 안녕하세요, 여러분. 마지막 세션입니다. 두 번째는 아샤크릿입니다. 첫 번째는 QDSA, 스모 앤 시큐로 제타 시그너로 컵 베이스 디펫 링 키페어 입니다. 제... 제... 제... 제... 제... 제... 제... 제... 제... 제... 제... 감사합니다. 두 번째는 액Bu delivery 입니다.iro is not... Seok sins being... Seok sins being... tteokbokki... 무슨 일이� przyp CRISTO?�� birwoman 네. 오, 아, 나요. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 네. 두가 main, down, sides, one, two, and two have sides. The first is using these two distinct objects from an implementation perspective is not ideal. So these rely on different algorithms to scale the multiplication. So maybe the best example is you have curve 25519 for nifty how long and you add to 25519 for your eds, these algorithms. 다른 도전, 다른 도전, 다른 도전의 도전을 해야되기 때문에 모든 것이 To get a signature scheme, you'd have an edge coordinate plus a sign bit. You need to encode a fool of a dicker point somehow. The second point was actually solved, which is quite straightforward. Exit dsa. Instead of using a fool point as your public key, you use only an edge coordinate, and then you somehow deterministically retrieve a point from that. As you just take sign bit zero always, for example. You get a point, and you use that for your signature scheme. 두 번째는 우리의 작업을 하고 싶습니다. 그래서 오픈기술을 사용하는 것들은 그룹structure가 필요합니다. 다른 프로듀서가 필요합니다. QDSA가 필요합니다. 그 프로듀서가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 QDSA가 필요한 것들은 두 third of our paper is about this June's two case, but now we'll focus on the elliptic case. Most things are analog and much easier to explain there. Okay, so a bit of a reminder on the Schumer arithmetic. So this is the basic setup of an elliptic curve. We have this nice picture over the real numbers. So these points form a group, so they have some group operation, which we write additively usually. We try to work these formulas out explicitly, but you see maybe you end up with some divisions by zeros sometimes, so you can differentiate between doublings and additions. So you think of it as two operations, so doubling and additions. And you can easily combine this, which is just a kind of scalar multiplication routine. So that's a double and add algorithm or something. Now if we want to do something similar on the Kuhmer line, so the Kuhmer line would be the exportance of the points on the elliptic curve. So you can project to this line. And what we want to do is we want to define similar operations on this line as opposed to on the elliptic curve. And the way we do this, we just abuse these pre-images that we have. So as long as these points are not like quarter two or at infinity, we'll have two pre-images. And for the doubling operation, for example, we can just double these two pre-images and project them to this X line. And then we can define the doubling operation on the line, by just sending this green point to the image of the doubling of the pre-images. Now it's just orange point on the line here. So we get a well-defined doubling operation there. And for addition, we can do something similar. So now we take two points on this line and we want to somehow add them together. We just look at the pre-images and we take all possible sums of these two points. And we project all of these to the X lines when we end up now with our two points. And these two points are the exportance of the sum and the difference of our two original points. But we cannot really distinguish between them. So we don't know which is which. So we've got kind of a pseudo-addition operation where given two points, we can get their sum and difference, but we cannot distinguish between the two. And this is maybe in a more familiar form. This is where the differential additions come from. So if you're given one of the two, so you're either given the sum or the difference, you're going to, of course, compute another one by just eliminating it. But it's this first operation which we'll use to define our signature scheme. So how do we define signatures from this? Well, the starting point is well, the classic snore signature. So the snore signature is kind of built up in a couple of steps. You start by defining a snore identification scheme, which is like a zero-mullage, an interactive zero-mullage proof. Based on a group, then you apply if it's a mere to make it non-interactive and you include some message somewhere and you can pick up a bit. With a signature scheme. So we just looked at this first part. So we tried to alter this identification scheme to get rid of the group structure there and just make it rely on a kuma variety instead. So how does snore identification work? Quick reminder. So it works in a group. So we have two points, a P and Q, to which both the prover and the verifier have access. And the prover also knows the discrete law of Q with the correct keys, that's this alpha. And in this protocol, the prover tries to prove knowledge of alpha without revealing anything about it. So the way it works, prover picks some scalar r, does a scalar multiplication with respect to the base point, gets some large r, sends that over. The verifier chooses some random challenge c, sends that back to the prover. And then the prover takes some combination of all the scalars in the ass. So r, c, and alpha, this is called s and s gets sent back to the verifier. And now this is the crucial bit. So now the verifier has to do this double scalar multiplication. So it has to be s times p plus c times q and checks whether it is equal to