ECDSA/EdDSA
- 1. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br DSA and Ring Signatures Jacob Brazeal Clemson University 4/3/2019
- 2. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Monero Monero is a cryptocurrency created in 2014. It has a market cap of > $1 billion It uses an obfuscated blockchain Encrypted transaction amounts, one-time addresses. Transactions are grouped and signed by multiple people at once (ring signature), so it’s hard to tell which sender authorized which specific transaction.
- 3. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Elliptic Curves A finite field Fp, where p is a prime number, is the set formed by {0, 1, 2..., p − 1} with arithmetic operations (+, ×) calculated mod p. An elliptic curve over a finite field is normally expressed as a set of points (x, y) satisfying a Weierstraß equation: y2 = x3 + ax + b where a, b, x, y, ∈ Fp
- 4. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Twisted Edwards Curves Monero uses a different form of an elliptic curve called a twisted Edwards Curve. This curve is the set of points (x, y) satisfying ax2 + y2 = 1 + dx2 y2 where a, d, x, y, ∈ Fp
- 5. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Addition on Twisted Edwards Curves Let P1 = (x1, y1) and P2 = (x2, y2) be two points on a Twisted Edwards Curve. Then addition is defined as: x3 = x1y2 + y1x2 1 + dx1x2y1y2 mod p y3 = y1y2 − ax1x2 1 − dx1x2y1y2 mod p This yields an abelian group.
- 6. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Discrete Log Problem Let P be a point on the curve, then calculating the scalar product nP is easy The discrete log problem is hard: given two points P1 and P2, find n such than P1 = nP2.
- 7. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Elliptic curves vs. RSA The discrete log problem is also used to refer to inverting exponentiation over a multiplicative group, which is the original setting of some of the algorithms used here. But elliptic curves are faster than multiplicative gorups because we can safely use smaller keys.
- 8. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Public/private key cryptography Let G be a generator of the curve: for every point P on the curve, there exists a scalar n such that P = nG. The order of the curve is the smallest positive integer N such that NG is the identity element. Pick a random scalar k where 1 < k < N. This is the private key; the public key is the point K = kG.
- 9. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Diffie-Hellman key exchange Alice and Bob generate private/public key pairs (kA, KA) and (kB, KB), and exchange public keys. Clearly, it holds that S = kAKB = kAkBG = kBkAG = kBKA. So Alice calculates S = kAKB and Bob calculates S = kBKA, and S is a shared secret, since kA and kB are both hard to calculate for an external observer.
- 10. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Digital Signatures: ECDSA Suppose Alice has a private/public key pair (k, K). To sign a message m): Find a hash of the message h = H(m). Generate a random integer r where 1 < r < N and compute P = (x, y) = rG. If r = 0 try again. Calculate s = r−1 (h + xk) mod N. The signature is (x, s).
- 11. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Verifying the signature Compute u1 = s−1 h and u2 = s−1 x Let Q = u1G + u2K (a point on the curve) The signature is valid iff the first coordinate of Q = (xQ, yQ) satisfies xQ = x mod p .
- 12. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Proof of correctness We’re going to show that the computed Q is equal to rG = R = (x, y). Q = u1G + u2K (1) = s−1 hG + s−1 xkG (2) = s−1 (h + xk)G (3) Since s = r−1 (h + xk), r = s−1 (h + xk), so Q = rG. We know the original signer had the private key because he could factor K in to kG.
- 13. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Using Edwards curves for signatures Monero use a specific Twisted Edwards curve, Ed25519. It is defined over the prime field F2255−19 as: −x2 + y2 = 1 − 121665 121666 x2 y2 It’s important to use good elliptic curves - not all of them are secure. For example, if the order of the curve equals the order of the prime field, then the curve is vulnerable (Smart’s Attack). The order of Ed25519 is: 23 × 72370055773322622139731865 6304299424085711635937990760 6001950938285454250989
- 14. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br The EdDSA signature scheme Use hashes instead of random numbers to avoid attacks on our random number generator No array lookups or branches that could allow Spectre-style attacks Let hk be a hash H(k) of the signer’s private key k. Compute r as hash r = H(hk, m). Calculate R = rG and s = (r + H(R, K, m) × k) The signature is the pair (R, s)
- 15. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Verification Compute h = H(R, K, m) If the equality (2c s)G = 2c R + 2c H(R, K, m)K holds then the signature is valid. Here c is 3; it corresponds to the power of 2 in the order of the curve.
- 16. DSA and Ring Signatures Jacob Brazeal Elliptic Curves Digital Signatures (ECDSA) The EdDSA Signature Scheme www.egmon.com.br Correctness The following equality is true: 2c sG = 2c ((r + H(R, K, m) × k) × G (4) = 2c R + 2c H(R, K, m) × K) (5)