qdsa: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs

Size: px

Start display at page:

Download "qdsa: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs"

Virgil Willis
6 years ago
Views:

1 qdsa: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1 Benjamin Smith 2 1 Radboud University 2 INRIA and Laboratoire d Informatique de l École polytechnique 15 November November / 24

2 Curve-based crypto DH EdDSA 15 November / 24

3 Curve-based crypto DH EdDSA Q 1, Q 2 15 November / 24

4 Curve-based crypto DH EdDSA x 1, Q 2 15 November / 24

5 Curve-based crypto DH XEdDSA x 1, x 2 15 November / 24

6 Curve-based crypto DH qdsa x 1, x 2 15 November / 24

7 Curve-based crypto DH qdsa x 1, x 2 15 November / 24

8 Outline (1) Quotient operations (2) The qdsa scheme (3) Instantiating with the x-line (4) Instantiating with Kummer surfaces 15 November / 24

9 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q 15 November / 24

10 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 Operations G/ ± 1 G/ ± 1 15 November / 24

11 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 Operations G/ ± 1 G/ ± 1 15 November / 24

12 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) Operations G/ ± 1 G/ ± 1 15 November / 24

13 Operations on quotient groups {P, P} G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) Operations G/ ± 1 G/ ± 1 15 November / 24

14 Operations on quotient groups {P, P} G {[λ]p, [λ]p} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) Operations G/ ± 1 G/ ± 1 15 November / 24

15 Operations on quotient groups {P, P} G {[λ]p, [λ]p} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) x([λ]p) Operations G/ ± 1 G/ ± 1 15 November / 24

16 Operations on quotient groups {P, P} G {[λ]p, [λ]p} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) x([λ]p) Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24

17 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24

18 Operations on quotient groups {{P, P}, {Q, Q}} G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24

19 Operations on quotient groups {{P, P}, {Q, Q}} G {±(P ± Q)} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24

20 Operations on quotient groups {{P, P}, {Q, Q}} G {±(P ± Q)} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) {x(p ± Q)} Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24

21 Operations on quotient groups {{P, P}, {Q, Q}} G {±(P ± Q)} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) {x(p ± Q)} Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) (Q2) (x(p), x(q)) {x(p + Q), x(p Q)} 15 November / 24

22 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) (Q2) (x(p), x(q)) {x(p + Q), x(p Q)} 15 November / 24

23 Schnorr signatures Starting point: Schnorr signatures [Sch89] (1) Schnorr identification scheme (group-based) (2) Apply Fiat-Shamir to make it non-interactive (3) Include message to create a signature scheme 15 November / 24

24 Schnorr signatures Starting point: Schnorr signatures [Sch89] (1) Schnorr identification scheme (group-based) (2) Apply Fiat-Shamir to make it non-interactive (3) Include message to create a signature scheme 15 November / 24

25 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) 15 November / 24

26 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N 15 November / 24

27 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N R [r]p R 15 November / 24

28 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N R [r]p R c c R Z N 15 November / 24

29 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N R [r]p R c c R Z N s (r c α) mod N s 15 November / 24

30 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N R [r]p R c c R Z N s (r c α) mod N s R? = [s]p + [c]q 15 November / 24

31 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N R [r]p R c c R Z N s (r c α) mod N s R? = [s]p + [c]q 15 November / 24

32 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N x(r) x([r]p) x(r) c c R Z N s (r c α) mod N s R? = [s]p + [c]q 15 November / 24

33 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N x(r) x([r]p) x(r) c c R Z N s (r c α) mod N s R? = [s]p + [c]q 15 November / 24

34 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N x(r) x([r]p) x(r) c c R Z N s (r c α) mod N s x(r)? {x([s]p ± [c]q)} Need {x([s]p + [c]q), x([s]p [c]q)}.. possible on G / ±1! 15 November / 24

35 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N x(r) x([r]p) x(r) c c R Z + N s (r c α) mod N s x(r)? {x([s]p ± [c]q)} Need {x([s]p + [c]q), x([s]p [c]q)}.. possible on G / ±1! 15 November / 24

36 qsig and qdsa qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) 15 November / 24

37 qsig and qdsa (1) Include the public key in the challenge (2) Generate ephemeral secret r pseudo-randomly qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) = qdsa (EdDSA) 15 November / 24

