qdsa: small and secure digital signatures with curve-based … · 2017. 11. 17. · qdsa: small and...

qDSA: Small and Secure Digital Signatures withCurve-based Diffie-Hellman Key Pairs

Joost Renes1 Benjamin Smith2

1Radboud University

2INRIA and Laboratoire d’Informatique de l’Ecole polytechnique

15 November 2017

15 November 2017 1 / 24

Curve-based crypto

DH EdDSA

XEdDSAqDSA

Q1,Q2x1,Q2x1, x2

15 November 2017 2 / 24

Curve-based crypto

DH EdDSA

XEdDSAqDSA

Q1,Q2

x1,Q2x1, x2

15 November 2017 2 / 24

Curve-based crypto

DH EdDSA

XEdDSAqDSA

Q1,Q2

x1,Q2

x1, x2

15 November 2017 2 / 24

Curve-based crypto

DH

EdDSA

XEdDSA

qDSA

Q1,Q2x1,Q2

x1, x2

15 November 2017 2 / 24

Curve-based crypto

DH

EdDSAXEdDSA

qDSA

Q1,Q2x1,Q2

x1, x2

15 November 2017 2 / 24

Outline

(1) Quotient operations

(2) The qDSA scheme

(3) Instantiating with the x-line

(4) Instantiating with Kummer surfaces

15 November 2017 3 / 24

Operations on quotient groups

G G

G/± 1 G/± 1

x(P)

{P,−P} {[λ]P,−[λ]P}

x([λ]P)(x(P), x(Q))

{{P,−P}, {Q,−Q}} {±(P ± Q)}

{x(P ± Q)}

Operations G → G

(G1) P 7→ [λ]P

(G2) (P,Q) 7→ P + Q

Operations G/± 1→ G/± 1

(Q1) x(P) 7→ x([λ]P)

(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}

15 November 2017 4 / 24


G G

G/± 1 G/± 1

x(P)

{P,−P}

{[λ]P,−[λ]P}

x([λ]P)(x(P), x(Q))

{{P,−P}, {Q,−Q}} {±(P ± Q)}

{x(P ± Q)}

Operations G → G

(G1) P 7→ [λ]P

(G2) (P,Q) 7→ P + Q


(Q1) x(P) 7→ x([λ]P)

(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}

15 November 2017 4 / 24


G G

G/± 1 G/± 1

x(P)

{P,−P} {[λ]P,−[λ]P}

x([λ]P)(x(P), x(Q))

{{P,−P}, {Q,−Q}} {±(P ± Q)}

{x(P ± Q)}

Operations G → G

(G1) P 7→ [λ]P

(G2) (P,Q) 7→ P + Q


(Q1) x(P) 7→ x([λ]P)

(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}

15 November 2017 4 / 24


G G

G/± 1 G/± 1

x(P)

{P,−P} {[λ]P,−[λ]P}

x([λ]P)

(x(P), x(Q))

{{P,−P}, {Q,−Q}} {±(P ± Q)}

{x(P ± Q)}

Operations G → G

(G1) P 7→ [λ]P

(G2) (P,Q) 7→ P + Q


(Q1) x(P) 7→ x([λ]P)

(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}

15 November 2017 4 / 24


G G

G/± 1 G/± 1

x(P)

{P,−P} {[λ]P,−[λ]P}

x([λ]P)

(x(P), x(Q))

{{P,−P}, {Q,−Q}}

{±(P ± Q)}

{x(P ± Q)}

Operations G → G

(G1) P 7→ [λ]P

(G2) (P,Q) 7→ P + Q


(Q1) x(P) 7→ x([λ]P)

(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}

15 November 2017 4 / 24


G G

G/± 1 G/± 1

x(P)

{P,−P} {[λ]P,−[λ]P}

x([λ]P)

(x(P), x(Q))

{{P,−P}, {Q,−Q}} {±(P ± Q)}

{x(P ± Q)}

Operations G → G

(G1) P 7→ [λ]P

(G2) (P,Q) 7→ P + Q


(Q1) x(P) 7→ x([λ]P)