r. And if it does, the verifier believes that the prover knows alpha without revealing anything about alpha. All right. Almost like a trauma. Right, so here we want to get rid of this group structure. So instead, we only take export and let's just stay in the genus one round. So instead of having p and q, we only have access to their export. So x and p and x and q. And the protocol doesn't change that much. So the first part, the scalar multiplication was first done in the full group. But we still have a well-defined scalar multiplication in the Kuhmer line, just using the more proper manner. So using doublings and differential additions. It's a second operation which is a little more tricky. So as a first idea, you can think, well, we have r we can just project it to its export nets and we can take the sum and project it to the export net. But this doesn't work of course, because the verifier doesn't have access to p and q. So it cannot actually explicitly compute s times p plus c times q. So what it can do is it can compute either the sum or the difference of s times p or nc times q. So instead, we can verify whether the x coordinate of r is the x coordinate of y there. It's somewhere in different ways in things. And for this we need exactly this operation which I talked about before. So it's kind of pseudo addition which gives you either the sum or the difference. And this way you can, this way we define the identification part. But it's quite a small change through the original snore signature and it proved therefore it's also pretty analog. So now we want a signature scheme. So we take this qid identification scheme which is the snore identification analog. We apply it to the smear and we get a signature scheme which we call qc. So this is kind of the Kumar analog snore signatures. And now we do some more changes which are similar to what Ed BSA does the snore signature. So for example, we include public keys in some ashes against multi-target attacks and we make the nonce generation deterministic. So we use a hash function instead of random degenerating this. And this way we end up in a scheme called qdSA. So I want to make some remarks about this. So the first one I said is earlier the security proof is essentially the same. So you use two bits of security definitely. One for going down to the kuma variety. So you lose a sign there. And you lose another bits by only checking whether there's some or the difference. You're checking whether something's equal to some or the difference. So you lose another bit there. But you can see that you don't really use more at least in the simplest proof. So maybe the main benefit or a benefit is that the key pairs are now actually identical. So in theory you can take your curve to type of 19 key pair and you can sign a message with it. In practice you probably want to use different key pairs for different protocols for security reasons. But there's nothing theoretical blocking you do there. So keys are 32 bytes. Signature are 64 bytes. It's the same size as the original snore signatures. Egenius 2 you have to work a bit for this. So there are public keys for originally 48 bytes. But we did some compression algorithm to bring this down to 32 bytes. Which is not expensive. So maybe the main downside is that verification slows down a little. So originally we had a two dimensional scalable application there. s times p plus c times q. So you can apply all kinds of optimized algorithms which are faster than doing two stable applications separately. But for our algorithm this is not possible anymore. So you have to really do these two stable applications separately which will probably slow you down. Yeah so another remark I want to make is this kind of in response to responses we got on our paper. So we are giving a theoretical protocol which shows that you can do these signatures using kumars. Of course we are not claiming that somebody did some reference code some c code which you can run on many platforms. But if you want to run this in a context where you care about side channels so you want to run this on some embedded system of course you're going to want to add extra counter measures as well. We're not claiming that just running the textbook protocol is going to make you secure against every possible attack out there. But luckily all these counter measures that apply to the curve also apply to us in most cases. Okay so I want to make some remark on how actually to compute these things so I will look at the Montgomery curves which are kind of a good candidate for this. And the main operation we get sort of undefined is this taking two points and doing a pseudo addition so getting the sum or the difference. And since we can embed this into P1 on like the projected line we can represent all these points with two field elements so label them x1 z1 up to x4 z4. And now we have some operations which are very well known. Maybe they aren't always written in this way but since we have two bichordratic forms so B00 and B11 they're bichordratic in the coordinates of the input points so they're bichordratic in x1 and z1 and bichordratic in x2 and z2. And these define two relations between the sum and the difference mainly x4 is equal to some bichordratic form and z3 times z4 is also equal to some bichordratic form. And you can easily see that if you know x3 and z3 you can kind of divide out by these