Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco

Transcription

1 Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco Department of Computer Science and Engineering Indian Institute of Technology Kharagpur, West Bengal, India.

2 Outline Introduction Batch Verification ECDSA Parameters Solving the Multivariate Equations A Strategy for Faster Equation Generation Retrieving the Unknown y-coordinates Analysis of Algorithm S1 Analysis of Algorithm S2 Algorithm S1 Algorithm S2

3 Digital Signature Batch Verification The term Digital Signature was coined by Diffie and Hellman (1976). RSA was introduced at Digital Signature helps us to achieve both Source Authentication and Data Integrity. Digital Signature algorithms based on two popular pubic-key algorithms: RSA signature scheme: based on the difficulty of factoring large composite integers. ElGamal signature scheme: based on discrete logarithms problem.

4 Digital Signature Batch Verification Standards on ElGamal scheme: The digital signature algorithm (DSA). The elliptic curve digital signature algorithm (ECDSA). Verification an ElGamal-like signature needs at least 2 finite-field exponentiations (for DSA) or 2 elliptic-curve scalar multiplications (for ECDSA).

5 Batch Verification Batch Verification Batch verification is used to verify multiple digital signatures in time less than total individual verification time. Introduced by Naccache et. al. in EuroCrypt 94. Harn, in 1998, proposes an efficient scheme for the batch verification of RSA signatures. These protocols are not directly applicable to ECDSA signatures. ECDSA requires smaller key and signature sizes than DSA and RSA. ECDSA*, a modification of ECDSA, permits an easy adaptation of Naccache s method. Cheon and Yi report speedup up to 7 for same signer and 4 for different signers for batch verification of ECDSA* signatures.

6 Batch Verification Batch Verification ECDSA* is unacceptable protocol because of the following reasons: Yet not accepted as a standard. Not applicable where interoperability is of concern. Batch verification of original ECDSA signatures turns out to be a practically important open research problem. The proposed algorithms are based upon symbolic manipulation on elliptic-curve points.

7 Batch Verification Summary Several algorithms for batch verification of ECDSA signatures are proposed. One of them is based upon the naive idea of taking square roots in the underlying field We propose two other algorithms which replace square-root computations by symbolic manipulations to achieve better speedup. Maximum speedup is obtained above 6 for small ( 8) batch sizes and same signer.

8 ECDSA Parameters ECDSA Parameters ECDSA Parameters: q = Order of the prime field F q. E = An elliptic curve y 2 = x 3 + ax + b defined over the prime field F q. P = A random non-zero base point in E(F q ). n = The order of P, typically a prime. h = The cofactor E(F q ) /n. Assumptions: h = 1. E(Fq) is a cyclic group. P is a generator of E(Fq). The x-coordinates of a few points on E has two representatives modulo n.

9 ECDSA Parameters ECDSA Key-pair Generation Private key d (1, n 1). Public key Q = dp.

10 ECDSA Parameters s Generation of ECDSA signature (r, s) on a message M. 1. k = A randomly chosen element in the range [1, n 1] (the session key). 2. R = kp. 3. r = x(r) (the x-coordinate of R) reduced modulo n. 4. s = k 1 (H(M) + dr)(mod n) (where H is a cryptographic hash function like SHA-1). Verification of ECDSA signature (r, s) on a message M. 1. w = s 1 (mod n). 2. u = H(M)w (mod n). 3. v = rw (mod n). 4. R = up + vq. 5. Accept the signature if and only if x(r) = r (mod n).

11 For t signed messages (M i, r i, s i ), i = 1, 2,..., t, we have ( t t ) t R i = u i P + v i Q i. (1) i=1 i=1 If all the signatures belong to the same signer, we have Q 1 = Q 2 = = Q t = Q (say), and the last equation simplifies to: ( t t ) ( t ) R i = u i P + v i Q. (2) i=1 i=1 Reduces the number of scalar multiplications from 2t to an integer in the interval [2, t + 1]. x-coordinates of R i are known. Two y-coordinates corresponding to a given x-coordinate. Usually 2 t choices of the square roots. i=1 i=1

12 ECDSA Batch Verification Algorithm N 1. Compute w i = s 1 i (mod n) for all i = 1, 2,..., t. 2. Compute u i = H(M i )w i (mod n) for all i = 1, 2,..., t. 3. Compute v i = r i w i (mod n) for all i = 1, 2,..., t. 4. Compute R = ( t i=1 u i)p + t i=1 v iq i E(F q ). Club together the points Q i from same signers during the computation of R. For example, if all the signatures belong to the same signer, compute R as ( t i=1 u i)p + ( t i=1 v i)q. 5. For each i = 1, 2,..., t, if ri 3 + ar i + b is neither zero nor a quadratic residue modulo q, reject the i-th signature, and remove it from the batch. 6. For i = 1,..., t, compute the square roots of ri 3 + ar i + b modulo q. 7. For each square root y i of ri 3 + ar i + b for all i = 1, 2,..., t,if R = t i=1 (r i, y i ), accept all the signatures. 8. Reject all the signatures.

