Minor improvements

2023-05-25 16:42:45 +02:00
parent 456d77749f
commit 24bb0784aa
3 changed files with 8 additions and 7 deletions


@@ -8,7 +8,7 @@ A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a th
To obtain a signature scheme from the canonical identification scheme, it must be made non-interactive. This can be achieved using the Fiat-Schamir transformation. The transformation was introduced by Fiat and Schamir in 1986 \cite{C:FiaSha86}. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the prover. This is a crucial part of the scheme's security, since otherwise the prover might be able to choose a commitment and a challenge in a way that allows him generate a valid solution without being in the possession of the secret key.
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. This allows the proofer to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function. There are many proofs sowing that the Fiat-Schamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98} \cite{JC:PoiSte00} \cite{EC:AABN02}).
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. This allows the proofer to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function. There are many proofs sowing that the Fiat-Schamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98,JC:PoiSte00,EC:AABN02}).
\paragraph{Related Proofs} As mentioned above, there exists an paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to embed a challenge in one of the hash queries, further losing tightness.
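Review bot: the rewritten line (the second of the two paragraphs beginning "The Fiat-Schamir transformation") still carries several spelling errors that this edit could fix while it touches the line: "Fiat-Schamir" should be "Fiat-Shamir" (here and twice in the preceding context line), "proofer" should be "prover" (twice), and "sowing" should be "showing". In the preceding context line, "allows him generate a valid solution" is missing "to". Separately, calling the hash a "pseudorandom function" is imprecise: the challenge must be recomputable by any verifier from the public commitment and message, so nothing in it can be secretly keyed; the cited security proofs model the hash function as a random oracle, and saying so here would match the references.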
@@ -18,4 +18,4 @@ The multi-user security of EdDSA was briefly analyzed in a paper by Bernstein af
In 2016, Kiltz et al. provided a tight bound on the multi-user security of Schorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by EdDSA due to the clamping introduced by the key generation algorithm.
Fuchsbauer et al. generated a tight security proof for the Schnorr signature scheme by using the algebraic group model. \cite{EC:FucPloSeu20} They achieved this by using the representation of the commitment together with a forged signature to compute the discrete logarithm of the public key. This approach looks promising also for the EdDSA signature scheme.
Fuchsbauer et al. generated a tight security proof for the Schnorr signature scheme by using the algebraic group model \cite{EC:FucPloSeu20}. They achieved this by using the representation of the commitment together with a forged signature to compute the discrete logarithm of the public key. This approach looks promising also for the EdDSA signature scheme.
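Review bot: moving the citation inside the sentence is the right fix, but "Schorr signatures" in the preceding context line (the Kiltz et al. sentence) is a typo for "Schnorr signatures" and could be corrected in the same commit. In the new line, "looks promising also for the EdDSA signature scheme" reads more naturally as "also looks promising for the EdDSA signature scheme".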