WALNUT DIGITAL SIGNATURE ALGORITHM

Similar documents
Fast, Quantum-Resistant Public-Key Solutions for Constrained Devices Using Group Theoretic Cryptography

POST QUANTUM GROUP THEORETIC CRYPTOGRAPHY

Cryptanalysis of the Algebraic Eraser

A Practical Cryptanalysis of WalnutDSA TM

WalnutDSA TM : A Quantum-Resistant Digital Signature Algorithm

WalnutDSA TM : A Quantum-Resistant Digital Signature Algorithm

AN AUTHENTICATION SCHEME BASED ON THE TWISTED CONJUGACY PROBLEM

Cryptanalysis of the Anshel-Anshel-Goldfeld-Lemieux Key Agreement Protocol

Length Based Attack and Braid Groups: Cryptanalysis of Anshel-Anshel-Goldfeld Key Exchange Protocol

Introduction to Braid Group Cryptography

Colored Burau Matrices, E-multiplication, and the Algebraic Eraser Key Agreement Protocol

On the Legacy of Quantum Computation and Communication to Cryptography

A REDUCTION OF SEMIGROUP DLP TO CLASSIC DLP

Quantum-resistant cryptography

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

THE CONJUGACY SEARCH PROBLEM IN PUBLIC KEY CRYPTOGRAPHY: UNNECESSARY AND INSUFFICIENT

Non-abelian key agreement protocols

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Digital signature schemes

Katz, Lindell Introduction to Modern Cryptrography

The quantum threat to cryptography

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Using shifted conjugacy in braid-based cryptography

McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Public key exchange using semidirect product of (semi)groups

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Using semidirect product of (semi)groups in public key cryptography

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Cryptographical Security in the Quantum Random Oracle Model

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Cryptanalysis via algebraic spans

Lecture 1: Introduction to Public key cryptography

arxiv: v2 [math.gr] 23 Jun 2008

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

Post-Quantum Cryptography & Privacy. Andreas Hülsing

AN OVERVIEW OF BRAID GROUP CRYPTOGRAPHY

A new conic curve digital signature scheme with message recovery and without one-way hash functions

Thompson s group and public key cryptography

A New Hard Problem over Non- Commutative Finite Groups for Cryptographic Protocols

An Algebraic Framework for Cipher Embeddings

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Elliptic Curve Cryptography

Points of High Order on Elliptic Curves ECDSA

FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256

Chapter 8 Public-key Cryptography and Digital Signatures

McEliece type Cryptosystem based on Gabidulin Codes

Blockchain and Quantum Computing

Notes for Lecture 15

A New Key Exchange Protocol Based on DLP and FP in Centralizer Near-Ring

Length-Based Attacks for Certain Group Based Encryption Rewriting Systems

Errors, Eavesdroppers, and Enormous Matrices

Side-channel analysis in code-based cryptography

THE RSA CRYPTOSYSTEM

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Mathematical Foundations of Public-Key Cryptography

The Elliptic Curve in https

On the Complexity of the Hybrid Approach on HFEv-

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Exploring platform (semi)groups for noncommutative

ElGamal type signature schemes for n-dimensional vector spaces

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

MATH 158 FINAL EXAM 20 DECEMBER 2016

Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco

Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security

arxiv: v2 [cs.cr] 22 Oct 2016

Lecture Notes, Week 6

Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP

Introduction to Elliptic Curve Cryptography

Algorithmic Number Theory and Public-key Cryptography

The Artin-Feistel Symmetric Cipher

Digital Signatures. Adam O Neill based on

International Electronic Journal of Pure and Applied Mathematics IEJPAM, Volume 9, No. 1 (2015)

Code-based Cryptography

New Variant of ElGamal Signature Scheme

Introduction to Quantum Safe Cryptography. ENISA September 2018

Public Key Cryptography

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Cryptanalysis of Simple Matrix Scheme for Encryption

Elliptic Curves and Cryptography

Blind Collective Signature Protocol

Cryptographic Primitives in Artin Groups of Finite Type

Key Recovery on Hidden Monomial Multivariate Schemes

Gurgen Khachatrian Martun Karapetyan

ENHANCING THE PERFORMANCE OF FACTORING ALGORITHMS

CPSC 467: Cryptography and Computer Security

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Week 12: Hash Functions and MAC

Some results in group-based cryptography

Mathematics of Public Key Cryptography

MATH 433 Applied Algebra Lecture 19: Subgroups (continued). Error-detecting and error-correcting codes.