38 qsig and qdsa (1) Include the public key in the challenge (2) Generate ephemeral secret r pseudo-randomly qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) = qdsa (EdDSA) Add countermeasures against side-channel attacks 15 November / 24

39 qsig and qdsa (1) Include the public key in the challenge (2) Generate ephemeral secret r pseudo-randomly qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) = qdsa (EdDSA) Add countermeasures against side-channel attacks (3) Fault attacks on ephemeral scalar multiplication Add randomness into hash for nonce generation 15 November / 24

40 qsig and qdsa (1) Include the public key in the challenge (2) Generate ephemeral secret r pseudo-randomly qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) = qdsa (EdDSA) Add countermeasures against side-channel attacks (3) Fault attacks on ephemeral scalar multiplication Add randomness into hash for nonce generation (4) Fault attacks on base point (Mehdi s talk on Monday) Clamp, or add a small cofactor into the computation Verify correctness of base point 15 November / 24

41 Additional remarks (1) Security reduction. Similar to original Schnorr ID scheme (2) Unified keys. Identical key pairs for DH and qdsa (3) Key and signatures sizes. 32-byte keys, 64-byte signatures (requires work in genus 2!) (4) Verification. Two-dimensional scalar multiplication algorithms not available & no batching 15 November / 24

42 Back to curves Here, G the Jacobian group of a hyperelliptic curve of genus g Elliptic curves for g = 1, have J / ±1 = P 1 Hyperelliptic curves with g = 2, have J / ±1 = K For g 3 does not scale well (index calculus) 15 November / 24

43 Back to curves Here, G the Jacobian group of a hyperelliptic curve of genus g Elliptic curves for g = 1, have J / ±1 = P 1 Hyperelliptic curves with g = 2, have J / ±1 = K For g 3 does not scale well (index calculus) Need to define (1) x(p) x([λ]p) (usual way via Montgomery ladder) (2) {x(p), x(q)} {x(p + Q), x(p Q)} (3) For any x(p), a 32-byte representation of x(p) 15 November / 24

44 On the choice of model (g = 1) For elliptic curves common choice of Montgomery model E/F p : By 2 = x 3 + Ax 2 + x We obtain Curve25519 by defining p = , A = , B = 1 15 November / 24

45 Arithmetic on P 1 If x(p) = (X 1 : Z 1 ), x(p + Q) = (X 3 : Z 3 ), x(q) = (X 2 : Z 2 ), x(p Q) = (X 4 : Z 4 ), then xadd : X 3 X 4 = λ (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = λ (X 1 Z 2 X 2 Z 1 ) 2, 15 November / 24

46 Arithmetic on P 1 If x(p) = (X 1 : Z 1 ), x(p + Q) = (X 3 : Z 3 ), x(q) = (X 2 : Z 2 ), x(p Q) = (X 4 : Z 4 ), then xadd : xdbl : X 3 X 4 = λ (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = λ (X 1 Z 2 X 2 Z 1 ) 2, X 3 = µ (X 2 Z 2) 2, Z 3 = µ 4XZ ( X 2 + AXZ + Z 2) 15 November / 24

47 Biquadratic forms on P 1 In fact, have X 3 X 4 = B 00, B 00 = ν (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = B 11, B 11 = ν (X 1 Z 2 X 2 Z 1 ) 2, X 3 Z 4 + X 4 Z 3 = B 10, B 10 = ν [ (X 1 Z 2 X 2 Z 1 ) (X 1 Z 2 + X 2 Z 1 ) ] + 2AX 1 X 2 Z 1 Z 2, 15 November / 24

48 Biquadratic forms on P 1 In fact, have X 3 X 4 = B 00, B 00 = ν (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = B 11, B 11 = ν (X 1 Z 2 X 2 Z 1 ) 2, X 3 Z 4 + X 4 Z 3 = B 10, B 10 = ν [ (X 1 Z 2 X 2 Z 1 ) (X 1 Z 2 + X 2 Z 1 ) ie. ( X 3 X 4 ) X 3 Z 4 + X 4 Z 3 Z 3 Z 4 + 2AX 1 X 2 Z 1 Z 2 ], ( ) B00 = ν. B 10 B November / 24

