Rewritings due to feedback

2023-06-21 18:45:32 +02:00
parent 3db0912f79
commit 0d3218440b
19 changed files with 167 additions and 163 deletions

@@ -3,13 +3,13 @@
This section takes a closer look at the differences between the existing EdDSA specifications and the original Schnorr signature scheme. This section is partly inspired by \cite{SP:BCJZ21}.
As mentioned above, there are two papers by Bernstein et al., that define the EdDSA signature scheme \cite{CHES:BDLSY11,EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. Both variants can be described by the definition of the EdDSA signature scheme, by using a different perhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme.
As mentioned above, there are two papers by Bernstein et al., that define the EdDSA signature scheme \cite{CHES:BDLSY11,EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. Both variants can be described by the definition of the EdDSA signature scheme, by using a different preqhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme.
There also exist two major standards for the EdDSA signature scheme. The first one is the RFC 8032, which was introduced by the IETF in 2017 \cite{josefsson_edwards-curve_2017}. In addition to publishing concrete parameterizations for the Ed25519 and Ed448 signature schemes, it also includes a variant of the EdDSA signature scheme that includes a context. The context is a separate string that can be used to separate the use of EdDSA between different protocols. As argued below, the inclusion of this context does not affect the security of the signature scheme and can be modeled as being part of the message.
The 2023 FIPS 186-5 standard \cite{moody_digital_2023} also includes the EdDSA signature scheme as specified in RFC 8032.
The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}.
A version of the EdDSA signature scheme, representing all mentioned standards, is depicted in figure \ref{fig:eddsa}.
\begin{center}
\begin{table}[!ht]
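Review bot: In the PureEdDSA/HashEdDSA paragraph the rewritten sentence turns "perhash function" into "preqhash function", which is still misspelled; it should read "prehash function", matching "the prehash function is simply the identity function" in the sentence that follows. The new figure sentence ("A version of the EdDSA signature scheme, representing all mentioned standards") would also be easier to check if it said which choices the figure fixes, for example which of the two signature decoding variations mentioned earlier in the paragraph it uses.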
@@ -24,7 +24,7 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}.
$c$ & The cofactor of the twisted Edwards curve. \\
$n$ & The number of bits used for the secret scalar of the public key. \\
$a, d$ & The curve parameter of the twisted Edwards curve. \\
$B$ & A generator point of the prime order subgroup of $E$. \\
$\groupelement{B}$ & A generator point of the prime order subgroup of $E$. \\
$L$ & The order of the prime order subgroup. \\
$H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure.
\end{tabularx}
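Review bot: Only the generator row of the parameter table is moved to \groupelement{B}, so any remaining bare $B$ in figure \ref{fig:eddsa} or the running text should be converted in the same commit; otherwise the table and the scheme description disagree on notation, while the Signature subsection already writes \groupelement{R}. A small wording fix in the neighbouring row would fit here too: "$a, d$ & The curve parameter" names two symbols and should read "The curve parameters".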
@@ -75,7 +75,7 @@ The encoding function encodes points on the twisted Edwards curve into a b-bit b
The message space $\messagespace$ is defined as a bitstring of arbitrary length. To make the proof applicable to the EdDSA variant with context, the context can be modeled as part of the message.
Looking at the RFC and FIPS standards, the context is passed to a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during signature generation and verification. Since the proofs are performed in the random oracle model, the position of the data in the hash function call, the actual content of the message, and the context are not relevant to the output of the random oracle call, unless the reduction explicitly uses the content of the message, which it does not in this case. Therefore, the context can be modeled as being part of the message.
Looking at the RFC and FIPS standards, the context is passed to a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during signature generation and verification. Since the proofs are performed in the random oracle model, the position of the data in the hash function call, the actual content of the message, and the context are not relevant to the distribution of the random oracle. The context can be modeled as being part of the message, since the random oracle has the same uniform random distribution with or without the context.
\subsection{Signature}
The signature is defined as a $2b$ bitstring of the encoded curve points $\groupelement{R}$ concatenated with the $b$-bit little endian encoding of the scalar $S$.
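Review bot: The rewritten justification for the context ("the random oracle has the same uniform random distribution with or without the context") drops the earlier condition that the reduction does not use the content of the message, and it does not say why distinct (context, message) pairs lead to distinct oracle inputs. Since the text says "dom" concatenates the context with additional data, add one sentence stating that this encoding is unambiguous, so that treating the context as part of the message does not merge two different inputs, and keep the remark that the reduction never inspects the message content. In the unchanged Signature sentence, "a $2b$ bitstring of the encoded curve points $\groupelement{R}$" reads better as "a $2b$-bit string consisting of the encoded curve point $\groupelement{R}$".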