masterthesis/thesis/Abschlussarbeit.tex

% !TeX spellcheck = en_US
\documentclass[
a4paper,
11pt, 
BCOR=6mm,
footsepline,
plainfootsepline,
DIV=12,
listof=totoc,
]{scrartcl}

\usepackage{thesisstyle}
\usepackage[noend]{algpseudocodex}
\usepackage{xcolor}
\usepackage{tikz}
\usepackage{multicol}
\usepackage{tabularx}
\usepackage[parfill]{parskip}
\usepackage[urlcolor=blue,hidelinks]{hyperref}
\usepackage[,hhmmss]{datetime}

\newtheorem{theorem}{Theorem}

\begin{document}
\include{macros.tex}
	
\thispagestyle{empty}


\begin{center}
\textbf{\huge{\vspace{3em}\\
A formal Security Analysis of the EdDSA Signature Scheme
\vspace{3mm}
}}

\end{center}

\vspace{4em}

\begin{figure}[h]
\centering
\includegraphics{Logo_RUB_BLAU_4c} 
\end{figure}

\vspace{4em}

\begin{center}\textbf{
{\Large{Ruhr-Universität Bochum\\}}
\vspace{2em}
{\large{Fakultät für Mathematik\\
\vspace{1em}
Lehrstuhl für Kryptographie}}\\
}
\vspace{8em}
{\Large{\textbf{
Masterarbeit
}}}\\
\vspace{1em}
{\textbf{von}}\\    
\vspace{1em}
{\large\textbf{
Aaron Kaiser\\
% TODO: remove compiletime notice
Compiled on \today\ at \currenttime
}}\\
\end{center}
\newpage

\thispagestyle{empty} \newpage\
\thispagestyle{empty} \newpage\



\begin{abstract}
 
abstract

\end{abstract}

\newpage

\thispagestyle{empty} \newpage\
\thispagestyle{empty} \newpage\

\setcounter{tocdepth}{2}
\tableofcontents %Inhaltsverzeichnis

\thispagestyle{empty} \newpage\
\thispagestyle{empty} \newpage\

%Hauptteil der Arbeit 

\section{Introduction}

Ed25519 is a signature scheme introduced by Bernstein, Duif, Lange, Schwabe, and Yang in 2012 \cite{JCEng:BDLSY12}. Ed25519 is a signature scheme defined for the Ed25519 twisted Edwards curve. In 2015 the paper "EdDSA for more curves" expanded the Ed25519 signature scheme to the more general EdDSA signature scheme \cite{EPRINT:BJLSY15}. Due to its high performance the EdDSA signature scheme is very popular and widely used in applications like TLS, SSH and the Signal protocol.

Despite the wide use of EdDSA there is little security analysis of this signature scheme. The EdDSA signature scheme is based on the Schnorr signature scheme, which uses the Fiat-Schamir transformation to create a signature scheme from a secure identification scheme. Even though the EdDSA scheme is close to the original Schnorr signature scheme the standard security proof of the Schnorr signature scheme does not apply. The paper "The Provable Security of Ed25519: Theory and Practice" by Brendel et al. shows the security of Ed25519 by extracting the underlying identification scheme and proofing the security of this scheme as well as the applied Fiat-Schamir transformation \cite{SP:BCJZ21}. Due to the use of the Reset Lemma this yields a non-tight security proof of the Ed25519 signature scheme.

This work uses a different approach to proof the security of the EdDSA signature scheme by using the Algebraic Group Model (AGM) to directly reduce the security of EdDSA signature scheme to a special variant of the discrete logarithm problem. This approach yields a tight security proof.

%TODO: result of thesis
TODO

\raggedbottom

\newpage
\section{Related Work}

\section{Notation}

\section{Preliminaries}

\subsection{Schnorr Signatures}

\subsection{Edwards Curves}

\subsection{Security Notions}

\subsubsection{Digital Signature Scheme}



\subsubsection{\cma}

\cma is a security notion for digital signature schemes. In this game the attacker is given access to a \Osign oracle, which generates valid signatures for arbitrary messages. The attacker wins the game if he is able to provide a message signature pair which is valid and was not generated by the \Osign oracle. The security game is depicted in figure \ref{game:cma}.

Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \cma secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\cma}(k)$ is negligible in $\secparamter$.

\[ \advantage{SIG,\adversary{A}}{\cma}(\secparamter) \assign \prone{\cma^{\adversary{A}}} \leq \epsilon \]

\begin{figure}
	\hrule
	\begin{multicols}{2}
		\normalsize
		\begin{algorithmic}[1] 
			\State \underline{\game \cma}
			\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
			\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
			\State \Return $\verify(\pubkey, \m^*, \signature^*) = 1 \wedge (\m^*, \signature^*) \notin M$
		\end{algorithmic}
		\columnbreak
		\begin{algorithmic}[1] 
			\Procedure{Sign}{$\m$}
			\State $\signature \randomassign \sign(\privkey, \m)$
			\State $M \assign M \cup \{(\m, \signature)\}$
			\State \Return $\signature$
			\EndProcedure
		\end{algorithmic}
	\end{multicols}
	\hrule
	\caption{\cma Security Game}
	\label{game:cma}
\end{figure}

\subsection{Random Oracle Model (ROM)}

\subsection{Algebraic Group Model (AGM)}

\subsection{Generic Group Model (GGM)}

\newpage
\section{EdDSA Signatures}

% TODO: Referenz zum ersten Paper 2011 oder lieber zum journal paper 2012?

This section takes a closer look at the existing specifications of the EdDSA signature scheme and specifies a version which will be analyzed in this thesis.

This work will take a closer look at the \cma security of the EdDSA signature scheme. EdDSA was introduced as the Ed25519 signature scheme using the twisted Edwards curve Edwards25519, which is birationally equivalent to the Weierstrass curve Curve25519 \cite{JCEng:BDLSY12}. Later in 2015 the paper "EdDSA for more Curves" by Bernstein et al. introduces a more general version of EdDSA \cite{EPRINT:BJLSY15}. The paper also introduces a variant of EdDSA using prehashing. The RFC 8032 "Edwards-Curve Digital Signature Algorithm (EdDSA)" from 2017 specifies a version of EdDSA with the inclusion of an additional input parameter \textit{context} for the \sign and \verify procedure \cite{josefsson_edwards-curve_2017}. This version was also included into the FIPS 186-5 "Digital Signature Standard (DSS)" standard \cite{moody_digital_2023}. 

In the prehashing variant of EdDSA the signature is calculated on the hash value of the message. The message is used twice during the generation of the signature. Thus the message needs to be buffered or transmitted twice during the generation of the signature. Therefore the prehashing variant offers an performance advantage on memory and bandwidth constraint devices. The context is an additional input parameter which has to be equal during generation and verification of the signature and is used to bind the signature to a given context.

Figure \ref{fig:eddsa} defines the EdDSA signature scheme. In this version the prehashing of the message is ommited since the main security proof will focus on the EdDSA version without prehashing. In this case the prehash function $H'(\inp)$ is the identity function. After proofing the security of the EdDSA signature scheme without prehashing it will be shown that EdDSA with prehashing is equally as secure assuming collision resistence of the prehash function $H'(\inp)$. 

\subsection{EdDSA Parameter}

The generic version of EdDSA from the "EdDSA for more Curves" paper, the RFC 8032 and the FIPS 186-5 standard is parameterized by the following 11 parameters \cite{EPRINT:BJLSY15} \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}.

The list of the parameters can be found in table \ref{tab:parameter}.

The encoding function is assumed to be unambiguous. With each point on the twisted Edwards curve having exactly one bitstring representing that point and invalid bitstring being rejected during decoding of the point.

\subsection{Differences from Schnorr Signatures}

As already pointed out in \cite{SP:BCJZ21} there are some minor differences from traditional Schnorr signature which prevent already existing proofs of the Schnorr signature scheme to be applied to EdDSA. This section points out the differences of the EdDSA signature scheme from traditional Schnorr signature scheme.

\subsubsection{Group Structure}

The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edwards curves always have a cofactor of at least 4. Traditional Schnorr signatures are constructed over a prime order field. Since there is no explicit check that points provided to the verify procedure resides in the prime order subgroup the standard proof of Schnorr signature schemes does not apply.

\subsubsection{Private Key Clamping}

\subsubsection{Key Prefixing}

\subsubsection{Deterministic Nonce Generation}

% TODO: Ist das ok hier einfach zu kopieren?
\begin{center}
	\begin{table}[t]
		\centering
		\begin{tabularx}{\textwidth}{@{}lX@{}}
			\textbf{Parameter} & \textbf{Description} \\
			\hline
			$q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\field{q}$. \\
			$b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\
			$Enc(\inp)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\
			$H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\
			$c$ & The cofactor of the twisted Edwards curve. \\
			$n$ & The number of bits used for the secret scalar of the public key. \\
			$a, d$ & The curve parameter of the twisted Edwards curve. \\
			$B$ & A generator point of the prime order subgroup of $E$. \\
			$L$ & The order of the prime order subgroup. \\
			$H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure.
		\end{tabularx}
	\caption{Parameter of the EdDSA signature scheme}
	\label{tab:parameter}
	\end{table}
\end{center}



