masterthesis/thesis/sections/introduction.tex
2023-05-25 09:12:14 +02:00

\section{Introduction}
The EdDSA signature scheme was first introduced in 2011 by Bernstein, Duif, Lange, Schwabe and Yang, instantiated as Ed25519 using the Edwards25519 twisted Edwards curve \cite{CHES:BDLSY11}. In 2015 Bernstein et al. published a follow-up paper that introduced a more general version of the EdDSA signature scheme \cite{EPRINT:BJLSY15}. Due to its high performance and small signature size, the EdDSA signature scheme is very popular and widely used in applications such as TLS, SSH and the Signal protocol. From these papers came standards such as RFC 8032 \cite{josefsson_edwards-curve_2017} and FIPS 186-5 \cite{moody_digital_2023}.
The original paper focused on the performance of the signature scheme and did not provide a formal security analysis. EdDSA is closely related to the Schnorr signature scheme, but it contains modifications that make the security proof of the Schnorr signature scheme inapplicable to EdDSA. Schnorr signature schemes are derived from a canonical identification scheme to which the Fiat-Shamir transformation is applied.
The desired security notions for a signature scheme are EUF-CMA or SUF-CMA security. These notions require that no adversary, given valid signatures on messages of its choice, is able to produce a forgery. EUF-CMA requires the forgery to be a signature for a message for which the adversary has not obtained a valid signature, whereas SUF-CMA also counts as a valid forgery any message-signature pair that was not provided to the adversary, including a new signature for a message that was already signed.
In 2020, Brendel et al. showed in the paper "The Provable Security of Ed25519: Theory and Practice" that Ed25519 satisfies EUF-CMA and SUF-CMA security, depending on which standard is used \cite{SP:BCJZ21}. They did this by extracting the underlying canonical identification scheme, proving its security, and then proving the security of the constructed signature scheme. Due to the use of the reset lemma, the provided security proof is not tight.
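As an added illustration (not code from the thesis or from the cited papers) of why the SUF-CMA result depends on the standard: a constructed, minimal pure-Ed25519 implementation in which the verifier either enforces the RFC 8032 range check $S < L$ or, modelled by \texttt{strict=False}, omits it. Without the check, the pair $(R, S + L)$ is accepted as a second valid signature for the same message and key, which is harmless for EUF-CMA but is exactly the kind of forgery SUF-CMA counts; the names \texttt{enc}, \texttt{dec}, \texttt{mul} and \texttt{malleate} are our own.

```python
import hashlib
# Constructed, minimal pure Ed25519 (RFC 8032) in affine coordinates, for illustration only:
# variable-time arithmetic, not for production. Names (enc, dec, mul, malleate) are our own.
q = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point B
inv = lambda x: pow(x, q - 2, q)
d = -121665 * inv(121666) % q                         # curve constant
I = pow(2, (q - 1) // 4, q)                           # sqrt(-1) mod q
def xrecover(y):                                      # even x with -x^2 + y^2 = 1 + d x^2 y^2
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q: x = x * I % q
    return q - x if x & 1 else x
B = (xrecover(4 * inv(5) % q), 4 * inv(5) % q)
def add(P, Q):                                        # twisted Edwards addition (a = -1)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q, (y1 * y2 + x1 * x2) * inv(1 - t) % q)
def mul(P, e):                                        # double-and-add; [e]B = [e mod L]B
    R = (0, 1)
    for bit in bin(e)[2:]:
        R = add(R, R)
        if bit == '1': R = add(R, P)
    return R

def enc(P): return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, 'little')
def dec(s):
    v = int.from_bytes(s, 'little'); y = v & ((1 << 255) - 1); x = xrecover(y)
    return (q - x, y) if (x & 1) != (v >> 255) else (x, y)
def hint(m): return int.from_bytes(hashlib.sha512(m).digest(), 'little')
def secret_scalar(sk):                                # clamped scalar a and nonce prefix
    h = hashlib.sha512(sk).digest()
    return (int.from_bytes(h[:32], 'little') & ((1 << 254) - 8)) | (1 << 254), h[32:]
def publickey(sk): return enc(mul(B, secret_scalar(sk)[0]))

def sign(sk, m):
    a, prefix = secret_scalar(sk); pk = publickey(sk)
    r = hint(prefix + m) % L; Rb = enc(mul(B, r))
    S = (r + hint(Rb + pk + m) * a) % L
    return Rb + S.to_bytes(32, 'little')

def verify(pk, m, sig, strict=True):
    """RFC 8032 check [S]B == R + [H(R,A,m)]A; strict=False models a verifier omitting S < L."""
    R, A = dec(sig[:32]), dec(pk); S = int.from_bytes(sig[32:], 'little')
    if strict and S >= L: return False
    return mul(B, S) == add(R, mul(A, hint(sig[:32] + pk + m)))

def malleate(sig):                                    # same R, S' = S + L: a second encoding
    S = int.from_bytes(sig[32:], 'little')
    return sig[:32] + (S + L).to_bytes(32, 'little')
```

The RFC 8032 test vector for an empty message reproduces under \texttt{sign}; the strict verifier rejects the malleated signature while the lax one accepts it.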
Tight security proofs are desirable because they provide a better approximation of the bit security of a signature scheme when instantiated with concrete primitives (such as groups or hash functions). A better approximation means that smaller parameters (such as the size of the group) suffice for a given target bit security. With tighter security proofs, smaller primitives can therefore be used to achieve the same level of security, and smaller primitives often result in more efficient cryptographic schemes.
This thesis achieves a tight security proof by using the algebraic group model to show the relationship between the EUF/SUF-CMA security of different versions of the EdDSA signature scheme and the discrete logarithm problem. By directly reducing the EUF/SUF-CMA security of the EdDSA signature scheme to the discrete logarithm problem, a tight security proof can be achieved, since the reset lemma is not needed in this approach.
Another important property of a signature scheme is its multi-user security. In practical applications of a signature scheme, not only one user is involved, but many users, each of whom has their own key pair. Most of the time an adversary is satisfied with compromising one of the users. This raises the question of whether an adversary gains an advantage in compromising a single user when it is provided with many public keys and can request signatures under any of them.
The main contributions of this thesis are the following:
\begin{enumerate}
\item Providing the first tight security proof for EdDSA in the single-user setting.
\item Providing the first tight security proof for EdDSA in the multi-user setting.
\item Showing the actual bit security of several widely used instantiations of the EdDSA signature scheme.
\end{enumerate}