Your search keyword '"Elliptic Curve Digital Signature Algorithm"' showing total 49 results

1. Efficient Online-friendly Two-Party ECDSA Signature

Author

Man Ho Au, Handong Cui, Tsz Hon Yuen, Haiyang Xue, and Xiang Xie

Subjects

Computer engineering, Oblivious transfer, Computer science, Ciphertext, Elliptic Curve Digital Signature Algorithm, Key (cryptography), Homomorphic encryption, Zero-knowledge proof, Signature (logic), Cryptographic nonce

Abstract

Two-party ECDSA signatures have received much attention due to their widespread deployment in cryptocurrencies. Depending on whether or not the message is required, we could divide two-party signing into two different phases, namely, offline and online. Ideally, the online phase should be made as lightweight as possible. At the same time, the cost of the offline phase should remain similar to that of a normal signature generation. However, the existing two-party protocols of ECDSA are not optimal: either their online phase requires decryption of a ciphertext, or their offline phase needs at least two executions of multiplicative-to-additive conversion which dominates the overall complexity. This paper proposes an online-friendly two-party ECDSA with a lightweight online phase and a single multiplicative-to-additive function in the offline phase. It is constructed by a novel design of a re-sharing of the secret key and a linear sharing of the nonce. Our scheme significantly improves previous protocols based on either oblivious transfer or homomorphic encryption. We implement our scheme and show that it outperforms prior online-friendly schemes (i.e., those have lightweight online cost) by a factor of roughly 2 to 9 in both communication and computation. Furthermore, our two-party scheme could be easily extended to the 2-out-of-n threshold ECDSA.

Published

2021

2. The Exact Security of BIP32 Wallets

Author

Poulami Das, Andreas Erwig, Julian Loss, Sebastian Faust, and Siavash Riahi

Subjects

Reduction (complexity), Digital Signature Algorithm, Cryptocurrency, Work (electrical), Computer science, Elliptic Curve Digital Signature Algorithm, Key derivation function, Concrete security, Key management, Computer security, computer.software_genre, computer

Abstract

In many cryptocurrencies, the problem of key management has become one of the most fundamental security challenges. Typically, keys are kept in designated schemes called wallets, whose main purpose is to store these keys securely. One such system is the BIP32 wallet (Bitcoin Improvement Proposal 32), which since its introduction in 2012 has been adopted by countless Bitcoin users and is one of the most frequently used wallet system today. Surprisingly, very little is known about the concrete security properties offered by this system. In this work, we propose the first formal analysis of the BIP32 system in its entirety and without any modification. Building on the recent work of Das et al. (CCS '19), we put forth a formal model for hierarchical deterministic wallet systems (such as BIP32) and give a security reduction in this model from the existential unforgeability of the ECDSA signature algorithm that is used in BIP32. We conclude by giving concrete security parameter estimates achieved by the BIP32 standard, and show that by moving to an alternative key derivation method we can achieve a tighter reduction offering an additional 20 bits of security (111 vs. 91 bits of security) at no additional costs.

Published

2021

3. An efficient multi-signature wallet in blockchain using bloom filter

Author

Jongbeen Han, Mansub Song, Yongseok Son, and Hyeonsang Eom

Subjects

Blockchain, business.industry, Interface (Java), Computer science, Elliptic Curve Digital Signature Algorithm, 020207 software engineering, 02 engineering and technology, Bloom filter, Storage efficiency, Digital signature, 020204 information systems, Digital asset, 0202 electrical engineering, electronic engineering, information engineering, business, Database transaction, Computer network

Abstract

A blockchain wallet is a financial application which provides an interface for managing a digital asset. In the blockchain wallet, a digital signature (single or multiple signatures) is used to sign a transaction. However, the wallet is often vulnerable to security attacks when a single-signature scheme is used, and there are performance issues when a multi-signature scheme is employed. To address these issues, we propose a new efficient multi-signature wallet that improves performance, storage efficiency, and privacy without modifying the blockchain protocol. The steps in the development of the wallet are as follows, we first design a blockchain wallet that supports multi-signature as a single-signature by using a threshold elliptic curve digital signature algorithm (T-ECDSA) for high validation performance. Second, for achieving high storage efficiency and privacy, we use a bloom-filter for transactions for ensuring a small transaction size and identifying the participant of a transactions without exposing participant information. Experimental results indicate that the proposed multi-signature wallet shows higher verification performance in a blockchain, with a small transaction size compared with existing wallets.

Published

2021

4. Verifiable Timed Signatures Made Practical

Author

Sri Aravinda Krishnan Thyagarajan, Aniket Kate, Adithya Bhat, Dominique Schröder, Giulio Malavolta, and Nico Döttling

Subjects

Theoretical computer science, Computer science, business.industry, Elliptic Curve Digital Signature Algorithm, Homomorphic encryption, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, Construct (python library), Signature (logic), Channel (programming), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Verifiable secret sharing, business, Protocol (object-oriented programming)

Abstract

A verifiable timed signature (VTS) scheme allows one to time-lock a signature on a known message for a given amount of time T such that after performing a sequential computation for time T anyone can extract the signature from the time-lock. Verifiability ensures that anyone can publicly check if a time-lock contains a valid signature on the message without solving it first, and that the signature can be obtained by solving the same for time T. This work formalizes VTS, presents efficient constructions compatible with BLS, Schnorr, and ECDSA signatures, and experimentally demonstrates that these constructions can be employed in practice. On a technical level, we design an efficient cut-and-choose protocol based on the homomorphic time-lock puzzles to prove the validity of a signature encapsulated in a time-lock puzzle. We also present a new efficient range proof protocol that significantly improves upon existing proposals in terms of the proof size, and is also of independent interest. While VTS is a versatile tool with numerous existing applications, we demonstrate VTS's applicability to resolve three novel challenging issues in the space of cryptocurrencies. Specifically,we show how VTS is the cryptographic cornerstone to construct:(i) Payment channel networks with improved on-chain unlinkability of users involved in a transaction, (ii) multi-party signing of transactions for cryptocurrencies without any on-chain notion oftime and (iii) cryptocurrency-enabled fair multi-party computation protocol.

Published

2020

5. UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts

Author

Rosario Gennaro, Nikolaos Makriyannis, Udi Peled, Steven Goldfeder, and Ran Canetti

Subjects

Protocol (science), Identification (information), Computer science, Elliptic Curve Digital Signature Algorithm, State (computer science), Latency (engineering), Semantic security, Computer security, computer.software_genre, computer, Paillier cryptosystem, Random oracle

Abstract

Building on the Gennaro & Goldfeder and Lindell & Nof protocols (CCS '18), we present two threshold ECDSA protocols, for any number of signatories and any threshold, that improve as follows over the state of the art: -- For both protocols, only the last round requires knowledge of the message, and the other rounds can take place in a preprocessing stage, lending to a non-interactive threshold ECDSA protocol. -- Both protocols withstand adaptive corruption of signatories. Furthermore, they include a periodic refresh mechanism and offer full proactive security. -- Both protocols realize an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, DDH, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA. -- Both protocols achieve accountability by identifying corrupted parties in case of failure to generate a valid signature. The two protocols are distinguished by the round-complexity and the identification process for detecting cheating parties. Namely: -- For the first protocol, signature generation takes only 4 rounds (down from the current state of the art of 8 rounds), but the identification process requires computation and communication that is quadratic in the number of parties. -- For the second protocol, the identification process requires computation and communication that is only linear in the number of parties, but signature generation takes 7 rounds. These properties (low latency, compatibility with cold-wallet architectures, proactive security, identifiable abort and composable security) make the two protocols ideal for threshold wallets for ECDSA-based cryptocurrencies.

