DOCSLIB.ORG

Comparison of Innovative Signature Algorithms for Wsns

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Comparison of Innovative Signature Algorithms for Wsns Comparison of Innovative Signature Algorithms for WSNs Benedikt Driessen Axel Poschmann Christof Paar escrypt GmbH Horst-Görtz-Institute for Horst-Görtz-Institute for Lise-Meitner-Allee 4 IT-Security IT-Security 44801 Bochum, Germany Ruhr-University Bochum, Ruhr-University Bochum, [email protected] Germany Germany [email protected] [email protected] ABSTRACT the sensor nodes very efficiently. However, one problem with For many foreseen applications of Wireless Sensor Networks symmetric solutions is the key management: neither an in- (WSN) – for example monitoring the structural health of a dividual key (shared only between a sensor and the sink) nor bridge – message integrity is a crucial requirement. Usu- a network-wide key (shared between all sensors) is a suitable ally, security services such as message integrity are real- solution. The first approach, though it offers the highest re- ized by symmetric cryptography only, because asymmet- siliency, suffers from a significant pre-distribution overhead, ric cryptography is often stated as impracticable for WSN. whereas the latter one offers a good scalability with no re- However, the proposed solutions for symmetric key estab- siliency. Many probabilistic solutions have been proposed to lishment introduce a significant computation, storage, and– deal with these issues [3, 14, 21]. All these schemes introduce most important–communication overhead. Digital signa- a significant computation, storage, and – most important – tures and key-exchange based on asymmetric algorithms communication overhead. would be very valuable though. In the literature nearly only Using protocols based on asymmetric cryptography eases RSA and ECC are implemented and compared for sensor the establishment of keys. Furthermore, digital signatures nodes, though there exist a variety of innovative asymmetric with all their benefits can be realized by asymmetric cryp- algorithms. To close this gap, we investigated the efficiency tography. However, asymmetric algorithms such as RSA [26] and suitability of digital signature algorithms based on inno- have much longer operand lengths compared to symmetric algorithms (1024 bit vs 80 bit). This in turn results in three vative asymmetric primitives for WSN. We chose XTR-DSA orders of magnitude longer processing times on a typical 8- and NTRUSign and implemented both (as well as ECDSA) bit micro-controller such as compared to symmetric for MICAz motes. MICAz algorithms [10]. Consequently, despite the fact that the us- age of asymmetric cryptography would solve many problems, Categories and Subject Descriptors it is often stated as impracticable for WSN. E.3 [Data Encryption]: Public key cryptosystems; D.2.8 Beside RSA exist a variety of asymmetric algorithms, such [Software Engineering]: Metrics—performance measures as NTRU [13], XTR [19], ECC [23], and the so called MQ algorithms to name just a few. Interestingly, virtually all General Terms publications dealing with asymmetric algorithms for WSN have been focusing on RSA and ECC only. To close this Algorithms, Measurement, Performance, Security gap, we investigated the efficiency and suitability of dig- ital signature algorithms based on innovative asymmetric 1. INTRODUCTION primitives for WSN. We chose to evaluate the ECDSA [16] The benefits of Wireless Sensor Networks (WSN) are dis- scheme which is quite wide spread and well examined, XTR- cussed widely these days. The foreseen applications range DSA [18, 19, 28] because of its compact signatures and com- from military to vehicular scenarios. However, many of these parable speed, and NTRUSign [12, 15] due to its simple and applications process sensitive data, for example a WSN that fast core operation, promising significant computational ad- measures the structural health of a bridge. Since adversaries vantages over the two other schemes. Despite this feature, can easily eavesdrop and also manipulate or inject messages, NTRUSign is often ignored because previous versions of this security is a crucial requirement for these applications. scheme have already been broken [8] and a rigorous security Protocols based on symmetric cryptography can assure proof has not been made, yet. integrity, authentity, and confidentiality of messages sent by A brief description of each schemes’ core arithmetic can be found in Section 2. For further details the interested reader is referred to the original publications and [7]. Section 3 is dedicated to briefly outlining the target platform, the tools Permission to make digital or hard copies of all or part of this work for used, and the main optimizations applied to the schemes. personal or classroom use is granted without fee provided that copies are Subsequently, our implementation results are presented and not made or distributed for profit or commercial advantage and that copies compared to other published implementation results in Sec- bear this notice and the full citation on the first page. To copy otherwise, to tion 4. Finally, in Section 5 we give our conclusions and republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. close the paper. WiSec’08, March 31–April 2, 2008, Alexandria, Virginia, USA. Copyright 2008 ACM 978-1-59593-814-5/08/03 ...