eddsa for more curves
play

EdDSA for more curves Daniel J. Bernstein, University of Illinois at - PowerPoint PPT Presentation

Nov 09, 2022 •211 likes •352 views

EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon Josefsson, Simon Josefsson Datakonsult Tanja Lange, Technische Universiteit Eindhoven Peter Schwabe, Radboud Universiteit Bo-Yin Yang, Academia Sinica

  1. EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon Josefsson, Simon Josefsson Datakonsult Tanja Lange, Technische Universiteit Eindhoven Peter Schwabe, Radboud Universiteit Bo-Yin Yang, Academia Sinica CFRG, IETF 93, Prague 22 July 2015 EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 1

  2. Background How ECC signatures fail: ◮ PlayStation 3 disaster. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 2

  3. Background How ECC signatures fail: ◮ PlayStation 3 disaster. ◮ Hash-function collisions. ◮ Biased nonces leaking secret key. ◮ Timing leaks from, e.g., inversion mod group order. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 2

  4. Background How ECC signatures fail: ◮ PlayStation 3 disaster. ◮ Hash-function collisions. ◮ Biased nonces leaking secret key. ◮ Timing leaks from, e.g., inversion mod group order. ◮ Being so complex that errors are bound to occur. ◮ Being so slow that protocol designer skips signatures. ◮ Being so slow that implementor turns them off. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 2

  5. Background How ECC signatures fail: ◮ PlayStation 3 disaster. ◮ Hash-function collisions. ◮ Biased nonces leaking secret key. ◮ Timing leaks from, e.g., inversion mod group order. ◮ Being so complex that errors are bound to occur. ◮ Being so slow that protocol designer skips signatures. ◮ Being so slow that implementor turns them off. 1992 Rivest (on DSA): “ The poor user is given enough rope with which to hang himself—something a standard should not do. ” EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 2

  6. The Ed25519 signature system 2011 Bernstein–Duif–Lange–Schwabe–Yang “High-speed high-security signatures” ed25519.cr.yp.to : Eliminate failures. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 3

  7. The Ed25519 signature system 2011 Bernstein–Duif–Lange–Schwabe–Yang “High-speed high-security signatures” ed25519.cr.yp.to : Take advantage of crypto research: ◮ Curve25519. ◮ Edwards curves. ◮ Schnorr signatures, including collision resilience. (Schnorr patent expired 2008.) ◮ Conservative hash functions. ◮ Fast batch verification. ◮ Barwood–Wigley pseudorandom nonce generation. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 3

  8. Ed25519-SHA-512 deployment Nicolai Brown is tracking applications and implementations: ianix.com/pub/ed25519-deployment.html Examples of applications: ◮ OpenSSH. ◮ GnuPG. ◮ GNUnet. ◮ DNSCrypt. ◮ OpenBSD’s signify . Many independent interoperable implementations. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 4

  9. A few examples of Ed25519 implementations Fast constant-time implementation from 2015 Chou: ◮ 57164 cycles for keygen on Intel Sandy Bridge. ◮ 63526 cycles for sign. ◮ 205741 cycles for (non-batch) verify. Compare to 430000 cycles for OpenSSL 1.0.2 ecdsap256 verify. Small constant-time implementations of Salsa20+Poly1305+X25519+SHA-512+Ed25519: ◮ 2013 Hutter–Schwabe “NaCl on 8-bit AVR microcontrollers”: 17366 bytes of object code. ◮ 2014 Bernstein–van Gastel–Janssen–Lange–Schwabe– Smetsers “TweetNaCl: a crypto library in 100 tweets”. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 5

  10. New: EdDSA for more curves Ed25519 is an example of “EdDSA” defined in 2011 paper. 2015 Bernstein–Josefsson–Lange–Schwabe–Yang “EdDSA for more curves”: ◮ Easy extension of original EdDSA definition. ◮ Ed25519 is still an example! EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 6

  11. New: EdDSA for more curves Ed25519 is an example of “EdDSA” defined in 2011 paper. 2015 Bernstein–Josefsson–Lange–Schwabe–Yang “EdDSA for more curves”: ◮ Easy extension of original EdDSA definition. ◮ Ed25519 is still an example! ◮ Also allows Ed448-Goldilocks. ◮ Also allows Curve41417 and E-521. EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 6

