From 01a6bfded9b3cfd8ebc1437135b8e0b310b5884d Mon Sep 17 00:00:00 2001
From: Aaron Kaiser
Date: Thu, 23 Feb 2023 11:31:42 +0100
Subject: [PATCH] Added some of the EdDSA parameters
---
 thesis/Abschlussarbeit.tex | 81 +++++++++++++++++++++++++++++++-------
 thesis/macros.tex | 3 ++
 2 files changed, 70 insertions(+), 14 deletions(-)
diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex
index f0caecf..95b5b0c 100644
--- a/thesis/Abschlussarbeit.tex
+++ b/thesis/Abschlussarbeit.tex
@@ -11,6 +11,8 @@ listof=totoc,
 \usepackage{thesisstyle}
 \usepackage{algpseudocodex}
+\usepackage{multicol}
+\usepackage{tabularx}
 \begin{document}
 \include{macros.tex}
@@ -113,23 +115,75 @@ TODO % TODO: Referenz zum ersten Paper 2011 oder lieber zum journal paper 2012? -This section takes a closer look at the existing specifications of the EdDSA signature scheme and specify a version which will be analyzed in this thesis. +This section takes a closer look at the existing specifications of the EdDSA signature scheme and specifies a version which will be analyzed in this thesis. -This work will take a closer look at the UF-CMA security of the EdDSA signature scheme. EdDSA was introduced as the Ed25519 signature scheme using the twisted Edwards curve Edwards25519, which is birationally equivalent to the Weierstrass curve Curve25519 \cite{JCEng:BDLSY12}. Later in 2015 the paper "EdDSA for more Curves" by Bernstein et al. introduces a more general version of EdDSA \cite{EPRINT:BJLSY15}. The RFC 8032 "Edwards-Curve Digital Signature Algorithm (EdDSA)" from 2017 also specifies a version of EdDSA with prehashing and the inclusion of a context \cite{josefsson_edwards-curve_2017}. This version was also included into the FIPS 186-5 "Digital Signature Standard (DSS)" standard \cite{moody_digital_2023}. +This work will take a closer look at the UF-CMA security of the EdDSA signature scheme. EdDSA was introduced as the Ed25519 signature scheme using the twisted Edwards curve Edwards25519, which is birationally equivalent to the Weierstrass curve Curve25519 \cite{JCEng:BDLSY12}. Later in 2015 the paper "EdDSA for more Curves" by Bernstein et al. introduces a more general version of EdDSA \cite{EPRINT:BJLSY15}. The paper also introduces a variant of EdDSA using prehashing. The RFC 8032 "Edwards-Curve Digital Signature Algorithm (EdDSA)" from 2017 specifies a version of EdDSA with the inclusion of an additional input parameter \textit{context} for the Sign and Verify procedure \cite{josefsson_edwards-curve_2017}. This version was also included into the FIPS 186-5 "Digital Signature Standard (DSS)" standard \cite{moody_digital_2023}. 
+ +In the prehashing variant of EdDSA the signature is calculated on the hash value of the message. The message is used twice during the generation of the signature. Thus the message needs to be buffered or transmitted twice during the generation of the signature. Therefore the prehashing variant offers an performance advantage on memory and bandwidth constraint devices. The context is an additional input parameter which has to be equal during generation and verification of the signature and is used to bind the signature to a given context. + +\subsection{EdDSA Parameter} + +The generic version of EdDSA from the "EdDSA for more Curves" paper, the RFC 8032 and the FIPS 186-5 standard is parameterized by the following 11 parameters \cite{EPRINT:BJLSY15} \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. + +% TODO: Ist das ok hier einfach zu kopieren? +\begin{center} + \begin{table}[t] + \caption{text} + \label{tab:parameter} + \centering + \begin{tabularx}{\textwidth}{@{}lX@{}} + \textbf{Parameter} & \textbf{Description} \\ + \hline + $q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\mathbb{F}_q$ \\ + $b$ & An integer $b$ with $2^{b-1} > q$. EdDSA public keys have exactly b bits, and EdDSA signatures + have exactly 2b bits. 
$b$ + \end{tabularx} + \end{table} +\end{center} + + + +\begin{figure} + \caption{Generic description of the algorithms KeyGen, Sign and Verify used by the EdDSA signature scheme} + \label{fig:eddsa} + \hrule + \begin{multicols}{3} + \scriptsize + \begin{algorithmic}[1] + \Procedure{KeyGen}{} + \State $k \randomsample \{0,1\}^b$ + \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ + \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ + \State $A \assign sB$ + \State \Return (\encoded{$A$}, $k$) + \EndProcedure + \end{algorithmic} + \columnbreak + \begin{algorithmic}[1] + \Procedure{Sign}{$k$, $m$} + \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ + \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ + \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | b_{2b-1} | m)$ + \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ + \State $R \assign rB$ + \State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$ + \State \Return $\sigma \assign (\encoded{R}, S)$ + \EndProcedure + \end{algorithmic} + \columnbreak + \begin{algorithmic}[1] + \Procedure{Verify}{$\encoded{A}, \sigma \assign (\encoded{R}, S), m$} + \State \Return $2^c SB \\= 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$ + \EndProcedure + \end{algorithmic} + \end{multicols} + \hrule +\end{figure} -\hrule -\begin{algorithmic}[1] - \Procedure{KeyGen}{pp} - \State Test - \State \Return key - \EndProcedure - \Statex - \Procedure{Sign}{key, message} - \EndProcedure -\end{algorithmic} -\hrule \newpage +\section{Notation} + \section{The Security of EdDSA in a Single-User Setting} \section{The Security of EdDSA in a Multi-User Setting} @@ -183,5 +237,4 @@ oder ähnlicher Form noch keiner Prüfungsbehörde vorgelegt wurde. \newpage\ \thispagestyle{empty} - \end{document} diff --git a/thesis/macros.tex b/thesis/macros.tex index e69de29..d7867ea 100644 --- a/thesis/macros.tex +++ b/thesis/macros.tex 
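Review bot: In the Sign procedure of the new figure the nonce hash input is typeset as `H(h_b | ... | b_{2b-1} | m)`, where `b_{2b-1}` should read `h_{2b-1}`; as written the secret prefix is no longer the upper half of `H(k)`, which is the value the deterministic nonce `r` depends on. Sign also uses `\encoded{A}` when computing `S` although `A` is never defined in that procedure, so add `\State $A \assign sB$` after the line that computes `s`. Verify receives `\encoded{A}` and `\encoded{R}` but shows neither a decoding step nor a rejection of `S` outside `[0, l)`; if the analysed variant is meant to follow RFC 8032, state those checks explicitly, because they affect signature malleability. The figure also mixes `\leftarrow` and `\assign` for the same deterministic assignment of `s`, and the table still carries the placeholder `\caption{text}`.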
@@ -0,0 +1,3 @@
+\newcommand{\randomsample}{\overset{{\scriptscriptstyle\$}}{\leftarrow}}
+\newcommand{\assign}{:=}
+\newcommand{\encoded}[1]{\underline{#1}}
\ No newline at end of file
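Review bot: The three notation macros in macros.tex are added without any comment saying what each symbol denotes, although the scheme definition in the EdDSA figure depends on them. One comment line per macro would be enough, for example `% \randomsample: sample uniformly at random from a finite set`, `% \assign: deterministic assignment` and `% \encoded{X}: bit-string encoding of X`; these meanings are inferred from how the figure uses the macros and should be confirmed. `\encoded` is called both in text mode (`\encoded{$A$}`) and inside math (`\encoded{R}`), which the comment should mention, and `\newcommand*` is the usual form for short macros like these.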