$5.00. 2. CORE ARITHMETIC 2.2 XTR-DSA In this section we provide a brief overview of the arith- The XTR-DSA signature scheme is based on the XTR metic used by the signature schemes. Note that ECDSA and public key scheme. XTR has been proposed by Lenstra and XTR-DSA are based on the Digital Signature Algorithm Verheul in 2000 [19] and is an abbreviation for “Efficient and (DSA) which was specified in a U.S. Government “Federal Compact Subgroup Trace Representation” (ECSTR). XTR Information Processing Standard” (FIPS) called the “Digital uses the trace Tr(g) ∈ Zp2 of g ∈ Zp6 to represent and cal- Signature Standard” (DSS) [1]. NTRUSign is defined by a culate powers of elements of the order p2 − p + 1 subgroup standard for financial services [24]. Z∗ of p6 . p and q are primes where q is chosen such that q > 6 and q|p2 − p + 1 is satisfied. XTR’s main arithmetic 2.1 ECDSA is performed in the q order subgroup (“XTR-subgroup”) of 2 Z∗ The ECDSA scheme [16] is a signature scheme based on the p − p + 1 order subgroup (“XTR-supergroup”) of p6 . elliptic curve cryptography (ECC). An elliptic curve E over According to the authors of XTR, the scheme is able to the finite field K is defined by the simplified “Weierstrass achieve the same security level as RSA-1024 [26] by operat- Equation”, ing on XTR-subgroup elements with 160-170 bits size. The arithmetic in XTR is performed on elements 2 3 2 E(K): y = x + ax + b, char(K) 6= 2, 3 c = c1α + c2α ∈ Zp2 and an element t ∈ Zp is represented as −tα−tα2. We have observed that a complete XTR-DSA where a, b ∈ K. The points P = (x, y) ∈ E(K) on the el- signature scheme can be built on top of three atomic oper- liptic curve E form an abelian group, where certain rules ations which we denote by Op1(·), Op2(·), and Op3(·) in the (“group law”) apply. The following basic mathematical op- remainder of this document. The following arithmetic in erations are perfomed on points P ∈ E(K): Zp2 and Zp is performed by these operations: Addition Let P1 = (x1, y1),P2 = (x2, y2) ∈ E(K) be two Op1(x,y,z,w) This operation requires four elements w, x, distinct points. The sum Q = (x3, y3) = P1 + P2 is y, z ∈ Zp2 . The resulting element c ∈ Zp2 is computed defined as follows: using two multiplications in Zp2 , „ «2 p y2 − y1 c = Op1(x, y, z, w) = xz − yz + w. x3 = − x1 − x2, x2 − x1 The actual arithmetic is performed by finite field oper- ations in Zp. For this purpose four modular multipli- „ « 2 y2 − y1 cations in Zp are required. c = c1α+c2α is computed y3 = (x1 − x3) − y1. x2 − x1 by, c1 = w1 + (z1(y1 − x2 − y2) + z2(x2 − x1 + y2)) mod p, Doubling Let P = (x1, y1) ∈ E(K) be a point on E(K). The double Q = (x2, y2) = 2P is derived by the fol- c = w + (z (x − x + y ) + z (y − x − y )) mod p. lowing equation: 2 2 1 1 2 1 2 2 1 1 Op2(x) c = Op2(x) is computed by one squaring in Z 2 , „ 2 «2 p 3x1 + a x2 = − 2x1, 2 p 2y1 c = Op2(x) = x − 2x . Note that computation of xp does not require any „ 2 « Z p p p p 2p p 3x1 + a arithmetic in p, because x = x1α +x2α = x1α + y2 = (x1 − x2) − y1. 2y1 x2α, hence x1 and x2 are just swapped – only two mul- tiplications are performed instead, By using these basic operations we can construct two point c1 = x2(x2 − 2x1) − 2x2 mod p, multiplication methods, which are required by the ECDSA scheme. c2 = x1(x1 − 2x2) − 2x1 mod p. Single (scalar) point multiplication Let P ∈ E(K) be Op3(x) This operation is based on Op2(·) and can be com- a point on E(K), k ∈ ord(K) is an integer. Single puted as point multiplication Q = kP may be performed by k p 3 p+1 additions; Q = P + P + ··· + P . c = Op3(x) = (Op2(x) − x )x + 3 = x − 3x + 3. | {z } k We compute c1, c2 in two steps, first we compute t1, t2, t1 = x2(x2 − 2x1) − 3x2 mod p, Simultaneous (scalar) point multiplication Let P1,P2 ∈ E(K) be two distinct points on E(K) where k, l ∈ ord(K) are integers. Simultaneous point multiplica- t2 = x1(x1 − 2x2) − 3x1 mod p. tion Q = kP1 +lP2 may be performed by applying sin- From t1, t2 we can compute c1, c2 directly. By applying gle point multiplication to obtain X1 = kP1, X2 = lP2 the ideas of Karatsuba [2] we compute (x1x2), (t1t2), and adding X1 and X2; X1 + X2 = Q.
