Minor changes

2023-06-16 12:46:37 +02:00
parent 6ad1c1e06a
commit 3db0912f79
11 changed files with 39 additions and 42 deletions

@@ -69,13 +69,13 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}.
\subsection{Encoding of Group Elements}
The encoding function encodes points on the twisted Edwards curve into a b-bit bitstring and vice versa. It is assumed that when a b-bit bitstring is decoded, the resulting point is either a valid point on the twisted Edwards curve or the decoding will fail. In this way, decoding a b-bit bitstring into a cuve point implicitly ensures that the decoded point is a valid point on the specified twisted Edwards curve. The encoding function does not ensure that each point has exactly one bitstring representation. This means that there may be multiple bitstrings mapping to the same curve point during decoding. The effect of this is included in the analysis.
The encoding function encodes points on the twisted Edwards curve into a b-bit bitstring and vice versa. It is assumed that when a b-bit bitstring is decoded, the resulting point is either a valid point on the twisted Edwards curve or otherwise the decoding will fail. In this way, decoding a b-bit bitstring into a cuve point implicitly ensures that the decoded point is a valid point on the specified twisted Edwards curve. The encoding function does not ensure that each point has exactly one bitstring representation. This means that there may be multiple bitstrings mapping to the same curve point during decoding. The effect of this is included in the analysis.
\subsection{Message Space}
The message space $\messagespace$ is defined as a bitstring of arbitrary length. To make the proof applicable to the EdDSA variant with context, the context can be modeled as part of the message.
Looking at the RFC and FIPS standards, the context is passed to a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during signature generation and verification. Since the proofs are performed in the random oracle model, the position of the data in the hash function call, the actual content of the message, and the context are not relevant to the output of the random oracle call. Unless the reduction explicitly uses the content of the message, which it does not in this case. Therefore, the context can be modeled as part of the message.
Looking at the RFC and FIPS standards, the context is passed to a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during signature generation and verification. Since the proofs are performed in the random oracle model, the position of the data in the hash function call, the actual content of the message, and the context are not relevant to the output of the random oracle call, unless the reduction explicitly uses the content of the message, which it does not in this case. Therefore, the context can be modeled as being part of the message.
\subsection{Signature}
The signature is defined as a $2b$ bitstring of the encoded curve points $\groupelement{R}$ concatenated with the $b$-bit little endian encoding of the scalar $S$.
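Review bot: The rewritten sentence under "Encoding of Group Elements" still contains the typo "cuve point", and the added "or otherwise" is redundant after "either ... or". Suggest "decoding a b-bit bitstring into a curve point" and dropping "otherwise". In the "Message Space" paragraph, the straight quotes in "dom" will typeset as two closing quotes in LaTeX; use ``dom'' or \texttt{dom}. The merged sentence "..., unless the reduction explicitly uses the content of the message, which it does not in this case" reads better than the old fragment, but a pointer to the reduction it refers to would let the reader check the claim.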
@@ -100,7 +100,7 @@ This may pose additional challenges, since working with group elements outside t
Instead of choosing the secret scalar uniformly at random, as done in most other schemes, the secret scalar is generated by hashing a random bitstring, fixing some bits of the hash result to a specific value and then interpreting $n$ bits of the result as the little endian representation of an integer.
To be more precise from the lower $b$ bits of the $2b$ bitstring the lowest $c$ bit are set to 0, where $c$ is the cofactor of the twisted Edwards curve, and the $n$th bit is set to 1. Then the first $n$ bits are interpreted as the secret scalar $s$.
To be more precise, from the lower $b$ bits of the $2b$ bitstring the lowest $c$ bit are set to 0, where $c$ is the cofactor of the twisted Edwards curve, and the $n$th bit is set to 1. Then the first $n$ bits are interpreted as the secret scalar $s$.
This is strictly less secure, in the sense of the discrete logarithm problem, than choosing the secret scalar uniformly at random. It also makes proofs in the multi-user setting more challenging, since rerandomization of a public key is not easily possible and therefore the multi-user security of EdDSA cannot be easily reduced onto the single-user security of EdDSA.
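Review bot: In the rewritten "To be more precise, ..." sentence, "the lowest $c$ bit are set to 0, where $c$ is the cofactor" reads as clearing as many bits as the value of the cofactor. Clearing $c$ low bits makes the scalar a multiple of $2^c$, so state explicitly whether $c$ denotes the cofactor or its base-2 logarithm, and write "bits". The same sentence sets "the $n$th bit" to 1 and then interprets "the first $n$ bits" as $s$; with zero-based indexing the set bit falls outside those $n$ bits, so the indexing convention should be given. While touching this line, "$2b$ bitstring" could become "$2b$-bit bitstring" to match "b-bit bitstring" used earlier.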
@@ -114,12 +114,12 @@ The EdDSA signature scheme also includes the public key as an additional input t
\subsubsection{Deterministic Nonce Generation}
The commitment is chosen as the result of a hash function instead of being chosen at random each time a signature is generated. This makes signature generation deterministic. Since the hash function is modeled as a random oracle, the deterministic generation of the commitment does not pose any additional security risk, since it can be replaced by a random function, as shown in \ref{sec:eddsa'_proof}.
The commitment is chosen as the result of a hash function instead of being chosen at random each time a signature is generated. This makes signature generation deterministic. Since the hash function can be modeled as a random oracle, the deterministic generation of the commitment does not pose any additional security risk, since it can be replaced by a random function, as shown in \ref{sec:eddsa'_proof}.
\subsection{Replacing Hash Function Calls}
\label{sec:eddsa'_proof}
To make it easier to work with the random oracle, the following proofs introduce a variant of the EdDSA signature scheme in which some calls to the random oracle are replaced by direct sampling of a value at random or by using a random function. It is then shown that the advantage of winning the \cma game is roughly the same in both versions of the signature scheme.
To make it easier to work with the random oracle, the following proofs introduce a variant of the EdDSA signature scheme in which some calls to the hash function are replaced by direct sampling of a value at random or by using a random function. It is then shown that the advantage of winning the \cma game is roughly the same in both versions of the signature scheme.
\paragraph{\underline{Introducing EdDSA'}}
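Review bot: In "Deterministic Nonce Generation", changing "is modeled" to "can be modeled" weakens the premise while the conclusion "does not pose any additional security risk" stays unconditional. Since the text earlier states that the proofs are performed in the random oracle model, either keep "is modeled" or qualify the conclusion as holding in that model. The sentence also chains two "since" clauses and ends with a bare \ref, which typesets only a number; "as shown in Section~\ref{sec:eddsa'_proof}" would read correctly. In "Replacing Hash Function Calls", "calls to the hash function" is the better wording, but "roughly the same" is vague for a statement about the \cma advantage; name the bound or reference the lemma that gives it.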