On the Big Gap Between p and q in DSA

Elliptic Curve Cryptography and Security of Embedded Devices

Algorithms for ray class groups and Hilbert class fields

Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 )

A LINEAR ATTACK ON A KEY EXCHANGE PROTOCOL USING EXTENSIONS OF MATRIX SEMIGROUPS

Fast Algorithm in ECC for Wireless Sensor Network

Transcription:

WALNUT DIGITAL SIGNATURE ALGORITHM Dorian Goldfeld SecureRF Corporation NATO Post Quantum Cryptography Workshop, September 27, 2016 1

INTRODUCING WALNUTDSA 2

INTRODUCING WALNUTDSA (joint work with Iris Anshel, Derek Atkins, Paul Gunnells) 3

INTRODUCING WALNUTDSA (joint work with Iris Anshel, Derek Atkins, Paul Gunnells) We introduce WalnutDSA a group theoretic digital signature algorithm with the following features: 4

INTRODUCING WALNUTDSA (joint work with Iris Anshel, Derek Atkins, Paul Gunnells) We introduce WalnutDSA a group theoretic digital signature algorithm with the following features: Very fast signature verification. 5

INTRODUCING WALNUTDSA (joint work with Iris Anshel, Derek Atkins, Paul Gunnells) We introduce WalnutDSA a group theoretic digital signature algorithm with the following features: Very fast signature verification. Running time is linear in key/signature size. 6

INTRODUCING WALNUTDSA (joint work with Iris Anshel, Derek Atkins, Paul Gunnells) We introduce WalnutDSA a group theoretic digital signature algorithm with the following features: Very fast signature verification. Running time is linear in key/signature size. Security is based on the hard problems of solving a novel equation over the braid group and reversing a certain representation of the braid group. 7

INTRODUCING WALNUTDSA (joint work with Iris Anshel, Derek Atkins, Paul Gunnells) We introduce WalnutDSA a group theoretic digital signature algorithm with the following features: Very fast signature verification. Running time is linear in key/signature size. Security is based on the hard problems of solving a novel equation over the braid group and reversing a certain representation of the braid group. WalnutDSA appears resistant to known attacks in group theoretic cryptography. 8

INTRODUCING WALNUTDSA (joint work with Iris Anshel, Derek Atkins, Paul Gunnells) We introduce WalnutDSA a group theoretic digital signature algorithm with the following features: Very fast signature verification. Running time is linear in key/signature size. Security is based on the hard problems of solving a novel equation over the braid group and reversing a certain representation of the braid group. WalnutDSA appears resistant to known attacks in group theoretic cryptography. Quantum Resistant 9

BRAIDS 10

BRAIDS Introduced by Emil Artin in 1921, a braid is a configuration of strands of the form: 11

BRAIDS Introduced by Emil Artin in 1921, a braid is a configuration of strands of the form: 12

THE ARTIN BRAID GROUP 13

THE ARTIN BRAID GROUP For, N 2, let B N denote the N-strand braid group with Artin generators {b 1, b 2,..., b N 1 }, subject to the following relations: 14

THE ARTIN BRAID GROUP For, N 2, let B N denote the N-strand braid group with Artin generators {b 1, b 2,..., b N 1 }, subject to the following relations: b i b i+1 b i = b i+1 b i b i+1, (i = 1,..., N 2), b i b j = b j b i, ( i j 2). 15

THE ARTIN BRAID GROUP For, N 2, let B N denote the N-strand braid group with Artin generators {b 1, b 2,..., b N 1 }, subject to the following relations: b i b i+1 b i = b i+1 b i b i+1, (i = 1,..., N 2), b i b j = b j b i, ( i j 2). Every β B N is of the form β = b ɛ 1 i 1 b ɛ 2 i 2 where i j {1,..., N 1}, and ɛ j {±1}. b ɛ k i k, 16