(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}

15 November 2017 4 / 24


G G

G/± 1 G/± 1

x(P)

{P,−P} {[λ]P,−[λ]P}

x([λ]P)

(x(P), x(Q))

{{P,−P}, {Q,−Q}} {±(P ± Q)}

{x(P ± Q)}Operations G → G

(G1) P 7→ [λ]P

(G2) (P,Q) 7→ P + Q


(Q1) x(P) 7→ x([λ]P)

(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}

15 November 2017 4 / 24


G G

G/± 1 G/± 1

x(P)

{P,−P} {[λ]P,−[λ]P}

x([λ]P)(x(P), x(Q))

{{P,−P}, {Q,−Q}} {±(P ± Q)}

{x(P ± Q)}

Operations G → G

(G1) P 7→ [λ]P

(G2) (P,Q) 7→ P + Q


(Q1) x(P) 7→ x([λ]P)

(Q2) (x(P), x(Q)) 7→ {x(P + Q), x(P − Q)}

15 November 2017 4 / 24

Schnorr signatures

Starting point: Schnorr signatures [Sch89]

(1) Schnorr identification scheme (group-based)

(2) Apply Fiat-Shamir to make it non-interactive

(3) Include message to create a signature scheme

15 November 2017 5 / 24

Schnorr identification on the quotient (qID)

Prover(P,Q, α) Comm. Verifier(P,Q)

Need {x([s]P + [c]Q), x([s]P − [c]Q)}.. possible on G /±1!

15 November 2017 6 / 24



r ←R Z∗N


15 November 2017 6 / 24



r ←R Z∗N

R ← [r ]P R


15 November 2017 6 / 24



r ←R Z∗N

R ← [r ]P R

c c ←R ZN


15 November 2017 6 / 24



r ←R Z∗N

R ← [r ]P R

c c ←R ZN

s ← (r − c · α) mod N s


15 November 2017 6 / 24



r ←R Z∗N

R ← [r ]P R

c c ←R ZN

s ← (r − c · α) mod N s

R?= [s]P + [c]Q


15 November 2017 6 / 24


Prover(x(P), x(Q), α) Comm. Verifier(x(P), x(Q))

r ←R Z∗N

R ← [r ]P R

c c ←R ZN

s ← (r − c · α) mod N s

R?= [s]P + [c]Q


15 November 2017 6 / 24



r ←R Z∗N

x(R)← x([r ]P) x(R)

c c ←R ZN

s ← (r − c · α) mod N s

R?= [s]P + [c]Q


15 November 2017 6 / 24



r ←R Z∗N

x(R)← x([r ]P) x(R)

c c ←R ZN

s ← (r − c · α) mod N s

x(R)?∈ {x([s]P ± [c]Q)}


15 November 2017 6 / 24



r ←R Z∗N

x(R)← x([r ]P) x(R)

c c ←R Z+N

s ← (r − c · α) mod N s

x(R)?∈ {x([s]P ± [c]Q)}


15 November 2017 6 / 24

qSIG and qDSA

(1) Include the public key in the challenge

(2) Generate ephemeral secret r pseudo-randomly

=⇒Fiat-Shamir

=⇒

qID(Schn. ID)

qSIG(Schn. sig.)

qDSA(EdDSA)

Add countermeasures against side-channel attacks

(3) Fault attacks on ephemeral scalar multiplication

I Add randomness into hash for nonce generation

(4) Fault attacks on base point (Mehdi’s talk on Monday)

I Clamp, or add a small cofactor into the computation

I Verify correctness of base point

15 November 2017 7 / 24

qSIG and qDSA

(1) Include the public key in the challenge

(2) Generate ephemeral secret r pseudo-randomly

=⇒Fiat-Shamir

=⇒qID(Schn. ID)

qSIG(Schn. sig.)

qDSA(EdDSA)

Add countermeasures against side-channel attacks

(3) Fault attacks on ephemeral scalar multiplication

I Add randomness into hash for nonce generation

(4) Fault attacks on base point (Mehdi’s talk on Monday)

I Clamp, or add a small cofactor into the computation

I Verify correctness of base point

15 November 2017 7 / 24

Additional remarks

(1) Security reduction. Similar to original Schnorr ID scheme

(2) Unified keys. Identical key pairs for DH and qDSA

(3) Key and signatures sizes. 32-byte keys, 64-byte signatures(requires work in genus 2!)