Published

2020

6. WI is Almost Enough: Contingent Payment All Over Again

Author

Miguel Ambrona, Masayuki Abe, and Ky Nguyen

Subjects

Computer science, media_common.quotation_subject, Elliptic Curve Digital Signature Algorithm, 0102 computer and information sciences, 02 engineering and technology, Mathematical proof, Payment, Computer security, computer.software_genre, 01 natural sciences, Digital goods, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Zero-knowledge proof, Impossibility, Protocol (object-oriented programming), computer, media_common, Vulnerability (computing)

Abstract

The problem of fair exchange consists of interchanging goods between two parties that do not trust each other. Despite known impossibility results, recent works leverage the block-chain and zero-knowledge proofs to implement zero-knowledge contingent payment (zkCP) systems that make fair exchange of digital goods possible. Implementing these systems in a secure and efficient way is a big challenge, as evidenced by several unsuccessful attempts from the literature. Campanelli et al. (ACM CCS 2017) discovered a vulnerability on an existing zkCP proposal based on SNARKs (succinct non-interactive arguments of knowledge) and suggested several repairs. Fuchsbauer (ACM CCS 2019) found a flaw in the mentioned countermeasures. In particular, he showed that witness-indistinguishability (WI) is not sufficient for the zkCP schemes proposed by Campanelli et al. to be secure. In this work, we observe that a slightly stronger notion of WI, that we coin trapdoor subversion WI (tS-WI), rules out Fuchsbauer's attack. We formally define security properties for CP systems and show that, under tS-WI, Campanelli et al.'s proposal indeed satisfies these properties. Additionally, we explore alternative approaches to implement ZK (other than SNARKs) and develop a prototype, using it to demonstrate their potential. Our new ideas result in a protocol to sell ECDSA signatures with contingent payment that can be executed in less than $150$ milliseconds over a LAN network.

Published

2020

7. Improving the Performance of Blockchain Based Digital Contract Using Niederreiter Method

Author

Ari Moesriami Barmawi and Edy Santoso

Subjects

Digital signature, Computer science, Data exchange, Elliptic Curve Digital Signature Algorithm, Cryptosystem, Communications security, Scalar multiplication, Computer security, computer.software_genre, Time complexity, computer, Quantum computer

Abstract

Nowadays the use of internet in daily life is increasing such that data exchange is frequently conducted. Especially in the case of business transactions, data communication security (such as for banking transaction, contract) is necessary. Sony, et al. [1] proposed a method for securing a contract by introducing ECDSA for signing a contract based on blockchain. However, Sony's method requires high time complexity and not resistant against quantum computing attacks. Therefore, this research proposed a method to reduce the time complexity and resistant against quantum computing attack. To overcome the quantum attack and reduce the time complexity of digital signing based on blockchain, McElliece Cryptosystem and digital signature based on Niederreiter are introduced for signing the contract. Since McElliece Cryptosystem and Niederreiter based signature uses scalar multiplication then the processing time is less than ECDSA. Based on the experiment result, it is proven that the execution time for signing process using the proposed method may reach up to 51.1% less than signing execution time of Sony's method, and for verification process up to 77.8% less than verification execution time of Sony's method. It is also proven that the proposed method is resistant against quantum attack.

Published

2020

8. A Group Authentication Scheme with Privacy-preserving for D2D Communications in 5G HetNets

Author

Maode Ma and Alican Ozhelvaci

Subjects

Computer science, business.industry, Key (cryptography), Elliptic Curve Digital Signature Algorithm, Systems architecture, Wireless, Mobile telephony, business, Encryption, Heterogeneous network, 5G, Computer network

Abstract

The next-generation mobile communication, which is 5G wireless mobile networks, has become the paradigm to bring not only solutions for the rising demand for huge data traffic, and massively connected devices such as IoT but also new services. One of the promising solutions is that device-to-device communications are expected to play a key role to improve efficiency and have low latency. Most importantly, D2D communications will be the key enabler for group-based services. However, the new case scenarios and new system architecture of 5G Heterogeneous Networks are vulnerable against various attacks since the 5G is still in the early stage. It is utmost important to have a secure and privacy-preserving scheme for D2D communications in 5G HetNets. Even though various research studies have been done by the researchers for D2D communications but many of them fail to address the heterogenous access scenarios, identity protection, and group authentication. In this paper, we propose a certificateless privacy-preserving authentication and key agreement scheme for D2D communications in 5G HetNets using identity-based encryption and elliptic curve digital signature algorithm (ECDSA) to achieve secure and robust communication. The proposed scheme has been analyzed in terms of security and performance. The result of the formal verification using AVISPA and performance analysis shows that the scheme is secure, lightweight and efficient.

Published

2020

9. A Lightweight D2D Authentication Scheme against Free-riding Attacks in 5G Cellular Network

Author

Man Chun Chow and Maode Ma

Subjects

Authenticated encryption, Computer science, business.industry, Authentication protocol, Key (cryptography), Cellular network, Elliptic Curve Digital Signature Algorithm, Mutual authentication, Elliptic curve cryptography, business, Replay attack, Computer network

Abstract

As a promising feature in 5G, device-to-device (D2D) communication is the technology allowing adjacent mobile devices to communicate directly without relaying the data over base stations. D2D technology can potentially increase the network capacity by offloading network traffic in a distributed manner. However, there are also new security challenges such as free-riding attack prevention, device anonymity protection and end-to-end data secrecy. Also, since there are many mobile devices which have limited computational resources in 5G cellular network, there is a need to develop a lightweight authentication protocol which addresses all these security requirements with low computational overhead. In this paper, we propose a lightweight D2D authentication and key agreement protocol based on elliptic curve cryptography (ECC). Specifically, our proposed scheme makes use of the elliptic curve digital signature algorithm (ECDSA), elliptic curve Diffie-Hellman (ECDH) and authenticated encryption with associate data (AEAD) to provide secure device discovery, mutual authentication, key agreement and data transmission for all 5G D2D devices. Our scheme is computationally lightweight to be supported in any resource-constrained 5G devices, and it can resist several active and passive protocol attacks including eavesdropping, replay attack, man-in-the-middle attack and free-riding attack. We analyze the security of our protocol with Scyther to show our scheme is resistant to these attacks. Finally, performance evaluation shows our scheme is efficient for both UEs and CN with rationally low computational costs.

Published

2020

10. SeCon-NG

Author

Eugene Frimpong and Antonios Michalas

Subjects

Secure communication, Symmetric-key algorithm, business.industry, Computer science, Key (cryptography), Elliptic Curve Digital Signature Algorithm, Key distribution, User Datagram Protocol, Cryptography, Elliptic curve cryptography, business, Computer network

Abstract

There is no doubt that the Internet of Things (IoT) has the power to change our world and drive us to a complete social evolution. In business and industry, there are thousands of IoT use cases and real-life IoT deployments across a variety of sectors (e.g. industry 4.0 and smart factories, smart cities, etc.). However, due to the vastly resource constrained nature of the devices used in IoT, implementing secure and privacy-preserving services, using for example standard asymmetric cryptographic algorithms, has been a real challenge. The majority of IoT devices on the market currently employ the use of various forms of symmetric cryptography such as key pre-distribution. The overall efficiency of such implementations correlate directly to the size of the IoT environment and the deployment method. In this paper, we implement a lightweight cryptographic library that can be used to secure communication protocols between multiple communicating nodes without the need for external trusted entities or a server. Our implementation is based on modifying the Elliptic-Curve Diffie-Hillman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA) components of the Tinycrypt cryptographic library. This work focuses on extending the functionalities of the User Datagram Protocol (UDP) broadcast application on the Contiki-NG Operating System (OS) platform.

Published

2020

11. Healthcare Center IoT Edge Gateway Based on Containerized Microservices

Author

Peeradach Laortum and Wiroon Sriborrirux

Subjects

Computer science, business.industry, 020208 electrical & electronic engineering, 010401 analytical chemistry, Elliptic Curve Digital Signature Algorithm, Cloud computing, 02 engineering and technology, Mutual authentication, Gateway (computer program), Microservices, Virtualization, computer.software_genre, 01 natural sciences, 0104 chemical sciences, Middleware (distributed applications), 0202 electrical engineering, electronic engineering, information engineering, business, computer, Edge computing, Computer network

Abstract

The growth of ubiquitous healthcare systems, particularly for general and residential healthcare, is increasing dramatically. One of the most significant components of such systems is the gateway, which acts as a middleware between Internet of Things (IoT) devices and cloud application services. Here, we propose an IoT edge gateway framework based on docker container technology as the legacy virtualization technology to empower microservice architectures for aiding multiple-device real-time monitoring in locations such as nursing homes and residential care centers. The framework is used to identify IoT devices and the gateway itself in home networks for restricting access only to authorized users and non-manipulated devices. We propose the use of state-of-the-art hardware-based security supporting the mutual authentication process with the Elliptic Curve Digital Signature Algorithm as well as integrity protection to validate the device, gateway, and cloud platform integrity to identify manipulation and detect unauthorized changes by signing these data. This approach can prevent man-in-the-middle attacks. As a result, we can implement each service located in this proposed IoT edge gateway framework to enhance capabilities in edge analytics by adding hardened security with the average latency time at 2.373 ms.

