qdsa: small and secure digital signatures with curve-based … · 2017. 11. 17. · qdsa: small and...
TRANSCRIPT
qDSA: Small and Secure Digital Signatures withCurve-based Diffie-Hellman Key Pairs
Joost Renes1 Benjamin Smith2
1Radboud University
2INRIA and Laboratoire d’Informatique de l’Ecole polytechnique
15 November 2017
15 November 2017 1 / 24
Curve-based crypto
DH EdDSA
XEdDSAqDSA
Q1,Q2x1,Q2x1, x2
15 November 2017 2 / 24
Curve-based crypto
DH EdDSA
XEdDSAqDSA
Q1,Q2
x1,Q2x1, x2
15 November 2017 2 / 24
Curve-based crypto
DH EdDSA
XEdDSAqDSA
Q1,Q2
x1,Q2
x1, x2
15 November 2017 2 / 24
Curve-based crypto
DH
EdDSA
XEdDSA
qDSA
Q1,Q2x1,Q2
x1, x2
15 November 2017 2 / 24
Curve-based crypto
DH
EdDSAXEdDSA
qDSA
Q1,Q2x1,Q2
x1, x2
15 November 2017 2 / 24
Curve-based crypto
DH
EdDSAXEdDSA
qDSA
Q1,Q2x1,Q2
x1, x2
15 November 2017 2 / 24
Outline
(1) Quotient operations
(2) The qDSA scheme
(3) Instantiating with the x-line
(4) Instantiating with Kummer surfaces
15 November 2017 3 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P}
{[λ]P,−[λ]P}
x([λ]P)(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)
(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)
(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)
(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)
(x(P), x(Q))
{{P,−P}, {Q,−Q}}
{±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)
(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)
(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)
(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Operations on quotient groups
G G
G/± 1 G/± 1
x(P)
{P,−P} {[λ]P,−[λ]P}
x([λ]P)(x(P), x(Q))
{{P,−P}, {Q,−Q}} {±(P ± Q)}
{x(P ± Q)}
Operations G → G
(G1) P 7→ [λ]P
(G2) (P,Q) 7→ P + Q
Operations G/± 1→ G/± 1
(Q1) x(P) 7→ x([λ]P)
(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}
15 November 2017 4 / 24
Schnorr signatures
Starting point: Schnorr signatures [Sch89]
(1) Schnorr identification scheme (group-based)
(2) Apply Fiat-Shamir to make it non-interactive
(3) Include message to create a signature scheme
15 November 2017 5 / 24
Schnorr signatures
Starting point: Schnorr signatures [Sch89]
(1) Schnorr identification scheme (group-based)
(2) Apply Fiat-Shamir to make it non-interactive
(3) Include message to create a signature scheme
15 November 2017 5 / 24
Schnorr identification on the quotient (qID)
Prover(P,Q, α) Comm. Verifier(P,Q)
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(P,Q, α) Comm. Verifier(P,Q)
r ←R Z∗N
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(P,Q, α) Comm. Verifier(P,Q)
r ←R Z∗N
R ← [r ]P R
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(P,Q, α) Comm. Verifier(P,Q)
r ←R Z∗N
R ← [r ]P R
c c ←R ZN
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(P,Q, α) Comm. Verifier(P,Q)
r ←R Z∗N
R ← [r ]P R
c c ←R ZN
s ← (r − c · α) mod N s
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(P,Q, α) Comm. Verifier(P,Q)
r ←R Z∗N
R ← [r ]P R
c c ←R ZN
s ← (r − c · α) mod N s
R?= [s]P + [c]Q
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(x(P), x(Q), α) Comm. Verifier(x(P), x(Q))
r ←R Z∗N
R ← [r ]P R
c c ←R ZN
s ← (r − c · α) mod N s
R?= [s]P + [c]Q
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(x(P), x(Q), α) Comm. Verifier(x(P), x(Q))
r ←R Z∗N
x(R)← x([r ]P) x(R)
c c ←R ZN
s ← (r − c · α) mod N s
R?= [s]P + [c]Q
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(x(P), x(Q), α) Comm. Verifier(x(P), x(Q))
r ←R Z∗N
x(R)← x([r ]P) x(R)
c c ←R ZN
s ← (r − c · α) mod N s
R?= [s]P + [c]Q
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(x(P), x(Q), α) Comm. Verifier(x(P), x(Q))
r ←R Z∗N
x(R)← x([r ]P) x(R)
c c ←R ZN
s ← (r − c · α) mod N s
x(R)?∈ {x([s]P ± [c]Q)}
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
Schnorr identification on the quotient (qID)
Prover(x(P), x(Q), α) Comm. Verifier(x(P), x(Q))
r ←R Z∗N
x(R)← x([r ]P) x(R)
c c ←R Z+N
s ← (r − c · α) mod N s
x(R)?∈ {x([s]P ± [c]Q)}
Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!
