Added conclusion
@@ -1 +1,9 @@
|
||||
\section{Conclusion}
|
||||
|
||||
In this thesis it has been proven that EdDSA is tightly secure using the algebraic group model and the random oracle model. An algebraic attacker does not gain an advantage by attacking the signature scheme instead of attacking the underlying discrete logarithm problem directly, when taking the clamping of the private key into account. When using strict parsing of signatures the EdDSA signature scheme ensures SUF-CMA security and when using lax parsing the signature scheme still provides EUF-CMA security.
|
||||
|
||||
It has also been proven that the most common instantiations Ed25519 and Ed448 provide 125-bit of security and 221-bit of security respectively. This is weaker than the original discrete logarithm problem for the elliptic curves used, but was to be expected considering the clamping of the private key.
|
||||
|
||||
Moreover, it has been proven that the signature scheme does not lose much of its security considering a multi-user setting. More specific, with a generous assumption of the existence of $2^{35} (\approx 35 \text{ billion})$ public keys the scheme loses only one bit of security.
|
||||
|
||||
According to the results of this thesis, the EdDSA proved to be a secure signature scheme and that the modifications done to the original Schnorr signature scheme have very little affect on the security of the signature scheme. In fact, the only noticeable loss in security was introduced by the clamping of the private key.
|
||||
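Review bot: The last paragraph of the new conclusion has a word error and a broken sentence: "have very little affect on the security" should read "effect", and "the EdDSA proved to be a secure signature scheme and that the modifications ..." does not parse. Something like "EdDSA is a secure signature scheme, and the modifications made to the original Schnorr signature scheme have very little effect on its security" would fix both. In the third paragraph "More specific," should be "More specifically,". In the second paragraph "125-bit of security" and "221-bit of security" should be "125 bits of security" and "221 bits of security"; the hyphenated form only works attributively, as in "125-bit security". That paragraph also gives the two figures without the qualifier "against algebraic adversaries" that the theorems carry, so consider repeating it there.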
@@ -20,10 +20,10 @@ This definition can be used to calculate the bit security of concrete instantiat
|
||||
|
||||
\begin{theorem}[Ed25519 Bit Security]
|
||||
\label{theorem:ed25519}
|
||||
The Ed25519 signature scheme provides 125 bit security in the single-user setting and 124 bit security in the multi-user setting against algebraic adversaries.
|
||||
The Ed25519 signature scheme provides 125-bit security in the single-user setting and 124-bit security in the multi-user setting against algebraic adversaries.
|
||||
\end{theorem}
|
||||
|
||||
Ed25519 is one of the most widely used instantiations of EdDSA. According to the RFC it is supposed to provide around 128 bit of security. It uses the twisted Edwards curve Ed25519 and SHA-512 as a hash function \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. This provides the following values, needed to calculate the security level of Ed25519 according to the security proof in this thesis:
|
||||
Ed25519 is one of the most widely used instantiations of EdDSA. According to the RFC it is supposed to provide around 128-bit of security. It uses the twisted Edwards curve Ed25519 and SHA-512 as a hash function \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. This provides the following values, needed to calculate the security level of Ed25519 according to the security proof in this thesis:
|
||||
|
||||
\begin{center}
|
||||
\begin{table}[ht]
|
||||
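Review bot: The hyphenation is applied one place too many in the paragraph after the theorem: "around 128 bit of security" became "around 128-bit of security", which is still ungrammatical. The hyphen is correct in the theorem statement ("125-bit security"), but here the number is followed by "of", so it should read "around 128 bits of security", matching the "around 224 bits of security" wording used for Ed448.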
@@ -55,7 +55,7 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
|
||||
&\approx 2^{-125}
|
||||
\end{align*}
|
||||
|
||||
This shows that Ed25519 provides $125$ bit security in the single-user setting.
|
||||
This shows that Ed25519 provides $125$-bit security in the single-user setting.
|
||||
|
||||
To get a security level in the multi-user setting an upper bound on the number of instances $N$ is needed. In \cite{C:KilMasPan16} Kiltz et al. mentioned that the existance of at lease $N = 2^{30} (\approx 1 \text{ billion})$ public keys can be assumed. For the following calculations the number of instances is assumed to be $N \leq 2^{35}$. An adversary $\adversary{B}$ against \somdl has a constant probability of winning the game after about $2^{125}$ group operations. Hence, its runtime is upper bounded by $2^{125}$. The success ration can then be calculated in the same way as it has been done in the single-user setting.
|
||||
|
||||
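Review bot: The paragraph directly below the changed line still carries several typos that this wording pass could pick up: "existance" should be "existence", "at lease" should be "at least", and "success ration" should be "success ratio". The paragraph also cites $N = 2^{30}$ from Kiltz et al. and then calculates with $N \leq 2^{35}$ without saying why the larger bound was chosen; one clause explaining that it is a deliberately generous margin (as the conclusion puts it) would help the reader.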
@@ -70,7 +70,7 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
|
||||
&\approx 2^{-124}
|
||||
\end{align*}
|
||||
|
||||
This shows that Ed25519 provides $124$ bit security in the multi-user setting.
|
||||
This shows that Ed25519 provides $124$-bit security in the multi-user setting.
|
||||
|
||||
\item This proofs theorem \ref{theorem:ed25519}.
|
||||
\end{proof}
|
||||
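Review bot: The closing line of the proof, "\item This proofs theorem \ref{theorem:ed25519}.", is untouched but wrong: "proofs" should be "proves", and "Theorem" is normally capitalised before a \ref. Suggested: "This proves Theorem \ref{theorem:ed25519}."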
@@ -79,7 +79,7 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
|
||||
|
||||
\begin{theorem}[Ed448 Bit Security]
|
||||
\label{theorem:ED448}
|
||||
The Ed448 signature scheme provides 221 bit security in the single-user setting and 220 bit security in the multi-user setting against algebraic adversaries.
|
||||
The Ed448 signature scheme provides 221-bit security in the single-user setting and 220-bit security in the multi-user setting against algebraic adversaries.
|
||||
\end{theorem}
|
||||
|
||||
Another popular instantiation of the EdDSA signature scheme is Ed448. It uses the Ed448 twisted Edwards curve and SHAKE256 as hash function. It is supposed to provide around 224 bits of security and was also standardized by the IETF and NIST \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. The respective standards provide following values:
|
||||
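Review bot: In the context paragraph after the Ed448 theorem, "The respective standards provide following values:" is missing an article and should read "provide the following values:". The Ed25519 paragraph ends with "This provides the following values, ...", so aligning the two sentences would also make the sections read consistently.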
@@ -112,7 +112,7 @@ Another popular instantiation of the EdDSA signature scheme is Ed448. It uses th
|
||||
&\approx 2^{-221}
|
||||
\end{align*}
|
||||
|
||||
This shows that Ed448 provides $221$ bit security in the single-user setting.
|
||||
This shows that Ed448 provides $221$-bit security in the single-user setting.
|
||||
|
||||
Now the same is done for the multi-user security of Ed448. This yields following upper bound for the success ration:
|
||||
|
||||
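Review bot: The sentence introducing the multi-user calculation, "This yields following upper bound for the success ration:", has two errors left in place: it should be "yields the following upper bound" and "success ratio". The same "ration" typo appears in the Ed25519 multi-user paragraph, so a search and replace over the file would catch both.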
@@ -125,7 +125,7 @@ Another popular instantiation of the EdDSA signature scheme is Ed448. It uses th
|
||||
&\approx 2^{-220}
|
||||
\end{align*}
|
||||
|
||||
This shows that Ed448 provides $220$ bit security in the multi-user setting.
|
||||
This shows that Ed448 provides $220$-bit security in the multi-user setting.
|
||||
|
||||
\item This proofs theorem \ref{theorem:ED448}.
|
||||
\end{proof}
|
||||
|
||||
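Review bot: The label in "\ref{theorem:ED448}" is upper-case while the sibling label is "theorem:ed25519"; LaTeX labels are case-sensitive, so pick one convention (for example "theorem:ed448") and rename the \label and every \ref together to avoid undefined-reference warnings later. The same closing line also needs "proofs" changed to "proves", as in the Ed25519 proof.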