Minor improvements
This commit is contained in:
@@ -1,9 +1,9 @@
|
|||||||
\section{EdDSA Signatures}
|
\section{EdDSA Signatures}
|
||||||
\label{sec:eddsa}
|
\label{sec:eddsa}
|
||||||
|
|
||||||
This section takes a closer look at the differences between the existing EdDSA specifications and points out the differences between the standards and the original Schnorr signature scheme.
|
This section takes a closer look at the differences between the existing EdDSA specifications and points out the differences between the standards and the original Schnorr signature scheme. This section is partly inspired by \cite{SP:BCJZ21}.
|
||||||
|
|
||||||
As mentioned above, there are two papers by Bernstein et. al., that define the EdDSA signature scheme \cite{CHES:BDLSY11} \cite{EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in the table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. Both variants can be described by the definition of the EdDSA signature scheme, by using a different perhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme.
|
As mentioned above, there are two papers by Bernstein et. al., that define the EdDSA signature scheme \cite{CHES:BDLSY11,EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in the table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. Both variants can be described by the definition of the EdDSA signature scheme, by using a different perhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme.
|
||||||
|
|
||||||
There also exist two major standards for the EdDSA signature scheme. The first is the RFC 8032, which was introduced by the IETF in 2017 \cite{josefsson_edwards-curve_2017}. n addition to publishing concrete parameterizations for the Ed25519 and Ed448 signature schemes, it also includes a variant of the EdDSA signature scheme that includes a context. The context is a separate string that can be used to separate the use of EdDSA between different protocols. As argued below, the inclusion of this context does not affect the security of the signature scheme and can be modeled as being part of the message.
|
There also exist two major standards for the EdDSA signature scheme. The first is the RFC 8032, which was introduced by the IETF in 2017 \cite{josefsson_edwards-curve_2017}. n addition to publishing concrete parameterizations for the Ed25519 and Ed448 signature schemes, it also includes a variant of the EdDSA signature scheme that includes a context. The context is a separate string that can be used to separate the use of EdDSA between different protocols. As argued below, the inclusion of this context does not affect the security of the signature scheme and can be modeled as being part of the message.
|
||||||
|
|
||||||
@@ -111,7 +111,7 @@ Such a choice of the secret scalar should help to make the implementation consta
|
|||||||
|
|
||||||
\subsubsection{Key Prefixing}
|
\subsubsection{Key Prefixing}
|
||||||
|
|
||||||
The EdDSA signature scheme also includes the public key as an additional input to the hash function when generating the challenge. This change does not reduce the security of the signature scheme and is mainly related to the multi-user security of the signature scheme. Whether key prefixing actually improves multi-user security is much debated \cite{EPRINT:Bernstein15} \cite{C:KilMasPan16}.
|
The EdDSA signature scheme also includes the public key as an additional input to the hash function when generating the challenge. This change does not reduce the security of the signature scheme and is mainly related to the multi-user security of the signature scheme. Whether key prefixing actually improves multi-user security is much debated \cite{EPRINT:Bernstein15,C:KilMasPan16}.
|
||||||
|
|
||||||
\subsubsection{Deterministic Nonce Generation}
|
\subsubsection{Deterministic Nonce Generation}
|
||||||
|
|
||||||
|
|||||||
@@ -12,13 +12,14 @@ In a 2020 paper, Brendel et al. showed that Ed25519 satisfies EUF-CMA and SUF-CM
|
|||||||
|
|
||||||
Tightness is a property of a security proof. A security proof is said to be tight if the probability of success of an adversary $\adversary{B}$ attacking problem B, constructed from adversary $\adversary{A}$ attacking problem A, is at most smaller than the probability of success of $\adversary{A}$ by a small constant factor.
|
Tightness is a property of a security proof. A security proof is said to be tight if the probability of success of an adversary $\adversary{B}$ attacking problem B, constructed from adversary $\adversary{A}$ attacking problem A, is at most smaller than the probability of success of $\adversary{A}$ by a small constant factor.
|
||||||
|
|
||||||
|
%TODO: Umschreiben
|
||||||
Tight security proofs are desirable because they provide a better approximation of the bit security of a signature scheme when instantiated with concrete primitives (such as groups or hash functions)\cite{SAC:ChaMenSar11}. A better approximation results in smaller parameters (such as the size of the group) yielding better bit security. This means that, with tighter security proofs, smaller primitives can be used to achieve the same level of security, and smaller primitives often result in more faster computations and therefore more efficient cryptographic schemes.
