Advances in Cryptology – ASIACRYPT 2017: 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part II
Tsuyoshi Takagi
Tsuyoshi Takagi
Thomas Peyrin (Eds.)
LNCS 10625

Advances in Cryptology – ASIACRYPT 2017
23rd International Conference on the Theory and Applications of Cryptology and Information Security
Hong Kong, China, December 3–7, 2017, Proceedings, Part II
Lecture Notes in Computer Science 10625
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Tsuyoshi Takagi and Thomas Peyrin (Eds.)

Advances in Cryptology – ASIACRYPT 2017
23rd International Conference on the Theory and Applications of Cryptology and Information Security
Hong Kong, China, December 3–7, 2017
Proceedings, Part II

Editors
Tsuyoshi Takagi
The University of Tokyo
Tokyo, Japan

Thomas Peyrin
Nanyang Technological University
Singapore

ISSN 0302-9743 ISSN 1611-3349 (electronic)


Lecture Notes in Computer Science
ISBN 978-3-319-70696-2 ISBN 978-3-319-70697-9 (eBook)
https://doi.org/10.1007/978-3-319-70697-9

Library of Congress Control Number: 2017957984

LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2017


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by Springer Nature


The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

ASIACRYPT 2017, the 23rd Annual International Conference on Theory and Application of Cryptology and Information Security, was held in Hong Kong, SAR China, during December 3–7, 2017.
The conference focused on all technical aspects of cryptology, and was sponsored by the International Association for Cryptologic Research (IACR).
ASIACRYPT 2017 received 243 submissions from all over the world. The Program Committee selected 67 papers (of which two were merged) for publication in the proceedings of this conference. The review process followed the usual double-blind peer review by the Program Committee, consisting of 48 leading experts of the field. Each submission was reviewed by at least three reviewers, and five reviewers were assigned to submissions co-authored by Program Committee members. This year, the conference operated a two-round review system with a rebuttal phase. In the first-round review the Program Committee selected the 146 submissions that were considered of value for proceeding to the second round. In the second-round review the Program Committee further reviewed the submissions by taking into account the rebuttal letters from the authors. The whole selection process was assisted by 334 external reviewers. These three-volume proceedings contain the revised versions of the papers that were selected. The revised versions were not reviewed again and the authors are responsible for their contents.
The program of ASIACRYPT 2017 featured three excellent invited talks. Dustin Moody gave a talk entitled “The Ship Has Sailed: The NIST Post-Quantum Cryptography ‘Competition’,” Wang Huaxiong spoke on “Combinatorics in Information-Theoretic Cryptography,” and Pascal Paillier gave a third talk. The conference also featured a traditional rump session that contained short presentations on the latest research results of the field. The Program Committee selected the work “Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems” by Steven D. Galbraith, Christophe Petit, and Javier Silva for the Best Paper Award of ASIACRYPT 2017. Two more papers, “Kummer for Genus One over Prime Order Fields” by Sabyasachi Karati and Palash Sarkar, and “A Subversion-Resistant SNARK” by Behzad Abdolmaleki, Karim Baghery, Helger Lipmaa, and Michał Zając, were solicited to submit the full versions to the Journal of Cryptology. The program chairs selected Takahiro Matsuda and Bart Mennink for the Best PC Member Award.
Many people have contributed to the success of ASIACRYPT 2017. We would like to thank the authors for submitting their research results to the conference. We are very grateful to all of the Program Committee members as well as the external reviewers for their fruitful comments and discussions on their areas of expertise. We are greatly indebted to Duncan Wong and Siu Ming Yiu, the general co-chairs, for their efforts and overall organization. We would also like to thank Allen Au, Catherine Chan, Sherman S.M. Chow, Lucas Hui, Zoe Jiang, Xuan Wang, and Jun Zhang, the local Organizing Committee, for their continuous support. We thank Duncan Wong and Siu Ming Yiu for expertly organizing and chairing the rump session.
Finally, we thank Shai Halevi for letting us use his nice software for supporting all the paper submission and review process. We also thank Alfred Hofmann, Anna Kramer, and their colleagues for handling the editorial process of the proceedings published at Springer LNCS.

December 2017
Tsuyoshi Takagi
Thomas Peyrin
ASIACRYPT 2017

The 23rd Annual International Conference on Theory and Application of Cryptology and Information Security

Sponsored by the International Association for Cryptologic Research (IACR)

December 3–7, 2017, Hong Kong, SAR China

General Co-chairs
Duncan Wong CryptoBLK Limited
Siu Ming Yiu The University of Hong Kong, SAR China

Program Co-chairs
Tsuyoshi Takagi University of Tokyo, Japan
Thomas Peyrin Nanyang Technological University, Singapore

Program Committee
Shweta Agrawal IIT Madras, India
Céline Blondeau Aalto University, Finland
Joppe W. Bos NXP Semiconductors, Belgium
Chris Brzuska TU Hamburg, Germany
Jie Chen East China Normal University, China
Sherman S.M. Chow The Chinese University of Hong Kong, SAR China
Kai-Min Chung Academia Sinica, Taiwan
Nico Döttling University of California, Berkeley, USA
Thomas Eisenbarth Worcester Polytechnic Institute, USA
Dario Fiore IMDEA Software Institute, Madrid, Spain
Georg Fuchsbauer Inria and ENS, France
Steven Galbraith Auckland University, New Zealand
Jian Guo Nanyang Technological University, Singapore
Viet Tung Hoang Florida State University, USA
Jérémy Jean ANSSI, France
Jooyoung Lee KAIST, South Korea
Dongdai Lin Chinese Academy of Sciences, China
Feng-Hao Liu Florida Atlantic University, USA
Stefan Mangard Graz University of Technology, Austria
Takahiro Matsuda AIST, Japan
Alexander May Ruhr University Bochum, Germany
Bart Mennink Radboud University, The Netherlands

Amir Moradi Ruhr University Bochum, Germany


Pratyay Mukherjee Visa Research, USA
Mridul Nandi Indian Statistical Institute, India
Khoa Nguyen Nanyang Technological University, Singapore
Miyako Ohkubo NICT, Japan
Tatsuaki Okamoto NTT Secure Platform Laboratories, Japan
Arpita Patra Indian Institute of Science, India
Bart Preneel KU Leuven, Belgium
Matthieu Rivain CryptoExperts, France
Reihaneh Safavi-Naini University of Calgary, Canada
Yu Sasaki NTT Secure Platform Laboratories, Japan
Peter Schwabe Radboud University, The Netherlands
Fang Song Portland State University, USA
Francois-Xavier Standaert UCL, Belgium
Damien Stehlé ENS Lyon, France
Ron Steinfeld Monash University, Australia
Rainer Steinwandt Florida Atlantic University, USA
Mehdi Tibouchi NTT Secure Platform Laboratories, Japan
Dominique Unruh University of Tartu, Estonia
Gilles Van Assche STMicroelectronics, Belgium
Serge Vaudenay EPFL, Switzerland
Ingrid Verbauwhede KU Leuven, Belgium
Ivan Visconti University of Salerno, Italy
Lei Wang Shanghai Jiaotong University, China
Meiqin Wang Shandong University, China
Jiang Zhang State Key Laboratory of Cryptology, China

Additional Reviewers

Masayuki Abe, Arash Afshar, Divesh Aggarwal, Shashank Agrawal, Ahmad Ahmadi, Mamun Akand, Gorjan Alagic, Joel Alwen, Abdelrahaman Aly, Miguel Ambrona, Elena Andreeva, Diego Aranha, Nuttapong Attrapadung, Sepideh Avizheh, Saikrishna Badrinarayanan, Shi Bai, Fatih Balli, Subhadeep Banik, Zhenzhen Bao, Hridam Basu, Alberto Batistello, Balthazar Bauer, Carsten Baum, Georg T. Becker, Christof Beierle, Sonia Belaïd, Fabrice Benhamouda, Francesco Berti, Guido Bertoni, Sanjay Bhattacherjee, Jean-Francois Biasse, Begül Bilgin, Olivier Blazy, Johannes Bloemer, Sonia Mihaela Bogos, Sasha Boldyreva, Charlotte Bonte, Raphael Bost, Leif Both, Florian Bourse, Sébastien Canard, Brent Carmer, Wouter Castryck, Dario Catalano, Gizem Çetin, Avik Chakraborti, Nishanth Chandran,

Melissa Chase, Binyi Chen, Cong Chen, Long Chen, Yi-Hsiu Chen, Yu Chen, Yu-Chi Chen, Nai-Hui Chia, Gwangbae Choi, Wutichai Chongchitmate, Chi-Ning Chou, Ashish Choudhury, Chitchanok Chuengsatiansup, Hao Chung, Michele Ciampi, Thomas De Cnudde, Katriel Cohn-Gordon, Henry Corrigan-Gibbs, Craig Costello, Geoffroy Couteau, Eric Crockett, Tingting Cui, Edouard Cuvelier, Joan Daemen, Wei Dai, Pratish Datta, Bernardo David, Marguerite Delcourt, Jeroen Delvaux, Yi Deng, David Derler, Julien Devigne, Claus Diem, Christoph Dobraunig, Yarkin Doroz, Léo Ducas, Dung H. Duong, Ratna Dutta, Stefan Dziembowski, Maria Eichlseder, Muhammed Esgin, Thomas Espitau, Xiong Fan, Antonio Faonio, Sebastian Faust, Björn Fay, Serge Fehr, Luca De Feo, Nils Fleischhacker, Jean-Pierre Flori, Tore Kasper Frederiksen, Thomas Fuhr, Marc Fyrbiak, Tommaso Gagliardoni, Chaya Ganesh, Flavio Garcia, Pierrick Gaudry, Rémi Géraud, Satrajit Ghosh, Irene Giacomelli, Benedikt Gierlichs, Junqing Gong, Louis Goubin, Alex Grilo, Hannes Gross, Vincent Grosso, Chun Guo, Hui Guo, Helene Haagh, Patrick Haddad, Harry Halpin, Shuai Han, Yoshikazu Hanatani, Jens Hermans, Gottfried Herold, Julia Hesse, Felix Heuer, Minki Hhan, Fumitaka Hoshino, Yin-Hsun Huang, Zhenyu Huang, Andreas Hülsing, Jung Yeon Hwang, Ilia Iliashenko, Mehmet Inci, Vincenzo Iovino, Ai Ishida, Takanori Isobe, Tetsu Iwata, Malika Izabachène, Michael Jacobson, Abhishek Jain, David Jao, Zhengfeng Ji, Dingding Jia, Shaoquan Jiang, Anthony Journault, Jean-Gabriel Kammerer, Sabyasachi Karati, Handan Kilinç, Dongwoo Kim, Jihye Kim, Jon-Lark Kim, Sam Kim, Taechan Kim, Elena Kirshanova, Ágnes Kiss, Fuyuki Kitagawa, Susumu Kiyoshima, Thorsten Kleinjung, Miroslav Knezevic, Alexander Koch, François Koeune, Konrad Kohbrok, Lisa Kohl, Ilan Komargodski, Yashvanth Kondi, Robert Kuebler, Frédéric Lafitte, Ching-Yi Lai, Russell W.F. Lai, Adeline Langlois, Gregor Leander, Changmin Lee, Hyung Tae Lee, Iraklis Leontiadis, Tancrède Lepoint, Debbie Leung, Yongqiang Li, Jyun-Jie Liao, Benoit Libert, Fuchun Lin, Wei-Kai Lin, Patrick Longa,

Julian Loss, Steve Lu, Xianhui Lu, Atul Luykx, Chang Lv, Vadim Lyubashevsky, Monosij Maitra, Mary Maller, Giorgia Azzurra Marson, Marco Martinoli, Daniel Masny, Sarah Meiklejohn, Peihan Miao, Michele Minelli, Takaaki Mizuki, Ahmad Moghimi, Payman Mohassel, Maria Chiara Molteni, Seyyed Amir Mortazavi, Fabrice Mouhartem, Köksal Mus, Michael Naehrig, Ryo Nishimaki, Anca Nitulescu, Luca Nizzardo, Koji Nuida, Kaisa Nyberg, Adam O’Neill, Tobias Oder, Olya Ohrimenko, Emmanuela Orsini, Elisabeth Oswald, Elena Pagnin, Pascal Paillier, Jiaxin Pan, Alain Passelègue, Sikhar Patranabis, Roel Peeters, Chris Peikert, Alice Pellet-Mary, Ludovic Perret, Peter Pessl, Thomas Peters, Christophe Petit, Duong Hieu Phan, Antigoni Polychroniadou, Romain Poussier, Ali Poustindouz, Emmanuel Prouff, Kexin Qiao, Baodong Qin, Sebastian Ramacher, Somindu C. Ramanna, Shahram Rasoolzadeh, Divya Ravi, Francesco Regazzoni, Jean-René Reinhard, Ling Ren, Joost Renes, Oscar Reparaz, Joost Rijneveld, Damien Robert, Jérémie Roland, Arnab Roy, Sujoy Sinha Roy, Vladimir Rozic, Joeri de Ruiter, Yusuke Sakai, Amin Sakzad, Simona Samardjiska, Olivier Sanders, Pascal Sasdrich, Alessandra Scafuro, John Schanck, Tobias Schneider, Jacob Schuldt, Gil Segev, Okan Seker, Binanda Sengupta, Sourav Sengupta, Jae Hong Seo, Masoumeh Shafienejad, Setareh Sharifian, Sina Shiehian, Kazumasa Shinagawa, Dave Singelée, Shashank Singh, Javier Silva, Luisa Siniscalchi, Daniel Slamanig, Benjamin Smith, Ling Song, Pratik Soni, Koutarou Suzuki, Alan Szepieniec, Björn Tackmann, Mostafa Taha, Raymond K.H. Tai, Katsuyuki Takashima, Atsushi Takayasu, Benjamin Hong Meng Tan, Qiang Tang, Yan Bo Ti, Yosuke Todo, Ni Trieu, Roberto Trifiletti, Thomas Unterluggauer, John van de Wetering, Muthuramakrishnan Venkitasubramaniam, Daniele Venturi, Dhinakaran Vinayagamurthy, Vanessa Vitse, Damian Vizár, Satyanarayana Vusirikala, Sebastian Wallat, Alexandre Wallet, Haoyang Wang, Minqian Wang, Wenhao Wang, Xiuhua Wang, Yuyu Wang, Felix Wegener, Puwen Wei, Weiqiang Wen, Mario Werner, Benjamin Wesolowski, Baofeng Wu, David Wu, Keita Xagawa, Zejun Xiang, Chengbo Xu, Shota Yamada, Kan Yang, Kang Yang, Kan Yasuda,

Donggeon Yhee, Kazuki Yoneyama, Kisoon Yoon, Yu Yu, Zuoxia Yu, Henry Yuen, Aaram Yun, Mahdi Zamani, Greg Zaverucha, Cong Zhang, Jie Zhang, Kai Zhang, Ren Zhang, Wentao Zhang, Yongjun Zhao, Yuqing Zhu

Local Organizing Committee


Co-chairs
Duncan Wong CryptoBLK Limited
Siu Ming Yiu The University of Hong Kong, SAR China

Members
Lucas Hui (Chair) The University of Hong Kong, SAR China
Catherine Chan (Manager) The University of Hong Kong, SAR China
Jun Zhang The University of Hong Kong, SAR China
Xuan Wang Harbin Institute of Technology, Shenzhen, China
Zoe Jiang Harbin Institute of Technology, Shenzhen, China
Allen Au The Hong Kong Polytechnic University, SAR China
Sherman S.M. Chow The Chinese University of Hong Kong, SAR China
Invited Speakers
The Ship Has Sailed: the NIST Post-quantum Cryptography “Competition”

Dustin Moody

Computer Security Division, National Institute of Standards and Technology

Abstract. In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will compromise the security of many commonly used cryptographic algorithms. In particular, quantum computers would completely break many public-key cryptosystems, including those standardized by NIST and other standards organizations.
Due to this concern, many researchers have begun to investigate post-quantum cryptography (also called quantum-resistant cryptography). The goal of this research is to develop cryptographic algorithms that would be secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. A significant effort will be required to develop, standardize, and deploy new post-quantum algorithms. In addition, this transition needs to take place well before any large-scale quantum computers are built, so that any information that is later compromised by quantum cryptanalysis is no longer sensitive when that compromise occurs.
NIST has taken several steps in response to this potential threat. In 2015, NIST held a public workshop and later published NISTIR 8105, Report on Post-Quantum Cryptography, which shares NIST’s understanding of the status of quantum computing and post-quantum cryptography. NIST also decided to develop additional public-key cryptographic algorithms through a public standardization process, similar to the development processes for the hash function SHA-3 and the Advanced Encryption Standard (AES). To begin the process, NIST issued a detailed set of minimum acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms, available at http://www.nist.gov/pqcrypto. The deadline for algorithms to be submitted was November 30, 2017.
In this talk, I will share the rationale on the major decisions NIST has made, such as excluding hybrid and (stateful) hash-based signature schemes. I will also talk about some open research questions and their potential impact on the standardization effort, in addition to some of the practical issues that arose while creating the API. Finally, I will give some preliminary information about the submitted algorithms, and discuss what we’ve learned during the first part of the standardization process.
Combinatorics in Information-Theoretic Cryptography

Huaxiong Wang

School of Physical and Mathematical Sciences,


Nanyang Technological University, Singapore
hxwang@ntu.edu.sg

Abstract. Information-theoretic cryptography is an area that studies cryptographic functionalities whose security does not rely on hardness assumptions from the computational intractability of mathematical problems. It covers a wide range of cryptographic research topics such as the one-time pad, authentication codes, secret sharing schemes, secure multiparty computation, private information retrieval and post-quantum security, just to mention a few. Moreover, many areas in complexity-based cryptography are well known to benefit or stem from information-theoretic methods. On the other hand, combinatorics has been playing an active role in cryptography; for example, the hardness of Hamiltonian cycle existence in graph theory is used to design zero-knowledge proofs. In this talk, I will focus on the connections between combinatorics and information-theoretic cryptography. After a brief (incomplete) overview of their various connections, I will present a few concrete examples to illustrate how combinatorial objects and techniques are applied to the constructions and characterizations of information-theoretic schemes. Specifically, I will show
1. how perfect hash families and cover-free families lead to better performance in certain secret sharing schemes;
2. how graph colouring from planar graphs is used in constructing secure multiparty computation protocols over non-abelian groups;
3. how regular intersecting families are applied to the constructions of private information retrieval schemes.

Part of this research was funded by Singapore Ministry of Education under Research Grant
MOE2016-T2-2-014(S).
Contents – Part II

Asiacrypt 2017 Award Paper I

Kummer for Genus One over Prime Order Fields . . . 3
Sabyasachi Karati and Palash Sarkar

Pairing-based Protocols

ABE with Tag Made Easy: Concise Framework and New Instantiations in Prime-Order Groups . . . 35
Jie Chen and Junqing Gong

Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups . . . 66
Essam Ghadafi and Jens Groth

An Efficient Pairing-Based Shuffle Argument . . . 97
Prastudy Fauzi, Helger Lipmaa, Janno Siim, and Michał Zając

Efficient Ring Signatures in the Standard Model . . . 128
Giulio Malavolta and Dominique Schröder

Quantum Algorithms

Grover Meets Simon – Quantumly Attacking the FX-construction . . . 161
Gregor Leander and Alexander May

Quantum Multicollision-Finding Algorithm . . . 179
Akinori Hosoyamada, Yu Sasaki, and Keita Xagawa

An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography . . . 211
André Chailloux, María Naya-Plasencia, and André Schrottenloher

Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms . . . 241
Martin Roetteler, Michael Naehrig, Krysta M. Svore, and Kristin Lauter

Elliptic Curves

qDSA: Small and Secure Digital Signatures with Curve-Based Diffie–Hellman Key Pairs . . . 273
Joost Renes and Benjamin Smith

A Simple and Compact Algorithm for SIDH with Arbitrary Degree Isogenies . . . 303
Craig Costello and Huseyin Hisil

Faster Algorithms for Isogeny Problems Using Torsion Point Images . . . 330
Christophe Petit

Block Chains

Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space . . . 357
Hamza Abusalah, Joël Alwen, Bram Cohen, Danylo Khilko, Krzysztof Pietrzak, and Leonid Reyzin

The Sleepy Model of Consensus . . . 380
Rafael Pass and Elaine Shi

Instantaneous Decentralized Poker . . . 410
Iddo Bentov, Ranjit Kumaresan, and Andrew Miller

Multi-party Protocols

More Efficient Universal Circuit Constructions . . . 443
Daniel Günther, Ágnes Kiss, and Thomas Schneider

Efficient Scalable Constant-Round MPC via Garbled Circuits . . . 471
Aner Ben-Efraim, Yehuda Lindell, and Eran Omri

Overlaying Conditional Circuit Clauses for Secure Computation . . . 499
W. Sean Kennedy, Vladimir Kolesnikov, and Gordon Wilfong

JIMU: Faster LEGO-Based Secure Computation Using Additive Homomorphic Hashes . . . 529
Ruiyu Zhu and Yan Huang

Operating Modes Security Proofs

Analyzing Multi-key Security Degradation . . . 575
Atul Luykx, Bart Mennink, and Kenneth G. Paterson

Full-State Keyed Duplex with Built-In Multi-user Support . . . 606
Joan Daemen, Bart Mennink, and Gilles Van Assche

Improved Security for OCB3 . . . 638
Ritam Bhaumik and Mridul Nandi

The Iterated Random Function Problem . . . 667
Ritam Bhaumik, Nilanjan Datta, Avijit Dutta, Nicky Mouha, and Mridul Nandi

Author Index . . . 699


Asiacrypt 2017 Award Paper I
Kummer for Genus One over Prime Order Fields

Sabyasachi Karati (1, corresponding author) and Palash Sarkar (2)

1 iCIS Lab, Department of Computer Science, University of Calgary, Calgary, Canada, sabyasachi.karati@ucalgary.ca
2 Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata 700108, India, palash@isical.ac.in

Abstract. This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz in 2009 had suggested the use of the associated Kummer line to speed up scalar multiplication. In this work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as K1 := KL2519(81, 20), K2 := KL25519(82, 77) and K3 := KL2663(260, 139) over the three primes 2^251 − 9, 2^255 − 19 and 2^266 − 3 respectively. Implementations of scalar multiplications for all the three Kummer lines using Intel intrinsics have been done and the code is publicly available. Timing results on the recent Skylake and the earlier Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for K1 and K2 are faster than those achieved by Sandy2x, which is a highly optimised SIMD implementation in assembly of the well known Curve25519; for example, on Skylake, variable base scalar multiplication on K1 is faster than Curve25519 by about 25%. On Skylake, both fixed base and variable base scalar multiplication for K3 are faster than Sandy2x; whereas on Haswell, fixed base scalar multiplication for K3 is faster than Sandy2x while variable base scalar multiplication for both K3 and Sandy2x take roughly the same time. In fact, on Skylake, K3 is both faster and also offers about 5 bits of higher security compared to Curve25519. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation.

Keywords: Elliptic curve cryptography · Kummer line · Montgomery curve · Scalar multiplication
S. Karati—Part of the work was done while the author was a post-doctoral fellow at the Turing Laboratory of the Indian Statistical Institute.
Part supported by Alberta Innovates in the Province of Alberta, Canada.
© International Association for Cryptologic Research 2017
T. Takagi and T. Peyrin (Eds.): ASIACRYPT 2017, Part II, LNCS 10625, pp. 3–32, 2017.
https://doi.org/10.1007/978-3-319-70697-9_1
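The abstract refers to the ladder step that the Kummer-line scalar multiplication is built on, and the introduction below explains its shape: one step per scalar bit, each step a doubling plus a differential addition regardless of the bit value, which is what makes constant-time code natural. The following is an added example, not code from the paper or its authors, and it does not use the paper's Kummer-line formulas (those are not on this page); instead it implements the x-only Montgomery ladder on Curve25519, the curve the paper benchmarks against, with the RFC 7748 formulas and its published test vectors. The uniform control flow and the masked (branch-free) conditional swap are the points being shown; Python big-integer arithmetic is itself not constant time, so this is a model of the structure, not a timing-safe implementation.

```python
# Added example (not from the paper): x-only Montgomery ladder on Curve25519.
# Per scalar bit the loop always performs one masked swap, one doubling and
# one differential addition; which projective point plays which role is
# selected only by the swap mask, never by a branch on the secret bit.

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (A - 2) / 4 for the Montgomery coefficient A = 486662
BASEPOINT_U = 9          # u-coordinate of the standard base point


def cswap(swap, a, b):
    """Branch-free conditional swap: exchanges a and b iff swap == 1.
    mask is all-ones when swap == 1 and zero otherwise (Python's -1 has an
    unbounded run of one bits, so it masks every bit of the XOR)."""
    mask = -swap
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def clamp_scalar(k_bytes):
    """RFC 7748 scalar decoding: clear the low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def ladder(k, u):
    """u-coordinate of k*Q, where Q has u-coordinate u.

    State: R0 = (x2 : z2) holds (prefix of k)*Q, R1 = (x3 : z3) holds R0 + Q,
    so the difference R1 - R0 = Q is always known and the differential
    addition needs only u, not a full point."""
    x1 = u % P
    x2, z2 = 1, 0            # R0 starts at the point at infinity
    x3, z3 = x1, 1           # R1 starts at Q
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        # shared sub-expressions
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        # differential addition R1 <- R0 + R1 and doubling R0 <- 2*R0.
        # The two halves are independent once a, b are known, which is the
        # parallelism a SIMD implementation exploits.
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P   # one field inversion at the very end


def x25519(scalar_bytes, u_bytes):
    """X25519 function: 32-byte scalar and 32-byte u-coordinate in, 32-byte u out."""
    k = clamp_scalar(scalar_bytes)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)  # drop the top bit
    return ladder(k, u).to_bytes(32, "little")


def x25519_base(scalar_bytes):
    """Fixed-base scalar multiplication: public key from a private scalar."""
    return x25519(scalar_bytes, BASEPOINT_U.to_bytes(32, "little"))


if __name__ == "__main__":
    # RFC 7748 section 6.1 key-agreement vectors
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    pk_a, pk_b = x25519_base(a), x25519_base(b)
    print(pk_a.hex())
    print(x25519(a, pk_b) == x25519(b, pk_a))   # both sides derive the same secret
```

The loop body contains no data-dependent branch or memory index; the only place the scalar bit enters is the mask fed to `cswap`. That is the property the paper's vectorised ladder preserves, and it is also the first thing to check when reviewing any ladder implementation: any early exit, table lookup indexed by the bit, or skipped operation on a zero bit reintroduces a timing channel.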

1 Introduction
Curve-based cryptography provides a platform for secure and efficient imple-
mentation of public key schemes whose security rely on the hardness of dis-
crete logarithm problem. Starting from the pioneering work of Koblitz [29] and
Miller [33] introducing elliptic curves and the work of Koblitz [30] introducing
hyperelliptic curves for cryptographic use, the last three decades have seen an
extensive amount of research in the area.
Appropriately chosen elliptic curves and genus two hyperelliptic curves are considered to be suitable for practical implementation. Table 1 summarises features for some of the concrete curves that have been proposed in the literature. Arguably, the two most well known curves proposed to date for the 128-bit security level are P-256 [37] and Curve25519 [2]. The secp256k1 curve [40] has also become very popular due to its deployment in the Bitcoin protocol. All of these curves are in the setting of genus one over prime order fields. In particular, we note that Curve25519 has been extensively deployed for various applications; a listing of such applications can be found at [17]. So, from the point of view of deployment, practitioners are very familiar with genus one curves over prime order fields. Influential organisations, such as NIST, Brainpool and Microsoft (the NUMS curve), have concrete proposals in this setting. See [5] for a further listing of such primes and curves. It is quite likely that any future portfolio of proposals by standardisation bodies will include at least one curve in the setting of genus one over a prime field.

Our Contributions
The contribution of this paper is to propose new curves for the setting of genus one over a prime order field. Actual scalar multiplication is done over the Kummer line associated with such a curve. The idea of using the Kummer line was proposed by Gaudry and Lubicz [22]. They, however, were not clear about whether competitive speeds can be obtained using this approach. Our main contribution is to show that this can indeed be done using the single-instruction multiple-data (SIMD) instructions available in modern processors. We note that the use of SIMD instructions to speed up computation has earlier been proposed for the Kummer surface associated with genus two hyperelliptic curves [22]. The application of this idea to the Kummer line, however, has not been considered in the literature. Our work fills this gap and shows that properly using SIMD instructions provides a competitive alternative to known curves in the setting of genus one and prime order fields.
As in the case of the Montgomery curve [34], scalar multiplication on the Kummer line proceeds via a laddering algorithm. A ladder step corresponds to each bit of the scalar, and each such step consists of a doubling and a differential addition irrespective of the value of the bit. As a consequence, it becomes easy to develop code which runs in constant time. We describe and implement a vectorised version of the laddering algorithm which is also constant time. Our target is the 128-bit security level.
Kummer for Genus One over Prime Order Fields 5

Table 1. Features of some curves proposed in the last few years.

Reference                                    Genus  Form                 Field order  Endomorphisms
NIST P-256 [37]                              1      Weierstrass          Prime        No
Curve25519 [2]                               1      Montgomery           Prime        No
secp256k1 [40]                               1      Weierstrass          Prime        No
Brainpool [11]                               1      Weierstrass          Prime        No
NUMS [41]                                    1      Twisted Edwards      Prime        No
Longa-Sica [32]                              1      Twisted Edwards      p^2          Yes
Bos et al. [9]                               2      Kummer               Prime        Yes
Bos et al. [10]                              2      Kummer               p^2          Yes
Hankerson et al. [26], Oliviera et al. [38]  1      Weierstrass/Koblitz  2^n          Yes
Longa-Sica [32], Faz-Hernández et al. [18]   1      Twisted Edwards      p^2          Yes
Costello et al. [15]                         1      Montgomery           p^2          Yes
Gaudry-Schost [23], Bernstein et al. [4]     2      Kummer               Prime        No
Costello-Longa [14]                          1      Twisted Edwards      p^2          Yes
Hankerson et al. [26], Oliviera et al. [39]  1      Weierstrass/Koblitz  2^n          Yes
This work                                    1      Kummer               Prime        No

Choice of the Underlying Field: Our target is the 128-bit security level. To this end, we consider three primes, namely 2^251 − 9, 2^255 − 19 and 2^266 − 3. These primes are abbreviated as p2519, p25519 and p2663 respectively. The underlying field will be denoted as F_p where p is one of p2519, p25519 or p2663.
Choice of the Kummer Line: Following previous suggestions [3,9], we work in the square-only setting. In this case, the parameters of the Kummer line are given by two integers a² and b². We provide appropriate Kummer lines for all three of the primes p2519, p25519 and p2663. These are denoted as KL2519(81,20), KL25519(82,77) and KL2663(260,139) respectively. In each case, we identify a base point with small coordinates. The selection of the Kummer lines is done using a search for curves achieving certain desired security properties. Later we provide the details of these properties, which indicate that the curves provide security at the 128-bit security level.
SIMD Implementation: On Intel processors, it is possible to pack four 64-bit words into a single 256-bit quantity and then use SIMD instructions to work on the four 64-bit words simultaneously. We apply this approach to carefully consider various aspects of field arithmetic over F_p. SIMD instructions allow the simultaneous computation of 4 multiplications in F_p and also 4 squarings in F_p. The use of SIMD instructions dovetails very nicely with the scalar multiplication algorithm over the Kummer line, as we explain below.

[Figures 1 and 2 are diagrams not reproduced in this extraction. Fig. 1 shows one ladder step on the Kummer line: from the inputs x1², z1², x2², z2², the Hadamard transform H, multiplications by B², A², and multiplications by b², a² and by the base point coordinates x², z², yield x3², z3², x4², z4². Fig. 2 shows one ladder step on the Montgomery curve: from x1, z1, x2, z2, with a multiplication by (A − 2)/4, it yields x3, z3, x4, z4.]
Fig. 1. One ladder step on the Kummer line.
Fig. 2. One ladder step on the Montgomery curve.

Scalar Multiplication over the Kummer Line: A uniform, ladder style algorithm is used. In terms of operation count, each ladder step requires 2 field multiplications, 6 field squarings, 6 multiplications by parameters and 2 multiplications by base point coordinates [22]. In contrast, one ladder step on the Montgomery curve requires 4 field multiplications, 4 squarings, 1 multiplication by a curve parameter and 1 multiplication by a base point coordinate. This led Gaudry and Lubicz [22] to comment that the Kummer line can be advantageous provided that the advantage of trading off multiplications for squarings is not offset by the extra multiplications by the parameters and the base point coordinates.
Our choices of the Kummer lines ensure that the parameters and the base point coordinates are indeed very small. This is not to suggest that the Kummer line is only suitable for fixed base point scalar multiplication. The main advantage arises from the structure of the ladder step on the Kummer line versus that on the Montgomery curve.
An example of the ladder step on the Kummer line is shown in Fig. 1. In the figure, the Hadamard transform H(u, v) is defined to be (u + v, u − v). Observe that there are 4 layers of 4 simultaneous multiplications. The first layer consists of 2 field multiplications and 2 squarings, while the third layer consists of 4 field squarings. Using 256-bit SIMD instructions, the 2 multiplications and the 2 squarings in the first layer can be computed simultaneously using an implementation of vectorised field multiplication, while the third layer can be computed using an implementation of vectorised field squaring. The second layer consists only of multiplications by parameters and is computed using an implementation of vectorised multiplication by constants. The fourth layer consists of two multiplications by parameters and two multiplications by base point coordinates. For a fixed base point, this layer can be computed using a single vectorised multiplication by constants, while for a variable base point this layer requires a vectorised field multiplication. A major advantage of the ladder step on the Kummer line is that the packing and unpacking into 256-bit quantities is done once each. Packing is done at the start of the scalar multiplication and unpacking is done at the end. The entire scalar multiplication can be computed on the packed vectorised quantities.
In contrast, the ladder step on the Montgomery curve is shown in Fig. 2, which has been reproduced from [2]. The structure of this ladder is not as regular as the ladder step on the Kummer line. This makes it difficult to optimally group together the multiplications for SIMD implementation. Curve25519 is a Montgomery curve. SIMD implementations of Curve25519 have been reported in [7,12,16,19]. The work [16] forms four groups of independent multiplications/squarings, with the first and the third group consisting of four multiplications/squarings each, the second group consisting of two multiplications and the fourth group consisting of a single multiplication. Interspersed with these multiplications are two groups each consisting of four independent additions/subtractions. The main problem with this approach is that of repeated packing/unpacking of data within a ladder step. This drawback outweighs the benefits of four simultaneous SIMD multiplications, and this approach has not been followed in later works [7,12,19]. These later implementations grouped together only two independent multiplications. In particular, we note that the well known Sandy2x implementation of Curve25519 is a SIMD implementation which is based on [12] and groups together only two multiplications. The AVX2 based implementation of Curve25519 in [19] also groups together only 2 multiplications/squarings.
At a forum¹ Tung Chou comments (perhaps oblivious of [16]) that it would be better to find four independent multiplications/squarings and vectorise them. As discussed above, the previous works on SIMD implementation of Curve25519 do not seem to have been able to identify this. On the other hand, for the ladder step on the Kummer line shown in Fig. 1, vectorisation of 4 independent multiplications/squarings comes quite naturally. This indicates that the ladder step on the Kummer line is more SIMD friendly than the ladder step on the Montgomery curve.
Implementation: We report implementations of all three Kummer lines KL2519(81,20), KL25519(82,77) and KL2663(260,139). The implementations are in Intel intrinsics and use AVX2 instructions. On the recent Skylake processor, both fixed and variable base scalar multiplications for all three Kummer lines are faster than Sandy2x, which is presently the best known SIMD implementation in assembly of Curve25519. On the earlier Haswell processor, both fixed and variable base scalar multiplications for KL2519(81,20) and KL25519(82,77) are faster than those of Sandy2x; fixed base scalar multiplication for KL2663(260,139) is faster than that of Sandy2x, while variable base scalar multiplication for KL2663(260,139) and Sandy2x takes roughly the same time. Detailed timing results are provided later.

¹ https://moderncrypto.org/mail-archive/curves/2015/000637.html
At a broad level, the timing results reported in this work show that the availability of SIMD instructions leads to the following two practical consequences.

1. At the 128-bit security level, the choice of F_{2^255−19} as the base field is not the fastest. If one is willing to sacrifice about 2 bits of security, then using F_{2^251−9} as the base field leads to about a 25% speed-up on the Skylake processor.
2. More generally, the ladder step on the Kummer line is faster than the ladder step on the Montgomery curve. We have demonstrated this by implementing on Intel processors. Future work can explore this issue on other platforms such as the ARM NEON architecture.

Due to page limit restrictions, we are unable to include all the details in this version. These are provided in the full version [28].

2 Background

In this section, we briefly describe theta functions over genus one, Kummer
lines, Legendre form elliptic curves and their relations. In our description of the
background material, the full version [28] provides certain details which are not
readily available in the literature.

2.1 Theta Functions

In this and the next few sections, we provide a sketch of the mathematical background on theta functions over genus one and Kummer lines. Following previous works [22,27,36] we define theta functions over the complex field. For cryptographic purposes, our goal is to work over a prime field of large characteristic. All the derivations that are used have good reduction [22], and so it is possible to use the Lefschetz principle [1,21] to carry over the identities proved over the complex numbers to those over a large characteristic field.
Let τ ∈ C with positive imaginary part and w ∈ C. Let ξ1, ξ2 ∈ Q. Theta functions with characteristics ϑ[ξ1, ξ2](w, τ) are defined to be the following:

$$\vartheta[\xi_1, \xi_2](w, \tau) = \sum_{n \in \mathbb{Z}} \exp\Big(\pi i (n + \xi_1)^2 \tau + 2\pi i (n + \xi_1)(w + \xi_2)\Big). \qquad (1)$$

For a fixed τ, the following theta functions are defined.

ϑ1(w) = ϑ[0, 0](w, τ) and ϑ2(w) = ϑ[0, 1/2](w, τ);
Θ1(w) = ϑ[0, 0](w, 2τ) and Θ2(w) = ϑ[1/2, 0](w, 2τ).

The following identities hold for the theta functions. Proofs are given in the
appendix of the full version [28].

2Θ1(w1 + w2)Θ1(w1 − w2) = ϑ1(w1)ϑ1(w2) + ϑ2(w1)ϑ2(w2);
2Θ2(w1 + w2)Θ2(w1 − w2) = ϑ1(w1)ϑ1(w2) − ϑ2(w1)ϑ2(w2);    (2)
ϑ1(w1 + w2)ϑ1(w1 − w2) = Θ1(2w1)Θ1(2w2) + Θ2(2w1)Θ2(2w2);
ϑ2(w1 + w2)ϑ2(w1 − w2) = Θ1(2w1)Θ1(2w2) − Θ2(2w1)Θ2(2w2).    (3)

Putting w1 = w2 = w, we obtain

2Θ1 (2w)Θ1 (0) = ϑ1 (w)2 + ϑ2 (w)2 ; 2Θ2 (2w)Θ2 (0) = ϑ1 (w)2 − ϑ2 (w)2 ; (4)
ϑ1 (2w)ϑ1 (0) = Θ1 (2w)2 + Θ2 (2w)2 ; ϑ2 (2w)ϑ2 (0) = Θ1 (2w)2 − Θ2 (2w)2 . (5)

Putting w = 0 in (4), we obtain

2Θ1 (0)2 = ϑ1 (0)2 + ϑ2 (0)2 ; 2Θ2 (0)2 = ϑ1 (0)2 − ϑ2 (0)2 . (6)

2.2 Kummer Line

Let τ ∈ C with positive imaginary part and denote by P¹(C) the projective line over C. The Kummer line (K) associated with τ is the image of the map ϕ from C to P¹(C) defined by

ϕ : w ⟼ (ϑ1(w), ϑ2(w)).    (7)

Suppose that ϕ(w) = [ϑ1 (w) : ϑ2 (w)] is known for some w ∈ Fq . Using (4) it
is possible to compute Θ1 (2w) and Θ2 (2w) and then using (5) it is possible to
compute ϑ1 (2w) and ϑ2 (2w). So, from ϕ(w) it is possible to compute ϕ(2w) =
[ϑ1 (2w) : ϑ2 (2w)] without knowing the value of w.
Suppose that ϕ(w1 ) = [ϑ1 (w1 ) : ϑ2 (w1 )] and ϕ(w2 ) = [ϑ1 (w2 ) : ϑ2 (w2 )] are
known for some w1 , w2 ∈ Fq . Using (4), it is possible to obtain Θ1 (2w1 ), Θ1 (2w2 ),
Θ2 (2w1 ) and Θ2 (2w2 ). Then (3) allows the computation of ϑ1 (w1 + w2 )ϑ1 (w1 −
w2 ) and ϑ2 (w1 + w2 )ϑ2 (w1 − w2 ). Further, if ϕ(w1 − w2 ) = [ϑ1 (w1 − w2 ) :
ϑ2 (w1 − w2 )] is known, then it is possible to obtain ϕ(w1 + w2 ) = [ϑ1 (w1 + w2 ) :
ϑ2 (w1 + w2 )] without knowing the values of w1 and w2 .
The task of computing ϕ(2w) from ϕ(w) is called doubling and the task of
computing ϕ(w1 + w2 ) from ϕ(w1 ), ϕ(w2 ) and ϕ(w1 − w2 ) is called differential
(or pseudo) addition.

2.3 Square only Setting

Let P = ϕ(w) = [x : z] be a point on the Kummer line. As described above, doubling computes the point 2P; suppose that 2P = [x3 : z3]. Further, suppose that instead of [x : z] we have the values x² and z², and that after the doubling we are interested in the values x3² and z3². Then the doubling operation given by (8) and (9) only involves the squared quantities ϑ1(0)², ϑ2(0)², Θ1(0)², Θ2(0)² and x², z². As a consequence, the doubles of [x : z] and [x : −z] are the same. We have

$$x_3^2 = b^2\Big(B^2 (x^2 + z^2)^2 + A^2 (x^2 - z^2)^2\Big)^2, \qquad (8)$$
$$z_3^2 = a^2\Big(B^2 (x^2 + z^2)^2 - A^2 (x^2 - z^2)^2\Big)^2. \qquad (9)$$

Similarly, consider that from P1 = ϕ(w1) = [x1 : z1], P2 = ϕ(w2) = [x2 : z2] and P = P1 − P2 = ϕ(w1 − w2) = [x : z] the requirement is to compute P1 + P2 = ϕ(w1 + w2) = [x3 : z3]. If we have the values x1², z1², x2², z2² and x², z² along with ϑ1(0)², ϑ2(0)², Θ1(0)², Θ2(0)², then we can compute the values x3² and z3² by Eqs. (10) and (11).

$$x_3^2 = z^2\Big(B^2 (x_1^2 + z_1^2)(x_2^2 + z_2^2) + A^2 (x_1^2 - z_1^2)(x_2^2 - z_2^2)\Big)^2, \qquad (10)$$
$$z_3^2 = x^2\Big(B^2 (x_1^2 + z_1^2)(x_2^2 + z_2^2) - A^2 (x_1^2 - z_1^2)(x_2^2 - z_2^2)\Big)^2. \qquad (11)$$

This approach requires only squared values, i.e., it starts with squared values and
also returns squared values. Hence, this is called the square only setting. Note
that in the square only setting, [x2 : z 2 ] represents two points [x : ±z] on the
Kummer line. For the case of genus two, the square only setting was advocated
in [3,9] (see also [13]). To the best of our knowledge, the details of the square
only setting in genus one do not appear earlier in the literature.
Let

a² = ϑ1(0)², b² = ϑ2(0)², A² = a² + b² and B² = a² − b².

Then from (6) we obtain Θ1(0)² = A²/2 and Θ2(0)² = B²/2. By K_{a²,b²} we denote the Kummer line having the parameters a² and b².
Table 2 shows the algorithms dbl and diffAdd for doubling and differential addition. Details regarding correctness of the computation are provided in the full version [28].

Table 2. Double and differential addition in the square-only setting.

In K_{a²,b²}, the point [a² : b²] (representing [a : ±b]) in the square only setting acts as the identity element for the differential addition. The full version [28] provides further details.
In the rest of the paper, we will work in the square only setting over a Kummer line K_{a²,b²} for some values of the parameters a² and b².

Scalar Multiplication: Suppose P = [x1² : z1²] and let n be a positive integer. We wish to compute nP = [xn² : zn²]. The method for doing this is given by Algorithm scalarMult in Table 3. A conceptual description of a ladder step is given in Fig. 1.

Table 3. Scalar multiplication using a ladder.

2.4 Legendre Form Elliptic Curve

Let E be an elliptic curve and σ : E → E be the automorphism which maps a point of E to its inverse, i.e., for (a, b) ∈ E, σ(a, b) = (a, −b).
For μ ∈ F_q, let

E_μ : Y² = X(X − 1)(X − μ)    (12)

be an elliptic curve in the Legendre form. Let K_{a²,b²} be a Kummer line such that

$$\mu = \frac{a^4}{a^4 - b^4}. \qquad (13)$$
An explicit map ψ : K_{a²,b²} → E_μ/σ has been given in [22]. In the square only setting, let [x² : z²] represent the points [x : ±z] of the Kummer line K_{a²,b²} such that [x² : z²] ≠ [b² : a²]. Recall that [a² : b²] acts as the identity in K_{a²,b²}. Then from [22],

$$\psi([x^2 : z^2]) = \begin{cases} \infty & \text{if } [x^2 : z^2] = [a^2 : b^2]; \\[4pt] \left(\dfrac{a^2 x^2}{a^2 x^2 - b^2 z^2},\ \ldots\right) & \text{otherwise.} \end{cases} \qquad (14)$$

Given X = a²x²/(a²x² − b²z²), it is possible to find ±Y from the equation of E, though it is not possible to uniquely determine the sign of Y. The inverse ψ⁻¹ maps a point not of order two of E_μ/σ to the squared coordinates of points in K_{a²,b²}. We have

$$\psi^{-1}(\mathbf{P}) = \begin{cases} [a^2 : b^2] & \text{if } \mathbf{P} = \infty; \\[4pt] \left[\dfrac{b^2 X}{a^2 (X - 1)} : 1\right] & \text{if } \mathbf{P} = (X, \ldots). \end{cases} \qquad (15)$$

Notation: We will use upper-case bold face letters to denote points of E_μ and upper case normal letters to denote points of K_{a²,b²}.
Consistency: Let K_{a²,b²} and E_μ be such that (13) holds. Consider the point $\mathbf{T} = (\mu, 0)$ on E_μ. Note that $\mathbf{T}$ is a point of order two. Given any point $\mathbf{P} = (X, \ldots)$ of E_μ, let $\mathbf{Q} = \mathbf{P} + \mathbf{T}$. Then it is easy to verify that

$$\mathbf{Q} = \left(\frac{\mu (X - 1)}{X - \mu},\ \ldots\right).$$

Consider the map $\widehat{\psi} : K_{a^2,b^2} \to E_\mu$ such that for points [x : ±z] represented by [x² : z²] in the square only setting

$$\widehat{\psi}([x^2 : z^2]) = \psi([x^2 : z^2]) + \mathbf{T}. \qquad (16)$$

The inverse map $\widehat{\psi}^{-1}$ takes a point $\mathbf{P}$ of E_μ to squared coordinates in K_{a²,b²}. For any two points $\mathbf{P}_1, \mathbf{P}_2$ on E_μ which are not of order two and $\mathbf{P} = \mathbf{P}_1 - \mathbf{P}_2$, the following properties hold.

$$\begin{aligned} 2 \cdot \widehat{\psi}([x^2 : z^2]) &= \widehat{\psi}\big(\mathsf{dbl}(x^2, z^2)\big); \\ \mathsf{dbl}\big(\widehat{\psi}^{-1}(\mathbf{P}_1)\big) &= \widehat{\psi}^{-1}(2\mathbf{P}_1); \\ \mathsf{diffAdd}\big(\widehat{\psi}^{-1}(\mathbf{P}_1),\ \widehat{\psi}^{-1}(\mathbf{P}_2),\ \widehat{\psi}^{-1}(\mathbf{P})\big) &= \widehat{\psi}^{-1}(\mathbf{P}_1 + \mathbf{P}_2). \end{aligned} \qquad (17)$$

The proofs for (17) can be derived from the formulas for $\widehat{\psi}$, $\widehat{\psi}^{-1}$; the formulas for addition and doubling on E_μ; and the formulas arising from dbl and diffAdd. This involves simplifications of the intermediate expressions arising in these formulas. Such expressions become quite large. In the appendix of the full version [28] we provide a SAGE script which does the symbolic verification of the required calculations.
The relations given by (17) have the following important consequence for scalar multiplication. Suppose P is in K_{a²,b²} and $\mathbf{P} = \widehat{\psi}(P)$. Then $\widehat{\psi}(nP) = n\mathbf{P}$. Fig. 3 depicts this in pictorial form.

[Fig. 3 is a commutative diagram not reproduced in this extraction: the top row maps P by ψ to $\mathbf{P}$, then by +T to $\mathbf{Q}$, back by −T to $\mathbf{P}$ and by ψ⁻¹ to P; the bottom row does the same for Pn, $\mathbf{P}_n$, $\mathbf{Q}_n$, and the vertical arrows are multiplication by n.]
Fig. 3. Consistency of scalar multiplications on E_μ and K_{a²,b²}.
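As an added, runnable illustration (example code written for this page, not the authors' implementation or the SAGE script of the full version), the following Python puts the square-only formulas (8)–(11), the four-layer ladder step of Fig. 1 and the ladder of Table 3 together for KL2519(81,20) over F_{p2519}, and checks the first relation of (17) by comparing ψ̂ of a Kummer-line doubling with X-only doubling on E_μ. The sample point BASE = [4 : 1] is a constructed value, not the base point of the paper, and ψ̂ here applies the generic branch of (14) to every point.

```python
# Added example (not the authors' code): square-only arithmetic on the Kummer
# line KL2519(81,20) over F_p, p = p2519 = 2^251 - 9, the uniform ladder of
# Table 3, and a check of the doubling relation of (17) via psi-hat of (16).
# BASE is a constructed sample point, not the base point used in the paper.

P2519 = 2**251 - 9

def cswap(bit, R0, R1):
    """Arithmetic conditional swap (mirrors a branch-free ladder swap; Python
    big-int arithmetic itself is not constant time)."""
    mask = -bit                                    # 0 or -1 (all ones)
    t = [(u ^ v) & mask for u, v in zip(R0, R1)]
    return (tuple(u ^ s for u, s in zip(R0, t)),
            tuple(v ^ s for v, s in zip(R1, t)))

class KummerLine:
    """K_{a^2,b^2} in the square-only setting: a point is a pair (x^2, z^2) of
    field elements read projectively; [a^2 : b^2] is the identity."""

    def __init__(self, p, a2, b2):
        self.p, self.a2, self.b2 = p, a2 % p, b2 % p
        self.A2, self.B2 = (a2 + b2) % p, (a2 - b2) % p     # A^2, B^2

    def identity(self):
        return (self.a2, self.b2)

    def equal(self, P, Q):
        """Projective equality: x1^2 * z2^2 == x2^2 * z1^2 (mod p)."""
        return (P[0] * Q[1] - Q[0] * P[1]) % self.p == 0

    def ladder_step(self, R0, R1, P):
        """One step of Fig. 1 with R1 - R0 = P: returns (2*R0, R0 + R1), i.e.
        Eqs. (8), (9) applied to R0 and Eqs. (10), (11) to R0, R1, P."""
        p, (x1, z1), (x2, z2), (x, z) = self.p, R0, R1, P
        s1, d1 = (x1 + z1) % p, (x1 - z1) % p             # Hadamard transforms
        s2, d2 = (x2 + z2) % p, (x2 - z2) % p
        m, n = s1 * s2 % p, d1 * d2 % p                    # layer 1: 2 mults
        ss, dd = s1 * s1 % p, d1 * d1 % p                  #          2 squarings
        # layer 2: 4 multiplications by the parameters B^2, A^2, then Hadamard
        T1, T2 = (self.B2 * m + self.A2 * n) % p, (self.B2 * m - self.A2 * n) % p
        S, D = (self.B2 * ss + self.A2 * dd) % p, (self.B2 * ss - self.A2 * dd) % p
        # layer 3: 4 squarings; layer 4: 2 mults by base point coordinates
        # x^2, z^2 and 2 mults by the parameters b^2, a^2
        return ((self.b2 * S * S % p, self.a2 * D * D % p),
                (z * T1 * T1 % p, x * T2 * T2 % p))

    def dbl(self, P):
        """Doubling, Eqs. (8) and (9): the first output of a ladder step."""
        return self.ladder_step(P, P, P)[0]

    def diff_add(self, P1, P2, P):
        """Differential addition, Eqs. (10) and (11); P must be P1 - P2."""
        return self.ladder_step(P1, P2, P)[1]

    def scalar_mult(self, n, P):
        """Uniform ladder of Table 3: one ladder_step per bit of n; returns n*P."""
        R0, R1 = self.identity(), P                        # invariant: R1 - R0 = P
        for i in range(n.bit_length() - 1, -1, -1):
            bit = (n >> i) & 1
            R0, R1 = cswap(bit, R0, R1)
            R0, R1 = self.ladder_step(R0, R1, P)
            R0, R1 = cswap(bit, R0, R1)
        return R0

class LegendreX:
    """X-coordinates of E_mu: Y^2 = X(X-1)(X-mu), kept projectively as [X : Z]
    so that the point at infinity [1 : 0] needs no special case."""

    def __init__(self, K):
        self.K, self.p = K, K.p
        a4, b4 = K.a2 * K.a2 % K.p, K.b2 * K.b2 % K.p
        self.mu = a4 * pow((a4 - b4) % K.p, -1, K.p) % K.p     # Eq. (13)

    def equal(self, X1, X2):
        return (X1[0] * X2[1] - X2[0] * X1[1]) % self.p == 0

    def dbl(self, X):
        """X(2P) = (X^2 - mu)^2 / (4 X (X - 1)(X - mu)) on E_mu."""
        p, mu, (x, z) = self.p, self.mu, X
        return ((x * x - mu * z * z) ** 2 % p,
                4 * x * z * (x - z) * (x - mu * z) % p)

    def psi_hat(self, P):
        """Eq. (16): psi-hat = psi + T.  psi is the generic branch of Eq. (14),
        X = a^2 x^2 / (a^2 x^2 - b^2 z^2); adding T = (mu, 0) sends X to
        mu (X - 1) / (X - mu), so the identity [a^2 : b^2] lands on infinity."""
        p, mu, (x2, z2) = self.p, self.mu, P
        X, Z = self.K.a2 * x2 % p, (self.K.a2 * x2 - self.K.b2 * z2) % p
        return (mu * (X - Z) % p, (X - mu * Z) % p)

def doubling_is_consistent(K, E, P):
    """First relation of (17): 2 * psi_hat(P) == psi_hat(dbl(P))."""
    return E.equal(E.dbl(E.psi_hat(P)), E.psi_hat(K.dbl(P)))

K2519 = KummerLine(P2519, 81, 20)         # KL2519(81,20)
E2519 = LegendreX(K2519)
BASE = (4, 1)                              # constructed sample point [x^2 : z^2]
```

Because every operation is projective, the check never needs a field inversion beyond the one that computes μ, and the identity and the point at infinity need no special handling.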

Relation Between the Discrete Logarithm Problems: Suppose the Kummer line K_{a²,b²} is chosen such that the corresponding curve E_μ has a cyclic
Another random document with
no related content on Scribd:
The Project Gutenberg eBook of English and
American tool builders
This ebook is for the use of anyone anywhere in the United
States and most other parts of the world at no cost and with
almost no restrictions whatsoever. You may copy it, give it away
or re-use it under the terms of the Project Gutenberg License
included with this ebook or online at www.gutenberg.org. If you
are not located in the United States, you will have to check the
laws of the country where you are located before using this
eBook.

Title: English and American tool builders

Author: Joseph Wickham Roe

Release date: November 5, 2023 [eBook #72046]

Language: English

Original publication: New York: McGraw Hill Book Company,


1916

Credits: deaurider, Harry Lamé and the Online Distributed


Proofreading Team at https://www.pgdp.net (This file
was produced from images generously made available
by The Internet Archive)

*** START OF THE PROJECT GUTENBERG EBOOK ENGLISH


AND AMERICAN TOOL BUILDERS ***
Please see the Transcriber’s Notes
at the end of this text.
New original cover art included with
this eBook is granted to the public
domain.

ENGLISH AND AMERICAN TOOL

BUILDERS
Henry Maudslay
English and American
Tool Builders

By
JOSEPH WICKHAM ROE
Museum of the Peaceful Arts, City of New York,
Professor of Industrial Engineering,
New York University

First Printed in 1916


Reprinted in 1926

McGRAW-HILL BOOK COMPANY, Inc.


NEW YORK: 370 SEVENTH AVENUE
LONDON: 6 & 8 BOUVERIE ST., E. C. 4
1926

Copyright, 1916
BY
Joseph Wickham Roe

First published May, 1916


Republished March, 1926

“Man is a Tool-using Animal. Weak in himself, and of small stature, he


stands on a basis, at most for the flattest-soled, of some half-square foot,
insecurely enough; has to straddle out his legs, lest the very wind
supplant him. Feeblest of bipeds! Three quintals are a crushing load for
him; the steer of the meadow tosses him aloft, like a waste rag.
Nevertheless he can use Tools, can devise Tools: with these the granite
mountain melts into light dust before him; seas are his smooth highway,
winds and fire his unwearying steeds. Nowhere do you find him without
Tools; without Tools he is nothing, with Tools he is all.”
Carlyle: “Sartor Resartus,” Chap. IV.
PREFACE

The purpose of this book is to bring out the importance of the work
and influence of the great tool builders. Few realize that their art is
fundamental to all modern industrial arts. Without machine tools
modern machinery could not be built. Little is known by the general
public as to who the great tool builders were, and less is known of
their lives and work.
History takes good care of soldiers, statesmen and authors. It is
even kind to engineers like Watt, Fulton and Stephenson, who have
conspicuously and directly affected society at large. But little is
known, even among mechanics, of the men whose work was mainly
within the engineering profession, and who served other engineers
rather than the general public. The lives and the personalities of men
like Maudslay, Nasmyth and Eli Whitney, can hardly fail of interest to
the mechanic of today. They were busy men and modest, whose
records are mainly in iron and steel, and in mechanical devices
which are used daily with little thought of their origin.
In following the history of English and American tool builders, the
query arises as to whether there might not have been important
contributions to tool building from other countries. Others have
contributed to some degree, but practically all of the creative work in
tool building has been done in these two countries. Although the
French were pioneers in many mechanical improvements, they have
always shown an aptitude for refinements and ingenious novelties
rather than for commercial production on a large scale. They have
influenced other nations more through their ideas than through their
machinery. The Swiss are clever artisans, particularly in fine work,
but they have excelled in personal skill, operating on a small scale,
rather than in manufacturing. Germany has, under the Empire,
developed splendid mechanics, but the principal machine tools had
taken shape before 1870, when the Empire began. The history of
English and American tool building, therefore, covers substantially
the entire history of the art.
Almost the only book upon tool builders and their work is Samuel
Smiles’ “Industrial Biography,” which is out of print and little known. It
is an admirable and interesting book, and a mine of information upon
the English tool builders down to about 1850. The writer has used it
freely and would urge those who are interested in the subject to go
to it for further information on the early mechanics. It was written,
however, over fifty years ago and contains nothing about modern
developments or about the American tool builders who have
contributed so much.
The writer has tried to trace the origin and rise of tool building in
America and to give something of its spread in recent years. The
industrial life of the United States is so vast that a comprehensive
history of even a single industry, such as tool building, would run far
beyond the limits of one volume. This book, therefore, is confined to
the main lines of influence in tool building and to the personalities
and cities which have been most closely identified with it. The later
history of American tool building has never been written. For this the
writer has had to rely largely upon personal information from those
who are familiar with it, and who have had a part in it.
Part of the material contained in this book has appeared from time
to time in the American Machinist, and the writer would acknowledge
his indebtedness most of all to Mr. L. P. Alford, the editor of that
journal. His help and counsel have given these pages much of such
value as they possess. So many have helped with information,
corrections and suggestions that acknowledgments can be made
only to a few. The writer would particularly thank Mr. L. D.
Burlingame, Mr. Ned Lawrence, Mr. James Hartness, Mr. Coleman
Sellers and Mr. Clarence Bement.
If these pages serve to stimulate interest in the lives and work of
the tool builders, to whom we owe much, they will fulfill the hope of
the writer.
Sheffield Scientific School,
Yale University,
October, 1915.
AUTHOR’S NOTE

In reprinting this book certain minor corrections have been made.


In the later chapters references occur here and there to the “present”
condition of various plants and firms. After careful consideration, it
seems wise to let these statements stand as they were written in
1915. Interest in this subject centers chiefly on the early history of
the plants and firms rather than on recent changes. To revise the
statements, bringing them up to date, would add little. With the ever
shifting status of a live industry, the statements, so revised, would
remain correct for only a short time. Therefore, when a reference is
made to present conditions it should be understood to cover those at
the beginning of the World War, which is a natural dividing point in
our industrial history.
The general predictions made in the last two paragraphs of the
book have been borne out by the developments in American
toolbuilding since that time.
Museum of the Peaceful Arts,
City of New York,
February, 1926.
TABLE OF CONTENTS

PAGE
Chapter I. Influence of the Early Tool Builders 1
Chapter II. Wilkinson and Bramah 11
Chapter III. Bentham and Brunel 22
Chapter IV. Henry Maudslay 33
Chapter V. Inventors of the Planer 50
Chapter VI. Gearing and Millwork 63
Chapter VII. Fairbairn and Bodmer 71
Chapter VIII. James Nasmyth 81
Chapter IX. Whitworth 98
Chapter X. Early American Mechanics 109
Chapter XI. The Rise of Interchangeable Manufacture 128
Chapter XII. Whitney and North 145
Chapter XIII. The Colt Armory 164
Chapter XIV. The Colt Workman—Pratt & Whitney 173
Chapter XV. Robbins & Lawrence 186
Chapter XVI. The Brown & Sharpe Manufacturing
Company 202
Chapter XVII. Central New England 216
Chapter XVIII. The Naugatuck Valley 231
Chapter XIX. Philadelphia 239
Chapter XX. The Western Tool Builders 261
Appendix A 281
Appendix B, The Jennings Gun 292
A Partial Bibliography on Tool Building 295
LIST OF ILLUSTRATIONS

Henry Maudslay Frontispiece


Fig. 1. Smeaton’s Boring Machine, Carron
Iron Works, 1769 Facing page 2
Fig. 2. French Lathes of about 1772 Facing page 2
Fig. 3. French Slide-Rest, 1772 Facing page 6
Fig. 4. French Lathe for Turning Ovals,
1772 Facing page 6
Fig. 5. Genealogy of the Early English Tool
Builders page 7
Fig. 6. John Wilkinson Facing page 14
Fig. 7. Wilkinson’s Boring Machine Facing page 14
Fig. 8. Eminent Men of Science Living in
1807-8 Facing page 20
Fig. 9. Sir Samuel Bentham Facing page 22
Fig. 10. Sir Marc Isambard Brunel Facing page 26
Fig. 11. Brunel’s Mortising Machine Facing page 30
Fig. 12. Brunel’s Shaping Machine Facing page 30
Fig. 13. French Screw-Cutting Lathe,
Previous to 1569 page 37
Fig. 14. French Screw-Cutting Lathe, about
1740 page 37
Fig. 15. Maudslay’s Screw-Cutting Lathe,
about 1797 Facing page 42
Fig. 16. Maudslay’s Screw-Cutting Lathe,
about 1800 Facing page 42
Fig. 17. French Planing Machine by
Nicholas Forq, 1751 Facing page 50
Fig. 18. Matthew Murray Facing page 58
Fig. 19. Richard Roberts Facing page 58
Fig. 20. Roberts’ Planer, Built in 1817 Facing page 60
Fig. 21. Roberts’ Back-Geared Lathe Facing page 60
Fig. 22. James Nasmyth Facing page 82
Fig. 23. First Sketch of the Steam Hammer,
November 24, 1839 Facing page 94
Fig. 24. Model of the First Steam Hammer Facing page 94
Fig. 25. Sir Joseph Whitworth Facing page 102
Fig. 26. Samuel Slater Facing page 122
Fig. 27. Genealogy of the New England Gun
Makers page 139
Fig. 28. The First Milling Machine, Built by
Eli Whitney about 1818 Facing page 142
Fig. 29. Blanchard “Gun-Stocking” Lathe,
Built in 1818 for the Springfield
Armory Facing page 142
Fig. 30. Eli Whitney Facing page 152
Fig. 31. Samuel Colt Facing page 164
Fig. 32. The Colt Armory Facing page 168
Fig. 33. Root’s Chucking Lathe, about 1855 Facing page 170
Fig. 34. Root’s Splining Machine, about
1855 Facing page 170
Fig. 35. Francis A. Pratt Facing page 178
Fig. 36. Amos Whitney Facing page 178
Fig. 37. Genealogy of the Robbins &
Lawrence Shop page 187
Fig. 38. Robbins & Lawrence Armory,
Windsor, Vt. Facing page 190
Fig. 39. Frederick W. Howe Facing page 196
Fig. 40. Richard S. Lawrence Facing page 196
Fig. 41. James Hartness Facing page 198
Fig. 42. Joseph R. Brown Facing page 202
Fig. 43. First Universal Milling Machine,
1862 Facing page 208
Fig. 44. Early Micrometer Calipers Facing page 212
Fig. 45. Genealogy of the Worcester Tool page 223
Builders
Fig. 46. Lucius W. Pond Facing page 228
Fig. 47. Salmon W. Putnam Facing page 228
Fig. 48. Hiram W. Hayden Facing page 232
Fig. 49. Israel Holmes Facing page 232
Fig. 50. Genealogy of the Naugatuck Brass
Industry page 235
Fig. 51. William Sellers Facing page 248
Fig. 52. Coleman Sellers Facing page 252
Fig. 53. William B. Bement Facing page 252
Fig. 54. Worcester R. Warner Facing page 262
Fig. 55. Ambrose Swasey Facing page 262
Fig. 56. The “Mult-au-matic” Lathe, 1914 Facing page 276
Fig. 57. Machine Tool Building Area of the
United States, 1915 page 279
ENGLISH AND AMERICAN TOOL
BUILDERS
CHAPTER I
INFLUENCE OF THE EARLY TOOL BUILDERS
Well-informed persons are aware of the part which machinery in
general has had on modern industrial life. But the profound influence
which machine tools have had in that development is scarcely
realized, even by tool builders themselves.
Three elements came into industrial life during the latter part of the
eighteenth century. First, the development of modern banking and
the stock company brought out the small private hoards from their
hiding places, united them, and made them available for industrial
undertakings operating on the scale called for by modern
requirements. Second, Watt’s development of the steam engine and
its application to the production of continuous rotative motion gave
the requisite source of power. But neither the steam engine itself nor
the machinery of production was possible until the third element,
modern machine tools, supplied the means of working metals
accurately and economically.
It is well to glance for a moment at the problems which were
involved in building the first steam engine. Watt had been working for
several years on the steam engine when the idea of the separate
condenser came to him on that famous Sunday afternoon walk on
the Glasgow Green, in the spring of 1765, and, to use his own
words, “in the course of one or two days the invention was thus far
(that is, as a pumping engine) complete in my mind.”[1] He was a
skilled instrument maker and his first small model was fairly
successful, but when he undertook “the practice of mechanics in
great,” his skill and all the skill of those about him was incapable of
boring satisfactorily a cylinder 6 inches in diameter and 2 feet long;
and he had finally to resort to one which was hammered. For ten
weary years he struggled to realize his plans in a full-sized engine,
unable to find either the workmen or the tools which could make it a
commercial success. His chief difficulty lay in keeping the piston
tight. He “wrapped it around with cork, oiled rags, tow, old hats,
paper, and other things, but still there were open spaces left,
sufficient to let the air in and the steam out.”[2] Small wonder! for we
find him complaining that in an 18-inch diameter cylinder, “at the
worst place the long diameter exceeded the short by three-eighths of
an inch.” When Smeaton first saw the engine he reported to the
Society of Engineers that “neither the tools nor the workmen existed
that could manufacture so complex a machine with sufficient
precision.”[3]
[1] Smiles: “Boulton & Watt,” pp. 97, 98. London, 1904.
[2] Ibid., p. 114.
[3] Ibid., p. 186.
Smeaton himself had designed a boring machine in 1769 for the
Carron Iron Works for machining cannon, an illustration of which is
given in Fig. 1.[4] It consisted of a head with inserted cutters mounted
on a long, light, overhung boring bar. The work was forced forward
on a rude carriage, as shown. The method of supporting the cutter
head, indicated in the section, shows an ingenious attempt to obtain
a movable support from an inaccurate surface. One need hardly say
that the work resulting was inaccurate.
[4] “Engineer,” London, March 4, 1910; p. 217. Drawn from the
description given in Farey’s “Treatise on the Steam Engine.”
Figure 1. Smeaton’s Boring Machine, Carron Iron Works, 1769
Figure 2. French Lathes of about 1772
Fortunately, in 1774, John Wilkinson, of Bersham, hit upon the
idea, which had escaped both Smeaton and Watt, of making the
boring bar heavier, running it clear through the cylinder and giving it
a fixed support at the outboard end as shown in Fig. 7. The
superiority of this arrangement was at once manifest, and in 1776
Boulton wrote that “Mr. Wilkinson has bored us several cylinders
almost without error; that of 50 inches diameter, which we have put
up at Tipton, does not err the thickness of an old shilling in any
part.”[5] For a number of years, Wilkinson cast and bored all the
cylinders for Boulton & Watt.
[5] Farey: “Treatise on the Steam Engine,” p. 328. 1827.
The importance to Boulton & Watt of the timely aid of Wilkinson’s
boring machine can hardly be overestimated. It made the steam
engine a commercial success, and was probably the first metal-
working tool capable of doing large, heavy work with anything like
present-day accuracy.[6]
[6] Watt’s beautiful parallel motion, invented in 1785, was made
necessary by the fact that there were no planers to machine a crosshead
and guides. Planers were not developed until thirty years later.
We hardly realize the crudity of the tools available in the
eighteenth century. In all machinery the principal members were of
wood, as that could be worked by the hand tools then in use. The
fastenings and smaller parts only were of metal, and consisted of
castings and forgings fitted by hand. There were some lathes of the
very simplest type. Most of them were “pole” lathes, operated by a
cord reaching from a foot treadle, around the work itself, and up to a
pole or wooden spring attached to the ceiling. The work rotated
alternately forward and backward, and was caught with a hand tool
each time as it came forward. Two are shown in Fig. 2, one at the
back and one at the left. Only the very best forms had continuous
motion from a direct drive on the live spindle, as shown at the right of
the same figure. This figure is reproduced from the French
Dictionnaire des Sciences, published in 1772. Such lathes were
almost useless for metal cutting, as they lacked both the necessary
power and a holding device strong enough and accurate enough to