13 ECDSA Batch Verification Algorithm N A single extra bit of information in an ECDSA signature can remove the ambiguity. Avoid the Θ(2 t ) overhead. This updated (and efficient) version of the naive algorithm will henceforth be denoted by Algorithm N.

14 Symbolic Computation of R = Solving the Multivariate Equations A Strategy for Faster Equation Generation Retrieving the Unknown y-coordinates Analysis of Algorithm S1 t i=1 Let R i = (x i, y i ), where x i = r i or x i = r i + n. x i = r i + n has a very low probability. So we assume x i = r i. yi 2 = ri 3 + ar i + b (mod q) (3) for all i = 1, 2,..., t. Elliptic Curve Point Addition rule: Let P1 = (h 1, k 1) and P 2 = (h 2, k 2), and P 1, P 2 0 and P 1 ±P 2. P1 + P 2 = (h, k) on E computed as follows: R i λ = (k 2 k 1)/(h 2 h 1), (4) h = λ 2 h 1 h 2, (5) k = λ(h 1 h) k 1. (6)

15 Symbolic Computation of R = Solving the Multivariate Equations A Strategy for Faster Equation Generation Retrieving the Unknown y-coordinates Analysis of Algorithm S1 t i=1 Apply addition formula repeatedly. R = t i=1 R i: ( gx (y 1, y 2,..., y t ) R = h x (y 1, y 2,..., y t ), g ) y (y 1, y 2,..., y t ), (7) h y (y 1, y 2,..., y t ) g x, g y, h x, h y are polynomials in F q [y 1, y 2,..., y t ]. In view of Eqn (3), y i -degrees 1 for all i = 1, 2,..., t. The denominator h x (y) = u(y 2, y 3,..., y t )y 1 + v(y 2, y 3,..., y t ). Multiplying both g x and h x by u(y 2, y 3,..., y t )y 1 v(y 2, y 3,..., y t ) and use Eqn (3). This eliminates y 1 from the denominator. Repeat this method successively to eliminate y 2, y 3,..., y t. R i

16 Symbolic Computation of R = Solving the Multivariate Equations A Strategy for Faster Equation Generation Retrieving the Unknown y-coordinates Analysis of Algorithm S1 t i=1 Represent the point R as a pair of polynomial expressions: R i R = (R x (y 1, y 2,..., y t ), R y (y 1, y 2,..., y t )) (8) Polynomials R x and R y linear individually with respect to all y i. Using Eqn (1) or Eqn (2), we compute R as R = (α, β) for some α, β F q. R x (y 1, y 2,..., y t ) = α, (9) R y (y 1, y 2,..., y t ) = β. (10)

17 Solving the Multivariate Equations Solving the Multivariate Equations A Strategy for Faster Equation Generation Retrieving the Unknown y-coordinates Analysis of Algorithm S1 We treat Eqns (9) and (10) as linear equations in the monomials y i, y i y j, y i y j y k. m = 2 t. Total number of such monomials is µ = 2 t 1 1 = m 2 1 in R x or R y. Rename these monomials as z 1, z 2,..., z µ. Rewrite Eqn (9) as ρ 1,1 z 1 + ρ 1,2 z ρ 1,µ z µ = α 1. (11) Repeatedly square both sides of this equation and use Eqn (3) to eliminate all squares of variables. We generate a total of µ linear equations. If the system is not of full rank, use of Eqn (10).

18 Solving the Multivariate Equations A Strategy for Faster Equation Generation Retrieving the Unknown y-coordinates Analysis of Algorithm S1 A Strategy for Faster Equation Generation Let ρ 1 z 1 + ρ 2 z ρ µ z µ = γ (12) Let f (z 1, z 2,..., z µ ) be any F q -linear combination of the monomials z 1, z 2,..., z µ. (ρ 1 z 1 + ρ 2 z ρ µ z µ )f (z 1, z 2,..., z µ ) = γf (z 1, z 2,..., z µ ) and use Eqn (3). This again yields a linear equation in z 1, z 2,..., z µ. Choice f (z 1, z 2,..., z µ ) = z i with a small degree of z i typically leads to a faster generation full-rank system. Only R x suffices to generate a uniquely solvable linearized system.