  12. New: EdDSA for more curves Ed25519 is an example of “EdDSA” defined in 2011 paper. 2015 Bernstein–Josefsson–Lange–Schwabe–Yang “EdDSA for more curves”: ◮ Easy extension of original EdDSA definition. ◮ Ed25519 is still an example! ◮ Also allows Ed448-Goldilocks. ◮ Also allows Curve41417 and E-521. ◮ Also explicitly describes prehashing: e.g., GnuPG uses Ed25519-SHA-512 to sign SHA-256( m ). Note: Mixing SHA-256+SHA-512 is bad for code size! EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 6

  13. [switch to browser showing merged Python implementation for comparing details of signature proposals] EdDSA eprint.iacr.org/2015/677 Speakers: Daniel J. Bernstein (UIC, TU/e) and Tanja Lange (TU/e) 7

Recommend

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif,

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif,

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif, Tanja Lange, and Bo-Yin Yang March 20, 2012 CARAMEL seminar, INRIA Nancy A few words about Taiwan and Academia Sinica Taiwan ( ) is an

1.16k views • 90 slides
1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

Topics Parametric curves and surfaces Polynomial curves Advanced Modeling 2 Rational curves Katja Bhler, Andrej Varchola, Eduard Tensor product surfaces Grller Triangular surfaces Institute of Computer Graphics and Algorithms Vienna

78 views • 6 slides
Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2013 Tamara Munzner Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd edition 2 Curves 3 Parametric Curves parametric form

615 views • 32 slides
Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves Physical tools, used to model curves French Curves Smoothly connect pre-determined curve points French Curves French Curves Digital French

845 views • 42 slides
parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape modeling (3D) different representation implicit curves parametric curves (mostly used) 2D and 3D curves are mostly the same use vector notation

724 views • 35 slides
BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of

BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of

BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of curves Interpolating Hermite Bezier B-spline Quadratic Bezier Curves Cubic Bezier Curves 2 ESCAPING FLATLAND

991 views • 38 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Evaluation of Classifiers Evaluation of Classifiers ROC Curves ROC Curves Reject Curves Reject

Evaluation of Classifiers Evaluation of Classifiers ROC Curves ROC Curves Reject Curves Reject

Evaluation of Classifiers Evaluation of Classifiers ROC Curves ROC Curves Reject Curves Reject Curves Precision- -Recall Curves Recall Curves Precision Statistical Tests Statistical Tests Estimating the error rate of a classifier

565 views • 32 slides
CS 5 4 3 : Com puter Graphics Lecture 1 0 ( Part I I I ) : Curves Emmanuel Agu So Far

CS 5 4 3 : Com puter Graphics Lecture 1 0 ( Part I I I ) : Curves Emmanuel Agu So Far

CS 5 4 3 : Com puter Graphics Lecture 1 0 ( Part I I I ) : Curves Emmanuel Agu So Far Dealt with straight lines and flat surfaces Real world objects include curves Need to develop: Representations of curves Tools to render

300 views • 26 slides
Bzier Curves CPSC 453 Fall 2018 Sonny Chan Todays Outline Quadratic Bzier curves

Bzier Curves CPSC 453 Fall 2018 Sonny Chan Todays Outline Quadratic Bzier curves

Bzier Curves CPSC 453 Fall 2018 Sonny Chan Todays Outline Quadratic Bzier curves de Casteljau formulation Bernstein polynomial form Bzier splines Cubic Bzier curves Drawing Bzier curves freeform shape?

687 views • 37 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Smooth models for Suzuki and Ree Curves Abdulla Eid RICAM Workshop Algebraic curves over finite

Smooth models for Suzuki and Ree Curves Abdulla Eid RICAM Workshop Algebraic curves over finite

Smooth models for Suzuki and Ree Curves Abdulla Eid RICAM Workshop Algebraic curves over finite fields Linz, Austria, November 11-15, 2013 DL curves 1 / 35 Introduction Three important examples of algebraic curves over finite fields: The

625 views • 35 slides
Curves and Surfaces CMSC 635 January 15, 2013 Spline curves #/23

Curves and Surfaces CMSC 635 January 15, 2013 Spline curves #/23

A D V A N C E D C O M P U T E R G R A P H I C S A D V A N C E D C O M P U T E R G R A P H I C S To do Continue to work on ray programming assignment Start thinking about final project Curves and Surfaces CMSC 635

276 views • 6 slides
GARDEN CORNER CURVES INTRODUCTION Updat e: Garden Corner Curves Concept St udy Result

GARDEN CORNER CURVES INTRODUCTION Updat e: Garden Corner Curves Concept St udy Result