PERMUTATION ASSOCIATED TO A BRAID Each braid β B N determines a permutation in S N. 17

PERMUTATION ASSOCIATED TO A BRAID Each braid β B N determines a permutation in S N. Let σ i S N be the i th simple transposition, which maps i i + 1, i + 1 i, (1 i N 1). 18

PERMUTATION ASSOCIATED TO A BRAID Each braid β B N determines a permutation in S N. Let σ i S N be the i th simple transposition, which maps i i + 1, i + 1 i, (1 i N 1). Then σ i is associated to the Artin generator b i. 19

PERMUTATION ASSOCIATED TO A BRAID Each braid β B N determines a permutation in S N. Let σ i S N be the i th simple transposition, which maps i i + 1, i + 1 i, (1 i N 1). Then σ i is associated to the Artin generator b i. The permutation associated to b ɛ 1 i 1 b ɛ 2 i 2 b ɛ k i k is just σ ɛ 1 i 1 σ ɛ 2 i 2 σ ɛ k i k 20

COLORED BURAU REPRESENTATION OF B N 21

COLORED BURAU REPRESENTATION OF B N Each b ±1 i is associated with the ordered pair ( CB(b i ) ±1 ), σ i where σi is the transposition (i, i + 1), 22

COLORED BURAU REPRESENTATION OF B N Each b ±1 i is associated with the ordered pair ( CB(b i ) ±1 ), σ i where σi is the transposition (i, i + 1), 1 1...... CB(b i ) = t i t i 1, CB(b 1 i ) = 1 1 1 t i+1 t i+1...... 1 1. 23

COLORED BURAU REPRESENTATION OF B N Each b ±1 i is associated with the ordered pair ( CB(b i ) ±1 ), σ i where σi is the transposition (i, i + 1), 1 1...... CB(b i ) = t i t i 1, CB(b 1 i ) = 1 1 1 t i+1 t i+1...... 1 1. By letting permutations act on the left on the matrices CB(b i ) (by permuting the variable entries), the ordered pairs ( CB(b i ) ±1, σ i ) form a semi-direct product which satisfy the braid relations. This gives a representation of B N. 24

Laurent Polynomial entry: Short random word of length 10 in B 4 S 4. What E-multiplication erases! 25

Laurent Polynomial entry: Short random word of length 10 in B 4 S 4. What E-multiplication erases! 26

E-MULTIPLICATION (denoted ) 27

E-MULTIPLICATION (denoted ) F q = finite field of q elements. 28

E-MULTIPLICATION (denoted ) F q = finite field of q elements. T = {τ 1,..., τ N } (F q ) N = set of T -values. 29

E-MULTIPLICATION (denoted ) F q = finite field of q elements. T = {τ 1,..., τ N } (F q ) N = set of T -values. m GL(N, F q ), σ S N. 30

E-MULTIPLICATION (denoted ) F q = finite field of q elements. T = {τ 1,..., τ N } (F q ) N = set of T -values. m GL(N, F q ), σ S N. E-multiplication by one Artin generator 31

E-MULTIPLICATION (denoted ) F q = finite field of q elements. T = {τ 1,..., τ N } (F q ) N = set of T -values. m GL(N, F q ), σ S N. E-multiplication by one Artin generator (m, σ) b i = m 1... τ σ(i) τ σ(i) 1... 1, σ (i, i + 1). 32

E-MULTIPLICATION (denoted ) F q = finite field of q elements. T = {τ 1,..., τ N } (F q ) N = set of T -values. m GL(N, F q ), σ S N. E-multiplication by one Artin generator (m, σ) b i = m 1... τ σ(i) τ σ(i) 1... 1, σ (i, i + 1). By iterating this computation we can compute the E-Multiplication of (m, σ) with an arbitrary braid element (finite product of Artin generators and their inverses). 33

REVERSING E-MULTIPLICATION IS HARD Braid group B N and symmetric group S N with N 8. 34

REVERSING E-MULTIPLICATION IS HARD Braid group B N and symmetric group S N with N 8. Finite field F q with q 32. 35

REVERSING E-MULTIPLICATION IS HARD Braid group B N and symmetric group S N with N 8. Finite field F q with q 32. β B N. 36