15 November 2017 6 / 24
qSIG and qDSA
(1) Include the public key in the challenge
(2) Generate ephemeral secret r pseudo-randomly
=⇒Fiat-Shamir
=⇒
qID(Schn. ID)
qSIG(Schn. sig.)
qDSA(EdDSA)
Add countermeasures against side-channel attacks
(3) Fault attacks on ephemeral scalar multiplication
I Add randomness into hash for nonce generation
(4) Fault attacks on base point (Mehdi’s talk on Monday)
I Clamp, or add a small cofactor into the computation
I Verify correctness of base point
15 November 2017 7 / 24
qSIG and qDSA
(1) Include the public key in the challenge
(2) Generate ephemeral secret r pseudo-randomly
=⇒Fiat-Shamir
=⇒qID(Schn. ID)
qSIG(Schn. sig.)
qDSA(EdDSA)
Add countermeasures against side-channel attacks
(3) Fault attacks on ephemeral scalar multiplication
I Add randomness into hash for nonce generation
(4) Fault attacks on base point (Mehdi’s talk on Monday)
I Clamp, or add a small cofactor into the computation
I Verify correctness of base point
15 November 2017 7 / 24
qSIG and qDSA
(1) Include the public key in the challenge
(2) Generate ephemeral secret r pseudo-randomly
=⇒Fiat-Shamir
=⇒qID(Schn. ID)
qSIG(Schn. sig.)
qDSA(EdDSA)
Add countermeasures against side-channel attacks
(3) Fault attacks on ephemeral scalar multiplication
I Add randomness into hash for nonce generation
(4) Fault attacks on base point (Mehdi’s talk on Monday)
I Clamp, or add a small cofactor into the computation
I Verify correctness of base point
15 November 2017 7 / 24
qSIG and qDSA
(1) Include the public key in the challenge
(2) Generate ephemeral secret r pseudo-randomly
=⇒Fiat-Shamir
=⇒qID(Schn. ID)
qSIG(Schn. sig.)
qDSA(EdDSA)
Add countermeasures against side-channel attacks
(3) Fault attacks on ephemeral scalar multiplication
I Add randomness into hash for nonce generation
(4) Fault attacks on base point (Mehdi’s talk on Monday)
I Clamp, or add a small cofactor into the computation
I Verify correctness of base point
15 November 2017 7 / 24
qSIG and qDSA
(1) Include the public key in the challenge
(2) Generate ephemeral secret r pseudo-randomly
=⇒Fiat-Shamir
=⇒qID(Schn. ID)
qSIG(Schn. sig.)
qDSA(EdDSA)
Add countermeasures against side-channel attacks
(3) Fault attacks on ephemeral scalar multiplication
I Add randomness into hash for nonce generation
(4) Fault attacks on base point (Mehdi’s talk on Monday)
I Clamp, or add a small cofactor into the computation
I Verify correctness of base point
15 November 2017 7 / 24
Additional remarks
(1) Security reduction. Similar to original Schnorr ID scheme
(2) Unified keys. Identical key pairs for DH and qDSA
(3) Key and signatures sizes. 32-byte keys, 64-byte signatures(requires work in genus 2!)
