PDF Hosted at the Radboud Repository of the Radboud University Nijmegen
Total Page:16
File Type:pdf, Size:1020Kb
PDF hosted at the Radboud Repository of the Radboud University Nijmegen The following full text is a publisher's version. For additional information about this publication click this link. http://hdl.handle.net/2066/204182 Please be advised that this information was generated on 2021-09-24 and may be subject to change. Security on the Line: Modern Curve-based Cryptography Copyright c 2019 Joost Renes ISBN: 978–94–6323–695–9 Typeset using LATEX Cover design: Ilse Modder – www.ilsemodder.nl Printed by: Gildeprint – www.gildeprint.nl This work is part of the research programme TYPHOON with project number 13499, which is (partly) financed by the Netherlands Organisation for Scientific Research (NWO). Security on the Line: Modern Curve-based Cryptography Proefschrift ter verkrijging van de graad van doctor aan de Radboud Universiteit Nijmegen op gezag van de rector magnificus prof. dr. J.H.J.M. van Krieken, volgens besluit van het college van decanen in het openbaar te verdedigen op maandag 1 juli 2019 om 14.30 uur precies door Joost Roland Renes geboren op 26 juni 1991 te Harmelen Promotor Prof. dr. L. Batina Manuscriptcommissie Prof. dr. E.R. Verheul Prof. dr. S.D. Galbraith (University of Auckland, Nieuw-Zeeland) Prof. dr. A.J. Menezes (University of Waterloo, Canada) Dr. N. Heninger (University of California San Diego, Verenigde Staten) Dr. F. Vercauteren (KU Leuven, België) Acknowledgements A unique feature of doing a PhD is that by the end of it, one is expected to deliver a book detailing all personal contributions to the field of study. This inherently high- lights its individual nature, yet one would be wrong to think all these years are spent alone in a dark office (if anything, because no PhD student would ever be given their own office). My academic journey has given me the opportunity to experience life in many different places, and to visit far too many to list here. I would like to take this chance to thank those who have been there along the way to make it all the more worthwhile. First and foremost I would like to thank my promotor Lejla Batina. Her imme- diate enthusiasm convinced me to start on this path, and I have never felt a lack of professional or personal support during. I am very grateful to have had the chance to work with you and for the many exciting things that have happened because of it. During my PhD I have been lucky enough to work with great people. A special thanks goes out to Craig Costello, whom I met at the very beginning of my PhD. We not only collaborated on my first paper (and others after that), but you also gave me the opportunity to spend three great summers at Microsoft Research. In extension, I would like to thank Michael Naehrig for being a great (co-)mentor during said internships. I am proud of the work I have done with both of you, and slightly embarrassed of the persistent failures on the soccer field. I would also like to thank Brian LaMacchia, and the rest of the team, for repeatedly inviting me to the group and creating a great work environment. A final thanks to Ben Smith, whom I had the pleasure to work with and whose impressively detailed yet simple way of describing many topics has tremendously improved my understanding numerous times. I would like to thank the members of my reading committee Eric Verheul, Steven Galbraith, Alfred Menezes, Nadia Heninger and Fréderik Vercauteren for taking the time to go through this lengthy thesis. Also, I thank my co-authors Wouter Castryck, Huseyin Hisil, David Jao, Tanja Lange, Patrick Longa, Chloe Martindale, Lorenz vi Acknowledgements Panny, Peter Schwabe, David Urbanik and Fernando Virdia for their hard work and the great discussions along the way. A particular thanks to Fréderik Vercauteren and Steven Galbraith for inviting me to spend some time at their respective research groups, and to Lorenz Panny for his detailed and helpful comments on a preliminary version of the first part of this thesis. Despite all the moving around, most of my time has still been spent in Nijmegen. I have been a proud member of the Digital Security Group, all of whose (past) mem- bers I would like to thank for their warmth and kindness through coffee breaks, Friday beers and game nights. I am proud to have created many friendships that I am sure will last beyond the brief scope of a PhD. In particular, a special thanks goes out to Pedro, who has literally been there since day one on the job. It has been a pleasure to have shared an office for all this time, and I consider it a miracle that I have not gained weight over the years. I would also like to thank Louiza for her friendship and advice through the years, whom I was honored to be a