REVERSING E-MULTIPLICATION IS HARD Braid group B N and symmetric group S N with N 8. Finite field F q with q 32. β B N. (m, σ) = (Id, Id) β GL(N, F q ) S N. 37

REVERSING E-MULTIPLICATION IS HARD Braid group B N and symmetric group S N with N 8. Finite field F q with q 32. β B N. (m, σ) = (Id, Id) β GL(N, F q ) S N. Conjecture: It is infeasible to determine β from (m, σ) if the normal form of β is sufficiently long. 38

REVERSING E-MULTIPLICATION IS HARD Braid group B N and symmetric group S N with N 8. Finite field F q with q 32. β B N. (m, σ) = (Id, Id) β GL(N, F q ) S N. Conjecture: It is infeasible to determine β from (m, σ) if the normal form of β is sufficiently long. Quantum Resistance: As the length of the word β increases, the complexity of the Laurent polynomials occurring in the E-multiplication increases exponentially. It does not seem to be possible that E-Multiplication exhibits any type of simple periodicity, so it is very unlikely that inverting E-Multiplication can be achieved with a polynomial quantum algorithm. 39

CLOAKING ELEMENTS 40

CLOAKING ELEMENTS Let m GL(N, F q ) and σ S N. An element v in the pure braid subgroup of B N is termed a cloaking element of (m, σ) if 41

CLOAKING ELEMENTS Let m GL(N, F q ) and σ S N. An element v in the pure braid subgroup of B N is termed a cloaking element of (m, σ) if (m, σ) v = (m, σ). 42

CLOAKING ELEMENTS Let m GL(N, F q ) and σ S N. An element v in the pure braid subgroup of B N is termed a cloaking element of (m, σ) if (m, σ) v = (m, σ). The cloaking element is defined by the property that it essentially disappears when performing E-Multiplication. 43

CLOAKING ELEMENTS Let m GL(N, F q ) and σ S N. An element v in the pure braid subgroup of B N is termed a cloaking element of (m, σ) if (m, σ) v = (m, σ). The cloaking element is defined by the property that it essentially disappears when performing E-Multiplication. Remark: When E-Multiplication is viewed as a right action of B N on GL(N, F q ) S N then cloaking elements are stabilizers which form a subgroup of B N. 44

CLOAKED CONJUGACY SEARCH PROBLEM (CCSP)) 45

CLOAKED CONJUGACY SEARCH PROBLEM (CCSP)) The braid group B N and symmetric group S N with N 8. 46

CLOAKED CONJUGACY SEARCH PROBLEM (CCSP)) The braid group B N and symmetric group S N with N 8. Y, v 1, v 2 B N. 47

CLOAKED CONJUGACY SEARCH PROBLEM (CCSP)) The braid group B N and symmetric group S N with N 8. Y, v 1, v 2 B N. Assume v 1 cloaks (Id, Id) and v 2 cloaks (Id, Id) Y. 48

CLOAKED CONJUGACY SEARCH PROBLEM (CCSP)) The braid group B N and symmetric group S N with N 8. Y, v 1, v 2 B N. Assume v 1 cloaks (Id, Id) and v 2 cloaks (Id, Id) Y. Conjecture (CCSP): Assume A B N and Y 1 v 1 A Y v 2 are known. Then it is infeasible to determine Y if the normal forms of Y, v 1, v 2 are sufficiently long. 49

QUANTUM RESISTANCE OF CCSP 50

QUANTUM RESISTANCE OF CCSP Hidden Subgroup Problem The Hidden Subgroup Problem asks to find an unknown subgroup H G using calls to a known function on G which takes distinct constant values on distinct cosets of G/H. 51

QUANTUM RESISTANCE OF CCSP Hidden Subgroup Problem The Hidden Subgroup Problem asks to find an unknown subgroup H G using calls to a known function on G which takes distinct constant values on distinct cosets of G/H. Shor s quantum attack breaking RSA and other public key protocols such as ECC are essentially equivalent to the fact that there is a successful quantum attack on the Hidden Subgroup Problem for finite cyclic groups. 52

