Added concrete security

2023-06-14 09:16:26 +02:00
parent 941ad86eff
commit 0123162433
6 changed files with 150 additions and 16 deletions

View File

@@ -111,13 +111,13 @@ The two main theorems for the single user security of $\text{EdDSA}_{\text{sp}}$
\begin{theorem}[Security of EdDSA with strict parsing in the single-user setting]
Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\sdlog}(\secparamter) + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
\begin{theorem}[Security of EdDSA with lax parsing in the single-user setting]
Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\sdlog}(\secparamter) + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
The proof begins by showing that the UF-NMA security of EdDSA implies the SUF-CMA/EUF-CMA security of EdDSA with different types of parsing in the random oracle model. With this step, subsequent proofs can be performed without worrying about signature generation, and a unified chain of reduction can be used to prove the security of EdDSA with both parsing variants. Next, an algebraic intermediate game \igame is introduced. This intermediate game serves as a separation for proofs in the random oracle model and those in the algebraic group model. Finally, the intermediate game \igame is reduced to the special discrete logarithm variant \sdlog.
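Review bot: the replacement bound in both theorems (the second display after each hypothesis) now uses \advantage{\curve, n, c, L, \adversary{B}}{\sdlog}, but the hypotheses still only introduce "$\group{G}$ a group of prime order $L$"; $\curve$, $n$ and $c$ are not defined in either theorem statement. Either restate the hypothesis the way the generic-group theorems do ("a twisted Edwards curve $\curve$ with a cofactor of $2^c$ ...") or keep the group-based advantage. Separately, the lax-parsing theorem says "$\adversary{A}$ be an adversary against the SUF-CMA security" while its bound is on $\text{EUF-CMA}$; the hypothesis should say EUF-CMA.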
@@ -147,9 +147,9 @@ The chain of reductions can be depicted as:
\input{sections/edggm}
\section{Concrete Security of EdDSA}
\input{sections/concrete_security}
\section{Conclusion}
\input{sections/conclusion}
\newpage
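Review bot: \section{Concrete Security of EdDSA} and \section{Conclusion} are issued here and again as the first line of the files being \input (sections/concrete_security.tex and sections/conclusion.tex both start with the same \section command), so each heading will appear twice and be numbered twice. Keep the \section in one place only; the surrounding \input lines for the earlier sections suggest the headings belong in this file.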

View File

@@ -16,6 +16,7 @@
\newcommand{\agmgroupelement}[2]{[\groupelement{#1}]_{\overset{\rightharpoonup}{#2}}}
\newcommand{\group}[1]{\mathbb{#1}}
\newcommand{\oraclequeries}{q_o}
\newcommand{\groupqueries}{q_g}
\newcommand{\hashqueries}{q_h}
\newcommand{\test}{\overset{?}{=}}
\newcommand{\ch}{\textbf{ch}}

View File

@@ -0,0 +1 @@
\section{Conclusion}
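Review bot: the new conclusion file contains only the heading, and the same heading is also emitted by the main file before the \input, so as committed this produces an empty, duplicated "Conclusion" section. Either drop the \section here or mark the file as a placeholder with a % TODO so it is not forgotten.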

View File

@@ -0,0 +1,132 @@
\section{Concrete Security of EdDSA}
Now that a security bound on the complexity of an adversary breaking EdDSA has been established the concrete security of the signature scheme can be analyzed. The security level of a cryptographic scheme can be determined by analysing the success ration of an adversary. The success ration of an attacker can be determined by analyzing its success probability and its runtime. The success ration is simply the advantage of an adversary devided by its runtime.
\begin{definition}[Success Ration]
Let adversary $\adversary{A}$ be an adversary with runtime Time($\adversary{A}$) and advantage $\advantage{\adversary{A}}{}$. Its success ration is defined as following:
\[ SR(\adversary{A}) = \frac{\advantage{\adversary{A}}{}}{Time(\adversary{A})}. \]
\end{definition}
With this definition of the success ration the bit security of a cryptographic scheme can be defined.
\begin{definition}[Bit Security]
A cryptographic scheme has $\kappa$ bit security if the success ration of all adversaries with a runtime $Time(\adversary{A}) \leq 2^\kappa$ is upper bounded by $2^{-\kappa}$.
\end{definition}
This definition can be used to calculate the bit security of concrete instantiations of EdDSA. The most popular instantations of EdDSA are Ed25519 and Ed443, as they are also specified in the RFC and the NIST standard.
\subsection{Ed25519}
\begin{theorem}[Ed25519 Bit Security]
\label{theorem:ed25519}
The Ed25519 signature scheme provides 125 bit security in the single-user setting and 124 bit security in the multi-user setting against algebraic adversaries.
\end{theorem}
Ed25519 is one of the most widely used instantiations of EdDSA. According to the RFC it is supposed to provide around 128 bit of security. It uses the twisted Edwards curve Ed25519 and SHA-512 as a hash function \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. This provides the following values, needed to calculate the security level of Ed25519 according to the security proof in this thesis:
\begin{center}
\begin{table}[ht]
\centering
\begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Value} \\
\hline
$b$ & $256$ \\
$n$ & $254$ \\
$c$ & $3$ \\
$L$ & $2^{252}+27742317777372353535851937790883648493$
\end{tabularx}
\caption{Parameter of Ed25519}
\label{tab:ed25519}
\end{table}
\end{center}
\begin{proof}
\item At first the runtime of the adversaries against Ed25519 in the single user setting is analyzed. The success probability of an adversary $\adversary{B}$ in the \sdlog game is $\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} \leq \frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}}$. When instantiated with the values for Ed25519, an adversary $\adversary{B}$ is able to solve the \sdlog game with constant probability after about $2^{125}$ group operations. Therefore, the runtime of the adversary $\adversary{B}$ in the \sdlog game can be upper bounded by $2^{125}$. The runtime of an adversary $\adversary{A}$ against Ed25519 is roughly the same as the adversary $\adversary{B}$ against \sdlog and can therefore also be upper bounded by $2^{125}$. This, together with the advantage of adversary $\adversary{A}$, can be used to upper bound its success ration.
Since the runtime of the adversary is upper bounded by $2^{125}$ the amount of hash quries $\hashqueries$ and group operations $\groupqueries$ can also be upper bounded by $2^{125}$. A reasonable upper bound for the signing quries $\oraclequeries$ is $2^{64}$, as they are online and can not be computed by the adversary in secret. This provides following equation for the success ration:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{125} + 3)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64}}{2^{252} 2^{125}} \\
&\approx 2^{-125} + 2^{-316} + 2^{-189} \\
&\approx 2^{-125}
\end{align*}
This shows that Ed25519 provides $125$ bit security in the single-user setting.
To get a security level in the multi-user setting an upper bound on the number of instances $N$ is needed. In \cite{C:KilMasPan16} Kiltz et al. mentioned that the existance of at lease $N = 2^{30} (\approx 1 \text{ billion})$ public keys can be assumed. For the following calculations the number of instances is assumed to be $N \leq 2^{35}$. An adversary $\adversary{B}$ against \somdl has a constant probability of winning the game after about $2^{125}$ group operations. Hence, its runtime is upper bounded by $2^{125}$. The success ration can then be calculated in the same way as it has been done in the single-user setting.
This provides a success ration of:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{125} + 2^{35} + 2)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64} 2^{35}}{2^{252} 2^{125}} \\
&\approx 2^{-124} + 2^{-316} + 2^{-189} \\
&\approx 2^{-124}
\end{align*}
This shows that Ed25519 provides $124$ bit security in the multi-user setting.
\item This proofs theorem \ref{theorem:ed25519}.
\end{proof}
\subsection{Ed448}
\begin{theorem}[eD448 Bit Security]
\label{theorem:ED448}
The eD448 signature scheme provides 221 bit security in the single-user setting and 220 bit security in the multi-user setting against algebraic adversaries.
\end{theorem}
Another popular instantiation of the EdDSA signature scheme is Ed448. It uses the Ed448 twisted Edwards curve and SHAKE256 as hash function. It is supposed to provide around 224 bits of security and was also standardized by the IETF and NIST \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. The respective standards provide following values:
\begin{center}
\begin{table}[ht]
\centering
\begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Value} \\
\hline
$b$ & $456$ \\
$n$ & $447$ \\
$c$ & $2$ \\
$L$ & $2^{446} - 13818066809895115352007386748515426880336692474882178609894547503885$
\end{tabularx}
\caption{Parameter of Ed448}
\label{tab:ed448}
\end{table}
\end{center}
\begin{proof}
\item This can be used to upper bound the success ration of an adversary $\adversary{A}$ against Ed448. To begin, the runtime of an adversary $\adversary{B}$ against \sdlog is upper bounded, using the values from the Ed448 signature scheme. The adversary $\adversary{B}$ achieves a constant probability of winning the \sdlog game after $2^{223}$ group operations. This also upper bounds its runtime. Now the success ration of adversary $\adversary{A}$ against Ed448 can be calculated as following:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{223} + 3)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} 2^{223} + 2^{64}}{2^{446} 2^{223}} \\
&\approx 2^{-221} + 2^{-455} + 2^{-382} \\
&\approx 2^{-221}
\end{align*}
This shows that Ed448 provides $221$ bit security in the single-user setting.
Now the same is done for the multi-user security of Ed448. This yields following upper bound for the success ration:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{223} + 2^{35} + 2)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} 2^{223} + 2^{64} 2^{35}}{2^{446} 2^{223}} \\
&\approx 2^{-220} + 2^{-445} + 2^{-382} \\
&\approx 2^{-220}
\end{align*}
This shows that Ed448 provides $220$ bit security in the multi-user setting.
\item This proofs theorem \ref{theorem:ED448}.
\end{proof}
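Review bot: the \item commands inside \begin{proof} ... \end{proof} (the lines starting "\item At first", "\item This proofs theorem", "\item This can be used" and the second "\item This proofs theorem") are not inside any list environment, so LaTeX will stop with "Lonely \item". Remove them or wrap the proof steps in the enumerate used by the other proof files. A few arithmetic lines deserve a second look, although none of them change the leading term or the stated bit-security numbers: in the Ed25519 derivations the second term $\frac{2(2^{125} + 1)}{2^{256} 2^{125}}$ is about $2^{-255}$, not $2^{-316}$, and the third term $\frac{2^{64} 2^{125} + 2^{64}}{2^{252} 2^{125}}$ is about $2^{-188}$ rather than $2^{-189}$; in the Ed448 multi-user line the second term should read $2^{-455}$ as in the single-user case, not $2^{-445}$. The multi-user chains write $\advantage{\curve, n, c, L, \adversary{A}}{\somdl}$ while the prose names that adversary $\adversary{B}$. Wording: "ration" should be "ratio" throughout (definition title included), "devided", "instantations", "quries", "existance" and "at lease" are misspelled, "Ed443" and "eD448" should be "Ed448", "This proofs theorem" should be "This proves Theorem", and "Parameter of Ed25519/Ed448" should be "Parameters". Finally, wrapping the table float in \begin{center} has no effect on a float and only adds vertical space; \centering inside the table already does the job.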

View File

@@ -5,9 +5,9 @@ This section provides a lower bound on the hardness of the modified version of t
% TODO: N in theorem
\begin{theorem}
\label{theorem:somdl_ggm}
Let $n$, $N$, $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary receiving $N$ group elements as challenge and making at most $\oraclequeries$ group operations queries. Then,
Let $n$, $N$, $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary receiving $N$ group elements as challenge and making at most $\groupqueries$ group operations queries. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\oraclequeries + N + 2)^2 + 1}{2^{n-1-c}}. \]
\[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof uses the same approach as the discrete logarithm proof in the generic group model by replacing the group elements with polynomials and choosing the challenge after the adversary provided its solution. The tricky part is that the adversary is able to query the discrete logarithms of the $N - 1$ group elements, provided to it as a challenge. The proof starts by replacing all group elements with multivariate polynomials representing their discrete logarithms. The indeterminants of those polynomials are the discrete logarithms of each group element, provided to the adversary as challenges. Once the adversary requests the discrete logarithms for all but one group element of the challenge those discrete logarithms are chosen uniformly at random and all polynomials are partially evaluated. This leaves polynomials with just one indeterminate, representing the discrete logarithm of the last challenge. This challenge is then chosen after the adversary provided its solution, leaving the adversay no option but to guess the remaining discrete logarithm. The \somdl game in the generic group model is depicted in figure \ref{fig:somdl_ggm}.
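Review bot: with $N$ now part of the hypothesis ("Let $n$, $N$, $c$ be positive integers ... receiving $N$ group elements as challenge"), the "% TODO: N in theorem" comment directly above the theorem looks resolved and can be removed in this commit. The rename from \oraclequeries to \groupqueries in the hypothesis and the bound is consistent; "group operations queries" should read "group operation queries".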
@@ -49,7 +49,7 @@ This section provides a lower bound on the hardness of the modified version of t
\paragraph{\underline{Formal Proof}}
\begin{figure}[h]
\begin{figure}[H]
\hrule
\vspace{2mm}
\begin{algorithmic}
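Review bot: the [H] placement specifier only exists with the float package loaded; if the preamble does not already \usepackage{float}, this change will fail to compile. The same applies to the second figure changed further down in this file.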
@@ -127,7 +127,7 @@ This section provides a lower bound on the hardness of the modified version of t
\label{fig:somdl_games_ggm_1}
\end{figure}
\begin{figure}[h]
\begin{figure}[H]
\hrule
\vspace{2mm}
\begin{algorithmic}
@@ -219,9 +219,9 @@ This section provides a lower bound on the hardness of the modified version of t
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\oraclequeries + N + 2$ many polynomials, one per DL query and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\oraclequeries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games,
\item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\groupqueries + N + 2$ many polynomials, one per DL query and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\groupqueries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games,
\[ |\prone{G_3^{\adversary{A}}} - \prone{G_4^{\adversary{A}}}| \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}. \]
\[ |\prone{G_3^{\adversary{A}}} - \prone{G_4^{\adversary{A}}}| \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}. \]
To improve the readability, $G_4$ is also depicted in figure \ref{fig:sdlog_games_ggm_2} by only including the black boxes. The following game-hops are illustrated in the same figure.
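Review bot: the changed $G_4$ paragraph counts "at most $\groupqueries + N + 2$ many polynomials, one per DL query", but $\groupqueries$ now counts group operation queries, so "one per DL query" should say "one per group operation query" (the same wording appears in the sdlog file). Also "Schwart-Zippel" should be "Schwartz-Zippel", and the closing sentence refers to figure \ref{fig:sdlog_games_ggm_2} although the figure labels in this file are of the form fig:somdl_games_ggm_*, so the reference most likely points at the wrong file's figure.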
@@ -235,9 +235,9 @@ This section provides a lower bound on the hardness of the modified version of t
In the case where the adversary did not queried the DL oracle the adversary has no information on any of the discrete logarithms. All polynomials in $\pset{P}$ are in $\field{Z}[N_1, ..., Z_N]$. In this case the Schwartz-Zippel lemma can be applied, since the all discrete logarithms are chosen uniformly at random and the adversary has no information on them, prior to them being chosen.
The probability of $bad_2$ being true can be calculated using the Schwartz-Zippel lemma, as described in the game-hop to $G_4$. With the Union bound over all polynomial pairs in $\pset{P}$ the probability of $bad_2$ being true is $\Pr[bad_2] \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}$. $G_5$ and $G_6$ are identical-until-bad games, therefore:
The probability of $bad_2$ being true can be calculated using the Schwartz-Zippel lemma, as described in the game-hop to $G_4$. With the Union bound over all polynomial pairs in $\pset{P}$ the probability of $bad_2$ being true is $\Pr[bad_2] \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$. $G_5$ and $G_6$ are identical-until-bad games, therefore:
\[ |\prone{G_5^{\adversary{A}}} - \prone{G_6^{\adversary{A}}}| \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}. \]
\[ |\prone{G_5^{\adversary{A}}} - \prone{G_6^{\adversary{A}}}| \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}. \]
\item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of polynomials in the Enc procedure. It is argued that this change is only conceptual. When the evaluation of polynomials is removed, the polynomials are compared directly. Group elements represented by different polynomials are assigned different labels by the challenger. This is equivalent to the original definition as long as different polynomials do not evaluate to the same value, when evaluated with the discrete logarithms. This inconsistency in the simulation can be detected by the adversary when it gets some information on the discrete logarithms. This can either be during the query to the DL oracle or after the adversary provided its solution. In both cases there is an if condition checking for this inconsistency. If such an inconsistency is detected the game aborts. This change is only conceptual, since the different polynomials correspond to different group elements, in the cases where the game does not abort, and since the adversary only sees the labels it cannot detect whether the challenger works with polynomials or concrete discrete logarithms. Hence,
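Review bot: the rename in the $bad_2$ bound matches the theorem statement. In the unchanged context just above, "$\field{Z}[N_1, ..., Z_N]$" is presumably meant to be "$\field{Z}[Z_1, ..., Z_N]$", and "did not queried" should be "did not query"; worth fixing while the paragraph is being touched.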

View File

@@ -4,9 +4,9 @@ This section focuses on establishing a lower bound on the hardness of a modified
\begin{theorem}
\label{theorem:sdlog_ggm}
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations. Then,
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\groupqueries$ group operations. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{(\oraclequeries + 3)^2 + 1}{2^{n-1-c}}. \]
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof closely resembles the original proof on the lower bound for the discrete logarithm problem by Shoup \cite{EC:Shoup97}. The initial step involves working with the discrete logarithms of group elements rather than the actual group elements themselves. In the generic group model, this is equivalent as each group element can be uniquely represented by its discrete logarithms with respect to a generating set. For consistency the generating set is denoted as $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$, with $\groupelement{B}$ being the generator of the prime order subgroup and $\groupelement{E_2}$ to $\groupelement{E_m}$ being the generators of the other subgroups. Subsequently, the discrete logarithm in the prime order subgroup is replaced by an indeterminate. By doing this, the discrete logarithm in the prime order subgroup can be chosen after the adversary has provided their solution. As a result, the generic adversary can only guess the discrete logarithm in the prime order subgroup, since it is generated only after the adversary has already submitted their solution. Figure \ref{fig:sdlog_ggm} shows the \sdlog game in the generic group model.
@@ -197,9 +197,9 @@ This section focuses on establishing a lower bound on the hardness of a modified
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag is activated. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being activated can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P} \neq P$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\oraclequeries + 3$ many polynomials (one per DL call, and three by encoding the input to the adversary) by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\oraclequeries + 3}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{(\oraclequeries + 3)^2}{2^{n-1-c}}$. For this reason,
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag is activated. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being activated can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P} \neq P$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\groupqueries + 3$ many polynomials (one per DL call, and three by encoding the input to the adversary) by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\groupqueries + 3}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}$. For this reason,
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\oraclequeries + 3)^2}{2^{n-1-c}}. \]
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}. \]
For improved readability, $G_4$ is also depicted in \ref{fig:sdlog_games_ggm_2} by including only the black boxes and excluding all others. The subsequent game-hops are also illustrated in the same figure.
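Review bot: the displayed bound after the changed $G_4$ paragraph is written as $|\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}|$, but the paragraph discusses the hop to $G_4$ and the preceding display already covers $G_1$ and $G_2$; the indices should be checked against the game figure so the chain of hops is consistent. In the same paragraph "Schwarz-Zippel" should be "Schwartz-Zippel" (spelled correctly earlier in the sentence), and "one per DL call" should refer to group operation queries now that the bound is in terms of $\groupqueries$.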