224 lines
11 KiB
TeX
224 lines
11 KiB
TeX
% !TeX spellcheck = en_US
|
|
\documentclass[
|
|
a4paper,
|
|
11pt,
|
|
BCOR=6mm,
|
|
footsepline,
|
|
plainfootsepline,
|
|
DIV=12,
|
|
listof=totoc,
|
|
]{scrartcl}
|
|
|
|
\usepackage{thesisstyle}
|
|
\usepackage[noend]{algpseudocodex}
|
|
\usepackage{xcolor}
|
|
\usepackage{tikz}
|
|
\usepackage{multicol}
|
|
\usepackage{tabularx}
|
|
\usepackage[parfill]{parskip}
|
|
\usepackage[urlcolor=blue,hidelinks]{hyperref}
|
|
\usepackage[,hhmmss]{datetime}
|
|
\usepackage{float}
|
|
\usepackage{xspace}
|
|
\usepackage{mathtools}
|
|
|
|
\newtheorem{lemma}{Lemma}[section]
|
|
\newtheorem{theorem}{Theorem}[section]
|
|
\newtheorem{definition}{Definition}[section]
|
|
|
|
\begin{document}
|
|
\include{macros.tex}
|
|
|
|
\thispagestyle{empty}
|
|
|
|
|
|
\begin{center}
|
|
\textbf{\huge{\vspace{3em}\\
|
|
A formal Security Analysis of the EdDSA Signature Scheme
|
|
\vspace{3mm}
|
|
}}
|
|
|
|
\end{center}
|
|
|
|
\vspace{4em}
|
|
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics{Logo_RUB_BLAU_4c}
|
|
\end{figure}
|
|
|
|
\vspace{4em}
|
|
|
|
\begin{center}\textbf{
|
|
{\Large{Ruhr-Universität Bochum\\}}
|
|
\vspace{2em}
|
|
{\large{Fakultät für Mathematik\\
|
|
\vspace{1em}
|
|
Lehrstuhl für Kryptographie}}\\
|
|
}
|
|
\vspace{8em}
|
|
{\Large{\textbf{
|
|
Masterarbeit
|
|
}}}\\
|
|
\vspace{1em}
|
|
{\textbf{von}}\\
|
|
\vspace{1em}
|
|
{\large\textbf{
|
|
Aaron Kaiser
|
|
}}\\
|
|
\end{center}
|
|
\newpage
|
|
|
|
\thispagestyle{empty} \newpage\
|
|
\thispagestyle{empty} \newpage\
|
|
|
|
|
|
|
|
\begin{abstract}
|
|
EdDSA is a signature scheme which is widely used in practice due to its high performance. Despite the wide adoption of EdDSA, no tight security proof exists for the signature scheme. The only existing security proof analyzes the signature scheme as a canonical identification scheme onto which the Fiat-Schamir transformation is being applied, yielding a non-tight security proof.
|
|
|
|
In this thesis the security of EdDSA is analyzed, utilizing the random oracel model and the algebraic group model. Using this two methods yields a tight security proof using special variants of the discrete logarithm problem. This variant is the result of the key generation algorithm used in EdDSA. The hardness of this variant of the discrete logarithm problem is then analyzed in the generic group model.
|
|
|
|
In addition a proof in the single-user setting, a proof in the multi-user setting is also performed. This proof uses a variant of the one-more discrete logarithm, also because of the key generation algorithm.
|
|
|
|
Finally, it is shown that Ed25519 - one widely used instantiation of EdDSA - provides 125 bit security in the single-user setting and 124 bit of security in the multi-user setting. Ed448 - also a widely used instantiation of EdDSA - provides 221 bits of security in the single-user setting and 220 bits of security in the multi-user setting.
|
|
|
|
\end{abstract}
|
|
|
|
\newpage
|
|
|
|
\thispagestyle{empty} \newpage\
|
|
\thispagestyle{empty} \newpage\
|
|
|
|
\setcounter{tocdepth}{2}
|
|
\tableofcontents %Inhaltsverzeichnis
|
|
|
|
\thispagestyle{empty} \newpage\
|
|
\thispagestyle{empty} \newpage\
|
|
|
|
%Hauptteil der Arbeit
|
|
|
|
\input{sections/introduction}
|
|
|
|
\input{sections/related_work}
|
|
|
|
\input{sections/preliminaries}
|
|
|
|
\input{sections/eddsa}
|
|
|
|
\section{The Security of EdDSA in a Single-User Setting}
|
|
|
|
This section takes a closer look at the single-user security of the EdDSA signature scheme. This is done by showing the SUF-CMA and EUF-CMA security of EdDSA with different styles of signature parsing. The security based on the \sdlog assumption. The \sdlog assumption is a variation of the original discrete logarithm problem, which takes the key clamping during the key generation algorithm of EdDSA into account.
