Sabyasachi Karati - Academia.edu (original) (raw)
Uploads
Papers by Sabyasachi Karati
Digital signature schemes form the basis of trust in Internet communication. Shor (FOCS 1994) pro... more Digital signature schemes form the basis of trust in Internet communication. Shor (FOCS 1994) proposed quantum algorithms that can be used by a quantum computer to break the security of today’s widely used digital signature schemes, and this has fuelled intensive research on the design and implementation of post-quantum digital signatures. Hash-based digital signatures base their security on one-way functions that in practice are instantiated by hash functions. Hash-based signatures are widely studied and are part of NIST’s post-quantum standardization effort. In this paper we present a multi-target attack that we call Intermediate Secret-Guessing attack on two hash-based signatures: XMSS (Draft SP 800-208 that was considered by NIST for standardization), and K2SN-MSS (AsiaCCS 2019). The attack allows an adversary to forge a signature on an arbitrary message. We describe the intuition behind the attack and give details of its application on the attacked schemes together with corresp...
IACR Cryptol. ePrint Arch., 2019
Gaudry and Lubicz introduced the idea of Kummer line in 2009, and Karati and Sarkar proposed thre... more Gaudry and Lubicz introduced the idea of Kummer line in 2009, and Karati and Sarkar proposed three Kummer lines over prime fields in 2017. In this work, we explore the problem of secure and efficient scalar multiplications on binary field using Kummer line and investigate the possibilities of speedups using Kummer line compared to Koblitz curves, binary Edwards curve and Weierstrass curves. We propose a binary Kummer line BKL251 over binary field F2251 where the associated elliptic curve satisfies the required security conditions and offers 124.5-bit security which is the same as that of Binary Edwards curve BEd251 and Weierstrass curve CURVE2251. BKL251 has small curve parameter and small base point. We implement our software of BKL251 using the instruction PCLMULQDQ of modern Intel processors and batch software BBK251 using bitslicing technique. For fair comparison, we also implement the software BEd251 for binary Edwards curve. In both the implementations, scalar multiplications ...
IACR Cryptol. ePrint Arch., 2012
Randomizers are popularly used to prevent various types of attacks on batch-verification schemes.... more Randomizers are popularly used to prevent various types of attacks on batch-verification schemes. Recently, several algorithms based upon symbolic computation are proposed for the batch verification of ECDSA signatures. In this article, we demonstrate that the concept of randomizers can be easily embedded in these symbolic-computation algorithms. The performance degradation caused by randomizers is comparable with that associated with ECDSA*.
IACR Cryptol. ePrint Arch., 2019
With the rapid development of quantum technologies, quantumsafe cryptography has found significan... more With the rapid development of quantum technologies, quantumsafe cryptography has found significant attention. Hash-based signature schemes have been in particular of interest because of (i) the importance of digital signature as the main source of trust on the Internet, (ii) the fact that the security of these signatures relies on existence of one-way functions, which is the minimal assumption for signature schemes, and (iii) they can be efficiently implemented. Basic hash-based signatures are for a single message, but have been extended for signing multiple messages. In this paper we design a Multi-message Signature Scheme (MSS) based on an existing One-Time Signature (OTS) that we refer to as KSN-OTS. KSN uses SWIFFT, an additive homomorphic lattice-based hash function family with provable one-wayness property, as the oneway-function and achieves a short signature. We prove security of our proposed signature scheme in a new strengthened security model (multi-target multi-function)...
With the rapid development of quantum technologies, quantum-safe cryptography has found significa... more With the rapid development of quantum technologies, quantum-safe cryptography has found significant attention. Hash-based signature schemes have been in particular of interest because of (i) the importance of digital signature as the main source of trust on the Internet, (ii) the fact that the security of these signatures relies on existence of one-way functions, which is the minimal assumption for signature schemes, and (iii) they can be efficiently implemented. Basic hash-based signatures are for a single message, but have been extended for signing multiple messages. In this paper we design a Multi-message Signature Scheme (MSS) based on an existing One-Time Signature (OTS) that we refer to as KSN-OTS. KSN uses SWIFFT, an additive homomorphic lattice-based hash function family with provable one-wayness property, as the one-way-function and achieves a short signature. We prove security of our proposed signature scheme in a new strengthened security model (multi-target multi-functio...