Load more

Recommended publications
  • Etsi Gr Qsc 001 V1.1.1 (2016-07)
    ETSI GR QSC 001 V1.1.1 (2016-07) GROUP REPORT Quantum-Safe Cryptography (QSC); Quantum-safe algorithmic framework 2 ETSI GR QSC 001 V1.1.1 (2016-07) Reference DGR/QSC-001 Keywords algorithm, authentication, confidentiality, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
    [Show full text]
  • Bilinear Map Cryptography from Progressively Weaker Assumptions
    Full version of an extended abstract published in Proceedings of CT-RSA 2013, Springer-Verlag, Feb. 2013. Available from the IACR Cryptology ePrint Archive as Report 2012/687. The k-BDH Assumption Family: Bilinear Map Cryptography from Progressively Weaker Assumptions Karyn Benson, Hovav Shacham ∗ Brent Watersy University of California, San Diego University of Texas at Austin fkbenson, [email protected] [email protected] February 4, 2013 Abstract Over the past decade bilinear maps have been used to build a large variety of cryptosystems. In addition to new functionality, we have concurrently seen the emergence of many strong assump- tions. In this work, we explore how to build bilinear map cryptosystems under progressively weaker assumptions. We propose k-BDH, a new family of progressively weaker assumptions that generalizes the de- cisional bilinear Diffie-Hellman (DBDH) assumption. We give evidence in the generic group model that each assumption in our family is strictly weaker than the assumptions before it. DBDH has been used for proving many schemes secure, notably identity-based and functional encryption schemes; we expect that our k-BDH will lead to generalizations of many such schemes. To illustrate the usefulness of our k-BDH family, we construct a family of selectively secure Identity-Based Encryption (IBE) systems based on it. Our system can be viewed as a generalization of the Boneh-Boyen IBE, however, the construction and proof require new ideas to fit the family. We then extend our methods to produces hierarchical IBEs and CCA security; and give a fully secure variant. In addition, we discuss the opportunities and challenges of building new systems under our weaker assumption family.
    [Show full text]
  • Circuit-Extension Handshakes for Tor Achieving Forward Secrecy in a Quantum World
    Proceedings on Privacy Enhancing Technologies ; 2016 (4):219–236 John M. Schanck*, William Whyte, and Zhenfei Zhang Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world Abstract: We propose a circuit extension handshake for 2. Anonymity: Some one-way authenticated key ex- Tor that is forward secure against adversaries who gain change protocols, such as ntor [13], guarantee that quantum computing capabilities after session negotia- the unauthenticated peer does not reveal their iden- tion. In doing so, we refine the notion of an authen- tity just by participating in the protocol. Such pro- ticated and confidential channel establishment (ACCE) tocols are deemed one-way anonymous. protocol and define pre-quantum, transitional, and post- 3. Forward Secrecy: A protocol provides forward quantum ACCE security. These new definitions reflect secrecy if the compromise of a party’s long-term the types of adversaries that a protocol might be de- key material does not affect the secrecy of session signed to resist. We prove that, with some small mod- keys negotiated prior to the compromise. Forward ifications, the currently deployed Tor circuit extension secrecy is typically achieved by mixing long-term handshake, ntor, provides pre-quantum ACCE security. key material with ephemeral keys that are discarded We then prove that our new protocol, when instantiated as soon as the session has been established. with a post-quantum key encapsulation mechanism, Forward secret protocols are a particularly effective tool achieves the stronger notion of transitional ACCE se- for resisting mass surveillance as they resist a broad curity. Finally, we instantiate our protocol with NTRU- class of harvest-then-decrypt attacks.
