Batch Verification of ECDSA Signatures
AfricaCrypt 2012, Ifrane, Morocco
Sabyasachi Karati
Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, West Bengal, India
Outline
- Introduction
  - Batch Verification
- ECDSA Algorithm
  - ECDSA Parameters
- A Naive Algorithm for ECDSA Batch Verification
- A New Batch-verification Algorithm for ECDSA (S1)
  - Solving the Multivariate Equations
  - A Strategy for Faster Equation Generation
  - Retrieving the Unknown y-coordinates
  - Analysis of Algorithm S1
- A More Efficient Batch-verification Algorithm (S2)
  - Analysis of Algorithm S2
Batch Verification
- ECDSA* is an unacceptable protocol for the following reasons:
  - Not yet accepted as a standard.
  - Not applicable where interoperability is of concern.
- Batch verification of original ECDSA signatures turns out to be a practically important open research problem.
- The proposed algorithms are based upon symbolic manipulation on elliptic-curve points.
ECDSA Batch Verification Algorithm N
1. Compute $w_i = s_i^{-1} \pmod{n}$ for all $i = 1, 2, \ldots, t$.
2. Compute $u_i = H(M_i)\,w_i \pmod{n}$ for all $i = 1, 2, \ldots, t$.
3. Compute $v_i = r_i w_i \pmod{n}$ for all $i = 1, 2, \ldots, t$.
4. Compute $R' = \left(\sum_{i=1}^{t} u_i\right) P + \sum_{i=1}^{t} v_i Q_i \in E(\mathbb{F}_q)$.
   Club together the points $Q_i$ from the same signers during the computation of $R'$. For example, if all the signatures belong to the same signer, compute $R'$ as $\left(\sum_{i=1}^{t} u_i\right) P + \left(\sum_{i=1}^{t} v_i\right) Q$.
5. For each $i = 1, 2, \ldots, t$, if $r_i^3 + a r_i + b$ is neither zero nor a quadratic residue modulo $q$, reject the $i$-th signature, and remove it from the batch.
6. For $i = 1, \ldots, t$, compute the square roots of $r_i^3 + a r_i + b$ modulo $q$.
7. For each square root $y_i$ of $r_i^3 + a r_i + b$ for all $i = 1, 2, \ldots, t$, if $R' = \sum_{i=1}^{t} (r_i, y_i)$, accept all the signatures.
8. Reject all the signatures.
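Algorithm N above, carried out in pure Python as an added example (it is not code from the slides or from the author). The curve (secp256k1), SHA-256 as H, and the helper names `add`, `mul`, `sign` and `batch_verify_N` are assumptions made for this example. It treats each r_i as the x-coordinate of R_i, which holds on this curve except with negligible probability; it rejects the whole batch at step 5 instead of removing the offending signature, and it does not club together points of the same signer.

```python
import hashlib
from functools import reduce
from itertools import product

# Assumed curve: secp256k1, y^2 = x^3 + A*x + B over F_Q, base point P of prime order N.
Q, A, B = 2**256 - 2**32 - 977, 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % Q == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q) % Q
    else: lam = (y2 - y1) * pow((x2 - x1) % Q, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def mul(k, pt):
    acc = None                                   # double-and-add
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, k, msg):
    """Textbook ECDSA with a caller-supplied nonce k (fixed only for a repeatable demo)."""
    r = mul(k, P)[0] % N
    return r, pow(k, -1, N) * (H(msg) + d * r) % N

def batch_verify_N(batch):
    """batch: list of (message, (r, s), public key Q_i); True iff Algorithm N accepts."""
    u_sum, rhs, cands = 0, None, []
    for msg, (r, s), Qi in batch:
        if not (0 < r < N and 0 < s < N): return False  # ECDSA range check (not on the slide)
        w = pow(s, -1, N)                        # step 1
        u_sum = (u_sum + H(msg) * w) % N         # step 2, summed for step 4
        rhs = add(rhs, mul(r * w % N, Qi))       # steps 3-4: running sum of v_i * Q_i
        z = (r**3 + A * r + B) % Q
        y = pow(z, (Q + 1) // 4, Q)              # step 6: square root, valid as Q = 3 mod 4
        if y * y % Q != z: return False          # step 5 (simplified): reject whole batch
        cands.append([(r, y), (r, -y % Q)])
    rhs = add(rhs, mul(u_sum, P))                # R'
    return any(reduce(add, c, None) == rhs for c in product(*cands))  # steps 7-8
```

The final line enumerates up to 2^t sign combinations, which is the cost the symbolic algorithms S1 and S2 are designed to avoid.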
Analysis of Algorithm S1
1. Running Time: The running time = $\Theta(m^3)$ field operations. Algorithm S1 becomes impractical for bigger values of $t$.
2. Unique Solvability of the Linearized System:
   - The $\mu \times \mu$ system $Mz = b$ is uniquely solvable if $\det M = D(r_1, r_2, \ldots, r_t) \neq 0$, where $r_1, r_2, \ldots, r_t$ are symbols.
   - Assume $D$ is not identically zero.
   - $\delta$ = maximum degree of each individual $r_i$ in $D$.
   - $\delta \le \left(2^{2t + 3\lceil \log_2 t \rceil + 2} + 3\right)\left(2^{2^{t-1} - 1} - 1\right) \approx 2^{2^{t-1} + 2t + 3\lceil \log_2 t \rceil + 1}$.
   - Maximum number of roots of $D$ $\le t\delta q^{t-1}$, and the total number of $t$-tuples $(r_1, r_2, \ldots, r_t)$ over $\mathbb{F}_q$ is $q^t$.
   - $\Pr[\text{a randomly chosen tuple } (r_1, r_2, \ldots, r_t) \text{ is a root of } D] \le t\delta q^{t-1}/q^t = t\delta/q$.
   - If $t \le 6$, $\delta \le 2^{54}$ and $q > 2^{160}$, $\Pr \le 2^{-103}$.
3. Security Analysis: We have proved that Algorithm S1 is as secure as ECDSA* batch verification.
Analysis of Algorithm S2
1. Running Time: The time complexity of Algorithm S2 is $O(mt^2)$ field operations, which is significantly better than the $O(m^3)$ operations needed by Algorithm S1. Moreover, Algorithm S2 outperforms Algorithm N for a wide range of $t$ and $q$.
2. Security Analysis: It was proved that Algorithm S2 is as secure as ECDSA* batch verification.
Algorithm S1′
- Replace the equations $R_x = \alpha$ and $R_y = \beta$ by the two equations $x(R^{(1)}) = x(R^{(2)})$ and $y(R^{(1)}) = y(R^{(2)})$ in Algorithm S1.
- The number of non-zero terms in $x(R^{(1)})$ and $y(R^{(1)})$ is $2^{\tau - 1} = \frac{\sqrt{m}}{2}$.
- Because of the presence of $R' = (\alpha, \beta)$ on the right side of the expression for $R^{(2)}$, $x(R^{(2)})$ and $y(R^{(2)})$ contain all (square-free) monomials in $y_{\tau+1}, y_{\tau+2}, \ldots, y_t$ (both even and odd degrees).
- There are exactly $2^{\lfloor t/2 \rfloor} - 1 \le \sqrt{m} - 1$ monomials.
- There are only the even-degree monomials in $y_1, y_2, \ldots, y_\tau$ and all monomials in $y_{\tau+1}, y_{\tau+2}, \ldots, y_t$.
- Keep on squaring the equation $x(R^{(1)}) = x(R^{(2)})$ (and $y(R^{(1)}) = y(R^{(2)})$) to obtain a full-rank system of $\Theta(\sqrt{m})$ linearized variables.
- Solving the system needs $\Theta(m^{3/2})$ field operations.
- Call this efficient variant of S1 Algorithm S1′.
- The security is the same as that of S1.