(4) Verification. Two-dimensional scalar multiplicationalgorithms not available & no batching
15 November 2017 8 / 24
Back to curves
Here, G the Jacobian group of a hyperelliptic curve of genus g
I Elliptic curves for g = 1, have J /±1 = P1
I Hyperelliptic curves with g = 2, have J /±1 = K
I For g ≥ 3 does not scale well (index calculus)
Need to define
(1) x(P) 7→ x([λ]P) (usual way via Montgomery ladder)
(2) {x(P), x(Q)} 7→ {x(P + Q), x(P − Q)}
(3) For any x(P), a 32-byte representation of x(P)
15 November 2017 9 / 24
Back to curves
Here, G the Jacobian group of a hyperelliptic curve of genus g
I Elliptic curves for g = 1, have J /±1 = P1
I Hyperelliptic curves with g = 2, have J /±1 = K
I For g ≥ 3 does not scale well (index calculus)
Need to define
(1) x(P) 7→ x([λ]P) (usual way via Montgomery ladder)
(2) {x(P), x(Q)} 7→ {x(P + Q), x(P − Q)}
(3) For any x(P), a 32-byte representation of x(P)
15 November 2017 9 / 24
On the choice of model (g = 1)
For elliptic curves common choice of Montgomery model
E/Fp : By2 = x3 + Ax2 + x
We obtain Curve25519 by defining
p = 2255 − 19 , A = 486662 , B = 1
15 November 2017 10 / 24
Arithmetic on P1
If
x(P) = (X1 : Z1) , x(P + Q) = (X3 : Z3) ,
x(Q) = (X2 : Z2) , x(P − Q) = (X4 : Z4) ,
then
xADD :X3X4 = λ · (X1X2 − Z1Z2)2 ,
Z3Z4 = λ · (X1Z2 − X2Z1)2 ,
xDBL :X3 = µ ·
(X 2 − Z 2
)2,
Z3 = µ · 4XZ(X 2 + AXZ + Z 2
)
15 November 2017 11 / 24
Arithmetic on P1
If
x(P) = (X1 : Z1) , x(P + Q) = (X3 : Z3) ,
x(Q) = (X2 : Z2) , x(P − Q) = (X4 : Z4) ,
then
xADD :X3X4 = λ · (X1X2 − Z1Z2)2 ,
Z3Z4 = λ · (X1Z2 − X2Z1)2 ,
xDBL :X3 = µ ·
(X 2 − Z 2
)2,
Z3 = µ · 4XZ(X 2 + AXZ + Z 2
)
15 November 2017 11 / 24
Biquadratic forms on P1
In fact, have
X3X4 = B00 , B00 = ν · (X1X2 − Z1Z2)2 ,
Z3Z4 = B11 , B11 = ν · (X1Z2 − X2Z1)2 ,
X3Z4 + X4Z3 = B10 , B10 = ν ·[
(X1Z2 − X2Z1) (X1Z2 + X2Z1)
+ 2AX1X2Z1Z2
],
ie. (X3X4 ∗
X3Z4 + X4Z3 Z3Z4
)= ν ·
(B00 ∗B10 B11
).
Thus (X3 : Z3) and (X4 : Z4) are the unique solutions to
B11X2 − 2 · B10XZ + B00Z
2 = 0
15 November 2017 12 / 24
Biquadratic forms on P1
In fact, have
X3X4 = B00 , B00 = ν · (X1X2 − Z1Z2)2 ,
Z3Z4 = B11 , B11 = ν · (X1Z2 − X2Z1)2 ,
X3Z4 + X4Z3 = B10 , B10 = ν ·[
(X1Z2 − X2Z1) (X1Z2 + X2Z1)
+ 2AX1X2Z1Z2
],
ie. (X3X4 ∗
X3Z4 + X4Z3 Z3Z4
)= ν ·
(B00 ∗B10 B11
).
Thus (X3 : Z3) and (X4 : Z4) are the unique solutions to
B11X2 − 2 · B10XZ + B00Z
2 = 0
15 November 2017 12 / 24
Biquadratic forms on P1
In fact, have
X3X4 = B00 , B00 = ν · (X1X2 − Z1Z2)2 ,
Z3Z4 = B11 , B11 = ν · (X1Z2 − X2Z1)2 ,
X3Z4 + X4Z3 = B10 , B10 = ν ·[
(X1Z2 − X2Z1) (X1Z2 + X2Z1)
+ 2AX1X2Z1Z2
],
ie. (X3X4 ∗
X3Z4 + X4Z3 Z3Z4
)= ν ·
(B00 ∗B10 B11
).
