Added SUF-CMA security notion
@@ -109,6 +109,40 @@ TODO
\subsection{Security Notions}
\subsection{Digital Signature Scheme}
\subsubsection{\cma}
\cma is a security notion for digital signature schemes. In this game the attacker is given access to a \Osign oracle, which generates valid signatures for arbitrary messages. The attacker wins the game if he is able to provide a message signature pair which is valid and was not generated by the \Osign oracle. The security game is depicted in figure \ref{game:cma}
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \cma secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\cma}(k)$ is negligible in k.
\[ \advantage{SIG,\adversary{A}}{\cma}(k) \assign \prone{\cma^{\adversary{A}}} \leq \epsilon \]
\begin{figure}
\caption{\cma Security Game}
\label{game:cma}
\hrule
\begin{multicols}{2}
\normalsize
\begin{algorithmic}[1]
\State \underline{\game \cma}
\State $(\pubkey, \privkey) \randomassign \keygen(1^k)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\cdot)}(\pubkey)$
\State \Return $\verify(\pubkey, \m^*, \signature^*) = 1 \wedge (\m^*, \signature^*) \notin M$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{Sign}{$\m$}
\State $\signature \randomassign \sign(\privkey, \m)$
\State $M \assign M \cup {(\m, \signature)}$
\State \Return $\signature$
\EndProcedure
\end{algorithmic}
\end{multicols}
\hrule
\end{figure}
\subsection{Random Oracle Model (ROM)}
\subsection{Algebraic Group Model (AGM)}
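Review bot: the set $M$ that the win condition tests against is never initialized; the game in the left column needs `\State $M \assign \emptyset$` before the adversary is run, otherwise `(\m^*, \signature^*) \notin M` is undefined when the adversary makes no Sign query. In the oracle, `$M \assign M \cup {(\m, \signature)}$` loses its set braces in math mode (plain `{...}` is only grouping); write `\{(\m, \signature)\}`. The adversary is given `\sign(\cdot)` as its oracle while the procedure is named Sign and the prose calls it `\Osign`; use `\Osign` in the superscript so it is clear the adversary queries the oracle that records into $M$ and not the raw signing algorithm. The advantage line `\assign \prone{...} \leq \epsilon` mixes a definition with a bound: define `\advantage{SIG,\adversary{A}}{\cma}(k) \assign \prone{\cma^{\adversary{A}}}` and let the sentence before it (which should read `$k$`, not `k`) carry the negligibility claim. Since $M$ stores pairs, the game is indeed the strong notion the commit title announces; the first paragraph should say so explicitly, i.e. that a fresh signature on an already queried message counts as a forgery, which is what separates it from UF-CMA. That paragraph is also missing its final period after `\ref{game:cma}`.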
@@ -124,7 +158,7 @@ TODO
This section takes a closer look at the existing specifications of the EdDSA signature scheme and specifies a version which will be analyzed in this thesis.
This work will take a closer look at the UF-CMA security of the EdDSA signature scheme. EdDSA was introduced as the Ed25519 signature scheme using the twisted Edwards curve Edwards25519, which is birationally equivalent to the Weierstrass curve Curve25519 \cite{JCEng:BDLSY12}. Later in 2015 the paper "EdDSA for more Curves" by Bernstein et al. introduces a more general version of EdDSA \cite{EPRINT:BJLSY15}. The paper also introduces a variant of EdDSA using prehashing. The RFC 8032 "Edwards-Curve Digital Signature Algorithm (EdDSA)" from 2017 specifies a version of EdDSA with the inclusion of an additional input parameter \textit{context} for the \sign and \verify procedure \cite{josefsson_edwards-curve_2017}. This version was also included into the FIPS 186-5 "Digital Signature Standard (DSS)" standard \cite{moody_digital_2023}.
This work will take a closer look at the \cma security of the EdDSA signature scheme. EdDSA was introduced as the Ed25519 signature scheme using the twisted Edwards curve Edwards25519, which is birationally equivalent to the Weierstrass curve Curve25519 \cite{JCEng:BDLSY12}. Later in 2015 the paper "EdDSA for more Curves" by Bernstein et al. introduces a more general version of EdDSA \cite{EPRINT:BJLSY15}. The paper also introduces a variant of EdDSA using prehashing. The RFC 8032 "Edwards-Curve Digital Signature Algorithm (EdDSA)" from 2017 specifies a version of EdDSA with the inclusion of an additional input parameter \textit{context} for the \sign and \verify procedure \cite{josefsson_edwards-curve_2017}. This version was also included into the FIPS 186-5 "Digital Signature Standard (DSS)" standard \cite{moody_digital_2023}.
In the prehashing variant of EdDSA the signature is calculated on the hash value of the message. The message is used twice during the generation of the signature. Thus the message needs to be buffered or transmitted twice during the generation of the signature. Therefore the prehashing variant offers an performance advantage on memory and bandwidth constraint devices. The context is an additional input parameter which has to be equal during generation and verification of the signature and is used to bind the signature to a given context.
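Review bot: in the unchanged paragraph on prehashing, "The message is used twice during the generation of the signature" describes the non-prehashed variant, but it follows directly on the sentence introducing the prehash variant and so reads as if it described that one; a lead-in such as "Without prehashing, ..." is needed for the "Thus ... Therefore ..." chain to hold. With `\cma` now expanding to SUF-CMA, the replaced sentence turns the stated goal of this section into strong unforgeability, so the introduction and abstract should be checked for the same wording in this commit. Grammar in the context lines: "an performance advantage on memory and bandwidth constraint devices" should be "a performance advantage on memory- and bandwidth-constrained devices", and "for the \sign and \verify procedure" should be plural.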
@@ -217,32 +251,36 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\subsection{Replacing Hash Function Calls}
To make working with the random oracle easier in the following proofs I will replace some calls to the hash function with calls to a pseudo random generator and a pseudo random function. I then show that the advantage winning the \cma game of both versions of the EdDSA signature scheme is roughly the same.
\newpage
\section{The Security of EdDSA in a Single-User Setting}
This section takes a look at the single-user security of EdDSA. This is done by showing the UF-CMA security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:dlog'} provides a concrete bound on the security of this version of the DLog problem.
This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:dlog'} provides a concrete bound on the security of this version of the DLog problem.
% TODO: Ichform?
% TODO: richtige Richtung?
% TODO: "onto which I will reduce the UF-NMA security" kann man das so schreiben?
The proof starts by showing that the UF-NMA security of EdDSA implies UF-CMA security of EdDSA in the Random Oracle Model. Next I introduce an intermediate game on which I will reduce the UF-NMA security. At last, I will show that this intermediate game implies security regarding the special version of the DLog problem.
The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next I introduce an intermediate game on which I will reduce the UF-NMA security. At last, I will show that this intermediate game implies security regarding the special version of the DLog problem.
The chain of reductions can be depicted as:
\[ DLog' => Game Z => UF-NMA_{EdDSA} => UF-CMA_{EdDSA} \]
\[ DLog' => Game Z => UF-NMA_{EdDSA} => \cma_{EdDSA} \]
\subsection{UF-NMA $=>$ UF-CMA (ROM)}
\subsection{UF-NMA $=>$ \cma (ROM)}
In this section I will show that the UF-CMA security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. I first start by providing an intuition for the proof followed by the detailed security proof.
In this section I will show that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. I first start by providing an intuition for the proof followed by the detailed security proof.
\paragraph{intuition} The UF-NMA security definition is close to the security definition of UF-CMA but is missing the \Osign oracle. To show that UF-NMA security implies UF-CMA security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
\paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment and challenge. The signature is the tuple of commitment and response.
To generate a signature without the knowledge of the private key I choose the challenge and the response randomly, calculate the commitment based on the choosen challenge and response and then program the random oracle to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for this message.
\paragraph{Formal Proof}
\section{The Security of EdDSA in a Multi-User Setting}
\section{The Ed-GGM}
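Review bot: the direction in "the \cma security of EdDSA signature scheme implies the UF-NMA security" is the reverse of the subsection heading `UF-NMA $=>$ \cma (ROM)`, of the sentence "the UF-NMA security of EdDSA implies \cma security" above it, and of the reduction chain; the `% TODO: richtige Richtung?` comment flags exactly this, so the sentence should read "the UF-NMA security of the EdDSA signature scheme implies the \cma security of the EdDSA signature scheme in the Random Oracle Model". Second, the proof overview (pick challenge and response at random, derive the commitment, program the random oracle) is the argument for existential unforgeability; with the strong notion this commit introduces, the reduction must also handle a forgery $(\m^*, \signature^*)$ where $\m^*$ was queried to \Osign and only $\signature^*$ is new, and the overview does not say how that case is turned into a UF-NMA forgery. Third, in `\[ DLog' => Game Z => UF-NMA_{EdDSA} => \cma_{EdDSA} \]` and in the heading, `=>` in math mode renders as "= >", `Game Z` as a product of italic variables, and `\cma_{EdDSA}` attaches the subscript only to the final "A" with the hyphen set as a minus sign; use `\Rightarrow`, `\text{Game Z}` and `\text{\cma}_{EdDSA}` (likewise `\text{UF-NMA}`). Minor, in the context lines: "choosen" should be "chosen", and "of EdDSA signature scheme" needs "the" in both occurrences.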
@@ -1,11 +1,24 @@
% Games
\newcommand{\game}{\textbf{Game} }
\newcommand{\randomsample}{\overset{{\scriptscriptstyle\$}}{\leftarrow}}
\newcommand{\randomassign}{\leftarrow}
\newcommand{\assign}{:=}
\newcommand{\encoded}[1]{\underline{#1}}
\newcommand{\m}{m}
\newcommand{\signature}{\sigma}
\newcommand{\pubkey}{pk}
\newcommand{\privkey}{sk}
% EdDSA procedures
\newcommand{\keygen}{KeyGen }
\newcommand{\sign}{Sign }
\newcommand{\verify}{Verify }
% Security Notions
\newcommand{\cma}{SUF-CMA }
\newcommand{\adversary}[1]{\mathcal{#1}}
\newcommand{\advantage}[2]{Adv_{#1}^{#2}}
\newcommand{\prone}[1]{Pr[#1 \Rightarrow 1]}
% Oracle
\newcommand{\Osign}{\textit{Sign} }
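Review bot: `\newcommand{\cma}{SUF-CMA }` is used inside math in the main file (`\cma_{EdDSA}`, `\advantage{...}{\cma}`), where the letters become italic variables, the hyphen a minus sign and the trailing space is discarded; define it as `\newcommand{\cma}{\text{SUF-CMA}}` and drop the trailing space (use `\cma{}` or the xspace package where a following space is needed, since the current definition also swallows punctuation spacing in text). The same applies to `\keygen`, `\sign` and `\verify`, which appear in `$SIG = (\keygen, \sign, \verify)$`; `\mathsf{KeyGen}` etc. renders consistently in both modes. Also `\randomassign` is defined as the plain `\leftarrow`, identical to a deterministic assignment, although the game uses it for the randomized `\keygen`, `\sign` and adversary calls; `\randomsample` with the `$` decoration is already defined for exactly that and looks like the macro that was meant.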