masterthesis/thesis/Abschlussarbeit.tex

% !TeX spellcheck = en_US
\documentclass[
a4paper,
11pt, 
BCOR=6mm,
footsepline,
plainfootsepline,
DIV=12,
listof=totoc,
]{scrartcl}

\usepackage{thesisstyle}
\usepackage[noend]{algpseudocodex}
\usepackage{xcolor}
\usepackage{tikz}
\usepackage{multicol}
\usepackage{tabularx}
\usepackage[parfill]{parskip}
\usepackage[urlcolor=blue,hidelinks]{hyperref}
\usepackage[,hhmmss]{datetime}
\usepackage{float}
\usepackage{xspace}

\newtheorem{lemma}{Lemma}[section]
\newtheorem{theorem}{Theorem}[section]
\newtheorem{definition}{Definition}[section]

\begin{document}
\include{macros.tex}
	
\thispagestyle{empty}


\begin{center}
\textbf{\huge{\vspace{3em}\\
A formal Security Analysis of the EdDSA Signature Scheme
\vspace{3mm}
}}

\end{center}

\vspace{4em}

\begin{figure}[h]
\centering
\includegraphics{Logo_RUB_BLAU_4c} 
\end{figure}

\vspace{4em}

\begin{center}\textbf{
{\Large{Ruhr-Universität Bochum\\}}
\vspace{2em}
{\large{Fakultät für Mathematik\\
\vspace{1em}
Lehrstuhl für Kryptographie}}\\
}
\vspace{8em}
{\Large{\textbf{
Masterarbeit
}}}\\
\vspace{1em}
{\textbf{von}}\\    
\vspace{1em}
{\large\textbf{
Aaron Kaiser\\
% TODO: remove compiletime notice
Compiled on \today\ at \currenttime
}}\\
\end{center}
\newpage

\thispagestyle{empty} \newpage\
\thispagestyle{empty} \newpage\



\begin{abstract}
 
abstract

\end{abstract}

\newpage

\thispagestyle{empty} \newpage\
\thispagestyle{empty} \newpage\

\setcounter{tocdepth}{2}
\tableofcontents %Inhaltsverzeichnis

\thispagestyle{empty} \newpage\
\thispagestyle{empty} \newpage\

%Hauptteil der Arbeit 

\input{sections/introduction}

\input{sections/related_work}

\input{sections/preliminaries}

\input{sections/eddsa}

\section{The Security of EdDSA in a Single-User Setting}

This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:sdlog} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA.

The proof starts by showing that the UF-NMA security of EdDSA implies \cma / EUF-CMA security of EdDSA in the Random Oracle Model. Whether EdDSA is \cma or EUF-CMA secure is decided by how the integer $S$ is decoded during the verification of the Signature. The use of strict parsing ensures \cma security while the use of lax parsing only guaranties EUF-CMA security. This will be further analyzed in the security proof. Next an intermediate game is introduced onto which the UF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of the discrete logarithm problem.

The chain of reductions can be depicted as:

\[ \sdlog \Rightarrow \igame \Rightarrow \text{UF-NMA} \Rightarrow \cma_{\text{EdDSA with strict parsing}} / \text{EUF-CMA}_{\text{EdDSA with lax parsing}} \]

\input{sections/security_of_eddsa/uf-nma_implies_suf-cma}
\input{sections/security_of_eddsa/gamez_implies_uf-nma}
\input{sections/security_of_eddsa/dlog'_implies_gamez}


\section{The Security of EdDSA in a Multi-User Setting}

% TODO: citation: as introduced in ... (paper name or not?)
In this section the multi-user security of the EdDSA signature scheme will be analyzed. A common approach for Schnorr-like signature schemes is to show it via the Random Self-reducibility property of the canonical identification scheme as done in \cite{C:KilMasPan16}. This approach does not work with the EdDSA signature scheme, since the reduction is not able to rerandomize a public key in a way preserving the distribution of the key generation algorithm. This is due to the fact that valid public key always have to have the n-th bit set. Therefore, a similar approach to the single-user setting is used. It is not possible to reduce the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used as introduced in \cite{JC:BNPS03}.

The proof starts by showing that the MU-UF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the Random Oracle Model. Next an intermediate game is introduced onto which the MU-UF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption.

The chain of reductions can be depicted as:

\[ \somdl \Rightarrow \text{MU-}\igame \Rightarrow \text{MU-UF-NMA} \Rightarrow \text{MU-SUF-CMA} \]

\input{sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma}
\input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma}
\input{sections/mu_security_of_eddsa/omdl'_implies_mu-gamez}

\input{sections/edggm}

\section{Concrete Security of EdDSA}

\section{Conclusion}

\newpage

\addcontentsline{toc}{section}{References}
\bibliographystyle{ieeetr}
\bibliography{cryptobib/abbrev0,cryptobib/crypto,./citation}

\newpage\


\newpage\



\section*{Ehrenwörtliche Erklärung}
\selectlanguage{ngerman}
\addcontentsline{toc}{section}{Ehrenwörtliche Erklärung}

\noindent
Hiermit versichere ich, 
%Name
wohnhaft 
%Adresse
dass ich die vorliegende Arbeit selbstständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel benutzt habe,
dass alle Stellen der Arbeit, die wörtlich oder sinngemäß aus anderen Quellen übernommen wurden, als solche kenntlich gemacht sind und dass die Arbeit in gleicher 
oder ähnlicher Form noch keiner Prüfungsbehörde vorgelegt wurde.

\vspace{4\baselineskip}


\noindent
%Ort
\today\hspace{5.19625cm}\underline{\hspace{5.9cm}}\\
\phantom{\hspace{11.5cm}}{\small{
%Name
}}

\newpage\
\thispagestyle{empty}

\end{document}