Thus (X3 : Z3) and (X4 : Z4) are the unique solutions to
B11X2 − 2 · B10XZ + B00Z
2 = 0
15 November 2017 12 / 24
Summarizing verification on P1
Given a signature (x(R) || s) on M w.r.t. x(Q)
(1) c ← H(x(R) || M)
(2) x(T0)← x([s]P)
(3) x(T1)← x([c]Q)
(4) Compute all B00,B10,B11 for x(T0) and x(T1)
(5) Check that x(R) vanishes on
B11 · X 2 − 2 · B10 · XZ + B00 · Z 2
(ie. x(R) ∈ {x(T0 + T1), x(T0 − T1)})
15 November 2017 13 / 24
On the choice of model (g = 2)
Gaudry-Schost curve [GS12]
E/F2127−1 :y2 = x5
+ 64408548613810695909971240431892164827 · x4
+ 76637216448498510246042731975843417626 · x3
+ 54735094972565041023366918099598639851 · x2
+ 9855732443590990513334918966847277222 · x+ 81689052950067229064357938692912969725
and its “squared” Kummer surface [CC86]
K : 4E 2 · xyzt =
(x2 + y2 + z2 + t2 − F (xt + yz)−G (xz + yt)− H(xy + zt)
)
15 November 2017 14 / 24
Arithmetic on KIf
x(P) = (x1 : y1 : z1 : t1) , x(P + Q) = (x3 : y3 : z3 : t3) ,
x(Q) = (x2 : y2 : z2 : t2) , x(P − Q) = (x4 : y4 : z4 : t4) ,
then [Gau07; Ber+14]
xADD :
x3x4 = ν · ε1 · (x ′ + y ′ + z ′ + t ′)2 ,
y3y4 = ν · ε2 · (x ′ + y ′ − z ′ − t ′)2 ,
z3z4 = ν · ε3 · (x ′ − y ′ + z ′ − t ′)2 ,
t3t4 = ν · ε4 · (x ′ − y ′ − z ′ + t ′)2 , where
x ′ = ε1 · (x1 + y1 + z1 + t1) · (x2 + y2 + z2 + t2)y ′ = ε2 · (x1 + y1 − z1 − t1) · (x2 + y2 − z2 − t2)z ′ = ε3 · (x1 − y1 + z1 − t1) · (x2 − y2 + z2 − t2)t ′ = ε4 · (x1 − y1 − z1 + t1) · (x2 − y2 − z2 + t2)
15 November 2017 15 / 24
Quadratic identities on KThese formulas give rise to an identity [Cos11]
2x3x4 ∗ ∗ ∗∗ 2y3y4 ∗ ∗∗ ∗ 2z3z4 ∗∗ ∗ ∗ 2t3t4
= ν ·
B00 ∗ ∗ ∗∗ B11 ∗ ∗∗ ∗ B22 ∗∗ ∗ ∗ B33
where σ(a, b) = a3b4 + a4b3. Thus
(x3 : y3 : z3 : t3) , (x4 : y4 : z4 : t4)
are the unique solutions to
B11 · x2 − 2 · B10 · xy + B00 · y2 = 0 ,
B22 · x2 − 2 · B20 · xz + B00 · z2 = 0 ,
B33 · x2 − 2 · B30 · xt + B00 · t2 = 0 ,
B22 · y2 − 2 · B21 · yz + B11 · z2 = 0 ,
B33 · y2 − 2 · B31 · yt + B11 · t2 = 0 ,
B33 · z2 − 2 · B32 · zt + B22 · t2 = 0
15 November 2017 16 / 24
Quadratic identities on KThese formulas give rise to an identity [Cos11]
2x3x4 ∗ ∗ ∗σ(x , y) 2y3y4 ∗ ∗σ(x , z) σ(y , z) 2z3z4 ∗σ(x , t) σ(y , t) σ(z , t) 2t3t4
= ν ·
B00 ∗ ∗ ∗B10 B11 ∗ ∗B20 B21 B22 ∗B30 B31 B32 B33
where σ(a, b) = a3b4 + a4b3.