\begin{figure}
	\hrule
	\begin{multicols}{3}
		\scriptsize
		\begin{algorithmic}[1] 
			\Procedure{KeyGen}{}
			\State $k \randomsample \{0,1\}^b$
			\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
			\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
			\State $A \assign sB$
			\State \Return (\encoded{$A$}, $k$)
			\EndProcedure
		\end{algorithmic}
		\columnbreak
		\begin{algorithmic}[1] 
			\Procedure{Sign}{$k$, $m$}
			\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
			\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
			\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | b_{2b-1} | m)$
			\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
			\State $R \assign rB$
			\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
			\State \Return $\sigma \assign (\encoded{R}, S)$
			\EndProcedure
		\end{algorithmic}
		\columnbreak
		\begin{algorithmic}[1] 
			\Procedure{Verify}{$\encoded{A}, \sigma \assign (\encoded{R}, S), m$}
			\State \Return $2^c SB \\= 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
			\EndProcedure
		\end{algorithmic}
	\end{multicols}
	\hrule
	\caption{Generic description of the algorithms \keygen, \sign and \verify used by the EdDSA signature scheme}
	\label{fig:eddsa}
\end{figure}

\subsection{Replacing Hash Function Calls}

To make working with the random oracle easier in the following proofs some calls to the hash function are being replaced with calls to a pseudo random generator and a pseudo random function. After that it will be shown that the advantage winning the \cma game of both versions of the signature scheme is roughly the same.


\newpage

\section{The Security of EdDSA in a Single-User Setting}

This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:sdlog} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA.

The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next a intermediate game is introduced onto which the UF-NMA securtiy of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of DLog.

The chain of reductions can be depicted as:

\[ \sdlog => \igame => UF-NMA_{EdDSA} => \cma_{EdDSA} \]

\subsection{UF-NMA $=>$ \cma (ROM)}

% TODO: "intuition for the proof" vs. "intuition of the proof"?
This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof.

\paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key. 

The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the structure of a canonical identification scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment, challenge and secret key. The signature is the tuple of commitment and response. 

To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the choosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message.

\paragraph{Formal Proof}

\subsection{\igame $=>$ UF-NMA (ROM)}

This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.

\begin{figure}
	\hrule
	\begin{multicols}{2}
		\large
		\begin{algorithmic}[1] 
			\Statex \underline{\game \igame}
			\State \quad $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
			\State \quad $\groupelement{A} \assign a \groupelement{B}$
			\State \quad $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$	
			\State \quad \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$		
		\end{algorithmic}
		\columnbreak
		\begin{algorithmic}[1] 
			\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
			\State \quad $chall_i \randomsample \{0,1\}^{2b}$
			\State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$
			\State \quad \Return $chall_i$
		\end{algorithmic}
	\end{multicols}
	\hrule
	\caption{\igame}
	\label{game:igame}
\end{figure}

\include{sections/security_of_eddsa/dlog'_implies_gamez}


\newpage
\section{The Security of EdDSA in a Multi-User Setting}

\section{The Ed-GGM}

\subsection{Bounds on \sdlog} \label{sec:sdlog}

\subsection{Bounds on OMDlog'}

\section{Concrete Security of EdDSA}

\section{Conclusion}

\newpage

\addcontentsline{toc}{section}{References}
\bibliographystyle{ieeetr}
\bibliography{cryptobib/abbrev0,cryptobib/crypto,./citation}

\newpage\


\newpage\



\section*{Ehrenwörtliche Erklärung}
\selectlanguage{ngerman}
\addcontentsline{toc}{section}{Ehrenwörtliche Erklärung}

\noindent
Hiermit versichere ich, 
%Name
wohnhaft 
%Adresse
dass ich die vorliegende Arbeit selbstständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel benutzt habe,
dass alle Stellen der Arbeit, die wörtlich oder sinngemäß aus anderen Quellen übernommen wurden, als solche kenntlich gemacht sind und dass die Arbeit in gleicher 
oder ähnlicher Form noch keiner Prüfungsbehörde vorgelegt wurde.

\vspace{4\baselineskip}


\noindent
%Ort
\today\hspace{5.19625cm}\underline{\hspace{5.9cm}}\\
\phantom{\hspace{11.5cm}}{\small{
%Name
}}

\newpage\
\thispagestyle{empty}

\end{document}