follows:

◮ x(P) ↔ {P, −P} → {[λ]P, −[λ]P} ↔ x([λ]P)
◮ (x(P), x(Q)) ↔ {{P, −P}, {Q, −Q}} → {±(P ± Q)} ↔ {x(P + Q), x(P − Q)}

Operations G/±1 → G/±1:
(Q1) x(P) → x([λ]P)
(Q2) (x(P), x(Q)) → {x(P + Q), x(P − Q)}

SLIDE 23

Schnorr signatures

Starting point: Schnorr signatures [Sch89]
(1) Schnorr identification scheme (group-based)
(2) Apply Fiat-Shamir to make it non-interactive
(3) Include the message to create a signature scheme

SLIDE 25

Schnorr identification on the quotient (qID)

Group version (secret α, public key Q = [α]P):
  Prover(P, Q, α): r ←R Z_N^*, R ← [r]P; sends R
  Verifier(P, Q): c ←R Z_N; sends c
  Prover: s ← (r − c · α) mod N; sends s
  Verifier: checks R ?= [s]P + [c]Q

On the quotient, every point is replaced by its x-coordinate:
  Prover(x(P), x(Q), α): r ←R Z_N^*, x(R) ← x([r]P); sends x(R)
  Verifier(x(P), x(Q)): c ←R Z_N^+; sends c
  Prover: s ← (r − c · α) mod N; sends s
  Verifier: checks x(R) ?∈ {x([s]P ± [c]Q)}

Need {x([s]P + [c]Q), x([s]P − [c]Q)}: possible on G/±1!

SLIDE 36

qSIG and qDSA

qID (Schnorr ID) ⇒ [Fiat-Shamir] ⇒ qSIG (Schnorr signature) ⇒ qDSA (EdDSA-style)

From qSIG to qDSA:
(1) Include the public key in the challenge
(2) Generate the ephemeral secret r pseudo-randomly

Add countermeasures against side-channel attacks:
(3) Fault attacks on the ephemeral scalar multiplication
◮ Add randomness into the hash for nonce generation
(4) Fault attacks on the base point (Mehdi's talk on Monday)
◮ Clamp, or add a small cofactor into the computation
◮ Verify correctness of the base point

SLIDE 41

Additional remarks

(1) Security reduction. Similar to the original Schnorr ID scheme
(2) Unified keys. Identical key pairs for DH and qDSA
(3) Key and signature sizes. 32-byte keys, 64-byte signatures (requires work in genus 2!)
(4) Verification. Two-dimensional scalar multiplication algorithms not available, and no batching

SLIDE 42

Back to curves

Here, G is the Jacobian group J of a hyperelliptic curve of genus g

◮ Elliptic curves (g = 1) have J/±1 = P1
◮ Hyperelliptic curves with g = 2 have J/±1 = K, a Kummer surface
◮ For g ≥ 3 the security does not scale well (index calculus)

Need to define
(1) x(P) → x([λ]P) (usual way via the Montgomery ladder)
(2) (x(P), x(Q)) → {x(P + Q), x(P − Q)}
(3) For any x(P), a 32-byte representation of x(P)

SLIDE 44

On the choice of model (g = 1)

For elliptic curves the common choice is the Montgomery model
$$E/\mathbb{F}_p : B y^2 = x^3 + A x^2 + x.$$
We obtain Curve25519 by taking $p = 2^{255} - 19$, $A = 486662$, $B = 1$.

SLIDE 45

Arithmetic on P1

If $x(P) = (X_1 : Z_1)$, $x(Q) = (X_2 : Z_2)$, $x(P + Q) = (X_3 : Z_3)$, $x(P - Q) = (X_4 : Z_4)$, then

xADD:
$$X_3 X_4 = \lambda \cdot (X_1 X_2 - Z_1 Z_2)^2, \qquad Z_3 Z_4 = \lambda \cdot (X_1 Z_2 - X_2 Z_1)^2$$

xDBL (with $x(P) = (X : Z)$ and $x([2]P) = (X_3 : Z_3)$):
$$X_3 = \mu \cdot (X^2 - Z^2)^2, \qquad Z_3 = \mu \cdot 4XZ\,(X^2 + AXZ + Z^2)$$

SLIDE 47

Biquadratic forms on P1

In fact, with $x(P) = (X_1 : Z_1)$, $x(Q) = (X_2 : Z_2)$ and $x(P \pm Q) = (X_3 : Z_3), (X_4 : Z_4)$ as before, have
$$X_3 X_4 = \nu \cdot B_{00}, \qquad X_3 Z_4 + X_4 Z_3 = 2\nu \cdot B_{10}, \qquad Z_3 Z_4 = \nu \cdot B_{11},$$
where
$$\begin{aligned}
B_{00} &= (X_1 X_2 - Z_1 Z_2)^2, \\
B_{10} &= (X_1 X_2 + Z_1 Z_2)(X_1 Z_2 + X_2 Z_1) + 2A\, X_1 X_2 Z_1 Z_2, \\
B_{11} &= (X_1 Z_2 - X_2 Z_1)^2,
\end{aligned}$$
i.e.
$$\begin{pmatrix} X_3 X_4 & * \\ X_3 Z_4 + X_4 Z_3 & Z_3 Z_4 \end{pmatrix} = \nu \cdot \begin{pmatrix} B_{00} & * \\ 2 B_{10} & B_{11} \end{pmatrix}.$$
(The factor 2 in the middle entry is forced by the quadratic below: its root sum is $(X_3 Z_4 + X_4 Z_3)/Z_3 Z_4 = 2B_{10}/B_{11}$ and its root product is $X_3 X_4/Z_3 Z_4 = B_{00}/B_{11}$. In affine terms this is the classical Montgomery identity $x(P+Q) + x(P-Q) = 2\big((x_P x_Q + 1)(x_P + x_Q) + 2A\,x_P x_Q\big)/(x_P - x_Q)^2$.)

Thus $(X_3 : Z_3)$ and $(X_4 : Z_4)$ are the unique solutions to
$$B_{11} X^2 - 2 \cdot B_{10}\, XZ + B_{00} Z^2 = 0.$$

SLIDE 50

Summarizing verification on P1

Given a signature (x(R) || s) on M w.r.t. the public key x(Q):
(1) c ← H(x(R) || x(Q) || M) (the public key is part of the challenge, as in qDSA step (1))
(2) x(T0) ← x([s]P)
(3) x(T1) ← x([c]Q)
(4) Compute B00, B10, B11 for x(T0) and x(T1)
(5) Check that x(R) vanishes on B11 · X² − 2 · B10 · XZ + B00 · Z² (i.e. x(R) ∈ {x(T0 + T1), x(T0 − T1)})
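The whole pipeline of the qID/qSIG/qDSA slides and of the P1 verification above, worked through in code. This is an added example written for this page, not the authors' qDSA reference implementation. It assumes the standard Curve25519 base point x = 9 and base-point order N = 2^252 + 27742317777372353535851937790883648493 (neither is stated on the slides), picks SHA-512 as the hash H, and is teaching code only: Python integers are not constant-time, the ladder's conditional swap is a plain branch rather than a masked swap, and the only fault countermeasure included is the optional extra randomness in the nonce hash.

```python
import hashlib

p = 2**255 - 19      # field prime (slide 44)
A = 486662           # Montgomery coefficient of Curve25519 (slide 44)
N = 2**252 + 27742317777372353535851937790883648493  # order of the base point (assumed: standard value)
X_BASE = 9           # x-coordinate of the standard base point P (assumed: standard value)

def xdbl(X, Z):
    """xDBL: x([2]P) = ((X^2 - Z^2)^2 : 4XZ (X^2 + A XZ + Z^2)) (slide 46)."""
    a = (X + Z) * (X + Z) % p            # (X + Z)^2
    b = (X - Z) * (X - Z) % p            # (X - Z)^2
    c = (a - b) % p                      # 4XZ
    return a * b % p, c * (b + 121666 * c) % p   # 121666 = (A + 2)/4, so b + 121666 c = X^2 + AXZ + Z^2

def xadd(X1, Z1, X2, Z2, X4, Z4):
    """xADD: x(P + Q) from x(P) = (X1:Z1), x(Q) = (X2:Z2) and the difference x(P - Q) = (X4:Z4) (slide 45)."""
    a = (X1 + Z1) * (X2 - Z2) % p
    b = (X1 - Z1) * (X2 + Z2) % p
    return Z4 * (a + b) ** 2 % p, X4 * (a - b) ** 2 % p   # = 4 X4 Z4 * ((X1X2 - Z1Z2)^2 : (X1Z2 - X2Z1)^2)

def ladder(k, x):
    """(Q1): x(P) -> x([k]P) by the Montgomery ladder.  Invariant R1 - R0 = P, so x(P) is always
    the xADD difference.  Teaching code: the swap is a branch, not a constant-time masked swap."""
    X0, Z0, X1, Z1 = 1, 0, x % p, 1      # R0 = O = (1:0), R1 = P
    for i in reversed(range(256)):       # fixed trip count; every scalar used here is < 2^256
        bit = (k >> i) & 1
        if bit:
            X0, Z0, X1, Z1 = X1, Z1, X0, Z0
        X1, Z1 = xadd(X0, Z0, X1, Z1, x, 1)
        X0, Z0 = xdbl(X0, Z0)
        if bit:
            X0, Z0, X1, Z1 = X1, Z1, X0, Z0
    return X0, Z0

def biquadratic(T0, T1):
    """B00, B10, B11 of slide 47 for T0 = (X1:Z1), T1 = (X2:Z2):
    X3X4 : (X3Z4 + X4Z3) : Z3Z4 = B00 : 2*B10 : B11 where x(T0 +- T1) = (X3:Z3), (X4:Z4)."""
    X1, Z1 = T0
    X2, Z2 = T1
    B00 = (X1 * X2 - Z1 * Z2) ** 2 % p
    B10 = ((X1 * X2 + Z1 * Z2) * (X1 * Z2 + X2 * Z1) + 2 * A * X1 * X2 * Z1 * Z2) % p
    B11 = (X1 * Z2 - X2 * Z1) ** 2 % p
    return B00, B10, B11

def is_sum_or_diff(R, T0, T1):
    """(Q2) as a membership test: x(R) in {x(T0 + T1), x(T0 - T1)} iff x(R) is a root of
    B11 X^2 - 2 B10 XZ + B00 Z^2 (slide 49).  No y-coordinate and no square root needed."""
    XR, ZR = R
    B00, B10, B11 = biquadratic(T0, T1)
    return (B11 * XR * XR - 2 * B10 * XR * ZR + B00 * ZR * ZR) % p == 0

def affine(X, Z):
    """(X:Z) -> X/Z.  The identity (1:0) maps to 0; x([r]P) with r != 0 mod N never hits it."""
    return X * pow(Z, p - 2, p) % p

def hash_int(*parts):
    """H instantiated as SHA-512 (assumed choice), read as a little-endian integer."""
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def keygen(seed):
    """Clamped secret scalar d1 (slide 40) and nonce key d2 from a 32-byte seed.  The public key
    is the DH key x([d1]P), so one key pair serves DH and qDSA (slide 41)."""
    h = hashlib.sha512(seed).digest()
    d1 = int.from_bytes(h[:32], "little")
    d1 = (d1 & ((1 << 254) - 8)) | (1 << 254)          # clear bits 0-2 and 254-255, set bit 254
    pk = affine(*ladder(d1, X_BASE)).to_bytes(32, "little")
    return d1, h[32:], pk

def sign(seed, msg, extra=b""):
    """qDSA sign: nonce derived pseudo-randomly from the secret (slide 37 (2)), with optional extra
    randomness hashed in against faults on the ephemeral ladder (slide 39 (3)); the public key is
    part of the challenge (slide 37 (1)).  Returns the 64-byte signature x(R) || s."""
    d1, d2, pk = keygen(seed)
    r = hash_int(d2, extra, msg) % N
    xR = affine(*ladder(r, X_BASE)).to_bytes(32, "little")
    c = hash_int(xR, pk, msg) % N
    s = (r - c * d1) % N
    return xR + s.to_bytes(32, "little")

def verify(pk, msg, sig):
    """Verification of slide 50: c <- H(x(R) || x(Q) || M), x(T0) <- x([s]P), x(T1) <- x([c]Q),
    accept iff x(R) vanishes on B11 X^2 - 2 B10 XZ + B00 Z^2, i.e. x(R) in {x(T0 +- T1)}."""
    if len(sig) != 64 or len(pk) != 32:
        return False
    xR = int.from_bytes(sig[:32], "little")
    s = int.from_bytes(sig[32:], "little")
    if xR >= p or s >= N:                                # reject non-canonical encodings
        return False
    c = hash_int(sig[:32], pk, msg) % N
    T0 = ladder(s, X_BASE)
    T1 = ladder(c, int.from_bytes(pk, "little"))
    return is_sum_or_diff((xR, 1), T0, T1)
```

One property worth knowing before deploying an x-only check of this shape: the set {x([s]P ± [c]Q)} is unchanged when s is replaced by −s mod N, because [−s]P + [c]Q = −([s]P − [c]Q) and x ignores the sign. So for every valid (x(R), s) the pair (x(R), N − s) also verifies; the scheme as written on the slides is not strongly unforgeable, and an application that needs one canonical signature per message has to fix a convention for s (for instance, accept only the smaller of s and N − s).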

SLIDE 51

On the choice of model (g = 2)

Gaudry-Schost curve [GS12] over $\mathbb{F}_{2^{127}-1}$:
$$E/\mathbb{F}_{2^{127}-1} : y^2 = x^5 + 64408548613810695909971240431892164827\,x^4 + 76637216448498510246042731975843417626\,x^3 + 54735094972565041023366918099598639851\,x^2 + 9855732443590990513334918966847277222\,x + 81689052950067229064357938692912969725$$
and its "squared" Kummer surface [CC86]
$$K : 4E^2 \cdot xyzt = \big(x^2 + y^2 + z^2 + t^2 - F(xt + yz) - G(xz + yt) - H(xy + zt)\big)^2$$

SLIDE 52

Arithmetic on K

If $x(P) = (x_1 : y_1 : z_1 : t_1)$, $x(Q) = (x_2 : y_2 : z_2 : t_2)$, $x(P + Q) = (x_3 : y_3 : z_3 : t_3)$, $x(P - Q) = (x_4 : y_4 : z_4 : t_4)$, then [Gau07; Ber+14]

xADD:
$$\begin{aligned}
x_3 x_4 &= \nu \cdot \epsilon_1 \cdot (x' + y' + z' + t')^2, \\
y_3 y_4 &= \nu \cdot \epsilon_2 \cdot (x' + y' - z' - t')^2, \\
z_3 z_4 &= \nu \cdot \epsilon_3 \cdot (x' - y' + z' - t')^2, \\
t_3 t_4 &= \nu \cdot \epsilon_4 \cdot (x' - y' - z' + t')^2,
\end{aligned}$$
where
$$\begin{aligned}
x' &= \epsilon_1 \cdot (x_1 + y_1 + z_1 + t_1)(x_2 + y_2 + z_2 + t_2), \\
y' &= \epsilon_2 \cdot (x_1 + y_1 - z_1 - t_1)(x_2 + y_2 - z_2 - t_2), \\
z' &= \epsilon_3 \cdot (x_1 - y_1 + z_1 - t_1)(x_2 - y_2 + z_2 - t_2), \\
t' &= \epsilon_4 \cdot (x_1 - y_1 - z_1 + t_1)(x_2 - y_2 - z_2 + t_2).
\end{aligned}$$

SLIDE 53

Quadratic identities on K

These formulas give rise to an identity [Cos11]
$$\begin{pmatrix}
2x_3x_4 & * & * & * \\
\sigma(x, y) & 2y_3y_4 & * & * \\
\sigma(x, z) & \sigma(y, z) & 2z_3z_4 & * \\
\sigma(x, t) & \sigma(y, t) & \sigma(z, t) & 2t_3t_4
\end{pmatrix} = \nu \cdot \begin{pmatrix}
B_{00} & * & * & * \\
B_{10} & B_{11} & * & * \\
B_{20} & B_{21} & B_{22} & * \\
B_{30} & B_{31} & B_{32} & B_{33}
\end{pmatrix}$$
where $\sigma(a, b) = a_3 b_4 + a_4 b_3$.

Thus $(x_3 : y_3 : z_3 : t_3)$ and $(x_4 : y_4 : z_4 : t_4)$ are the unique solutions to
$$\begin{aligned}
B_{11} \cdot x^2 - 2 \cdot B_{10} \cdot xy + B_{00} \cdot y^2 &= 0, & B_{22} \cdot y^2 - 2 \cdot B_{21} \cdot yz + B_{11} \cdot z^2 &= 0, \\
B_{22} \cdot x^2 - 2 \cdot B_{20} \cdot xz + B_{00} \cdot z^2 &= 0, & B_{33} \cdot y^2 - 2 \cdot B_{31} \cdot yt + B_{11} \cdot t^2 &= 0, \\
B_{33} \cdot x^2 - 2 \cdot B_{30} \cdot xt + B_{00} \cdot t^2 &= 0, & B_{33} \cdot z^2 - 2 \cdot B_{32} \cdot zt + B_{22} \cdot t^2 &= 0.
\end{aligned}$$

SLIDE 56

Summarizing verification on K

Given a signature (x(R) || s) on M w.r.t. the public key x(Q):
(1) c ← H(x(R) || x(Q) || M)
(2) x(T0) ← x([s]P)
(3) x(T1) ← x([c]Q)
(4) Compute all B_IJ for x(T0) and x(T1)
(5) Check the 6 quadratic polynomial equations in x(R)

SLIDE 57

Efficiency of the B_IJ

Computing the B_IJ on K does not look great. We have [CC86] [Gau07]
$$K \xrightarrow{\;H\;} K^{\mathrm{Int}} \xrightarrow{\;C\;} K^{\mathrm{Gau}}$$

◮ The forms $B^{\mathrm{Gau}}_{IJ}$ on $K^{\mathrm{Gau}}$ are nice, but need extra constants
◮ Pulling back all the way via $H \circ C$ destroys the nice symmetry

Solution: pull back $B^{\mathrm{Gau}}_{IJ}$ via $C$, and evaluate at $H(x(P))$

SLIDE 61

Cost of computing biquadratic forms

g | Function | M | S | C
1 | Check | 8 | 3 | 1
1 | Ladder | 1 280 | 1 024 | 256
2 | Check | 76 | 8 | 88
2 | Ladder | 1 799 | 3 072 | 3 072

Table: Cost of the B_IJ check next to one full ladder, in field multiplications (M), squarings (S) and multiplications by constants (C)

SLIDE 62

Point compression

◮ Signatures (x(R) || s)
◮ Have K ⊂ P3, so x(R) = (x : y : z : t) = (x/t : y/t : z/t : 1) (if t ≠ 0). At first sight need 48 bytes to represent x(R)
◮ Compressing further seems to require solving a quartic
◮ But have a projection π : K → P2 as a double cover

SLIDE 64

Point compression

Take the four nodes $N_0, \ldots, N_3$ and an isomorphism sending
$$N_0 \mapsto (0 : 0 : 0 : 1), \quad N_1 \mapsto (0 : 0 : 1 : 0), \quad N_2 \mapsto (0 : 1 : 0 : 0), \quad N_3 \mapsto (1 : 0 : 0 : 0).$$
Then
$$\begin{aligned}
K : 4C \cdot xyzt = {}& r_1^2 (xy + zt)^2 + r_2^2 (xz + yt)^2 + r_3^2 (xt + yz)^2 \\
& - 2 r_1 s_1 \big((x^2 + y^2) zt + xy (z^2 + t^2)\big) \\
& - 2 r_2 s_2 \big((x^2 + z^2) yt + xz (y^2 + t^2)\big) \\
& - 2 r_3 s_3 \big((x^2 + t^2) yz + xt (y^2 + z^2)\big)
\end{aligned}$$
Quadratic in each of its variables! Projection away from $N_0$ is $\pi : (x : y : z : t) \mapsto (x : y : z)$, which we can represent in 32 bytes. Recovery means solving a quadratic, i.e. computing a square root.

SLIDE 68

Implementing the scheme

g | Ref. | Object | Function | CC | Stack
1 | This | Curve25519 | sign | 14 M | 512 B
1 | [NLD15] | Ed25519 | sign | 19 M | 1 473 B
1 | [Liu+17] | FourQ | sign | 5 M | 1 572 B
1 | This | Curve25519 | verify | 25 M | 644 B
1 | [NLD15] | Ed25519 | verify | 31 M | 1 226 B
1 | [Liu+17] | FourQ | verify | 11 M | 4 957 B
2 | This | GS | sign | 10 M | 417 B
2 | [Ren+16] | GS | sign | 10 M | 926 B
2 | This | GS | verify | 20 M | 609 B
2 | [Ren+16] | GS | verify | 16 M | 992 B

Table: AVR ATmega comparison (rounded). CC = cycle count in millions of cycles, Stack = stack usage in bytes, GS = the Gaudry-Schost Kummer surface

SLIDE 72

Thanks! Questions?

SLIDE 73

References

[Ber+14] Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange and Peter Schwabe. "Kummer Strikes Back: New DH Speed Records". In: Advances in Cryptology – ASIACRYPT 2014. Ed. by Palash Sarkar and Tetsu Iwata. Vol. 8873. LNCS. Springer, 2014, pp. 317–337. https://cryptojedi.org/papers/#kummer

[CC86] David V. Chudnovsky and Gregory V. Chudnovsky. "Sequences of numbers generated by addition in formal groups and new primality and factorization tests". In: Adv. in Appl. Math. 7 (1986), pp. 385–434.

[Cos11] Romain Cosset. "Applications des fonctions theta à la cryptographie sur les courbes hyperelliptiques". PhD thesis. Université Henri Poincaré - Nancy I, 2011. https://tel.archives-ouvertes.fr/tel-00642951/file/main.pdf

[Gau07] Pierrick Gaudry. "Fast genus 2 arithmetic based on Theta functions". In: J. Mathematical Cryptology 1.3 (2007), pp. 243–265. https://eprint.iacr.org/2005/314/

[GS12] Pierrick Gaudry and Eric Schost. "Genus 2 point counting over prime fields". In: J. Symb. Comput. 47.4 (2012), pp. 368–400. doi: 10.1016/j.jsc.2011.09.003. http://dx.doi.org/10.1016/j.jsc.2011.09.003

[Liu+17] Zhe Liu, Patrick Longa, Geovandro Pereira, Oscar Reparaz and Hwajeong Seo. "FourQ on embedded devices with strong countermeasures against side-channel attacks". Cryptology ePrint Archive, Report 2017/434. 2017. http://eprint.iacr.org/2017/434

[NLD15] Erick Nascimento, Julio López and Ricardo Dahab. "Efficient and Secure Elliptic Curve Cryptography for 8-bit AVR Microcontrollers". In: Security, Privacy, and Applied Cryptography Engineering. Ed. by Rajat Subhra Chakraborty, Peter Schwabe and Jon Solworth. Vol. 9354. LNCS. Springer, 2015, pp. 289–309.

[Ren+16] Joost Renes, Peter Schwabe, Benjamin Smith and Lejla Batina. "µKummer: Efficient Hyperelliptic Signatures and Key Exchange on Microcontrollers". In: Cryptographic Hardware and Embedded Systems – CHES 2016, 18th International Conference, Santa Barbara, CA, USA, August 17–19, 2016, Proceedings. 2016, pp. 301–320. doi: 10.1007/978-3-662-53140-2_15. http://dx.doi.org/10.1007/978-3-662-53140-2_15

[Sch89] Claus-Peter Schnorr. "Efficient Identification and Signatures for Smart Cards". In: Advances in Cryptology – CRYPTO '89. Ed. by Gilles Brassard. Vol. 435. LNCS. Springer, 1989, pp. 239–252.