Published

2020

12. Hardware-Backed Heist

Author

Keegan Ryan

Subjects

business.industry, Computer science, Elliptic Curve Digital Signature Algorithm, Vulnerability, Keystore, Cryptography, 02 engineering and technology, 020202 computer hardware & architecture, Public-key cryptography, Information sensitivity, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Side channel attack, Cache, Android (operating system), business, Computer hardware

Abstract

Trusted Execution Environments (TEEs) such as ARM TrustZone are in widespread use in both mobile and embedded devices, and they are used to protect sensitive secrets while often sharing the same computational hardware as untrusted code. Although there has been limited research in the area, the threat of microarchitectural attacks against ARM TrustZone has not been thoroughly studied. This is not the case for other TEEs, such as Intel SGX, where the security promises of the TEE have been violated numerous times by the academic community, showing that it is possible to use side-channel attacks to gain detailed insight into the microarchitectural behavior of trusted code. In this work, we show that TrustZone is susceptible to similar attacks, and we demonstrate the ability to achieve cache attacks with high temporal precision, high spatial precision, and low noise. These tools make it easy to monitor the data flow and code flow of TrustZone code with great resolution, and we apply our techniques to investigate the security of a real-world application. We examine ECDSA signing in Qualcomm's implementation of Android's hardware-backed keystore and identify a series of vulnerabilities that leak sensitive cryptographic information through shared microarchitectural structures. By using the powerful attacks developed in this paper, we are able to successfully extract this sensitive information and fully recover a 256-bit private key from Qualcomm's version of the hardware-backed keystore.

Published

2019

13. A Formal Treatment of Deterministic Wallets

Author

Poulami Das, Sebastian Faust, and Julian Loss

Subjects

Scheme (programming language), 050101 languages & linguistics, Security analysis, Cryptocurrency, Computer science, 05 social sciences, Elliptic Curve Digital Signature Algorithm, 02 engineering and technology, Computer security model, Computer security, computer.software_genre, Transfer (computing), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Database transaction, computer, computer.programming_language

Abstract

In cryptocurrencies such as Bitcoin or Ethereum, users control funds via secret keys. To transfer funds from one user to another, the owner of the money signs a new transaction that transfers the funds to the new recipient. This makes secret keys a highly attractive target for attacks, and has lead to prominent examples where millions of dollars worth in cryptocurrency have been stolen. To protect against these attacks, a widely used approach are so-called hot/cold wallets. In a hot/cold wallet system, the hot wallet is permanently connected to the network, while the cold wallet stores the secret key and is kept without network connection. In this work, we propose the first comprehensive security model for hot/cold wallets and develop wallet schemes that are provable secure within these models. At the technical level our main contribution is to provide a new provably secure ECDSA-based hot/cold wallet scheme that can be integrated into legacy cryptocurrencies such as Bitcoin. Our construction and security analysis uses a modular approach, where we show how to generically build secure hot/cold wallets from signature schemes that exhibit a rerandomizing property of the keys.

Published

2019

14. NDN-ABS

Author

Alexander Afanasyev, Reza Tourani, Sanjeev Kaushik Ramani, George Torres, and Satyajayant Misra

Subjects

business.industry, Network packet, Computer science, Elliptic Curve Digital Signature Algorithm, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, Computer security, computer.software_genre, Certificate, Public-key cryptography, Information-centric networking, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Trust anchor, business, computer, Anonymity

Abstract

The Named Data Networking architecture mandates cryptographic signatures of packets at the network layer. Traditional RSA and ECDSA public key signatures require obtaining signer's NDN certificate (and, if needed, the next-level certificates of the trust chain) to validate the signatures. This potentially creates two problems. First, the communication channels must be active in order to retrieve the certificates, which is not always the case in disruptive and ad hoc environments. Second, the certificate identifies the individual producer and thus producer anonymity cannot be guaranteed if necessary.In this paper, we present NDN-ABS, an alternative NDN signatures design based on the attribute-based signatures, to addresses both these problems. With NDN-ABS, data packets can be verified without the need for any network retrieval (provided the trust anchor is pre-configured) and attributes can be designed to only identify application-defined high-level producer anonymity sets, thus ensuring individual producer's anonymity. The paper uses an illustrative smart-campus environment to define and evaluate the design and highlight how the NDN trust schema can manage the validity of NDN-ABS signatures. The paper also discusses performance limitations of ABS and potential ways they can be overcome in a production environment.

Published

2019

15. Post-Quantum Cryptography in Embedded Systems

Author

Juliane Krämer and Soundes Marzougui

Subjects

021110 strategic, defence & security studies, Post-quantum cryptography, business.industry, Computer science, 0211 other engineering and technologies, Elliptic Curve Digital Signature Algorithm, 02 engineering and technology, Signature (logic), Digital Signature Algorithm, Digital signature, 020204 information systems, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, NIST, Use case, business, Quantum computer

Abstract

Quantum computers that can run Shor's algorithm are expected to become available in the next decade. These algorithms can be used to break conventional digital signature schemes (e.g. RSA or ECDSA), which are widely used in embedded systems today. This puts these systems at risk when they are used in safety-relevant long-term applications such as automotive systems or critical infrastructures. To mitigate this risk, classical digital signature schemes used must be replaced by schemes secure against quantum computer based attacks. We evaluate the submissions to the NIST competition for the future post-quantum secure digital signature standard with regard to their applicability to the most fundamental security use cases of embedded systems: secure boot and protection of intermediate keys. We analyze the requirements of these use cases on the underlying signature schemes, identify XMSS and qTESLA as the most fitting candidates, implement both schemes on a development board based on ARM Cortex-R5 microprocessors for embedded realtime applications, and evaluate the performance of our implementation.

Published

2019

16. MUSCLE

Author

Oguzhan Ersoy, Zekeriya Erkin, and Bjorn van der Laan

Subjects

Scheme (programming language), Blockchain, Smart contract, business.industry, Computer science, Distributed computing, Elliptic Curve Digital Signature Algorithm, 020207 software engineering, 02 engineering and technology, Oracle, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Web application, Verifiable secret sharing, The Internet, State (computer science), business, computer, computer.programming_language

Abstract

Smart contracts are applications that are deployed and executed on a blockchain's decentralised infrastructure. Many smart contract applications rely on data that resides outside the blockchain. However, while traditional web applications can communicate with trustworthy data sources directly through the Internet, this is not possible for smart contracts because their execution must be deterministic. Bringing external data into the blockchain has been a topic of research since the first introduction of Ethereum. A system that can provide this data to smart contracts is called an oracle. The primary requirement in designing oracles is that the authenticity of the data must be publicly verifiable, which can be achieved through signatures. However, transmitting data to the blockchain and performing the verification is costly, especially if applications require data from multiple sources. In that case, current approaches would need to retrieve the data from each source separately. In this paper, we present the concept of MUlti-Source oraCLE (MUSCLE) for retrieving data from multiple sources, which we believe to be the first to focus on the multi-source scenario. We implement five variants of MUSCLE, each using a different signature or aggregate signature scheme and compare their performance with two oracles that are based on TLS-N, which represents the current state of the art. Our results show that the ECDSA-based MUSCLE features the lowest total gas expenditure, while the BGLS-based oracle provides lower transaction and storage costs.

Published

2019

17. Fast Multiparty Threshold ECDSA with Fast Trustless Setup

Author

Rosario Gennaro and Steven Goldfeder

Subjects

Scheme (programming language), Key generation, business.industry, Computer science, Elliptic Curve Digital Signature Algorithm, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, Signature (logic), Digital signature, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Communication complexity, computer, Protocol (object-oriented programming), Computer Science::Cryptography and Security, Computer network, computer.programming_language, Sign (mathematics)

Abstract

A threshold signature scheme enables distributed signing among n players such that any subgroup of size $t+1$ can sign, whereas any group with t or fewer players cannot. While there exist previous threshold schemes for the ECDSA signature scheme, we are the first protocol that supports multiparty signatures for any $t leq n$ with an efficient dealerless key generation. Our protocol is faster than previous solutions and significantly reduces the communication complexity as well. We prove our scheme secure against malicious adversaries with a dishonest majority. We implemented our protocol, demonstrating its efficiency and suitability to be deployed in practice.

