Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Elliptic Curve Digital Signature Algorithm

Elliptic Curve Digital Signature Algorithm

Third lesson for the Bitcoin and Blockchain Technology course of Milano-Bicocca and Politecnico di Milano

www.ametrano.net/bbt/

Ferdinando M. Ametrano

March 08, 2019
Tweet

More Decks by Ferdinando M. Ametrano

Other Decks in Technology

Transcript

  1. Bitcoin and
    Blockchain Technology
    Elliptic Curve Digital Signature Algorithm
    v2019.04.03
    Comments, corrections, and questions: https://drive.google.com/open?id=1MZu_4zbI8khdYhbGJg9SwWkNA5x-Tb_W
    © 2019 Digital Gold Institute

    View full-size slide

  2. Table of Contents
    1. Modular Arithmetic
    2. Algebra of Sets: Finite Field
    3. Elliptic Curves over Real Numbers
    4. Elliptic Curve over
    5. Asymmetric Cryptography on Elliptic Curves
    6. Digital Signature Protocol
    7. Elliptic Curve Digital Signature Algorithm
    © 2019 Digital Gold Institute 2/69

    View full-size slide

  3. Modular Arithmetic
    arithmetic for integers: numbers "wrap around" upon reaching the
    modulo value
    Example:
    ▪ 9+4 = 1 mod 12
    © 2019 Digital Gold Institute
    https://commons.wikimedia.org/wiki/File:Clock_group.svg
    3/69

    View full-size slide

  4. Congruence and Remainders
    If 1
    ≡ 1
    mod and 2
    ≡ 2
    mod then
    ▪ 1
    + 2
    ≡ 1
    + 2
    (mod )
    ▪ 1
    − 2
    ≡ 1
    − 2
    (mod )
    ▪ 1
    2
    ≡ 1
    2
    (mod )
    ▪ mod b mod ≡ mod
    ▪ mod b mod mod = () mod
    © 2019 Digital Gold Institute 4/69

    View full-size slide

  5. Table of Contents
    1. Modular Arithmetic
    2. Algebra of Sets: Finite Field
    3. Elliptic Curves over Real Numbers
    4. Elliptic Curve over
    5. Asymmetric Cryptography on Elliptic Curves
    6. Digital Signature Protocol
    7. Elliptic Curve Digital Signature Algorithm
    © 2019 Digital Gold Institute 5/69

    View full-size slide

  6. Group {F, +} (1/2)
    A group is a set F together with a binary operator + (also known as
    group law) with the following properties:
    ▪ Closure: for all a and b in F, a+b is also in F;
    ∀, ∈ , + ∈
    ▪ Identity: there exists a unique neutral element 0 in F, such
    that for every element a in F, the equation 0+a=a+0=a;
    ∃! 0, ∈ | 0 + = + 0 = , ∀ ∈
    ▪ Invertibility: for each a in F, there exists the inverse b in F,
    commonly denoted -a, such that a+b=b+a=0;
    ∀ ∈ , ∃ − | + (−) = (−) + = 0
    ▪ Associativity: for all a, b and c in F, (a+b)+c=a+(b+c);
    ∀, , ∈ , + + = + ( + )
    The number of elements in a group is the group order
    © 2019 Digital Gold Institute 6/69

    View full-size slide

  7. Additive or Multiplicative Notation
    Neutral
    Element
    Inverse
    Additive
    Notation
    Zero Opposite
    Multiplicative
    Notation
    Identity Inverse
    © 2019 Digital Gold Institute 7/69

    View full-size slide

  8. Group {F, +} (2/2)
    ▪ The set of all integer numbers under addition {ℤ, +} is an infinite
    order group
    ▪ The set of all integer numbers under multiplication {ℤ, ∙} is not a
    group (e.g. multiplicative inverse of 2 is not an integer)
    ▪ Τ
    ℤ ℤ : { 0, − 1 , +}, i.e. the set of integer numbers 0, − 1
    under addition modulo , is a group of order
    − 0 is the neutral element (also called zero)
    − The inverse of any element is − ,
    © 2019 Digital Gold Institute 8/69

    View full-size slide

  9. Commutative Group {F, +}
    A group {F, +} is commutative if for all a and b in F, a+b = b+a
    ∀, ∈ , + = +
    ▪ The set of all integer numbers under addition {ℤ, +} is a
    commutative group
    ▪ For any modulo , Τ
    ℤ ℤ : { 0, − 1 , +} is a commutative group
    © 2019 Digital Gold Institute 9/69

    View full-size slide

  10. Cyclic Group {F, +}
    A group {F, +} is cyclic if there is a generator element
    ∃ ∀ ∈ , ∃ = + ⋯ + ( )
    ▪ When the group order is prime, the group is cyclic: starting
    from any (non-zero) element and adding this element to itself
    successively, all elements of the set are recovered
    ▪ For any prime , Τ
    ℤ ℤ : { 0, − 1 , +} is a cyclic group; e.g. for
    = 7, { 0, 6 , +}:
    − starting from 3 the cycle is 3+3 %7=6; 6+3 %7=2; 2+3 %7=5; 5+3 %7=1;
    1+3 %7=4; 4+3 %7=0; 0+3 %7=3
    − starting from 2 the cycle is 2+2 %7=4; 4+2 %7=6; 6+2 %7=1; 1+2 %7=3;
    3+2 %7=5; 5+2 %7=0; 0+2 %7=2
    © 2019 Digital Gold Institute 10/69

