masterthesis/thesis/sections/related_work.tex

\section{Related Work}
\paragraph{Standards for EdDSA} The EdDSA signature scheme was introduced in 2011 by Bernstein et al. as the specific instance Ed25519, which is the EdDSA signature scheme instantiated with the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. Later, in 2015, a paper by Bernstein et al. introduced a more general version of EdDSA, which mainly lifted some restrictions on the underlying finite field of the elliptic curve \cite{EPRINT:BJLSY15}. It also introduced a prehashing variant of EdDSA called HashEdDSA, while the original version is called PureEdDSA. In HashEdDSA, the message is hashed before the signature algorithm is invoked. This is advantageous on memory-constrained devices because the device does not have to buffer the entire message. In 2017, the IETF published a standard for EdDSA in its RFC 8032 \cite{josefsson_edwards-curve_2017}. This standard removes some ambiguity regarding the decoding of integers and points of the elliptic curve during signature verification. It also introduces a new variant of the signature scheme that includes an additional parameter named \context. In addition to standardizing a general version of EdDSA, the RFC includes parameters for the specific instantiations Ed25519 and Ed448. In 2023, this standard was adopted by NIST in its ``Digital Signature Standard (DSS)'' FIPS 186-5 \cite{moody_digital_2023}.
\paragraph{Schnorr Signatures and Fiat-Shamir Transformation} The EdDSA and Schnorr signature schemes have a similar structure. The Schnorr signature scheme was introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. It has proven to be a robust and efficient signature scheme and has undergone several security analyses \cite{EPRINT:Bernstein15,C:KilMasPan16,EC:FucPloSeu20,EC:PoiSte96,AC:PaiVer05,C:GarBhaLok08,EC:Seurin12}. The foundation of the Schnorr signature scheme is the canonical identification scheme \cite{EC:AABN02} to which the Fiat-Shamir transformation \cite{C:FiaSha86} is applied. There are many proofs showing that the Fiat-Shamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98,JC:PoiSte00,EC:AABN02}).
\paragraph{Related Proofs} As mentioned above, there exists a paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to guess the position of the hash query in which they had to embed a challenge, further losing tightness.
A paper by Chalkias, Garillot and Nikolaenko analyzes the security of Ed25519 with respect to different signature decoding methods and the implementation of additional checks during signature verification \cite{EPRINT:ChaGarNik20}. This paper also analyzes lesser-known security properties such as strongly binding signatures, but already assumes SUF-CMA security of Ed25519. They also analyzed the impact of cofactorless vs.\ cofactored verification with respect to batch verification of Ed25519 signatures.
The multi-user security of EdDSA was briefly analyzed in a paper by Bernstein \cite{EPRINT:Bernstein15} after he exposed a flaw in a tight multi-user security proof for the Schnorr signature scheme by Galbraith, Malone-Lee, and Smart \cite{galbraith_public_2002}. In this paper, Bernstein provided a tight security proof for the multi-user security of key-prefixed Schnorr signatures. The EdDSA signature scheme is also a key-prefixed version of a Schnorr signature. However, due to the clamping introduced in the key generation algorithm of EdDSA, these results do not apply directly to EdDSA. Attempting to use the same method as in Bernstein's paper would again result in a non-tight security proof, as already mentioned in the same paper.
In 2016, Kiltz et al. provided a tight bound on the multi-user security of Schnorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by EdDSA due to the clamping introduced by the key generation algorithm.
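To make the clamping obstacle from the two preceding paragraphs concrete, the following Python example (added here; it is not code from the thesis) derives an Ed25519 secret scalar from a seed as in RFC 8032 and then checks whether a scalar shifted by a random value modulo the group order, the operation a random self-reducibility argument relies on, still has the clamped form. The seed and shift value are constructed; the function names are my own.

```python
import hashlib
import secrets

# Order L of the Ed25519 base point (RFC 8032, section 5.1).
L = 2**252 + 27742317777372353535851937790883648493


def clamp(s: bytes) -> bytearray:
    """RFC 8032 section 5.1.5 clamping of the 32-byte secret scalar."""
    s = bytearray(s)
    s[0] &= 248    # clear the low 3 bits: the scalar becomes a multiple of 8
    s[31] &= 127   # clear bit 255
    s[31] |= 64    # set bit 254
    return s


def expand_secret_key(seed: bytes):
    """Derive (scalar a, hash prefix) from a 32-byte Ed25519 seed as in RFC 8032."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(clamp(h[:32]), "little")
    return a, h[32:]


def is_clamped(a: int) -> bool:
    """True iff the integer a has the shape RFC 8032 clamping produces:
    a multiple of 8 with bit 254 set and bit 255 clear."""
    return a % 8 == 0 and 2**254 <= a < 2**255


def rerandomize(a: int, r: int) -> int:
    """Scalar shift a' = a + r mod L used in random self-reducibility arguments."""
    return (a + r) % L


def clamping_survives_shift(seed: bytes, r: int) -> bool:
    """Does the shifted scalar still look like an EdDSA key? Always False:
    every clamped scalar is at least 2^254 > L, while a + r mod L is below L."""
    a, _ = expand_secret_key(seed)
    return is_clamped(rerandomize(a, r))


if __name__ == "__main__":
    seed = secrets.token_bytes(32)       # constructed sample seed
    r = secrets.randbelow(L)             # constructed random shift
    a, _ = expand_secret_key(seed)
    print("derived scalar clamped:", is_clamped(a))
    print("shifted scalar clamped:", clamping_survives_shift(seed, r))
```

The second line of output is always False: the clamped scalar space and the uniform scalar space used by the self-reducibility argument are disjoint, which is exactly why the Schnorr results do not transfer to EdDSA as-is.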
Fuchsbauer et al. gave a tight security proof for the Schnorr signature scheme by using the algebraic group model \cite{EC:FucPloSeu20}. They achieved this by using the representation of the commitment together with a forged signature to compute the discrete logarithm of the public key. This approach also looks promising for the EdDSA signature scheme and will be analyzed in this thesis.