PDF Hosted at the Radboud Repository of the Radboud University Nijmegen

Total Page:16

File Type:pdf, Size:1020Kb

PDF Hosted at the Radboud Repository of the Radboud University Nijmegen PDF hosted at the Radboud Repository of the Radboud University Nijmegen The following full text is a publisher's version. For additional information about this publication click this link. http://hdl.handle.net/2066/204182 Please be advised that this information was generated on 2021-09-24 and may be subject to change. Security on the Line: Modern Curve-based Cryptography Copyright c 2019 Joost Renes ISBN: 978–94–6323–695–9 Typeset using LATEX Cover design: Ilse Modder – www.ilsemodder.nl Printed by: Gildeprint – www.gildeprint.nl This work is part of the research programme TYPHOON with project number 13499, which is (partly) financed by the Netherlands Organisation for Scientific Research (NWO). Security on the Line: Modern Curve-based Cryptography Proefschrift ter verkrijging van de graad van doctor aan de Radboud Universiteit Nijmegen op gezag van de rector magnificus prof. dr. J.H.J.M. van Krieken, volgens besluit van het college van decanen in het openbaar te verdedigen op maandag 1 juli 2019 om 14.30 uur precies door Joost Roland Renes geboren op 26 juni 1991 te Harmelen Promotor Prof. dr. L. Batina Manuscriptcommissie Prof. dr. E.R. Verheul Prof. dr. S.D. Galbraith (University of Auckland, Nieuw-Zeeland) Prof. dr. A.J. Menezes (University of Waterloo, Canada) Dr. N. Heninger (University of California San Diego, Verenigde Staten) Dr. F. Vercauteren (KU Leuven, België) Acknowledgements A unique feature of doing a PhD is that by the end of it, one is expected to deliver a book detailing all personal contributions to the field of study. This inherently high- lights its individual nature, yet one would be wrong to think all these years are spent alone in a dark office (if anything, because no PhD student would ever be given their own office). My academic journey has given me the opportunity to experience life in many different places, and to visit far too many to list here. I would like to take this chance to thank those who have been there along the way to make it all the more worthwhile. First and foremost I would like to thank my promotor Lejla Batina. Her imme- diate enthusiasm convinced me to start on this path, and I have never felt a lack of professional or personal support during. I am very grateful to have had the chance to work with you and for the many exciting things that have happened because of it. During my PhD I have been lucky enough to work with great people. A special thanks goes out to Craig Costello, whom I met at the very beginning of my PhD. We not only collaborated on my first paper (and others after that), but you also gave me the opportunity to spend three great summers at Microsoft Research. In extension, I would like to thank Michael Naehrig for being a great (co-)mentor during said internships. I am proud of the work I have done with both of you, and slightly embarrassed of the persistent failures on the soccer field. I would also like to thank Brian LaMacchia, and the rest of the team, for repeatedly inviting me to the group and creating a great work environment. A final thanks to Ben Smith, whom I had the pleasure to work with and whose impressively detailed yet simple way of describing many topics has tremendously improved my understanding numerous times. I would like to thank the members of my reading committee Eric Verheul, Steven Galbraith, Alfred Menezes, Nadia Heninger and Fréderik Vercauteren for taking the time to go through this lengthy thesis. Also, I thank my co-authors Wouter Castryck, Huseyin Hisil, David Jao, Tanja Lange, Patrick Longa, Chloe Martindale, Lorenz vi Acknowledgements Panny, Peter Schwabe, David Urbanik and Fernando Virdia for their hard work and the great discussions along the way. A particular thanks to Fréderik Vercauteren and Steven Galbraith for inviting me to spend some time at their respective research groups, and to Lorenz Panny for his detailed and helpful comments on a preliminary version of the first part of this thesis. Despite all the moving around, most of my time has still been spent in Nijmegen. I have been a proud member of the Digital Security Group, all of whose (past) mem- bers I would like to thank for their warmth and kindness through coffee breaks, Friday beers and game nights. I am proud to have created many friendships that I am sure will last beyond the brief scope of a PhD. In particular, a special thanks goes out to Pedro, who has literally been there since day one on the job. It has been a pleasure to have shared an office for all this time, and I consider it a miracle that I have not gained weight over the years. I would also like to thank Louiza for her friendship and advice through the