qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs
Joost Renes (1), Benjamin Smith (2)
(1) Radboud University; (2) INRIA and Laboratoire d'Informatique de l'École polytechnique
15 November 2017 (slide 1/24)
Curve-based crypto (slide 2/24, animation: the key material moves from full points Q to x-coordinates)
DH + EdDSA: Q1, Q2
DH + EdDSA: x1, Q2
DH + XEdDSA: x1, x2
DH + qDSA: x1, x2
Outline (slide 3/24)
(1) Quotient operations
(2) The qDSA scheme
(3) Instantiating with the x-line
(4) Instantiating with Kummer surfaces
Operations on quotient groups (slide 4/24)
Operations G → G:
(G1) P ↦ [λ]P
(G2) (P, Q) ↦ P + Q
On the quotient G/±1 a point is represented by x(P), which stands for the class {P, −P}.
Operations G/±1 → G/±1:
(Q1) x(P) ↦ x([λ]P)   (the class {[λ]P, −[λ]P})
(Q2) (x(P), x(Q)) ↦ {x(P + Q), x(P − Q)}   (the pair of classes {{P, −P}, {Q, −Q}} maps to {±(P ± Q)}, i.e. two candidate x-coordinates)
Schnorr signatures (slide 5/24)
Starting point: Schnorr signatures [Sch89]
(1) Schnorr identification scheme (group-based)
(2) Apply Fiat-Shamir to make it non-interactive
(3) Include the message to create a signature scheme
Schnorr identification on the quotient (qID) (slide 6/24)
Prover (x(P), x(Q), α)                    Comm.                 Verifier (x(P), x(Q))
r ←R Z_N^*
x(R) ← x([r]P)
                                      ---- x(R) ---->
                                                                 c ←R Z_N^+
                                      <---- c ------
s ← (r − c·α) mod N
                                      ---- s ------>
                                                                 x(R) ∈? {x([s]P ± [c]Q)}
(The group-based version checks R ?= [s]P + [c]Q.)
Need {x([s]P + [c]Q), x([s]P − [c]Q)} .. possible on G/±1!
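As an added illustration of slides 4 and 6 (not the authors' code), the qID exchange over the x-line of Curve25519: (Q1) is the Montgomery ladder, (Q2) appears as the quadratic whose two roots are x(S+T) and x(S−T), and the verifier tests x(R) against it without ever choosing a sign. Assumptions: the Z_N^+ challenge space is taken as {1, …, (N−1)/2}; the ladder is not constant-time, so this is for study, not deployment.

```python
# qID (Schnorr identification on G/+-1) on the x-line of Curve25519,
# y^2 = x^3 + A x^2 + x over GF(2^255-19). Illustration only, not constant-time.
import secrets
p = 2**255 - 19
A = 486662
A24 = (A - 2) // 4                                   # 121665, as in RFC 7748
N = 2**252 + 27742317777372353535851937790883648493  # prime order of P
XP = 9                                               # x(P), P the base point

def xmul(k, x):
    """(Q1): x(P) -> x([k]P) by the Montgomery ladder (k != 0 assumed)."""
    x2, z2, x3, z3 = 1, 0, x, 1                      # (x2:z2) = inf, (x3:z3) = P
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        if bit:                                      # keep (x3:z3) - (x2:z2) = P
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb = a * a % p, b * b % p
        e, da, cb = (aa - bb) % p, d * a % p, c * b % p
        x3, z3 = (da + cb) ** 2 % p, x * (da - cb) ** 2 % p   # differential add
        x2, z2 = aa * bb % p, e * (aa + A24 * e) % p          # doubling
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return x2 * pow(z2, p - 2, p) % p

def x_in_sum_or_diff(xr, xs, xt):
    """(Q2): x(S+T) and x(S-T) are the two roots of d*X^2 - m*X + e below,
    so test whether xr is one of them without choosing a sign."""
    d = (xs - xt) ** 2 % p
    if d == 0:                                       # S = +-T: the only finite
        return xr == xmul(2, xs)                     # candidate is x([2]S)
    m = 2 * ((xs + xt) * (xs * xt + 1) + 2 * A * xs * xt) % p
    e = (xs * xt - 1) ** 2 % p
    return (d * xr * xr - m * xr + e) % p == 0

def rand_mult(x):
    """Random k in Z_N^* with x([k]P): key pair (alpha, x(Q)) or commitment (r, x(R))."""
    k = secrets.randbelow(N - 1) + 1
    return k, xmul(k, x)

def challenge():
    return secrets.randbelow((N - 1) // 2) + 1       # c in Z_N^+ (assumed range)

def respond(r, c, alpha):
    return (r - c * alpha) % N                       # s = (r - c*alpha) mod N

def verify(xq, xr, c, s):
    """Accept iff x(R) in {x([s]P + [c]Q), x([s]P - [c]Q)}."""
    return x_in_sum_or_diff(xr, xmul(s, XP), xmul(c, xq))
```

The check works because [s]P + [c]Q = [r − cα]P + [cα]P = R, so x(R) is always one of the two roots; a wrong s leaves x(R) off the quadratic.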
qSIG and qDSA (slide 7/24)
Fiat-Shamir: qID ⇒ qSIG ⇒ qDSA   (compare: Schnorr ID ⇒ Schnorr sig. ⇒ EdDSA)
(1) Include the public key in the challenge
(2) Generate ephemeral secret r pseudo-randomly
Add countermeasures against side-channel attacks:
(3) Fault attacks on ephemeral scalar multiplication
  ◮ Add randomness into the hash for nonce generation
(4) Fault attacks on the base point (Mehdi's talk on Monday)
  ◮ Clamp, or add a small cofactor into the computation
  ◮ Verify correctness of the base point
Additional remarks (slide 8/24)
(1) Security reduction. Similar to the original Schnorr ID scheme
(2) Unified keys. Identical key pairs for DH and qDSA
(3) Key and signature sizes. 32-byte keys, 64-byte signatures (requires work in genus 2!)
(4) Verification. Two-dimensional scalar multiplication algorithms not available & no batching
Back to curves (slide 9/24)
Here, G is the Jacobian group J of a hyperelliptic curve of genus g
◮ Elliptic curves (g = 1) have J/±1 = P^1
◮ Hyperelliptic curves with g = 2 have J/±1 = K (a Kummer surface)
◮ For g ≥ 3 this does not scale well (index calculus)