|
|
|
|
The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
|
|
|
|
\begin{theorem}[Security of EdDSA with strict parsing in the single-user setting]
|
|
\label{theorem:eddsa_sp_su}
|
|
Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
|
|
|
|
\[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
|
|
\end{theorem}
|
|
|
|
\begin{theorem}[Security of EdDSA with lax parsing in the single-user setting]
|
|
\label{theorem:eddsa_lp_su}
|
|
Let $\adversary{A}$ be an adversary against the EUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
|
|
|
|
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
|
|
\end{theorem}
|
|
|
|
The proof begins by showing that the EUF-NMA security of EdDSA implies the SUF-CMA/EUF-CMA security of EdDSA with different types of parsing, in the random oracle model. With this step, subsequent proofs can be performed without worrying about signature generation, and a unified chain of reduction can be used to prove the security of EdDSA with both parsing variants. Next, an algebraic intermediate game \igame is introduced. This intermediate game serves as a separation for proofs in the random oracle model and those in the algebraic group model. Finally, the intermediate game \igame is reduced to the special discrete logarithm variant \sdlog.
|
|
|
|
The chain of reductions can be depicted as:
|
|
|
|
\[ \sdlog \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} / \text{EUF-CMA}_{\text{EdDSA lp}} \]
|
|
|
|
\input{sections/security_of_eddsa/uf-nma_implies_suf-cma}
|
|
\input{sections/security_of_eddsa/gamez_implies_uf-nma}
|
|
\input{sections/security_of_eddsa/dlog'_implies_gamez}
|
|
|
|
By combining the loss of advantage during all of the proofs above, combined with the loss introduced by EdDSA', a proof for theorem \ref{theorem:eddsa_sp_su} and \ref{theorem:eddsa_lp_su} is obtained.
|
|
|
|
\section{The Security of EdDSA in a Multi-User Setting}
|
|
|
|
Now that the single-user security of EdDSA got analyzed, we can take a look at its multi-user security. A common approach for Schnorr-like signature schemes is to show it using the random self-reducibility property of the canonical identification scheme as done in \cite{C:KilMasPan16}. This approach does not work with the EdDSA signature scheme as the underlying identification scheme does not have this random self-reducibility property, since the reduction is not able to rerandomize a public key in a way preserving the distribution of the key generation algorithm. This is due to the fact that valid secret scalar always has to have the n-th bit set.
|
|
|
|
Therefore, a similar approach to the proof in the single-user setting is used. It is not possible to reduce onto the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$, which was needed for the discrete logarithm of the public key to be calculated. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used, as introduced in \cite{JC:BNPS03}.
|
|
|
|
The proof starts by showing that the MU-EUF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the MU-EUF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption.
|
|
|
|
The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
|
|
|
|
\begin{theorem}[Security of EdDSA with strict parsing in the multi-user setting]
|
|
\label{theorem:eddsa_sp_mu}
|
|
Let $\adversary{A}$ be an adversary against the MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
|
|
|
|
\[ \advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
|
|
\end{theorem}
|
|
|
|
\begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting]
|
|
\label{theorem:eddsa_lp_mu}
|
|
Let $\adversary{A}$ be an adversary against the MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
|
|
|
|
\[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
|
|
\end{theorem}
|
|
|
|
The chain of reductions can be depicted as:
|
|
|
|
\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} MU-\cma_{\text{EdDSA sp}} / \text{MU-EUF-CMA}_{\text{EdDSA lp}} \]
|
|
|
|
\input{sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma}
|
|
\input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma}
|
|
\input{sections/mu_security_of_eddsa/omdl'_implies_mu-gamez}
|
|
|
|
By combining the loss of advantage during all of the proofs above, combined with the loss introduced by EdDSA', a proof for theorem \ref{theorem:eddsa_sp_mu} and \ref{theorem:eddsa_lp_mu} is obtained.
|
|
|
|
\input{sections/edggm}
|
|
|
|
\input{sections/concrete_security}
|
|
|
|
\input{sections/conclusion}
|
|
|
|
\newpage
|
|
|
|
\addcontentsline{toc}{section}{References}
|
|
\bibliographystyle{ieeetr}
|
|
\bibliography{cryptobib/abbrev0,cryptobib/crypto,./citation}
|
|
|
|
\newpage\
|
|
|
|
|
|
\newpage\
|
|
|
|
|
|
|
|
\section*{Ehrenwörtliche Erklärung}
|
|
\selectlanguage{ngerman}
|
|
\addcontentsline{toc}{section}{Ehrenwörtliche Erklärung}
|
|
|
|
\noindent
|
|
Hiermit versichere ich,
|
|
%Name
|
|
Aaron Kaiser
|
|
wohnhaft
|
|
%Adresse
|
|
Universitätsstr. 110, 44799 Bochum, dass ich die vorliegende Arbeit selbstständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel benutzt habe,
|
|
dass alle Stellen der Arbeit, die wörtlich oder sinngemäß aus anderen Quellen übernommen wurden, als solche kenntlich gemacht sind und dass die Arbeit in gleicher
|
|
oder ähnlicher Form noch keiner Prüfungsbehörde vorgelegt wurde.
|
|
|
|
\vspace{4\baselineskip}
|
|
|
|
|
|
\noindent
|
|
%Ort
|
|
Bochum,
|
|
\today\hspace{5.19625cm}\underline{\hspace{5.9cm}}\\
|
|
\phantom{\hspace{11.5cm}}{\small{
|
|
%Name
|
|
Aaron Kaiser
|
|
}}
|
|
|
|
\newpage\
|
|
\thispagestyle{empty}
|
|
|
|
\end{document}
|