years, whom I was honored to be a paranimph for. I thank Joan Daemen and Peter Schwabe for their support and nice discussions related to teaching and research. I would like to thank my parents and my brothers for their continued support, for always giving me a place to return home to, and for being there during trying times. Finally, a heartfelt thanks to Anna for her love and invaluable support during the concluding months of this thesis, which have without a doubt been the most chal- lenging. I am proud to start the next journey by your side. Joost Renes Nijmegen, May 2019 Contents Acknowledgements v Introduction xiii List of Symbols xxiii 1 Background 1 I Elliptic and Hyperelliptic Curves 3 1 Algebraic Curves . .3 2 Curves of Genus 1 and 2 . .7 2.1 Elliptic Curves . .8 2.2 Hyperelliptic Curves of Genus 2 . 17 II Curve-based Cryptographic Protocols 21 1 Classical Cryptography . 21 1.1 Diffie–Hellman . 22 1.2 Schnorr Signatures . 23 2 Post-Quantum Cryptography . 25 2.1 Supersingular Isogeny Diffie–Hellman . 25 2.2 Ordinary Isogeny Diffie–Hellman . 27 2 Classical Cryptography 29 III Complete Addition Formulas for Prime Order Elliptic Curves 31 viii Contents 1 Introduction . 32 2 Complete Addition Formulas . 38 2.1 The General Case . 39 2.2 The Case a = −3 ........................... 42 2.3 The Case a = 0 ............................ 44 3 Some Intuition Towards Optimality . 44 3.1 Choice of Y = 0 for Bidegree (2, 2) Addition Laws . 46 3.2 Jacobian Coordinates . 47 4 Using These Formulas in Practice . 48 4.1 Application to Prime Order Curves . 48 4.2 Interoperability With Composite Order Curves . 50 4.3 An OpenSSL Implementation . 51 5 Hardware Implementations . 53 A Magma Verification Code for Parallel ADD ................. 56 IV mKummer: Efficient Hyperelliptic Signatures and Key Exchange 59 1 Introduction . 59 2 High-level Overview . 61 2.1 Signatures . 61 2.2 Diffie-Hellman Key Exchange. 64 3 Algorithms and Their Implementation . 64 3.1 The Field Fp .............................. 64 3.2 The Curve C and Its Theta Constants . 66 3.3 Compressed and Decompressed Elements of JC ......... 67 3.4 The Kummer Surface KC ...................... 69 3.5 Pseudo-addition on KC ....................... 69 4 Scalar Multiplication . 71 4.1 Pseudomultiplication on KC .................... 71 4.2 Point Recovery from KC to JC ................... 74 4.3 Full Scalar Multiplication on JC .................. 75 5 Results and Comparison . 77 V qDSA: Small and Secure Digital Signatures 81 1 Introduction . 82 2 The qDSA Signature Scheme . 83 2.1 The Kummer Variety Setting . 84 2.2 Basic Operations . 84 Contents ix 2.3 The qID Identification Protocol . 85 2.4 Applying Fiat–Shamir . 87 2.5 The qDSA Signature Scheme . 87 3 Implementing qDSA with Elliptic Curves . 90 3.1 Montgomery Curves . 90 3.2 Signature Verification . 91 3.3 Using Cryptographic Parameters . 92 4 Implementing qDSA with Kummer Surfaces . 92 4.1 Constants . 93 4.2 Fast Kummer Surfaces . 95 4.3 Deconstructing Pseudo-doubling . 95 5 Signature Verification on Kummer Surfaces . 98 5.1 Biquadratic Forms and Pseudo-addition . 98 5.2 Deriving Efficiently Computable Forms . 99 5.3 Signature Verification . 101 5.4 Using Cryptographic Parameters . 101 6 Kummer Point Compression . 103 6.1 The General Principle . 104 6.2 From Squared Kummers to Tetragonal Kummers . 105 6.3 Compression and Decompression for KSqr ............ 107 6.4 Using Cryptographic Parameters . 110 7 Implementation . 110 7.1 Core Functionality . 111 7.2 Comparison to Previous Work . 111 A Elliptic Implementation Details . 114 A.1 Pseudoscalar Multiplication . 114 A.2 The BVALUES Subroutine for Signature Verification . 114 B Kummer Surface Implementation Details . 116 B.1 Scalar Pseudomultiplication . 116 B.2 Subroutines for Signature Verification . 116 B.3 Subroutines for Compression and Decompression . 118 VI On Kummer Lines with Full Rational 2-torsion 121 1 Introduction . 121 2 Notation . 123 3 Maps between Kummer Lines . 125 3.1 Models with Rational 2-torsion . 126 x Contents 3.2 Actions of Points of Order 2 . 129 3.3 Hybrid Kummer Lines . 131 4 Isomorphism Classes over Finite Fields . 133 4.1 Identifying Kummer Lines . 133 4.2 Canonical Kummer Lines . 134 4.3 Squared and Intermediate Kummer Lines . 134 3 Post-Quantum Cryptography 137 VII Efficient Compression of SIDH Public Keys 139 1 Introduction . 140 2 Constructing Torsion Bases . 146 2.1 Square Roots, Cube Roots, and Elligator 2 . 147 eA 2.2 Generating a Torsion Basis for E(Fp2 )[2 ] ............ 148 eB 2.3 Generating a Torsion Basis for E(Fp2 )[3 ] ............ 149 3 The Tate Pairing Computation . 151 3.1 Optimized Miller Functions . 152 3.2 Parallel Pairing Computation and the Final Exponentiation . 155 4 Efficient Pohlig-Hellman in m`e ....................... 156 4.1 Arithmetic in the Cyclotomic Subgroup .