Published

2018

18. Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody

Author

Yehuda Lindell and Ariel Nof

Subjects

Key generation, Cryptocurrency, Computer science, Elliptic Curve Digital Signature Algorithm, Homomorphic encryption, Key distribution, 020206 networking & telecommunications, 02 engineering and technology, computer.file_format, Computer security, computer.software_genre, Distributed key generation, 0202 electrical engineering, electronic engineering, information engineering, Secure multi-party computation, Key (cryptography), 020201 artificial intelligence & image processing, computer, Code signing

Abstract

ECDSA is a standardized signing algorithm that is widely used in TLS, code signing, cryptocurrency and more. Due to its importance, the problem of securely computing ECDSA in a distributed manner (known as threshold signing) has received considerable interest. However, despite this interest, there is still no full threshold solution for more than 2 parties (meaning that any t -out-of- n parties can sign, security is preserved for any t-1 or fewer corrupted parties, and tleq n can be any value thus supporting an honest minority) that has practical key distribution. This is due to the fact that all previous solutions for this utilize Paillier homomorphic encryption, and efficient distributed Paillier key generation for more than two parties is not known. In this paper, we present the first truly practical full threshold ECDSA signing protocol that has both fast signing and fast key distribution. This solves a years-old open problem, and opens the door to practical uses of threshold ECDSA signing that are in demand today. One of these applications is the construction of secure cryptocurrency wallets (where key shares are spread over multiple devices and so are hard to steal) and cryptocurrency custody solutions (where large sums of invested cryptocurrency are strongly protected by splitting the key between a bank/financial institution, the customer who owns the currency, and possibly a third-party trustee, in multiple shares at each). There is growing practical interest in such solutions, but prior to our work these could not be deployed today due to the need for distributed key generation.

Published

2018

19. On the Security of the PKCS#1 v1.5 Signature Scheme

Author

Alexander May, Saqib A. Kakvi, and Tibor Jager

Subjects

0301 basic medicine, Provable security, Theoretical computer science, Computer science, business.industry, PKCS, Hash function, Elliptic Curve Digital Signature Algorithm, Cryptography, 0102 computer and information sciences, 01 natural sciences, Padding, Random oracle, Digital Signature Algorithm, 03 medical and health sciences, 030104 developmental biology, Digital signature, 010201 computation theory & mathematics, business, PKCS #1

Abstract

The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that verification of signatures is significantly faster than for DSA or ECDSA. Despite the huge practical importance of RSA PKCS#1 v1.5 signatures, providing formal evidence for their security based on plausible cryptographic hardness assumptions has turned out to be very difficult. Therefore the most recent version of PKCS#1 (RFC 8017) even recommends a replacement the more complex and less efficient scheme RSA-PSS, as it is provably secure and therefore considered more robust. The main obstacle is that RSA PKCS#1 v1.5 signatures use a deterministic padding scheme, which makes standard proof techniques not applicable. We introduce a new technique that enables the first security proof for RSA-PKCS#1 v1.5 signatures. We prove full existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under the standard RSA assumption. Furthermore, we give a tight proof under the Phi-Hiding assumption. These proofs are in the random oracle model and the parameters deviate slightly from the standard use, because we require a larger output length of the hash function. However, we also show how RSA-PKCS#1 v1.5 signatures can be instantiated in practice such that our security proofs apply. In order to draw a more complete picture of the precise security of RSA PKCS#1 v1.5 signatures, we also give security proofs in the standard model, but with respect to weaker attacker models (key-only attacks) and based on known complexity assumptions. The main conclusion of our work is that from a provable security perspective RSA PKCS#1 v1.5 can be safely used, if the output length of the hash function is chosen appropriately.

Published

2018

20. Hash-based signatures for the internet of things

Author

Paolo Palmieri

Subjects

Theoretical computer science, Computer science, Hash function, Elliptic Curve Digital Signature Algorithm, 020206 networking & telecommunications, 02 engineering and technology, Signature (logic), 020202 computer hardware & architecture, Digital Signature Algorithm, Digital signature, 0202 electrical engineering, electronic engineering, information engineering, Cryptographic hash function, Elliptic curve cryptography, Computer Science::Cryptography and Security, Key size

Abstract

While numerous digital signature schemes exist in the literature, most real-world system rely on RSA-based signature schemes or on the digital signature algorithm (DSA), including its elliptic curve cryptography variant ECDSA. In this position paper we review a family of alternative signature schemes, based on hash functions, and we make the case for their application in Internet of Things (IoT) settings. Hash-based signatures provide postquantum security, and only make minimal security assumptions, in general requiring only a secure cryptographic hash function. This makes them extremely flexible, as they can be implemented on top of any hash function that satisfies basic security properties. Hash-based signatures also feature numerous parameters defining aspects such as signing speed and key size, that enable trade-offs in constrained environments. Simplicity of implementation and customization make hash based signatures an attractive candidate for the IoT ecosystem, which is composed of a number of diverse, constrained devices.

Published

2018

21. A Subliminal Channel in EdDSA

Author

Alexander Hartl, Robert Annessi, and Tanja Zseby

Subjects

Network security, business.industry, Network packet, Computer science, 05 social sciences, Subliminal stimuli, Elliptic Curve Digital Signature Algorithm, Computer security, computer.software_genre, Clock synchronization, EdDSA, Digital signature, 0502 economics and business, Information leakage, 050211 marketing, business, computer, 050203 business & management, Computer network

Abstract

Subliminal channels in digital signatures provide a very effective method to clandestinely leak information from inside a system to a third party outside. Information can be hidden in signature parameters in a way that both network operators and legitimate receivers would not notice any suspicious traces. Subliminal channels have previously been discovered in other signatures, such as ElGamal and ECDSA. Those signatures are usually just sparsely exchanged in network protocols, e.g. during authentication, and their usability for leaking information is therefore limited. With the advent of high-speed signatures such as EdDSA, however, scenarios become feasible where numerous packets with individual signatures are transferred between communicating parties. This significantly increases the bandwidth for transmitting subliminal information. Examples are broadcast clock synchronization or signed sensor data export. A subliminal channel in signatures appended to numerous packets allows the transmission of a high amount of hidden information, suitable for large scale data exfiltration or even the operation of command and control structures.In this paper, we show the existence of a broadband subliminal channel in the EdDSA signature scheme. We then discuss the implications of the subliminal channel in practice using thee different scenarios: broadcast clock synchronization, signed sensor data export, and classic TLS. We perform several experiments to show the use of the subliminal channel and measure the actual bandwidth of the subliminal information that can be leaked. We then discuss the applicability of different countermeasures against subliminal channels from other signature schemes to EdDSA but conclude that none of the existing solutions can sufficiently protect against data exfiltration in network protocols secured by EdDSA.

Published

2017

22. Applications of elliptic curve cryptography

Author

Russell Harkanson and Yoohwan Kim

Subjects

021110 strategic, defence & security studies, ECC patents, Neural cryptography, Post-quantum cryptography, business.industry, 0211 other engineering and technologies, Elliptic Curve Digital Signature Algorithm, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, Computer security, computer.software_genre, Computer engineering, 0202 electrical engineering, electronic engineering, information engineering, Curve25519, Hardware_ARITHMETICANDLOGICSTRUCTURES, Elliptic curve cryptography, business, computer, Mathematics, Key size

Abstract

Elliptic curve cryptography (ECC) is a relatively newer form of public key cryptography that provides more security per bit than other forms of cryptography still being used today. We explore the mathematical structure and operations of elliptic curves and how those properties make curves suitable tools for cryptography. A brief historical context is given followed by the safety of usage in production, as not all curves are free from vulnerabilities. Next, we compare ECC with other popular forms of cryptography for both key exchange and digital signatures, in terms of security and speed. Traditional applications of ECC, both theoretical and in-practice, are presented, including key exchange for web browser usage and DNSSEC. We examine multiple uses of ECC in a mobile context, including cellular phones and the Internet of Things. Modern applications of curves are explored, such as iris recognition, RFID, smart grid, as well as an application for E-health. Finally, we discuss how ECC stacks up in a post-quantum cryptography world.

Published

2017

23. Performance Comparison between Broadcast Authentication Methods for Vehicular Networks

Author

Alvin Lim and Kanika Grover

Subjects

Authentication, Vehicular ad hoc network, business.industry, Wireless ad hoc network, Computer science, Network packet, Authentication protocol, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Elliptic Curve Digital Signature Algorithm, Probabilistic logic, Wireless, business, Computer network

Abstract

For authenticating time critical broadcast messages, IEEE 1609.2 security standard for Vehicular Ad hoc Networks (VANETs) suggests the use of secure Elliptic Curve Digital Signature Algorithm (ECDSA). Since ECDSA has an expensive verification in terms of time, most commonly suggested alternate algorithms are TESLA and signature amortization. Unfortunately, these algorithms lack immediate authentication and non-repudiation. Therefore, we introduce a probabilistic verification scheme for an ECDSA-based authentication protocol. Using ns2 simulation tools, we compare the performance of all above-mentioned broadcast authentication algorithms. The results show with our proposed scheme, there is an increase in packet processed ratio over that of all the other algorithms.