(4) Verification. Two-dimensional scalar multiplicationalgorithms not available & no batching

15 November 2017 8 / 24

Back to curves

Here, G the Jacobian group of a hyperelliptic curve of genus g

I Elliptic curves for g = 1, have J /±1 = P1

I Hyperelliptic curves with g = 2, have J /±1 = K

I For g ≥ 3 does not scale well (index calculus)

Need to define

(1) x(P) 7→ x([λ]P) (usual way via Montgomery ladder)

(2) {x(P), x(Q)} 7→ {x(P + Q), x(P − Q)}

(3) For any x(P), a 32-byte representation of x(P)

15 November 2017 9 / 24

On the choice of model (g = 1)

For elliptic curves common choice of Montgomery model

E/Fp : By2 = x3 + Ax2 + x

We obtain Curve25519 by defining

p = 2255 − 19 , A = 486662 , B = 1

15 November 2017 10 / 24

Arithmetic on P1

If

x(P) = (X1 : Z1) , x(P + Q) = (X3 : Z3) ,

x(Q) = (X2 : Z2) , x(P − Q) = (X4 : Z4) ,

then

xADD :X3X4 = λ · (X1X2 − Z1Z2)2 ,

Z3Z4 = λ · (X1Z2 − X2Z1)2 ,

xDBL :X3 = µ ·

(X 2 − Z 2

)2,

Z3 = µ · 4XZ(X 2 + AXZ + Z 2

)

15 November 2017 11 / 24

Biquadratic forms on P1

In fact, have

X3X4 = B00 , B00 = ν · (X1X2 − Z1Z2)2 ,

Z3Z4 = B11 , B11 = ν · (X1Z2 − X2Z1)2 ,

X3Z4 + X4Z3 = B10 , B10 = ν ·[

(X1Z2 − X2Z1) (X1Z2 + X2Z1)

+ 2AX1X2Z1Z2

],

ie. (X3X4 ∗

X3Z4 + X4Z3 Z3Z4

)= ν ·

(B00 ∗B10 B11

).

Thus (X3 : Z3) and (X4 : Z4) are the unique solutions to

B11X2 − 2 · B10XZ + B00Z

2 = 0

15 November 2017 12 / 24

Summarizing verification on P1

Given a signature (x(R) || s) on M w.r.t. x(Q)

(1) c ← H(x(R) || M)

(2) x(T0)← x([s]P)

(3) x(T1)← x([c]Q)

(4) Compute all B00,B10,B11 for x(T0) and x(T1)

(5) Check that x(R) vanishes on

B11 · X 2 − 2 · B10 · XZ + B00 · Z 2

(ie. x(R) ∈ {x(T0 + T1), x(T0 − T1)})

15 November 2017 13 / 24

On the choice of model (g = 2)

Gaudry-Schost curve [GS12]

E/F2127−1 :y2 = x5

+ 64408548613810695909971240431892164827 · x4

+ 76637216448498510246042731975843417626 · x3

+ 54735094972565041023366918099598639851 · x2

+ 9855732443590990513334918966847277222 · x+ 81689052950067229064357938692912969725

and its “squared” Kummer surface [CC86]

K : 4E 2 · xyzt =

(x2 + y2 + z2 + t2 − F (xt + yz)−G (xz + yt)− H(xy + zt)

)

