batch verification of ecdsa signatures africacrypt … ecdsa algorithm a naive algorithm for ecdsa...

IntroductionECDSA Algorithm

A Naive Algorithm for ECDSA Batch VerificationA New Batch-verification Algorithm for ECDSA (S1)

A More Efficient Batch-verification Algorithm (S2)Efficient Variants of S1 and S2

Experimental ResultsConclusionReferences

Batch Verification of ECDSA SignaturesAfricaCrypt 2012Ifrane, Morocco

Sabyasachi Karati

Department of Computer Science and EngineeringIndian Institute of Technology

Kharagpur, West Bengal, India.

Sabyasachi Karati Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco





Outline

IntroductionBatch Verification

ECDSA AlgorithmECDSA Parameters

A Naive Algorithm for ECDSA Batch Verification

A New Batch-verification Algorithm for ECDSA (S1)Solving the Multivariate EquationsA Strategy for Faster Equation GenerationRetrieving the Unknown y -coordinatesAnalysis of Algorithm S1

A More Efficient Batch-verification Algorithm (S2)Analysis of Algorithm S2

Efficient Variants of S1 and S2Algorithm S1′

Algorithm S2′

Experimental Results

Conclusion

References






Batch Verification

Digital Signature

I The term Digital Signature was coined by Diffie and Hellman (1976).

I RSA was introduced at 1978.

I Digital Signature helps us to achieve both Source Authenticationand Data Integrity.

I Digital Signature algorithms based on two popular pubic-keyalgorithms:

I RSA signature scheme: based on the difficulty of factoring largecomposite integers.

I ElGamal signature scheme: based on discrete logarithms problem.






Batch Verification

Digital Signature

I Standards on ElGamal scheme:I The digital signature algorithm (DSA).I The elliptic curve digital signature algorithm (ECDSA).

I Verification an ElGamal-like signature needs at least 2 finite-fieldexponentiations (for DSA) or 2 elliptic-curve scalar multiplications(for ECDSA).






Batch Verification

Batch Verification

I Batch verification is used to verify multiple digital signatures in timeless than total individual verification time.

I Introduced by Naccache et. al. in EuroCrypt’94.

I Harn, in 1998, proposes an efficient scheme for the batch verificationof RSA signatures.

I These protocols are not directly applicable to ECDSA signatures.

I ECDSA requires smaller key and signature sizes than DSA and RSA.

I ECDSA*, a modification of ECDSA, permits an easy adaptation ofNaccache’s method.

I Cheon and Yi report speedup up to 7 for same signer and 4 fordifferent signers for batch verification of ECDSA* signatures.






Batch Verification

Batch Verification

I ECDSA* is unacceptable protocol because of the following reasons:I Yet not accepted as a standard.I Not applicable where interoperability is of concern.

I Batch verification of original ECDSA signatures turns out to be apractically important open research problem.

I The proposed algorithms are based upon symbolic manipulation onelliptic-curve points.






Batch Verification

Summary

I Several algorithms for batch verification of ECDSA signatures areproposed.

I One of them is based upon the naive idea of taking square roots inthe underlying field

I We propose two other algorithms which replace square-rootcomputations by symbolic manipulations to achieve better speedup.

I Maximum speedup is obtained above 6 for small (6 8) batch sizesand same signer.






ECDSA Parameters

ECDSA Parameters

I ECDSA Parameters:

q = Order of the prime field Fq.

E = An elliptic curve y 2 = x3 + ax + b defined over the prime field Fq.

P = A random non-zero base point in E (Fq).

n = The order of P, typically a prime.

h = The cofactor |E (Fq)|/n.

I Assumptions:I h = 1.I E(Fq) is a cyclic group.I P is a generator of E(Fq).I The x-coordinates of a few points on E has two representatives

modulo n.






ECDSA Parameters

ECDSA Key-pair Generation

I Private key d ∈ (1, n − 1).

I Public key Q = dP.






ECDSA Parameters

ECDSA Algorithms

I Generation of ECDSA signature (r , s) on a message M.

