eddsa signatures and ed25519
play

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel - PowerPoint PPT Presentation

Apr 10, 2024 •256 likes •1.16k views

EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif, Tanja Lange, and Bo-Yin Yang March 20, 2012 CARAMEL seminar, INRIA Nancy A few words about Taiwan and Academia Sinica Taiwan ( ) is an

  1. EdDSA signatures and Ed25519 Peter Schwabe Joint work with Daniel J. Bernstein, Niels Duif, Tanja Lange, and Bo-Yin Yang March 20, 2012 CARAMEL seminar, INRIA Nancy

  2. A few words about Taiwan and Academia Sinica ◮ Taiwan ( 台 灣 ) is an island south of China ◮ About 36,200 km 2 large ◮ Territory of the Republic of China (not to be confused with the People’s Republic of China) ◮ Capital is Taipei ( 台北 ) ◮ Marine tropical climate EdDSA signatures and Ed25519 2

  3. A few words about Taiwan and Academia Sinica ◮ Taiwan ( 台 灣 ) is an island south of China ◮ About 36,200 km 2 large ◮ Territory of the Republic of China (not to be confused with the People’s Republic of China) ◮ Capital is Taipei ( 台北 ) ◮ Marine tropical climate ◮ 99 summits over 3000 meters (highest peak: 3952 m) ◮ Wildlife includes black bears, salmon, monkeys . . . EdDSA signatures and Ed25519 2

  4. A few words about Taiwan and Academia Sinica ◮ Taiwan ( 台 灣 ) is an island south of China ◮ About 36,200 km 2 large ◮ Territory of the Republic of China (not to be confused with the People’s Republic of China) ◮ Capital is Taipei ( 台北 ) ◮ Marine tropical climate ◮ 99 summits over 3000 meters (highest peak: 3952 m) ◮ Wildlife includes black bears, salmon, monkeys . . . ◮ Academia Sinica is a research facility funded by ROC ◮ About 30 institutes ◮ More than 800 principal investigators, about 900 postdocs and more than 2200 students EdDSA signatures and Ed25519 2

  5. Introduction – the NaCl library EdDSA signatures and Ed25519 3

  6. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) EdDSA signatures and Ed25519 4

  7. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication EdDSA signatures and Ed25519 4

  8. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication ◮ We are willing to sacrifice compatibility to other crypto libraries EdDSA signatures and Ed25519 4

  9. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication ◮ We are willing to sacrifice compatibility to other crypto libraries ◮ At the end of 2010 the library contained ◮ the stream cipher Salsa20, ◮ the Poly1305 secret-key authenticator, and ◮ Curve25519 elliptic-curve Diffie-Hellman key-exchange software. EdDSA signatures and Ed25519 4

  10. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication ◮ We are willing to sacrifice compatibility to other crypto libraries ◮ At the end of 2010 the library contained ◮ the stream cipher Salsa20, ◮ the Poly1305 secret-key authenticator, and ◮ Curve25519 elliptic-curve Diffie-Hellman key-exchange software. ◮ This is wrapped in a crypto_box API that performs high-security public-key authenticated encryption ◮ This serves the typical one-to-one communication of most internet connections EdDSA signatures and Ed25519 4

  11. How it started ◮ My research during Ph.D. was within the European project CACE (Computer Aided Cryptography Engineering) ◮ One of the deliverables: Networking and Cryptography Library (NaCl, pronounced “salt”) ◮ Aim of this library: High-speed, high-security, easy-to-use cryptographic protection for network communication ◮ We are willing to sacrifice compatibility to other crypto libraries ◮ At the end of 2010 the library contained ◮ the stream cipher Salsa20, ◮ the Poly1305 secret-key authenticator, and ◮ Curve25519 elliptic-curve Diffie-Hellman key-exchange software. ◮ This is wrapped in a crypto_box API that performs high-security public-key authenticated encryption ◮ This serves the typical one-to-one communication of most internet connections ◮ Still required at the end of 2010: One-to-many authentication, i.e. cryptographic signatures EdDSA signatures and Ed25519 4

  12. Designing a public-key signature scheme ◮ Core requirements: 128-bit security, fast signing, fast verification, secure software implementation ◮ Obvious candidates: RSA, ElGamal, DSA, ECDSA, Schnorr . . . EdDSA signatures and Ed25519 5

  13. Designing a public-key signature scheme ◮ Core requirements: 128-bit security, fast signing, fast verification, secure software implementation ◮ Obvious candidates: RSA, ElGamal, DSA, ECDSA, Schnorr . . . ◮ Conventional wisdom: ECC is faster than anything based on factoring or the DLP in Z ∗ n ◮ (Twisted) Edwards curves support very fast arithmetic ◮ Edwards addition is complete (important for secure implementations) ◮ Curve25519 has an Edwards representation and offers very high security EdDSA signatures and Ed25519 5

  14. Designing a public-key signature scheme ◮ Core requirements: 128-bit security, fast signing, fast verification, secure software implementation ◮ Obvious candidates: RSA, ElGamal, DSA, ECDSA, Schnorr . . . ◮ Conventional wisdom: ECC is faster than anything based on factoring or the DLP in Z ∗ n ◮ (Twisted) Edwards curves support very fast arithmetic ◮ Edwards addition is complete (important for secure implementations) ◮ Curve25519 has an Edwards representation and offers very high security ◮ Looks like “some” signature scheme using Edwards arithmetic on Curve25519 is a good choice EdDSA signatures and Ed25519 5

