rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Differences from Schnorr Signatures

Browse Source
This commit is contained in:
Aaron Kaiser
2023-02-23 17:44:00 +01:00
parent 01a6bfded9
commit 836559aa34
1 changed files with 33 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
thesis/Abschlussarbeit.tex
View File

@@ -13,6 +13,7 @@ listof=totoc,
\usepackage{algpseudocodex} \usepackage{algpseudocodex}
\usepackage{multicol} \usepackage{multicol}
\usepackage{tabularx} \usepackage{tabularx}
\usepackage[parfill]{parskip}
\begin{document} \begin{document}
\include{macros.tex} \include{macros.tex}
@@ -121,22 +122,50 @@ This work will take a closer look at the UF-CMA security of the EdDSA signature
In the prehashing variant of EdDSA the signature is calculated on the hash value of the message. The message is used twice during the generation of the signature. Thus the message needs to be buffered or transmitted twice during the generation of the signature. Therefore the prehashing variant offers an performance advantage on memory and bandwidth constraint devices. The context is an additional input parameter which has to be equal during generation and verification of the signature and is used to bind the signature to a given context. In the prehashing variant of EdDSA the signature is calculated on the hash value of the message. The message is used twice during the generation of the signature. Thus the message needs to be buffered or transmitted twice during the generation of the signature. Therefore the prehashing variant offers an performance advantage on memory and bandwidth constraint devices. The context is an additional input parameter which has to be equal during generation and verification of the signature and is used to bind the signature to a given context.
Figure \ref{fig:eddsa} defines the EdDSA signature scheme. In this version the prehashing of the message is ommited since the main security proof will focus on the EdDSA version without prehashing. In this case the prehash function $H'(\cdot)$ is the identity function. After proofing the security of the EdDSA signature scheme without prehashing I will show that EdDSA with prehashing is equally as secure assuming collision resistence of the prehash function $H'(\cdot)$.
%TODO: Ichform?
\subsection{EdDSA Parameter} \subsection{EdDSA Parameter}
The generic version of EdDSA from the "EdDSA for more Curves" paper, the RFC 8032 and the FIPS 186-5 standard is parameterized by the following 11 parameters \cite{EPRINT:BJLSY15} \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. The generic version of EdDSA from the "EdDSA for more Curves" paper, the RFC 8032 and the FIPS 186-5 standard is parameterized by the following 11 parameters \cite{EPRINT:BJLSY15} \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}.
The list of the parameters can be found in table \ref{tab:parameter}.
The encoding function is assumed to be unambiguous. With each point on the twisted Edwards curve having exactly one bitstring representing that point and invalid bitstring being rejected during decoding of the point.
\subsection{Differences from Schnorr Signatures}
As already pointed out in \cite{SP:BCJZ21} there are some minor differences from traditional Schnorr signature which prevent already existing proofs of the Schnorr signature scheme to be applied to EdDSA. This section points out the differences of the EdDSA signature scheme from traditional Schnorr signature scheme.
\subsubsection{Group Structure}
The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edwards curves always have a cofactor of at least 4. Traditional Schnorr signatures are constructed over a prime order field. Since there is no explicit check that points provided to the verify procedure resides in the prime order subgroup the standard proof of Schnorr signature schemes does not apply.
\subsubsection{Private Key Clamping}
\subsubsection{Key Prefixing}
\subsubsection{Deterministic Nonce Generation}
% TODO: Ist das ok hier einfach zu kopieren? % TODO: Ist das ok hier einfach zu kopieren?
\begin{center} \begin{center}
\begin{table}[t] \begin{table}[t]
\caption{text} \caption{Parameter of the EdDSA signature scheme}
\label{tab:parameter} \label{tab:parameter}
\centering \centering
\begin{tabularx}{\textwidth}{@{}lX@{}} \begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Description} \\ \textbf{Parameter} & \textbf{Description} \\
\hline \hline
$q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\mathbb{F}_q$ \\ $q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\mathbb{F}_q$. \\
$b$ & An integer $b$ with $2^{b-1} > q$. EdDSA public keys have exactly b bits, and EdDSA signatures $b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\
have exactly 2b bits. $b$ $Enc(\cdot)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\
$H(\cdot)$ & A cryptographic hash function producing $2b$-bit output. \\
$c$ & The cofactor of the twisted Edwards curve. \\
$n$ & The number of bits used for the secret scalar of the public key. \\
$a, d$ & The curve parameter of the twisted Edwards curve. \\
$B$ & A generator point of the prime order subgroup of $E$. \\
$l$ & The order of the prime order subgroup. \\
$H'(\cdot)$ & A prehash function applied to the message prior to applying the sign or verify procedure.
\end{tabularx} \end{tabularx}
\end{table} \end{table}
\end{center} \end{center}