1. k = A randomly chosen element in the range [1, n − 1] (the sessionkey).

2. R = kP.3. r = x(R) (the x-coordinate of R) reduced modulo n.4. s = k−1(H(M) + dr)(mod n) (where H is a cryptographic hash

function like SHA-1).

I Verification of ECDSA signature (r , s) on a message M.

1. w = s−1 (mod n).2. u = H(M)w (mod n).3. v = rw (mod n).4. R = uP + vQ.5. Accept the signature if and only if x(R) = r (mod n).






A Naive Algorithm for ECDSA Batch Verification

I For t signed messages (Mi , ri , si ), i = 1, 2, . . . , t, we have

t∑i=1

Ri =

(t∑

i=1

ui

)P +

t∑i=1

viQi . (1)

If all the signatures belong to the same signer, we haveQ1 = Q2 = · · · = Qt = Q (say), and the last equation simplifies to:

t∑i=1

Ri =

(t∑

i=1

ui

)P +

(t∑

i=1

vi

)Q. (2)

I Reduces the number of scalar multiplications from 2t to an integerin the interval [2, t + 1].

I x-coordinates of Ri are known.I Two y -coordinates corresponding to a given x-coordinate.I Usually 2t choices of the square roots.






ECDSA Batch Verification Algorithm N

1. Compute wi = s−1i (mod n) for all i = 1, 2, . . . , t.

2. Compute ui = H(Mi )wi (mod n) for all i = 1, 2, . . . , t.3. Compute vi = riwi (mod n) for all i = 1, 2, . . . , t.4. Compute R ′ = (

∑ti=1 ui )P +

∑ti=1 viQi ∈ E (Fq).

Club together the points Qi from same signers during thecomputation of R ′. For example, if all the signatures belong to thesame signer, compute R ′ as (

∑ti=1 ui )P + (

∑ti=1 vi )Q.

5. For each i = 1, 2, . . . , t, if r 3i + ari + b is neither zero nor a quadratic

residue modulo q, reject the i-th signature, and remove it from thebatch.

6. For i = 1, . . . , t, compute the square roots of r 3i + ari + b modulo q.

7. For each square root yi of r 3i + ari + b for all i = 1, 2, . . . , t,if

R ′ =∑t

i=1(ri , yi ), accept all the signatures.8. Reject all the signatures.






ECDSA Batch Verification Algorithm N′

I A single extra bit of information in an ECDSA signature can removethe ambiguity.

I Avoid the Θ(2t) overhead.

I This updated (and efficient) version of the naive algorithm willhenceforth be denoted by Algorithm N′.






Solving the Multivariate EquationsA Strategy for Faster Equation GenerationRetrieving the Unknown y-coordinatesAnalysis of Algorithm S1

Symbolic Computation of R =t∑

i=1

Ri

I Let Ri = (xi , yi ), where xi = ri or xi = ri + n.I xi = ri + n has a very low probability. So we assume xi = ri .I

y 2i = r 3

i + ari + b (mod q) (3)

for all i = 1, 2, . . . , t.I Elliptic Curve Point Addition rule:

I Let P1 = (h1, k1) and P2 = (h2, k2), and P1,P2 6= 0 and P1 6= ±P2.I P1 + P2 = (h, k) on E computed as follows:

λ = (k2 − k1)/(h2 − h1), (4)

h = λ2 − h1 − h2, (5)

k = λ(h1 − h)− k1. (6)








i=1

Ri

I Apply addition formula repeatedly.I R =

∑ti=1 Ri :

R =

(gx(y1, y2, . . . , yt)

hx(y1, y2, . . . , yt),

gy (y1, y2, . . . , yt)

hy (y1, y2, . . . , yt)

), (7)

I gx , gy , hx , hy are polynomials in Fq[y1, y2, . . . , yt ].I In view of Eqn (3), yi -degrees 6 1 for all i = 1, 2, . . . , t.I The denominator hx(y) = u(y2, y3, . . . , yt)y1 + v(y2, y3, . . . , yt).I Multiplying both gx and hx by u(y2, y3, . . . , yt)y1 − v(y2, y3, . . . , yt)

and use Eqn (3).I This eliminates y1 from the denominator.I Repeat this method successively to eliminate y2, y3, . . . , yt .