Recommended publications
  • On Abelian Subgroups of Finitely Generated Metabelian
    J. Group Theory 16 (2013), 695–705 DOI 10.1515/jgt-2013-0011 © de Gruyter 2013 On abelian subgroups of finitely generated metabelian groups Vahagn H. Mikaelian and Alexander Y. Olshanskii Communicated by John S. Wilson To Professor Gilbert Baumslag to his 80th birthday Abstract. In this note we introduce the class of H-groups (or Hall groups) related to the class of B-groups defined by P. Hall in the 1950s. Establishing some basic properties of Hall groups we use them to obtain results concerning embeddings of abelian groups. In particular, we give an explicit classification of all abelian groups that can occur as subgroups in finitely generated metabelian groups. Hall groups allow us to give a negative answer to G. Baumslag’s conjecture of 1990 on the cardinality of the set of isomorphism classes for abelian subgroups in finitely generated metabelian groups. 1 Introduction The subject of our note goes back to the paper of P. Hall [7], which established the properties of abelian normal subgroups in finitely generated metabelian and abelian-by-polycyclic groups. Let B be the class of all abelian groups B, where B is an abelian normal subgroup of some finitely generated group G with polycyclic quotient G=B. It is proved in [7, Lemmas 8 and 5.2] that B H, where the class H of countable abelian groups can be defined as follows (in the present paper, we will call the groups from H Hall groups). By definition, H H if 2 (1) H is a (finite or) countable abelian group, (2) H T K; where T is a bounded torsion group (i.e., the orders of all ele- D ˚ ments in T are bounded), K is torsion-free, (3) K has a free abelian subgroup F such that K=F is a torsion group with trivial p-subgroups for all primes except for the members of a finite set .K/.
    [Show full text]
  • Nearly Isomorphic Torsion Free Abelian Groups
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Elsevier - Publisher Connector JOURNAL OF ALGEBRA 35, 235-238 (1975) Nearly Isomorphic Torsion Free Abelian Groups E. L. LADY University of Kansas, Lawrence, Kansas 66044* Communicated by D. Buchsbaum Received December 7, 1973 Let K be the Krull-Schmidt-Grothendieck group for the category of finite rank torsion free abelian groups. The torsion subgroup T of K is determined and it is proved that K/T is free. The investigation of T leads to the concept of near isomorphism, a new equivalence relation for finite rank torsion free abelian groups which is stronger than quasiisomorphism. If & is an additive category, then the Krull-Schmidt-Grothendieck group K(d) is defined by generators [A], , where A E &, and relations [A]& = m-2 + [af? Pwhenever A w B @ C. It is well-known that every element in K(&‘) can be written in the form [A],cJ - [Bls/ , and that [A],, = [B], ifandonlyifA @L = B @LforsomeLE.&. We let ,F denote the category of finite rank torsion free abelian groups, and we write K = K(3). We will write [G] rather than [G],7 for the class of [G] in K. If G, H ~9, then Hom(G, H) and End(G) will have the usual significance. For any other category ~9’, &(G, H) and d(G) will denote the corresponding group of $Z-homomorphisms and ring of cpJ-endomorphisms. We now proceed to define categories M and NP, where p is a prime number or 0.