QUANTUM RESISTANCE OF CCSP Hidden Subgroup Problem The Hidden Subgroup Problem asks to find an unknown subgroup H G using calls to a known function on G which takes distinct constant values on distinct cosets of G/H. Shor s quantum attack breaking RSA and other public key protocols such as ECC are essentially equivalent to the fact that there is a successful quantum attack on the Hidden Subgroup Problem for finite cyclic groups. Since the braid group does not contain any non-trivial finite subgroups at all, there does not seem to be any viable way to connect to connect CCSP with HSP. 53

WALNUTDSA KEY GENERATION 54

WALNUTDSA KEY GENERATION WalnutDSA allows a signer with a fixed private/public key pair to create a digital signature associated to a given message which can be validated by anyone who knows the public key of the signer and the verification protocol. 55

WALNUTDSA KEY GENERATION WalnutDSA allows a signer with a fixed private/public key pair to create a digital signature associated to a given message which can be validated by anyone who knows the public key of the signer and the verification protocol. Public Information: 56

WALNUTDSA KEY GENERATION WalnutDSA allows a signer with a fixed private/public key pair to create a digital signature associated to a given message which can be validated by anyone who knows the public key of the signer and the verification protocol. Public Information: An integer N 8 and associated braid group B N. 57

WALNUTDSA KEY GENERATION WalnutDSA allows a signer with a fixed private/public key pair to create a digital signature associated to a given message which can be validated by anyone who knows the public key of the signer and the verification protocol. Public Information: An integer N 8 and associated braid group B N. A rewriting algorithm R: B N B N. 58

WALNUTDSA KEY GENERATION WalnutDSA allows a signer with a fixed private/public key pair to create a digital signature associated to a given message which can be validated by anyone who knows the public key of the signer and the verification protocol. Public Information: An integer N 8 and associated braid group B N. A rewriting algorithm R: B N B N. A finite field F q of q 32 elements. 59

WALNUTDSA KEY GENERATION WalnutDSA allows a signer with a fixed private/public key pair to create a digital signature associated to a given message which can be validated by anyone who knows the public key of the signer and the verification protocol. Public Information: An integer N 8 and associated braid group B N. A rewriting algorithm R: B N B N. A finite field F q of q 32 elements. T-values = {τ 1, τ 2,..., τ N } a set of invertible elements in F q. 60

WALNUTDSA KEY GENERATION WalnutDSA allows a signer with a fixed private/public key pair to create a digital signature associated to a given message which can be validated by anyone who knows the public key of the signer and the verification protocol. Public Information: An integer N 8 and associated braid group B N. A rewriting algorithm R: B N B N. A finite field F q of q 32 elements. T-values = {τ 1, τ 2,..., τ N } a set of invertible elements in F q. Signer s Private Key: Priv(S) B N. 61

WALNUTDSA KEY GENERATION WalnutDSA allows a signer with a fixed private/public key pair to create a digital signature associated to a given message which can be validated by anyone who knows the public key of the signer and the verification protocol. Public Information: An integer N 8 and associated braid group B N. A rewriting algorithm R: B N B N. A finite field F q of q 32 elements. T-values = {τ 1, τ 2,..., τ N } a set of invertible elements in F q. Signer s Private Key: Priv(S) B N. Signer s Public key: Pub(S) = ( Id, Id ) Priv(S), 62

WALNUTDSA SIGNATURE GENERATION 63

WALNUTDSA SIGNATURE GENERATION M is a hash of a message. 64

WALNUTDSA SIGNATURE GENERATION M is a hash of a message. E(M) is an encoding of M into the pure braid subgroup of B N. 65

WALNUTDSA SIGNATURE GENERATION M is a hash of a message. E(M) is an encoding of M into the pure braid subgroup of B N. Step 1: Generate the cloaking elements v 1 and v 2 which cloak ( Id, Id ) and Pub(S), respectively. 66

WALNUTDSA SIGNATURE GENERATION M is a hash of a message. E(M) is an encoding of M into the pure braid subgroup of B N. Step 1: Generate the cloaking elements v 1 and v 2 which cloak ( Id, Id ) and Pub(S), respectively. Step 2: Compute Sig = R ( Priv(S) 1 v 1 E(M) Priv(S) v 2 ), a rewritten braid. 67