This work considers the problem of fast and secure scalar multiplication using curves of genus on... more This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz in 2009 had suggested the use of the associated Kummer line to speed up scalar multiplication. In this work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. In turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as \(K_1:=\mathsf{KL2519(81,20)}\), \(K_2:=\mathsf{KL25519(82,77)}\) and \(K_3:=\mathsf{KL2663(260,139)}\) over the three primes \(2^{251}-9\), \(2^{255}-19\) and \(2^{266}-3\...
Journal of Cryptology
This work considers the problem of fast and secure scalar multiplication using curves of genus on... more This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz (Finite Fields Appl 15(2):246-260, 2009) had suggested the use of the associated Kummer line to speed up scalar multiplication. In the present work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as K 1 := KL2519(81, 20), K 2 := KL25519(82, 77) and K 3 := KL2663(260, 139) over the three primes 2 251 − 9, 2 255 − 19 and 2 266 − 3, respectively. Implementations of scalar multiplications for all three Kummer lines using Intel intrinsics have been done, and the code is publicly available. Timing results on the Skylake and the Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for K 1 and K 2 are faster than those achieved by Sandy2x, which is a highly optimised SIMD implementation in assembly of the well-known Curve25519. On Skylake, both fixed base and variable base scalar multiplications for K 3 are faster than Sandy2x, whereas on Haswell, fixed base scalar multiplication for K 3 is faster than Sandy2x while variable base scalar multiplication for both K 3 and Sandy2x takes roughly the same time. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation. We further illustrate the usefulness of the proposed Kummer lines by instantiating the quotient Digital Signature Algorithm on all the three Kummer lines.
Advances in Mathematics of Communications
Scalar multiplication on Legendre form elliptic curves can be speeded up in two ways. One can per... more Scalar multiplication on Legendre form elliptic curves can be speeded up in two ways. One can perform the bulk of the computation either on the associated Kummer line or on an appropriate twisted Edwards form elliptic curve. This paper provides details of moving to and from between Legendre form elliptic curves and associated Kummer line and moving to and from between Legendre form elliptic curves and related twisted Edwards form elliptic curves. Further, concrete twisted Edwards form elliptic curves are identified which correspond to known Kummer lines at the 128-bit security level which provide very fast scalar multiplication on modern architectures supporting SIMD operations.
Communications in Computer and Information Science, 2014
Lecture Notes in Computer Science, 2014
Several batch-verification algorithms for original ECDSA signatures are proposed for the first ti... more Several batch-verification algorithms for original ECDSA signatures are proposed for the first time in AfricaCrypt 2012. Two of these algorithms are based on the naive idea of taking square roots in the underlying fields, and the others perform symbolic manipulation to verify small batches of ECDSA signatures. In this paper, we use elliptic-curve summation polynomials to design a new ECDSA batch-verification algorithm which is theoretically and experimentally much faster than the symbolic algorithms of AfricaCrypt 2012. Our experiments on NIST prime and Koblitz curves demonstrate that our proposed algorithm increases the optimal batch size from seven to nine. We also mention how our algorithm can be adapted to Edwards curves.
Lecture Notes in Computer Science, 2014
Lecture Notes in Computer Science, 2014
Lecture Notes in Computer Science, 2012
In this paper, we study several algorithms for batch verification of ECDSA signatures. The first ... more In this paper, we study several algorithms for batch verification of ECDSA signatures. The first of these algorithms is based upon the naive idea of taking square roots in the underlying field. We also propose two new and efficient algorithms which replace square-root computations by symbolic manipulations. Experiments carried out on NIST prime curves demonstrate a maximum speedup of above six over individual verification if all the signatures in the batch belong to the same signer, and a maximum speedup of about two if the signatures in the batch belong to different signers, both achieved by a fast variant of our second symbolic-manipulation algorithm. In terms of security, all the studied algorithms are equivalent to standard ECDSA* batch verification. These algorithms are practical only for small ( 8) batch sizes. To the best of our knowledge, this is the first reported study on the batch verification of original ECDSA signatures.