Published

2016

24. Amplifying side channels through performance degradation

Author

Yuval Yarom, Katrina Falkner, Thomas Allan, Billy Bob Brumley, and Joop van de Pol

Subjects

Exploit, Computer science, business.industry, Elliptic Curve Digital Signature Algorithm, Information quality, 02 engineering and technology, Adversary, Computer security, computer.software_genre, 020202 computer hardware & architecture, Public-key cryptography, Digital Signature Algorithm, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Protocol (object-oriented programming), computer, TRACE (psycholinguistics)

Abstract

Interference between processes executing on shared hardware can be used to mount performance-degradation attacks. However, in most cases, such attacks offer little benefit for the adversary. In this paper, we demonstrate that software-based performance-degradation attacks can be used to amplify side-channel leaks, enabling the adversary to increase both the amount and the quality of information captured. We identify a new information leak in the OpenSSL implementation of the ECDSA digital signature algorithm, albeit seemingly unexploitable due to the limited granularity of previous trace procurement techniques. To overcome this imposing hurdle, we combine the information leak with a microarchitectural performance-degradation attack that can slow victims down by a factor of over 150. We demonstrate how this combination enables the amplification of a side-channel sufficiently to exploit this new information leak. Using the combined attack, an adversary can break a private key of the secp256k1 curve, used in the Bitcoin protocol, after observing only 6 signatures---a four-fold improvement over all previously described attacks.

Published

2016

25. On the Provable Security of (EC)DSA Signatures

Author

Eike Kiltz, Bertram Poettering, and Manuel Fersch

Subjects

Provable security, Security analysis, Theoretical computer science, Generic group model, Computer science, Elliptic Curve Digital Signature Algorithm, 020206 networking & telecommunications, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, Signature (logic), Random oracle, Digital Signature Algorithm, Elliptic curve, IEEE P1363, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Algorithm

Abstract

Among the signature schemes most widely deployed in practice are the DSA (Digital Signature Algorithm) and its elliptic curves variant ECDSA. They are represented in many international standards, including IEEE P1363, ANSI X9.62, and FIPS 186-4. Their popularity stands in stark contrast to the absence of rigorous security analyses: Previous works either study modified versions of (EC)DSA or provide a security analysis of unmodified ECDSA in the generic group model. Unfortunately, works following the latter approach assume abstractions of non-algebraic functions over generic groups for which it remains unclear how they translate to the security of ECDSA in practice. For instance, it has been pointed out that prior results in the generic group model actually establish strong unforgeability of ECDSA, a property that the scheme de facto does not possess. As, further, no formal results are known for DSA, understanding the security of both schemes remains an open problem. In this work we propose GenericDSA, a signature framework that subsumes both DSA and ECDSA in unmodified form. It carefully models the "modulo q" conversion function of (EC)DSA as a composition of three independent functions. The two outer functions mimic algebraic properties in the function's domain and range, the inner one is modeled as a bijective random oracle. We rigorously prove results on the security of GenericDSA that indicate that forging signatures in (EC)DSA is as hard as solving discrete logarithms. Importantly, our proofs do not assume generic group behavior.

Published

2016

26. Attacking OpenSSL Implementation of ECDSA with a Few Signatures

Author

Qingfeng Cheng, Wenbo Wang, and Shuqin Fan

Subjects

010201 computation theory & mathematics, Computer science, Lattice (order), 0202 electrical engineering, electronic engineering, information engineering, Elliptic Curve Digital Signature Algorithm, Enumeration, 020207 software engineering, 0102 computer and information sciences, 02 engineering and technology, Lattice reduction, Scalar multiplication, 01 natural sciences, Algorithm

Abstract

In this work, we give a lattice attack on the ECDSA implementation in the latest version of OpenSSL, which implement the scalar multiplication by windowed Non-Adjacent Form method. We propose a totally different but more efficient method of extracting and utilizing information from the side-channel results, remarkably improving the previous attacks. First, we develop a new efficient method, which can extract almost all information from the side-channel results, obtaining 105.8 bits of information per signature on average for 256-bit ECDSA. Then in order to make the utmost of our extracted information, we translate the problem of recovering secret key to the Extended Hidden Number Problem, which can be solved by lattice reduction algorithms. Finally, we introduce the methods of elimination, merging, most significant digit recovering and enumeration to improve the attack. Our attack is mounted to the {series secp256k1} curve, and the result shows that only 4 signatures would be enough to recover the secret key if the Flush+Reload attack is implemented perfectly without any error,which is much better than the best known result needing at least 13 signatures.

Published

2016

27. ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels

Author

Lev Pachmanov, Daniel Genkin, Eran Tromer, Yuval Yarom, and Itamar Pipman

Subjects

business.industry, Computer science, Elliptic Curve Digital Signature Algorithm, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, USB, law.invention, Elliptic curve, Power analysis, law, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, Key (lock), 020201 artificial intelligence & image processing, Side channel attack, Android (operating system), business, Mobile device

Abstract

We show that elliptic-curve cryptography implementations on mobile devices are vulnerable to electromagnetic and power side-channel attacks. We demonstrate full extraction of ECDSA secret signing keys from OpenSSL and CoreBitcoin running on iOS devices, and partial key leakage from OpenSSL running on Android and from iOS's CommonCrypto. These non-intrusive attacks use a simple magnetic probe placed in proximity to the device, or a power probe on the phone's USB cable. They use a bandwidth of merely a few hundred kHz, and can be performed cheaply using an audio card and an improvised magnetic probe.

Published

2016

28. Efficient and Secure Implementation of Elliptic Curve Scalar Multiplication Against Power Analysis Attacks

Author

T. Sudhakar, A. Kannathal, and V. Natarajan

Subjects

Theoretical computer science, Computer science, 05 social sciences, Elliptic Curve Digital Signature Algorithm, 050801 communication & media studies, 02 engineering and technology, Scalar multiplication, 020202 computer hardware & architecture, Power analysis, 0508 media and communications, Computer engineering, 0202 electrical engineering, electronic engineering, information engineering, Curve25519, Key (cryptography), Cryptosystem, Elliptic curve cryptography, Computer Science::Cryptography and Security, Key size

Abstract

The Elliptic Curve Cryptosystems(ECC) are proved to be the cryptosystem of future generation because of its smaller key size and uncompromised security. It is well suited for applications running in resource-restricted devices such as smart cards. At present, there is no efficient algorithm or known sub-exponential algorithm to break ECC theoretically. However, a hardware implementation of ECC leaks secret key information due to power analysis attacks particularly differential power analysis attack(DPA). These attacks break the system with far less effort when compared to all other attacks based on algebraic weaknesses of the algorithms. There are many solutions to overcome the power analysis attack, but all the available solutions have their own advantages and disadvantages by compromising either its security or performance. In this paper, we present a secure and efficient algorithm to solve the elliptic curve scalar multiplication(ECSM) using initial points randomization and by delaying the point addition operation. The implementation results and performance analysis shows that the proposed algorithm is efficient and secure against power analysis attacks.

Published

2016

29. A Cautionary Note

Author

Johann Heyszl, Fabrizio De Santis, and Hermann Seuschek

Subjects

Theoretical computer science, Deterministic algorithm, Computer science, Random number generation, Hash function, Elliptic Curve Digital Signature Algorithm, 02 engineering and technology, Computer security, computer.software_genre, 020202 computer hardware & architecture, 0202 electrical engineering, electronic engineering, information engineering, Cryptographic hash function, 020201 artificial intelligence & image processing, Side channel attack, Elliptic curve cryptography, computer, Randomness, Computer Science::Cryptography and Security

Abstract

Two recent proposals by Bernstein and Pornin emphasize the use of deterministic signatures in DSA and its elliptic curve-based variants. Deterministic signatures derive the required ephemeral key value in a deterministic manner from the message to be signed and the secret key instead of using random number generators. The goal is to prevent severe security issues, such as the straight-forward secret key recovery from low quality random numbers. Recent developments have raised skepticism whether e.g. embedded or pervasive devices are able to generate randomness of sufficient quality. The main concerns stem from individual implementations lacking sufficient entropy source and standardized methods for random number generation with suspected back doors. While we support the goal of deterministic signatures, we are concerned about the fact that this has a significant influence on side-channel security of implementations. Specifically, attackers will be able to mount differential side-channel attacks on the additional use of the secret key in a cryptographic hash function to derive the deterministic ephemeral key. Previously, only a simple integer arithmetic function to generate the second signature parameter had to be protected, which is rather straight-forward. Hash functions are significantly more difficult to protect. In this contribution, we systematically explain how deterministic signatures introduce this new side-channel vulnerability.

