Batch Verification of Elliptic Curve Digital Signatures

This thesis investigates the efficiency of batching the verification of elliptic curve signatures. The first signature scheme considered is a modification of ECDSA proposed by Antipa et al.\ along with a batch verification algorithm by Cheon and Yi. Next, Bernstein's EdDSA signature scheme and the Bos-Coster multi-exponentiation algorithm are presented and the asymptotic runtime is examined. Following background on bilinear pairings, the Camenisch-Hohenberger-Pedersen (CHP) pairing-based signature scheme is presented in the Type 3 setting, along with the derivative BN-IBV due to Zhang, Lu, Lin, Ho and Shen. We proceed to count field operations for each signature scheme and an exact analysis of the results is given. When considered in the context of batch verification, we find that the Cheon-Yi and Bos-Coster methods have similar costs in practice (assuming the same curve model). We also find that when batch verifying signatures, CHP is only 11\% slower than EdDSA with Bos-Coster, a significant improvement over the gap in single verification cost between the two schemes

Analytical Study of Modified RSA Algorithms for Digital Signature

Digital signature has been providing security services to secure electronic transaction. Rivest Shamir Adleman (RSA) algorithm was most widely used to provide security technique for many applications, such as e-mails, electronic funds transfer, electronic data interchange, software distribution, data storage, electronic commerce and secure internet access. In order to include RSA cryptosystem proficiently in many protocols, it is desired to formulate faster encryption and decryption operations. This paper describes a systematic analysis of RSA and its variation schemes for Digital Signature. DOI: 10.17762/ijritcc2321-8169.15031

Performance of EdDSA and BLS Signatures in Committee-Based Consensus

We present the first performance comparison of EdDSA and BLS signatures in committee-based consensus protocols through large-scale geo-distributed benchmarks. Contrary to popular beliefs, we find that small deployments (less than 40 validators) can benefit from the small storage footprint of BLS multi-signatures while larger deployments should favor EdDSA to improve performance. As an independent contribution, we present a novel way for committee-based consensus protocols to verify BLS multi-signed certificates by manipulating the aggregated public key using pre-computed values

Truncated EdDSA/ECDSA Signatures

This note presents some techniques to slightly reduce the size of EdDSA and ECDSA signatures without lowering their security or breaking compatibility with existing signers, at the cost of an increase in signature verification time; verifying a 64-byte Ed25519 signature truncated to 60 bytes has an average cost of 4.1 million cycles on 64-bit x86 (i.e. about 35 times the cost of verifying a normal, untruncated signature)

Evaluation and implementation of the Ed25519 digital signature algorithm in rust

Mestrado de dupla diplomação com a UTFPR - Universidade Tecnológica Federal do ParanáCryptography can be classified as secret-key and public-key cryptography. Both have distinct features and differs in performance, complexity, flexibility and security. Secret-key cryptography, considering its simplicity and performance, is commonly used for securing communications. The invention of public-key cryptography made it possible to develop more flexible cryptographic schemes and algorithms, such as key exchanges and digital signatures, hence extending the possibilities and the field of cryptography. Cryptographic implementations are primordial for securing the Internet, and as a consequence, correctness, security and efficiency are more emphasized. In this sense, this work addresses the evaluation and the implementation of Ed25519, an instance of the Edwards-curve Digital Signature Algorithm for digital messages authentication. The implementation lies on Rust: a safe, modern, high-level and strongly-typed programming language. This work has two contributions: (i) an Ed25519 implementation in Rust that considers readability, modularity and ease of use, and (ii) an evaluation of the Ed25519 implementation from a security/performance perspective. The implementation was comprised by three modules: field arithmetic, curve arithmetic and the interface. The security perspective presented essential qualities of cryptographic implementations, such as functional correctness, memory safety, constant-time operations and usability. The performance evaluation showed low execution times and proved to be as fast as implementations written in C; Rust’s RAM consumption showed similar results in comparison to implementations written in C.A criptografia pode ser classificada em simétrica e assimétrica. Ambos diferem-se com relação ao desempenho, complexidade, flexibilidade e segurança. A criptografia simétrica é comumente utilizada para estabelecer comunicações secretas. A criptografia assimétrica foi capaz de ampliar as primitivas criptográficas ao possibilitar primitivas para assinaturas digitais e acordo de chaves. Implementações criptográficas são primordiais na proteção de comunicações e informações. Nesse sentido, a segurança, corretude e eficiência são priorizadas. Este trabalho aborda a avaliação e implementação do algoritmo de assinaturas digitais Ed25519, uma instância do Edwards-curve Digital Signature Algorithm. Este trabalho tem como objetivo realizar a implementação do algoritmo Ed25519 em Rust, uma linguagem de programação de alto nível, moderna e fortemente tipada, com foco em memory safety. Dessa forma, as contribuições são: (i) uma implementação do Ed25519 em Rust que suporta legibilidade, modularidade e facilidade de uso e (ii) a avaliação da implementação em termos de desempenho e segurança. O desenvolvimento envolveu a implementação de três módulos: aritmética de corpos, aritmética de curvas e interface. Na perspectiva da segurança, foi possível apresentar atributos essenciais às implementações criptográficas, tais como correctness, memory safety, usabilidade e operações em tempo constante. A implementação apresentou tempos de execução aceitáveis e próximos das implementações em C; além disso, Rust apresentou consumo de memória RAM similar às implementações em C

Bringing data minimization to digital wallets at scale with general-purpose zero-knowledge proofs

Today, digital identity management for individuals is either inconvenient and error-prone or creates undesirable lock-in effects and violates privacy and security expectations. These shortcomings inhibit the digital transformation in general and seem particularly concerning in the context of novel applications such as access control for decentralized autonomous organizations and identification in the Metaverse. Decentralized or self-sovereign identity (SSI) aims to offer a solution to this dilemma by empowering individuals to manage their digital identity through machine-verifiable attestations stored in a "digital wallet" application on their edge devices. However, when presented to a relying party, these attestations typically reveal more attributes than required and allow tracking end users' activities. Several academic works and practical solutions exist to reduce or avoid such excessive information disclosure, from simple selective disclosure to data-minimizing anonymous credentials based on zero-knowledge proofs (ZKPs). We first demonstrate that the SSI solutions that are currently built with anonymous credentials still lack essential features such as scalable revocation, certificate chaining, and integration with secure elements. We then argue that general-purpose ZKPs in the form of zk-SNARKs can appropriately address these pressing challenges. We describe our implementation and conduct performance tests on different edge devices to illustrate that the performance of zk-SNARK-based anonymous credentials is already practical. We also discuss further advantages that general-purpose ZKPs can easily provide for digital wallets, for instance, to create "designated verifier presentations" that facilitate new design options for digital identity infrastructures that previously were not accessible because of the threat of man-in-the-middle attacks

Lightweight EdDSA Signature Verification for the Ultra-Low-Power Internet of Things

EdDSA is a digital signature scheme based on elliptic curves in Edwards form that is supported in the latest incarnation of the TLS protocol (i.e. TLS version 1.3). The straightforward way of verifying an EdDSA signature involves a costly double-scalar multiplication of the form kP - lQ where P is a "fixed" point (namely the generator of the underlying elliptic-curve group) and Q is only known at run time. This computation makes a verification not only much slower than a signature generation, but also more memory demanding. In the present paper we compare two implementations of EdDSA verification using Ed25519 as case study; the first is speed-optimized, while the other aims to achieve low RAM footprint. The speed-optimized variant performs the double-scalar multiplication in a simultaneous fashion and uses a Joint-Sparse Form (JSF) representation for the two scalars. On the other hand, the memory-optimized variant splits the computation of kP - lQ into two separate parts, namely a fixed-base scalar multiplication that is carried out using a standard comb method with eight pre-computed points, and a variable-base scalar multiplication, which is executed by means of the conventional Montgomery ladder on the birationally-equivalent Montgomery curve. Our experiments with a 16-bit ultra-low-power MSP430 microcontroller show that the separated method is 24% slower than the simultaneous technique, but reduces the RAM footprint by 40%. This makes the separated method attractive for "lightweight" cryptographic libraries, in particular if both Ed25519 signature generation/verification and X25519 key exchange need to be supported

Digital Signatures for PTP Using Transparent Clocks

Smart grids use synchronous real-time measurements from phasor measurement units (PMU) across portions of a grid to provide grid-wide integrity. Achieving synchronicity requires either accurate GPS clocks at each PMU or a high-resolution clock synchronization protocol, such as the Precision Time Protocol (PTP), specified in IEEE 1588 with the power profile in IEEE C37.238-2011. PTP does not natively include measures to provide authenticity or integrity for timestamps transmitted across an Ethernet network, though there has been recent work in providing end-to-end integrity of transmitted timestamps. However, PTP for use in the smart grid requires a version of the protocol in which network switches update the trusted timestamp in flight, meaning that an end-to-end approach is no longer sufficient. We propose two methods to provide for the integrity of the transmitted and updated timestamps as well as to ensure the authority of all network devices altering the time. In the first, we amend the PTP standard to include signatures as part of the time packet itself at the cost of increased jitter in the system. In the second, we transmit these signatures over a wireless network, reducing congestion on the original network. We test both methods on a simulated PTP switch intended for experimentation only and demonstrate that the use of a second network dedicated to verification-related information is better for current networks, as including signatures in the original packet causes more jitter than is acceptable for synchronizing PMUs in particular

Digital Signatures for PTP Using Transparent Clocks

Smart grids use synchronous real-time measurements from phasor measurement units (PMU) across portions of a grid to provide grid-wide integrity. Achieving synchronicity requires either accurate GPS clocks at each PMU or a high-resolution clock synchronization protocol, such as the Precision Time Protocol (PTP), specified in IEEE 1588 with the power profile in IEEE C37.238-2011. PTP does not natively include measures to provide authenticity or integrity for timestamps transmitted across an Ethernet network, though there has been recent work in providing end-to-end integrity of transmitted timestamps. However, PTP for use in the smart grid requires a version of the protocol in which network switches update the trusted timestamp in flight, meaning that an end-to-end approach is no longer sufficient. We propose two methods to provide for the integrity of the transmitted and updated timestamps as well as to ensure the authority of all network devices altering the time. In the first, we amend the PTP standard to include signatures as part of the time packet itself at the cost of increased jitter in the system. In the second, we transmit these signatures over a wireless network, reducing congestion on the original network. We test both methods on a simulated PTP switch intended for experimentation only and demonstrate that the use of a second network dedicated to verification-related information is better for current networks, as including signatures in the original packet causes more jitter than is acceptable for synchronizing PMUs in particular