Journal of Cryptographic Engineering, 2014
Journal of Cryptographic Engineering, 2014
Digital signature schemes form the basis of trust in Internet communication. Shor (FOCS 1994) pro... more Digital signature schemes form the basis of trust in Internet communication. Shor (FOCS 1994) proposed quantum algorithms that can be used by a quantum computer to break the security of today’s widely used digital signature schemes, and this has fuelled intensive research on the design and implementation of post-quantum digital signatures. Hash-based digital signatures base their security on one-way functions that in practice are instantiated by hash functions. Hash-based signatures are widely studied and are part of NIST’s post-quantum standardization effort. In this paper we present a multi-target attack that we call Intermediate Secret-Guessing attack on two hash-based signatures: XMSS (Draft SP 800-208 that was considered by NIST for standardization), and K2SN-MSS (AsiaCCS 2019). The attack allows an adversary to forge a signature on an arbitrary message. We describe the intuition behind the attack and give details of its application on the attacked schemes together with corresp...
IACR Cryptol. ePrint Arch., 2019
Gaudry and Lubicz introduced the idea of Kummer line in 2009, and Karati and Sarkar proposed thre... more Gaudry and Lubicz introduced the idea of Kummer line in 2009, and Karati and Sarkar proposed three Kummer lines over prime fields in 2017. In this work, we explore the problem of secure and efficient scalar multiplications on binary field using Kummer line and investigate the possibilities of speedups using Kummer line compared to Koblitz curves, binary Edwards curve and Weierstrass curves. We propose a binary Kummer line BKL251 over binary field F2251 where the associated elliptic curve satisfies the required security conditions and offers 124.5-bit security which is the same as that of Binary Edwards curve BEd251 and Weierstrass curve CURVE2251. BKL251 has small curve parameter and small base point. We implement our software of BKL251 using the instruction PCLMULQDQ of modern Intel processors and batch software BBK251 using bitslicing technique. For fair comparison, we also implement the software BEd251 for binary Edwards curve. In both the implementations, scalar multiplications ...
IACR Cryptol. ePrint Arch., 2012
Randomizers are popularly used to prevent various types of attacks on batch-verification schemes.... more Randomizers are popularly used to prevent various types of attacks on batch-verification schemes. Recently, several algorithms based upon symbolic computation are proposed for the batch verification of ECDSA signatures. In this article, we demonstrate that the concept of randomizers can be easily embedded in these symbolic-computation algorithms. The performance degradation caused by randomizers is comparable with that associated with ECDSA*.
IACR Cryptol. ePrint Arch., 2019
With the rapid development of quantum technologies, quantumsafe cryptography has found significan... more With the rapid development of quantum technologies, quantumsafe cryptography has found significant attention. Hash-based signature schemes have been in particular of interest because of (i) the importance of digital signature as the main source of trust on the Internet, (ii) the fact that the security of these signatures relies on existence of one-way functions, which is the minimal assumption for signature schemes, and (iii) they can be efficiently implemented. Basic hash-based signatures are for a single message, but have been extended for signing multiple messages. In this paper we design a Multi-message Signature Scheme (MSS) based on an existing One-Time Signature (OTS) that we refer to as KSN-OTS. KSN uses SWIFFT, an additive homomorphic lattice-based hash function family with provable one-wayness property, as the oneway-function and achieves a short signature. We prove security of our proposed signature scheme in a new strengthened security model (multi-target multi-function)...
With the rapid development of quantum technologies, quantum-safe cryptography has found significa... more With the rapid development of quantum technologies, quantum-safe cryptography has found significant attention. Hash-based signature schemes have been in particular of interest because of (i) the importance of digital signature as the main source of trust on the Internet, (ii) the fact that the security of these signatures relies on existence of one-way functions, which is the minimal assumption for signature schemes, and (iii) they can be efficiently implemented. Basic hash-based signatures are for a single message, but have been extended for signing multiple messages. In this paper we design a Multi-message Signature Scheme (MSS) based on an existing One-Time Signature (OTS) that we refer to as KSN-OTS. KSN uses SWIFFT, an additive homomorphic lattice-based hash function family with provable one-wayness property, as the one-way-function and achieves a short signature. We prove security of our proposed signature scheme in a new strengthened security model (multi-target multi-functio...
