Included Henrik's annotations up to chapter 4, thanks Henrik

This commit is contained in:
2023-05-30 22:10:18 +02:00
parent 7b5a9598ac
commit cd19dbb4aa
6 changed files with 26 additions and 27 deletions

View File

@@ -1,17 +1,16 @@
\section{EdDSA Signatures}
\label{sec:eddsa}
This section takes a closer look at the differences between the existing EdDSA specifications and points out the differences between the standards and the original Schnorr signature scheme. This section is partly inspired by \cite{SP:BCJZ21}.
This section takes a closer look at the differences between the existing EdDSA specifications and the original Schnorr signature scheme. This section is partly inspired by \cite{SP:BCJZ21}.
As mentioned above, there are two papers by Bernstein et. al., that define the EdDSA signature scheme \cite{CHES:BDLSY11,EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in the table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. Both variants can be described by the definition of the EdDSA signature scheme, by using a different perhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme.
As mentioned above, there are two papers by Bernstein et. al., that define the EdDSA signature scheme \cite{CHES:BDLSY11,EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. Both variants can be described by the definition of the EdDSA signature scheme, by using a different perhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme.
There also exist two major standards for the EdDSA signature scheme. The first is the RFC 8032, which was introduced by the IETF in 2017 \cite{josefsson_edwards-curve_2017}. n addition to publishing concrete parameterizations for the Ed25519 and Ed448 signature schemes, it also includes a variant of the EdDSA signature scheme that includes a context. The context is a separate string that can be used to separate the use of EdDSA between different protocols. As argued below, the inclusion of this context does not affect the security of the signature scheme and can be modeled as being part of the message.
There also exist two major standards for the EdDSA signature scheme. The first one is the RFC 8032, which was introduced by the IETF in 2017 \cite{josefsson_edwards-curve_2017}. In addition to publishing concrete parameterizations for the Ed25519 and Ed448 signature schemes, it also includes a variant of the EdDSA signature scheme that includes a context. The context is a separate string that can be used to separate the use of EdDSA between different protocols. As argued below, the inclusion of this context does not affect the security of the signature scheme and can be modeled as being part of the message.
The 2023 FIPS 186-5 standard \cite{moody_digital_2023} also includes the EdDSA signature scheme as specified in the RFC 8032.
The 2023 FIPS 186-5 standard \cite{moody_digital_2023} also includes the EdDSA signature scheme as specified in RFC 8032.
The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}.
% TODO: Ist das ok hier einfach zu kopieren?
\begin{center}
\begin{table}[!ht]
\centering
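Review bot: the rewritten paragraph still carries the typo "perhash function" in "by using a different perhash function"; it should read "prehash function", matching the sentence before it. The same line keeps "Bernstein et. al.," (should be "et al.,"), and "the message is being hashed" reads better as "is hashed". The German TODO comment "% TODO: Ist das ok hier einfach zu kopieren?" (Is it OK to simply copy this here?) is still unresolved in the context lines; if the table is copied from \cite{EPRINT:BJLSY15}, the caption should attribute it.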
@@ -79,7 +78,7 @@ The message space $\messagespace$ is defined as a bitstring of arbitrary length.
Looking at the RFC and FIPS standards, the context is passed to a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during signature generation and verification. Since the proofs are performed in the random oracle model, the position of the data in the hash function call, the actual content of the message, and the context are not relevant to the output of the random oracle call. Unless the reduction explicitly uses the content of the message, which it does not in this case. Therefore, the context can be modeled as part of the message.
\subsection{Signature}
The signature is a defined as a $2b$ bitstrig of the encoded curve points $\groupelement{R}$ concatenated with the $b$-bit little endian encoding of the scalar $S$.
The signature is defined as a $2b$ bitstring of the encoded curve points $\groupelement{R}$ concatenated with the $b$-bit little endian encoding of the scalar $S$.
The fact that $S$ is defined as $b$-bit little-endian encoding poses a problem. It is possible that the decoded $S$ is larger than the order $L$ of the generator. The original paper \cite{EPRINT:BJLSY15} proposes two ways to handle decoded $S$ values that are larger than $L$. The first approach is to replace $S$ with $S \pmod L$ and continue verifying the signature. This is called lax parsing. The other approach is to reject all $S$ values greater than $L$ and fail the signature verification in that case. Parsing the integer in this way is called strict parsing.
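Review bot: "the encoded curve points $\groupelement{R}$" should be singular, since $\groupelement{R}$ is one point: "the encoded curve point $\groupelement{R}$". In the context line below, the strict-parsing condition is stated as rejecting $S$ "greater than $L$", but the lax/strict distinction is about non-canonical encodings, i.e. $S \geq L$; $S = L$ is a non-canonical encoding of the scalar $0$ and strict parsing rejects it as well, so "larger than"/"greater than" should read "greater than or equal to" in both places. The fragment "Unless the reduction explicitly uses the content of the message, which it does not in this case." in the first context line is not a complete sentence; join it to the preceding sentence with a comma.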
@@ -101,7 +100,7 @@ This may pose additional challenges, since working with group elements outside t
Instead of choosing the secret scalar uniformly at random, as done in most other schemes, the secret scalar is generated by hashing a random bitstring, fixing some bits of the hash result to a specific value and then interpreting $n$ bits of the result as the little endian representation of an integer.
To be more precise from the lower $b$ bit of the $2b$ bit the lowest $c$ bit are set to 0, where $c$ is the cofactor of the twisted Edwards cureve, and the $n$th bit is set to 1. Then the first $n$ bits are interpreted as the secret scalar $s$.
To be more precise from the lower $b$ bits of the $2b$ bitstring the lowest $c$ bit are set to 0, where $c$ is the cofactor of the twisted Edwards curve, and the $n$th bit is set to 1. Then the first $n$ bits are interpreted as the secret scalar $s$.
This is strictly less secure, in the sense of the discrete logarithm problem, than choosing the secret scalar uniformly at random. It also makes proofs in the multi-user setting more challenging, since rerandomization of a public key is not easily possible and therefore the multi-user security of EdDSA cannot be easily reduced onto the single-user security of EdDSA.
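Review bot: "the lowest $c$ bit are set to 0" needs "bits", and $c$ is described as the cofactor, whereas in \cite{EPRINT:BJLSY15} $c$ is the base-2 logarithm of the cofactor (the cofactor is $2^c$); clearing the lowest $c$ bits makes the scalar a multiple of $2^c$. "Then the first $n$ bits are interpreted as the secret scalar" also looks off by one: bit $n$ is set to 1 and belongs to the scalar, so the scalar consists of bits $0$ through $n$ (that is, $n+1$ bits), as in $s = 2^n + \sum_{c \leq i < n} 2^i h_i$.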
@@ -159,14 +158,14 @@ The EdDSA' signature scheme is shown in figure \ref{fig:eddsa'}. The difference
\begin{theorem}
\label{theorem:adveddsa'}
Let $\adversary{A}$ be and adversary against SUF-CMA security of the EdDSA signature scheme. Then
Let $\adversary{A}$ be an adversary against SUF-CMA security of the EdDSA signature scheme. Then
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) + \frac{2 (\hashqueries + 1)}{2^b}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
The different games used in the proof are depicted in figure \ref{fig:eddsa'games}. The proof uses the random oracle model. The main idea is that the values $h$ and $r_i$ look uniformly random to the adversary if he never queries the hash function with $k$ or a value starting with $h_b | ... | h_{2b-1}$. Since those values are unknown to the adversary it is only able to guess those values, which is unlikely due to the high entropy of those values. For this reason, these calls to the hash function can be replaced by sampling truly random values.
The different games used in the proof are depicted in figure \ref{fig:eddsa'games}. The proof uses the random oracle model. The main idea is that the values $h$ and $r_i$ look uniformly random to the adversary if he never queries the hash function with $k$ or a value starting with $h_b | ... | h_{2b-1}$. Since those values are unknown to the adversary, it is only able to guess those values, which is unlikely due to the high entropy of them. For this reason, these calls to the hash function can be replaced by sampling truly random values.
\paragraph{\underline{Formal Proof}}
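Review bot: the proof overview switches pronoun for the adversary within one sentence ("if he never queries ... it is only able to guess"); the rest of the chapter uses "it", so use "it" here too. "due to the high entropy of them" reads awkwardly; the previous wording "the high entropy of those values" was clearer. In the math, "$h_b | ... | h_{2b-1}$" should use \dots rather than three periods.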
@@ -250,11 +249,11 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\begin{proof}
\item The proof will be conducted by gradually changing the game $G_0$, which is the SUF-CMA game for EdDSA, to $G_4$, which is the SUF-CMA game for EdDSA'. At each step it is argued that the change can be detected with at most negligible probability.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the black one. Clearly $G_0$ is the $\cma$ game for EdDSA. By definition,
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes except the black one. Clearly $G_0$ is the $\cma$ game for EdDSA. By definition,
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the black boxes. This change inlines the hash function calls and introduces to if conditions in the random oracle that set a bad flag if the abort condition is true. The inlining of the hash function calls ensures that the challenger does not trigger the abort conditions itself. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the black boxes. This change inlines the hash function calls and introduces two if conditions in the random oracle that set a bad flag if the abort condition is true. The inlining of the hash function calls ensures that the challenger does not trigger the abort conditions itself. Since the behavior of the game does not change, the changes are conceptual and the probability of winning the game is not affected. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
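Review bot: "can be detected with at most negligible probability" in the opening \item undersells the result, since theorem \ref{theorem:adveddsa'} gives the concrete bound $\frac{2 (\hashqueries + 1)}{2^b}$ and the thesis is about tight, concrete bounds; say instead that each game hop is bounded by a concrete term and that these terms are summed at the end.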
@@ -277,4 +276,4 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\item This proves theorem \ref{theorem:adveddsa'}.
\end{proof}
The proof for the EUF-CMA security is the same for as the proof for the SUF-CM security, with the only difference being the win condition for the adversary. Now that EdDSA' has been introduced, and it has been shown that the for and adversary cannot distinguish between these signature schemes in the SUF-CMA and EUF-CMA setting, the EdDSA' signature scheme is used instead of the EdDSA signature scheme for the proofs in the following section. Using the EdDSA' makes the proofs in the random oracle model easier.
The proof for the EUF-CMA security is the same as the proof for the SUF-CM security, with the only difference being the win condition for the adversary. Now that EdDSA' has been introduced, and it has been shown that the adversary cannot distinguish between these signature schemes in the SUF-CMA and EUF-CMA setting, the EdDSA' signature scheme is used instead of the EdDSA signature scheme for the proofs in the following section. Using EdDSA' makes the proofs in the random oracle model easier.
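Review bot: "SUF-CM security" in the rewritten line is still a typo for "SUF-CMA security". Also, "the adversary cannot distinguish between these signature schemes" overstates the theorem, which gives a bound rather than perfect indistinguishability; "no adversary can distinguish ... except with the probability bounded in theorem \ref{theorem:adveddsa'}" is more accurate.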

View File

@@ -17,7 +17,7 @@ Tight security proofs are desirable because they provide a better approximation
For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security under the discrete logarithm assumption, as shown by Fuchsbauer et al. \cite{EC:FucPloSeu20}.
This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduces by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. While allowing only one bitstring representation of a scalar, strict parsing, ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing, results only in EUF-CMA security.
This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduced by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. By allowing only one bitstring representation of a scalar, strict parsing ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing results only in EUF-CMA security.
Another important property of a signature scheme, also briefly mentioned in the paper \cite{SP:BCJZ21}, is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. In most cases, an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the provided public keys. The multi-user security of Schnorr-like signature schemes has been analyzed in several papers \cite{EPRINT:Bernstein15,C:KilMasPan16}, but none of them apply to EdDSA or give a tight reduction.
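Review bot: the last sentence of the rewritten line is a comma splice; "strict parsing ensures SUF-CMA security, allowing multiple bitstring representations of the same scalar, lax parsing results only in EUF-CMA security" needs a contrast, e.g. "..., whereas allowing multiple bitstring representations of the same scalar (lax parsing) results only in EUF-CMA security." In the context line below, "its multi-security" should read "its multi-user security".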
@@ -25,7 +25,7 @@ This thesis uses the same method of providing a tight security proof in the alge
Finally, a concrete security level for common instantiations of the EdDSA signature scheme is provided by analyzing the hardness of these variants of the discrete logarithm problem and the one-more discrete logarithm problem in the generic group model.
The main contribution of this thesis are the following:
The main contributions of this thesis are the following:
\begin{enumerate}
\item Providing the first tight security proof for EdDSA in the single-user setting.

View File

@@ -3,7 +3,7 @@
\subsubsection{General Notation}
% TODO: Notation mit residual ring und finite field abklären.
For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from an non-empty set $A$ uniformly at random. $\assign$ denotes a deterministic assignment of a variable. $\{0,1\}^n$ is a bitstring of length n, while $\{0,1\}^*$ denotes a finite bitstring of arbitrary length. $(x,y)$ is a tuple of the two elements $x$ and $y$. $\{x,y\}$ is a set of the elements $x$ and $y$. At the beginning of a game a set is initialized to be the empty set $\{\}$. $\sum$ denotes a table and $\sum[x]$ denotes the value of the table at position $x$. Each position of the table is uninitialized at the beginning of the game. An uninitialized position in the table is denote with the bottom symbol $\bot$. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if there exists a $N \in \mathbb{N}$ for all polynomials $p$ so that $\forall n \geq N: f(n) < \frac{1}{p(n)}$. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ and uniformly random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. The main procedure runs and adversary $\adversary{A}$ given some inputs and access to the oracle procedures and getting some output from the adversary $\adversary{A}$. Based on the output of the adversary $\adversary{A}$ and its oracle calls the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game.
For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from a non-empty set $A$ uniformly at random. $\assign$ denotes a deterministic assignment of a variable. $\{0,1\}^n$ is a bitstring of length n, while $\{0,1\}^*$ denotes a finite bitstring of arbitrary length. $(x,y)$ is a tuple of the two elements $x$ and $y$. $\{x,y\}$ is a set of the elements $x$ and $y$. At the beginning of a game a set is initialized to be the empty set $\{\}$. $\sum$ denotes a table and $\sum[x]$ denotes the value of the table at position $x$. Each position of the table is uninitialized at the beginning of the game. An uninitialized position in the table is denoted with the bottom symbol $\bot$. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if there exists a $N \in \mathbb{N}$ for all polynomials $p$ so that $\forall n \geq N: f(n) < \frac{1}{p(n)}$. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ and uniformly random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. When the game is played, the main procedure is run and adversary $\adversary{A}$ is given some inputs and access to the oracle procedures. Based on the output of the adversary $\adversary{A}$ and its oracle calls, the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game.
\subsubsection{Algebraic Notation}
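Review bot: the definition of negligible in the rewritten line has the quantifiers in the wrong order: "there exists a $N \in \mathbb{N}$ for all polynomials $p$" would force $f(n) \leq 0$, because for a fixed $n$ the bound $1/p(n)$ can be made arbitrarily small by choosing $p$. It should read "for every polynomial $p$ there exists an $N \in \mathbb{N}$ such that $\forall n \geq N: f(n) < \frac{1}{p(n)}$". Two smaller points: "For an integer n" and "of length n" leave $n$ outside math mode, and using $\sum$ as the symbol for a table collides with summation, which the proofs also use; a letter such as $\mathsf{T}$ avoids the clash.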

View File

@@ -2,9 +2,9 @@
\subsection{Code-based reduction proofs}
To perform the security proof of the EdDSA signature scheme code based game playing proofs are used as introduced in \cite{EC:BelRog06}. For this proofs an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output from the adversary. The game then decides, depending on the output of the adversary, whether the adversary won or not. In addition the adversary might get oracle access to one or more procedures, meaning that the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The advantage of the adversary in a game describes its ability to win the game more reliably than using generic attacks (e.g. guessing the answer to the game).
To perform the security proof of the EdDSA signature scheme, code-based game playing proofs are used as introduced in \cite{EC:BelRog06}. In these proofs, an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output back from it. The game then decides, depending on the output of the adversary, whether it has won or not. In addition the adversary might get oracle access to one or more procedures, meaning that the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The adversaries's advantage in a game is the adversaries's ability to win the game more reliably than through the use of generic attacks (e.g. guessing the answer to the game).
During the proof these games are being modified until an adversary against the modified game can also be used as an adversary against another game. This method is called a reduction proof. It shows that one problem (described by one game) can be reduced to another problem. In other words it says that if problem A can be reduced onto problem B any algorithm solving problem A can be transformed into an algorithm solving problem B.
During the proof ,these games are being modified until an adversary against the modified game can also be used as an adversary against another game. This method is called a reduction proof. It shows that one problem (described by one game) can be reduced to another problem. In other words, it says that if problem A can be reduced onto problem B, any algorithm solving problem A can be transformed into an algorithm solving problem B.
\subsubsection{Identical-Until-Bad Games}
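Review bot: "The adversaries's advantage ... the adversaries's ability" in the first rewritten line should be "adversary's" (singular possessive) both times, and the second rewritten line has a misplaced comma in "During the proof ,these games". "reduced onto" is non-idiomatic ("reduced to"). The direction stated here (an algorithm solving A yields one solving B) is the cryptographic reading of "reducing the security of A to problem B"; in complexity theory "A reduces to B" means the opposite, so a one-sentence clarification would help readers from that background.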
@@ -48,7 +48,7 @@ Especially the programmability of the random oracle will be used in the followin
\subsection{Algebraic Group Model (AGM)}
The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model, all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an oracle parameter. For example, if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs the group element $\groupelement{C}$ and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$.
The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model, all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an oracle parameter. For example, if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs, the group element $\groupelement{C}$, and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$.
\subsection{Generic Group Model (GGM)}
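Review bot: the rewritten sentence introduces a stray comma and a number agreement problem: "the group element $\groupelement{C}$, and its representation $\overset{\rightharpoonup}{c}$ is denoted" should be "the group element $\groupelement{C}$ and its representation $\overset{\rightharpoonup}{c}$ are denoted". "regarding all group elements the adversary received" is also vague; "in terms of all group elements it has received so far from the challenger" is the usual phrasing, and it should say whether the generator counts among those elements, since the representation vector in the example omits it.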
@@ -56,4 +56,4 @@ Unlike the random oracle model or the algebraic group model the generic group mo
The generic group model was first introduced by Shoup in 1997 \cite{EC:Shoup97}. In this paper, Shoup proved an information-theoretic lower bound for the discrete logarithm problem. He did that by replacing group elements with labels that are random bit strings. In this way he hid all group-specific representations of the elements. Group actions are only possible via oracles, which are provided to the adversary by the challenger. The only action the adversary can perform on its own is to compare elements for equality by comparing labels.
In 2005, Maurer proposed an alternative proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup.
In 2005, Maurer proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup.
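Review bot: "Group actions are only possible via oracles" in the context line should be "group operations", since "group action" is a different notion (a group acting on a set). The rewritten line correctly drops the duplicated "proposed an alternative".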

View File

@@ -2,17 +2,17 @@
\paragraph{Standards for EdDSA} The EdDSA signature scheme was introduced in 2011 by Bernstein et al. as the specific instance Ed25519, which is the EdDSA signature scheme instantiated with the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. Later in 2015, with a paper by Bernstein et al., a more general version of EdDSA was introduced, which mainly lifted some restrictions on the underlying finite field of the elliptic curve \cite{EPRINT:BJLSY15}. It also introduced a prehashing variant of EdDSA called HashEdDSA, while the original version is called PureEdDSA. In HashEdDSA, the message is hashed before the signature algorithm is invoked. This has advantages on memory-constrained devices because it does not have to store the entire message. In 2017, the IETF published a standard for EdDSA in its RFC 8032 \cite{josefsson_edwards-curve_2017}. This standard removes some ambiguity regarding the decoding of integers and points of the elliptic curve during signature verification. It also introduces a new variant of the signature scheme that includes an additional parameter named context. In addition to standardizing a general version of EdDSA, the RFC included parameters for specific instantiations Ed25519 and Ed448. In 2023, this standard was adopted by the NIST in its "Digital Signature Standard (DSS)" FIPS 186-5 \cite{moody_digital_2023}.
\paragraph{Schnorr Signatures and Fiat-Schamir Transformation} The EdDSA signature scheme is similar in structure to the Schnorr signature scheme. The Schnorr signature scheme is a signature scheme introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. The Schnorr signature scheme has proven to be a robust and efficient signature scheme and has undergone several security analyses. The foundation of the Schnorr signature scheme is the canonical identification scheme.
\paragraph{Schnorr Signatures and Fiat-Schamir Transformation} The EdDSA and Schnorr signature schemes have a similar structure. The Schnorr signature scheme is a signature scheme introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. It has proven to be a robust and efficient signature scheme and has undergone several security analyses. The foundation of the Schnorr signature scheme is the canonical identification scheme.
A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a three-way protocol between two parties. The prover attempts to prove the knowledge of a secret key to the verifier, who only knows the public key. This is done by exchanging three messages between the two parties. First, the prover initiates the protocol by sending a commitment $R$ to the verifier. The verifier respondes with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, the challenge, and its secret key to compute a response $s$. The verifier then can then use the commitment, challenge, and response together with the public key of the prover to verify the response and thereby verify that the prover is actually in the possession of the private key.
To obtain a signature scheme from the canonical identification scheme, it must be made non-interactive. This can be achieved using the Fiat-Schamir transformation. The transformation was introduced by Fiat and Schamir in 1986 \cite{C:FiaSha86}. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the prover. This is a crucial part of the scheme's security, since otherwise the prover might be able to choose a commitment and a challenge in a way that allows him generate a valid solution without being in the possession of the secret key.
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. This allows the proofer to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function. There are many proofs sowing that the Fiat-Schamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98,JC:PoiSte00,EC:AABN02}).
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the prover without the need to interact with another party. This allows the prover to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function. There are many proofs showing that the Fiat-Schamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98,JC:PoiSte00,EC:AABN02}).
\paragraph{Related Proofs} As mentioned above, there exists an paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to embed a challenge in one of the hash queries, further losing tightness.
\paragraph{Related Proofs} As mentioned above, there exists a paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to embed a challenge in one of the hash queries, further losing tightness.
A paper by Chalkias, Garillot and Nikolaenko analyzes the security of Ed25519 with respect to different signature decoding methods and the implementation of additional checks during the signature verification \cite{EPRINT:ChaGarNik20}. This paper also analyzes lesser known security properties such as strongly binding signatures, but already assumes SUF-CMA security of Ed25519. They also analyzes the impact of cofactorless vs. cofactored verification with respect to batch verification of Ed25519 signatures.
A paper by Chalkias, Garillot and Nikolaenko analyzes the security of Ed25519 with respect to different signature decoding methods and the implementation of additional checks during the signature verification \cite{EPRINT:ChaGarNik20}. This paper also analyzes lesser known security properties such as strongly binding signatures, but already assumes SUF-CMA security of Ed25519. They also analyzed the impact of cofactorless vs. cofactored verification with respect to batch verification of Ed25519 signatures.
The multi-user security of EdDSA was briefly analyzed in a paper by Bernstein after he exposed a flaw in a tight multi-user security proof for the Schnorr signature scheme by Galbraith, Malone-Lee, and Smart \cite{EPRINT:Bernstein15}. In this paper, Bernstein provided a tight security proof for the multi-user security of key-prefixed Schnorr signatures. The EdDSA signature scheme is also a key-prefixed version of a Schnorr signature. However, due to the clamping introduced in the key generation algorithm of EdDSA, these results do not apply directly to EdDSA. Attempting to use the same method as in Bersteins paper would again result in a non-tight security proof, as already mentioned in the same paper.
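Review bot: two spelling errors survive this annotation pass in the unchanged lines of this hunk: "Fiat-Schamir" (three occurrences in the first paragraph) should be "Fiat-Shamir", and "Bersteins paper" in the last paragraph should be "Bernstein's paper". Since the commit already touches the neighbouring sentences for "an paper" and "They also analyzed", both are worth fixing here; a smaller style point in the changed line is "lesser known security properties", which reads better hyphenated as "lesser-known".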

View File

@@ -1,6 +1,6 @@
\subsection{Digital Signature Scheme}
A digital signature scheme is a method to ensure the authenticity of data. The signer, which is in the possession of a private key, generates a signature for specific message. The verifier then is able to verify the authenticity of this data using the public key and the generated signature.
A digital signature scheme is a method to ensure the authenticity of data. The signer, which is in the possession of a private key, generates a signature for a specific message. The verifier is then able to verify the authenticity of this data using the public key and the generated signature.
\begin{definition}
A digital signature scheme SIG = (\keygen,\sign,\verify) is a tuple of algorithms.
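Review bot: the reworded sentence still reads awkwardly in "The signer, which is in the possession of a private key"; suggest "The signer, who is in possession of a private key, generates a signature for a specific message." Also, in the unchanged definition line the scheme is written as "SIG = (\keygen,\sign,\verify)" in text mode, while the later MU-EUF-CMA definition writes "$SIG = (\keygen, \sign, \verify)$" in math mode; pick one form and use it in both places.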
@@ -11,15 +11,15 @@ A digital signature scheme is a method to ensure the authenticity of data. The s
\item \textbf{\verify}: The verification algorithm, which upon receiving the public key, the message and the signature decides whether the signature is valid for the specific set of input parameters.
\end{itemize}
For the digital signature scheme to be correct it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$
For the digital signature scheme to be correct, it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$
\end{definition}
A common security notion for digital signature schemes is the existential unforgeability under chosen message attack security (EUF-CMA). It requires that no adversary is able to forge a signature, for a given key, on a message for which they have not been provided with a valid signature. A stronger notion that is often used is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and had to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions with $N=1$.
A common security notion for digital signature schemes is the existential unforgeability under chosen message attack security (EUF-CMA). It requires that no adversary is able to forge a signature, for a given key, on a message for which they have not been provided with a valid signature. A stronger notion that is often used is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and MU-SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions with $N=1$.
\subsubsection{MU-EUF-CMA}
\begin{definition}[MU-EUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is MU-EUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
\[ \advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \assign \prone{\text{MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter) \]
\end{definition}
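Review bot: the display equation under the MU-EUF-CMA definition both defines the advantage ("\assign \prone{\text{MU-EUF-CMA}^{\adversary{A}}}") and bounds it ("\leq negl(\secparamter)") in one line, so the advantage reads as being defined to be at most negligible; since the negligibility requirement is already stated in the prose sentence just above, drop the "\leq negl(\secparamter)" part from the display or split it into a definition and a separate inequality. Related style points in the same hunk: "negl" inside math mode should be upright ("\mathrm{negl}" or a macro), "par" in the correctness condition "\keygen(par)" likewise, and that correctness condition lacks a trailing period. The corrections in this hunk ("has to forge", "MU-SUF-CMA" in the prose, and "MU-EUF-CMA secure" in the definition sentence) are right.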