paranimph for. I thank Joan Daemen and Peter Schwabe for their support and nice discussions related to teaching and research. I would like to thank my parents and my brothers for their continued support, for always giving me a place to return home to, and for being there during trying times. Finally, a heartfelt thanks to Anna for her love and invaluable support during the concluding months of this thesis, which have without a doubt been the most chal- lenging. I am proud to start the next journey by your side. Joost Renes Nijmegen, May 2019 Contents Acknowledgements v Introduction xiii List of Symbols xxiii 1 Background 1 I Elliptic and Hyperelliptic Curves 3 1 Algebraic Curves . .3 2 Curves of Genus 1 and 2 . .7 2.1 Elliptic Curves . .8 2.2 Hyperelliptic Curves of Genus 2 . 17 II Curve-based Cryptographic Protocols 21 1 Classical Cryptography . 21 1.1 Diffie–Hellman . 22 1.2 Schnorr Signatures . 23 2 Post-Quantum Cryptography . 25 2.1 Supersingular Isogeny Diffie–Hellman . 25 2.2 Ordinary Isogeny Diffie–Hellman . 27 2 Classical Cryptography 29 III Complete Addition Formulas for Prime Order Elliptic Curves 31 viii Contents 1 Introduction . 32 2 Complete Addition Formulas . 38 2.1 The General Case . 39 2.2 The Case a = −3 ........................... 42 2.3 The Case a = 0 ............................ 44 3 Some Intuition Towards Optimality . 44 3.1 Choice of Y = 0 for Bidegree (2, 2) Addition Laws . 46 3.2 Jacobian Coordinates . 47 4 Using These Formulas in Practice . 48 4.1 Application to Prime Order Curves . 48 4.2 Interoperability With Composite Order Curves . 50 4.3 An OpenSSL Implementation . 51 5 Hardware Implementations . 53 A Magma Verification Code for Parallel ADD ................. 56 IV mKummer: Efficient Hyperelliptic Signatures and Key Exchange 59 1 Introduction . 59 2 High-level Overview . 61 2.1 Signatures . 61 2.2 Diffie-Hellman Key Exchange. 64 3 Algorithms and Their Implementation . 64 3.1 The Field Fp .............................. 64 3.2 The Curve C and Its Theta Constants . 66 3.3 Compressed and Decompressed Elements of JC ......... 67 3.4 The Kummer Surface KC ...................... 69 3.5 Pseudo-addition on KC ....................... 69 4 Scalar Multiplication . 71 4.1 Pseudomultiplication on KC .................... 71 4.2 Point Recovery from KC to JC ................... 74 4.3 Full Scalar Multiplication on JC .................. 75 5 Results and Comparison . 77 V qDSA: Small and Secure Digital Signatures 81 1 Introduction . 82 2 The qDSA Signature Scheme . 83 2.1 The Kummer Variety Setting . 84 2.2 Basic Operations . 84 Contents ix 2.3 The qID Identification Protocol . 85 2.4 Applying Fiat–Shamir . 87 2.5 The qDSA Signature Scheme . 87 3 Implementing qDSA with Elliptic Curves . 90 3.1 Montgomery Curves . 90 3.2 Signature Verification . 91 3.3 Using Cryptographic Parameters . 92 4 Implementing qDSA with Kummer Surfaces . 92 4.1 Constants . 93 4.2 Fast Kummer Surfaces . 95 4.3 Deconstructing Pseudo-doubling . 95 5 Signature Verification on Kummer Surfaces . 98 5.1 Biquadratic Forms and Pseudo-addition . 98 5.2 Deriving Efficiently Computable Forms . 99 5.3 Signature Verification . 101 5.4 Using Cryptographic Parameters . 101 6 Kummer Point Compression . 103 6.1 The General Principle . 104 6.2 From Squared Kummers to Tetragonal Kummers . 105 6.3 Compression and Decompression for KSqr ............ 107 6.4 Using Cryptographic Parameters . 110 7 Implementation . 110 7.1 Core Functionality . 111 7.2 Comparison to Previous Work . 111 A Elliptic Implementation Details . 114 A.1 Pseudoscalar Multiplication . 114 A.2 The BVALUES Subroutine for Signature Verification . 114 B Kummer Surface Implementation Details . 116 B.1 Scalar Pseudomultiplication . 116 B.2 Subroutines for Signature Verification . 116 B.3 Subroutines for Compression and Decompression . 118 VI On Kummer Lines with Full Rational 2-torsion 121 1 Introduction . 121 2 Notation . 123 3 Maps between Kummer Lines . 125 3.1 Models with Rational 2-torsion . 126 x Contents 3.2 Actions of Points of Order 2 . 129 3.3 Hybrid Kummer Lines . 131 4 Isomorphism Classes over Finite Fields . 133 4.1 Identifying Kummer Lines . 133 4.2 Canonical Kummer Lines . 134 4.3 Squared and Intermediate Kummer Lines . 134 3 Post-Quantum Cryptography 137 VII Efficient Compression of SIDH Public Keys 139 1 Introduction . 140 2 Constructing Torsion Bases . 146 2.1 Square Roots, Cube Roots, and Elligator 2 . 147 eA 2.2 Generating a Torsion Basis for E(Fp2 )[2 ] ............ 148 eB 2.3 Generating a Torsion Basis for E(Fp2 )[3 ] ............ 149 3 The Tate Pairing Computation . 151 3.1 Optimized Miller Functions . 152 3.2 Parallel Pairing Computation and the Final Exponentiation . 155 4 Efficient Pohlig-Hellman in m`e ....................... 156 4.1 Arithmetic in the Cyclotomic Subgroup .