WALNUTDSA SIGNATURE GENERATION M is a hash of a message. E(M) is an encoding of M into the pure braid subgroup of B N. Step 1: Generate the cloaking elements v 1 and v 2 which cloak ( Id, Id ) and Pub(S), respectively. Step 2: Compute Sig = R ( Priv(S) 1 v 1 E(M) Priv(S) v 2 ), a rewritten braid. Step 3: The final signature for the message M is the ordered pair (Sig, M). 68

WALNUTDSA SIGNATURE VERIFICATION 69

WALNUTDSA SIGNATURE VERIFICATION The signature (Sig, M) is verified as follows: 70

WALNUTDSA SIGNATURE VERIFICATION The signature (Sig, M) is verified as follows: Step 1: Generate the encoded message E(M). 71

WALNUTDSA SIGNATURE VERIFICATION The signature (Sig, M) is verified as follows: Step 1: Generate the encoded message E(M). Step 2: Evaluate Pub(E(M)) := ( Id, Id ) E(M). 72

WALNUTDSA SIGNATURE VERIFICATION The signature (Sig, M) is verified as follows: Step 1: Generate the encoded message E(M). Step 2: Evaluate Pub(E(M)) := ( Id, Id ) E(M). Step 3: Evaluate Pub(S) Sig. 73

WALNUTDSA SIGNATURE VERIFICATION The signature (Sig, M) is verified as follows: Step 1: Generate the encoded message E(M). Step 2: Evaluate Pub(E(M)) := ( Id, Id ) E(M). Step 3: Evaluate Pub(S) Sig. Step 4: Verify the equality MatrixPart ( Pub(S) Sig ) = MatrixPart ( Pub(E(M)) ) MatrixPart ( Pub(S) ), 74

WALNUTDSA SIGNATURE VERIFICATION The signature (Sig, M) is verified as follows: Step 1: Generate the encoded message E(M). Step 2: Evaluate Pub(E(M)) := ( Id, Id ) E(M). Step 3: Evaluate Pub(S) Sig. Step 4: Verify the equality MatrixPart ( Pub(S) Sig ) = MatrixPart ( Pub(E(M)) ) MatrixPart ( Pub(S) ), where the matrix multiplication on the right is performed over the finite field. The signature is valid if this equality holds. If the results are not equal then the signature validation has failed. 75

LINEAR RUNNING TIME OF SIGNATURE VERIFICATION 76

LINEAR RUNNING TIME OF SIGNATURE VERIFICATION The bulk of Signature Verification only requires E-Multiplication computations. 77

LINEAR RUNNING TIME OF SIGNATURE VERIFICATION The bulk of Signature Verification only requires E-Multiplication computations. E-multiplication by one Artin generator can be performed in one clock cycle. 78

LINEAR RUNNING TIME OF SIGNATURE VERIFICATION The bulk of Signature Verification only requires E-Multiplication computations. E-multiplication by one Artin generator can be performed in one clock cycle. Most of the running time of Signature Verification is taken up by computing L successive E-Multiplications, each by one Artin generator, where L is the number of Artin generators of the Signature (Sig). 79

LINEAR RUNNING TIME OF SIGNATURE VERIFICATION The bulk of Signature Verification only requires E-Multiplication computations. E-multiplication by one Artin generator can be performed in one clock cycle. Most of the running time of Signature Verification is taken up by computing L successive E-Multiplications, each by one Artin generator, where L is the number of Artin generators of the Signature (Sig). WalnutDSA Signature Verification is extremely fast and the running time is linear in the Signature length. 80

GROVER S QUANTUM SEARCH ALGORITHM (GQSA) 81

GROVER S QUANTUM SEARCH ALGORITHM (GQSA) GQSA finds an element in an unordered N element set in time O ( N 1 2 ). 82

GROVER S QUANTUM SEARCH ALGORITHM (GQSA) GQSA finds an element in an unordered N element set in time O ( N 1 2 ). GQSA can find the private key in a cryptosystem with a square root speed-up in running time and cuts the security in half. 83