    [Show full text]
  • Protecting Public Keys and Signature Keys
    Public-key cryptography offers certain advantages, providing the keys can be 3 adequately protected. For every security threat there must be an appropriate j countermeasure. Protecting Public Keys and Signature Keys Dorothy E. Denning, Purdue University With conventional one-key cryptography, the sender Consider an application environment in which each and receiver of a message share a secret encryption/ user has an intelligent terminal or personal workstation decryption key that allows both parties to encipher (en- where his private key is stored and all cryptographic crypt) and decipher (decrypt) secret messages transmitted operations are performed. This terminal is connected to between them. By separating the encryption and decryp- a nationwide network through a shared host, as shown in tion keys, public-key (two-key) cryptography has two at- Figure 1. The public-key directory is managed by a net- tractive properties that conventional cryptography lacks: work key server. Users communicate with each other or the ability to transmit messages in secrecy without any prior exchange of a secret key, and the ability to imple- ment digital signatures that are legally binding. Public- key encryption alone, however, does not guarantee either message secrecy or signatures. Unless the keys are ade- quately protected, a penetrator may be able to read en- crypted messages or forge signatures. This article discusses the problem ofprotecting keys in a nationwide network using public-key cryptography for secrecy and digital signatures. Particular attention is given to detecting and recovering from key compromises, especially when a high level of security is required. Public-key cryptosystems The concept of public-key cryptography was intro- duced by Diffie and Hellman in 1976.1 The basic idea is that each user A has a public key EA, which is registered in a public directory, and a private key DA, which is known only to the user.
    [Show full text]
  • Secure Remote Password (SRP) Authentication
    Secure Remote Password (SRP) Authentication Tom Wu Stanford University [email protected] Authentication in General ◆ What you are – Fingerprints, retinal scans, voiceprints ◆ What you have – Token cards, smart cards ◆ What you know – Passwords, PINs 2 Password Authentication ◆ Concentrates on “what you know” ◆ No long-term client-side storage ◆ Advantages – Convenience and portability – Low cost ◆ Disadvantages – People pick “bad” passwords – Most password methods are weak 3 Problems and Issues ◆ Dictionary attacks ◆ Plaintext-equivalence ◆ Forward secrecy 4 Dictionary Attacks ◆ An off-line, brute force guessing attack conducted by an attacker on the network ◆ Attacker usually has a “dictionary” of commonly-used passwords to try ◆ People pick easily remembered passwords ◆ “Easy-to-remember” is also “easy-to-guess” ◆ Can be either passive or active 5 Passwords in the Real World ◆ Entropy is less than most people think ◆ Dictionary words, e.g. “pudding”, “plan9” – Entropy: 20 bits or less ◆ Word pairs or phrases, e.g. “hate2die” – Represents average password quality – Entropy: around 30 bits ◆ Random printable text, e.g. “nDz2\u>O” – Entropy: slightly over 50 bits 6 Plaintext-equivalence ◆ Any piece of data that can be used in place of the actual password is “plaintext- equivalent” ◆ Applies to: – Password databases and files – Authentication servers (Kerberos KDC) ◆ One compromise brings entire system down 7 Forward Secrecy ◆ Prevents one compromise from causing further damage Compromising Should Not Compromise Current password Future passwords Old password Current password Current password Current or past session keys Current session key Current password 8 In The Beginning... ◆ Plaintext passwords – e.g. unauthenticated Telnet, rlogin, ftp – Still most common method in use ◆ “Encoded” passwords – e.g.
