Added concrete security
@@ -4,9 +4,9 @@ This section focuses on establishing a lower bound on the hardness of a modified
\begin{theorem}
\label{theorem:sdlog_ggm}
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations. Then,
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\groupqueries$ group operations. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{(\oraclequeries + 3)^2 + 1}{2^{n-1-c}}. \]
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof closely resembles the original proof on the lower bound for the discrete logarithm problem by Shoup \cite{EC:Shoup97}. The initial step involves working with the discrete logarithms of group elements rather than the actual group elements themselves. In the generic group model, this is equivalent as each group element can be uniquely represented by its discrete logarithms with respect to a generating set. For consistency the generating set is denoted as $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$, with $\groupelement{B}$ being the generator of the prime order subgroup and $\groupelement{E_2}$ to $\groupelement{E_m}$ being the generators of the other subgroups. Subsequently, the discrete logarithm in the prime order subgroup is replaced by an indeterminate. By doing this, the discrete logarithm in the prime order subgroup can be chosen after the adversary has provided their solution. As a result, the generic adversary can only guess the discrete logarithm in the prime order subgroup, since it is generated only after the adversary has already submitted their solution. Figure \ref{fig:sdlog_ggm} shows the \sdlog game in the generic group model.
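Review bot: The rename from `\oraclequeries` to `\groupqueries` in the theorem statement and in the displayed bound needs the matching macro definition in the preamble, which is not part of this diff, and any remaining uses of `\oraclequeries` elsewhere in the paper should be switched as well, otherwise the same query count is typeset under two names; a grep for `\oraclequeries` before merging would settle it. Two smaller points in the theorem statement: $n$ is introduced as a positive integer but its role only shows through the denominator $2^{n-1-c}$, so a clause stating that the secret discrete logarithm is drawn from an $n$-bit range (as the proof later does for $a$) would make the statement self-contained; and `(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})` should use `\ldots` instead of a literal `...` inside math mode, both here and in the proof overview.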
@@ -197,9 +197,9 @@ This section focuses on establishing a lower bound on the hardness of a modified
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag is activated. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being activated can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P} \neq P$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\oraclequeries + 3$ many polynomials (one per DL call, and three by encoding the input to the adversary) by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\oraclequeries + 3}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{(\oraclequeries + 3)^2}{2^{n-1-c}}$. For this reason,
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag is activated. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being activated can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P} \neq P$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\groupqueries + 3$ many polynomials (one per DL call, and three by encoding the input to the adversary) by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\groupqueries + 3}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}$. For this reason,
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\oraclequeries + 3)^2}{2^{n-1-c}}. \]
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}. \]
For improved readability, $G_4$ is also depicted in \ref{fig:sdlog_games_ggm_2} by including only the black boxes and excluding all others. The subsequent game-hops are also illustrated in the same figure.
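Review bot: The game index in this paragraph does not match its conclusion: the item is headed $G_4$ and says "$G_4$ terminates if the bad flag is activated", but the displayed inequality bounds $|\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}|$, while the preceding context already states $\prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}$; either the heading should read $G_3$ or the inequality should be between $G_3$ and $G_4$, and the closing sentence "For improved readability, $G_4$ is also depicted in \ref{fig:sdlog_games_ggm_2}" should follow suit (that `\ref` also lacks the word "Figure" in front of it, unlike `Figure \ref{fig:sdlog_ggm}` in the first hunk). Wording and notation in the same paragraph: the lemma is spelled "Schwartz-Zippel" once and "Schwarz-Zippel" once; "$P_i \in \pset{P} \neq P$" would be clearer as "$P_i \in \pset{P}$ with $P_i \neq P$"; "If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$" reads better as "$P^*(a) = 0$ if and only if $P_i(a) = P(a)$"; "less or equal to" should be "at most"; and $\Pr[bad]$ should typeset the flag as `\mathsf{bad}` or similar so it is not rendered as a product of three variables. The arithmetic itself checks out: the sample set $\{2^{n-1}, 2^{n-1} + 2^c, \ldots, 2^n - 2^c\}$ has exactly $2^{n-1-c}$ elements, a nonzero polynomial of degree at most $1$ has at most one root, and $\groupqueries$ queries with at most $\groupqueries + 3$ polynomials each give $\groupqueries(\groupqueries + 3) \leq (\groupqueries + 3)^2$, which matches the theorem's bound once the final $1/2^{n-1-c}$ guessing term is added.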