    View full-size slide

  11. Ring and Field {F, +, ∙}
    ▪ A ring is a commutative group with a second binary operator
    that is associative and with distributive properties making the
    two operators “compatible”
    ∀, , ∈ , + ∙ = ∙ + ∙
    ▪ A field is a ring such that the second operation, after throwing
    out the identity element of the first operation, satisfies all the
    commutative group properties
    ▪ Real numbers ℝ and rational numbers ℚ, with addition and
    multiplication, are fields of infinite order
    ▪ In a field you can add, subtract (i.e. add the additive opposite),
    multiply, and divide (i.e. multiply for the multiplicative inverse)
    © 2019 Digital Gold Institute 11/69

    View full-size slide

  12. The Finite Field Fp = {[0, p−1], +, ∙}
    ▪ We already established that for any modulo , { 0, − 1 , +} is a
    commutative (cyclic) group
    ▪ For any prime number , { , − 1 , ∙} is also a commutative
    group
    − 1 is the identity element
    − For any element there exist its inverse , such that
    = 1 . It is crucial here that is prime

    = { 0, − 1 , +,∙} is a finite field
    © 2019 Digital Gold Institute 12/69

    View full-size slide

  13. E.g.: The Finite Field F7
    {[0, 6], +} is a commutative group
    ▪ 4+3 %7 = 0 → 3 is the opposite of 4
    ▪ Subtraction must be interpreted as addition of the opposite
    2-4 %7 = 2+3 %7 = 5
    2-4 %7 =-2 %7 = 5
    {[1, 6], ∙} is a commutative group
    ▪ 4 ∙ 2 %7 = 1 → 2 is the inverse of 4
    ▪ Division must be interpreted as multiplication by the inverse
    5 ÷ 4 %7 = 5 ∙ 2 %7 = 3
    © 2019 Digital Gold Institute 13/69

    View full-size slide

  14. Fermat’s Little Theorem
    When is prime, for each :
    −1 = 1
    e.g. in ([1, 6], ∙ ) with = 3, 36 = 1:
    3^2 %7 = 3*3 %7 = 2
    3^3 %7 = 2*3 %7 = 6
    3^4 %7 = 6*3 %7 = 4
    3^5 %7 = 4*3 %7 = 5
    3^6 %7 = 5*3 %7 = 1
    © 2019 Digital Gold Institute 14/69

    View full-size slide

  15. Inverse Calculation
    ▪ So, it holds that the inverse of
    −1 = −1 ∙ 1 = −1 ∙ −1 = −2
    ▪ In Python
    a_inv = pow(a, p-2, p)
    © 2019 Digital Gold Institute 15/69

    View full-size slide

  16. Square root concept
    E.g. in 7
    :
    ▪ 2*2 %7 = 4 → 2 is a (even) square root of 4
    ▪ 5*5 %7 = 4 → 5 is a (odd) square root of 4
    ▪ 5 = -2 %7 → odd root is similar to negative root for integers
    ▪ 2 + 5 = 7 → even root + odd root = p
    © 2019 Digital Gold Institute 16/69

    View full-size slide

  17. The Finite Field F7
    © 2019 Digital Gold Institute
    opposite inverse odd sqrt even sqrt
    0 0 #N/A 0 0
    1 6 1 1 6
    2 5 4 3 4
    3 4 5 #N/A #N/A
    4 3 2 5 2
    5 2 3 #N/A #N/A
    6 1 6 #N/A #N/A
    17/69

    View full-size slide

  18. Homework
    Calculate the table of opposites, inverses, and square roots for the
    finite fields 19
    and 23
    Use mod_inv and mod_sqrt from github.com/dginst/btclib/numbertheory.py
    or Excel/VBA from github.com/dginst/bbt/excel/FiniteFields.xlsm
    © 2019 Digital Gold Institute 18/69

    View full-size slide

  19. Table of Contents
    1. Modular Arithmetic
    2. Algebra of Sets: Finite Field
    3. Elliptic Curves over Real Numbers
    4. Elliptic Curve over
    5. Asymmetric Cryptography on Elliptic Curves
    6. Digital Signature Protocol
    7. Elliptic Curve Digital Signature Algorithm
    © 2019 Digital Gold Institute 19/69

    View full-size slide

  20. Elliptic Curves over Real Numbers
    ▪ A formal definition would require algebraic geometry
    ▪ Defined by the Weierstrass equation:
    = + + , , ∈ ℝ
    ▪ The curve is non-singular if:
    ∆= −16 43 + 272 ≠ 0
    © 2019 Digital Gold Institute 20/69

    View full-size slide

  21. Elliptic Curve = − +
    a = -7
    b = 10
    ±
    = ± 3 − 7 + 10
    Negative y roots are in red,
    positive ones in blue
    © 2019 Digital Gold Institute
    -5
    -4
    -3
    -2
    -1
    0
    1
    2
    3
    4
    5
    -5 -4 -3 -2 -1 0 1 2 3 4
    21/69

