% masterthesis/thesis/sections/introduction.tex
\section{Introduction}
The EdDSA signature scheme was first introduced in 2011 by Bernstein, Duif, Lange, Schwabe and Yang, instantiated as Ed25519 using the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. In 2015 Bernstein et al. published a new paper, which introduced a more general version of the EdDSA signature scheme \cite{EPRINT:BJLSY15}. Due to its high performance and small signature size, the EdDSA signature scheme is very popular and widely used in applications such as TLS, SSH and the Signal protocol. From these papers came standards such as RFC 8032 \cite{josefsson_edwards-curve_2017} and FIPS 186-5 \cite{moody_digital_2023}.
The original paper focused on the performance of the signature scheme and did not provide a formal security analysis of it. EdDSA is closely related to the Schnorr signature scheme, but the security proofs for Schnorr signature schemes do not carry over to EdDSA directly. EdDSA uses the key-prefixing modification and computes its commitments deterministically; neither change weakens the security \cite{AC:BelPoeSte16}. Besides these modifications, EdDSA also uses a different group structure, namely a prime-order subgroup of a twisted Edwards curve, and clamps some bits of the private key to predefined values. Neither of these two modifications has been well studied for the Schnorr signature scheme. The EdDSA signature scheme also specifies several variations of parsing the signature from a bitstring: one way of parsing allows only a single bitstring representation for each scalar and curve point, while another way allows multiple bitstring representations of the same scalar and curve point. This raises the question of whether the scheme with these changes is still a secure signature scheme.
The desired security notions for signature schemes are EUF-CMA or SUF-CMA security. These security notions require that no adversary is able to produce a forged signature, even after obtaining valid signatures for an arbitrary set of messages of its choice. While EUF-CMA requires the forgery to be a signature for a message for which the adversary did not obtain a valid signature, SUF-CMA also counts as valid forgeries message/signature pairs that were not provided to the adversary, meaning that the adversary also wins if it is able to generate a new valid signature for a message given an already valid signature for that message.
The Schnorr signature scheme originates from a canonical identification scheme to which the Fiat-Shamir transformation is applied \cite{JC:Schnorr91}. This transformation turns the interactive identification scheme into a non-interactive one by making some of the values deterministic. By making these values also dependent on a message, the resulting transcript of the canonical identification scheme can be interpreted as the signature for that message \cite{C:FiaSha86}.
In a 2020 paper, Brendel et al. showed that Ed25519 satisfies EUF-CMA and SUF-CMA security, depending on which EdDSA standard is used \cite{SP:BCJZ21}. They did this by extracting the underlying canonical identification scheme, proving its security, and then proving the security of the constructed signature scheme via the Fiat-Shamir transformation. Due to the use of the reset lemma, the provided security proof is not tight.
Tightness is a property of a security proof. A security proof is said to be tight if an adversary $\adversary{B}$ attacking problem B, constructed from an adversary $\adversary{A}$ attacking problem A, has a probability of success that is smaller than the probability of success of $\adversary{A}$ by at most a small constant factor.
Tight security proofs are desirable because they tightly bind the hardness of the underlying assumption to the security of a cryptographic scheme. Without a tight security proof, it is not ruled out that an adversary may be discovered that needs considerably less effort to break the security of a cryptographic scheme than adversaries against its underlying assumption need \cite{SAC:ChaMenSar11}. For that reason, much larger parameters must be used to securely instantiate the cryptographic scheme than are needed to achieve the same level of security in the underlying assumption. This is undesirable in practice, as a scheme usually becomes less efficient the larger its parameters are chosen.
For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show EUF-CMA security under the discrete logarithm assumption, as shown by Fuchsbauer et al. \cite{EC:FucPloSeu20}, instead of analyzing it as a canonical identification scheme to which the Fiat-Shamir transformation is applied.
This thesis uses a similar approach to the one in the paper by Fuchsbauer et al. \cite{EC:FucPloSeu20} to achieve a tight security proof for EdDSA. The tight security proof is achieved by utilizing the algebraic group model and the random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, mainly the different group structure and the key clamping introduced by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. There are two ways to parse the signature: one is called strict parsing and the other one is called lax parsing. Strict parsing allows only one bitstring representation of a scalar value, while lax parsing allows multiple bitstring representations of the same scalar value. Strict parsing ensures SUF-CMA security, while lax parsing only ensures EUF-CMA security.
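The two details singled out above, key clamping and strict versus lax parsing of the signature scalar, can be made concrete in a few lines. The following is an added example written for this introduction, not code from the thesis or from any EdDSA implementation; it follows the definitions of RFC 8032 (Section 5.1.5 for clamping, Section 5.1.7 for the requirement $0 \le S < L$ at verification), uses the Edwards25519 subgroup order $L$, and the seed and scalar values it feeds in are constructed for illustration. It shows why clamping yields a multiple of the cofactor in a fixed bit range, and why lax parsing maps several 32-byte encodings to the same scalar, which is exactly the gap between EUF-CMA and SUF-CMA that strict parsing closes.

```python
"""Added example (not part of the thesis): Ed25519 private-key clamping and
strict vs. lax parsing of the signature scalar S, following RFC 8032."""
import hashlib

# Order of the prime-order subgroup of Edwards25519 (RFC 8032, Section 5.1).
L = 2**252 + 27742317777372353535851937790883648493


def clamp_scalar(h: bytes) -> int:
    """Key clamping (RFC 8032, Section 5.1.5): the first 32 bytes of SHA-512(seed)
    are read little-endian after clearing the three lowest bits, clearing
    bit 255 and setting bit 254."""
    if len(h) < 32:
        raise ValueError("need at least 32 hash bytes")
    a = bytearray(h[:32])
    a[0] &= 248   # clear 3 low bits: the scalar becomes a multiple of the cofactor 8
    a[31] &= 127  # clear bit 255
    a[31] |= 64   # set bit 254: the scalar always lies in [2^254, 2^255)
    return int.from_bytes(a, "little")


def secret_scalar_from_seed(seed: bytes) -> int:
    """Derives the clamped secret scalar of an Ed25519 key pair from a 32-byte seed."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seeds are 32 bytes")
    return clamp_scalar(hashlib.sha512(seed).digest())


def parse_scalar_strict(s_bytes: bytes):
    """Strict parsing: exactly one encoding per scalar. Only a 32-byte string
    whose little-endian value is already reduced (0 <= S < L) is accepted;
    anything else is rejected (None)."""
    if len(s_bytes) != 32:
        return None
    s = int.from_bytes(s_bytes, "little")
    return s if s < L else None


def parse_scalar_lax(s_bytes: bytes):
    """Lax parsing: every 32-byte string is accepted and reduced modulo L, so a
    scalar S has the encodings S, S+L, S+2L, ... as long as they fit in 256 bits."""
    if len(s_bytes) != 32:
        return None
    return int.from_bytes(s_bytes, "little") % L


def encode_scalar(s: int) -> bytes:
    """Canonical 32-byte little-endian encoding of a reduced scalar."""
    if not 0 <= s < L:
        raise ValueError("scalar must be reduced modulo L")
    return s.to_bytes(32, "little")


def alternative_encodings(s_bytes: bytes) -> list:
    """All other 32-byte strings that lax parsing maps to the same scalar as
    s_bytes. A strict verifier rejects every one of them, so under strict parsing
    a valid signature has no second accepted encoding."""
    s = int.from_bytes(s_bytes, "little") % L
    alts = []
    k = 1
    while s + k * L < 2**256:
        alt = (s + k * L).to_bytes(32, "little")
        if alt != s_bytes:
            alts.append(alt)
        k += 1
    return alts


if __name__ == "__main__":
    seed = bytes([1]) * 32  # constructed seed, not a real key
    a = secret_scalar_from_seed(seed)
    print("clamped scalar is a multiple of 8:", a % 8 == 0,
          "and in [2^254, 2^255):", 2**254 <= a < 2**255)
    s = encode_scalar(12345)  # constructed scalar value
    alts = alternative_encodings(s)
    print(len(alts), "non-canonical encodings accepted by lax parsing,",
          sum(parse_scalar_strict(x) is None for x in alts), "rejected by strict parsing")
```

The check a verifier needs for strict parsing is the single comparison `S < L` in `parse_scalar_strict`; a verifier that instead reduces modulo $L$ (the `parse_scalar_lax` path) still rejects forgeries on new messages but accepts a second encoding of an existing valid signature, which is why the text attributes only EUF-CMA security to lax parsing.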
Another important property of a signature scheme, also briefly mentioned in \cite{SP:BCJZ21}, is its multi-user security. In practical applications of a signature scheme, not only one user is using the scheme, but many users are involved, all of whom have their own key pair. In most cases, an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if it is provided with many public keys and can request signatures under any of the provided public keys. The multi-user security of Schnorr-like signature schemes has been analyzed in several papers \cite{EPRINT:Bernstein15,C:KilMasPan16}, but none of them apply to EdDSA or give a tight reduction.
This thesis uses the same method of providing a tight security proof in the algebraic group model and the random oracle model to prove the security of EdDSA in the multi-user setting, using a variant of the one-more discrete logarithm assumption which also takes the key clamping of EdDSA into account.
Finally, a concrete security level for common instantiations of the EdDSA signature scheme is provided by analyzing the hardness of these variants of the discrete logarithm problem and the one-more discrete logarithm problem in the generic group model.
The main contributions of this thesis are the following:
\begin{enumerate}
\item Providing the first tight security proof for EdDSA in the single-user setting.
\item Providing the first tight security proof for EdDSA in the multi-user setting.
\item Showing the actual bit security of several widely used instantiations of the EdDSA signature scheme.
\end{enumerate}