
Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings



  1. Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings
     Xiu Xu [3,4,5], Christopher Leonardi [1], Anzo Teh [1], David Jao [1,2], Kunpeng Wang [3,4,5], Wei Yu [3,4,5], Reza Azarderakhsh [6]
     [1] Department of Combinatorics and Optimization, University of Waterloo
     [2] evolutionQ, Inc., Waterloo, Ontario, Canada
     [3] State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
     [4] Data Assurance and Communications Security Research Center, Beijing, China
     [5] School of Cyber Security, University of Chinese Academy of Sciences
     [6] Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University
     PQ Digital Signature Improvements, November 28 2019

  2. 1. Introduction; 2. Digital Signature Scheme (Elliptic Curve Background, GPS Signatures); 3. Our Improvements (#1: Isogeny-to-Ideal, #2: Ideal-to-Isogeny, #3: Parallel Instances, Performance); 4. Conclusion

  5. Introduction
     Topic of discussion: Galbraith-Petit-Silva digital signature scheme (AsiaCrypt 2017).
     Implementations are not widely available because:
     – one subroutine is mathematically complicated, and
     – signing would be too inefficient to be practical.
     Our work presents three major ways to improve efficiency, and implements the scheme in SAGE.

  10. Digital Signature Scheme: Elliptic Curve Background
      – Elliptic curve $E : y^2 = x^3 + ax + b$ over a finite field $\mathbb{F}_{p^n}$ is a finite Abelian group (operation is "+", identity is $\infty$).
      – The $m$-torsion subgroup $E[m] = \{ P \in E(\mathbb{F}_p) : [m]P = \infty \}$.
      – If $\forall r \in \mathbb{N}$, $E[p^r] = \{\infty\}$, then $E$ is called supersingular. Otherwise $\forall r \in \mathbb{N}$, $E[p^r] \cong \mathbb{Z}/p^r\mathbb{Z}$ and $E$ is called ordinary.
      – The $j$-invariant is a unique element of $\mathbb{F}_{p^n}$ associated to each $\mathbb{F}_{p^n}$-isomorphism family of elliptic curves:
        $j(E) = 1728 \, \frac{4a^3}{4a^3 + 27b^2} \in \mathbb{F}_{p^n}$
      – Supersingular elliptic curves are always defined over $\mathbb{F}_{p^2}$.

  16. Digital Signature Scheme: Elliptic Curve Background
      – Isogenies are rational morphisms between elliptic curves, and have associated degrees.
        e.g. $E(\mathbb{F}_{23}) : y^2 = x^3 + x$, $E'(\mathbb{F}_{23}) : y^2 = x^3 + 13$, $\phi : E(\mathbb{F}_{23}) \to E'(\mathbb{F}_{23})$, $\deg(\phi) = 3$,
        $\phi(x, y) = \left( \frac{x^3 + 10x^2 + 16x + 10}{x^2 + 10x + 2}, \ \frac{(x^3 + 15x^2 + 15x + 14)\,y}{x^3 + 15x^2 + 6x + 10} \right)$
      – Isogenies can be composed: if $\phi : E_1 \to E_2$ has degree $d_1$, and $\psi : E_2 \to E_3$ has degree $d_2$, then $\psi \circ \phi : E_1 \to E_3$ has degree $d_1 d_2$.
      – The endomorphism ring of an elliptic curve, $\mathrm{End}(E)$, is the (non-commutative) ring of all isogenies from $E$ to itself.
      – Right ideals of $\mathrm{End}(E)$ are associated to isogenies with domain $E$.
      – Knowledge of an elliptic curve's endomorphism ring can be used as Trapdoor Information.

  17. Digital Signature Scheme: Elliptic Curve Background
      Hard and Easy Problems with Isogenies
      Consider a supersingular $E(\mathbb{F}_{p^2})$, and a hash function $H$ which outputs isogenies with domain $E$.

      |                        | End(E) known | End(E) unknown |
      |------------------------|--------------|----------------|
      | Preimage resistant     | ✓            | ✓              |
      | 2nd Preimage resistant | ✗            | ✓              |
      | Collision resistant    | ✗            | ✓              |

  18. Digital Signature Scheme: Elliptic Curve Background
      Easy Problems | Hard Problems
      Let $E(\mathbb{F}_{p^2})$ be a supersingular elliptic curve.
      Given $E$, compute an arbitrary isogeny with domain $E$ and smooth degree (e.g. $2^m$).
      [1] Kohel, Lauter, Petit, Tignol, "On the quaternion ℓ-isogeny path problem", 2014.
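
Added example, not part of the original slides: a brute-force check of the degree-3 isogeny example from the Elliptic Curve Background slides. It enumerates $E(\mathbb{F}_{23})$, confirms that $\phi$ lands on $E'$, respects the group law and has a kernel of size 3, and evaluates the slides' $j$-invariant formula; all function and variable names are this example's own.

```python
P_MOD = 23                  # the slide's example works over F_23
E1, E2 = (1, 0), (0, 13)    # (a, b) for E: y^2 = x^3 + x and E': y^2 = x^3 + 13
INF = None                  # point at infinity (group identity)

def inv(n):
    return pow(n % P_MOD, -1, P_MOD)

def on_curve(curve, pt):
    if pt is INF:
        return True
    (a, b), (x, y) = curve, pt
    return (y * y - (x ** 3 + a * x + b)) % P_MOD == 0

def points(curve):
    return [INF] + [(x, y) for x in range(P_MOD) for y in range(P_MOD)
                    if on_curve(curve, (x, y))]

def add(curve, p1, p2):     # chord-and-tangent group law on y^2 = x^3 + ax + b
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + curve[0]) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def j_invariant(curve):
    a, b = curve            # slide formula: 1728 * 4a^3 / (4a^3 + 27b^2)
    return 1728 * 4 * a ** 3 * inv(4 * a ** 3 + 27 * b * b) % P_MOD

def phi(pt):                # the slide's map; a vanishing denominator marks the kernel
    if pt is INF or (pt[0] ** 2 + 10 * pt[0] + 2) % P_MOD == 0:
        return INF
    x, y = pt
    fx = (x**3 + 10*x**2 + 16*x + 10) * inv(x**2 + 10*x + 2)
    fy = (x**3 + 15*x**2 + 15*x + 14) * y * inv(x**3 + 15*x**2 + 6*x + 10)
    return (fx % P_MOD, fy % P_MOD)

def check():
    pts = points(E1)
    kernel = [p for p in pts if phi(p) is INF]
    lands_on_e2 = all(on_curve(E2, phi(p)) for p in pts)
    is_hom = all(phi(add(E1, p, q)) == add(E2, phi(p), phi(q))
                 for p in pts for q in pts)
    return len(pts), kernel, lands_on_e2, is_hom
```

Both curves have $p + 1 = 24$ points over $\mathbb{F}_{23}$, which for a curve over a prime field with $p > 3$ is equivalent to being supersingular, and the kernel size matches $\deg(\phi) = 3$.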