    View full-size slide

  22. Point Addition P+Q=R
    © 2019 Digital Gold Institute
    https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/reals-add.html
    22/69

    View full-size slide

  23. Point Doubling Q+Q=R
    © 2019 Digital Gold Institute
    https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/reals-add.html
    23/69

    View full-size slide

  24. Algebraic Formulae
    Point Addition P+Q=R

    = −

    2



    = −




    Point Doubling Q+Q=R

    = 3
    2+
    2
    2
    − 2

    = 3
    2+
    2


    − 2
    © 2019 Digital Gold Institute 24/69

    View full-size slide

  25. Infinity Point
    (aka Group Identity or Neutral Element)
    Adding two points with the same
    x-coordinate (y-coordinates
    being the positive/negative
    roots of the same 3 + + )
    “shoots” at the infinity point ∞
    Doubling the point (x, 0) also
    shoots at ∞
    ∞ is the group neutral element:
    ▪ zero in additive notation
    ▪ identity in multiplicative
    notation
    © 2019 Digital Gold Institute
    https://en.wikipedia.org/wiki/Elliptic_curve#/media/File:ECClines.svg
    25/69

    View full-size slide

  26. Opposite of Point Q
    The infinity point is providing the opposite formula:
    + = 0 → = −
    = (,
    ) and − = (, −
    ) have the same coordinate.
    Therefore, their coordinates are the positive/negative roots of:
    ±
    = ± 3 + +
    So

    = −
    and − = , −
    For every , in the group, , − is also in the group
    © 2019 Digital Gold Institute 26/69

    View full-size slide

  27. Compressed Point Representation
    = ,
    For every , given 2 = 3 + + , two roots are possible:
    ±
    = ± 3 + +
    plus one single bit ෤

    = 0/1 is enough to describe the point:
    = (, ෤

    )
    © 2019 Digital Gold Institute 27/69

    View full-size slide

  28. Elliptic Curve Commutative Group
    ▪ With the addition operation, the points of an elliptic curve
    (augmented with ∞) are a commutative group
    ▪ The ∞ point is the neutral element, implicitly defining the
    opposite concept
    ▪ Arbitrarily named addition: it is simply the group law, and it
    could have been called multiplication instead
    − In multiplicative notation doubling would have been called
    squaring
    © 2019 Digital Gold Institute 28/69

    View full-size slide

  29. Point Multiplication =
    ▪ Point multiplication = ( ∈ ℕ) is a convenient notation for
    the repeated application of addition
    = + ⋯ + ( )
    ▪ Elliptic curve multiplication is not a binary operation on the set
    of curve points: it does not combine two points!
    ▪ Addition is the only elliptic curve group binary operation
    © 2019 Digital Gold Institute 29/69

    View full-size slide

  30. Double and Add Algorithm
    = 947 = 20 + 21 + 24 + 25 + 27 + 28 + 2 9 doublings
    = 947 = 1 + 2 + 16 + 32 + 128 + 256 + 512 6 additions
    9 doublings for the powers of two and 6 additions: polynomial in
    the number of bits representing m.
    Point multiplication
    947 = + 2 + 16 + 32 + 128 + 256 + 512 6 point additions
    9 doublings for the powers of two and 6 point additions: much
    better than 946 point additions!
    © 2019 Digital Gold Institute
    https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication
    30/69

    View full-size slide

  31. Discrete Logarithm Problem (DLP)
    A One Way Function
    For any ∈ ℕ, double&add provides an efficient computation of:
    =
    To infer from {, } is computationally unfeasible
    ▪ In additive notation, it is easy to “multiply” = , but difficult
    to “divide” = Τ

    ▪ It is called logarithm problem because in multiplicative notation
    it would have been = , so =

    © 2019 Digital Gold Institute 31/69

    View full-size slide

  32. Table of Contents
    1. Modular Arithmetic
    2. Algebra of Sets: Finite Field
    3. Elliptic Curves over Real Numbers
    4. Elliptic Curve over
    5. Asymmetric Cryptography on Elliptic Curves
    6. Digital Signature Protocol
    7. Elliptic Curve Digital Signature Algorithm
    © 2019 Digital Gold Institute 32/69

    View full-size slide

  33. Elliptic Curves Over Fp
    For cryptographic use, we consider the curve not over ℝ, but over
    a finite field
    :
    2 = 3 + +
    where 43 + 272 ≠ 0
    , , , ∈
    © 2019 Digital Gold Institute 33/69

    View full-size slide

  34. y2=x3−7x+10 over F263
    Symmetric with respect
    to = Τ
    2 = 131.5
    © 2019 Digital Gold Institute 34/69

    View full-size slide

  35. ▪ Geometric interpretation (line
    drawing) for sum still holds
    ▪ Adding same-x points shoots
    at infinity
    y2=x3−7x+10 over F263
    © 2019 Digital Gold Institute 35/69
    https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html

    View full-size slide

  36. Opposite of Point Q
    + = 0 → = −
    = (,
    ) and − = (, −
    ) have the same coordinate.
    Therefore, the coordinates are the modulo even/odd roots of:
    ,
    = 3 + +
    ,
    So

    = −
    and − = (, −
    )
    For every , in the group, , − is also in the group
    © 2019 Digital Gold Institute 36/69