    [Show full text]
  • THE TORSION in SYMMETRIC POWERS on CONGRUENCE SUBGROUPS of BIANCHI GROUPS Jonathan Pfaff, Jean Raimbault
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Archive Ouverte en Sciences de l'Information et de la Communication THE TORSION IN SYMMETRIC POWERS ON CONGRUENCE SUBGROUPS OF BIANCHI GROUPS Jonathan Pfaff, Jean Raimbault To cite this version: Jonathan Pfaff, Jean Raimbault. THE TORSION IN SYMMETRIC POWERS ON CONGRUENCE SUBGROUPS OF BIANCHI GROUPS. Transactions of the American Mathematical Society, Ameri- can Mathematical Society, 2020, 373 (1), pp.109-148. 10.1090/tran/7875. hal-02358132 HAL Id: hal-02358132 https://hal.archives-ouvertes.fr/hal-02358132 Submitted on 11 Nov 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THE TORSION IN SYMMETRIC POWERS ON CONGRUENCE SUBGROUPS OF BIANCHI GROUPS JONATHAN PFAFF AND JEAN RAIMBAULT Abstract. In this paper we prove that for a fixed neat principal congruence subgroup of a Bianchi group the order of the torsion part of its second cohomology group with coefficients in an integral lattice associated to the m-th symmetric power of the standard 2 representation of SL2(C) grows exponentially in m . We give upper and lower bounds for the growth rate.
    [Show full text]
  • Post-Quantum Cryptography
    Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago; Ruhr University Bochum & Technische Universiteit Eindhoven 12 September 2020 I Motivation #1: Communication channels are spying on our data. I Motivation #2: Communication channels are modifying our data. I Literal meaning of cryptography: \secret writing". I Achieves various security goals by secretly transforming messages. I Confidentiality: Eve cannot infer information about the content I Integrity: Eve cannot modify the message without this being noticed I Authenticity: Bob is convinced that the message originated from Alice Cryptography with symmetric keys AES-128. AES-192. AES-256. AES-GCM. ChaCha20. HMAC-SHA-256. Poly1305. SHA-2. SHA-3. Salsa20. Cryptography with public keys BN-254. Curve25519. DH. DSA. ECDH. ECDSA. EdDSA. NIST P-256. NIST P-384. NIST P-521. RSA encrypt. RSA sign. secp256k1. Cryptography / Sender Receiver \Alice" \Bob" Tsai Ing-Wen picture credit: By =q府, Attribution, Wikimedia. Donald Trump picture credit: By Shealah Craighead - White House, Public Domain, Wikimedia. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography2 Cryptography with symmetric keys AES-128. AES-192. AES-256. AES-GCM. ChaCha20. HMAC-SHA-256. Poly1305. SHA-2. SHA-3. Salsa20. I Literal meaning of cryptography: \secret writing". Cryptography with public keys Achieves various security goals by secretly transforming messages. BN-254I . Curve25519. DH. DSA. ECDH. ECDSA. EdDSA. NIST P-256. NIST P-384. Confidentiality: Eve cannot infer information about the content NISTI P-521. RSA encrypt. RSA sign. secp256k1. I Integrity: Eve cannot modify the message without this being noticed I Authenticity: Bob is convinced that the message originated from Alice Cryptography / Sender Untrustworthy network Receiver \Alice" \Eve" \Bob" I Motivation #1: Communication channels are spying on our data.