15 November 2017 14 / 24

Arithmetic on KIf

x(P) = (x1 : y1 : z1 : t1) , x(P + Q) = (x3 : y3 : z3 : t3) ,

x(Q) = (x2 : y2 : z2 : t2) , x(P − Q) = (x4 : y4 : z4 : t4) ,

then [Gau07; Ber+14]

xADD :

x3x4 = ν · ε1 · (x ′ + y ′ + z ′ + t ′)2 ,

y3y4 = ν · ε2 · (x ′ + y ′ − z ′ − t ′)2 ,

z3z4 = ν · ε3 · (x ′ − y ′ + z ′ − t ′)2 ,

t3t4 = ν · ε4 · (x ′ − y ′ − z ′ + t ′)2 , where

x ′ = ε1 · (x1 + y1 + z1 + t1) · (x2 + y2 + z2 + t2)y ′ = ε2 · (x1 + y1 − z1 − t1) · (x2 + y2 − z2 − t2)z ′ = ε3 · (x1 − y1 + z1 − t1) · (x2 − y2 + z2 − t2)t ′ = ε4 · (x1 − y1 − z1 + t1) · (x2 − y2 − z2 + t2)

15 November 2017 15 / 24

Quadratic identities on KThese formulas give rise to an identity [Cos11]

2x3x4 ∗ ∗ ∗∗ 2y3y4 ∗ ∗∗ ∗ 2z3z4 ∗∗ ∗ ∗ 2t3t4

= ν ·

B00 ∗ ∗ ∗∗ B11 ∗ ∗∗ ∗ B22 ∗∗ ∗ ∗ B33

where σ(a, b) = a3b4 + a4b3. Thus

(x3 : y3 : z3 : t3) , (x4 : y4 : z4 : t4)

are the unique solutions to

B11 · x2 − 2 · B10 · xy + B00 · y2 = 0 ,

B22 · x2 − 2 · B20 · xz + B00 · z2 = 0 ,

B33 · x2 − 2 · B30 · xt + B00 · t2 = 0 ,

B22 · y2 − 2 · B21 · yz + B11 · z2 = 0 ,

B33 · y2 − 2 · B31 · yt + B11 · t2 = 0 ,

B33 · z2 − 2 · B32 · zt + B22 · t2 = 0

15 November 2017 16 / 24


2x3x4 ∗ ∗ ∗σ(x , y) 2y3y4 ∗ ∗σ(x , z) σ(y , z) 2z3z4 ∗σ(x , t) σ(y , t) σ(z , t) 2t3t4

= ν ·

B00 ∗ ∗ ∗B10 B11 ∗ ∗B20 B21 B22 ∗B30 B31 B32 B33

where σ(a, b) = a3b4 + a4b3.

Thus

(x3 : y3 : z3 : t3) , (x4 : y4 : z4 : t4)


B11 · x2 − 2 · B10 · xy + B00 · y2 = 0 ,

B22 · x2 − 2 · B20 · xz + B00 · z2 = 0 ,

B33 · x2 − 2 · B30 · xt + B00 · t2 = 0 ,

B22 · y2 − 2 · B21 · yz + B11 · z2 = 0 ,

B33 · y2 − 2 · B31 · yt + B11 · t2 = 0 ,

B33 · z2 − 2 · B32 · zt + B22 · t2 = 0

15 November 2017 16 / 24


2x3x4 ∗ ∗ ∗σ(x , y) 2y3y4 ∗ ∗σ(x , z) σ(y , z) 2z3z4 ∗σ(x , t) σ(y , t) σ(z , t) 2t3t4

= ν ·

B00 ∗ ∗ ∗B10 B11 ∗ ∗B20 B21 B22 ∗B30 B31 B32 B33

where σ(a, b) = a3b4 + a4b3. Thus

(x3 : y3 : z3 : t3) , (x4 : y4 : z4 : t4)


B11 · x2 − 2 · B10 · xy + B00 · y2 = 0 ,

B22 · x2 − 2 · B20 · xz + B00 · z2 = 0 ,

B33 · x2 − 2 · B30 · xt + B00 · t2 = 0 ,

B22 · y2 − 2 · B21 · yz + B11 · z2 = 0 ,

B33 · y2 − 2 · B31 · yt + B11 · t2 = 0 ,

B33 · z2 − 2 · B32 · zt + B22 · t2 = 015 November 2017 16 / 24

Summarizing verification on K

Given a signature (x(R) || s) on M w.r.t. x(Q)

(1) c ← H(x(R) || M)

(2) x(T0)← x([s]P)

(3) x(T1)← x([c]Q)

(4) Compute all BIJ for x(T0) and x(T1)

(5) Check 6 quadratic polynomial equations in x(R)

15 November 2017 17 / 24

Efficiency of the BIJ

Computing the BIJ on K does not look great.