    View full-size slide

  37. SEC Compressed Point Representation
    = (, )
    ▪ Uncompressed = , representation is
    For every , two roots are possible:
    ▪ Even root, compressed = , representation is
    ▪ Odd root, compressed = , representation is
    e.g. for y2= x3−7x+10 over F263
    (118, 192): 118 192 or 118
    (118, 71): 118 71 or 118
    © 2019 Digital Gold Institute
    http://www.secg.org/sec1-v2.pdf
    37/69

    View full-size slide

  38. Breaking Opposite Point Symmetry
    The symmetry between opposite points (same x-coordinate) can
    be resolved with alternative discrimination criteria for the y-
    coordinate:
    1. odd / even
    2. high / low
    The product of two numbers is a quadratic residue, i.e. does have
    square roots, when either both or none of its factors are quadratic
    residues. For prime, = 3 mod 4, the number −1 is not a quadratic
    residue mod . As such, if −1 ∙ is a quadratic residue mod then
    is not and vice versa. This provide the additional criterium:
    3. (when = 3 mod 4) quadratic residue / not a quadratic residue
    © 2019 Digital Gold Institute 38/69

    View full-size slide

  39. Hasse Theorem
    Note that the EC group order = #
    and the
    finite field’s
    prime are different numbers.
    Hasse theorem shows that:
    + 1 − 2 ≤ ≤ + 1 + 2
    e.g. for 263
    , = 263
    231 ≤ ≤ 296
    y2= x3−7x+10 over F263
    ▪ 280 points: 279 affine points plus ∞
    ▪ Odd number of affine points: = , 0 must be in the group,
    = −, 2 = ∞
    © 2019 Digital Gold Institute 39/69

    View full-size slide

  40. Elliptic Curves Over a Finite Field Fp
    ▪ The points on an elliptic curve over a finite field
    can have
    cyclic subgroups
    ▪ Starting from a point its associated cyclic subgroup can be
    explored
    ▪ If the subgroup has order , then = 0
    e.g. y2=x3−7x+10 over F263
    ▪ = (3,4) defines a subgroup of order 280
    ▪ = 66,233 = 2 ∙ (3,4) subgroup of order 140
    ▪ = 251,101 = 14 ∙ (3,4) subgroup of order 20
    © 2019 Digital Gold Institute 40/69

    View full-size slide

  41. 0
    50
    100
    150
    200
    250
    0 50 100 150 200 250
    y2=x3−7x+10 over F263
    © 2019 Digital Gold Institute
    20 (19 plus ∞) points subgroup
    generated by G=(251,101)
    41/69

    View full-size slide

  42. Prime Order for Elliptic Curves Over Fp
    ▪ If the EC group order is a prime we have a cyclic group with
    no subgroups
    ▪ Any point is a generator: adding successively, all the points
    in the group are recovered
    © 2019 Digital Gold Institute 42/69

    View full-size slide

  43. y2=x3+6x+9 over F263
    ▪ Symmetric with respect
    to = Τ
    2 = 131.5
    ▪ 269 points: 268 affine
    points plus ∞
    ▪ Even number of affine
    points: = , 0 is not
    in the group
    ▪ Group order = 269 is
    prime: no subgroups
    © 2019 Digital Gold Institute 43/69
    0
    50
    100
    150
    200
    250
    300
    0 50 100 150 200 250 300

    View full-size slide

  44. Bitcoin Curve: Koblitz Curve secp256k1
    ▪ SEC: Standards for Efficient Cryptography
    ▪ p256: number of bits in the prime field

    is defined by
    p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 – 1
    p = 2^256 - 2^32 - 997
    p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
    ▪ The elliptic curve defined over
    is 2 = 3 + 7
    ▪ The generation point G =
    04
    79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798
    483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
    ▪ The order of G is prime:
    n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
    © 2019 Digital Gold Institute
    SECG, SEC 2: Recommended Elliptic Curve Domain Parameters, http://www.secg.org/sec2-v2.pdf
    https://en.bitcoin.it/wiki/Secp256k1
    44/69

    View full-size slide

  45. Homework
    ▪ 2 = 3 + 2 + 2 over 17
    − List all its points
    − It does not have subgroups, why?
    ▪ 2 = 3 + 4 + 20 over 29
    − List all its points
    − What is the order of the group with generator (8,10)?
    Check https://github.com/dginst/btclib/tests/ec.py
    and/or https://github.com/dginst/bbt/excel/EC*.xlsm
    © 2019 Digital Gold Institute 45/69

    View full-size slide

  46. Table of Contents
    1. Modular Arithmetic
    2. Algebra of Sets: Finite Field
    3. Elliptic Curves over Real Numbers
    4. Elliptic Curve over
    5. Asymmetric Cryptography on Elliptic Curves
    6. Digital Signature Protocol
    7. Elliptic Curve Digital Signature Algorithm
    © 2019 Digital Gold Institute 46/69

    View full-size slide

  47. Asymmetric Cryptography: Different Families
    private key → one-way function → public key
    Different key generation algorithms are based on their own
    distinguishing one-way function:
    ▪ Integer factorization (1977), based on the difficulty of factoring
    large integers (e.g. RSA)
    ▪ Discrete Logarithm (1976), based on the intractability of the
    discrete logarithm problem on finite cyclic groups (e.g. Diffie
    and Hellman)
    ▪ Elliptic Curve (1985), based on the difficulty of computing the
    generalized logarithm problem on an elliptic curve (e.g. Bitcoin)
    © 2019 Digital Gold Institute 47/69