    [Show full text]
  • Secure Authentication Protocol for Internet of Things Achraf Fayad
    Secure authentication protocol for Internet of Things Achraf Fayad To cite this version: Achraf Fayad. Secure authentication protocol for Internet of Things. Networking and Internet Archi- tecture [cs.NI]. Institut Polytechnique de Paris, 2020. English. NNT : 2020IPPAT051. tel-03135607 HAL Id: tel-03135607 https://tel.archives-ouvertes.fr/tel-03135607 Submitted on 9 Feb 2021 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Protocole d’authentification securis´ e´ pour les objets connectes´ These` de doctorat de l’Institut Polytechnique de Paris prepar´ ee´ a` Tel´ ecom´ Paris Ecole´ doctorale n◦626 Ecole´ doctorale de l’Institut Polytechnique de Paris (EDIPP) Specialit´ e´ de doctorat : Reseaux,´ informations et communications NNT : 2020IPPAT051 These` present´ ee´ et soutenue a` Palaiseau, le 14 decembre´ 2020, par ACHRAF FAYAD Composition du Jury : Ken CHEN Professeur, Universite´ Paris 13 Nord President´ Pascal LORENZ Professeur, Universite´ de Haute-Alsace (UHA) Rapporteur Ahmed MEHAOUA Professeur, Universite´ Paris Descartes Rapporteur Lyes KHOUKHI Professeur, Ecole´ Nationale Superieure´ d’Ingenieurs´ de Examinateur Caen-ENSICAEN Ahmad FADLALLAH Associate Professor, University of Sciences and Arts in Lebanon Examinateur (USAL) Rida KHATOUN Maˆıtre de conferences,´ Tel´ ecom´ Paris Directeur de these` Ahmed SERHROUCHNI Professeur, Tel´ ecom´ Paris Co-directeur de these` Badis HAMMI Associate Professor, Ecole´ pour l’informatique et les techniques Invite´ avancees´ (EPITA) 626 Acknowledgments First, I would like to thank my thesis supervisor Dr.
    [Show full text]
  • Math 521 – Homework 5 Due Thursday, September 26, 2019 at 10:15Am
    Math 521 { Homework 5 Due Thursday, September 26, 2019 at 10:15am Problem 1 (DF 5.1.12). Let I be any nonempty index set and let Gi be a group for each i 2 I. The restricted direct product or direct sum of the groups Gi is the set of elements of the direct product which are the identity in all but finitely many components, that is, the Q set of elements (ai)i2I 2 i2I Gi such that ai = 1i for all but a finite number of i 2 I, where 1i is the identity of Gi. (a) Prove that the restricted direct product is a subgroup of the direct product. (b) Prove that the restricted direct produce is normal in the direct product. (c) Let I = Z+, let pi denote the ith prime integer, and let Gi = Z=piZ for all i 2 Z+. Show that every element of the restricted direct product of the Gi's has finite order but the direct product Q G has elements of infinite order. Show that in this i2Z+ i example, the restricted direct product is the torsion subgroup of Q G . i2Z+ i Problem 2 (≈DF 5.5.8). (a) Show that (up to isomorphism), there are exactly two abelian groups of order 75. (b) Show that the automorphism group of Z=5Z×Z=5Z is isomorphic to GL2(F5), where F5 is the field Z=5Z. What is the size of this group? (c) Show that there exists a non-abelian group of order 75. (d) Show that there is no non-abelian group of order 75 with an element of order 25.
    [Show full text]
  • Alternative Elliptic Curve Representations
    Alternative Elliptic Curve Representations draft-struik-lwig-curve-representations-00 René Struik Struik Security Consultancy E-mail: [email protected] IETF 101draft-struik – London,-lwig-curve- representationsUK, March-002018 1 Outline 1. The ECC Algorithm Zoo – NIST curve P-256, ECDSA – Curve25519 – Ed25519 2. Implementation Detail 3. How to Reuse Code 4. How to Reuse Existing Standards 5. Conclusions draft-struik-lwig-curve-representations-00 2 ECC Algorithm Zoo (1) NIST curves: Curve model: Weierstrass curve Curve equation: y2 = x3 + ax + b (mod p) Base point: G=(Gx, Gy) Scalar multiplication: addition formulae using, e.g., mixed Jacobian coordinates Point representation: both coordinates of point P=(X, Y) (affine coordinates) 0x04 || X || Y in most-significant-bit/octet first order Examples: NIST P-256 (ANSI X9.62, NIST SP 800-56a, SECG, etc.); Brainpool256r1 (RFC 5639) ECDSA: Signature: R || s in most-significant-bit/octet first order Signing equation: e = s k + d r (mod n), where e=Hash(m) Example: ECDSA, w/ P-256 and SHA-256 (FIPS 186-4, ANSI X9.62, etc.) Note: message m pre-hashed draft-struik-lwig-curve-representations-00 3 ECC Algorithm Zoo (2) CFRG curves: Curve model: Montgomery curve Curve equation: By2 = x3 + Ax2 + x (mod p) Base point: G=(Gx, Gy) Scalar multiplication: Montgomery ladder, using projective coordinates [X: :Z] Point representation: x-coordinate of point P=(X, Y) (x-coordinate-only) X in least-significant-octet, most-significant-bit first order Examples: Curve25519, Curve448 (RFC 7748) DH Key agreement:
    [Show full text]
  • On the Growth of Torsion in the Cohomology of Arithmetic Groups
    ON THE GROWTH OF TORSION IN THE COHOMOLOGY OF ARITHMETIC GROUPS A. ASH, P. E. GUNNELLS, M. MCCONNELL, AND D. YASAKI Abstract. Let G be a semisimple Lie group with associated symmetric space D, and let Γ G be a cocompact arithmetic group. Let L be a lattice in- side a ZΓ-module⊂ arising from a rational finite-dimensional complex representa- tion of G. Bergeron and Venkatesh recently gave a precise conjecture about the growth of the order of the torsion subgroup Hi(Γk; L )tors as Γk ranges over a tower of congruence subgroups of Γ. In particular they conjectured that the ra- tio log Hi(Γk; L )tors /[Γ:Γk] should tend to a nonzero limit if and only if i = (dim(D|) 1)/2 and G| is a group of deficiency 1. Furthermore, they gave a precise expression− for the limit. In this paper, we investigate computationally the cohomol- ogy of several (non-cocompact) arithmetic groups, including GLn(Z) for n = 3, 4, 5 and GL2(O) for various rings of integers, and observe its growth as a function of level. In all cases where our dataset is sufficiently large, we observe excellent agree- ment with the same limit as in the predictions of Bergeron–Venkatesh. Our data also prompts us to make two new conjectures on the growth of torsion not covered by the Bergeron–Venkatesh conjecture. 1. Introduction 1.1. Let G be a connected semisimple Q-group with group of real points G = G(R). Suppose Γ G(Q) is an arithmetic subgroup and M is a ZΓ-module arising from a rational finite-dimensional⊂ complex representation of G.
    [Show full text]
  • Security Analysis of the Signal Protocol Student: Bc
    ASSIGNMENT OF MASTER’S THESIS Title: Security Analysis of the Signal Protocol Student: Bc. Jan Rubín Supervisor: Ing. Josef Kokeš Study Programme: Informatics Study Branch: Computer Security Department: Department of Computer Systems Validity: Until the end of summer semester 2018/19 Instructions 1) Research the current instant messaging protocols, describe their properties, with a particular focus on security. 2) Describe the Signal protocol in detail, its usage, structure, and functionality. 3) Select parts of the protocol with a potential for security vulnerabilities. 4) Analyze these parts, particularly the adherence of their code to their documentation. 5) Discuss your findings. Formulate recommendations for the users. References Will be provided by the supervisor. prof. Ing. Róbert Lórencz, CSc. doc. RNDr. Ing. Marcel Jiřina, Ph.D. Head of Department Dean Prague January 27, 2018 Czech Technical University in Prague Faculty of Information Technology Department of Computer Systems Master’s thesis Security Analysis of the Signal Protocol Bc. Jan Rub´ın Supervisor: Ing. Josef Kokeˇs 1st May 2018 Acknowledgements First and foremost, I would like to express my sincere gratitude to my thesis supervisor, Ing. Josef Kokeˇs,for his guidance, engagement, extensive know- ledge, and willingness to meet at our countless consultations. I would also like to thank my brother, Tom´aˇsRub´ın,for proofreading my thesis. I cannot express enough gratitude towards my parents, Lenka and Jaroslav Rub´ınovi, who supported me both morally and financially through my whole studies. Last but not least, this thesis would not be possible without Anna who re- lentlessly supported me when I needed it most. Declaration I hereby declare that the presented thesis is my own work and that I have cited all sources of information in accordance with the Guideline for adhering to ethical principles when elaborating an academic final thesis.
