Included Henrik's annotations up to chapter 4, thanks Henrik

2023-05-30 22:10:18 +02:00
parent 7b5a9598ac
commit cd19dbb4aa
6 changed files with 26 additions and 27 deletions

@@ -17,7 +17,7 @@ Tight security proofs are desirable because they provide a better approximation
For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security under the discrete logarithm assumption, as shown by Fuchsbauer et al. \cite{EC:FucPloSeu20}.
This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduces by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. While allowing only one bitstring representation of a scalar, strict parsing, ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing, results only in EUF-CMA security.
This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduced by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. By allowing only one bitstring representation of a scalar, strict parsing ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing results only in EUF-CMA security.
Another important property of a signature scheme, also briefly mentioned in the paper \cite{SP:BCJZ21}, is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. In most cases, an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the provided public keys. The multi-user security of Schnorr-like signature schemes has been analyzed in several papers \cite{EPRINT:Bernstein15,C:KilMasPan16}, but none of them apply to EdDSA or give a tight reduction.
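Review bot: The rewritten final sentence of the changed paragraph is now a comma splice, and the contrast that "While" carried in the old version is gone: "strict parsing ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing results only in EUF-CMA security" reads as if strict parsing were the one allowing multiple representations. Since this sentence states which parsing rule gives which security notion, I would split or rejoin it explicitly, for example "By allowing only one bitstring representation of a scalar, strict parsing ensures SUF-CMA security, whereas lax parsing, which allows multiple bitstring representations of the same scalar, results only in EUF-CMA security." Two smaller points remain in the lines this change touches or sits next to: "which mainly is the different group structure and the key clamping" has a plural subject and should read "which mainly are", and "its multi-security" in the following context paragraph presumably means "multi-user security", the term used at the end of that same paragraph.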
@@ -25,7 +25,7 @@ This thesis uses the same method of providing a tight security proof in the alge
Finally, a concrete security level for common instantiations of the EdDSA signature scheme is provided by analyzing the hardness of these variants of the discrete logarithm problem and the one-more discrete logarithm problem in the generic group model.
The main contribution of this thesis are the following:
The main contributions of this thesis are the following:
\begin{enumerate}
\item Providing the first tight security proof for EdDSA in the single-user setting.