and you get some kind of xad operation assuming that things don't vanish. So an issue is that things do vanish so sometimes things become zero and in that case you need a third relation which is kind of hidden usually but you can use this relation to define some x double operation so then this gives you this ladder. And if you rewrite this a little you get some kind of matrix identity. So this is a projective identity so up to some simultaneous scalar these things are equal. And now if you look at the first column so the first row kind of the top left part says x3 times x4 and the second row of the first column is projectively it says x3 plus x4. So there's a relation between the product and the sum of the x4 and it's up to sum and difference. So what this defines essentially is some quadratic equation for which the coefficients are exactly this bi quadratic forms which I defined earlier. So now if we want to find x3 and z3 and x4 and z4 we simply have to compute these three bi quadratic forms and we can solve this quadratic equation. And since it's quadratic equation over some fields it likes to have exactly two solutions and these solutions will be the sum and the difference. So this would require computing square roots but in our identification scheme we don't have to explicitly compute these things we are given a point and we have to check whether it's the sum or the difference. So all we have to do is evaluate it evaluate this quadratic equation x to the point that we are given and then it will tell us whether it's the sum or the difference. Which is, yeah. So this matrix identity here is its identity of two by two matrices whereas this which leads essentially to this one quadratic equation if we move the gene is two this two by two matrix becomes four by four matrix and now every off diagonal bi quadratic form so this matrix is completely symmetric so we have ten bi quadratic forms in a four by four matrix then and every off diagonal which they are six is kind of defined in exactly one quadratic equation in this case and so instead of having to check one we have to check six but if all those six vanished we still end up with either some or the difference in that case. So computationally this is actually quite cheap so in genus one if you look at the cost for verification you do two separate state of multiplication so one state of multiplication or one ladder routine costs like two and a half thousand multiplications so two of these just kind of cost you five thousand multiplications so and then to compute these bi quadratic forms and evaluate this quadratic cost you 12 multiplications so here m means full multiplications s means squaring and c means multiplication by constant and in genus two your state of multiplication requires like eight thousand multiplications so you need sixteen thousand for the two of these we actually need about 180 to do this verification routine so these costs are quite negligible in a full scheme of things correct we still have time yes yeah so we implemented this in c and we ran this on some small platforms so one of them was the avr and mega that's the only one I'll talk about here so we instantiated this with square root of 5.19 kind of a popular curve out there and you can see if you compare this to an x to 5.19 the implementation out there which I mentioned it all actually signing speeds up and you need much less stack but if you compare this to 4q which is a very recent implementation by Liudal they're signing is much faster this is because they use all kind of fixed based fixed based data multiplication routine which allows them to speed up a lot but this comes at the cost well first of all at the cost of a lot of stacks a lot of memory during the algorithm but moreover I didn't want to plot it in a graph because it's kind of hard to compare but their implementations are much larger so they use their code set code bases are much larger because they have to implement many different things so really what we're going for here is very simple to implement small algorithm yeah we compare to verification we are still much better at 2.5.9t make a break at 4q we are getting slower so we well more than twice as slow I guess but we use much less stack space so much less memory yeah so finally you can look at the genes 2 case as well there's not much to compare to we did an implementation last year by kind of using the decoding they were covering to it and then moving back so there you see that the signing speak wise is quite similar but again memory wise we save a lot and also that the implementation is again a bit smaller for verification you see what you'd expect so verification a little bit slower but much more memory efficient Any questions? So you described the protocol the ID protocol is the Schnorr signature but it's really ECDSA I mean Schnorr signature hashes this value right and checks the hash value rather than checking the quality of points well yeah I think they're all kind of variants I think the original Snorr paper doesn't do the hash but also introduces a version which does the hash but with the hash you can reduce the signature size so you can make the signature shorter by checking hash value instead of checking yes so that wouldn't actually work in our case yeah exactly you can't do it yes so we get rid of this hash yeah but yeah so Any other questions or comments? okay thanks again