    View full-size slide

  48. Elliptic Curve Public/private Key
    ▪ A Public Key is one point on the elliptic curve
    ▪ A private key is the number ∈ [1, − 1] of additive steps from
    the generator point to arrive at point
    =
    ▪ → easy (double and add)
    → hard (discrete logarithm problem)
    ▪ In multiplicative notation would be called secret exponent
    =
    © 2019 Digital Gold Institute
    https://en.wikipedia.org/wiki/Elliptic_curve_cryptography
    48/69

    View full-size slide

  49. Number of Bitcoin Private Keys
    ▪ The order of elliptic curves can be determined in polynomial
    time
    ▪ secp256k1 has 115 792 089 237 316 195 423 570 985 008 687
    907 852 837 564 279 074 904 382 605 163 141 518 161 494
    336 ≈ 10⁷⁷ points (i.e. private/public key pairs)
    ▪ The observable universe contains 10⁸⁰ atoms
    ▪ Try to find keys with associated bitcoins at
    https://keys.lol/bitcoin
    Beware: better not to look for your keys…
    © 2019 Digital Gold Institute 49/69

    View full-size slide

  50. Break Elliptic Curve Cryptography
    The best known algorithms to break the EC discrete logarithm
    problem take steps proportional to 2 where is the number of
    bits of the key
    ▪ secp256k1 uses 256bit keys: 2128 steps are needed to break it
    ▪ An EC computation takes 1 million CPU cycles. A 3GHz CPU is
    able to process 211.55 EC computations per second
    ▪ A CPU can break the EC in 2116.45 seconds, or about 291.54 years,
    i.e. about 3,599,861,590,422,752,583,114,293,248 years
    ▪ Throwing a million CPUs at the problem would reduce the time
    by a million, leaving it at 3,599,861,590,422,752,583,114
    years, roughly 260,859,535,537 times the age of the universe
    © 2019 Digital Gold Institute 50/69

    View full-size slide

  51. Key Size At Comparable Security Levels
    © 2019 Digital Gold Institute
    Security Levels (bits)
    Symmetric 80 128 192 256
    RSA / DH 1024 3072 7680 15360
    ECC 160 256 384 512
    51/69

    View full-size slide

  52. Quantum Computing Resistance
    ▪ Hash functions and symmetric cryptography are resistant to
    quantum computing (key size doubling is enough). Asymmetric
    cryptography is not
    https://en.wikipedia.org/wiki/Grover%27s_algorithm
    https://en.wikipedia.org/wiki/Shor%27s_algorithm
    ▪ Real quantum computers are still distant in the future
    ▪ Quantum computing will impact on the security of financial
    system and nuclear weapon, not just bitcoin
    ▪ Quantum resistant cryptography is being developed
    https://en.wikipedia.org/wiki/Post-quantum_cryptography
    © 2019 Digital Gold Institute 52/69

    View full-size slide

  53. Table of Contents
    1. Modular Arithmetic
    2. Algebra of Sets: Finite Field
    3. Elliptic Curves over Real Numbers
    4. Elliptic Curve over
    5. Asymmetric Cryptography on Elliptic Curves
    6. Digital Signature Protocol
    7. Elliptic Curve Digital Signature Algorithm
    © 2019 Digital Gold Institute 53/69

    View full-size slide

  54. Digital Signature Protocol
    ▪ Public-key algorithm + digital signature scheme
    ▪ Message is only authenticated, not encrypted
    Source: Pedro Franco, “Understanding Bitcoin”, Wiley
    © 2019 Digital Gold Institute 54/69

    View full-size slide

  55. Digital Signature Scheme
    1. KeyGeneration(entropy) → {q, Q}
    Usually KeyGeneration(entropy) → q, as q→Q is easy
    2. Sign(msg, q) → signature
    3. Verify(msg, Q, signature) → True/False
    ▪ The signed message has not been altered (integrity)
    ▪ Only someone with the private key q can create a valid
    signature (authentication)
    ▪ The signer cannot deny the message signature (non-
    repudiation)
    ▪ Everyone can verify using the public key Q
    © 2019 Digital Gold Institute 55/69

    View full-size slide

  56. Signing the Message Digest
    ▪ Problem: signature generation/verification is quite slow:
    message length can be a problem
    ▪ Solution: sign the hash digest of the message
    ℎ = ℎℎ ,
    whose length is independent from the message’s size
    ▪ This can also provides message confidentiality
    ▪ If the can take only few values (e.g. {tail, head}), it can be
    concealed using secret salt :
    sign ℎ = ℎℎ || , later reveal both and
    © 2019 Digital Gold Institute 56/69

    View full-size slide

  57. Digital Signature Process
    © 2019 Digital Gold Institute
    Message
    Hash Function
    Message Digest
    Signature
    Generation
    Private Key
    Public Key
    Signature
    Message
    Hash Function
    Message Digest
    Signature
    Verification
    Valid/Invalid
    Signature Generation Signature Verification
    57/69