Thus
(x3 : y3 : z3 : t3) , (x4 : y4 : z4 : t4)
are the unique solutions to
B11 · x2 − 2 · B10 · xy + B00 · y2 = 0 ,
B22 · x2 − 2 · B20 · xz + B00 · z2 = 0 ,
B33 · x2 − 2 · B30 · xt + B00 · t2 = 0 ,
B22 · y2 − 2 · B21 · yz + B11 · z2 = 0 ,
B33 · y2 − 2 · B31 · yt + B11 · t2 = 0 ,
B33 · z2 − 2 · B32 · zt + B22 · t2 = 0
15 November 2017 16 / 24
Quadratic identities on KThese formulas give rise to an identity [Cos11]
2x3x4 ∗ ∗ ∗σ(x , y) 2y3y4 ∗ ∗σ(x , z) σ(y , z) 2z3z4 ∗σ(x , t) σ(y , t) σ(z , t) 2t3t4
= ν ·
B00 ∗ ∗ ∗B10 B11 ∗ ∗B20 B21 B22 ∗B30 B31 B32 B33
where σ(a, b) = a3b4 + a4b3. Thus
(x3 : y3 : z3 : t3) , (x4 : y4 : z4 : t4)
are the unique solutions to
B11 · x2 − 2 · B10 · xy + B00 · y2 = 0 ,
B22 · x2 − 2 · B20 · xz + B00 · z2 = 0 ,
B33 · x2 − 2 · B30 · xt + B00 · t2 = 0 ,
B22 · y2 − 2 · B21 · yz + B11 · z2 = 0 ,
B33 · y2 − 2 · B31 · yt + B11 · t2 = 0 ,
B33 · z2 − 2 · B32 · zt + B22 · t2 = 015 November 2017 16 / 24
Summarizing verification on K
Given a signature (x(R) || s) on M w.r.t. x(Q)
(1) c ← H(x(R) || M)
(2) x(T0)← x([s]P)
(3) x(T1)← x([c]Q)
(4) Compute all BIJ for x(T0) and x(T1)
(5) Check 6 quadratic polynomial equations in x(R)
15 November 2017 17 / 24
Efficiency of the BIJ
Computing the BIJ on K does not look great.
We have
[CC86] [Gau07]
K H−→ KInt C−→ KGau
I The forms BGauIJ on KGau are nice, but need extra constants
I Pulling back all the way via H ◦ C destroys nice symmetry
Solution: Pull back BGauIJ via C, evaluate at H(x(P))
15 November 2017 18 / 24
Efficiency of the BIJ
Computing the BIJ on K does not look great. We have
[CC86] [Gau07]
K H−→ KInt C−→ KGau
I The forms BGauIJ on KGau are nice, but need extra constants
I Pulling back all the way via H ◦ C destroys nice symmetry
Solution: Pull back BGauIJ via C, evaluate at H(x(P))
15 November 2017 18 / 24
Efficiency of the BIJ
Computing the BIJ on K does not look great. We have
[CC86] [Gau07]
K H−→ KInt C−→ KGau
I The forms BGauIJ on KGau are nice, but need extra constants
I Pulling back all the way via H ◦ C destroys nice symmetry
Solution: Pull back BGauIJ via C, evaluate at H(x(P))
15 November 2017 18 / 24
Efficiency of the BIJ
Computing the BIJ on K does not look great. We have
[CC86] [Gau07]
K H−→ KInt C−→ KGau
I The forms BGauIJ on KGau are nice, but need extra constants
I Pulling back all the way via H ◦ C destroys nice symmetry
Solution: Pull back BGauIJ via C, evaluate at H(x(P))
15 November 2017 18 / 24
Cost of computing biquadratic forms
g Func. M S C
1Check 8 3 1
Ladder 1 280 1 024 256
2Check 76 8 88
Ladder 1 799 3 072 3 072
Table: Cost of BIJ
15 November 2017 19 / 24
Point compression
I Signatures (x(R) || s)
I Have K ⊂ P3, so
x(R) = (x : y : z : t) = (x
t:y
t:z
t: 1) (if t 6= 0)
At first sight need 48 bytes to represent x(R)
I Compressing further seems to require solving a quartic
I But have a projection π : K → P2 as a double cover
15 November 2017 20 / 24
Point compression
I Signatures (x(R) || s)
I Have K ⊂ P3, so
x(R) = (x : y : z : t) = (x
t:y
t:z
t: 1) (if t 6= 0)
At first sight need 48 bytes to represent x(R)
I Compressing further seems to require solving a quartic
I But have a projection π : K → P2 as a double cover
15 November 2017 20 / 24
Point compression
Take the four nodes N0, . . . ,N3 and an isomorphism
N0 7→ (0 : 0 : 0 : 1) , N1 7→ (0 : 0 : 1 : 0) ,
N2 7→ (0 : 1 : 0 : 0) , N3 7→ (1 : 0 : 0 : 0) .
