Rewrote introduction
@@ -30,7 +30,7 @@
|
||||
\newcommand{\simalg}{\textit{Sim}\xspace}
|
||||
|
||||
% Intermediate Game
|
||||
\newcommand{\igame}{\text{IDLOG}\xspace}
|
||||
\newcommand{\igame}{\text{Ed-IDLOG}\xspace}
|
||||
\newcommand{\ioracle}{\textit{Chall}\xspace}
|
||||
|
||||
% EdDSA procedures
|
||||
|
||||
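Review bot: the game macro `\igame` keeps its name but now expands to `\text{Ed-IDLOG}` instead of `\text{IDLOG}`, so every existing `\igame` reference in the thesis silently switches label; check the surrounding prose for places that still spell out "IDLOG" literally next to the macro. Also note the font convention in this block is mixed: the game uses `\text{...}` while the neighbouring algorithm and oracle macros use `\textit{...}` (`\simalg`, `\ioracle`); settle on one style for game, algorithm and oracle names so IDLOG/Ed-IDLOG, Sim and Chall render consistently.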
@@ -1,18 +1,28 @@
|
||||
\section{Introduction}
|
||||
|
||||
The EdDSA signature scheme was first introduced in 2011 by Bernstein, Duif, Lange, Schwabe and Yang, instantiated as Ed25519 using the Edwards25519 twisted Edwards curve \cite{CHES:BDLSY11}. In 2015 Bernstein et. al. published a new paper, which introduced a more general version the EdDSA signature scheme \cite{EPRINT:BJLSY15}. Due to its high performance and small signature size, the EdDSA signature scheme is very popular and widely used in applications such as TLS, SSH and the Signal protocol. From these papers came standards such as RFC 8032 \cite{josefsson_edwards-curve_2017} and FIPS 186-5 \cite{moody_digital_2023}.
|
||||
The EdDSA signature scheme was first introduced in 2011 by Bernstein, Duif, Lange, Schwabe and Yang, instantiated as Ed25519 using the Edwards25519 twisted Edwards curve \cite{CHES:BDLSY11}. In 2015 Bernstein et al. published a new paper, which introduced a more general version the EdDSA signature scheme \cite{EPRINT:BJLSY15}. Due to its high performance and small signature size, the EdDSA signature scheme is very popular and widely used in applications such as TLS, SSH and the Signal protocol. From these papers came standards such as RFC 8032 \cite{josefsson_edwards-curve_2017} and FIPS 186-5 \cite{moody_digital_2023}.
|
||||
|
||||
The original paper focused on the performance of the signature scheme and did not provide a formal security analysis of the signature scheme. The EdDSA signature scheme is closely related to the Schnorr signature scheme. Although EdDSA is related to the Schnorr signature scheme, it contains some modifications that make the security proof of the Schnorr signature scheme inapplicable to EdDSA. Schnorr signature schemes are derived from a canonical identification scheme to which the Fiat-Schamir transformation is applied.
|
||||
The original paper focused on the performance of the signature scheme and did not provide a formal security analysis of the signature scheme. The EdDSA signature scheme is closely related to the Schnorr signature scheme. Although EdDSA is related to the Schnorr signature scheme, the security proofs for Schnorr signature schemes do not apply to EdDSA. The EdDSA signature scheme uses the key prefixing modification and calculates its commitments deterministically, which does not weaken the security \cite{AC:BelPoeSte16}. Besides these modifications, EdDSA also uses a different group structure, which is a prime order subgroup of a twisted Edwards curve, and clamps some bits of the private key to predefined values. Both of these modifications have not been well studied for the Schnorr signature scheme. The EdDSA signature scheme also specifies several variations of parsing the signature from a bitstring. One way of parsing the signature is to allow only one bitstring representation for a scalar and curve point, and another way is to allow multiple bitstring representations of the same scalar and curve point. This raises the question of whether the changes still result in a secure signature scheme.
|
||||
|
||||
The desired security notions for the signature scheme are EUF-CMA or SUF-CMA security. These security notions require that no adversary is able to provide a forged signature from an arbitrary set of valid signatures for arbitrary messages. While EUF-CMA requires a forged signature for a message for which the adversary does not have a valid signature, SUF-CMA also counts as valid forgeries message signature pairs that were not provided to the adversary.
|
||||
|
||||
In 2020, Brendel et. al. showed in the paper "The Provable Security of Ed25519: Theory and Practice" that Ed25519 satisfies EUF-CMA and SUF-CMA security, depending on which standard is used \cite{SP:BCJZ21}. They did this by extracting the underlying canonical identification scheme, proving its security, and then proving the security of the constructed signature scheme. Due to the use of the reset lemma, the provided security proof is not tight.
|
||||
The Schnorr signature scheme originates from a canonical identification scheme to which the Fiat-Schamir transformation is applied \cite{JC:Schnorr91}. This transformation transforms the interactive identification scheme into a non-interactive one by making some of the values deterministic. By making the values also dependent on a message, the resulting transcript of the canonical identification scheme can be interpreted as the signature for that message \cite{C:FiaSha86}.
|
||||
|
||||
Tight security proofs are desirable because they provide a better approximation of the bit security of a signature scheme when instantiated with concrete primitives (such as groups or hash functions). A better approximation results in smaller parameters (such as the size of the group) yielding better bit security. This means that, with tighter security proofs, smaller primitives can be used to achieve the same level of security, and smaller primitives often result in more efficient cryptographic schemes.
|
||||
In a 2020 paper, Brendel et al. showed that Ed25519 satisfies EUF-CMA and SUF-CMA security, depending on which EdDSA standard is used \cite{SP:BCJZ21}. They did this by extracting the underlying canonical identification scheme, proving its security, and then proving the security of the constructed signature scheme via the Fiat-Schamir transformation. Due to the use of the reset lemma, the provided security proof is not tight.
|
||||
|
||||
This thesis achieves a tight security proof by using the algebraic group model to show the relationship between the EUF/SUF-CMA security of different versions of the EdDSA signature scheme and the discrete logarithm problem. By directly reducing the EUF/SUF-CMA security of the EdDSA signature scheme to the discrete logarithm, a tight security proof can be achieved since the reset lemma is not used for this approach.
|
||||
Tightness is a property of a security proof. A security proof is said to be tight if the probability of success of an adversary $\adversary{B}$ attacking problem B, constructed from adversary $\adversary{A}$ attacking problem A, is at most smaller than the probability of success of $\adversary{A}$ by a small constant factor.
|
||||
|
||||
Another important property of a signature scheme is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. Most of the time an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the public keys provided.
|
||||
Tight security proofs are desirable because they provide a better approximation of the bit security of a signature scheme when instantiated with concrete primitives (such as groups or hash functions)\cite{SAC:ChaMenSar11}. A better approximation results in smaller parameters (such as the size of the group) yielding better bit security. This means that, with tighter security proofs, smaller primitives can be used to achieve the same level of security, and smaller primitives often result in more faster computations and therefore more efficient cryptographic schemes.
|
||||
|
||||
For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security under the discrete logarithm assumption, as shown by Fuchsbauer et al. in \cite{EC:FucPloSeu20}.
|
||||
|
||||
This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduces by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. While allowing only one bitstring representation of a scalar, strict parsing, ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing, results only in EUF-CMA security.
|
||||
|
||||
Another important property of a signature scheme, also briefly mentioned in the paper \cite{SP:BCJZ21}, is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. In most cases, an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the provided public keys. The multi-user security of Schnorr-like signature schemes has been analyzed in several papers \cite{EPRINT:Bernstein15} \cite{C:KilMasPan16}, but none of them apply to EdDSA or give a tight reduction.
|
||||
|
||||
This thesis uses the same method of providing a tight security proof in the algebraic group model and the random oracle model to prove the security of EdDSA in the multi-user setting under a variant of the one more discrete logarithm assumption, which also takes the key clamping of EdDSA into account.
|
||||
|
||||
Finally, a concrete security level for common instantiations of the EdDSA signature scheme is provided by analyzing the hardness of these variants of the discrete logarithm problem and the one-more discrete logarithm problem in the generic group model.
|
||||
|
||||
The main contribution of this thesis are the following:
|
||||
|
||||
|
||||
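Review bot: the rewritten introduction still spells the transformation "Fiat-Schamir" (in the sentence on the Schnorr origin and in the Brendel et al. summary); the name is Fiat-Shamir, and the same misspelling appears in the unchanged Related Work heading, so fix it globally. The new sentence "none of them apply to EdDSA or give a tight reduction" also conflicts with the Related Work paragraph that says Bernstein "provided a tight security proof for the multi-user security of key-prefixed Schnorr signatures"; "none of them apply directly to EdDSA" is what the rest of the text supports. Smaller points in the added lines: "a more general version the EdDSA signature scheme" is missing "of"; "introduces by the key generation algorithm" should read "introduced by"; "more faster computations" should be "faster computations"; the tightness definition "is at most smaller than the probability of success of $\adversary{A}$ by a small constant factor" is hard to parse and reads better as "is smaller than the success probability of $\adversary{A}$ by at most a small constant factor"; "one more discrete logarithm assumption" and "one-more discrete logarithm problem" should be hyphenated the same way; and "The main contribution of this thesis are the following:" needs "contributions" (or "is"), and since the hunk ends right after it, confirm the enumeration it introduces still follows in the file.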
@@ -1,6 +1,6 @@
|
||||
\section{Related Work}
|
||||
|
||||
\paragraph{Standards for EdDSA} The EdDSA signature scheme was introduced in 2011 by Bernstein et. al. as the specific instance Ed25519, which is the EdDSA signature scheme instantiated with the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. Later in 2015, with the paper "EdDSA for more curves" by Bernstein et. al., a more general version of EdDSA was introduced, which mainly lifted some restrictions on the underlying finite field of the elliptic curve \cite{EPRINT:BJLSY15}. It also introduced a prehashing variant of EdDSA called HashEdDSA, while the original version is called PureEdDSA. In HashEdDSA, the message is hashed before the signature algorithm is invoked. This has advantages on memory-constrained devices because it does not have to store the entire message. In 2017, the IETF published a standard for EdDSA in its RFC 8032 \cite{josefsson_edwards-curve_2017}. This standard removes some ambiguity regarding the decoding of integers and points of the elliptic curve during signature verification. It also introduces a new variant of the signature scheme that includes an additional parameter named context. In addition to standardizing a general version of EdDSA, the RFC included parameters for specific instantiations Ed25519 and Ed448. In 2023, this standard was adopted by the NIST in its "Digital Signature Standard (DSS)" FIPS 186-5 \cite{moody_digital_2023}.
|
||||
\paragraph{Standards for EdDSA} The EdDSA signature scheme was introduced in 2011 by Bernstein et al. as the specific instance Ed25519, which is the EdDSA signature scheme instantiated with the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. Later in 2015, with a paper by Bernstein et al., a more general version of EdDSA was introduced, which mainly lifted some restrictions on the underlying finite field of the elliptic curve \cite{EPRINT:BJLSY15}. It also introduced a prehashing variant of EdDSA called HashEdDSA, while the original version is called PureEdDSA. In HashEdDSA, the message is hashed before the signature algorithm is invoked. This has advantages on memory-constrained devices because it does not have to store the entire message. In 2017, the IETF published a standard for EdDSA in its RFC 8032 \cite{josefsson_edwards-curve_2017}. This standard removes some ambiguity regarding the decoding of integers and points of the elliptic curve during signature verification. It also introduces a new variant of the signature scheme that includes an additional parameter named context. In addition to standardizing a general version of EdDSA, the RFC included parameters for specific instantiations Ed25519 and Ed448. In 2023, this standard was adopted by the NIST in its "Digital Signature Standard (DSS)" FIPS 186-5 \cite{moody_digital_2023}.
|
||||
|
||||
\paragraph{Schnorr Signatures and Fiat-Schamir Transformation} The EdDSA signature scheme is similar in structure to the Schnorr signature scheme. The Schnorr signature scheme is a signature scheme introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. The Schnorr signature scheme has proven to be a robust and efficient signature scheme and has undergone several security analyses. The foundation of the Schnorr signature scheme is the canonical identification scheme.
|
||||
|
||||
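Review bot: the unchanged context line "\paragraph{Schnorr Signatures and Fiat-Schamir Transformation}" carries the Fiat-Shamir misspelling and will survive this rewrite as is; since the "Standards for EdDSA" paragraph was just corrected from "et. al." to "et al.", apply the same pass to the heading and to the remaining "et. al." occurrences in Related Work. Replacing the quoted paper titles with bare \cite keys matches what the introduction now does, so that part is consistent.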
@@ -12,10 +12,10 @@ The Fiat-Schamir transformation replaces the verifier with a pseudorandom functi
|
||||
|
||||
\paragraph{Related Proofs} As mentioned above, there exists an paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to embed a challenge in one of the hash queries, further losing tightness.
|
||||
|
||||
The paper "Taming the many EdDSAs" by Chalkias, Garillot and Nikolaenko analyzes the security of Ed25519 with respect to different signature decoding methods and the implementation of additional checks during the signature verification \cite{EPRINT:ChaGarNik20}. This paper also analyzes lesser known security properties such as strongly binding signatures, but already assumes SUF-CMA security of Ed25519. They also analyzes the impact of cofactorless vs. cofactored verification with respect to batch verification of Ed25519 signatures.
|
||||
A paper by Chalkias, Garillot and Nikolaenko analyzes the security of Ed25519 with respect to different signature decoding methods and the implementation of additional checks during the signature verification \cite{EPRINT:ChaGarNik20}. This paper also analyzes lesser known security properties such as strongly binding signatures, but already assumes SUF-CMA security of Ed25519. They also analyzes the impact of cofactorless vs. cofactored verification with respect to batch verification of Ed25519 signatures.
|
||||
|
||||
The multi-user security of EdDSA was briefly analyzed in a paper by Bernstein after he exposed a flaw in a tight multi-user security proof for the Schnorr signature scheme by Galbraith, Malone-Lee, and Smart \cite{EPRINT:Bernstein15}. In this paper, Bernstein provided a tight security proof for the multi-user security of key-prefixed Schnorr signatures. The EdDSA signature scheme is also a key-prefixed version of a Schnorr signature. However, due to the clamping introduced in the key generation algorithm of EdDSA, these results do not apply directly to EdDSA. Attempting to use the same method as in Bersteins paper would again result in a non-tight security proof, as already mentioned in the same paper.
|
||||
|
||||
In 2016, Kiltz et. al. provided a tight bound on the multi-user security of Schorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by the EdDSA due to the clamping introduced by the key generation algorithm.
|
||||
In 2016, Kiltz et al. provided a tight bound on the multi-user security of Schorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by EdDSA due to the clamping introduced by the key generation algorithm.
|
||||
|
||||
Instead, a different approach must be taken to abtain a tight security proof of the EdDSA signature scheme. Similar to a paper by Fuchsbauer et. al. \cite{EC:FucPloSeu20}, the algebraic group model is used to directly prove the security of the EdDSA signature scheme under the discrete logarithm assumption in the single-user setting and the one-more discrete logarithm assumption in the multi-user setting.
|
||||
Fuchsbauer et al. generated a tight security proof for the Schnorr signature scheme by using the algebraic group model. \cite{EC:FucPloSeu20} They achieved this by using the representation of the commitment together with a forged signature to compute the discrete logarithm of the public key. This approach looks promising also for the EdDSA signature scheme.
|
||||
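Review bot: several errors survive on the new side of this hunk: "there exists an paper" (should be "a paper"), "They also analyzes" (should be "analyze", present in both the old and the rewritten Chalkias et al. paragraph), "Schorr signatures" (Schnorr, kept in the Kiltz et al. sentence), "Bersteins paper" (Bernstein's), and "abtain" (obtain). In the added Fuchsbauer et al. paragraph the citation sits after the full stop ("...algebraic group model. \cite{EC:FucPloSeu20}"), which typesets as a detached bracket; move it before the period as done elsewhere in the file. The removed closing sentence stated that the one-more discrete logarithm assumption is used in the multi-user setting, while the new ending ("This approach looks promising also for the EdDSA signature scheme") no longer mentions it; the introduction's multi-user paragraph still does, so nothing is lost, but consider keeping that pointer here so Related Work ends on the same claim.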