used uniform font for sets
This commit is contained in:
@@ -54,7 +54,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||
\State \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\groupelement{R}^*, \ch^*) \in Q$
|
||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A})$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
@@ -70,7 +70,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\Comment{$G_2$}
|
||||
\EndBox
|
||||
\EndBox
|
||||
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||
\State \Return $\ch_i$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
@@ -85,8 +85,8 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\item \paragraph{\underline{AGM}} This proof takes place in the algebraic group model. Meaning that the adversary has to provide a representation along each group element it provides to the reduction. The adversary has to provide an element $\groupelement{R}$, which is an element in the prime order subgroup of the Twisted Edwards curve. Leaving the question whether the representation should be defined relative to the prime order subgroup or the Twisted Edwards curve. The answer to this question is that it is enough to provide the representation relative to the prime order subgroup. The reason for that is shown in the following paragraph.
|
||||
|
||||
The Twisted Edwards curve $\curve$ over the finite field $\field{q}$ is an finite abelian group. Even though the group $\curve$ might not be cyclic the fundamental theorem of finitely generated abelian groups tells us that each finite abelian groups can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. Meaning that $\curve$ can be represented as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Lets recall a well known theorem of algebra:
|
||||
\item \begin{theorem}[\cite{karpfinger_direkte_2021}]
|
||||
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$, following statements are equivalent:
|
||||
\item \begin{theorem}[Characterization of Inner Direct Products \cite{karpfinger_direkte_2021}]
|
||||
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$. Following statements are equivalent:
|
||||
|
||||
\begin{enumerate}[label=(\arabic*)]
|
||||
\item $N_1, ..., N_n \trianglelefteq \group{G}$ and $\group{G} = N_1 \bigotimes ... \bigotimes N_n$.
|
||||
@@ -113,7 +113,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
|
||||
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter). \label{eq:advbsdlog}
|
||||
@@ -126,7 +126,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
|
||||
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||
\State \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q$ \textbf{then}
|
||||
\State \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, \ch^*) \in \pset{Q}$ \textbf{then}
|
||||
\State \quad $abort$
|
||||
\State Let $R^* = r_1 \groupelement{B} + r_2 \groupelement{A}$
|
||||
\State \Return $(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}$
|
||||
@@ -139,7 +139,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\State \textbf{If} $2^c \ch_i \equiv -r_2 \pmod L$ \textbf{then}
|
||||
\State \quad $bad \assign true$
|
||||
\State \quad $abort$
|
||||
\State $Q \assign Q \cup \{ (\agmgroupelement{R_i}{r_i}, \ch_i) \}$
|
||||
\State $\pset{Q} \assign \pset{Q} \cup \{ (\agmgroupelement{R_i}{r_i}, \ch_i) \}$
|
||||
\State \Return $\ch_i$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
|
||||
@@ -19,13 +19,13 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
||||
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
|
||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
||||
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
||||
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||
\State \Return $\ch_i$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
|
||||
@@ -47,7 +47,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||
\State $\groupelement{A} \assign s \groupelement{B}$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
|
||||
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
|
||||
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
@@ -73,7 +73,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | \m]) \pmod L$
|
||||
\EndBox
|
||||
\State $\signature \assign (\encoded{R}, S)$
|
||||
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
||||
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
|
||||
\State \Return $\signature$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
@@ -96,7 +96,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\State \quad $abort$
|
||||
\State $\sum[\encoded{R} | \encoded{A} | \m] = \textbf{ch}$
|
||||
\State $\signature \assign (\encoded{R}, S)$
|
||||
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
||||
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
|
||||
\State \Return $\signature$
|
||||
\EndBox
|
||||
\end{algorithmic}
|
||||
@@ -123,7 +123,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
|
||||
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
\item Finally, Game $G_3$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv_uf-nma}
|
||||
@@ -147,7 +147,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\State \quad $abort$
|
||||
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
|
||||
\State $\signature \assign (\encoded{R}, S)$
|
||||
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
||||
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
|
||||
\State \Return $\signature$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
@@ -178,7 +178,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
|
||||
\subsection{UF-NMA $\Rightarrow$ $\text{EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)}
|
||||
|
||||
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games are the same as in the proof above with the only difference being the win condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin Q$. For this reason this proofs starts at showing the existence of an adversary $\adversary{B}$ breaking UF-NMA security.
|
||||
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games are the same as in the proof above with the only difference being the win condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason this proofs starts at showing the existence of an adversary $\adversary{B}$ breaking UF-NMA security.
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adv2_uf-nma}
|
||||
@@ -213,7 +213,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
|
||||
\State \quad $abort$
|
||||
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
|
||||
\State $\signature \assign (\encoded{R}, S)$
|
||||
\State $Q \assign Q \cup \{\m\}$
|
||||
\State $\pset{Q} \assign \pset{Q} \cup \{\m\}$
|
||||
\State \Return $\signature$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
|
||||
Reference in New Issue
Block a user