19 Retrieving the Unknown y-coordinates Solving the Multivariate Equations A Strategy for Faster Equation Generation Retrieving the Unknown y-coordinates Analysis of Algorithm S1 The final step is the determination of the y-coordinates y i of the points R i. Solving the multivariate linear system for monomials. Use R y [Eqn (10)] to retrieve all the unknown y-coordinates. We accept all the signatures if and only x(r (1) ) = x(r (2) ) if yi 2 = ri 3 + ar i + b (mod q) for all i = 1, 2,..., t.

20 Solving the Multivariate Equations A Strategy for Faster Equation Generation Retrieving the Unknown y-coordinates Analysis of Algorithm S1 Example of linearized system where t = 3 ρ 1,1 ρ 2,1 ρ 3,1 ρ 1,2 ρ 2,2 ρ 3,2 ρ 1,3 ρ 2,3 ρ 3,3 z 1 z 2 z 3 = γ 1 γ 2 γ 3

21 Analysis of Algorithm S1 Solving the Multivariate Equations A Strategy for Faster Equation Generation Retrieving the Unknown y-coordinates Analysis of Algorithm S1 1. Running Time: The running time = Θ(m 3 ) field operations. Algorithm S1 becomes impractical for bigger values of t. 2. Unique Solvability of the Linearized System: The µ µ system Mz = b is uniquely solvable if det M = D(r 1, r 2,..., r t) 0, where r 1, r 2,..., r t are symbols. Assume, D is not identically zero. δ = maximum degree of each individual ri in D. δ 2 2t+3 log 2 t t t 1 +2t+3 log 2 t +1. Maximum number of roots of D tδq t 1 and total number of t-tuples (r 1, r 2,..., r t) over F q is q t. Pr[A randomly chosen tuple (r1, r 2,..., r t) is a root of D] tδq t 1 /q t = tδ/q. If t 6, δ 2 54 and q 2 160, Pr Security Analysis: We have proved that Algorithm S1 is as secure as ECDSA* batch verification.

22 Algorithm S2 Introduction Analysis of Algorithm S2 It was designed in order to avoid the linearization stage (O(m 2 t) field operations) and the Gaussian-elimination stage of Algorithm S1. Determine each y i correctly up to multiplication by ±1. Multivariate equation (linear in y i ) can be written as uy i + v = 0 (where u, v are polynomials in y 1,..., y i 1, y i+1,..., y t ). Multiplying this equation by uy i v so that ±y i satisfy u 2 yi 2 v 2 = ui 2(r i 3 + ar i + b) vi 2 = 0 [ yi 2 = ri 3 + ar i + b]. Like Algorithm S1, symbolically compute R = t i=1 R i = (R x, R y ) to arrive the multivariate equation R x α = 0. First eliminate y 1, and use substitution given by Eqn (3) for i = 2, 3,..., t to arrive at a linear multivariate equation in y 2, y 3,..., y t. Eliminate y i for i = 2, 3,..., t, using the same method. If the polynomial reduces to zero, accepts all the signatures.

23 Analysis of Algorithm S2 Analysis of Algorithm S2 1. Running Time: The time complexity of Algorithm S2 is O(mt 2 ) field operations, which is significantly better than the O(m 3 ) operations needed by Algorithm S1. Moreover, Algorithm S2 outperforms Algorithm N for a wide range of t and q. 2. Security Analysis: It was proved that Algorithm S2 is as secure as ECDSA* batch verification.

24 Algorithm S1 Algorithm S2 In Algorithm S1, the costliest steps are generating and solving the system of linearized equations, which needs Θ(m 3 ) field operations. In Algorithm S2, the symbolic computation of R = (R x, R y ) is the most time-consuming step(θ(mt 2 ) field operations). The elimination phase of S2 also needs Θ(mt 2 ) operations. Strategy to reduce the number of monomials in Algorithms S1 and S2: P Let R = t i=1 R i, R = (α, β) and τ = t/2. Symbolically compute the two sums: R (1) = P τ i=1 R i and R (2) = R P t i=τ+1 R i. R (1) and R (2) contain only Θ(2 τ ) = m) non-zero terms which need Θ(2 τ τ 2 ) to compute. Θ( mt 2 ) field operations which is significantly smaller than the Θ(mt 2 ) operations. The condition R = R is equivalent to R (1) = R (2).