This work considers the problem of fast and secure scalar multiplication using curves of genus on... more This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz in 2009 had suggested the use of the associated Kummer line to speed up scalar multiplication. In this work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. In turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as \(K_1:=\mathsf{KL2519(81,20)}\), \(K_2:=\mathsf{KL25519(82,77)}\) and \(K_3:=\mathsf{KL2663(260,139)}\) over the three primes \(2^{251}-9\), \(2^{255}-19\) and \(2^{266}-3\...
Journal of Cryptology
This work considers the problem of fast and secure scalar multiplication using curves of genus on... more This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz (Finite Fields Appl 15(2):246-260, 2009) had suggested the use of the associated Kummer line to speed up scalar multiplication. In the present work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as K 1 := KL2519(81, 20), K 2 := KL25519(82, 77) and K 3 := KL2663(260, 139) over the three primes 2 251 − 9, 2 255 − 19 and 2 266 − 3, respectively. Implementations of scalar multiplications for all three Kummer lines using Intel intrinsics have been done, and the code is publicly available. Timing results on the Skylake and the Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for K 1 and K 2 are faster than those achieved by Sandy2x, which is a highly optimised SIMD implementation in assembly of the well-known Curve25519. On Skylake, both fixed base and variable base scalar multiplications for K 3 are faster than Sandy2x, whereas on Haswell, fixed base scalar multiplication for K 3 is faster than Sandy2x while variable base scalar multiplication for both K 3 and Sandy2x takes roughly the same time. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation. We further illustrate the usefulness of the proposed Kummer lines by instantiating the quotient Digital Signature Algorithm on all the three Kummer lines.
Advances in Mathematics of Communications
Scalar multiplication on Legendre form elliptic curves can be speeded up in two ways. One can per... more Scalar multiplication on Legendre form elliptic curves can be speeded up in two ways. One can perform the bulk of the computation either on the associated Kummer line or on an appropriate twisted Edwards form elliptic curve. This paper provides details of moving to and from between Legendre form elliptic curves and associated Kummer line and moving to and from between Legendre form elliptic curves and related twisted Edwards form elliptic curves. Further, concrete twisted Edwards form elliptic curves are identified which correspond to known Kummer lines at the 128-bit security level which provide very fast scalar multiplication on modern architectures supporting SIMD operations.
Communications in Computer and Information Science, 2014
Lecture Notes in Computer Science, 2014
Several batch-verification algorithms for original ECDSA signatures are proposed for the first ti... more Several batch-verification algorithms for original ECDSA signatures are proposed for the first time in AfricaCrypt 2012. Two of these algorithms are based on the naive idea of taking square roots in the underlying fields, and the others perform symbolic manipulation to verify small batches of ECDSA signatures. In this paper, we use elliptic-curve summation polynomials to design a new ECDSA batch-verification algorithm which is theoretically and experimentally much faster than the symbolic algorithms of AfricaCrypt 2012. Our experiments on NIST prime and Koblitz curves demonstrate that our proposed algorithm increases the optimal batch size from seven to nine. We also mention how our algorithm can be adapted to Edwards curves.
Lecture Notes in Computer Science, 2014
Lecture Notes in Computer Science, 2014
Lecture Notes in Computer Science, 2012
In this paper, we study several algorithms for batch verification of ECDSA signatures. The first ... more In this paper, we study several algorithms for batch verification of ECDSA signatures. The first of these algorithms is based upon the naive idea of taking square roots in the underlying field. We also propose two new and efficient algorithms which replace square-root computations by symbolic manipulations. Experiments carried out on NIST prime curves demonstrate a maximum speedup of above six over individual verification if all the signatures in the batch belong to the same signer, and a maximum speedup of about two if the signatures in the batch belong to different signers, both achieved by a fast variant of our second symbolic-manipulation algorithm. In terms of security, all the studied algorithms are equivalent to standard ECDSA* batch verification. These algorithms are practical only for small ( 8) batch sizes. To the best of our knowledge, this is the first reported study on the batch verification of original ECDSA signatures.
Journal of Cryptographic Engineering, 2014
Journal of Cryptographic Engineering, 2014