49 Biquadratic forms on P 1 In fact, have X 3 X 4 = B 00, B 00 = ν (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = B 11, B 11 = ν (X 1 Z 2 X 2 Z 1 ) 2, X 3 Z 4 + X 4 Z 3 = B 10, B 10 = ν [ (X 1 Z 2 X 2 Z 1 ) (X 1 Z 2 + X 2 Z 1 ) ie. ( X 3 X 4 ) X 3 Z 4 + X 4 Z 3 Z 3 Z 4 + 2AX 1 X 2 Z 1 Z 2 ], ( ) B00 = ν. B 10 B 11 Thus (X 3 : Z 3 ) and (X 4 : Z 4 ) are the unique solutions to B 11 X 2 2 B 10 XZ + B 00 Z 2 = 0 15 November / 24

50 Summarizing verification on P 1 Given a signature (x(r) s) on M w.r.t. x(q) (1) c H(x(R) M) (2) x(t 0 ) x([s]p) (3) x(t 1 ) x([c]q) (4) Compute all B 00, B 10, B 11 for x(t 0 ) and x(t 1 ) (5) Check that x(r) vanishes on B 11 X 2 2 B 10 XZ + B 00 Z 2 (ie. x(r) {x(t 0 + T 1 ), x(t 0 T 1 )}) 15 November / 24

51 On the choice of model (g = 2) Gaudry-Schost curve [GS12] E/F :y 2 = x x x x x and its squared Kummer surface [CC86] ( K : 4E 2 x xyzt = 2 + y 2 + z 2 + t 2 F (xt + yz) G(xz + yt) H(xy + zt) ) 15 November / 24

52 Arithmetic on K If x(p) = (x 1 : y 1 : z 1 : t 1 ), x(p + Q) = (x 3 : y 3 : z 3 : t 3 ), x(q) = (x 2 : y 2 : z 2 : t 2 ), x(p Q) = (x 4 : y 4 : z 4 : t 4 ), then [Gau07; Ber+14] x 3 x 4 = ν ε 1 (x + y + z + t ) 2, y 3 y 4 = ν ε 2 (x + y z t ) 2, z 3 z 4 = ν ε 3 (x y + z t ) 2, t 3 t 4 = ν ε 4 (x y z + t ) 2, where xadd : x = ε 1 (x 1 + y 1 + z 1 + t 1 ) (x 2 + y 2 + z 2 + t 2 ) y = ε 2 (x 1 + y 1 z 1 t 1 ) (x 2 + y 2 z 2 t 2 ) z = ε 3 (x 1 y 1 + z 1 t 1 ) (x 2 y 2 + z 2 t 2 ) t = ε 4 (x 1 y 1 z 1 + t 1 ) (x 2 y 2 z 2 + t 2 ) 15 November / 24

53 Quadratic identities on K These formulas give rise to an identity [Cos11] 2x 3 x 4 B 00 2y 3 y 4 2z 3 z 4 = ν B 11 B 22 2t 3 t 4 B November / 24

54 Quadratic identities on K These formulas give rise to an identity [Cos11] 2x 3 x 4 B 00 σ(x, y) 2y 3 y 4 σ(x, z) σ(y, z) 2z 3 z 4 = ν B 10 B 11 B 20 B 21 B 22 σ(x, t) σ(y, t) σ(z, t) 2t 3 t 4 B 30 B 31 B 32 B 33 where σ(a, b) = a 3 b 4 + a 4 b November / 24

55 Quadratic identities on K These formulas give rise to an identity [Cos11] 2x 3 x 4 B 00 σ(x, y) 2y 3 y 4 σ(x, z) σ(y, z) 2z 3 z 4 = ν B 10 B 11 B 20 B 21 B 22 σ(x, t) σ(y, t) σ(z, t) 2t 3 t 4 B 30 B 31 B 32 B 33 where σ(a, b) = a 3 b 4 + a 4 b 3. are the unique solutions to Thus (x 3 : y 3 : z 3 : t 3 ), (x 4 : y 4 : z 4 : t 4 ) B 11 x 2 2 B 10 xy + B 00 y 2 = 0, B 22 x 2 2 B 20 xz + B 00 z 2 = 0, B 33 x 2 2 B 30 xt + B 00 t 2 = 0, B 22 y 2 2 B 21 yz + B 11 z 2 = 0, B 33 y 2 2 B 31 yt + B 11 t 2 = 0, B 33 z 2 2 B 32 zt + B 22 t 2 = 0 15 November / 24