    View full-size slide

  58. Digital Signature Algorithms
    ▪ RSA, the most widely used
    ▪ ElGamal signature. It has little use being computationally
    intensive and having large signature
    ▪ Schnorr signature: simplest scheme, the best one. Signing and
    verification are computationally efficient, signature is small.
    Limited usage because of US Patent 4,995,082 which finally
    expired in 2008
    ▪ Digital Signature Algorithm (DSA), quicker and smaller than
    RSA, designed to circumvent the Schnorr patent
    © 2019 Digital Gold Institute 58/69

    View full-size slide

  59. Table of Contents
    1. Modular Arithmetic
    2. Algebra of Sets: Finite Field
    3. Elliptic Curves over Real Numbers
    4. Elliptic Curve over
    5. Asymmetric Cryptography on Elliptic Curves
    6. Digital Signature Protocol
    7. Elliptic Curve Digital Signature Algorithm
    © 2019 Digital Gold Institute 59/69

    View full-size slide

  60. EC DSA: Sign Message
    1. Choose a nonce as secret ephemeral key
    0 < <
    2. = (
    ,
    ) =
    Point symmetry is usually resolved requiring
    to be odd, low, or quadratic residue; if not ← −.
    Bitcoin canonical 'low-s' encoding require (step 3) to be low.
    1. =
    mod
    2. = ℎ mod = ℎℎ mod
    3. = + −1 mod
    If = 0 or = 0 (extremely unlikely), then restart with a different
    The signature is (, ).
    must be secret: else = − −1mod
    © 2019 Digital Gold Institute 60/69

    View full-size slide

  61. EC DSA: Verify Signature
    Steps for the verification of (, ):
    1. = ℎ mod = ℎℎ mod
    2. = −1 mod
    3. = mod
    4. = mod
    5. , = +
    6. The signature is valid if = mod
    Roughly equivalent to:
    =
    +
    Unfortunately, −1 is unavoidable because cannot be recovered from =

    mod
    © 2019 Digital Gold Institute 61/69

    View full-size slide

  62. EC DSA: Correctness Proof
    =
    mod if = +
    1. = + from public key definition
    2. = +
    from signature verification [3] and [4]
    3. = +
    −1 from signature verification [2]
    4. = +
    +
    −1 from signature generation [5]
    5. =
    © 2019 Digital Gold Institute 62/69

    View full-size slide

  63. Ephemeral Key Used for Signing
    Reusing for different messages signed by the same
    = + −1 mod
    2
    = 2
    + −1 mod
    reveals both and :
    = Τ
    − 2
    − 2
    mod
    = − −1mod
    Sony PS3 hack: http://www.bbc.com/news/technology-12116051,
    Bitcoin Android Wallet 2013 hack: https://bitcoin.org/en/alert/2013-08-11-android
    Even slight biases in the generation of can reveal , after enough signatures
    must be a nonce, used only once per private key .
    Even better: avoid randomness at all and use instead a
    deterministic for each ℎ with salting (see RFC6979)
    = ℎℎ || mod
    © 2019 Digital Gold Institute 63/69

    View full-size slide

  64. EC DSA: Signature Malleability
    If (, ) is a valid signature, i.e. = mod
    then also (, − ) is a valid signature
    − =
    =
    +
    bitcoin canonical 'low-s' encoding solves this issue
    © 2019 Digital Gold Institute 64/69

    View full-size slide

  65. EC DSA: Public Key Recovery
    From the signature verification step 3, two implied public keys can
    be recovered:
    /
    = −1 (, /
    ) −
    © 2019 Digital Gold Institute 65/69

    View full-size slide

  66. EC DSA: Signature Forgery Attack
    An attacker can generate a -valid signature for a random
    message digest ℎ computed from a random signature (, )
    1. Pick , at will
    2. = +
    3. =
    mod
    4. = −1 mod
    5. ℎ = =
    Anyway, the attacker cannot control the semantics of the preimage
    message : a signature is relevant only for its , not ℎ
    © 2019 Digital Gold Institute 66/69

    View full-size slide

  67. Homework
    ▪ Calculate the Public key(s) from this valid DSA signature:
    # message m1 and its DSA signature {r, s}
    msg = "Paolo is afraid of ephemeral random numbers"
    r = 0xb94483fc4da2d9dd5de1b0999c38ac364c9d60bafe7c5151dade0c1b78cfcbf3
    S = 0x894ab8b28fd3400784aba4305b14d5afa5c623a6679ba9683c5ac2799b6edc6e
    ▪ A second DSA signature is computed in error using the same
    ephemeral key. Calculate the private key:
    # another message m2 and its DSA signature {r, s2}
    msg2 = "and Paolo is right to be afraid"
    r = 0xb94483fc4da2d9dd5de1b0999c38ac364c9d60bafe7c5151dade0c1b78cfcbf3
    s2 = 0x6f721ed1e10c4d41f52f7b5e5c1ed3f5359892695ea8410ccbc0a04038c12756
    © 2019 Digital Gold Institute
    See https://github.com/dginst/btclib/ec.py and https://github.com/dginst/btclib/dsa.py
    and/or https://colab.research.google.com/drive/1IxL0ecWxAI9lRXYdAXhDdg5BzsCW4MHd
    and/or see https://github.com/dginst/bbt/py-scripts/dsa_example.py (requires an installed btclib)
    67/69