|
Tight security proofs are desirable because they provide a better approximation of the bit security of a signature scheme when instantiated with concrete primitives (such as groups or hash functions)\cite{SAC:ChaMenSar11}. A better approximation results in smaller parameters (such as the size of the group) yielding better bit security. This means that, with tighter security proofs, smaller primitives can be used to achieve the same level of security, and smaller primitives often result in more faster computations and therefore more efficient cryptographic schemes.
|
||||||
|
|
||||||
For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security under the discrete logarithm assumption, as shown by Fuchsbauer et al. in \cite{EC:FucPloSeu20}.
|
For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security under the discrete logarithm assumption, as shown by Fuchsbauer et al. \cite{EC:FucPloSeu20}.
|
||||||
|
|
||||||
This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduces by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. While allowing only one bitstring representation of a scalar, strict parsing, ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing, results only in EUF-CMA security.
|
This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduces by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. While allowing only one bitstring representation of a scalar, strict parsing, ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing, results only in EUF-CMA security.
|
||||||
|
|
||||||
Another important property of a signature scheme, also briefly mentioned in the paper \cite{SP:BCJZ21}, is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. In most cases, an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the provided public keys. The multi-user security of Schnorr-like signature schemes has been analyzed in several papers \cite{EPRINT:Bernstein15} \cite{C:KilMasPan16}, but none of them apply to EdDSA or give a tight reduction.
|
Another important property of a signature scheme, also briefly mentioned in the paper \cite{SP:BCJZ21}, is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. In most cases, an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the provided public keys. The multi-user security of Schnorr-like signature schemes has been analyzed in several papers \cite{EPRINT:Bernstein15,C:KilMasPan16}, but none of them apply to EdDSA or give a tight reduction.
|
||||||
|
|
||||||
This thesis uses the same method of providing a tight security proof in the algebraic group model and the random oracle model to prove the security of EdDSA in the multi-user setting under a variant of the one more discrete logarithm assumption, which also takes the key clamping of EdDSA into account.
|
This thesis uses the same method of providing a tight security proof in the algebraic group model and the random oracle model to prove the security of EdDSA in the multi-user setting under a variant of the one more discrete logarithm assumption, which also takes the key clamping of EdDSA into account.
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a th
|
|||||||
|
|
||||||
To obtain a signature scheme from the canonical identification scheme, it must be made non-interactive. This can be achieved using the Fiat-Schamir transformation. The transformation was introduced by Fiat and Schamir in 1986 \cite{C:FiaSha86}. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the prover. This is a crucial part of the scheme's security, since otherwise the prover might be able to choose a commitment and a challenge in a way that allows him generate a valid solution without being in the possession of the secret key.
|
To obtain a signature scheme from the canonical identification scheme, it must be made non-interactive. This can be achieved using the Fiat-Schamir transformation. The transformation was introduced by Fiat and Schamir in 1986 \cite{C:FiaSha86}. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the prover. This is a crucial part of the scheme's security, since otherwise the prover might be able to choose a commitment and a challenge in a way that allows him generate a valid solution without being in the possession of the secret key.
|
||||||
|
|
||||||
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. This allows the proofer to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function. There are many proofs sowing that the Fiat-Schamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98} \cite{JC:PoiSte00} \cite{EC:AABN02}).
|
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. This allows the proofer to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function. There are many proofs sowing that the Fiat-Schamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98,JC:PoiSte00,EC:AABN02}).
|
||||||
|
|
||||||
\paragraph{Related Proofs} As mentioned above, there exists an paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to embed a challenge in one of the hash queries, further losing tightness.
|
\paragraph{Related Proofs} As mentioned above, there exists an paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to embed a challenge in one of the hash queries, further losing tightness.
|
||||||
|
|
||||||
@@ -18,4 +18,4 @@ The multi-user security of EdDSA was briefly analyzed in a paper by Bernstein af
|
|||||||
|
|
||||||
In 2016, Kiltz et al. provided a tight bound on the multi-user security of Schorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by EdDSA due to the clamping introduced by the key generation algorithm.
|
In 2016, Kiltz et al. provided a tight bound on the multi-user security of Schorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by EdDSA due to the clamping introduced by the key generation algorithm.
|
||||||
|
|
||||||
Fuchsbauer et al. generated a tight security proof for the Schnorr signature scheme by using the algebraic group model. \cite{EC:FucPloSeu20} They achieved this by using the representation of the commitment together with a forged signature to compute the discrete logarithm of the public key. This approach looks promising also for the EdDSA signature scheme.
|
Fuchsbauer et al. generated a tight security proof for the Schnorr signature scheme by using the algebraic group model \cite{EC:FucPloSeu20}. They achieved this by using the representation of the commitment together with a forged signature to compute the discrete logarithm of the public key. This approach looks promising also for the EdDSA signature scheme.
|
||||||
Reference in New Issue
Block a user