masterthesis/thesis/Abschlussarbeit.tex
2023-04-05 12:38:22 +02:00


% !TeX spellcheck = en_US
\documentclass[
a4paper,
11pt,
BCOR=6mm,
footsepline,
plainfootsepline,
DIV=12,
listof=totoc,
]{scrartcl}
\usepackage{thesisstyle}
\usepackage[noend]{algpseudocodex}
\usepackage{xcolor}
\usepackage{tikz}
\usepackage{multicol}
\usepackage{tabularx}
\usepackage[parfill]{parskip}
\usepackage[urlcolor=blue,hidelinks]{hyperref}
\usepackage[hhmmss]{datetime}
\newtheorem{theorem}{Theorem}[section]
\newtheorem{definition}{Definition}[section]
\begin{document}
\include{macros.tex}
\thispagestyle{empty}
\begin{center}
\textbf{\huge{\vspace{3em}\\
A formal Security Analysis of the EdDSA Signature Scheme
\vspace{3mm}
}}
\end{center}
\vspace{4em}
\begin{figure}[h]
\centering
\includegraphics{Logo_RUB_BLAU_4c}
\end{figure}
\vspace{4em}
\begin{center}\textbf{
{\Large{Ruhr-Universität Bochum\\}}
\vspace{2em}
{\large{Faculty of Mathematics\\
\vspace{1em}
Chair for Cryptography}}\\
}
\vspace{8em}
{\Large{\textbf{
Master's Thesis
}}}\\
\vspace{1em}
{\textbf{by}}\\
\vspace{1em}
{\large\textbf{
Aaron Kaiser\\
% TODO: remove compiletime notice
Compiled on \today\ at \currenttime
}}\\
\end{center}
\newpage
\thispagestyle{empty} \newpage\
\thispagestyle{empty} \newpage\
\begin{abstract}
abstract
\end{abstract}
\newpage
\thispagestyle{empty} \newpage\
\thispagestyle{empty} \newpage\
\setcounter{tocdepth}{2}
\tableofcontents % Table of contents
\thispagestyle{empty} \newpage\
\thispagestyle{empty} \newpage\
% Main part of the thesis
\section{Introduction}
Ed25519 is a signature scheme introduced by Bernstein, Duif, Lange, Schwabe, and Yang in 2012 \cite{JCEng:BDLSY12}. It is defined for the Ed25519 twisted Edwards curve. In 2015 the paper ``EdDSA for more curves'' expanded the Ed25519 signature scheme to the more general EdDSA signature scheme \cite{EPRINT:BJLSY15}. Due to its high performance, the EdDSA signature scheme is very popular and widely used in applications like TLS, SSH, and the Signal protocol.
Despite the wide use of EdDSA, there is little security analysis of this signature scheme. The EdDSA signature scheme is based on the Schnorr signature scheme, which uses the Fiat-Shamir transformation to create a signature scheme from a secure identification scheme. Even though the EdDSA scheme is close to the original Schnorr signature scheme, the standard security proof of the Schnorr signature scheme does not apply. The paper ``The Provable Security of Ed25519: Theory and Practice'' by Brendel et al. shows the security of Ed25519 by extracting the underlying identification scheme and proving the security of this scheme as well as of the applied Fiat-Shamir transformation \cite{SP:BCJZ21}. Due to the use of the Reset Lemma, this yields a non-tight security proof of the Ed25519 signature scheme.
This work uses a different approach to prove the security of the EdDSA signature scheme: it uses the Algebraic Group Model (AGM) to directly reduce the security of the EdDSA signature scheme to a special variant of the discrete logarithm problem. This approach yields a tight security proof.
%TODO: result of thesis
TODO
\raggedbottom
\newpage
\section{Related Work}
\section{Notation}
\section{Preliminaries}
\subsection{Schnorr Signatures}
\subsection{Edwards Curves}
\include{sections/security_notions}
\subsection{Random Oracle Model (ROM)}
\subsection{Algebraic Group Model (AGM)}
\subsection{Generic Group Model (GGM)}
\include{sections/eddsa}
\section{The Security of EdDSA in a Single-User Setting}
This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:sdlog} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA.
The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next, an intermediate game is introduced to which the UF-NMA security of EdDSA is reduced. Finally, the security of the intermediate game is reduced to the security of a special version of DLog.
The chain of reductions can be depicted as:
\[ \sdlog \Rightarrow \igame \Rightarrow \mbox{UF-NMA}_{\mathrm{EdDSA}} \Rightarrow \cma_{\mathrm{EdDSA}} \]
\include{sections/security_of_eddsa/uf-nma_implies_suf-cma}
\include{sections/security_of_eddsa/gamez_implies_uf-nma}
\include{sections/security_of_eddsa/dlog'_implies_gamez}
\newpage
\section{The Security of EdDSA in a Multi-User Setting}
\section{The Ed-GGM}
\subsection{Bounds on \sdlog} \label{sec:sdlog}
\subsection{Bounds on OMDlog'}
\section{Concrete Security of EdDSA}
\section{Conclusion}
\newpage
\addcontentsline{toc}{section}{References}
\bibliographystyle{ieeetr}
\bibliography{cryptobib/abbrev0,cryptobib/crypto,./citation}
\newpage\
\newpage\
\section*{Declaration of Honor}
\selectlanguage{ngerman}
\addcontentsline{toc}{section}{Declaration of Honor}
\noindent
I hereby declare,
%Name
residing at
%Address
that I have written the present thesis independently and have used no sources or aids other than those indicated,
that all passages of the thesis taken verbatim or in substance from other sources are marked as such, and that the thesis has not yet been submitted, in the same
or a similar form, to any examination authority.
\vspace{4\baselineskip}
\noindent
%Place
\today\hspace{5.19625cm}\underline{\hspace{5.9cm}}\\
\phantom{\hspace{11.5cm}}{\small{
%Name
}}
\newpage\
\thispagestyle{empty}
\end{document}