i=1

Ri

I Represent the point R as a pair of polynomial expressions:

R = (Rx(y1, y2, . . . , yt),Ry (y1, y2, . . . , yt)) (8)

I Polynomials Rx and Ry linear individually with respect to all yi .I Using Eqn (1) or Eqn (2), we compute R as

R = (α, β)

for some α, β ∈ Fq.I

Rx(y1, y2, . . . , yt) = α, (9)

Ry (y1, y2, . . . , yt) = β. (10)







Solving the Multivariate Equations

I We treat Eqns (9) and (10) as linear equations in the monomials yi ,yiyj , yiyjyk .

I m = 2t .I Total number of such monomials is µ = 2t−1 − 1 = m

2 − 1 in Rx orRy .

I Rename these monomials as z1, z2, . . . , zµ.I Rewrite Eqn (9) as

ρ1,1z1 + ρ1,2z2 + · · ·+ ρ1,µzµ = α1. (11)

I Repeatedly square both sides of this equation and use Eqn (3) toeliminate all squares of variables.

I We generate a total of µ linear equations.I If the system is not of full rank, use of Eqn (10).







A Strategy for Faster Equation Generation

I Letρ1z1 + ρ2z2 + · · ·+ ρµzµ = γ (12)

I Let f (z1, z2, . . . , zµ) be any Fq-linear combination of the monomialsz1, z2, . . . , zµ.

I

(ρ1z1 + ρ2z2 + · · ·+ ρµzµ)f (z1, z2, . . . , zµ) = γf (z1, z2, . . . , zµ)

and use Eqn (3).

I This again yields a linear equation in z1, z2, . . . , zµ.

I Choice f (z1, z2, . . . , zµ) = zi with a small degree of zi typically leadsto a faster generation full-rank system.

I Only Rx suffices to generate a uniquely solvable linearized system.







Retrieving the Unknown y -coordinates

I The final step is the determination of the y -coordinates yi of thepoints Ri .

I Solving the multivariate linear system for monomials.

I Use Ry [Eqn (10)] to retrieve all the unknown y -coordinates.

I We accept all the signatures if and only x(R(1)) = x(R(2)) ify 2i = r 3

i + ari + b (mod q) for all i = 1, 2, . . . , t.







Example of linearized system where t = 3

∣∣∣∣∣∣ρ1,1 ρ2,1 ρ3,1

ρ1,2 ρ2,2 ρ3,2

ρ1,3 ρ2,3 ρ3,3

∣∣∣∣∣∣∣∣∣∣∣∣

z1

z2

z3

∣∣∣∣∣∣ =

∣∣∣∣∣∣γ1

γ2

γ3

∣∣∣∣∣∣







Analysis of Algorithm S1

1. Running Time: The running time = Θ(m3) field operations.Algorithm S1 becomes impractical for bigger values of t.

2. Unique Solvability of the Linearized System:I The µ× µ system Mz = b is uniquely solvable if

det M = D(r1, r2, . . . , rt) 6= 0, where r1, r2, . . . , rt are symbols.I Assume, D is not identically zero.I δ = maximum degree of each individual ri in D.

I δ 6“

22t+3dlog2 te+2 + 3”“

22t−1−1 − 1”≈ 22t−1+2t+3dlog2 te+1.

I Maximum number of roots of D ≤ tδqt−1 and total number oft-tuples (r1, r2, . . . , rt) over Fq is qt .

I Pr[A randomly chosen tuple (r1, r2, . . . , rt) is a root of D]6 tδqt−1/qt = tδ/q.

I If t 6 6, δ 6 254 and q > 2160, Pr ≤ 2−103.

3. Security Analysis: We have proved that Algorithm S1 is as secureas ECDSA* batch verification.







Algorithm S2

I It was designed in order to avoid the linearization stage (O(m2t)field operations) and the Gaussian-elimination stage of Algorithm S1.