  15. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme EdDSA signatures and Ed25519 6

  16. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme ◮ Verification speed primarily matters in applications that need to verify many signatures ◮ Idea: To get close to RSA verification speed, support batch verification EdDSA signatures and Ed25519 6

  17. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme ◮ Verification speed primarily matters in applications that need to verify many signatures ◮ Idea: To get close to RSA verification speed, support batch verification ◮ Easier: Verify batches of signatures under the same public key ◮ Harder (but much more useful!): Verify batches of signatures under different public keys ◮ We don’t know where the NaCl library is used, so support the latter EdDSA signatures and Ed25519 6

  18. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme ◮ Verification speed primarily matters in applications that need to verify many signatures ◮ Idea: To get close to RSA verification speed, support batch verification ◮ Easier: Verify batches of signatures under the same public key ◮ Harder (but much more useful!): Verify batches of signatures under different public keys ◮ We don’t know where the NaCl library is used, so support the latter ◮ None of the above-mentioned schemes supports fast batch verification ◮ Schnorr signatures only require small changes (and have many nice features anyways) EdDSA signatures and Ed25519 6

  19. One step back: Is ECC really faster than, e.g., RSA? ◮ RSA with public exponent e = 3 can verify signatures with just one modular multiplication and one squaring ◮ Very hard to beat with any elliptic-curve-based signature scheme ◮ Verification speed primarily matters in applications that need to verify many signatures ◮ Idea: To get close to RSA verification speed, support batch verification ◮ Easier: Verify batches of signatures under the same public key ◮ Harder (but much more useful!): Verify batches of signatures under different public keys ◮ We don’t know where the NaCl library is used, so support the latter ◮ None of the above-mentioned schemes supports fast batch verification ◮ Schnorr signatures only require small changes (and have many nice features anyways) ⇒ Start with Schnorr signatures, modify as required EdDSA signatures and Ed25519 6

Recommend

Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011

Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011

1 2 Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011 BernsteinDuifLange SchwabeYang: e.g. 2015 Chou software: Ed25519 signature scheme = on Intel Sandy Bridge (2011), EdDSA using conservative

2.15k views • 125 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1 ECC: Elliptic Curve Cryptography New algorithm for public key crypto Benefit Smaller key size for equivalent strength NOTE:

433 views • 16 slides
EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon

EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon

EdDSA for more curves Daniel J. Bernstein, University of Illinois at Chicago; TU/e Simon Josefsson, Simon Josefsson Datakonsult Tanja Lange, Technische Universiteit Eindhoven Peter Schwabe, Radboud Universiteit Bo-Yin Yang, Academia Sinica

352 views • 13 slides
Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The Netherlands Spring 2015 Crypto today Ephemeral ECDH on 256 -bit curve to compute shared key Use EdDSA signatures for public-key

1.43k views • 109 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
BIP32-Ed25519 Dmitry Khovratovich Jason Law University of Luxembourg Evernym, Inc. April 30th,

BIP32-Ed25519 Dmitry Khovratovich Jason Law University of Luxembourg Evernym, Inc. April 30th,

BIP32-Ed25519 Dmitry Khovratovich Jason Law University of Luxembourg Evernym, Inc. April 30th, 2017 Story of BIP32 Bitcoin wallet: Need of multiple addresses to minimize privacy leakage, every address is used just once; Single secret

633 views • 16 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the Importance of Leptonic Decays for Higgs Discovery) Brooks Thomas (The University of Arizona) Shufang Su & BT [arXiv:0903.0667] What do we know about

375 views • 26 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob

The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob

The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob Rees-Mogg Submitted to 10 Downing Street 21 March www.change.org Geographical spread of signatures Distribution of Signatures Bath East of

483 views • 13 slides
Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

M. Kutyowski Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital Signatures Qualified Signatures and Legal Framework Validity of the Signature Standard Implementation Risk Issues Reasons of

436 views • 42 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides
Signatures and grammars Signatures and grammars Why manual disambiguation in SDF?

Signatures and grammars Signatures and grammars Why manual disambiguation in SDF?

Signatures and grammars Signatures and grammars Why manual disambiguation in SDF? Associativity of binary operators y g y y Fully declarative definition of syntax Priorities between binary operators Implicit disambiguation

281 views • 6 slides
Why attribute-based signatures? The kind of authentication required in an attribute-based system

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek November 22, 2010 Abstract We introduce Attribute-Based Signatures (ABS) , a versatile primitive that allows a party to sign a message with fine-grained

864 views • 35 slides
DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA Flipping coins over the phone Why are digital signatures important? Compare with paper signatures Danger: Eve would like to use your

423 views • 7 slides
DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA Coin flipping over the phone RSA Signatures allow you to recover the message from the signature; ElGamal signatures dont ElGamal Sig

410 views • 14 slides
Synchronized Aggregate Signatures from the RSA Assumption Brent Waters Susan Hohenberger

Synchronized Aggregate Signatures from the RSA Assumption Brent Waters Susan Hohenberger

Synchronized Aggregate Signatures from the RSA Assumption Brent Waters Susan Hohenberger Aggregate Signatures [Boneh-Gentry-Lynn-Shacham03] Idea: Compress several signatures into one PK 3 PK 1 PK 2 PK n M 3 M 1 M 2 M n Sig 1 Sig 2 Sig

646 views • 23 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-19 1 Outline Waters signatures Overview over course topics General remarks Digital Signatures 2020-05-19 2 Recap:

250 views • 20 slides

More recommend