Started with related work
@@ -1 +1,9 @@
|
||||
\section{Related Work}
|
||||
\section{Related Work}
|
||||
|
||||
\paragraph{Schnorr Signatures} The EdDSA signature scheme is similar in structure to the Schnorr signature scheme. The Schnorr signature scheme is a signature scheme introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. The Schnorr signature scheme has proven to be a robust and efficient signature scheme and has undergone several security analyses. The foundation of the Schnorr signature scheme is the canonical identification scheme.
|
||||
|
||||
A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a protocol between two parties. The prover attempts to prove the knowledge of a secret key to the verifier, who only knows the public key. This is done by exchanging three messages between the two parties. Fiirst, the prover initiates the protocol by sending a commitment $R$ to the verifier. The verifier respondes with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, the challenge, and its secret key to compute a response $s$. The verifier then can then use the commitment, challenge, and response together with the public key of the prover to verify the response and thereby verify that the prover is actually in the possession of the private key.
|
||||
|
||||
To obtain a signature scheme from the canonical identification scheme, it must be made non-interactive. This can be achieved using the Fiat-Schamir transformation. The transformation was introduced by Fiat and Schamir in 1986 \cite{C:FiaSha86}. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the prover. This is a crucial part of the scheme's security, since otherwise the prover might be able to choose a commitment and a challenge in a way that allows him generate a valid solution without being in the possession of the secret key.
|
||||
|
||||
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. This allows the proofer to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function.
|
||||
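Review bot: In the final paragraph of the hunk, the Fiat-Shamir transformation is described as replacing the verifier with a "pseudorandom function", but a PRF is a keyed primitive, whereas the challenge function here must be computable by the signer and by every verifier from public data alone (the commitment and the message); the standard description is a public hash function, modelled as a random oracle in the security proof, so "pseudorandom function" should be replaced with "public hash function (modelled as a random oracle)" in both sentences that use it. The same hunk also needs a spelling pass: "Fiat-Schamir"/"Schamir" should read "Fiat-Shamir" in all three places, "Fiirst" should be "First", "respondes" should be "responds", "proofer" (twice) should be "prover" to match the rest of the section, "The verifier then can then use" has a doubled "then", and "allows him generate" should be "allows them to generate". Finally, `$\textbf{CHSet}$` uses a text-mode command inside math (prefer `\mathsf{CHSet}` or `\mathbf{CHSet}`), and the `\ch` macro used for the challenge must be defined in the preamble or the file will not compile.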