    [Show full text]
  • NSS: an NTRU Lattice –Based Signature Scheme
    ISSN(Online) : 2319 - 8753 ISSN (Print) : 2347 - 6710 International Journal of Innovative Research in Science, Engineering and Technology (An ISO 3297: 2007 Certified Organization) Vol. 4, Issue 4, April 2015 NSS: An NTRU Lattice –Based Signature Scheme S.Esther Sukila Department of Mathematics, Bharath University, Chennai, Tamil Nadu, India ABSTRACT: Whenever a PKC is designed, it is also analyzed whether it could be used as a signature scheme. In this paper, how the NTRU concept can be used to form a digital signature scheme [1] is described. I. INTRODUCTION Digital Signature Schemes The notion of a digital signature may prove to be one of the most fundamental and useful inventions of modern cryptography. A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. The creator of a message can attach a code, the signature, which guarantees the source and integrity of the message. A valid digital signature gives a recipient reason to believe that the message was created by a known sender and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions etc. Digital signatures are equivalent to traditional handwritten signatures. Properly implemented digital signatures are more difficult to forge than the handwritten type. 1.1A digital signature scheme typically consists of three algorithms A key generationalgorithm, that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key. A signing algorithm, that given a message and a private key produces a signature.
    [Show full text]
  • Lattice-Based Cryptography - a Comparative Description and Analysis of Proposed Schemes
    Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen Thesis submitted for the degree of Master in Informatics: programming and networks 60 credits Department of Informatics Faculty of mathematics and natural sciences UNIVERSITY OF OSLO Autumn 2017 Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen c 2017 Einar Løvhøiden Antonsen Lattice-based cryptography - A comparative description and analysis of proposed schemes http://www.duo.uio.no/ Printed: Reprosentralen, University of Oslo Acknowledgement I would like to thank my supervisor, Leif Nilsen, for all the help and guidance during my work with this thesis. I would also like to thank all my friends and family for the support. And a shoutout to Bliss and the guys there (you know who you are) for providing a place to relax during stressful times. 1 Abstract The standard public-key cryptosystems used today relies mathematical problems that require a lot of computing force to solve, so much that, with the right parameters, they are computationally unsolvable. But there are quantum algorithms that are able to solve these problems in much shorter time. These quantum algorithms have been known for many years, but have only been a problem in theory because of the lack of quantum computers. But with recent development in the building of quantum computers, the cryptographic world is looking for quantum-resistant replacements for today’s standard public-key cryptosystems. Public-key cryptosystems based on lattices are possible replacements. This thesis presents several possible candidates for new standard public-key cryptosystems, mainly NTRU and ring-LWE-based systems.
    [Show full text]
  • Implementation and Performance Evaluation of XTR Over Wireless Network
    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
    [Show full text]
  • Basics of Digital Signatures &
    > DOCUMENT SIGNING > eID VALIDATION > SIGNATURE VERIFICATION > TIMESTAMPING & ARCHIVING > APPROVAL WORKFLOW Basics of Digital Signatures & PKI This document provides a quick background to PKI-based digital signatures and an overview of how the signature creation and verification processes work. It also describes how the cryptographic keys used for creating and verifying digital signatures are managed. 1. Background to Digital Signatures Digital signatures are essentially “enciphered data” created using cryptographic algorithms. The algorithms define how the enciphered data is created for a particular document or message. Standard digital signature algorithms exist so that no one needs to create these from scratch. Digital signature algorithms were first invented in the 1970’s and are based on a type of cryptography referred to as “Public Key Cryptography”. By far the most common digital signature algorithm is RSA (named after the inventors Rivest, Shamir and Adelman in 1978), by our estimates it is used in over 80% of the digital signatures being used around the world. This algorithm has been standardised (ISO, ANSI, IETF etc.) and been extensively analysed by the cryptographic research community and you can say with confidence that it has withstood the test of time, i.e. no one has been able to find an efficient way of cracking the RSA algorithm. Another more recent algorithm is ECDSA (Elliptic Curve Digital Signature Algorithm), which is likely to become popular over time. Digital signatures are used everywhere even when we are not actually aware, example uses include: Retail payment systems like MasterCard/Visa chip and pin, High-value interbank payment systems (CHAPS, BACS, SWIFT etc), e-Passports and e-ID cards, Logging on to SSL-enabled websites or connecting with corporate VPNs.
