Introduction section
@@ -94,20 +94,8 @@ abstract
%Hauptteil der Arbeit
%Hauptteil der Arbeit
\section{Introduction}
\input{sections/introduction}
Ed25519 is a signature scheme introduced by Bernstein, Duif, Lange, Schwabe, and Yang in 2012 \cite{JCEng:BDLSY12}. Ed25519 is a signature scheme defined for the Ed25519 twisted Edwards curve. In 2015 the paper "EdDSA for more curves" expanded the Ed25519 signature scheme to the more general EdDSA signature scheme \cite{EPRINT:BJLSY15}. Due to its high performance the EdDSA signature scheme is very popular and widely used in applications like TLS, SSH and the Signal protocol.
Despite the wide use of EdDSA there is little security analysis of this signature scheme. The EdDSA signature scheme is based on the Schnorr signature scheme, which uses the Fiat-Schamir transformation to create a signature scheme from a secure identification scheme. Even though the EdDSA scheme is close to the original Schnorr signature scheme the standard security proof of the Schnorr signature scheme does not apply. The paper "The Provable Security of Ed25519: Theory and Practice" by Brendel et al. shows the security of Ed25519 by extracting the underlying identification scheme and proofing the security of this scheme as well as the applied Fiat-Schamir transformation \cite{SP:BCJZ21}. Due to the use of the Reset Lemma this yields a non-tight security proof of the Ed25519 signature scheme.
This work uses a different approach to proof the security of the EdDSA signature scheme by using the Algebraic Group Model (AGM) to directly reduce the security of EdDSA signature scheme to a special variant of the discrete logarithm problem. This approach yields a tight security proof.
%TODO: result of thesis
TODO
\raggedbottom
\newpage
\section{Related Work}
\section{Related Work}
\input{sections/preliminaries}
\input{sections/preliminaries}
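Review bot: the `\raggedbottom` and `\newpage` that stood before `\section{Related Work}` are removed here but do not reappear in the new `sections/introduction.tex` (that file ends at the `\end{enumerate}` of the contributions list), so Related Work no longer starts on a fresh page; if that break was intentional, keep `\newpage` in this file right after `\input{sections/introduction}` or append it to the new file. The removed paragraph was also the only place `\cite{JCEng:BDLSY12}` was used, and the new introduction cites `\cite{CHES:BDLSY11}` instead, so the 2012 journal entry becomes an orphaned bibliography item unless it is cited elsewhere; either cite both versions or drop the unused entry.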
@@ -179,6 +179,8 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
The different games used in the proof are depicted in figure \ref{fig:eddsa'games}. The proof uses the random oracle model. The main idea that the values $h$ and $r_i$ look uniformly random to the adversary if he never queries the random oracle with $k$ or a value starting with $h_b | ... | h_{2b-1}$. Therefor those calls to the random oracle can be replaced with the sampling of truly random values.
The different games used in the proof are depicted in figure \ref{fig:eddsa'games}. The proof uses the random oracle model. The main idea that the values $h$ and $r_i$ look uniformly random to the adversary if he never queries the random oracle with $k$ or a value starting with $h_b | ... | h_{2b-1}$. Therefor those calls to the random oracle can be replaced with the sampling of truly random values.
\paragraph{\underline{Formal Proof}}
\begin{figure}
\begin{figure}
\hrule
\hrule
\begin{multicols}{2}
\begin{multicols}{2}
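Review bot: the new `\paragraph{\underline{Formal Proof}}` is placed directly before `\begin{figure}`, but `\paragraph` is a run-in heading that attaches to the text following it, and the figure is a float that LaTeX may move away from this position; as written the heading is not visually attached to the proof text it is meant to introduce. Move it to just before the first sentence of the formal proof (after `\end{figure}`), and prefer a small macro such as a dedicated heading command over `\underline` inside a sectioning command so the style can be changed in one place. The unchanged context line above also carries two typos worth fixing while here: "The main idea that the values" is missing "is", and "Therefor" should be "Therefore".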
23
thesis/sections/introduction.tex
Normal file
@@ -0,0 +1,23 @@
\section{Introduction}
The EdDSA signature scheme was first introduced in 2011 by Bernstein, Duif, Lange, Schwabe and Yang, instantiated as Ed25519 using the Edwards25519 twisted Edwards curve, in the paper "High-speed high-security signatures" \cite{CHES:BDLSY11}. In 2015 Bernstein et. al. published the paper "EdDSA fore more curves", which introduced a more general version the EdDSA signature scheme \cite{EPRINT:BJLSY15}. Due to its high performance and small signature size, the EdDSA signature scheme is very popular and widely used in applications such as TLS, SSH and the Signal protocol. From these papers came standards such as RFC 8032 \cite{josefsson_edwards-curve_2017} and FIPS 186-5 \cite{moody_digital_2023}.
The original paper focused on the performance of the signature scheme and did not provide a formal security analysis of the signature scheme. The EdDSA signature scheme is closely related to the Schnorr signature scheme. Although EdDSA is related to the Schnorr signature scheme, it contains some modifications that make the security proof of the Schnorr signature scheme inapplicable to EdDSA. Schnorr signature schemes are derived from a canonical identification scheme to which the Fiat-Schamir transformation is applied.
The desired security notions for the signature scheme are EUF-CMA or SUF-CMA security. These security notions require that no adversary is able to provide a forged signature from an arbitrary set of valid signatures for arbitrary messages. While EUF-CMA requires a forged signature for a message for which the adversary does not have a valid signature, SUF-CMA also counts as valid forgeries message signature pairs that were not provided to the adversary.
In 2020, Brendel et. al. showed in the paper "The Provable Security of Ed25519: Theory and Practice" that Ed25519 satisfies EUF-CMA and SUF-CMA security, depending on which standard is used \cite{SP:BCJZ21}. They did this by extracting the underlying canonical identification scheme, proving its security, and then proving the security of the constructed signature scheme. Due to the use of the reset lemma, the provided security proof is not tight.
Tight security proofs are desirable because they provide a better approximation of the bit security of a signature scheme when instantiated with concrete primitives (such as groups or hash functions). A better approximation results in smaller parameters (such as the size of the group) yielding better bit security. This means that smaller primitives can be used to achieve the same level of security, and smaller primitives often result in more efficient cryptographic schemes.
This thesis achieves a tight security proof by using the algebraic group model to show the relationship between the EUF/SUF-CMA security of different versions of the EdDSA signature scheme and the discrete logarithm problem. By directly reducing the EUF/SUF-CMA security of the EdDSA signature scheme to the discrete logarithm, a tight security proof can be achieved since the reset lemma is not used for this approach.
Another important property of a signature scheme is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. Most of the time an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the public keys provided.
The main contribution of this thesis are the following:
\begin{enumerate}
\item Providing the first tight security proof for EdDSA in the single-user setting.
\item Providing the first tight security proof for EdDSA in the multi-user setting.
\item Showing the actual bit security of several widely used instantiations of the EdDSA signature scheme.
\end{enumerate}
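Review bot: the tightness paragraph of the new file inverts its own argument: "A better approximation results in smaller parameters (such as the size of the group) yielding better bit security" says that smaller parameters give more security, whereas the following sentence correctly states that a tighter bound lets the same security level be reached with smaller parameters; reword the first sentence so both say the latter. The year in "In 2020, Brendel et. al. showed" does not match the cite key `SP:BCJZ21`, so check the bibliography entry and make the year and citation agree. Several wording fixes are also needed: "EdDSA fore more curves" should be "EdDSA for more curves"; "et. al." should be "et al." in both places; "Fiat-Schamir" should be "Fiat-Shamir"; "a more general version the EdDSA signature scheme" is missing "of"; "message signature pairs" should be hyphenated; "reducing ... to the discrete logarithm" should end with "problem" as in the preceding sentence; and "The main contribution of this thesis are the following" needs "contributions".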