Published

2016

30. Mind Your Nonces Moving

Author

Shi Hongsong, Mingjie Liu, Hexin Li, and Jiazhe Chen

Subjects

Random number generation, business.industry, Computer science, Elliptic Curve Digital Signature Algorithm, Byte, Computer security, computer.software_genre, Digital Signature Algorithm, Public-key cryptography, Smart card, Chosen-ciphertext attack, business, Algorithm, computer, Replay attack, Cryptographic nonce

Abstract

This paper gives a partially-sharing nonces attack on SM2 Digital Signature Algorithm (SM2DSA). Templates, which are built in the scenario of no secrets known, are used to detect the collisions on the Most Significant Byte of the Nonces (MSBN). Targeting a real world smartcard with 8-bit precharged bus, the power consumption of data moving procedure after the random number generation is focused, on which the template building and matching phases are based. With the templates, we obtain a number of pairs of nonces whose first bytes are collided, then a lattice attack on SM2DSA is proposed to recover the private key. Experiments show that our attack works smoothly; our attack is the first implemented lattice attack on SM2DSA in a smartcard, which can also be extended to the other ECC algorithms like ECDSA.

Published

2015

31. Synthesis of Fault Attacks on Cryptographic Implementations

Author

Benjamin Grégoire, François Dupressoir, Pierre-Alain Fouque, Gilles Barthe, Jean-Christophe Zapalowicz, Institute IMDEA Software [Madrid], EMbedded SEcurity and Cryptography (EMSEC), SYSTÈMES LARGE ÉCHELLE (IRISA-D1), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), CentraleSupélec-Télécom Bretagne-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Université de Bretagne Sud (UBS)-Centre National de la Recherche Scientifique (CNRS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-CentraleSupélec-Télécom Bretagne-Université de Rennes 1 (UR1), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA), Institut Universitaire de France (IUF), Ministère de l'Education nationale, de l’Enseignement supérieur et de la Recherche (M.E.N.E.S.R.), Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES), Mathematical, Reasoning and Software (MARELLE), Inria Sophia Antipolis - Méditerranée (CRISAM), Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), Software certification with semantic analysis (CELTIQUE), LANGAGE ET GÉNIE LOGICIEL (IRISA-D4), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS), Université de Rennes (UR), Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-LANGAGE ET GÉNIE LOGICIEL (IRISA-D4), and Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)

Subjects

Modular exponentiation, business.industry, Computer science, Distributed computing, Elliptic Curve Digital Signature Algorithm, Cryptography, Adversary, Computer security, computer.software_genre, Abstraction layer, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Countermeasure, Physical access, Smart card, business, computer, Implementation

Abstract

International audience; Fault attacks are attacks in which an adversary with physical access to a cryptographic device, say a smartcard, tampers with the execution of an algorithm to retrieve secret mate-rial. Since the seminal Bellcore attack on modular exponen-tiation, there has been extensive work to discover new fault attacks against cryptographic schemes and develop counter-measures against such attacks. Originally focused on high-level algorithmic descriptions, these efforts increasingly fo-cus on concrete implementations. While lowering the ab-straction level leads to new fault attacks, it also makes their discovery significantly more challenging. In order to face this trend, it is therefore desirable to develop principled, tool-supported approaches that allow a systematic analy-sis of the security of cryptographic implementations against fault attacks. We propose, implement, and evaluate a new approach for finding fault attacks against cryptographic implementa-tions. Our approach is based on identifying implementation-independent mathematical properties, or fault conditions. We choose fault conditions so that it is possible to recover secret data purely by computing on sufficiently many data points that satisfy them. Fault conditions capture the essence of a large number of attacks from the literature, including lattice-based attacks on RSA. Moreover, they provide a ba-sis for discovering automatically new attacks: using fault conditions, we specify the problem of finding faulted imple-mentations as a program synthesis problem. Using a special-ized form of program synthesis, we discover multiple faulted attacks on RSA and ECDSA. Several of the attacks found by our tool are new, and of independent interest.

Published

2014

32. Beyond ECDSA and RSA

Author

Tim Güneysu, Thomas Pöppelmann, and Tobias Oder

Subjects

Neural cryptography, Post-quantum cryptography, business.industry, Computer science, Elliptic Curve Digital Signature Algorithm, Cryptography, Public-key cryptography, Quantum cryptography, Digital signature, Embedded system, Lattice-based cryptography, Elliptic curve cryptography, Security level, business, Key size, PKCS #1, Quantum computer

Abstract

All currently deployed asymmetric cryptography is broken with the advent of powerful quantum computers. We thus have to consider alternative solutions for systems with long-term security requirements (e.g., for long-lasting vehicular and avionic communication infrastructures). In this work we present an efficient implementation of BLISS, a recently proposed, post-quantum secure, and formally analyzed novel lattice-based signature scheme. We show that we can achieve a significant performance of 35.3 and 6 ms for signing and verification, respectively, at a 128-bit security level on an ARM Cortex-M4F microcontroller. This shows that lattice-based cryptography can be efficiently deployed on today's hardware and provides security solutions for many use cases that can even withstand future threats.

Published

2014

33. Hardware/Software Co-Design of Elliptic-Curve Cryptography for Resource-Constrained Applications

Author

Norbert Druml, Christian Kreiner, Christian Steger, Andrea Höller, and Tomaz Felicijan

Subjects

Public-key cryptography, Hardware architecture, Elliptic curve, Software, business.industry, Computer science, Embedded system, Elliptic Curve Digital Signature Algorithm, Key (cryptography), Cryptography, Elliptic curve cryptography, business

Abstract

ECC is an asymmetric encryption providing a comparably high cryptographic strength in relation to the key sizes employed. This makes ECC attractive for resource-constrained systems. While pure hardware solutions usually offer a good performance and a low power consumption, they are inflexible and typically lead to a high area.Here, we show a flexible design approach using a 163-bit GF(2m) elliptic curve and an 8-bit processor. We propose improvements to state-of-the-art software algorithms and present innovative hardware/software codesign variants. The proposed implementation offers highly competitive performance in terms of performance and area.

Published

2014

34. Implementation of SHA-1 and ECDSA for vehicular ad-hoc network using NS-3

Author

Jim Leone, Tae Oh, and Sinan Nacy

Subjects

Vehicular ad hoc network, Digital signature, business.industry, Network security, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, SHA-1, Elliptic Curve Digital Signature Algorithm, Cellular network, Code (cryptography), business, Computer network, Network simulation

Abstract

VANET, the Vehicular Ad-Hoc Network, treats cars as nodes in a mobile network. Not surprisingly, VANET must be very secured since one of the network characteristics allows the network to be open to public. The digital signature used in VANET is the standard, ECDSA, or Elliptic Curve Digital Signature Algorithms. ECDSA provides network security by employing a digital signature for messages being transmitted over the network. An ECDSA developed in C++ is described here. VANET messages were sent using the NS-3 network simulator. Two scenarios were created to test the code and the differences before and after implementing the digital signature.

Published

2013

35. ECvisual

Author

Ching-Kuang Shene, Melissa S. Keranen, Jean Mayo, Jun Tao, and Jun Ma

Subjects

Theoretical computer science, business.industry, Computer science, Elliptic Curve Digital Signature Algorithm, Cryptography, Plaintext, Encryption, Prime (order theory), Elliptic curve, Finite field, Cipher, Counting points on elliptic curves, Hardware_ARITHMETICANDLOGICSTRUCTURES, Elliptic curve cryptography, business

Abstract

This paper describes a visualization tool ECvisual that helps students understand and instructors teach elliptic curve based ciphers. This tool permits the user to visualize elliptic curves over the real field and over a finite field of prime order, perform arithmetic operations, do encryption and decryption, and convert plaintext to a point on an elliptic curve. The demo mode of ECvisual can be used for classroom presentation and self-study. With the practice mode, the user may go through steps in finite field computations, encryption, decryption and plaintext conversion. The user may compute the output for each operation check each answer for correctness. This helps students understand the primitive operations and how they are used in an elliptic curve cipher. The opportunity for self-study provides an instructor greater flexibility in selecting a lecture pace for this detail-filled material. Classroom evaluation was positive and very encouraging.