    [Show full text]
  • Multi-Party Encrypted Messaging Protocol Design Document, Release 0.3-2-Ge104946
    Multi-Party Encrypted Messaging Protocol design document Release 0.3-2-ge104946 Mega Limited, Auckland, New Zealand Guy Kloss <[email protected]> arXiv:1606.04593v1 [cs.CR] 14 Jun 2016 11 January 2016 CONTENTS 1 Strongvelope Multi-Party Encrypted Messaging Protocol 2 1.1 Intent.......................................... ....... 2 1.2 SecurityProperties.............................. ............ 2 1.3 ScopeandLimitations ............................. ........... 3 1.4 Assumptions ..................................... ........ 3 1.5 Messages........................................ ....... 3 1.6 Terminology ..................................... ........ 4 2 Cryptographic Primitives 5 2.1 KeyPairforAuthentication . ............. 5 2.2 KeyAgreement.................................... ........ 5 2.3 (Sender)KeyEncryption. ............ 5 2.4 MessageAuthentication . ............ 6 2.5 MessageEncryption ............................... .......... 6 3 Message Encryption 7 3.1 SenderKeyExchange ............................... ......... 7 3.2 ContentEncryption............................... ........... 8 4 Protocol Encoding 9 4.1 TLVTypes ........................................ ...... 9 4.2 MessageSignatures ............................... .......... 10 4.3 MessageTypes.................................... ........ 10 4.4 KeyedMessages ................................... ........ 10 4.5 FollowupMessages ................................ ......... 10 4.6 AlterParticipantMessages. .............. 11 4.7 LegacySenderKeyEncryption . ............ 11 4.8 SenderKeystoInclude...
    [Show full text]
  • Practical Fault Attack Against the Ed25519 and Eddsa Signature Schemes
    Practical fault attack against the Ed25519 and EdDSA signature schemes Yolan Romailler, Sylvain Pelissier Kudelski Security Cheseaux-sur-Lausanne, Switzerland fyolan.romailler,[email protected] main advantages is that its scalar multiplication can be Abstract—The Edwards-curve Digital Signature Algorithm implemented without secret dependent branch and lookup, (EdDSA) was proposed to perform fast public-key digital avoiding the risk of side-channel leakage. More recently, a signatures as a replacement for the Elliptic Curve Digital Signature Algorithm (ECDSA). Its key advantages for em- new digital signature algorithm, namely Ed25519 [6], was bedded devices are higher performance and straightforward, proposed based on the curve edwards25519, i.e., the Edward secure implementations. Indeed, neither branch nor lookup twist of Curve25519. This algorithm was then generalized operations depending on the secret values are performed to other curves and called EdDSA [7]. Due to its various during a signature. These properties thwart many side-channel advantages [7], EdDSA was quickly implemented in many attacks. Nevertheless, we demonstrate here that a single-fault attack against EdDSA can recover enough private key material products and libraries, such as OpenSSH [8]. It was also to forge valid signatures for any message. We demonstrate a recently formally defined in RFC 8032 [9]. practical application of this attack against an implementation The authors of EdDSA did not make any claims about its on Arduino Nano. To the authors’ best knowledge this is the security against fault attacks. However, its resistance to fault first practical fault attack against EdDSA or Ed25519. attacks is discussed in [10]–[12] and taken into account by Keywords-EdDSA; Ed25519; fault attack; digital signature Perrin in [13].
    [Show full text]
  • (Not) to Design and Implement Post-Quantum Cryptography
    SoK: How (not) to Design and Implement Post-Quantum Cryptography James Howe1 , Thomas Prest1 , and Daniel Apon2 1 PQShield, Oxford, UK. {james.howe,thomas.prest}@pqshield.com 2 National Institute of Standards and Technology, USA. [email protected] Abstract Post-quantum cryptography has known a Cambrian explo- sion in the last decade. What started as a very theoretical and mathe- matical area has now evolved into a sprawling research ˝eld, complete with side-channel resistant embedded implementations, large scale de- ployment tests and standardization e˙orts. This study systematizes the current state of knowledge on post-quantum cryptography. Compared to existing studies, we adopt a transversal point of view and center our study around three areas: (i) paradigms, (ii) implementation, (iii) deployment. Our point of view allows to cast almost all classical and post-quantum schemes into just a few paradigms. We highlight trends, common methodologies, and pitfalls to look for and recurrent challenges. 1 Introduction Since Shor's discovery of polynomial-time quantum algorithms for the factoring and discrete logarithm problems, researchers have looked at ways to manage the potential advent of large-scale quantum computers, a prospect which has become much more tangible of late. The proposed solutions are cryptographic schemes based on problems assumed to be resistant to quantum computers, such as those related to lattices or hash functions. Post-quantum cryptography (PQC) is an umbrella term that encompasses the design, implementation, and integration of these schemes. This document is a Systematization of Knowledge (SoK) on this diverse and progressive topic. We have made two editorial choices.
    [Show full text]