Minor changes
@@ -3,7 +3,7 @@
|
||||
|
||||
This section takes a closer look at the differences between the existing EdDSA specifications and the original Schnorr signature scheme. This section is partly inspired by \cite{SP:BCJZ21}.
|
||||
|
||||
As mentioned above, there are two papers by Bernstein et. al., that define the EdDSA signature scheme \cite{CHES:BDLSY11,EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. Both variants can be described by the definition of the EdDSA signature scheme, by using a different perhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme.
|
||||
As mentioned above, there are two papers by Bernstein et al., that define the EdDSA signature scheme \cite{CHES:BDLSY11,EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. Both variants can be described by the definition of the EdDSA signature scheme, by using a different perhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme.
|
||||
|
||||
There also exist two major standards for the EdDSA signature scheme. The first one is the RFC 8032, which was introduced by the IETF in 2017 \cite{josefsson_edwards-curve_2017}. In addition to publishing concrete parameterizations for the Ed25519 and Ed448 signature schemes, it also includes a variant of the EdDSA signature scheme that includes a context. The context is a separate string that can be used to separate the use of EdDSA between different protocols. As argued below, the inclusion of this context does not affect the security of the signature scheme and can be modeled as being part of the message.
|
||||
|
||||
|
||||
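Review bot: the rewritten paragraph still reads "by using a different perhash function"; that should be "prehash function", matching the sentence that follows it. Since this line is already being touched for the "et al." fix, correct it in the same change. Two smaller points in the same paragraph: the comma in "Bernstein et al., that define" is not needed before a restrictive clause, and "table \ref{tab:parameter}" would normally be written "Table~\ref{tab:parameter}" to capitalise the reference and prevent a line break before the number.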
@@ -12,7 +12,6 @@ In a 2020 paper, Brendel et al. showed that Ed25519 satisfies EUF-CMA and SUF-CM
|
||||
|
||||
Tightness is a property of a security proof. A security proof is said to be tight if the probability of success of an adversary $\adversary{B}$ attacking problem B, constructed from adversary $\adversary{A}$ attacking problem A, is at most smaller than the probability of success of $\adversary{A}$ by a small constant factor.
|
||||
|
||||
%TODO: Umschreiben
|
||||
Tight security proofs are desirable because they provide a better approximation of the bit security of a signature scheme when instantiated with concrete primitives (such as groups or hash functions)\cite{SAC:ChaMenSar11}. A better approximation results in smaller parameters (such as the size of the group) yielding better bit security. This means that, with tighter security proofs, smaller primitives can be used to achieve the same level of security, and smaller primitives often result in more faster computations and therefore more efficient cryptographic schemes.
|
||||
|
||||
For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security under the discrete logarithm assumption, as shown by Fuchsbauer et al. \cite{EC:FucPloSeu20}.
|
||||
|
||||
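Review bot: the hunk header drops one line (7 to 6), and the only line here that looks like a removal is "%TODO: Umschreiben" (rewrite), yet the paragraph directly after it is unchanged and still needs the rewrite. If the TODO is being deleted, fix the text it flagged first: "more faster computations" should be "faster computations", and "A better approximation results in smaller parameters ... yielding better bit security" reads as if smaller parameters increase security, while the next sentence says they achieve the same level. There is also a missing space before the citation in "hash functions)\cite{SAC:ChaMenSar11}". Otherwise keep the TODO until the paragraph is revised.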
@@ -28,7 +28,7 @@ This means that the advantage to distinguish between two identical-until-bad gam
|
||||
|
||||
\subsection{Elliptic Curves}
|
||||
|
||||
The EdDSA signature scheme has been defined using twisted Edwards curves as the underlying group structure. Twisted Edwards curves are a special form of elliptic curves. For the proofs performed in this thesis, no specific properties of twisted Edwards curves are used. Therefore, they will not be introduced in great detail. For more details on twisted Edwards curves the paper "Twisted Edwards Curves" by Bernstein et. al, may be refereed \cite{EPRINT:BBJLP08}. The use of twisted Edwards curves in EdDSA is mainly for performance reasons \cite{CHES:BDLSY11}.
|
||||
The EdDSA signature scheme has been defined using twisted Edwards curves as the underlying group structure. Twisted Edwards curves are a special form of elliptic curves. For the proofs performed in this thesis, no specific properties of twisted Edwards curves are used. Therefore, they will not be introduced in great detail. For more details on twisted Edwards curves, see the paper by Bernstein et al. \cite{EPRINT:BBJLP08}. The use of twisted Edwards curves in EdDSA is mainly for performance reasons \cite{CHES:BDLSY11}.
|
||||
|
||||
The proofs assume two properties of the underlying group structure, which are true for every elliptic curve. The first is that the underlying group is a generic group, which means that it is only possible to perform the well-defined group operation on the group elements, which is widely assumed to be true for elliptic curves. Elliptic curves often use additive group notation, which means that the group operation is called addition. The second assumption is, that the underlying group is an abelian group. Every elliptic curve is an abelian group.
|
||||
|
||||
|
||||
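Review bot: the reference fix on the changed line is fine, but the unchanged paragraph right below it contradicts itself and is worth correcting in the same pass. It says the two properties "are true for every elliptic curve" and then describes the first one, that the group is a generic group, as "widely assumed to be true". The generic group property is a modelling assumption of the proof, not a fact about elliptic curves, so the opening sentence should claim only the abelian property as true and present the generic group treatment as an assumption. Also drop the comma in "The second assumption is, that".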
@@ -86,7 +86,6 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}
|
||||
%TODO: Nummer vor Oracle
|
||||
\BeginBox[draw=green]
|
||||
\State \underline{\oracle \sign($\m \in \messagespace$)}
|
||||
\Comment{$G_3$}
|
||||
|
||||
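Review bot: the header shows one line dropped here (7 to 6), and the candidate is "%TODO: Nummer vor Oracle" (number before the oracle), but the oracle heading that follows, "\State \underline{\oracle \sign($\m \in \messagespace$)}", still carries no number. If the TODO is being removed, add the line number to the oracle heading in this change so the game listing can be referenced line by line from the proof text. If the numbering was deliberately abandoned, say so in the commit message, which currently says only "Minor changes".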