Published

2012

36. Fault attack to the elliptic curve digital signature algorithm with multiple bit faults

Author

Guido Bertoni, Andrea Palomba, Alessandro Barenghi, Gerardo Pelosi, and Luca Breveglieri

Subjects

cryptography, Cryptographic primitive, Modular arithmetic, Computer science, Distributed computing, Elliptic Curve Digital Signature Algorithm, security, Fault injection, Elliptic curve, ECDSA, fault injection attack, digital signature, Key (cryptography), Fault model, Elliptic curve cryptography, INF, countermeasure, Algorithm, side channel attack, Computer Science::Cryptography and Security

Abstract

Elliptic curve cryptosystems proved to be well suited for securing systems with constrained resources like embedded and portable devices. In a fault attack, errors are induced during the computation of a cryptographic primitive, and the faulty results are collected to derive information about the secret key stored into the device in a non-readable way. Scenarios where the secure devices are seized by an opponent are quite common. Consequently, it is possible for an attacker to induce changes in the working environment of the device to cause alterations in the computation of the cryptographic primitive. We introduce a new fault model and attack methodology to recover the secret key employed in implementations of the Elliptic Curve Digital Signature Algorithm. Our attack exploits the information leakage induced when altering the execution of the modular arithmetic operations used in the signature primitive and does not rely on the properties of the underlying elliptic curve mathematical structure, thus being applicable to curves defined on both prime fields and binary fields. The attack is easily reproducible with low cost fault injection technologies relying on transient errors placed within a single datapath width of the target architecture.

Published

2011

37. Elliptic curve for data protection

Author

Wasim A. Al-Hamdani

Subjects

Theoretical computer science, business.industry, Computer science, Elliptic curve Diffie–Hellman, Elliptic Curve Digital Signature Algorithm, Cryptography, Elliptic curve, Counting points on elliptic curves, Curve25519, Hardware_ARITHMETICANDLOGICSTRUCTURES, Elliptic curve cryptography, business, Computer Science::Cryptography and Security, Key size

Abstract

The cryptography of elliptical curve (ECC) is an approach in cryptography public key based on the algebraic structure of elliptical curves on the finished fields; a smaller group can be used to obtain the same level of security as RSA-based. In this article a simple presentation on cryptography with focus on elliptic curve algorithm, examine its security, benefits and its functions with privacy issues. The last part of this article is "protection and privacy components", for each component the article look at privacy issue then examine the elliptic curve angle to be used with the component. These work results in using elliptic curve in multipart security (or single party) is more efficient in key size, speed and retrieve encrypted information.

Published

2011

38. Flooding-resilient broadcast authentication for VANETs

Author

Aravind V. Iyer, Ahren Studer, Adrian Perrig, Chen Chen, Bhargav R. Bellur, Fan Bai, and Hsu-Chun Hsiao

Subjects

Vehicular ad hoc network, Digital signature, Software deployment, Computer science, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Broadcast communication network, Elliptic Curve Digital Signature Algorithm, Communication source, business, Beacon, Computer network, Flooding (computer networking)

Abstract

Digital signatures are one of the fundamental security primitives in Vehicular Ad-Hoc Networks (VANETs) because they provide authenticity and non-repudiation in broadcast communication. However, the current broadcast authentication standard in VANETs is vulnerable to signature flooding: excessive signature verification requests that exhaust the computational resources of victims. In this paper, we propose two efficient broadcast authentication schemes, Fast Authentication (FastAuth) and Selective Authentication (SelAuth), as two countermeasures to signature flooding. FastAuth secures periodic single-hop beacon messages. By exploiting the sender's ability to predict its own future beacons, FastAuth enables 50 times faster verification than previous mechanisms using the Elliptic Curve Digital Signature Algorithm. SelAuth secures multi-hop applications in which a bogus signature may spread out quickly and impact a significant number of vehicles. SelAuth pro- vides fast isolation of malicious senders, even under a dynamic topology, while consuming only 15%--30% of the computational resources compared to other schemes. We provide both analytical and experimental evaluations based on real traffic traces and NS-2 simulations. With the near-term deployment plans of VANET on all vehicles, our approaches can make VANETs practical.

Published

2011

39. Elliptic curve cryptography

Author

Sheetal Kalra, Sandeep K. Sood, Kiran Deep Singh, and Given Names Deactivated Family Name Deactivated

Subjects

business.industry, Elliptic Curve Digital Signature Algorithm, Cryptography, Data_CODINGANDINFORMATIONTHEORY, Digital signature, Computer engineering, Curve25519, Counting points on elliptic curves, Hardware_ARITHMETICANDLOGICSTRUCTURES, Elliptic curve cryptography, business, Key exchange, Key size, Mathematics, Computer network

Abstract

Elliptic curve cryptosystems are based on ECDLP (Elliptic curve discrete logarithm problem) for their security. The best known method to solve ECDLP (pollard's rho algorithm) is fully exponential therefore Elliptic Curve Cryptosystems require substantially smaller key sizes for equivalent security as compared to other public key cryptosystems (RSA, DSA). This paper discusses the technique of Elliptic Curve Cryptography (ECC). Due to its computational benefits such as faster computation, low power and memory consumption, bandwidth saving, ECC is best suited for mobile/wireless environments. The application of ECC in mobile devices and wireless networks has been discussed in the paper. A survey of various protocols based on ECC has been done in the paper which clearly depicts its increasing acceptance over other public key cryptosystems.

Published

2011

40. FPGA implementation of binary edwards curve usingternary representation

Author

Ayantika Chatterjee and Indranil Sengupta

Subjects

Standard cell, business.industry, Edwards curve, Elliptic Curve Digital Signature Algorithm, Cryptography, Parallel computing, Computer Science::Hardware Architecture, Lookup table, Curve25519, Hardware_ARITHMETICANDLOGICSTRUCTURES, Elliptic curve cryptography, Field-programmable gate array, business, Mathematics

Abstract

Elliptic curve cryptography (ECC) has proven its superiority, since it was proposed in the domain of Public-Key Cryptography [1]. Further, Edwards curve adds a new paradigm to ECC in terms of speed and security against exceptional point attacks. This curve has been recently extended to Binary Edwards Curves (BEC), due to efficiency of implementation in GF(2m) fields and to harvest the advantages of a unified and complete scalar point multiplication on the family of BEC. In spite of achieving the unification, it introduces more challenges to the designer to reduce the computation time and trade-off the area in efficient way. This work reports an implementation of BEC processor with an effort to better utilize the look-up table (LUT) of the FPGA. The design further implements the ternary algorithm to increase the efficiency. However, to the best of our knowledge there exists no previous implementations of BEC on FPGA platform. The proposed design has been implemented for state-of-the-art GF(2233) fields. The performance of the design has been found to compare favorably with the existing designs on standard cell ASIC libraries, in spite of being implemented on FPGA platform.

Published

2011

41. A new variant vision on ECDSA

Author

R. Shanmugalakshmi and M. Prabu

Subjects

Scheme (programming language), Digital Signature Algorithm, Computer science, Elliptic Curve Digital Signature Algorithm, New variant, computer, Algorithm, Signature (logic), computer.programming_language

Abstract

This paper describes a new variant level of signature scheme on ECDSA. In support of this scheme, a study of on a number of schemes was done. The number of scheme includes Lamport, Fail stop, Schnorr, and DSA etc. In this study three schemes, DSA, ECDSA and variant ECDSA are taken for a comparative study. From that comparison, the paper tries to develop a new scheme on ECDSA. Finally, It was found out that, variant signature on ECDSA is better than other schemes.

Published

2010

42. A GF(p) elliptic curve group operator resistant against side channel attacks

Author

Monjur Alam, Dipanwita RoyChowdhury, Santosh Ghosh, and Indranil Sengupta

Subjects

Elliptic curve, Power analysis, Timing attack, Elliptic curve point multiplication, Curve25519, Elliptic Curve Digital Signature Algorithm, Side channel attack, Arithmetic, Elliptic curve cryptography, Mathematics

Abstract

This paper deals with FPGA and ASIC implementations of side-channel attack resistant elliptic curve cryptosystems defined over GF(p). The elegance of the design lies in the fact that all operations are performed in binary number system, thus reducing conversion overheads of existing architectures. In our implementation, point addition and point doubling operations are performed in affine coordinates. They are performed using same amount of computation, which provides a secure design against timing and power analysis attacks. Implementation and side-channel analysis results are compared with related existing designs.

Published

2008

43. Pre-authentication filters

Author

Qi Dong, Peng Ning, and Donggang Liu

Subjects

Public-key cryptography, Key distribution in wireless sensor networks, Authentication, Digital signature, Computer science, business.industry, Sensor node, Key (cryptography), Elliptic Curve Digital Signature Algorithm, business, Wireless sensor network, Computer network

Abstract

Recent studies have demonstrated that it is possible to perform public key cryptographic operations on the resource-constrained sensor platforms. However, the significant resource consumption imposed by public key cryptographic operations makes such mechanisms easy targets of Denial- of Service (DoS) attacks. For example, if digital signatures such as ECDSA are used directly for broadcast authentication without further protection, an attacker can simply broadcast forged packets and force the receiving nodes to perform a large number of unnecessary signature verifications, eventually exhausting their battery power. This paper studies how to deal with such DoS attacks when signatures are used for broadcast authentication in sensor networks. In particular, this paper presents two filtering techniques, a group-based filter and a key chain-based filter, to handle DoS attacks against signature verification. Both methods can significantly reduce the number of unnecessary signature verifications that a sensor node has to perform. The analytical results also show that these two techniques are efficient and effective for resource-constrained sensor networks.

Published

2008

44. Comparison of innovative signature algorithms for WSNs

Author

Christof Paar, Axel Poschmann, and Benedikt Driessen

Subjects

Public-key cryptography, Key distribution in wireless sensor networks, Symmetric-key algorithm, Digital signature, Computer science, business.industry, Elliptic Curve Digital Signature Algorithm, Overhead (computing), NTRUSign, business, Wireless sensor network, Algorithm, Computer network

Abstract

For many foreseen applications of Wireless Sensor Networks (WSN) - for example monitoring the structural health of a bridge - message integrity is a crucial requirement. Usually, security services such as message integrity are realized by symmetric cryptography only, because asymmetric cryptography is often stated as impracticable for WSN. However, the proposed solutions for symmetric key establishment introduce a significant computation, storage, and - most important - communication overhead. Digital signatures and key-exchange based on asymmetric algorithms would be very valuable though. In the literature nearly only RSA and ECC are implemented and compared for sensor nodes, though there exist a variety of innovative asymmetric algorithms. To close this gap, we investigated the efficiency and suitability of digital signature algorithms based on innovative asymmetric primitives for WSN. We chose XTR-DSA and NTRUSign and implemented both (as well as ECDSA) for MICAz motes.

Published

2008

45. Side-channel resistant system-level design flow for public-key cryptography

Author

Bart Preneel, Kazuo Sakiyama, Elke De Mulder, and Ingrid Verbauwhede

Subjects

Public-key cryptography, Engineering, Electronic system-level design and verification, Power analysis, Computer engineering, business.industry, Real-time computing, Datapath, Elliptic Curve Digital Signature Algorithm, Side channel attack, Elliptic curve cryptography, business, Hamming code

Abstract

In this paper, we propose a new design methodology to assess the risk for side-channel attacks, more specifically timing analysis and simple power analysis, at an early design stage. This method is illustrated with the design of an elliptic curve cryptographic processor. It also allows to evaluate the quality of countermeasures against these attacks by evaluating hamming distances for eachsignal and each register in a partial functional domain (e.g. datapath or controller). Thus a first order side-channel-resistant design can be obtained with system-level design in which the simulation can run faster than conventional HDL simulations.

Published

2007

46. Multi-segment GF (2 m ) multiplication and its application to elliptic curve cryptography

Author

Dong-Ho Lee and Jong-Soo Oh

Subjects

Multiplication algorithm, Elliptic curve point multiplication, Coprocessor, Elliptic Curve Digital Signature Algorithm, Curve25519, Multiplication, Hardware_ARITHMETICANDLOGICSTRUCTURES, Elliptic curve cryptography, Arithmetic, Scalar multiplication, Mathematics

Abstract

Scalar multiplication is the most time consuming computation in elliptic curve cryptography (ECC). ECC coprocessors provide computational support for the scalar multiplication algorithm. In this paper, we propose an efficient multi-segment GF(2m) multiplication method and discuss its application for ECC. The proposed method is particularly effective when the underlying technology provides an efficient realization of dual-port RAM block structures. We implemented ECC coprocessors in FPGA development environments to compare the resource usages of the ECC processors which use the proposed multi-segment multipliers and others using the digit-serial multipliers. The experimental results show that the proposed multi-segment multiplication method requires significantly less FPGA resources for the same multiplication performance in ECC implementations.

Published

2007

47. Signcryption based on elliptic curve and its multi-party schemes

Author

Xiaoyuan Yang, Yiliang Han, and Yupu Hu

Subjects

Adaptive chosen-ciphertext attack, Distributed key generation, Computer science, Distributed computing, Hash function, Key (cryptography), Elliptic Curve Digital Signature Algorithm, Cryptosystem, Algorithm, Threshold cryptosystem, Signcryption

Abstract

A new signcryption based on elliptic curve cryptosystems that combines ECDSA and PSCE-1 is presented. The signcryption scheme is a publicly verifiable scheme which can be verified by the third party after the specific recipient removes his key information. Analysis shows that the proposed scheme is secure against the adaptive chosen ciphertext attack. The signcryption saves the communication cost at least 1.25 times and enhances computation cost 1.19 times over ECDSA-then-PSCE-1. Compared with other signcryption schemes, such as Y. Zheng's ECSCS, the new signcryption uses a uniform elliptic curve cryptosystem platform instead of four kinds of cryptosystem components: hash function, keyed hash function, symmetric cipher and elliptic curve. While keeping high security and efficiency, the scheme can be implemented in software and hardware at low price because of above advantages. Based on the presented signcryption, a broadcast scheme for multiple recipients and a threshold scheme with Key Distributed Generation for multiple senders are also proposed.

Published

2004

48. An FPGA implementation of an elliptic curve processor GF(2 m )

Author

Bart Preneel, Nele Mentens, and S.B. Ors

Subjects

Elliptic curve, Modular arithmetic, Clock rate, Curve25519, Elliptic Curve Digital Signature Algorithm, Multiplication, Systolic array, Parallel computing, Hardware_ARITHMETICANDLOGICSTRUCTURES, Elliptic curve cryptography, Arithmetic, Mathematics

Abstract

This paper describes a hardware implementation of an arithmetic processor which is efficient for elliptic curve (EC) cryptosystems, which are becoming increasingly popular as an alternative for public key cryptosystems based on factoring. The modular multiplication is implemented using a Montgomery modular multiplication in a systolic array architecture, which has the advantage that the clock frequency becomes independent of the bit length m.

Published

2004

49. Generic implementations of elliptic curve cryptography using partial reduction

Author

Nils Gura, Sheueling Chang Shantz, and Hans Eberle

Subjects

Theoretical computer science, Computer science, Elliptic curve Diffie–Hellman, Elliptic Curve Digital Signature Algorithm, Cryptographic protocol, Prime (order theory), Schoof–Elkies–Atkin algorithm, Elliptic curve, Elliptic curve point multiplication, Jacobian curve, Curve25519, Counting points on elliptic curves, Multiplication, Hardware_ARITHMETICANDLOGICSTRUCTURES, Elliptic curve cryptography, Arithmetic, Key size

Abstract

Elliptic Curve Cryptography (ECC) is evolving as an attractive alternative to other public-key schemes such as RSA by offering the smallest key size and the highest strength per bit. The importance of ECC has been recognized by the US government and the standards bodies NIST and SECG. Standards for preferred elliptic curves over prime fields GF(p) and binary polynomial fields GF(2m) as well as the Elliptic Curve Digital Signature Algorithm (ECDSA) have been created. A security protocol based on ECC requires support for different curves representing different security levels. This is particularly true for server applications that are exposed to requests for secure connections with different parameters generated by a multitude of client devices. Reported implementations of ECC over GF(2m) typically choose to implement each curve as a special case so that modular reduction can be optimized, thus improving the overall performance. In contrast, this paper focuses on generic implementations of ECC point multiplication for arbitrary curves over GF(2m). We present a novel reduction algorithm that allows hardware and software implementations for variable field degrees m. Though not as high in performance as an implementation optimized for a specific curve, it offers an attractive solution to supporting infrequently used curves or curves not known at the time of the implementation.

Published

2002