some more small changes

2023-02-27 17:36:42 +01:00
parent f85f29c221
commit e6acb62385
2 changed files with 17 additions and 8 deletions

@@ -113,6 +113,8 @@ TODO
\subsubsection{Digital Signature Scheme}
\subsubsection{\cma}
\cma is a security notion for digital signature schemes. In this game the attacker is given access to a \Osign oracle, which generates valid signatures for arbitrary messages. The attacker wins the game if he is able to provide a message signature pair which is valid and was not generated by the \Osign oracle. The security game is depicted in figure \ref{game:cma}.
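Review bot: `\subsubsection{Digital Signature Scheme}` is followed directly by `\subsubsection{\cma}` with no body, so the heading is empty in the compiled document; add the scheme definition under it or leave a visible TODO there. In the paragraph, "figure \ref{game:cma}" should be "Figure~\ref{game:cma}" to match the capitalised "Figure \ref{fig:eddsa}" used later, "message signature pair" reads better as "message-signature pair", and unless \cma and \Osign are defined with \xspace the space after each is swallowed in running text, so write `\Osign{}` there.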
@@ -130,7 +132,7 @@ Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \c
\begin{algorithmic}[1]
\State \underline{\game \cma}
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\cdot)}(\pubkey)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
\State \Return $\verify(\pubkey, \m^*, \signature^*) = 1 \wedge (\m^*, \signature^*) \notin M$
\end{algorithmic}
\columnbreak
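Review bot: the return step tests `(\m^*, \signature^*) \notin M`, but none of the visible game steps initialises `M`; add a step such as `\State $M \leftarrow \emptyset$` before the adversary is run so the set the signing oracle fills is defined inside the game. The superscript names the oracle `\sign(\inp)` while the prose above calls it \Osign; pick one name for both. The macro name `\secparamter` is also misspelled, which is worth fixing at its definition while it is still used in few places.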
@@ -162,7 +164,7 @@ This work will take a closer look at the \cma security of the EdDSA signature sc
In the prehashing variant of EdDSA the signature is calculated on the hash value of the message. The message is used twice during the generation of the signature. Thus the message needs to be buffered or transmitted twice during the generation of the signature. Therefore the prehashing variant offers an performance advantage on memory and bandwidth constraint devices. The context is an additional input parameter which has to be equal during generation and verification of the signature and is used to bind the signature to a given context.
Figure \ref{fig:eddsa} defines the EdDSA signature scheme. In this version the prehashing of the message is ommited since the main security proof will focus on the EdDSA version without prehashing. In this case the prehash function $H'(\cdot)$ is the identity function. After proofing the security of the EdDSA signature scheme without prehashing it will be shown that EdDSA with prehashing is equally as secure assuming collision resistence of the prehash function $H'(\cdot)$.
Figure \ref{fig:eddsa} defines the EdDSA signature scheme. In this version the prehashing of the message is ommited since the main security proof will focus on the EdDSA version without prehashing. In this case the prehash function $H'(\inp)$ is the identity function. After proofing the security of the EdDSA signature scheme without prehashing it will be shown that EdDSA with prehashing is equally as secure assuming collision resistence of the prehash function $H'(\inp)$.
\subsection{EdDSA Parameter}
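Review bot: the rewritten "Figure \ref{fig:eddsa} defines ..." line only swaps `\cdot` for `\inp` and keeps three typos: "ommited" (omitted), "proofing" (proving) and "collision resistence" (resistance). The context paragraph above it has "an performance advantage" and "constraint devices" (a performance advantage, constrained devices), and its second and third sentences read as if the message were used twice in the prehashing variant; state explicitly that this is the behaviour of the variant without prehashing, which prehashing avoids.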
@@ -195,16 +197,16 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Description} \\
\hline
$q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\mathbb{F}_q$. \\
$q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\field{F}_q$. \\
$b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\
$Enc(\cdot)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\
$H(\cdot)$ & A cryptographic hash function producing $2b$-bit output. \\
$Enc(\inp)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\
$H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\
$c$ & The cofactor of the twisted Edwards curve. \\
$n$ & The number of bits used for the secret scalar of the public key. \\
$a, d$ & The curve parameter of the twisted Edwards curve. \\
$B$ & A generator point of the prime order subgroup of $E$. \\
$l$ & The order of the prime order subgroup. \\
$H'(\cdot)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure.
$H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure.
\end{tabularx}
\end{table}
\end{center}
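Review bot: the closing lines `\end{table}` then `\end{center}` show the `table` float nested inside a `center` environment; put `\centering` inside the `table` and drop the `center` wrapper, since the float is placed independently of the surrounding environment. In the rows, "The curve parameter" for `$a, d$` should be plural, `$E$` in the `$B$` row is not introduced anywhere in the table, and `\sign or \verify` in the last row needs `\sign{}` (or \xspace in the macro) to keep the space in text mode.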
@@ -264,11 +266,12 @@ The proof starts by showing that the UF-NMA security of EdDSA implies \cma secur
The chain of reductions can be depicted as:
\[ DLog' => Game Z => UF-NMA_{EdDSA} => \cma_{EdDSA} \]
\[ DLog' => \igame => UF-NMA_{EdDSA} => \cma_{EdDSA} \]
\subsection{UF-NMA $=>$ \cma (ROM)}
In this section I will show that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. I first start by providing an intuition for the proof followed by the detailed security proof.
% TODO: "intuition for the proof" vs. "intuition of the proof"?
This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by providing an intuition for the proof followed by the detailed security proof.
\paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
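Review bot: the new introductory sentence says that "the \cma security of EdDSA signature scheme implies the UF-NMA security", which is the reverse of the heading `UF-NMA $=>$ \cma (ROM)` and of the Proof Overview ("UF-NMA security implies \cma security"); swap the two notions in that sentence. In the reduction chain, `=>` in math mode typesets as "=" followed by ">", and `UF-NMA_{EdDSA}` turns the hyphen into a minus sign; use `\Rightarrow` and wrap the names in `\text{...}`. The new line uses `\igame` where the old one had "Game Z", so check that the macro expands to the name used in the rest of the proof.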
@@ -278,6 +281,9 @@ To generate a signature without the knowledge of the private key the challenge a
\paragraph{Formal Proof}
\subsection{\igame $=>$ UF-NAM}
\newpage
\section{The Security of EdDSA in a Multi-User Setting}
\section{The Ed-GGM}
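Review bot: the new heading `\subsection{\igame $=>$ UF-NAM}` misspells the notion; every other occurrence is "UF-NMA". The same `$=>$` rendering issue applies here, so `$\Rightarrow$` is the better choice, and `\paragraph{Formal Proof}` is left with no body directly before the new subsection, so add a TODO marker like the one at the top of the file.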