56 Summarizing verification on K Given a signature (x(r) s) on M w.r.t. x(q) (1) c H(x(R) M) (2) x(t 0 ) x([s]p) (3) x(t 1 ) x([c]q) (4) Compute all B IJ for x(t 0 ) and x(t 1 ) (5) Check 6 quadratic polynomial equations in x(r) 15 November / 24

57 Efficiency of the B IJ Computing the B IJ on K does not look great. 15 November / 24

58 Efficiency of the B IJ Computing the B IJ on K does not look great. We have [CC86] K H K Int Ĉ [Gau07] K Gau 15 November / 24

59 Efficiency of the B IJ Computing the B IJ on K does not look great. We have [CC86] K H K Int Ĉ [Gau07] K Gau The forms B Gau IJ on K Gau are nice, but need extra constants Pulling back all the way via H Ĉ destroys nice symmetry 15 November / 24

60 Efficiency of the B IJ Computing the B IJ on K does not look great. We have [CC86] K H K Int Ĉ [Gau07] K Gau The forms B Gau IJ on K Gau are nice, but need extra constants Pulling back all the way via H Ĉ destroys nice symmetry Solution: Pull back B Gau IJ via Ĉ, evaluate at H(x(P)) 15 November / 24

61 Cost of computing biquadratic forms g Func. M S C 1 2 Check Ladder Check Ladder Table: Cost of B IJ 15 November / 24

62 Point compression Signatures (x(r) s) Have K P 3, so x(r) = (x : y : z : t) = ( x t : y t : z t : 1) (if t 0) At first sight need 48 bytes to represent x(r) Compressing further seems to require solving a quartic 15 November / 24

63 Point compression Signatures (x(r) s) Have K P 3, so x(r) = (x : y : z : t) = ( x t : y t : z t : 1) (if t 0) At first sight need 48 bytes to represent x(r) Compressing further seems to require solving a quartic But have a projection π : K P 2 as a double cover 15 November / 24

64 Point compression Take the four nodes N 0,..., N 3 and an isomorphism N 0 (0 : 0 : 0 : 1), N 1 (0 : 0 : 1 : 0), N 2 (0 : 1 : 0 : 0), N 3 (1 : 0 : 0 : 0). 15 November / 24

65 Point compression Take the four nodes N 0,..., N 3 and an isomorphism N 0 (0 : 0 : 0 : 1), N 1 (0 : 0 : 1 : 0), N 2 (0 : 1 : 0 : 0), N 3 (1 : 0 : 0 : 0). Then K : 4C xyzt = r1 2(xy + zt)2 + r2 2(xz + yt)2 + r3 2 (xt + yz)2 2r 1 s 1 ((x 2 + y 2 )zt + xy(z 2 + t 2 )) 2r 2 s 2 ((x 2 + z 2 )yt + xz(y 2 + t 2 )) 2r 3 s 3 ((x 2 + t 2 )yz + xt(y 2 + z 2 )) 15 November / 24

66 Point compression Take the four nodes N 0,..., N 3 and an isomorphism N 0 (0 : 0 : 0 : 1), N 1 (0 : 0 : 1 : 0), N 2 (0 : 1 : 0 : 0), N 3 (1 : 0 : 0 : 0). Then K : 4C xyzt = r1 2(xy + zt)2 + r2 2(xz + yt)2 + r3 2 (xt + yz)2 2r 1 s 1 ((x 2 + y 2 )zt + xy(z 2 + t 2 )) 2r 2 s 2 ((x 2 + z 2 )yt + xz(y 2 + t 2 )) 2r 3 s 3 ((x 2 + t 2 )yz + xt(y 2 + z 2 )) Quadratic in all its variables! Projection away from N 0 is π : (x : y : z : t) (x : y : z) which we can represent in 32 bytes. 15 November / 24

