From 3db0912f79e9856b1d4e699fefd7bc9152213461 Mon Sep 17 00:00:00 2001 From: Aaron Kaiser Date: Fri, 16 Jun 2023 12:46:37 +0200 Subject: [PATCH] Minor changes --- thesis/Abschlussarbeit.tex | 8 ++++---- thesis/sections/conclusion.tex | 2 +- thesis/sections/eddsa.tex | 10 +++++----- thesis/sections/introduction.tex | 10 +++++----- thesis/sections/notation.tex | 2 +- thesis/sections/preliminaries.tex | 13 +++++-------- thesis/sections/related_work.tex | 10 +++++----- thesis/sections/security_notions.tex | 8 ++++---- .../security_of_eddsa/dlog'_implies_gamez.tex | 2 +- .../security_of_eddsa/gamez_implies_uf-nma.tex | 2 +- .../security_of_eddsa/uf-nma_implies_suf-cma.tex | 14 +++++++------- 11 files changed, 39 insertions(+), 42 deletions(-) diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex index 33ffb1e..b37a088 100644 --- a/thesis/Abschlussarbeit.tex +++ b/thesis/Abschlussarbeit.tex 
@@ -122,7 +122,7 @@ The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$ \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \end{theorem} -The proof begins by showing that the UF-NMA security of EdDSA implies the SUF-CMA/EUF-CMA security of EdDSA with different types of parsing in the random oracle model. With this step, subsequent proofs can be performed without worrying about signature generation, and a unified chain of reduction can be used to prove the security of EdDSA with both parsing variants. Next, an algebraic intermediate game \igame is introduced. This intermediate game serves as a separation for proofs in the random oracle model and those in the algebraic group model. Finally, the intermediate game \igame is reduced to the special discrete logarithm variant \sdlog. +The proof begins by showing that the UF-NMA security of EdDSA implies the SUF-CMA/EUF-CMA security of EdDSA with different types of parsing, in the random oracle model. With this step, subsequent proofs can be performed without worrying about signature generation, and a unified chain of reduction can be used to prove the security of EdDSA with both parsing variants. Next, an algebraic intermediate game \igame is introduced. This intermediate game serves as a separation for proofs in the random oracle model and those in the algebraic group model. Finally, the intermediate game \igame is reduced to the special discrete logarithm variant \sdlog. The chain of reductions can be depicted as: 
@@ -136,11 +136,11 @@ By combining the loss of advantage during all of the proofs above, combined with \section{The Security of EdDSA in a Multi-User Setting} -In this section the multi-user security of the EdDSA signature scheme will be analyzed. A common approach for Schnorr-like signature schemes is to show it via the Random Self-reducibility property of the canonical identification scheme as done in \cite{C:KilMasPan16}. This approach does not work with the EdDSA signature scheme, since the reduction is not able to rerandomize a public key in a way preserving the distribution of the key generation algorithm. This is due to the fact that valid public key always has to have the n-th bit set. +Now that the single-user security of EdDSA got analyzed, we can take a look at its multi-user security. A common approach for Schnorr-like signature schemes is to show it using the random self-reducibility property of the canonical identification scheme as done in \cite{C:KilMasPan16}. This approach does not work with the EdDSA signature scheme as the underlying identification scheme does not have this random self-reducibility property, since the reduction is not able to rerandomize a public key in a way preserving the distribution of the key generation algorithm. This is due to the fact that valid secret scalar always has to have the n-th bit set. -Therefore, a similar approach to the proof in the single-user setting is used. It is not possible to reduce the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$, which was needed for the discrete logarithm of the public key to be calculated. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used, as introduced in \cite{JC:BNPS03}. +Therefore, a similar approach to the proof in the single-user setting is used. 
It is not possible to reduce onto the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$, which was needed for the discrete logarithm of the public key to be calculated. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used, as introduced in \cite{JC:BNPS03}. -The proof starts by showing that the MU-UF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the Random Oracle Model. Next an intermediate game is introduced onto which the MU-UF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption. +The proof starts by showing that the MU-UF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the MU-UF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption. The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are: diff --git a/thesis/sections/conclusion.tex b/thesis/sections/conclusion.tex index 9177cbe..fed4eda 100644 --- a/thesis/sections/conclusion.tex +++ b/thesis/sections/conclusion.tex 
@@ -4,7 +4,7 @@ In this thesis it has been proven that EdDSA is tightly secure using the algebra It has also been proven that the most common instantiations Ed25519 and Ed448 provide 125-bit of security and 221-bit of security respectively. This is weaker than the original discrete logarithm problem for the elliptic curves used, but was to be expected considering the clamping of the private key. -Moreover, it has been proven that the signature scheme does not lose much of its security considering a multi-user setting. More specific, with a generous assumption of the existence of $2^{35} (\approx 35 \text{ billion})$ public keys the scheme loses only one bit of security. +Moreover, it has been proven that the signature scheme does not lose much of its security considering a multi-user setting. More specific, with a generous assumption of the existence of $2^{35} (\approx 32 \text{ billion})$ public keys the scheme loses only one bit of security. According to the results of this thesis, the EdDSA proved to be a secure signature scheme and that the modifications done to the original Schnorr signature scheme have very little affect on the security of the signature scheme. In fact, the only noticeable loss in security was introduced by the clamping of the private key. diff --git a/thesis/sections/eddsa.tex b/thesis/sections/eddsa.tex index 80e3124..6d2d897 100644 --- a/thesis/sections/eddsa.tex +++ b/thesis/sections/eddsa.tex 
@@ -69,13 +69,13 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}. \subsection{Encoding of Group Elements} -The encoding function encodes points on the twisted Edwards curve into a b-bit bitstring and vice versa. It is assumed that when a b-bit bitstring is decoded, the resulting point is either a valid point on the twisted Edwards curve or the decoding will fail. In this way, decoding a b-bit bitstring into a cuve point implicitly ensures that the decoded point is a valid point on the specified twisted Edwards curve. The encoding function does not ensure that each point has exactly one bitstring representation. This means that there may be multiple bitstrings mapping to the same curve point during decoding. The effect of this is included in the analysis. +The encoding function encodes points on the twisted Edwards curve into a b-bit bitstring and vice versa. It is assumed that when a b-bit bitstring is decoded, the resulting point is either a valid point on the twisted Edwards curve or otherwise the decoding will fail. In this way, decoding a b-bit bitstring into a cuve point implicitly ensures that the decoded point is a valid point on the specified twisted Edwards curve. The encoding function does not ensure that each point has exactly one bitstring representation. This means that there may be multiple bitstrings mapping to the same curve point during decoding. The effect of this is included in the analysis. \subsection{Message Space} The message space $\messagespace$ is defined as a bitstring of arbitrary length. To make the proof applicable to the EdDSA variant with context, the context can be modeled as part of the message. -Looking at the RFC and FIPS standards, the context is passed to a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during signature generation and verification. 
Since the proofs are performed in the random oracle model, the position of the data in the hash function call, the actual content of the message, and the context are not relevant to the output of the random oracle call. Unless the reduction explicitly uses the content of the message, which it does not in this case. Therefore, the context can be modeled as part of the message. +Looking at the RFC and FIPS standards, the context is passed to a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during signature generation and verification. Since the proofs are performed in the random oracle model, the position of the data in the hash function call, the actual content of the message, and the context are not relevant to the output of the random oracle call, unless the reduction explicitly uses the content of the message, which it does not in this case. Therefore, the context can be modeled as being part of the message. \subsection{Signature} The signature is defined as a $2b$ bitstring of the encoded curve points $\groupelement{R}$ concatenated with the $b$-bit little endian encoding of the scalar $S$. 
@@ -100,7 +100,7 @@ This may pose additional challenges, since working with group elements outside t Instead of choosing the secret scalar uniformly at random, as done in most other schemes, the secret scalar is generated by hashing a random bitstring, fixing some bits of the hash result to a specific value and then interpreting $n$ bits of the result as the little endian representation of an integer. -To be more precise from the lower $b$ bits of the $2b$ bitstring the lowest $c$ bit are set to 0, where $c$ is the cofactor of the twisted Edwards curve, and the $n$th bit is set to 1. Then the first $n$ bits are interpreted as the secret scalar $s$. +To be more precise, from the lower $b$ bits of the $2b$ bitstring the lowest $c$ bit are set to 0, where $c$ is the cofactor of the twisted Edwards curve, and the $n$th bit is set to 1. Then the first $n$ bits are interpreted as the secret scalar $s$. This is strictly less secure, in the sense of the discrete logarithm problem, than choosing the secret scalar uniformly at random. It also makes proofs in the multi-user setting more challenging, since rerandomization of a public key is not easily possible and therefore the multi-user security of EdDSA cannot be easily reduced onto the single-user security of EdDSA. 
@@ -114,12 +114,12 @@ The EdDSA signature scheme also includes the public key as an additional input t \subsubsection{Deterministic Nonce Generation} -The commitment is chosen as the result of a hash function instead of being chosen at random each time a signature is generated. This makes signature generation deterministic. Since the hash function is modeled as a random oracle, the deterministic generation of the commitment does not pose any additional security risk, since it can be replaced by a random function, as shown in \ref{sec:eddsa'_proof}. +The commitment is chosen as the result of a hash function instead of being chosen at random each time a signature is generated. This makes signature generation deterministic. Since the hash function can be modeled as a random oracle, the deterministic generation of the commitment does not pose any additional security risk, since it can be replaced by a random function, as shown in \ref{sec:eddsa'_proof}. \subsection{Replacing Hash Function Calls} \label{sec:eddsa'_proof} -To make it easier to work with the random oracle, the following proofs introduce a variant of the EdDSA signature scheme in which some calls to the random oracle are replaced by direct sampling of a value at random or by using a random function. It is then shown that the advantage of winning the \cma game is roughly the same in both versions of the signature scheme. +To make it easier to work with the random oracle, the following proofs introduce a variant of the EdDSA signature scheme in which some calls to the hash function are replaced by direct sampling of a value at random or by using a random function. It is then shown that the advantage of winning the \cma game is roughly the same in both versions of the signature scheme. \paragraph{\underline{Introducing EdDSA'}} diff --git a/thesis/sections/introduction.tex b/thesis/sections/introduction.tex index 597d245..1eb1a7c 100644 --- a/thesis/sections/introduction.tex 
+++ b/thesis/sections/introduction.tex 
@@ -4,7 +4,7 @@ The EdDSA signature scheme was first introduced in 2011 by Bernstein, Duif, Lang The original paper focused on the performance of the signature scheme and did not provide a formal security analysis of the signature scheme. The EdDSA signature scheme is closely related to the Schnorr signature scheme. Although EdDSA is related to the Schnorr signature scheme, the security proofs for Schnorr signature schemes do not apply to EdDSA. The EdDSA signature scheme uses the key prefixing modification and calculates its commitments deterministically, which does not weaken the security \cite{AC:BelPoeSte16}. Besides these modifications, EdDSA also uses a different group structure, which is a prime order subgroup of a twisted Edwards curve, and clamps some bits of the private key to predefined values. Both of these modifications have not been well studied for the Schnorr signature scheme. The EdDSA signature scheme also specifies several variations of parsing the signature from a bitstring. One way of parsing the signature is to allow only one bitstring representation for a scalar and curve point, and another way is to allow multiple bitstring representations of the same scalar and curve point. This raises the question of whether the changes still result in a secure signature scheme. -The desired security notions for the signature scheme are EUF-CMA or SUF-CMA security. These security notions require that no adversary is able to provide a forged signature from an arbitrary set of valid signatures for arbitrary messages. While EUF-CMA requires a forged signature for a message for which the adversary does not have a valid signature, SUF-CMA also counts as valid forgeries message signature pairs that were not provided to the adversary. +The desired security notions for signature schemes is EUF-CMA or SUF-CMA security. 
These security notions require that no adversary is able to provide a forged signature from an arbitrary set of valid signatures for arbitrary messages. While EUF-CMA requires a forged signature for a message for which the adversary did not obtain a valid signature, SUF-CMA also counts as valid forgeries message/signature pairs that were not provided to the adversary, meaning that the adversary also wins if he is able to generate a new valid signature for a message given an already valid signature for that message. The Schnorr signature scheme originates from a canonical identification scheme to which the Fiat-Schamir transformation is applied \cite{JC:Schnorr91}. This transformation transforms the interactive identification scheme into a non-interactive one by making some of the values deterministic. By making the values also dependent on a message, the resulting transcript of the canonical identification scheme can be interpreted as the signature for that message \cite{C:FiaSha86}. 
@@ -12,15 +12,15 @@ In a 2020 paper, Brendel et al. showed that Ed25519 satisfies EUF-CMA and SUF-CM Tightness is a property of a security proof. A security proof is said to be tight if the probability of success of an adversary $\adversary{B}$ attacking problem B, constructed from adversary $\adversary{A}$ attacking problem A, is at most smaller than the probability of success of $\adversary{A}$ by a small constant factor. -Tight security proofs are desirable because they prove the security of multiple instantiations of a cryptographic scheme. In practice, cryptographic schemes are instantiated with primitives that are efficient in order to obtain an overall efficient scheme. If a security proof is not tight, it may not provide meaningful bounds on the security of the scheme, since it may be instantiated with efficient primitives that have parameters too small for the security proof to apply, and the use of less efficient schemes may be undesirable for performance reasons. +Tight security proofs are desirable because they prove the security of multiple instantiations of a cryptographic scheme. In practice, cryptographic schemes are instantiated with primitives that are efficient in order to obtain an overall efficient scheme. If a security proof is not tight, it may not provide meaningful bounds on the security of the scheme, since it may be instantiated with efficient primitives that have parameters too small for the security proof to provide a meaningful bound. The use of less efficient primitives, to which the security proof provides meaningful bounds, may be undesirable for performance reasons. -For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security under the discrete logarithm assumption, as shown by Fuchsbauer et al. \cite{EC:FucPloSeu20}. 
+For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security using the discrete logarithm assumption, as shown by Fuchsbauer et al. \cite{EC:FucPloSeu20}. -This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduced by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. By allowing only one bitstring representation of a scalar, strict parsing ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing results only in EUF-CMA security. +This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduced by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. By allowing only one bitstring representation of a scalar, strict parsing ensures SUF-CMA security. Allowing multiple bitstring representations of the same scalar, lax parsing, results only in EUF-CMA security. Another important property of a signature scheme, also briefly mentioned in the paper \cite{SP:BCJZ21}, is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. 
In most cases, an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the provided public keys. The multi-user security of Schnorr-like signature schemes has been analyzed in several papers \cite{EPRINT:Bernstein15,C:KilMasPan16}, but none of them apply to EdDSA or give a tight reduction. -This thesis uses the same method of providing a tight security proof in the algebraic group model and the random oracle model to prove the security of EdDSA in the multi-user setting under a variant of the one more discrete logarithm assumption, which also takes the key clamping of EdDSA into account. +This thesis uses the same method of providing a tight security proof in the algebraic group model and the random oracle model to prove the security of EdDSA in the multi-user setting using a variant of the one more discrete logarithm assumption, which also takes the key clamping of EdDSA into account. Finally, a concrete security level for common instantiations of the EdDSA signature scheme is provided by analyzing the hardness of these variants of the discrete logarithm problem and the one-more discrete logarithm problem in the generic group model. diff --git a/thesis/sections/notation.tex b/thesis/sections/notation.tex index 7db47f3..a1aa780 100644 --- a/thesis/sections/notation.tex +++ b/thesis/sections/notation.tex 
@@ -3,7 +3,7 @@ \subsubsection{General Notation} % TODO: Notation mit residual ring und finite field abklären. -For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from a non-empty set $A$ uniformly at random. $\assign$ denotes a deterministic assignment of a variable. $\{0,1\}^n$ is a bitstring of length n, while $\{0,1\}^*$ denotes a finite bitstring of arbitrary length. $(x,y)$ is a tuple of the two elements $x$ and $y$. $\{x,y\}$ is a set of the elements $x$ and $y$. At the beginning of a game a set is initialized to be the empty set $\{\}$. $\sum$ denotes a table and $\sum[x]$ denotes the value of the table at position $x$. Each position of the table is uninitialized at the beginning of the game. An uninitialized position in the table is denoted with the bottom symbol $\bot$. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if there exists a $N \in \mathbb{N}$ for all polynomials $p$ so that $\forall n \geq N: f(n) < \frac{1}{p(n)}$. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ and uniformly random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. When the game is played, the main procedure is run and adversary $\adversary{A}$ is given some inputs and access to the oracle procedures. Based on the output of the adversary $\adversary{A}$ and its oracle calls, the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game. +For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. 
$a \randomsample A$ denotes sampling the element $a$ from a non-empty set $A$ uniformly at random. $\assign$ denotes a deterministic assignment of a variable. $\{0,1\}^n$ is a bitstring of length n, while $\{0,1\}^*$ denotes a finite bitstring of arbitrary length. $(x,y)$ is a tuple of the two elements $x$ and $y$. $\{x,y\}$ is a set of the elements $x$ and $y$. At the beginning of a game a set is initialized to be the empty set $\{\}$. $\sum$ denotes a table and $\sum[x]$ denotes the value of the table at position $x$. Each position of the table is uninitialized at the beginning of the game. An uninitialized position in the table is denoted with the bottom symbol $\bot$. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if there exists a $N \in \mathbb{N}$ so that for all polynomials $p$: $\forall n \geq N: f(n) < \frac{1}{p(n)}$ is true. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ with uniform random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. When the game is played, the main procedure is run and adversary $\adversary{A}$ is given some inputs and access to the oracle procedures. Based on the output of the adversary $\adversary{A}$ and its oracle calls, the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game. \subsubsection{Algebraic Notation} diff --git a/thesis/sections/preliminaries.tex b/thesis/sections/preliminaries.tex index e552523..401cd61 100644 --- a/thesis/sections/preliminaries.tex +++ b/thesis/sections/preliminaries.tex 
@@ -2,9 +2,9 @@ \subsection{Code-based reduction proofs} -To perform the security proof of the EdDSA signature scheme, code-based game playing proofs are used as introduced in \cite{EC:BelRog06}. In these proofs, an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output back from it. The game then decides, depending on the output of the adversary, whether it has won or not. In addition the adversary might get oracle access to one or more procedures, meaning that the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The adversaries's advantage in a game is the adversaries's ability to win the game more reliably than through the use of generic attacks (e.g. guessing the answer to the game). +To perform the security proof of the EdDSA signature scheme, code-based game playing proofs are used. as introduced in \cite{EC:BelRog06}. In these proofs, an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output back from it. The game then decides, depending on the output of the adversary, whether it has won or not. In addition the adversary might get oracle access to one or more procedures, meaning that the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The adversaries's advantage in a game is the adversaries's ability to win the game more reliably than through the use of generic attacks, such as guessing the answer to the game. -During the proof ,these games are being modified until an adversary against the modified game can also be used as an adversary against another game. 
This method is called a reduction proof. It shows that one problem (described by one game) can be reduced to another problem. In other words, it says that if problem A can be reduced onto problem B, any algorithm solving problem A can be transformed into an algorithm solving problem B. +During the proof, these games are being modified until an adversary against the modified game can also be used as an adversary against another game. This method is called a reduction proof. It shows that one problem (described by one game) can be reduced to another problem. In other words, it says that if problem A can be reduced onto problem B, any algorithm solving problem A can be transformed into an algorithm solving problem B. \subsubsection{Identical-Until-Bad Games} 
@@ -30,7 +30,7 @@ This means that the advantage to distinguish between two identical-until-bad gam The EdDSA signature scheme has been defined using twisted Edwards curves as the underlying group structure. Twisted Edwards curves are a special form of elliptic curves. For the proofs performed in this thesis, no specific properties of twisted Edwards curves are used. Therefore, they will not be introduced in great detail. For more details on twisted Edwards curves, see the paper by Bernstein et al. \cite{EPRINT:BBJLP08}. The use of twisted Edwards curves in EdDSA is mainly for performance reasons \cite{CHES:BDLSY11}. -The proofs assume two properties of the underlying group structure, which are true for every elliptic curve. The first is that the underlying group is a generic group, which means that it is only possible to perform the well-defined group operation on the group elements, which is widely assumed to be true for elliptic curves. Elliptic curves often use additive group notation, which means that the group operation is called addition. The second assumption is, that the underlying group is an abelian group. Every elliptic curve is an abelian group. +The proofs assume two properties of the underlying group structure, which are true for every elliptic curve. The first is that the underlying group is a generic group, which means that it is only possible to perform the well-defined group operation on the group elements, which is widely assumed to be true for elliptic curves. The second assumption is, that the underlying group is an abelian group. Every elliptic curve is an abelian group. Elliptic curves often use additive group notation, which means that the group operation is called addition. Elliptic curves also have a property called the cofactor. The cofactor of an elliptic curve refers to the number of points on the elliptic curve divided by the number of points in a particular subgroup. 
The EdDSA signature scheme is not defined to use the entire twisted Edwards curve but instead uses the largest prime order subgroup of that twisted Edwards curve. Therefore, if the number of points on the twisted Edwards curve is $N$ and the order of the prime order subgroup is $L$, the cofactor with respect to this subgroup is $\frac{N}{L}$. 
@@ -41,14 +41,11 @@ Some of the following proofs are conducted in the random oracle model. The rando To simulate a truly random function in polynomial time, a process called "lazy-sampling" can be used. Lazy-sampling means that the challenger has a table that starts out empty. When the adversary queries a value from the random oracle, the challenger checks if that input is in the table. If the input is in the table, the challenger returns the output value according to the table. Otherwise, the challenger chooses an output value from a uniform random distribution and inserts it into the table for that particular input value. The challenger then returns that value. -This method allows the challenger to observe and influence the behavior of the adversary. Since the random oracle behaves like a truly random function, the adversary must query the random oracle to know the output value for a given input value. Therefore, the challenger can observe any input value to the random oracle. Also, the challenger has the ability to program specific output values of the random oracle, as long as it is correctly distributed and is consistent. Consistent means that at no time should the random oracle output two different values for the same input value. - -%TODO: Kann man das so schreiben? -Especially the programmability of the random oracle will be used in the following proofs and should be kept in mind. +The random oracle paradigm allows the challenger to observe and influence the behavior of the adversary. Since the random oracle behaves like a truly random function, the adversary must query the random oracle to know the output value for a given input value. Therefore, the challenger can observe any input value the adversary would have used to the hash function. Also, the challenger has the ability to program specific output values of the random oracle, as long as it is correctly distributed and consistent. 
Consistent means that at no time should the random oracle output two different values for the same input value. \subsection{Algebraic Group Model (AGM)} -The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model, all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an oracle parameter. For example, if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs, the group element $\groupelement{C}$, and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$. +The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model, all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an parameter to an oracle query. For example, if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. 
For the game proofs, the group element $\groupelement{C}$, and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$. \subsection{Generic Group Model (GGM)} diff --git a/thesis/sections/related_work.tex b/thesis/sections/related_work.tex index f5e16f5..fb65598 100644 --- a/thesis/sections/related_work.tex +++ b/thesis/sections/related_work.tex 
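Review bot: the new AGM sentence has an article slip, "outputs or inputs as an parameter to an oracle query" should read "as a parameter to an oracle query". In the random-oracle paragraph, "observe any input value the adversary would have used to the hash function" is awkward; "any input the adversary would otherwise have passed to the hash function" says the same thing. The split-off sentence defines "consistent" but the preceding sentence now says "correctly distributed and consistent" without saying what correctly distributed means; since the lazy-sampling description just above draws from the uniform distribution, "uniformly distributed over the output space and consistent" would close that gap.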
@@ -1,16 +1,16 @@ \section{Related Work} -\paragraph{Standards for EdDSA} The EdDSA signature scheme was introduced in 2011 by Bernstein et al. as the specific instance Ed25519, which is the EdDSA signature scheme instantiated with the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. Later in 2015, with a paper by Bernstein et al., a more general version of EdDSA was introduced, which mainly lifted some restrictions on the underlying finite field of the elliptic curve \cite{EPRINT:BJLSY15}. It also introduced a prehashing variant of EdDSA called HashEdDSA, while the original version is called PureEdDSA. In HashEdDSA, the message is hashed before the signature algorithm is invoked. This has advantages on memory-constrained devices because it does not have to store the entire message. In 2017, the IETF published a standard for EdDSA in its RFC 8032 \cite{josefsson_edwards-curve_2017}. This standard removes some ambiguity regarding the decoding of integers and points of the elliptic curve during signature verification. It also introduces a new variant of the signature scheme that includes an additional parameter named context. In addition to standardizing a general version of EdDSA, the RFC included parameters for specific instantiations Ed25519 and Ed448. In 2023, this standard was adopted by the NIST in its "Digital Signature Standard (DSS)" FIPS 186-5 \cite{moody_digital_2023}. +\paragraph{Standards for EdDSA} The EdDSA signature scheme was introduced in 2011 by Bernstein et al. as the specific instance Ed25519, which is the EdDSA signature scheme instantiated with the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. Later in 2015, with a paper by Bernstein et al., a more general version of EdDSA was introduced, which mainly lifted some restrictions on the underlying finite field of the elliptic curve \cite{EPRINT:BJLSY15}. It also introduced a prehashing variant of EdDSA called HashEdDSA, while the original version is called PureEdDSA. 
In HashEdDSA, the message is hashed before the signature algorithm is invoked. This has advantages on memory-constrained devices because it does not have to store the entire message. In 2017, the IETF published a standard for EdDSA in its RFC 8032 \cite{josefsson_edwards-curve_2017}. This standard removes some ambiguity regarding the decoding of integers and points of the elliptic curve during signature verification. It also introduces a new variant of the signature scheme that includes an additional parameter named "context". In addition to standardizing a general version of EdDSA, the RFC included parameters for specific instantiations Ed25519 and Ed448. In 2023, this standard was adopted by the NIST in its "Digital Signature Standard (DSS)" FIPS 186-5 \cite{moody_digital_2023}. -\paragraph{Schnorr Signatures and Fiat-Schamir Transformation} The EdDSA and Schnorr signature schemes have a similar structure. The Schnorr signature scheme is a signature scheme introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. It has proven to be a robust and efficient signature scheme and has undergone several security analyses. The foundation of the Schnorr signature scheme is the canonical identification scheme. +\paragraph{Schnorr Signatures and Fiat-Schamir Transformation} The EdDSA and Schnorr signature schemes have a similar structure. The Schnorr signature scheme has been introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. It has proven to be a robust and efficient signature scheme and has undergone several security analyses. The foundation of the Schnorr signature scheme is the canonical identification scheme. -A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a three-way protocol between two parties. The prover attempts to prove the knowledge of a secret key to the verifier, who only knows the public key. This is done by exchanging three messages between the two parties. 
First, the prover initiates the protocol by sending a commitment $R$ to the verifier. The verifier respondes with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, the challenge, and its secret key to compute a response $s$. The verifier then can then use the commitment, challenge, and response together with the public key of the prover to verify the response and thereby verify that the prover is actually in the possession of the private key. +A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a three-way protocol between two parties. The prover attempts to prove the knowledge of a secret key to the verifier, who only knows the public key. This is done by exchanging three messages between the two parties. First, the prover initiates the protocol by sending a commitment $R$ to the verifier. The verifier respondes with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, the challenge, and its secret key to compute a response $s$. The verifier then can use the commitment, challenge, and response together with the public key of the prover to verify the response and thereby verify that the prover is actually in the possession of the private key. To obtain a signature scheme from the canonical identification scheme, it must be made non-interactive. This can be achieved using the Fiat-Schamir transformation. The transformation was introduced by Fiat and Schamir in 1986 \cite{C:FiaSha86}. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the prover. This is a crucial part of the scheme's security, since otherwise the prover might be able to choose a commitment and a challenge in a way that allows him generate a valid solution without being in the possession of the secret key. 
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the prover without the need to interact with another party. This allows the prover to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function. There are many proofs showing that the Fiat-Schamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98,JC:PoiSte00,EC:AABN02}). -\paragraph{Related Proofs} As mentioned above, there exists a paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to embed a challenge in one of the hash queries, further losing tightness. +\paragraph{Related Proofs} As mentioned above, there exists a paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. 
In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to guess the position of the hash query in which they had to embed a challenge, further losing tightness. A paper by Chalkias, Garillot and Nikolaenko analyzes the security of Ed25519 with respect to different signature decoding methods and the implementation of additional checks during the signature verification \cite{EPRINT:ChaGarNik20}. This paper also analyzes lesser known security properties such as strongly binding signatures, but already assumes SUF-CMA security of Ed25519. They also analyzed the impact of cofactorless vs. cofactored verification with respect to batch verification of Ed25519 signatures. 
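Review bot: the tense change to "The Schnorr signature scheme has been introduced by Claus Peter Schnorr in 1991" makes the sentence worse, not better: with a fixed date the simple past "was introduced" is correct, which is what the removed line had. The same hunk still carries "Fiat-Schamir" in the paragraph title and body (the name is Fiat-Shamir, and the \cite{C:FiaSha86} key spells it right), "respondes" in the CID description ("responds"), and "allows him generate a valid solution" is missing "to". Since these lines are being rewritten anyway, fix them here rather than in a later pass.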
@@ -18,4 +18,4 @@ The multi-user security of EdDSA was briefly analyzed in a paper by Bernstein af In 2016, Kiltz et al. provided a tight bound on the multi-user security of Schorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by EdDSA due to the clamping introduced by the key generation algorithm. -Fuchsbauer et al. generated a tight security proof for the Schnorr signature scheme by using the algebraic group model \cite{EC:FucPloSeu20}. They achieved this by using the representation of the commitment together with a forged signature to compute the discrete logarithm of the public key. This approach looks promising also for the EdDSA signature scheme. \ No newline at end of file +Fuchsbauer et al. generated a tight security proof for the Schnorr signature scheme by using the algebraic group model \cite{EC:FucPloSeu20}. They achieved this by using the representation of the commitment together with a forged signature to compute the discrete logarithm of the public key. This approach also looks promising for the EdDSA signature scheme and will be analysed in this thesis. \ No newline at end of file diff --git a/thesis/sections/security_notions.tex b/thesis/sections/security_notions.tex index 47b4c5f..a1d75d1 100644 --- a/thesis/sections/security_notions.tex +++ b/thesis/sections/security_notions.tex 
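Review bot: "will be analysed in this thesis" uses British spelling while the rest of this file uses "analyzes" and "analyzed" (see the Related Proofs paragraph in the preceding hunk); pick one. The unchanged context line "multi-user security of Schorr signatures" is a typo for "Schnorr" that this touch of the file could fix, and both sides still end with "\ No newline at end of file".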
@@ -6,15 +6,15 @@ A digital signature scheme is a method to ensure the authenticity of data. The s A digital signature scheme SIG = (\keygen,\sign,\verify) is a tuple of algorithms. \begin{itemize}[label={}] - \item \textbf{\keygen}: The key generation algorithm, which upon receiving the schema parameter as input outputs a matching tuple of public and private key. - \item \textbf{\sign}: The signature algorithm, which upon receiving the secret key and the message outputs a signature for that message. + \item \textbf{\keygen}: The key generation algorithm, which upon receiving the schemas parameter as input outputs a matching tuple of public and private key. + \item \textbf{\sign}: The signature algorithm, which upon receiving the secret key and the message, outputs a signature for that message. \item \textbf{\verify}: The verification algorithm, which upon receiving the public key, the message and the signature decides whether the signature is valid for the specific set of input parameters. \end{itemize} For the digital signature scheme to be correct, it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$ \end{definition} -A common security notion for digital signature schemes is the existential unforgeability under chosen message attack security (EUF-CMA). It requires that no adversary is able to forge a signature, for a given key, on a message for which they have not been provided with a valid signature. A stronger notion that is often used is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. 
In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and MU-SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions with $N=1$. +A common security notion for digital signature schemes is the existential unforgeability under chosen message attack (EUF-CMA) security. It requires that no adversary is able to forge a signature, for a given public key, for a message to which they have not been provided with a valid signature. A stronger notion, that is often used, is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and MU-SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions with $N=1$. \subsubsection{MU-EUF-CMA} 
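Review bot: "upon receiving the schemas parameter as input" is wrong on both counts; the intended reading is the possessive "the scheme's parameters" (the removed "schema parameter" was closer than the replacement). In the EUF-CMA sentence, "for a message to which they have not been provided with a valid signature" should be "for which", and "A stronger notion, that is often used, is" either drops the commas or uses "which". Minor: "the existential unforgeability under chosen message attack (EUF-CMA) security" reads better as "existential unforgeability under chosen message attack (EUF-CMA)".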
@@ -105,7 +105,7 @@ The MU-UF-NMA security game is similar to the MU-EUF-CMA game. The only differen \subsection{Security Assumptions} -This thesis proves the security of the EdDSA signature scheme under two assumptions. The single-user security of EdDSA can be proved under the discrete logarithm assumption, while the multi-user security of EdDSA requires the stronger one-more discrete logarithm assumption. Both security assumptions are presented in this section. +This thesis proves the security of the EdDSA signature scheme using two assumptions. The single-user security of EdDSA can be proved using the discrete logarithm assumption, while the multi-user security of EdDSA requires the stronger one-more discrete logarithm assumption. Both security assumptions are presented in this section. \subsubsection{Discrete Logarithm Problem} diff --git a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex index 0c8bb5c..c1fde32 100644 --- a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex +++ b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex 
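Review bot: replacing "under two assumptions" / "proved under the discrete logarithm assumption" with "using" swaps the conventional phrasing for a weaker one. A scheme is proved secure under an assumption; the removed wording was the standard form, so revert to "under" in both places.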
@@ -107,7 +107,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$ \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \] - \item \paragraph{\underline{$G_2:$}} The game $G_2$ is aborted if the bad flag is set. For each individual \ioracle query, the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $\ch_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and thus the value of $r_2$. This way the adversary has no way to choose $\ch_i$ after $r_2$ and therefore cannot influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the if condition check. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have + \item \paragraph{\underline{$G_2:$}} The game $G_2$ is aborted if the bad flag is set. For each individual \ioracle query, the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $\ch_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and thus the value of $r_2$. This way the adversary has no way to choose $\ch_i$ after $r_2$ and therefore cannot influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the if condition check. 
By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] diff --git a/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex index 645c355..259eb10 100644 --- a/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex +++ b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex 
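Review bot: the sentence "This way the adversary has no way to choose $\ch_i$ after $r_2$" reads inverted. $\ch_i$ is chosen by the game, never by the adversary; what the ordering (representation of $\groupelement{R_i}$, hence $r_2$, fixed before $\ch_i$ is drawn) rules out is the adversary choosing $r_2$ after seeing $\ch_i$. Suggest "the adversary cannot choose $r_2$ after seeing $\ch_i$". Separately, since $2^{-\log_2 x} = 1/x$, the per-query probability $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$ is simply $\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}$ and the union bound is $\Pr[bad] \leq \oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}$; writing it that way here and in the theorem statement would be clearer than the double-negated exponent.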
@@ -2,7 +2,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof. -\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is achieved by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in figure \ref{game:igame}. +\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is achieved by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in figure \ref{game:igame}. The game has been inspired by the IDLOG game from \cite{C:KilMasPan16}. \begin{definition}[\igame] For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following: diff --git a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex index 8714c0d..b2ad310 100644 --- a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex +++ b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex 
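Review bot: "The game has been inspired by the IDLOG game from \cite{C:KilMasPan16}" should be "was inspired by" to match the tense of the surrounding text. The unchanged context just below, "For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following:", is a fragment followed by "as following"; suggest "For an adversary $\adversary{A}$, the advantage of $\adversary{A}$ in the \igame game is defined as follows:".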
@@ -15,7 +15,7 @@ The EdDSA signature scheme is based on the Schnorr signature scheme, which is a To generate a signature without knowing the private key, the challenge and response are chosen randomly, and the commitment is calculated based on the chosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. In this way, the resulting tuple of challenge and response is a valid signature for the given message. -For the reduction to be able to program the random oracle, the adversary must not have queried the hash function with this exact input before asking for the signature. Since the input to the hash query includes the commitment, which is unknown to the adversary prior to the \Osign query, and the result of a random function, the adversary can only guess it, which introduces the loss of advantage. +For the reduction to be able to program the random oracle, the adversary must not have queried the hash function with this exact input before asking for the signature. Since the input to the hash query includes the commitment, which is the result of a random function and therefore unknown to the adversary prior to the \Osign query. For this reason, the adversary can only guess it. This method of simulating the \Osign oracle and the resulting loss of advantage was first introduced in \cite{SP:BCJZ21}. 
@@ -112,7 +112,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \[ \advantage{\group{G},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] - \item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. In this cases the adversary already queried the challenge for that signature resulting in the challenger not being able to program the random oracle on that input. Without being able to program the random oracle the challenger is not able to generate a valid signature, without knowing the private key. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore, + \item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. In this cases the adversary already queried the challenge for that signature, resulting in the challenger not being able to program the random oracle on that input. Without being able to program the random oracle the challenger is not able to generate a valid signature, without knowing the private key. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore, \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \] 
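Review bot: "In this cases the adversary already queried the challenge" keeps the number error in the + line; "In this case". The comma in "is not able to generate a valid signature, without knowing the private key" is also stray: the clause is restrictive (the challenger can of course sign with the private key), so drop it.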
@@ -120,7 +120,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] - \item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle with the \sign oracle in the green box. Now the signature is not generated by using the secret key, but by using the \simalg procedure and manually setting the result of the hash function call. This change is conceptual only. \simalg returns a correctly distributed tuple $(R, \ch, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \ch \groupelement{A}$ and it has been excluded that $H(\encoded{R} | \encoded{A} | \m)$ is set before calling the \sign oracle, so that the random oracle can be programmed to output $\ch$ when calling $H(\encoded{R} | \encoded{A} | m)$. This ensures that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without using the private key $s$. Therefore, + \item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle with the \sign oracle in the green box. Now the signature is not generated by using the secret key, but by using the \simalg procedure and manually setting the result of the hash function call. This change is conceptual only. \simalg returns a correctly distributed tuple $(R, \ch, S)$, with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \ch \groupelement{A}$, and it has been excluded that $H'(\encoded{R} | \encoded{A} | \m)$ is set before calling the \sign oracle, so that the random oracle can be programmed to output $\ch$ when calling $H'(\encoded{R} | \encoded{A} | m)$. 
This ensures that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H'(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without using the private key $s$. Therefore, \[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \] 
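Review bot: the rename from $H$ to $H'$ is applied inconsistently within the hunk: the second programmed call is written $H'(\encoded{R} | \encoded{A} | m)$ with plain $m$, while the first call and the verification equation use \m. The tuple returned by \simalg is also written $(R, \ch, S)$ although the equation right after it uses $\groupelement{R}$ for the same commitment; suggest $(\groupelement{R}, \ch, S)$ and \m throughout so the reader can see it is the same object.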
@@ -163,9 +163,9 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \label{fig:adversarybuf-nma} \end{figure} - To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{UF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure \ref{fig:adversarybuf-nma}, is run in the $\text{UF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger. + To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{UF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure \ref{fig:adversarybuf-nma}, is run in the $\text{UF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger, when not set by the reduction itself. - Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by $\adversary{B}$ itself. 
Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value has not been set by $\adversary{B}$ and therefore must have been passed from the UF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore, + Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value for the corresponding challenge has not been set by $\adversary{B}$ and therefore must have been passed from the UF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore, \begin{align*} 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\ 
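Review bot: the + line still asserts "\Osign is simulated perfectly", but EdDSA signing is deterministic (the nonce is derived from the secret key and the message), so if $\adversary{A}$ queries \Osign twice on the same message the real oracle returns the same $(\encoded{R}, S)$, while a \simalg-based simulation that draws fresh $(\ch, S)$ each time returns a different pair. If the $\adversary{B}$ of figure \ref{fig:adversarybuf-nma} does not memoise per message, either add that or state that repeated queries are excluded without loss of generality. Smaller: the strict-parsing bound is written for $S$ but the forgery's value is $S^*$ ($0 \leq S^* < L$), and $m^*$ should be $\m^*$ to match the output $(\m^*, \signature^*)$.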
@@ -231,9 +231,9 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit \label{fig:adversary_b_suf-nma} \end{figure} - To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{UF-NMA}$ game and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger. + To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{UF-NMA}$ game and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger, when not set by the reduction itself. - Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. The same argument as in the proof above cannot be used, since the lax parser could map multiple $2b$-bit bitstrings onto the same $S^* \pmod L$. Therefore, the adversary $\adversary{A}$ could generate a new valid signature from one generated by \Osign simply by choosing a different bitstring representation of the same $S^* \pmod L$. Since in this case $\sum[\encoded{R^*}|\encoded{A}|m^*]$ was set by the adversary $\adversary{B}$, this signature is not valid for the UF-NMA challenger. 
However, since we are in the EUF-CMA setting, we require the adversary $\adversary{A}$ to provide a signature for a message $m^*$ for which it has not requested a signature from the \Osign oracle. Since the signature for the message $m^*$ was not requested in the Sign oracle, the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ was not set by the adversary B, but was forwarded from the $H$ hash oracle. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore, + Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. Because we are in the EUF-CMA setting, the adversary $\adversary{A}$ is required to provide a signature for a message $m^*$ for which it has not requested a signature from the \Osign oracle. Since the signature for the message $m^*$ was not requested in the Sign oracle, the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ was not set by the adversary B, but must have been forwarded from the $H$ hash oracle. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore, \begin{align*} 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\
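Review bot: the rewrite removes the explanation of why the strict-parsing argument does not carry over to lax parsing (several $2b$-bit strings decode to the same $S^* \pmod L$, so $\adversary{A}$ can re-encode the $S^*$ of an \Osign signature, and because that hash entry was programmed by $\adversary{B}$ the result is not a valid forgery for the UF-NMA challenger). That is exactly the reason this proof settles for EUF-CMA rather than SUF-CMA, so keep a one-sentence version of it before "Because we are in the EUF-CMA setting". Also "consider $\adversary{A}$ output" should be "$\adversary{A}$'s output" as in the first proof, "the adversary B" should be "$\adversary{B}$", and "the Sign oracle" should be "\Osign".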