We have

[CC86] [Gau07]

K H−→ KInt C−→ KGau

I The forms BGauIJ on KGau are nice, but need extra constants

I Pulling back all the way via H ◦ C destroys nice symmetry

Solution: Pull back BGauIJ via C, evaluate at H(x(P))

15 November 2017 18 / 24

Efficiency of the BIJ

Computing the BIJ on K does not look great. We have

[CC86] [Gau07]

K H−→ KInt C−→ KGau

I The forms BGauIJ on KGau are nice, but need extra constants

I Pulling back all the way via H ◦ C destroys nice symmetry

Solution: Pull back BGauIJ via C, evaluate at H(x(P))

15 November 2017 18 / 24

Cost of computing biquadratic forms

g Func. M S C

1Check 8 3 1

Ladder 1 280 1 024 256

2Check 76 8 88

Ladder 1 799 3 072 3 072

Table: Cost of BIJ

15 November 2017 19 / 24

Point compression

I Signatures (x(R) || s)

I Have K ⊂ P3, so

x(R) = (x : y : z : t) = (x

t:y

t:z

t: 1) (if t 6= 0)

At first sight need 48 bytes to represent x(R)

I Compressing further seems to require solving a quartic

I But have a projection π : K → P2 as a double cover

15 November 2017 20 / 24

Point compression

Take the four nodes N0, . . . ,N3 and an isomorphism

N0 7→ (0 : 0 : 0 : 1) , N1 7→ (0 : 0 : 1 : 0) ,

N2 7→ (0 : 1 : 0 : 0) , N3 7→ (1 : 0 : 0 : 0) .

Then

K : 4C · xyzt =

r21 (xy + zt)2 + r2

2 (xz + yt)2 + r23 (xt + yz)2

− 2r1s1((x2 + y2)zt + xy(z2 + t2))− 2r2s2((x2 + z2)yt + xz(y2 + t2))− 2r3s3((x2 + t2)yz + xt(y2 + z2))

Quadratic in all its variables! Projection away from N0 is

π : (x : y : z : t) 7→ (x : y : z)

which we can represent in 32 bytes.

Recovery is solving a quadratic, ie. computing a square root

15 November 2017 21 / 24

Point compression

Take the four nodes N0, . . . ,N3 and an isomorphism

N0 7→ (0 : 0 : 0 : 1) , N1 7→ (0 : 0 : 1 : 0) ,

N2 7→ (0 : 1 : 0 : 0) , N3 7→ (1 : 0 : 0 : 0) .

Then

K : 4C · xyzt =

r21 (xy + zt)2 + r2

2 (xz + yt)2 + r23 (xt + yz)2

− 2r1s1((x2 + y2)zt + xy(z2 + t2))− 2r2s2((x2 + z2)yt + xz(y2 + t2))− 2r3s3((x2 + t2)yz + xt(y2 + z2))

Quadratic in all its variables! Projection away from N0 is

π : (x : y : z : t) 7→ (x : y : z)

which we can represent in 32 bytes.

Recovery is solving a quadratic, ie. computing a square root15 November 2017 21 / 24

Implementing the scheme

g. Ref. Object. Function. CC. Stack.

1

This Curve25519 sign 14 M 512 B

[NLD15] Ed25519 sign 19 M 1 473 B

[Liu+17] FourQ sign 5 M 1 572 B

Table: AVR ATmega comparison (rounded)

15 November 2017 22 / 24



1

This Curve25519 verify 25 M 644 B

[NLD15] Ed25519 verify 31 M 1 226 B

[Liu+17] FourQ verify 11 M 4 957 B


15 November 2017 22 / 24



2This GS sign 10 M 417 B

[Ren+16] GS sign 10 M 926 B


15 November 2017 23 / 24



2This GS verify 20 M 609 B

[Ren+16] GS verify 16 M 992 B


15 November 2017 23 / 24

Thanks!