I Determine each yi correctly up to multiplication by ±1.I Multivariate equation (linear in yi ) can be written as uyi + v = 0

(where u, v are polynomials in y1, . . . , yi−1, yi+1, . . . , yt).I Multiplying this equation by uyi − v so that ±yi satisfy

u2y 2i − v 2 = u2

i (r 3i + ari + b)− v 2

i = 0 [∵ y 2i = r 3

i + ari + b].I Like Algorithm S1, symbolically compute R =

∑ti=1 Ri = (Rx ,Ry )

to arrive the multivariate equation Rx − α = 0.I First eliminate y1, and use substitution given by Eqn (3) for

i = 2, 3, . . . , t to arrive at a linear multivariate equation iny2, y3, . . . , yt .

I Eliminate yi for i = 2, 3, . . . , t, using the same method.I If the polynomial reduces to zero, accepts all the signatures.








1. Running Time: The time complexity of Algorithm S2 is O(mt2)field operations, which is significantly better than the O(m3)operations needed by Algorithm S1. Moreover, Algorithm S2outperforms Algorithm N for a wide range of t and q.

2. Security Analysis: It was proved that Algorithm S2 is as secure asECDSA* batch verification.






Algorithm S1′Algorithm S2′

Efficient Variants of S1 and S2

I In Algorithm S1, the costliest steps are generating and solving thesystem of linearized equations, which needs Θ(m3) field operations.

I In Algorithm S2, the symbolic computation of R = (Rx ,Ry ) is themost time-consuming step(Θ(mt2) field operations).

I The elimination phase of S2 also needs Θ(mt2) operations.I Strategy to reduce the number of monomials in Algorithms S1 and

S2:I Let R =

Pti=1 Ri , R ′ = (α, β) and τ = dt/2e.

I Symbolically compute the two sums: R(1) =Pτ

i=1 Ri and

R(2) = R ′ −Pt

i=τ+1 Ri .I R(1) and R(2) contain only Θ(2τ ) =

√m) non-zero terms which need

Θ(2ττ 2) to compute.I Θ(

√mt2) field operations which is significantly smaller than the

Θ(mt2) operations.I The condition R = R ′ is equivalent to R(1) = R(2).







Algorithm S1′

I Replace the equations Rx = α and Ry = β by the two equationsx(R(1)) = x(R(2)) and y(R(1)) = y(R(2)), in Algorithm S1.

I The number of non-zero terms in x(R(1)) and y(R(1)) is 2τ−1 =√

m2 .

I Because of presence of R ′ = (α, β) on the right side of theexpression for R(2), x(R(2)) and y(R(2)) contain all (square-free)monomials in yτ+1, yτ+2, . . . , yt (both even and odd degrees).

I There are exactly 2bt/2c − 1 6√

m − 1 monomials.I There are only the even-degree monomials in y1, y2, . . . , yτ and all

monomials in yτ+1, yτ+2, . . . , yt .I keep on squaring the equation x(R(1)) = x(R(2)) (and y(R(1)) =

y(R(2))) to obtain a full-rank system of Θ(√

m) linearized variables.I Solving the system needs Θ(m3/2) field operations.I Call this efficient variant of S1 as S1′.I The security is same as S1.







Algorithm S2′

I Replace the starting equation φ = Rx − α of Algorithm S2′ with

φ = x(R(1))− x(R(2)). (13)

I Then repeatedly eliminate y1, y2, . . . , yt .

I Initial expression of φ contains much less number of monomials thanin the original Algorithm S2.

I Elimination of y1 makes φ almost full through introduction of manynew monomials in φ.

I The theoretical running time of S2′, same as that of S2, is Θ(mt2)field operations.

I Still, the effects of our heuristic are clearly noticeable in practicalimplementations.

I Call this efficient variant of S2 as S2′.







I Implemented using the GP/PARI calculator.

I Choice of this implementation platform is dictated by

1. the symbolic-computation facilities.2. an easy user interface

I All experiments are carried out inI a 2.33 MHz Xeon server.I Mandriva Linux Version 2010.1.

