\section{Conclusion}

In this thesis it has been proven that EdDSA is tightly secure using the algebraic group model and the random oracle model. An algebraic attacker does not gain an advantage by attacking the signature scheme instead of attacking the underlying discrete logarithm problem directly, when taking the clamping of the private key into account. When using strict parsing of signatures the EdDSA signature scheme ensures SUF-CMA security and when using lax parsing the signature scheme still provides EUF-CMA security.

It has also been proven that the most common instantiations Ed25519 and Ed448 provide 125-bit of security and 221-bit of security respectively. This is weaker than the original discrete logarithm problem for the elliptic curves used, but was to be expected considering the clamping of the private key.

Moreover, it has been proven that the signature scheme does not lose much of its security considering a multi-user setting. More specific, with a generous assumption of the existence of $2^{35} (\approx 35 \text{ billion})$ public keys the scheme loses only one bit of security.

According to the results of this thesis, the EdDSA proved to be a secure signature scheme and that the modifications done to the original Schnorr signature scheme have very little affect on the security of the signature scheme. In fact, the only noticeable loss in security was introduced by the clamping of the private key.

\paragraph{Acknowledgments}

Many thanks to Dominik Hartmann and Eike Kiltz for the many discussions that helped me during this thesis.