Questions?

15 November 2017 24 / 24

References I

[Ber+14] Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Langeand Peter Schwabe. “Kummer Strikes Back: New DH SpeedRecords”. In: Advances in Cryptology – ASIACRYPT 2014. Ed. byPalash Sarkar and Tetsu Iwata. Vol. 8873. LNCS.https://cryptojedi.org/papers/#kummer. SV, 2014,pp. 317–337.

[CC86] David V. Chudnovsky and Gregory V. Chudnovsky. “Sequences ofnumbers generated by addition in formal groups and new primalityand factorization tests”. In: Adv. in Appl. Math. 7 (1986),pp. 385–434.

[Cos11] Romain Cosset. “Applications des fonctions theta a lacryptographie sur les courbes hyperelliptiques”. https:

//tel.archives-ouvertes.fr/tel-00642951/file/main.pdf.PhD thesis. Universite Henri Poincare - Nancy I, 2011.

[Gau07] Pierrick Gaudry. “Fast genus 2 arithmetic based on Thetafunctions”. In: J. Mathematical Cryptology 1.3 (2007).https://eprint.iacr.org/2005/314/, pp. 243–265.

15 November 2017 25 / 24

https://cryptojedi.org/papers/#kummer

https://tel.archives-ouvertes.fr/tel-00642951/file/main.pdf

https://tel.archives-ouvertes.fr/tel-00642951/file/main.pdf

https://eprint.iacr.org/2005/314/

References II[GS12] Pierrick Gaudry and Eric Schost. “Genus 2 point counting over

prime fields”. In: J. Symb. Comput. 47.4 (2012), pp. 368–400.doi: 10.1016/j.jsc.2011.09.003. url:http://dx.doi.org/10.1016/j.jsc.2011.09.003.

[Liu+17] Zhe Liu, Patrick Longa, Geovandro Pereira, Oscar Reparaz andHwajeong Seo. FourQ on embedded devices with strongcountermeasures against side-channel attacks. Cryptology ePrintArchive, Report 2017/434. http://eprint.iacr.org/2017/434.2017.

[NLD15] Erick Nascimento, Julio Lopez and Ricardo Dahab. “Efficient andSecure Elliptic Curve Cryptography for 8-bit AVRMicrocontrollers”. In: Security, Privacy, and Applied CryptographyEngineering. Ed. by Rajat Subhra Chakraborty, Peter Schwabe andJon Solworth. Vol. 9354. LNCS. Springer, 2015, pp. 289–309.

15 November 2017 26 / 24

http://dx.doi.org/10.1016/j.jsc.2011.09.003

http://dx.doi.org/10.1016/j.jsc.2011.09.003

http://eprint.iacr.org/2017/434

References III[Ren+16] Joost Renes, Peter Schwabe, Benjamin Smith and Lejla Batina.

“µKummer: Efficient Hyperelliptic Signatures and Key Exchangeon Microcontrollers”. In: Cryptographic Hardware and EmbeddedSystems - CHES 2016 - 18th International Conference, SantaBarbara, CA, USA, August 17-19, 2016, Proceedings. 2016,pp. 301–320. doi: 10.1007/978-3-662-53140-2_15. url:http://dx.doi.org/10.1007/978-3-662-53140-2_15.

[Sch89] Claus-Peter Schnorr. “Efficient Identification and Signatures forSmart Cards”. In: Advances in Cryptology - CRYPTO ’89. Ed. byGilles Brassard. Vol. 435. LNCS. Springer, 1989, pp. 239–252.

15 November 2017 27 / 24

http://dx.doi.org/10.1007/978-3-662-53140-2_15

http://dx.doi.org/10.1007/978-3-662-53140-2_15

qdsa: small and secure digital signatures with curve-based … · 2017. 11. 17. · qdsa: small and...

Documents