I The GNU C compiler 4.4.3 is used for compiling the GP/PARIcalculator.







I The maximum speedup achieved is 6.20 in the case of same signer.

I The maximum speedup achieved is 1.70 in the case of differentsigners.

I Both these records are achieved by Algorithm S2′ for the curveP-521 and for the batch size t = 7.






Small curve P-192 and Same signer






Small curve P-192 and Different signers






Large curve P-521 and Same signer






Large curve P-521 and and Different signers






Conclusion

There are several ways to extend our study, some of which are listedbelow.

I We described a way to reduce the running time of thesymbolic-addition phase of Algorithm S2 from O(mt2) to O(

√mt2).

An analogous speedup for the elimination phase would be veryuseful.

I Our best symbolic-computation algorithm runs in O(mt2) time.Removal of a factor of t would be useful to achieve higher speedupvalues.

I It is of interest to study our algorithms in conjunction with theearlier works on ECDSA*.

I Our batch verification algorithms can be easily ported to othercurves (like the Koblitz and Pseudorandom families recommended byNIST).






References

I W. Diffie and M. Hellman, ‘New Directions in Cryptography’, IEEE Transactionson Information Theory, Vol. 22, 644–654, 1976.

I R. L. Rivest, A. Shamir and L. Adleman, ‘A method for obtaining digitalsignatures and pubic-key cryptosystem’, Communications of the ACM, Vol. 2,120–126, 1978.

I T. ElGamal, ‘A public-key cryptosystem and a signature scheme based ondiscrete logarithms’, IEEE Transactions on Information Theory, Vol. 31,469–472, 1985.

I NIST, ‘Digital Signature Standard (DSS)’,http://csrc.nist.gov/publications/drafts/fips 186-3/Draft-FIPS-186-3%20March2006.pdf, 2006.

I ANSI, ‘Public Key Cryptography for the Financial Services Industry: The EllipticCurve Digital Signature Algorithm (ECDSA)’, ANSI X9.62, approved January 7,1999.

I D. Johnson and A. Menezes, ‘The Elliptic Curve Digital Signature Algorithm(ECDSA)’, International Journal on Information Security, Vol. 1, 36–63, 2001.






References

I D. Naccache, D. M’Raihi, D. Rapheali and S. Vaudenay, ‘Can D.S.A. beimproved: Complexity trade-offs with the digital signature standard’,EuroCrypt’94, LNCS Vol. 950, 77–85, 1994.

I L. Harn, ‘Batch verifying multiple RSA digital signatures’, Electronics Letters,Vol. 34, No. 12, 1219–1220, 1998.

I M.-S. Hwang, I.-C. Lin, K.-F. Hwang, ‘Cryptanalysis of the Batch VerifyingMultiple RSA Digital Signatures’, Informatica, 2000, Vol. 11, No. 1, 15–19,2000.

I A. Antipa, D. Brown, R. Gallant, R. Lambert, R. Struik, and S. Vanstone,‘Accelerated verification of ECDSA signatures’, SAC 2005, LNCS Vol. 3897,307–318, 2006.

I J. H. Cheon and J. H. Yi, ‘Fast batch verification of multiple signatures’, PKC2007, LNCS Vol. 4450, 442–457, 2007.

I A. Das, D. Roy Choudhury, D. Bhattacharya, S. Rajavelu, R. Shorey and T.Thomas, ‘Authentication schemes for VANETs: A survey’, International Journalof Vehicle Information and Communication Systems, in press.






References

I NIST, ‘Recommended elliptic curves for federal government use’,http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf, July1999.

I NIST, ‘Secure Hash Standard (SHS)’, http://csrc.nist.gov/publications/drafts/fips 180-3/draft fips-180-3 June-08-2007.pdf,2007.

I PARI Group, ‘PARI/GP Development Headquarters’, http://pari.math.u-bordeaux.fr/,2003–2008.






Thank You!


batch verification of ecdsa signatures africacrypt … ecdsa algorithm a naive algorithm for ecdsa...

Documents