\section{Related Work}

\paragraph{Standards for EdDSA} The EdDSA signature scheme was introduced in 2011 by Bernstein et al. as the specific instance Ed25519, which is the EdDSA signature scheme instantiated with the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. In 2015, a later paper by Bernstein et al. introduced a more general version of EdDSA, which mainly lifted some restrictions on the underlying finite field of the elliptic curve \cite{EPRINT:BJLSY15}. It also introduced a prehashing variant of EdDSA called HashEdDSA, while the original version is called PureEdDSA. In HashEdDSA, the message is hashed before the signature algorithm is invoked. This has advantages on memory-constrained devices because the device does not have to store the entire message. In 2017, the IETF published a standard for EdDSA in its RFC 8032 \cite{josefsson_edwards-curve_2017}. This standard removes some ambiguity regarding the decoding of integers and points of the elliptic curve during signature verification. It also introduces a new variant of the signature scheme that includes an additional parameter named context. In addition to standardizing a general version of EdDSA, the RFC included parameters for the specific instantiations Ed25519 and Ed448. In 2023, this standard was adopted by NIST in its ``Digital Signature Standard (DSS)'' FIPS 186-5 \cite{moody_digital_2023}.

\paragraph{Schnorr Signatures and Fiat-Shamir Transformation} The EdDSA and Schnorr signature schemes have a similar structure. The Schnorr signature scheme is a signature scheme introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. It has proven to be a robust and efficient signature scheme and has undergone several security analyses. The foundation of the Schnorr signature scheme is the canonical identification scheme. A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a three-way protocol between two parties.
The prover attempts to prove knowledge of a secret key to the verifier, who only knows the public key. This is done by exchanging three messages between the two parties. First, the prover initiates the protocol by sending a commitment $R$ to the verifier. The verifier responds with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, the challenge, and its secret key to compute a response $s$. The verifier can then use the commitment, challenge, and response together with the public key of the prover to verify the response and thereby verify that the prover is actually in possession of the private key. To obtain a signature scheme from the canonical identification scheme, it must be made non-interactive. This can be achieved using the Fiat-Shamir transformation. The transformation was introduced by Fiat and Shamir in 1986 \cite{C:FiaSha86}. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the prover. This is a crucial part of the scheme's security, since otherwise the prover might be able to choose a commitment and a challenge in a way that allows him to generate a valid solution without being in possession of the secret key. The Fiat-Shamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the prover without the need to interact with another party. This allows the prover to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge.
To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function. There are many proofs showing that the Fiat-Shamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98,JC:PoiSte00,EC:AABN02}).

\paragraph{Related Proofs} As mentioned above, there exists a paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to embed a challenge in one of the hash queries, further losing tightness. A paper by Chalkias, Garillot and Nikolaenko analyzes the security of Ed25519 with respect to different signature decoding methods and the implementation of additional checks during the signature verification \cite{EPRINT:ChaGarNik20}. This paper also analyzes lesser-known security properties such as strongly binding signatures, but already assumes SUF-CMA security of Ed25519. They also analyzed the impact of cofactorless vs. cofactored verification with respect to batch verification of Ed25519 signatures.
The multi-user security of EdDSA was briefly analyzed in a paper by Bernstein after he exposed a flaw in a tight multi-user security proof for the Schnorr signature scheme by Galbraith, Malone-Lee, and Smart \cite{EPRINT:Bernstein15}. In this paper, Bernstein provided a tight security proof for the multi-user security of key-prefixed Schnorr signatures. The EdDSA signature scheme is also a key-prefixed version of a Schnorr signature. However, due to the clamping introduced in the key generation algorithm of EdDSA, these results do not apply directly to EdDSA. Attempting to use the same method as in Bernstein's paper would again result in a non-tight security proof, as already mentioned in the same paper. In 2016, Kiltz et al. provided a tight bound on the multi-user security of Schnorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by EdDSA due to the clamping introduced by the key generation algorithm. Fuchsbauer et al. gave a tight security proof for the Schnorr signature scheme by using the algebraic group model \cite{EC:FucPloSeu20}. They achieved this by using the representation of the commitment together with a forged signature to compute the discrete logarithm of the public key. This approach also looks promising for the EdDSA signature scheme.
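
The canonical identification scheme and its Fiat-Shamir transformation from the Schnorr paragraph of this section, written out as an added example (not code from the cited papers). It assumes a toy multiplicative Schnorr group with constructed parameters and a key-prefixed SHA-512 challenge; all function names are hypothetical, and the last function shows why a challenge fixed before the commitment lets a party without the secret key pass verification.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration and far too small for use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    a = secrets.randbelow(Q - 1) + 1        # secret key a in [1, Q-1]
    return a, pow(G, a, P)                  # (sk, pk = g^a)

def commit():
    r = secrets.randbelow(Q - 1) + 1        # prover's ephemeral secret
    return r, pow(G, r, P)                  # (r, commitment R = g^r)

def respond(sk, r, ch):
    return (r + ch * sk) % Q                # response s = r + ch * a mod Q

def cid_verify(pk, R, ch, s):
    # Check of the identification scheme: accept iff g^s == R * pk^ch.
    return pow(G, s, P) == (R * pow(pk, ch, P)) % P

def challenge(R, pk, msg):
    # Fiat-Shamir: the verifier's random challenge becomes a hash of the
    # commitment and the message; including pk is the key prefixing.
    data = f"{R}|{pk}|".encode() + msg
    return int.from_bytes(hashlib.sha512(data).digest(), "big") % Q

def sign(sk, pk, msg):
    r, R = commit()
    return R, respond(sk, r, challenge(R, pk, msg))

def verify(pk, msg, sig):
    R, s = sig
    return cid_verify(pk, R, challenge(R, pk, msg), s)

def simulate_with_chosen_challenge(pk, ch):
    # If ch is known before R is fixed, pick s first and solve for
    # R = g^s * pk^(-ch); the transcript verifies without the secret key.
    s = secrets.randbelow(Q)
    R = (pow(G, s, P) * pow(pk, (Q - ch) % Q, P)) % P
    return R, s
```

Because the hash input contains $R$, the shortcut in `simulate_with_chosen_challenge` is unavailable to a signer: changing $R$ changes the challenge.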