    [Show full text]
  • DRAFT Special Publication 800-56A, Recommendation for Pair-Wise Key
    The attached DRAFT document (provided here for historical purposes) has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-56A Revision 2 Title: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography Publication Date: 05/13/2013 • Final Publication: https://doi.org/10.6028/NIST.SP.800-56Ar2 (which links to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf). • Information on other NIST Computer Security Division publications and programs can be found at: http://csrc.nist.gov/ The following information was posted with the attached DRAFT document: Aug 20, 2012 SP 800-56 A Rev.1 DRAFT Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (Draft Revision) NIST announces the release of draft revision of Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. SP 800-56A specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and MQV key establishment schemes. The revision is made on the March 2007 version. The main changes are listed in Appendix D. Please submit comments to 56A2012rev-comments @ nist.gov with "Comments on SP 800-56A (Revision)" in the subject line. The comment period closes on October 31, 2012. NIST Special Publication 800-56A Recommendation for Pair-Wise August 2012 Key-Establishment Schemes Using Discrete Logarithm Cryptography (Draft Revision) Elaine Barker, Lily Chen, Miles Smid and Allen Roginsky C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and MQV key establishment schemes.
    [Show full text]
  • A Study on the Security of Ntrusign Digital Signature Scheme
    A Thesis for the Degree of Master of Science A Study on the Security of NTRUSign digital signature scheme SungJun Min School of Engineering Information and Communications University 2004 A Study on the Security of NTRUSign digital signature scheme A Study on the Security of NTRUSign digital signature scheme Advisor : Professor Kwangjo Kim by SungJun Min School of Engineering Information and Communications University A thesis submitted to the faculty of Information and Commu- nications University in partial fulfillment of the requirements for the degree of Master of Science in the School of Engineering Daejeon, Korea Jan. 03. 2004 Approved by (signed) Professor Kwangjo Kim Major Advisor A Study on the Security of NTRUSign digital signature scheme SungJun Min We certify that this work has passed the scholastic standards required by Information and Communications University as a thesis for the degree of Master of Science Jan. 03. 2004 Approved: Chairman of the Committee Kwangjo Kim, Professor School of Engineering Committee Member Jae Choon Cha, Assistant Professor School of Engineering Committee Member Dae Sung Kwon, Ph.D NSRI M.S. SungJun Min 20022052 A Study on the Security of NTRUSign digital signature scheme School of Engineering, 2004, 43p. Major Advisor : Prof. Kwangjo Kim. Text in English Abstract The lattices have been studied by cryptographers for last decades, both in the field of cryptanalysis and as a source of hard problems on which to build encryption schemes. Interestingly, though, research about building secure and efficient
    [Show full text]
  • Elliptic Curve Cryptography and Digital Rights Management
    Lecture 14: Elliptic Curve Cryptography and Digital Rights Management Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) March 9, 2021 5:19pm ©2021 Avinash Kak, Purdue University Goals: • Introduction to elliptic curves • A group structure imposed on the points on an elliptic curve • Geometric and algebraic interpretations of the group operator • Elliptic curves on prime finite fields • Perl and Python implementations for elliptic curves on prime finite fields • Elliptic curves on Galois fields • Elliptic curve cryptography (EC Diffie-Hellman, EC Digital Signature Algorithm) • Security of Elliptic Curve Cryptography • ECC for Digital Rights Management (DRM) CONTENTS Section Title Page 14.1 Why Elliptic Curve Cryptography 3 14.2 The Main Idea of ECC — In a Nutshell 9 14.3 What are Elliptic Curves? 13 14.4 A Group Operator Defined for Points on an Elliptic 18 Curve 14.5 The Characteristic of the Underlying Field and the 25 Singular Elliptic Curves 14.6 An Algebraic Expression for Adding Two Points on 29 an Elliptic Curve 14.7 An Algebraic Expression for Calculating 2P from 33 P 14.8 Elliptic Curves Over Zp for Prime p 36 14.8.1 Perl and Python Implementations of Elliptic 39 Curves Over Finite Fields 14.9 Elliptic Curves Over Galois Fields GF (2n) 52 14.10 Is b =0 a Sufficient Condition for the Elliptic 62 Curve6 y2 + xy = x3 + ax2 + b to Not be Singular 14.11 Elliptic Curves Cryptography — The Basic Idea 65 14.12 Elliptic Curve Diffie-Hellman Secret Key 67 Exchange 14.13 Elliptic Curve Digital Signature Algorithm (ECDSA) 71 14.14 Security of ECC 75 14.15 ECC for Digital Rights Management 77 14.16 Homework Problems 82 2 Computer and Network Security by Avi Kak Lecture 14 Back to TOC 14.1 WHY ELLIPTIC CURVE CRYPTOGRAPHY? • As you saw in Section 12.12 of Lecture 12, the computational overhead of the RSA-based approach to public-key cryptography increases with the size of the keys.
    [Show full text]