Then
K : 4C · xyzt =
r21 (xy + zt)2 + r2
2 (xz + yt)2 + r23 (xt + yz)2
− 2r1s1((x2 + y2)zt + xy(z2 + t2))− 2r2s2((x2 + z2)yt + xz(y2 + t2))− 2r3s3((x2 + t2)yz + xt(y2 + z2))
Quadratic in all its variables! Projection away from N0 is
π : (x : y : z : t) 7→ (x : y : z)
which we can represent in 32 bytes.
Recovery is solving a quadratic, ie. computing a square root
15 November 2017 21 / 24
Point compression
Take the four nodes N0, . . . ,N3 and an isomorphism
N0 7→ (0 : 0 : 0 : 1) , N1 7→ (0 : 0 : 1 : 0) ,
N2 7→ (0 : 1 : 0 : 0) , N3 7→ (1 : 0 : 0 : 0) .
Then
K : 4C · xyzt =
r21 (xy + zt)2 + r2
2 (xz + yt)2 + r23 (xt + yz)2
− 2r1s1((x2 + y2)zt + xy(z2 + t2))− 2r2s2((x2 + z2)yt + xz(y2 + t2))− 2r3s3((x2 + t2)yz + xt(y2 + z2))
Quadratic in all its variables! Projection away from N0 is
π : (x : y : z : t) 7→ (x : y : z)
which we can represent in 32 bytes.
Recovery is solving a quadratic, ie. computing a square root
15 November 2017 21 / 24
Point compression
Take the four nodes N0, . . . ,N3 and an isomorphism
N0 7→ (0 : 0 : 0 : 1) , N1 7→ (0 : 0 : 1 : 0) ,
N2 7→ (0 : 1 : 0 : 0) , N3 7→ (1 : 0 : 0 : 0) .
Then
K : 4C · xyzt =
r21 (xy + zt)2 + r2
2 (xz + yt)2 + r23 (xt + yz)2
− 2r1s1((x2 + y2)zt + xy(z2 + t2))− 2r2s2((x2 + z2)yt + xz(y2 + t2))− 2r3s3((x2 + t2)yz + xt(y2 + z2))
Quadratic in all its variables! Projection away from N0 is
π : (x : y : z : t) 7→ (x : y : z)
which we can represent in 32 bytes.
Recovery is solving a quadratic, ie. computing a square root
15 November 2017 21 / 24
Point compression
Take the four nodes N0, . . . ,N3 and an isomorphism
N0 7→ (0 : 0 : 0 : 1) , N1 7→ (0 : 0 : 1 : 0) ,
N2 7→ (0 : 1 : 0 : 0) , N3 7→ (1 : 0 : 0 : 0) .
Then
K : 4C · xyzt =
r21 (xy + zt)2 + r2
2 (xz + yt)2 + r23 (xt + yz)2
− 2r1s1((x2 + y2)zt + xy(z2 + t2))− 2r2s2((x2 + z2)yt + xz(y2 + t2))− 2r3s3((x2 + t2)yz + xt(y2 + z2))
Quadratic in all its variables! Projection away from N0 is
π : (x : y : z : t) 7→ (x : y : z)
which we can represent in 32 bytes.
Recovery is solving a quadratic, ie. computing a square root15 November 2017 21 / 24
Implementing the scheme
g. Ref. Object. Function. CC. Stack.
