From 8650907a7507003a0a147168a93112f80fccfcfa Mon Sep 17 00:00:00 2001 From: Aaron Kaiser Date: Thu, 2 Mar 2023 11:23:26 +0100 Subject: [PATCH] removed old TODO comments --- thesis/Abschlussarbeit.tex | 5 ----- 1 file changed, 5 deletions(-) diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex index e6143e8..d1bcd49 100644 --- a/thesis/Abschlussarbeit.tex +++ b/thesis/Abschlussarbeit.tex @@ -87,8 +87,6 @@ abstract %Hauptteil der Arbeit -% TODO: Make citation links clickable - \section{Introduction} Ed25519 is a signature scheme introduced by Bernstein, Duif, Lange, Schwabe, and Yang in 2012 \cite{JCEng:BDLSY12}. Ed25519 is a signature scheme defined for the Ed25519 twisted Edwards curve. In 2015 the paper "EdDSA for more curves" expanded the Ed25519 signature scheme to the more general EdDSA signature scheme \cite{EPRINT:BJLSY15}. Due to its high performance the EdDSA signature scheme is very popular and widely used in applications like TLS, SSH and the Signal protocol. @@ -265,7 +263,6 @@ To make working with the random oracle easier in the following proofs some calls This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:sdlog} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA. -% TODO: richtige Richtung? The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next a intermediate game is introduced onto which the UF-NMA securtiy of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of DLog. The chain of reductions can be depicted as: 
@@ -397,7 +394,6 @@ Game $G_0$ is defined in Figure \ref{fig:igamewithabort} by ignoring all boxes. Let $\adversary{A}$ be an adversary that solves \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then % TODO: hard bezüglich ggen - % TODO: min entropy von {0,1}^{2b} mod L? \[ \advantage{\igame}{\adversary{A}} \leq \advantage{\sdlog}{\adversary{B}} - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \end{theorem} @@ -410,7 +406,6 @@ Game $G_0$ is defined in Figure \ref{fig:igamewithabort} by ignoring all boxes. \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \] - % TODO: wählen von \item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ being the min entropy of $c \pmod L$ since $c$ is chosen from $\{0,1\}^{2b}$ uniformly at random and then reduced modulo $L$ in the check during the if condition. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] = \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
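Review bot: In the hunk at @@ -87,8 +87,6 @@, the TODO "Make citation links clickable" is dropped, but this patch consists of deletions only (1 file changed, 5 deletions), so nothing visible here implements it. Please confirm the preamble already produces clickable citations (for example by loading hyperref), or keep the item tracked somewhere else. In the context lines of the same hunk, the first two sentences of the Introduction both open with "Ed25519 is a signature scheme" and could be merged.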
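Review bot: In the hunk at @@ -265,7 +263,6 @@, the removed comment "richtige Richtung?" (right direction?) sat directly above the paragraph that describes the chain of reductions, and that paragraph still leaves the direction ambiguous. It switches between "UF-NMA security of EdDSA implies \cma security" and "onto which the UF-NMA securtiy of EdDSA is reduced". I suggest phrasing every step the same way (for example "X security implies Y security") so the text matches the depicted chain before the question is deleted. The same paragraph has two typos: "a intermediate game" should be "an intermediate game", and "securtiy" should be "security".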
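Review bot: In the hunk at @@ -397,7 +394,6 @@, the theorem bound subtracts the bad-event term (\advantage{\igame}{\adversary{A}} \leq \advantage{\sdlog}{\adversary{B}} - ...), while the game hop in the proof gives |\Pr[G_1 \Rightarrow 1] - \Pr[G_2 \Rightarrow 1]| \leq \Pr[bad], which is an additive loss, so the sign should be +. The min-entropy TODO removed here also deserves one more check: the largest number of values in \{0,1\}^{2b} that map to one residue modulo L is \lceil 2^{2b}/L \rceil, which differs from \lceil (2^{2b}-1)/L \rceil when L divides 2^{2b}-1. Since 2^{-\log_2(x)} = 1/x, the fraction simplifies to \oraclequeries \cdot \lceil \cdot \rceil 2^{-2b}, which is easier to read. Finally, the subject says old TODO comments were removed, but "% TODO: hard bezüglich ggen" remains in this hunk; either resolve it or say why it stays.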
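Review bot: In the hunk at @@ -410,7 +406,6 @@, the G_2 paragraph states \Pr[bad] = \frac{\oraclequeries}{...} right after a union bound over per-query probabilities that are given as "at most", so the equality should be \leq, consistent with the displayed inequality that follows it. The sentence starting "$-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ being the min entropy of $c \pmod L$" has no main verb; "is the min entropy" would fix it. "Union bound" is usually written in lower case.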