    View full-size slide

  68. Bibliography
    ▪ Christof Paar and Jan Pelzl, “Understanding Cryptography”, Springer,
    chapter 8, 9, 10
    ▪ Pedro Franco, “Understanding Bitcoin”, Wiley, chapter 5
    ▪ Andreas Antonopoulos, “Mastering Bitcoin” 2nd edition, O'Reilly,
    chapter 4 (https://github.com/bitcoinbook/bitcoinbook)
    ▪ A. Narayanan et al., “Bitcoin and Cryptocurrencies Technologies”,
    Princeton, chapter 1
    ▪ Standards for Efficient Cryptography (SEC), (http://www.secg.org/)
    − Elliptic Curve Cryptography, (http://www.secg.org/sec1-v2.pdf)
    − Recommended Elliptic Curve Domain Parameters
    (http://www.secg.org/sec2-v2.pdf)
    ▪ NIST, Digital Signature Standard,
    (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf)
    © 2019 Digital Gold Institute 68/69

    View full-size slide

  69. Takeaways
    ▪ Elliptic curve multiplication = is the one-way function
    converting private key → public key
    − One way is easy because of doble and add
    − Reverse way is a hard discrete logarithm problem
    ▪ Digital signatures provide message integrity, authentication, and
    nonrepudiation
    ▪ Bitcoin’s transactions are signed using DSA
    ▪ DSA is malleable, susceptible to signature forgery
    ▪ Schnorr is technically superior: it has not been used so far
    because of patent
    ▪ Never reuse ephemeral key in signature
    © 2019 Digital Gold Institute 69/69

    View full-size slide

  70. Ferdinando M. Ametrano
    [email protected]
    Paolo Mazzocchi
    [email protected]
    www.github.com/dginst
    www.facebook.com/DigitalGoldInstitute
    www.twitter.com/DigitalGoldInst
    www.dgi.org/feed.xml
    [email protected]
    www.dgi.io
    www.linkedin.com/company/digital-gold-institute
    "Scarcity in the Digital Realm"

    View full-size slide

  71. Annex
    1. EC Computations
    2. Schnorr
    © 2019 Digital Gold Institute 71/69

    View full-size slide

  72. Double and Add Algorithm
    def mult(m, Q):
    if m == 0 or Q.y == 0: # Infinity point in affine coordinates
    return 1, 0 # return Infinity point
    if m % 2 == 1: # addition when m is odd
    return add(Q, mult(m - 1, Q))
    else: # doubling when m is even
    return mult(m//2, add(Q, Q))
    Easy… but recursive functions are not optimal…
    © 2019 Digital Gold Institute 72/69

    View full-size slide

  73. Double and Add Algorithm
    def mult(m, Q):
    if m == 0 or Q.y == 0: # Infinity point in affine coordinates
    return 1, 0 # return Infinity point
    R = 1, 0 # initialize as infinity point
    while m > 0: # use binary representation of m
    if m & 1: # if least significant bit is 1
    R = add(R, Q) # then add current Q
    m = m >> 1 # remove the bit just accounted for
    Q = add(Q, Q) # double Q for next step
    return R
    © 2019 Digital Gold Institute 73/69

    View full-size slide

  74. Annex
    1. EC Computations
    2. Schnorr
    © 2019 Digital Gold Institute 74/69

    View full-size slide

  75. Schnorr Identification Protocol
    ▪ A prover proves to a verifier the knowledge of the discrete
    logarithm of Q without revealing q
    ▪ Proof in zero knowledge: the verifier learns nothing about q
    from the proof (except the fact that the prover knows q)
    A Zero-Knowledge Proof (ZKP) requires 3 properties:
    1. Completeness: the proof convinces a honest verifier
    2. Zero-knowledgeness: the proof does not leak information, i.e.
    verifier can fake transcript
    3. Soundness: a proof can only be produced by a prover who
    knows the private key, i.e. the prover can fake knowledge only
    with negligible probability
    © 2019 Digital Gold Institute 75/69

    View full-size slide

  76. ▪ K
    ▪ Choose random c<|H|
    ▪ s (aka solution)
    ▪ K = sG+cQ
    Zero Knowledge Proof of Discrete Logarithm
    Prover
    ▪ Q = qG
    ▪ Choose random k<|G|
    ▪ kG = K
    ▪ c (aka challenge)
    ▪ s = k-c*q
    Verifier
    © 2019 Digital Gold Institute 76/69
    kG = K = sG+cQ = sG+cqG = (s+cq)G
    kG = (s+cq)G
    k = s+cq

    View full-size slide

  77. ▪ {K, s}; c = hash(K)
    ▪ K = sG+cQ
    Non-interactive Proof of Discrete Logarithm
    Schnorr Identification Protocol
    Prover
    ▪ Q = qG
    ▪ Choose random k<|G|
    ▪ kG = K
    ▪ c = hash(K)
    ▪ s = k-c*q
    Verifier
    © 2019 Digital Gold Institute 77/69
    kG = K = sG+cQ = sG+cqG = (s+cq)G
    kG = (s+cq)G
    k = s+cq