GARDEN CORNER CURVES Open House June 13, 2017 GARDEN CORNER CURVES INTRODUCTION Updat e: Garden Corner Curves Concept St udy Result s from Public Out reach Four draft alt ernat ives (including cost ) Next st eps Proj

340 views • 15 slides
Constructing cryptographic curves with complex multiplication Reinier Br oker

Constructing cryptographic curves with complex multiplication Reinier Br oker

Constructing cryptographic curves with complex multiplication Reinier Br oker Microsoft Research Fields Institute May 2009 Curves and crypto Curve cryptography comes in 2 flavours: standard : we want curves of prime order;

594 views • 36 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Topic 6: 3D Curves Intro to curve interpolation & approximation Polynomial

Topic 6: 3D Curves Intro to curve interpolation & approximation Polynomial

Topic 6: 3D Curves Intro to curve interpolation & approximation Polynomial interpolation Bzier curves Cardinal splines Interactive Design of Curves Goal: Expand the capabilities of shapes beyond lines and conics, simple

163 views • 13 slides
Curves and Splines Outline Hermite Splines Catmull-Rom Splines Bezier Curves

Curves and Splines Outline Hermite Splines Catmull-Rom Splines Bezier Curves

Curves and Splines Outline Hermite Splines Catmull-Rom Splines Bezier Curves Higher Continuity: Natural and B-Splines Drawing Splines Modeling Complex Shapes We want to build models of very complicated objects An

675 views • 50 slides
Algebraic and Geometric Computations with Rational Curves Elias TSIGARIDAS E.T. ( PolSys @

Algebraic and Geometric Computations with Rational Curves Elias TSIGARIDAS E.T. ( PolSys @

Algebraic and Geometric Computations with Rational Curves Elias TSIGARIDAS E.T. ( PolSys @ INRIA ) Rational Curves GC 2013 @ ACMAC Short intro to rational curves Outline Short intro to rational curves 1 Univariate real solving 2 Special

870 views • 50 slides
Reading CPSC 314 Computer Graphics FCG Chap 15 Curves Jan-Apr 2013 Ch 13 2nd edition

Reading CPSC 314 Computer Graphics FCG Chap 15 Curves Jan-Apr 2013 Ch 13 2nd edition

University of British Columbia Reading CPSC 314 Computer Graphics FCG Chap 15 Curves Jan-Apr 2013 Ch 13 2nd edition Tamara Munzner Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 2 Parametric Curves parametric form for a line:

204 views • 8 slides
Jacobi Curves: Computing the Exact Topology of Arrangements of Non-Singular Algebraic Curves

Jacobi Curves: Computing the Exact Topology of Arrangements of Non-Singular Algebraic Curves

Jacobi Curves: Computing the Exact Topology of Arrangements of Non-Singular Algebraic Curves Nicola Wolpert Max-Planck-Institut f ur Informatik Stuhlsatzenhausweg 85 66123 Saarbr ucken, Germany nicola@mpi-sb.mpg.de March 26, 2003

255 views • 11 slides
On the Parameterization of Catmull-Rom Curves Cem Yuksel Scott Schaefer John Keyser

On the Parameterization of Catmull-Rom Curves Cem Yuksel Scott Schaefer John Keyser

On the Parameterization of Catmull-Rom Curves Cem Yuksel Scott Schaefer John Keyser Texas A&M University Catmull-Rom Curves P 3 P 1 P 0 P 2 Catmull-Rom Curves P 3 P 1 P 0 P 2 Catmull-Rom Curves Important Properties

889 views • 62 slides
Efficiently Computing Succinct Trade-off Curves Sergei Vassilvitskii Mihalis Yannakakis Outline

Efficiently Computing Succinct Trade-off Curves Sergei Vassilvitskii Mihalis Yannakakis Outline

Efficiently Computing Succinct Trade-off Curves Sergei Vassilvitskii Mihalis Yannakakis Outline Introduction Polynomial size trade off curves Construction of Pareto curves in 2-d Pareto curves in 3+ d Conclusion

622 views • 44 slides
Geometry of LMIs and determinantal representations of algebraic plane curves Didier HENRION

Geometry of LMIs and determinantal representations of algebraic plane curves Didier HENRION

Geometry of LMIs and determinantal representations of algebraic plane curves Didier HENRION LAAS-CNRS Toulouse, FR Czech Tech Univ Prague, CZ April 2007 Outline 1. LMIs and SDP 2. Geometry of LMI sets 3. Cubic curves 4. Contact curves 5.

1.05k views • 72 slides

More recommend