25 Algorithm S1 Introduction Algorithm S1 Algorithm S2 Replace the equations R x = α and R y = β by the two equations x(r (1) ) = x(r (2) ) and y(r (1) ) = y(r (2) ), in Algorithm S1. The number of non-zero terms in x(r (1) ) and y(r (1) ) is 2 τ 1 = m 2. Because of presence of R = (α, β) on the right side of the expression for R (2), x(r (2) ) and y(r (2) ) contain all (square-free) monomials in y τ+1, y τ+2,..., y t (both even and odd degrees). There are exactly 2 t/2 1 m 1 monomials. There are only the even-degree monomials in y 1, y 2,..., y τ and all monomials in y τ+1, y τ+2,..., y t. keep on squaring the equation x(r (1) ) = x(r (2) ) (and y(r (1) ) = y(r (2) )) to obtain a full-rank system of Θ( m) linearized variables. Solving the system needs Θ(m 3/2 ) field operations. Call this efficient variant of S1 as S1. The security is same as S1.

26 Algorithm S2 Introduction Algorithm S1 Algorithm S2 Replace the starting equation φ = R x α of Algorithm S2 with Then repeatedly eliminate y 1, y 2,..., y t. φ = x(r (1) ) x(r (2) ). (13) Initial expression of φ contains much less number of monomials than in the original Algorithm S2. Elimination of y 1 makes φ almost full through introduction of many new monomials in φ. The theoretical running time of S2, same as that of S2, is Θ(mt 2 ) field operations. Still, the effects of our heuristic are clearly noticeable in practical implementations. Call this efficient variant of S2 as S2.

27 Implemented using the GP/PARI calculator. Choice of this implementation platform is dictated by 1. the symbolic-computation facilities. 2. an easy user interface All experiments are carried out in a 2.33 MHz Xeon server. Mandriva Linux Version The GNU C compiler is used for compiling the GP/PARI calculator.

28 The maximum speedup achieved is 6.20 in the case of same signer. The maximum speedup achieved is 1.70 in the case of different signers. Both these records are achieved by Algorithm S2 for the curve P-521 and for the batch size t = 7.

29 Small curve P-192 and Same signer

30 Small curve P-192 and Different signers

31 Large curve P-521 and Same signer

32 Large curve P-521 and and Different signers

33 There are several ways to extend our study, some of which are listed below. We described a way to reduce the running time of the symbolic-addition phase of Algorithm S2 from O(mt 2 ) to O( mt 2 ). An analogous speedup for the elimination phase would be very useful. Our best symbolic-computation algorithm runs in O(mt 2 ) time. Removal of a factor of t would be useful to achieve higher speedup values. It is of interest to study our algorithms in conjunction with the earlier works on ECDSA*. Our batch verification algorithms can be easily ported to other curves (like the Koblitz and Pseudorandom families recommended by NIST).

34 W. Diffie and M. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. 22, , R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and pubic-key cryptosystem, Communications of the ACM, Vol. 2, , T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory, Vol. 31, , NIST, Digital Signature Standard (DSS), /Draft-FIPS-186-3%20 March2006.pdf, ANSI, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), ANSI X9.62, approved January 7, D. Johnson and A. Menezes, The Elliptic Curve Digital Signature Algorithm (ECDSA), International Journal on Information Security, Vol. 1, 36 63, 2001.

35 D. Naccache, D. M Raihi, D. Rapheali and S. Vaudenay, Can D.S.A. be improved: Complexity trade-offs with the digital signature standard, EuroCrypt 94, LNCS Vol. 950, 77 85, L. Harn, Batch verifying multiple RSA digital signatures, Electronics Letters, Vol. 34, No. 12, , M.-S. Hwang, I.-C. Lin, K.-F. Hwang, Cryptanalysis of the Batch Verifying Multiple RSA Digital Signatures, Informatica, 2000, Vol. 11, No. 1, 15 19, A. Antipa, D. Brown, R. Gallant, R. Lambert, R. Struik, and S. Vanstone, Accelerated verification of ECDSA signatures, SAC 2005, LNCS Vol. 3897, , J. H. Cheon and J. H. Yi, Fast batch verification of multiple signatures, PKC 2007, LNCS Vol. 4450, , A. Das, D. Roy Choudhury, D. Bhattacharya, S. Rajavelu, R. Shorey and T. Thomas, Authentication schemes for VANETs: A survey, International Journal of Vehicle Information and Communication Systems, in press.

36 NIST, Recommended elliptic curves for federal government use, July NIST, Secure Hash Standard (SHS), /fips 180-3/draft fips June pdf,2007. PARI Group, PARI/GP Development Headquarters,

37 Thank You!