\section{Concrete Security of EdDSA}

Now that a security bound on the complexity of an adversary breaking EdDSA has been established, the concrete security of the signature scheme can be analyzed.
The security level of a cryptographic scheme can be determined by analyzing the success ratio of an adversary.
The success ratio of an attacker is determined by its success probability and its runtime: it is simply the advantage of the adversary divided by its runtime.

\begin{definition}[Success Ratio]
Let $\adversary{A}$ be an adversary with runtime $Time(\adversary{A})$ and advantage $\advantage{\adversary{A}}{}$. Its success ratio is defined as follows:
\[ SR(\adversary{A}) = \frac{\advantage{\adversary{A}}{}}{Time(\adversary{A})}. \]
\end{definition}

With this definition of the success ratio, the bit security of a cryptographic scheme can be defined.

\begin{definition}[Bit Security]
A cryptographic scheme has $\kappa$-bit security if the success ratio of every adversary with runtime $Time(\adversary{A}) \leq 2^\kappa$ is upper bounded by $2^{-\kappa}$.
\end{definition}

This definition can be used to calculate the bit security of concrete instantiations of EdDSA.
The most popular instantiations of EdDSA are Ed25519 and Ed448, as they are also specified in the RFC and the NIST standard.

\subsection{Ed25519}

\begin{theorem}[Ed25519 Bit Security]
\label{theorem:ed25519}
The Ed25519 signature scheme provides 125-bit security in the single-user setting and 124-bit security in the multi-user setting against algebraic adversaries.
\end{theorem}

Ed25519 is one of the most widely used instantiations of EdDSA.
According to the RFC it is supposed to provide around 128 bits of security.
It uses the twisted Edwards curve Ed25519 and SHA-512 as its hash function \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}.
This provides the following values, which are needed to calculate the security level of Ed25519 according to the security proof in this thesis:
\begin{center}
\begin{table}[ht]
\centering
\begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Value} \\
\hline
$b$ & $256$ \\
$n$ & $254$ \\
$c$ & $3$ \\
$L$ & $2^{252}+27742317777372353535851937790883648493$
\end{tabularx}
\caption{Parameters of Ed25519}
\label{tab:ed25519}
\end{table}
\end{center}

\begin{proof}
\item First, the runtime of the adversaries against Ed25519 in the single-user setting is analyzed.
The success probability of an adversary $\adversary{B}$ in the \sdlog game is $\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} \leq \frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}}$.
When instantiated with the values for Ed25519, an adversary $\adversary{B}$ is able to solve the \sdlog game with constant probability after about $2^{125}$ group operations.
Therefore, the runtime of the adversary $\adversary{B}$ in the \sdlog game can be upper bounded by $2^{125}$.
The runtime of an adversary $\adversary{A}$ against Ed25519 is roughly the same as that of the adversary $\adversary{B}$ against \sdlog and can therefore also be upper bounded by $2^{125}$.
This, together with the advantage of adversary $\adversary{A}$, can be used to upper bound its success ratio.
Since the runtime of the adversary is upper bounded by $2^{125}$, the number of hash queries $\hashqueries$ and group operations $\groupqueries$ can also be upper bounded by $2^{125}$.
A reasonable upper bound for the signing queries $\oraclequeries$ is $2^{64}$, as they are online and cannot be computed by the adversary in secret.
This provides the following bound for the success ratio:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{125} + 3)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64}}{2^{252} 2^{125}} \\
&\approx 2^{-125} + 2^{-316} + 2^{-189} \\
&\approx 2^{-125}
\end{align*}
This shows that Ed25519 provides $125$-bit security in the single-user setting.

To get a security level in the multi-user setting, an upper bound on the number of instances $N$ is needed.
In \cite{C:KilMasPan16} Kiltz et al. mention that the existence of at least $N = 2^{30} (\approx 1 \text{ billion})$ public keys can be assumed.
For the following calculations the number of instances is assumed to be $N \leq 2^{35}$.
An adversary $\adversary{B}$ against \somdl has a constant probability of winning the game after about $2^{125}$ group operations.
Hence, its runtime is upper bounded by $2^{125}$.
The success ratio can then be calculated in the same way as in the single-user setting.
This provides a success ratio of:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{125} + 2^{35} + 2)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64} 2^{35}}{2^{252} 2^{125}} \\
&\approx 2^{-124} + 2^{-316} + 2^{-189} \\
&\approx 2^{-124}
\end{align*}
This shows that Ed25519 provides $124$-bit security in the multi-user setting.
\item This proves Theorem~\ref{theorem:ed25519}.
\end{proof}

\subsection{Ed448}

\begin{theorem}[Ed448 Bit Security]
\label{theorem:ED448}
The Ed448 signature scheme provides 221-bit security in the single-user setting and 220-bit security in the multi-user setting against algebraic adversaries.
\end{theorem}

Another popular instantiation of the EdDSA signature scheme is Ed448.
It uses the Ed448 twisted Edwards curve and SHAKE256 as its hash function.
It is supposed to provide around 224 bits of security and was also standardized by the IETF and NIST \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}.
The respective standards provide the following values:
\begin{center}
\begin{table}[ht]
\centering
\begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Value} \\
\hline
$b$ & $456$ \\
$n$ & $447$ \\
$c$ & $2$ \\
$L$ & $2^{446} - 13818066809895115352007386748515426880336692474882178609894547503885$
\end{tabularx}
\caption{Parameters of Ed448}
\label{tab:ed448}
\end{table}
\end{center}

\begin{proof}
\item These values can be used to upper bound the success ratio of an adversary $\adversary{A}$ against Ed448.
To begin, the runtime of an adversary $\adversary{B}$ against \sdlog is upper bounded, using the values from the Ed448 signature scheme.
The adversary $\adversary{B}$ achieves a constant probability of winning the \sdlog game after $2^{223}$ group operations.
This also upper bounds its runtime.
Now the success ratio of adversary $\adversary{A}$ against Ed448 can be calculated as follows:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{223} + 3)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} 2^{223} + 2^{64}}{2^{446} 2^{223}} \\
&\approx 2^{-221} + 2^{-455} + 2^{-382} \\
&\approx 2^{-221}
\end{align*}
This shows that Ed448 provides $221$-bit security in the single-user setting.

Now the same is done for the multi-user security of Ed448.
This yields the following upper bound for the success ratio:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{223} + 2^{35} + 2)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} 2^{223} + 2^{64} 2^{35}}{2^{446} 2^{223}} \\
&\approx 2^{-220} + 2^{-445} + 2^{-382} \\
&\approx 2^{-220}
\end{align*}
This shows that Ed448 provides $220$-bit security in the multi-user setting.
\item This proves Theorem~\ref{theorem:ED448}.
\end{proof}
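
The following Python script is an added example and not part of the thesis: it evaluates the success-ratio bounds of both proofs with exact rational arithmetic, using the parameters from the two tables and the query bounds $2^{64}$ and $N = 2^{35}$ assumed in the text. The function names are chosen here, and rounding the exponent to the nearest integer mirrors the $\approx$ steps above.

```python
from fractions import Fraction
from math import log2

# Parameters copied from the two parameter tables above.
ED25519 = {"b": 256, "n": 254, "c": 3,
           "L": 2**252 + 27742317777372353535851937790883648493}
ED448 = {"b": 456, "n": 447, "c": 2,
         "L": 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885}


def log2_fraction(x):
    """log2 of a positive Fraction; math.log2 accepts arbitrarily large ints."""
    return log2(x.numerator) - log2(x.denominator)


def success_ratio_terms(p, t_exp, n_exp=None, qo_exp=64):
    """Exact summands (dlog, hash, signing) of the success-ratio bound.

    t_exp  : log2 of the runtime bound, also used for q_g and q_h
    n_exp  : log2 of the number of users N; None selects the single-user bound
    qo_exp : log2 of the number of signing queries
    """
    b, L = p["b"], p["L"]
    group_bits = p["n"] - 1 - p["c"]
    time = q_g = q_h = 2**t_exp
    q_o = 2**qo_exp
    if n_exp is None:
        users = 1
        dlog = Fraction((q_g + 3)**2 + 1, 2**group_bits)
    else:
        users = 2**n_exp
        dlog = Fraction(2 * (q_g + users + 2)**2 + 1, 2**group_bits)
    hash_term = Fraction(2 * (q_h + 1), 2**b)
    # 1 / 2^{-log2(ceil((2^{2b}-1)/L) * 2^{-2b})} = ceil((2^{2b}-1)/L) / 2^{2b}
    ceil_quot = -(-(2**(2 * b) - 1) // L)
    sign_term = Fraction((q_o * q_h + q_o * users) * ceil_quot, 2**(2 * b))
    return [term / time for term in (dlog, hash_term, sign_term)]


def bit_security(p, t_exp, n_exp=None):
    """-log2 of the summed bound, rounded to the nearest integer."""
    return round(-log2_fraction(sum(success_ratio_terms(p, t_exp, n_exp))))


if __name__ == "__main__":
    for name, p, t_exp in (("Ed25519", ED25519, 125), ("Ed448", ED448, 223)):
        print(name, bit_security(p, t_exp), bit_security(p, t_exp, n_exp=35))
```

Calling `success_ratio_terms` directly returns the three summands separately, which shows that the discrete-logarithm term determines the result in all four cases.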