1
This Curve25519 sign 14 M 512 B
[NLD15] Ed25519 sign 19 M 1 473 B
[Liu+17] FourQ sign 5 M 1 572 B
Table: AVR ATmega comparison (rounded)
15 November 2017 22 / 24
Implementing the scheme
g. Ref. Object. Function. CC. Stack.
1
This Curve25519 verify 25 M 644 B
[NLD15] Ed25519 verify 31 M 1 226 B
[Liu+17] FourQ verify 11 M 4 957 B
Table: AVR ATmega comparison (rounded)
15 November 2017 22 / 24
Implementing the scheme
g. Ref. Object. Function. CC. Stack.
2This GS sign 10 M 417 B
[Ren+16] GS sign 10 M 926 B
Table: AVR ATmega comparison (rounded)
15 November 2017 23 / 24
Implementing the scheme
g. Ref. Object. Function. CC. Stack.
2This GS verify 20 M 609 B
[Ren+16] GS verify 16 M 992 B
Table: AVR ATmega comparison (rounded)
15 November 2017 23 / 24
Thanks!
Questions?
15 November 2017 24 / 24
References I
[Ber+14] Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Langeand Peter Schwabe. “Kummer Strikes Back: New DH SpeedRecords”. In: Advances in Cryptology – ASIACRYPT 2014. Ed. byPalash Sarkar and Tetsu Iwata. Vol. 8873. LNCS.https://cryptojedi.org/papers/#kummer. SV, 2014,pp. 317–337.
[CC86] David V. Chudnovsky and Gregory V. Chudnovsky. “Sequences ofnumbers generated by addition in formal groups and new primalityand factorization tests”. In: Adv. in Appl. Math. 7 (1986),pp. 385–434.
[Cos11] Romain Cosset. “Applications des fonctions theta a lacryptographie sur les courbes hyperelliptiques”. https:
//tel.archives-ouvertes.fr/tel-00642951/file/main.pdf.PhD thesis. Universite Henri Poincare - Nancy I, 2011.
[Gau07] Pierrick Gaudry. “Fast genus 2 arithmetic based on Thetafunctions”. In: J. Mathematical Cryptology 1.3 (2007).https://eprint.iacr.org/2005/314/, pp. 243–265.
15 November 2017 25 / 24
References II[GS12] Pierrick Gaudry and Eric Schost. “Genus 2 point counting over
prime fields”. In: J. Symb. Comput. 47.4 (2012), pp. 368–400.doi: 10.1016/j.jsc.2011.09.003. url:http://dx.doi.org/10.1016/j.jsc.2011.09.003.
[Liu+17] Zhe Liu, Patrick Longa, Geovandro Pereira, Oscar Reparaz andHwajeong Seo. FourQ on embedded devices with strongcountermeasures against side-channel attacks. Cryptology ePrintArchive, Report 2017/434. http://eprint.iacr.org/2017/434.2017.
[NLD15] Erick Nascimento, Julio Lopez and Ricardo Dahab. “Efficient andSecure Elliptic Curve Cryptography for 8-bit AVRMicrocontrollers”. In: Security, Privacy, and Applied CryptographyEngineering. Ed. by Rajat Subhra Chakraborty, Peter Schwabe andJon Solworth. Vol. 9354. LNCS. Springer, 2015, pp. 289–309.
15 November 2017 26 / 24
References III[Ren+16] Joost Renes, Peter Schwabe, Benjamin Smith and Lejla Batina.
“µKummer: Efficient Hyperelliptic Signatures and Key Exchangeon Microcontrollers”. In: Cryptographic Hardware and EmbeddedSystems - CHES 2016 - 18th International Conference, SantaBarbara, CA, USA, August 17-19, 2016, Proceedings. 2016,pp. 301–320. doi: 10.1007/978-3-662-53140-2_15. url:http://dx.doi.org/10.1007/978-3-662-53140-2_15.
[Sch89] Claus-Peter Schnorr. “Efficient Identification and Signatures forSmart Cards”. In: Advances in Cryptology - CRYPTO ’89. Ed. byGilles Brassard. Vol. 435. LNCS. Springer, 1989, pp. 239–252.
15 November 2017 27 / 24