GROVER S QUANTUM SEARCH ALGORITHM (GQSA) GQSA finds an element in an unordered N element set in time O ( N 1 2 ). GQSA can find the private key in a cryptosystem with a square root speed-up in running time and cuts the security in half. GQSA can be defeated by increasing the key size. 84

GROVER S QUANTUM SEARCH ALGORITHM (GQSA) GQSA finds an element in an unordered N element set in time O ( N 1 2 ). GQSA can find the private key in a cryptosystem with a square root speed-up in running time and cuts the security in half. GQSA can be defeated by increasing the key size. WalnutDSA Signature Verification runs in linear time in the signature length. GQSA can be defeated by doubling the signature length, which results in double the computation time. 85

GROVER S QUANTUM SEARCH ALGORITHM (GQSA) GQSA finds an element in an unordered N element set in time O ( N 1 2 ). GQSA can find the private key in a cryptosystem with a square root speed-up in running time and cuts the security in half. GQSA can be defeated by increasing the key size. WalnutDSA Signature Verification runs in linear time in the signature length. GQSA can be defeated by doubling the signature length, which results in double the computation time. By comparison ECDSA runs in quadratic time. Defeating GQSA requires a four fold increase in computation time. 86

SECURITY DISCUSSION 87

SECURITY DISCUSSION The recent attack of Ben-Zvi Blackburn Tsaban (BBT) ( A practical cryptanalysis of the Algebraic Eraser, CRYPTO 2016) does not seem to apply to WalnutDSA because the signature is a braid and there are no commuting subgroups involved, Hence, the linear algebraic attacks as in BBT to solve CCSP or to forge a signature are not applicable. 88

SECURITY DISCUSSION The recent attack of Ben-Zvi Blackburn Tsaban (BBT) ( A practical cryptanalysis of the Algebraic Eraser, CRYPTO 2016) does not seem to apply to WalnutDSA because the signature is a braid and there are no commuting subgroups involved, Hence, the linear algebraic attacks as in BBT to solve CCSP or to forge a signature are not applicable. Length attacks of the type proposed by Myasnikov Ushakov (2009) or Garber-Kaplan-Teicher-Tsaban-Vishnu (2005) do not appear to facilitate solving CCSP if the keys are sufficiently large. First of all, as pointed out by Gunnells (2011), the length attack only works effectively for short conjugates. Secondly, the placement of the unknown cloaking elements v 1, v 2 in the braid word Y 1 v 1 A Y v 2 seems to completely thwart any type of length attack for the conjugacy problem. 89

SECURITY DISCUSSION 90

SECURITY DISCUSSION Note that if the cloaking elements v 1, v 2 are trivial then CCSP reduces to the ordinary conjugacy search problem (CSP). If an attacker can determine the cloaking elements v 1, v 2 then it is easy to see that CCSP again reduces to CSP and fast methods for solving for Y were obtained in Gebhardt A new approach to the conjugacy problem in Garside groups, (2005) provided the super summit set of the conjugate Y was not too large. 91

Performance of WalnutDSA Verification B 8 F 32, 2 128 Security level (equivalent to ECC P256) Platform Clock WalnutDSA ECDSA Gain MHz ROM 1 RAM 1 Cycles Time 2 ROM 1 RAM 1 Time 2 (Time) MSP430 8 3244 236 370944 46 3 20-30K 2-5K 1000-3000 21-63x 8051 24.5 3370 312 864101 35.3 ARM M3 48 2952 272 275563 5.7 4 7168 540 233 40.8x FPGA 50 2500 0.05 5 2.08 41.6x 1 ROM/RAM in Bytes 2 Time is in milliseconds. 3 C.P.L. Gouvêa and J. López, Software implementation of Pairing-Based Cryptography on sensor networks using the MSP430 micro controller, Progress in Cryptology, Indocrypt 2009 4 Wenger, Unterluggauer, and Werner in 8/16/32 Shades of Elliptic Curve Cryptography on Embedded Processors in Progress in Cryptology, Indocrypt 2013 5 Jian Huang, Hao Li, and Phil Sweany, An FPGA Implementation of Elliptic Curve Cryptography for Future Secure Web Transaction, 2007. 92

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback