Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution...
Transcript of Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution...
![Page 1: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/1.jpg)
Elliptic Curve Hash (and Sign)ECOH (and the 1-up problem for ECDSA)
Daniel R. L. Brown
Certicom Research
ECC 2008, Utrecht, Sep 22-24 2008
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43
![Page 2: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/2.jpg)
Outline
1 ECOHBackgroundEvolutionImplementationCFV
2 One-Up Problem for ECDSA
3 Conclusion
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 2 / 43
![Page 3: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/3.jpg)
ECOH
Elliptic Curve Only Hash
Definition (High level)
Pad message block Mi into a point Pi .
T =∑
i
Pi (1)
Do the same for T . Truncate to get hash H .
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 3 / 43
![Page 4: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/4.jpg)
ECOH Background
Motivation: SHA-3
Wang, Feng, Lai, Yu: collision FOUND in MD5.
Wang, Yin, Yu: 269 collision algorithm for SHA-1
Wang, Yao, Yao: 263 collision algorithm for SHA-1
NIST: please use SHA-2
NIST: is SHA-2 ok?
NIST: SHA-3 competition, AES-style
Some like to call “AHS”
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 4 / 43
![Page 5: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/5.jpg)
ECOH Background
Motivation: SHA-3
Wang, Feng, Lai, Yu: collision FOUND in MD5.
Wang, Yin, Yu: 269 collision algorithm for SHA-1
Wang, Yao, Yao: 263 collision algorithm for SHA-1
NIST: please use SHA-2
NIST: is SHA-2 ok?
NIST: SHA-3 competition, AES-style
Some like to call “AHS”
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 4 / 43
![Page 6: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/6.jpg)
ECOH Background
Motivation: SHA-3
Wang, Feng, Lai, Yu: collision FOUND in MD5.
Wang, Yin, Yu: 269 collision algorithm for SHA-1
Wang, Yao, Yao: 263 collision algorithm for SHA-1
NIST: please use SHA-2
NIST: is SHA-2 ok?
NIST: SHA-3 competition, AES-style
Some like to call “AHS”
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 4 / 43
![Page 7: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/7.jpg)
ECOH Background
Motivation: SHA-3
Wang, Feng, Lai, Yu: collision FOUND in MD5.
Wang, Yin, Yu: 269 collision algorithm for SHA-1
Wang, Yao, Yao: 263 collision algorithm for SHA-1
NIST: please use SHA-2
NIST: is SHA-2 ok?
NIST: SHA-3 competition, AES-style
Some like to call “AHS”
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 4 / 43
![Page 8: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/8.jpg)
ECOH Background
Motivation: SHA-3
Wang, Feng, Lai, Yu: collision FOUND in MD5.
Wang, Yin, Yu: 269 collision algorithm for SHA-1
Wang, Yao, Yao: 263 collision algorithm for SHA-1
NIST: please use SHA-2
NIST: is SHA-2 ok?
NIST: SHA-3 competition, AES-style
Some like to call “AHS”
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 4 / 43
![Page 9: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/9.jpg)
ECOH Background
Motivation: SHA-3
Wang, Feng, Lai, Yu: collision FOUND in MD5.
Wang, Yin, Yu: 269 collision algorithm for SHA-1
Wang, Yao, Yao: 263 collision algorithm for SHA-1
NIST: please use SHA-2
NIST: is SHA-2 ok?
NIST: SHA-3 competition, AES-style
Some like to call “AHS”
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 4 / 43
![Page 10: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/10.jpg)
ECOH Background
Motivation: SHA-3
Wang, Feng, Lai, Yu: collision FOUND in MD5.
Wang, Yin, Yu: 269 collision algorithm for SHA-1
Wang, Yao, Yao: 263 collision algorithm for SHA-1
NIST: please use SHA-2
NIST: is SHA-2 ok?
NIST: SHA-3 competition, AES-style
Some like to call “AHS”
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 4 / 43
![Page 11: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/11.jpg)
ECOH Background
Discrete Log Hash: CHP
Definition (Chaum, van Heijst, Pfitzmann (1991))
H(m, n) = mP + nQ
TheoremA collision in H gives logP(Q).
Proof.If H(a, b) = H(c , d), then
aP + bQ = cP + dQ (2)
and solving logP(Q) = a−cd−b
mod n.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 5 / 43
![Page 12: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/12.jpg)
ECOH Background
Discrete Log Hash: CHP
Definition (Chaum, van Heijst, Pfitzmann (1991))
H(m, n) = mP + nQ
TheoremA collision in H gives logP(Q).
Proof.If H(a, b) = H(c , d), then
aP + bQ = cP + dQ (2)
and solving logP(Q) = a−cd−b
mod n.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 5 / 43
![Page 13: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/13.jpg)
ECOH Background
Discrete Log Hash: CHP
Definition (Chaum, van Heijst, Pfitzmann (1991))
H(m, n) = mP + nQ
TheoremA collision in H gives logP(Q).
Proof.If H(a, b) = H(c , d), then
aP + bQ = cP + dQ (2)
and solving logP(Q) = a−cd−b
mod n.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 5 / 43
![Page 14: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/14.jpg)
ECOH Background
CHP Pros and Cons
Provably secure assuming ECDLP hard.
3m/2 EC adds per 2m bits.
Compression factor 2, must be iterated.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 6 / 43
![Page 15: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/15.jpg)
ECOH Background
Discrete Log Hash 2: MuHASH
Definition (Bellare and Micciancio (1997))
Let Pi = F (i‖Mi), where F is a “random oracle”. Let
H =∑
i
Pi (3)
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 7 / 43
![Page 16: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/16.jpg)
ECOH Background
MuHASH Advantages
One EC add per m bits.I E.g. 384 times faster than CHP.
Parallelizable.
Incremental:I H ′ = H − Pi + P ′
i
Provably secure, assuming ECDLP hard and F random oracle.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 8 / 43
![Page 17: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/17.jpg)
ECOH Background
MuHASH Disadvantages
Assumes F is a random oracle.
Insecure if F insecure.I Must already have a collision-resistant F .I SHA-1? SHA-2? SHA-3?
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 9 / 43
![Page 18: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/18.jpg)
ECOH Evolution
ECOH’s Design Rationale
Leverage from MuHASH:I Speed.I Parallelizability.I Incrementality.
Avoid reliance on pre-existing F .
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 10 / 43
![Page 19: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/19.jpg)
ECOH Evolution
EECH
Replace F by fixed key block cipher:
H =∑
i
F (i‖Mi) (4)
Encrypted Elliptic Curve Hash (EECH) born.
No collisions in F , guaranteed.
Model F by ideal cipher.
Rehash Bellare and Micciancio’s security proof.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 11 / 43
![Page 20: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/20.jpg)
ECOH Evolution
EECH
Replace F by fixed key block cipher:
H =∑
i
F (i‖Mi) (4)
Encrypted Elliptic Curve Hash (EECH) born.
No collisions in F , guaranteed.
Model F by ideal cipher.
Rehash Bellare and Micciancio’s security proof.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 11 / 43
![Page 21: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/21.jpg)
ECOH Evolution
EECH
Replace F by fixed key block cipher:
H =∑
i
F (i‖Mi) (4)
Encrypted Elliptic Curve Hash (EECH) born.
No collisions in F , guaranteed.
Model F by ideal cipher.
Rehash Bellare and Micciancio’s security proof.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 11 / 43
![Page 22: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/22.jpg)
ECOH Evolution
EECH
Replace F by fixed key block cipher:
H =∑
i
F (i‖Mi) (4)
Encrypted Elliptic Curve Hash (EECH) born.
No collisions in F , guaranteed.
Model F by ideal cipher.
Rehash Bellare and Micciancio’s security proof.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 11 / 43
![Page 23: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/23.jpg)
ECOH Evolution
EECH
Replace F by fixed key block cipher:
H =∑
i
F (i‖Mi) (4)
Encrypted Elliptic Curve Hash (EECH) born.
No collisions in F , guaranteed.
Model F by ideal cipher.
Rehash Bellare and Micciancio’s security proof.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 11 / 43
![Page 24: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/24.jpg)
ECOH Evolution
Oops: Not 1-way
Unlike MuHASH, F now invertible.
If adversary knows M1 and M3 but not M2, then
2‖M2 = F−1(H(M1, M2, M3)− F (1‖M1)− F (3‖M3)) (5)
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 12 / 43
![Page 25: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/25.jpg)
ECOH Evolution
Oops: Not 1-way
Unlike MuHASH, F now invertible.
If adversary knows M1 and M3 but not M2, then
2‖M2 = F−1(H(M1, M2, M3)− F (1‖M1)− F (3‖M3)) (5)
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 12 / 43
![Page 26: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/26.jpg)
ECOH Evolution
Fix it up.
Post-process with one-way function?I Scalar multiply?I EECH again?I Pairing?I Checksum in extra block?
Seems to thwart block inversion attack.
Interferes with incrementality.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 13 / 43
![Page 27: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/27.jpg)
ECOH Evolution
Ouch: Not collision resistant!
Let2‖D = F−1(F (1‖A) + F (2‖B)− F (1‖C )) (6)
Probability of index 2 appearing depends its bit length. Try thatmany C values, until it works.Then
F (1‖A) + F (2‖B) = F (1‖C ) + F (2‖D), (7)
i.e. a collision H(A, B) = H(C , D).Second preimage attack!
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 14 / 43
![Page 28: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/28.jpg)
ECOH Evolution
Fix it again.
Pad Mi , before applying F .
If F random enough, inverting will not give requisite padding.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 15 / 43
![Page 29: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/29.jpg)
ECOH Evolution
ECOH
Now that EECH is all fixed ...
just set F to the identity function.
Elliptic Curve Only Hash.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 16 / 43
![Page 30: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/30.jpg)
ECOH Evolution
ECOH
Now that EECH is all fixed ...
just set F to the identity function.
Elliptic Curve Only Hash.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 16 / 43
![Page 31: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/31.jpg)
ECOH Evolution
ECOH
Now that EECH is all fixed ...
just set F to the identity function.
Elliptic Curve Only Hash.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 16 / 43
![Page 32: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/32.jpg)
ECOH Evolution
ECOH vs. EECH
Purity of ECOH.
No dependence on ideal cipher model.
No performance cost of enciphering.I ECOH is already slow enough.
Is it more crazy to:I encrypt with a fixed key,I do nothing?
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 17 / 43
![Page 33: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/33.jpg)
ECOH Evolution
ECOH vs. EECH
Purity of ECOH.
No dependence on ideal cipher model.
No performance cost of enciphering.I ECOH is already slow enough.
Is it more crazy to:I encrypt with a fixed key,I do nothing?
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 17 / 43
![Page 34: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/34.jpg)
ECOH Evolution
ECOH vs. EECH
Purity of ECOH.
No dependence on ideal cipher model.
No performance cost of enciphering.I ECOH is already slow enough.
Is it more crazy to:I encrypt with a fixed key,I do nothing?
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 17 / 43
![Page 35: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/35.jpg)
ECOH Evolution
ECOH vs. EECH
Purity of ECOH.
No dependence on ideal cipher model.
No performance cost of enciphering.I ECOH is already slow enough.
Is it more crazy to:I encrypt with a fixed key,I do nothing?
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 17 / 43
![Page 36: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/36.jpg)
ECOH Evolution
ECOH vs. EECH
Purity of ECOH.
No dependence on ideal cipher model.
No performance cost of enciphering.I ECOH is already slow enough.
Is it more crazy to:I encrypt with a fixed key,I do nothing?
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 17 / 43
![Page 37: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/37.jpg)
ECOH Evolution
ECOH vs. EECH
Purity of ECOH.
No dependence on ideal cipher model.
No performance cost of enciphering.I ECOH is already slow enough.
Is it more crazy to:I encrypt with a fixed key,I do nothing?
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 17 / 43
![Page 38: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/38.jpg)
ECOH Evolution
ECOH vs. EECH
Purity of ECOH.
No dependence on ideal cipher model.
No performance cost of enciphering.I ECOH is already slow enough.
Is it more crazy to:I encrypt with a fixed key,I do nothing?
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 17 / 43
![Page 39: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/39.jpg)
ECOH Evolution
ECOH Security Proof?
Generic group model!I Detailed version in progress.
Big deal ...
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 18 / 43
![Page 40: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/40.jpg)
ECOH Evolution
ECOH Security Attack!?!
Semaev summation polynomial
fn(X1, . . . , Xn) = 0
if and only if there exist Yi with
(X1, Y1) + · · ·+ (Xn, Yn) = 0.
Degree in each variable 2n−2
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 19 / 43
![Page 41: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/41.jpg)
ECOH Evolution
Second Preimage Attack on ECOH
Given X3 and X4.
Find X1 and X2, such that
(X1, Y1) + (X2, Y2) = (X3, Y3) + (X4, Y4)
which impliesf4(X1, X2, X3, X4) = 0
Total degree 2(24−2) = 4.
Xi = ciZi + di , where Zi has low degree.
g(Z1, Z2) = 0
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 20 / 43
![Page 42: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/42.jpg)
ECOH Evolution
Security Proof??????
Semaev: low degree solutions to Summation polynomials can beused to solve ECDLP.
Contrapositive: if ECDLP hard, then hard to find low degreesolutions.
But: ECOH degrees much higher than Semaev degrees.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 21 / 43
![Page 43: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/43.jpg)
ECOH Evolution
Security Proof??????
Semaev: low degree solutions to Summation polynomials can beused to solve ECDLP.
Contrapositive: if ECDLP hard, then hard to find low degreesolutions.
But: ECOH degrees much higher than Semaev degrees.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 21 / 43
![Page 44: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/44.jpg)
ECOH Evolution
Security Proof??????
Semaev: low degree solutions to Summation polynomials can beused to solve ECDLP.
Contrapositive: if ECDLP hard, then hard to find low degreesolutions.
But: ECOH degrees much higher than Semaev degrees.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 21 / 43
![Page 45: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/45.jpg)
ECOH Implementation
Curve Choice
NIST recommended curves:I B-283,I B-409,I B-571.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 22 / 43
![Page 46: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/46.jpg)
ECOH Implementation
Why Binary?
y solved by quadratic equation involving x containing paddedmessage block.
Quadratic equations faster in binary fields than in prime fieldsI Use linear half-trace function (not square root)I Use look up tables.
Bonus: Intel announced AVX will include binary polynomialmultiplier.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 23 / 43
![Page 47: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/47.jpg)
ECOH Implementation
Why Binary?
y solved by quadratic equation involving x containing paddedmessage block.
Quadratic equations faster in binary fields than in prime fieldsI Use linear half-trace function (not square root)I Use look up tables.
Bonus: Intel announced AVX will include binary polynomialmultiplier.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 23 / 43
![Page 48: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/48.jpg)
ECOH Implementation
Why Binary?
y solved by quadratic equation involving x containing paddedmessage block.
Quadratic equations faster in binary fields than in prime fieldsI Use linear half-trace function (not square root)I Use look up tables.
Bonus: Intel announced AVX will include binary polynomialmultiplier.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 23 / 43
![Page 49: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/49.jpg)
ECOH Implementation
Why Binary?
y solved by quadratic equation involving x containing paddedmessage block.
Quadratic equations faster in binary fields than in prime fieldsI Use linear half-trace function (not square root)I Use look up tables.
Bonus: Intel announced AVX will include binary polynomialmultiplier.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 23 / 43
![Page 50: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/50.jpg)
ECOH Implementation
Why Binary?
y solved by quadratic equation involving x containing paddedmessage block.
Quadratic equations faster in binary fields than in prime fieldsI Use linear half-trace function (not square root)I Use look up tables.
Bonus: Intel announced AVX will include binary polynomialmultiplier.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 23 / 43
![Page 51: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/51.jpg)
ECOH Implementation
Reference implementation
Coded by Matt J. Campagna (who also helped with specificationof ECOH details)
Features:I Bit lookups for trace functionI Table lookups for squaring and half-traceI Basic shift-and-xor polynomial multiplyI Affine coordinates
Rate on a desktop: 0.14 MB/s
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 24 / 43
![Page 52: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/52.jpg)
ECOH Implementation
Possible optimizations
Other coordinates?I Not predicted to help.
Better multiplication:I Should help somewhat.
Simultaneous inversions:I Each solving for y requires inversion.I Each addition requires inversion.I These can be replaced a few inversion and a corresponding
number of multiplies.I Predicted speedup: maybe five times?
Parallelization
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 25 / 43
![Page 53: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/53.jpg)
ECOH Implementation
Hash with a Twist
Bernstein: x-only DH with “invalid” x thrown to the twist.
EECH/ECOH: every x maps to a point on curve or its twist
Get one total and twisted total
Sum these on curve over quadratic extension.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 26 / 43
![Page 54: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/54.jpg)
ECOH Implementation
Dreaming doesn’t hurt
0.14 MB/sx 5 (simultaneous inversion, etc.)x 10 (Intel AVX)x 10 (ten CPU multicore)=70 MB/sFaster than SHA-1?
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 27 / 43
![Page 55: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/55.jpg)
ECOH CFV
People who have helped me
Matt Campagna
Rene Struik
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 28 / 43
![Page 56: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/56.jpg)
ECOH CFV
Call for Volunteers
Implementers
Cryptanalysis
Security provers
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 29 / 43
![Page 57: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/57.jpg)
One-Up Problem for ECDSA
Convertible Group
DefinitionA group G and a function f : G → Z.
Use multiplicative notation for G .
Call f the conversion function.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 30 / 43
![Page 58: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/58.jpg)
One-Up Problem for ECDSA
One-Up Problem
DefinitionGiven a, b ∈ G , find c such that
c = abf (c) (8)
One is up: a1.
One c is up.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 31 / 43
![Page 59: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/59.jpg)
One-Up Problem for ECDSA
Convertible DSA
DefinitionLet g ∈ G have order n. Let h : {0, 1}∗ → Z be a hash function.Then (r , s) is a valid signature on message m ∈ {0, 1}∗ under publickey y ∈ G , only if gcd(s, n) = 1 and
r = f((
gh(m)y r)1/s mod n
). (9)
Includes DSA.
Includes ECDSA.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 32 / 43
![Page 60: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/60.jpg)
One-Up Problem for ECDSA
So what’s up with this problem?
TheoremIf the one-up problem for (G , f ) is solvable, then Convertible DSA for(G , f , g , h) is forgeable.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 33 / 43
![Page 61: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/61.jpg)
One-Up Problem for ECDSA
Hard up?
Conjecture
For the (G , f ) in ECDSA, solving the 1-up problem costs about ngroup operations and converstions.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 34 / 43
![Page 62: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/62.jpg)
One-Up Problem for ECDSA
Up’s enough?
ConjectureConvertible DSA resists universal forgery against key-only attacks(UF-KOA) if
1 Discrete logs hard in G.
2 One up hard in (G , f ).
3 Hash h mod n is rarely zero.
More powerful forgery attacks resisted if hash has further securityproperties (e.g. collision resistance).
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 35 / 43
![Page 63: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/63.jpg)
One-Up Problem for ECDSA
Up over log?
If discrete logs easy, ...
Can one-up problem be hard?
Maybe, if f ...
is random oracle.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 36 / 43
![Page 64: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/64.jpg)
One-Up Problem for ECDSA
Up under log?
In generic group model,
If advesary gets access to one-up oracle, then
Discrete logs still hard.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 37 / 43
![Page 65: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/65.jpg)
One-Up Problem for ECDSA
Semilog problem
Definition (ECC 2001, Advances in ECC)
A semilog of y is a pair (r , s) which would be valid signature underpublic key y if the message had hash equal to one.
Theorem (ECC 2001/Advances in ECC)
ECDSA resists UF-KOA if and only if semilog is hard and hash israrely zero.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 38 / 43
![Page 66: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/66.jpg)
One-Up Problem for ECDSA
Semilog = Fork(Log, 1up)
TheoremThe semilog problem, with one component is fixed, is equivalent to
the discrete log problem if r is fixed.
the 1-up problem if s is fixed.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 39 / 43
![Page 67: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/67.jpg)
One-Up Problem for ECDSA
Diffie-Hellman Disguised as One-Up
If f (x) = logg (x), then
One-up problem equivalent to DHP
This f is impractial, so
result is only theoretical.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 40 / 43
![Page 68: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/68.jpg)
One-Up Problem for ECDSA
One-Up as Obstacle
Pointcheval and Stern couldn’t prove ECDSA secure in randomoracle model, assuming only hard log.
Paillier and Vergnaud argued ECDSA couldn’t be proved securein the random oracle model, assuming hard log (unless one-morelog problem was easy).
Perhaps one-up problem was hidden obstacle.
Not possible to prove ECDSA secure given only hard log,because one-up could be easy.
In practice, though, one-up seems harder than log!
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 41 / 43
![Page 69: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/69.jpg)
One-Up Problem for ECDSA
One-Up as Obstacle
Pointcheval and Stern couldn’t prove ECDSA secure in randomoracle model, assuming only hard log.
Paillier and Vergnaud argued ECDSA couldn’t be proved securein the random oracle model, assuming hard log (unless one-morelog problem was easy).
Perhaps one-up problem was hidden obstacle.
Not possible to prove ECDSA secure given only hard log,because one-up could be easy.
In practice, though, one-up seems harder than log!
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 41 / 43
![Page 70: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/70.jpg)
One-Up Problem for ECDSA
One-Up as Obstacle
Pointcheval and Stern couldn’t prove ECDSA secure in randomoracle model, assuming only hard log.
Paillier and Vergnaud argued ECDSA couldn’t be proved securein the random oracle model, assuming hard log (unless one-morelog problem was easy).
Perhaps one-up problem was hidden obstacle.
Not possible to prove ECDSA secure given only hard log,because one-up could be easy.
In practice, though, one-up seems harder than log!
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 41 / 43
![Page 71: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/71.jpg)
One-Up Problem for ECDSA
One-Up as Obstacle
Pointcheval and Stern couldn’t prove ECDSA secure in randomoracle model, assuming only hard log.
Paillier and Vergnaud argued ECDSA couldn’t be proved securein the random oracle model, assuming hard log (unless one-morelog problem was easy).
Perhaps one-up problem was hidden obstacle.
Not possible to prove ECDSA secure given only hard log,because one-up could be easy.
In practice, though, one-up seems harder than log!
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 41 / 43
![Page 72: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/72.jpg)
One-Up Problem for ECDSA
One-Up as Obstacle
Pointcheval and Stern couldn’t prove ECDSA secure in randomoracle model, assuming only hard log.
Paillier and Vergnaud argued ECDSA couldn’t be proved securein the random oracle model, assuming hard log (unless one-morelog problem was easy).
Perhaps one-up problem was hidden obstacle.
Not possible to prove ECDSA secure given only hard log,because one-up could be easy.
In practice, though, one-up seems harder than log!
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 41 / 43
![Page 73: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/73.jpg)
One-Up Problem for ECDSA
ECDSA with ECOH
No bit twiddling — pure algebra.
Use the same curve for both.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 42 / 43
![Page 74: Elliptic Curve Hash (and Sign) - Hyperelliptic org · Outline 1 ECOH Background Evolution Implementation CFV 2 One-Up Problem for ECDSA 3 Conclusion Dan Brown (Certicom) Elliptic](https://reader034.fdocuments.in/reader034/viewer/2022051801/5add49ab7f8b9aa5088c9fca/html5/thumbnails/74.jpg)
Conclusion
Conclusion
ECC: not just for PKC and RNGs, anymore!
ECOH: who needs need bit twiddling, now?
ECDSA: One-up? Okay.
Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 43 / 43