67 Point compression Take the four nodes N 0,..., N 3 and an isomorphism N 0 (0 : 0 : 0 : 1), N 1 (0 : 0 : 1 : 0), N 2 (0 : 1 : 0 : 0), N 3 (1 : 0 : 0 : 0). Then K : 4C xyzt = r1 2(xy + zt)2 + r2 2(xz + yt)2 + r3 2 (xt + yz)2 2r 1 s 1 ((x 2 + y 2 )zt + xy(z 2 + t 2 )) 2r 2 s 2 ((x 2 + z 2 )yt + xz(y 2 + t 2 )) 2r 3 s 3 ((x 2 + t 2 )yz + xt(y 2 + z 2 )) Quadratic in all its variables! Projection away from N 0 is π : (x : y : z : t) (x : y : z) which we can represent in 32 bytes. Recovery is solving a quadratic, ie. computing a square root 15 November / 24

68 Implementing the scheme g. Ref. Object. Function. CC. Stack. 1 This Curve25519 sign 14 M 512 B [NLD15] Ed25519 sign 19 M B [Liu+17] FourQ sign 5 M B Table: AVR ATmega comparison (rounded) 15 November / 24

69 Implementing the scheme g. Ref. Object. Function. CC. Stack. 1 This Curve25519 verify 25 M 644 B [NLD15] Ed25519 verify 31 M B [Liu+17] FourQ verify 11 M B Table: AVR ATmega comparison (rounded) 15 November / 24

70 Implementing the scheme g. Ref. Object. Function. CC. Stack. 2 This GS sign 10 M 417 B [Ren+16] GS sign 10 M 926 B Table: AVR ATmega comparison (rounded) 15 November / 24

71 Implementing the scheme g. Ref. Object. Function. CC. Stack. 2 This GS verify 20 M 609 B [Ren+16] GS verify 16 M 992 B Table: AVR ATmega comparison (rounded) 15 November / 24

72 Thanks! Questions? 15 November / 24

73 References I [Ber+14] [CC86] [Cos11] [Gau07] Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange and Peter Schwabe. Kummer Strikes Back: New DH Speed Records. In: Advances in Cryptology ASIACRYPT Ed. by Palash Sarkar and Tetsu Iwata. Vol LNCS. SV, 2014, pp David V. Chudnovsky and Gregory V. Chudnovsky. Sequences of numbers generated by addition in formal groups and new primality and factorization tests. In: Adv. in Appl. Math. 7 (1986), pp Romain Cosset. Applications des fonctions theta à la cryptographie sur les courbes hyperelliptiques. https: //tel.archives-ouvertes.fr/tel /file/main.pdf. PhD thesis. Université Henri Poincaré - Nancy I, Pierrick Gaudry. Fast genus 2 arithmetic based on Theta functions. In: J. Mathematical Cryptology 1.3 (2007). pp November / 24

74 References II [GS12] [Liu+17] [NLD15] Pierrick Gaudry and Eric Schost. Genus 2 point counting over prime fields. In: J. Symb. Comput (2012), pp doi: /j.jsc url: Zhe Liu, Patrick Longa, Geovandro Pereira, Oscar Reparaz and Hwajeong Seo. FourQ on embedded devices with strong countermeasures against side-channel attacks. Cryptology eprint Archive, Report 2017/ Erick Nascimento, Julio López and Ricardo Dahab. Efficient and Secure Elliptic Curve Cryptography for 8-bit AVR Microcontrollers. In: Security, Privacy, and Applied Cryptography Engineering. Ed. by Rajat Subhra Chakraborty, Peter Schwabe and Jon Solworth. Vol LNCS. Springer, 2015, pp November / 24

75 References III [Ren+16] [Sch89] Joost Renes, Peter Schwabe, Benjamin Smith and Lejla Batina. µkummer: Efficient Hyperelliptic Signatures and Key Exchange on Microcontrollers. In: Cryptographic Hardware and Embedded Systems - CHES th International Conference, Santa Barbara, CA, USA, August 17-19, 2016, Proceedings. 2016, pp doi: / _15. url: Claus-Peter Schnorr. Efficient Identification and Signatures for Smart Cards. In: Advances in Cryptology - CRYPTO 89. Ed. by Gilles Brassard. Vol LNCS. Springer, 1989, pp November / 24

µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers

µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers Joost Renes 1 Peter Schwabe 1 Benjamin Smith 2 Lejla Batina 1 1 Digital Security Group, Radboud University, The Netherlands