    View full-size slide

  78. ▪ {K, s}; c = hash(K||msg)
    ▪ K = sG+cQ
    Non-interactive Proof of Discrete Logarithm
    Schnorr Signature Algorithm
    Prover
    ▪ Q = qG
    ▪ Choose random k<|G|
    ▪ kG = K
    ▪ c = hash(K||msg)
    ▪ s = k-c*q
    Verifier
    © 2019 Digital Gold Institute 78/69
    kG = K = sG+cQ = sG+cqG = (s+cq)G
    kG = (s+cq)G
    k = s+cq

    View full-size slide

  79. ▪ {K, s}; c = hash(Q||K||msg)
    ▪ K = sG+cQ
    Non-interactive Proof of Discrete Logarithm
    Schnorr Signature Algorithm
    Prover
    ▪ Q = qG
    ▪ Choose random k<|G|
    ▪ kG = K
    ▪ c = hash(Q||K||msg)
    ▪ s = k-c*q
    Verifier
    © 2019 Digital Gold Institute 79/69
    kG = K = sG+cQ = sG+cqG = (s+cq)G
    kG = (s+cq)G
    k = s+cq

    View full-size slide

  80. EC Schnorr SA: Generation
    0. ℎ = ℎℎ()
    1. Choose a nonce as secret ephemeral key
    0 < <
    2. = (
    ,
    ) =
    Point symmetry is usually resolved requiring
    to be odd, low, or quadratic residue; if not ← −.
    In the bitcoin case
    must be a quadratic residue
    1. = ℎℎ
    ||||ℎ mod
    2. = − mod
    The ℎ signature is (, ), encodable as
    , when the
    simmetry is someway fixed.
    must be secret: else = − −1 mod
    © 2019 Digital Gold Institute 80/69

    View full-size slide

  81. EC Schnorr SA: Verification
    Steps for the verification of (
    , ):
    1. = ℎℎ
    ||||ℎ mod
    2. The signature is valid if − =

    © 2019 Digital Gold Institute 81/69

    View full-size slide

  82. EC Schnorr SA: Correctness Proof
    ▪ = −
    ▪ − = −
    ▪ − = −
    ▪ − = −
    © 2019 Digital Gold Institute 82/69

    View full-size slide

  83. Schnorr SA Properties
    ▪ If the discrete logarithm problem is hard, in the random oracle
    model there is a proof that Schnorr signature cannot be forged
    ▪ Intuitively, signature forgery attack is impossible because
    = ℎℎ
    ||||ℎ mod ,
    differently from DSA where = ℎ = ℎℎ mod
    ▪ There is no way to malleate the signature, as is fully specified
    (no y-coordinate ambiguity)
    ▪ Signature verification does not use modular inverse: fast
    ▪ Many {, ℎ, (
    , )} can be efficiently batch verified at once
    ▪ Signature verification is linear → additive signature: sum of
    signatures on the same ℎ is equivalent to single signature
    with sum of keys
    ▪ Easier multi-sig and threshold schemes
    © 2019 Digital Gold Institute 83/69

    View full-size slide

  84. Ephemeral Key Used for Signing
    For Schnorr too, reusing for different messages signed by the
    same reveals both and :
    1
    = − 1
    mod
    2
    = − 2
    mod
    = 1
    − 2
    2
    − 1
    −1 mod
    Even slight biases in the generation of can reveal , after enough signatures
    must be a nonce, used only once per private key .
    Even better: avoid randomness at all and use instead a
    deterministic for each ℎ with salting (see RFC6979)
    = ℎℎ ||ℎ mod
    © 2019 Digital Gold Institute 84/69

    View full-size slide

  85. Extra Homework
    Two Schnorr signatures are computed in error using the same
    ephemeral key. Calculate the private key:
    # 32-bytes message h1 and its SSA signature {K.x, s1}
    h1 = 0x9788fd27b3aafd1bd1591a1158ce2d8bdc37ab4040dddb64e64d17616e69ce2b
    r = 0x968cc26ddaeadb4a7c573a9f391cf78b955816b0b86a6700ae19a8ae19dc31cf
    s1 = 0x69c2022c2e1170b9b1ce9d4ccb6271e579800aa4d955ecf7ea183fb620e48322
    # another 32-bytes message h2 and its SSA signature {K.x, s2}
    h2 = 0x7adb91982ec03ef87efcae7f0199aefa231d8855e0bd03319460e58c0bd18049
    r = 0x968cc26ddaeadb4a7c573a9f391cf78b955816b0b86a6700ae19a8ae19dc31cf
    s2 = 0x52d9f94c2538ae4c2ee3fd23e34a3603d10652aef1f2ec5ee4327ec4ea532b6e
    © 2019 Digital Gold Institute
    See https://github.com/dginst/btclib/ec.py and https://github.com/dginst/btclib/ssa.py
    and/or see https://github.com/dginst/bbt/py-scripts/ssa_example.py (requires an installed btclib)
    85/69

    View full-size slide

  86. Bibliography
    ▪ BIP-Schnorr (Bitcoin Schnorr signature standardization)
    https://github.com/sipa/bips/blob/bip-schnorr/bip-
    schnorr.mediawiki
    © 2019 Digital Gold Institute 86/69

    View full-size slide