used uniform font for sets
@@ -75,7 +75,7 @@ The commitment is chosen as the result of a hash function instead of uniformly a
|
|||||||
\begin{tabularx}{\textwidth}{@{}lX@{}}
|
\begin{tabularx}{\textwidth}{@{}lX@{}}
|
||||||
\textbf{Parameter} & \textbf{Description} \\
|
\textbf{Parameter} & \textbf{Description} \\
|
||||||
\hline
|
\hline
|
||||||
$q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\field{q}$. \\
|
$q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\mathbb{F}_{q}$. \\
|
||||||
$b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\
|
$b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\
|
||||||
$Enc(\inp)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\
|
$Enc(\inp)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\
|
||||||
$H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\
|
$H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\
|
||||||
@@ -203,7 +203,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
|||||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||||
\State $A \assign sB$
|
\State $A \assign sB$
|
||||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
|
||||||
\State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
|
\State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
@@ -226,7 +226,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
|||||||
\State $R \assign rB$
|
\State $R \assign rB$
|
||||||
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
|
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
|
||||||
\State $\signature \assign (\encoded{R}, S)$
|
\State $\signature \assign (\encoded{R}, S)$
|
||||||
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
|
||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
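Review bot: The parameter-table change replaces the semantic macro `\field{q}` with raw `\mathbb{F}_{q}`, while the AGM section in this same commit still writes `\field{q}`; the commit's stated goal of a uniform font for sets is better served by keeping `$\field{q}$` here and adjusting the macro once in the preamble. The game in the second hunk also writes the public key and generator as bare `$A$` and `$B$` (`$A \assign sB$`, `\adversary{A}^{H(\inp), \sign(\inp)}(A)`), whereas every other game in this commit uses `\groupelement{A}` and `\groupelement{B}`, and the signing oracle writes the message as bare `m` in `S \assign (r + sH(\encoded{R} | \encoded{A} | m))` but as `\m` in the very next `\pset{Q}` update. Suggest `\State $\groupelement{A} \assign s\groupelement{B}$` and `\m` in the hash input so the notation matches the other sections. The enclosing `algorithmic` and `multicols` environments start outside the hunk.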
|
|||||||
@@ -21,13 +21,13 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
|||||||
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
||||||
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
||||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\vspace{2mm}
|
\vspace{2mm}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
||||||
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
||||||
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||||
\State \Return $\ch_i$
|
\State \Return $\ch_i$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\hrule
|
\hrule
|
||||||
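Review bot: The rewritten win condition on the `\Return` line still carries a stray `\in` before the colon (`i \in \{1,2,...,N\} \in :`), which typesets as a dangling membership symbol; the same condition in the \somdl section reads `i \in \{1,2,...,N\}:`. Suggest `\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$`. Since this commit is about uniform notation, the oracle header's `\groupelement{R_i}` and the set update's `\groupelement{R}_i` should also agree on whether the index sits inside or outside the macro, and `s^* \randomsample \adversary{A}^{...}` is the only place an adversary output uses `\randomsample` rather than `\randomassign`.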
|
|||||||
@@ -26,7 +26,7 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
\State \quad $s_j \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_{j_i}$
|
\State \quad $s_j \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_{j_i}$
|
||||||
\State \quad $\groupelement{A_j} \assign s_j \groupelement{B}$
|
\State \quad $\groupelement{A_j} \assign s_j \groupelement{B}$
|
||||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2},...,\groupelement{A_N})$
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2},...,\groupelement{A_N})$
|
||||||
\State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin Q$
|
\State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin \pset{Q}$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
@@ -52,7 +52,7 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A_j} | \m]) \pmod L$
|
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A_j} | \m]) \pmod L$
|
||||||
\EndBox
|
\EndBox
|
||||||
\State $\signature \assign (\encoded{R}, S)$
|
\State $\signature \assign (\encoded{R}, S)$
|
||||||
\State $Q \assign Q \cup \{(\groupelement{A_j}, \m, \signature)\}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{(\groupelement{A_j}, \m, \signature)\}$
|
||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
@@ -75,7 +75,7 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
\State \quad $abort$
|
\State \quad $abort$
|
||||||
\State $\sum[\encoded{R} | \encoded{A_j} | \m] = \textbf{ch}$
|
\State $\sum[\encoded{R} | \encoded{A_j} | \m] = \textbf{ch}$
|
||||||
\State $\signature \assign (\encoded{R}, S)$
|
\State $\signature \assign (\encoded{R}, S)$
|
||||||
\State $Q \assign Q \cup \{(\groupelement{A_j}, \m, \signature)\}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{(\groupelement{A_j}, \m, \signature)\}$
|
||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\EndBox
|
\EndBox
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
@@ -126,7 +126,7 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
\State \quad $abort$
|
\State \quad $abort$
|
||||||
\State $\sum[\encoded{R} | \encoded{A_j} | m] = \textbf{ch}$
|
\State $\sum[\encoded{R} | \encoded{A_j} | m] = \textbf{ch}$
|
||||||
\State $\signature \assign (\encoded{R}, S)$
|
\State $\signature \assign (\encoded{R}, S)$
|
||||||
\State $Q \assign Q \cup \{(\groupelement{A_j}, \m, \signature)\}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{(\groupelement{A_j}, \m, \signature)\}$
|
||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
@@ -157,7 +157,7 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
|
|
||||||
\subsection{MU-UF-NMA $\Rightarrow$ $\text{MU-EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)}
|
\subsection{MU-UF-NMA $\Rightarrow$ $\text{MU-EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)}
|
||||||
|
|
||||||
This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing using in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin Q$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-UF-NMA security.
|
This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing using in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-UF-NMA security.
|
||||||
|
|
||||||
\begin{theorem}
|
\begin{theorem}
|
||||||
\label{theorem:adv2_mu-uf-nma}
|
\label{theorem:adv2_mu-uf-nma}
|
||||||
@@ -192,7 +192,7 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur
|
|||||||
\State \quad $abort$
|
\State \quad $abort$
|
||||||
\State $\sum[\encoded{R} | \encoded{A_j} | m] = \textbf{ch}$
|
\State $\sum[\encoded{R} | \encoded{A_j} | m] = \textbf{ch}$
|
||||||
\State $\signature \assign (\encoded{R}, S)$
|
\State $\signature \assign (\encoded{R}, S)$
|
||||||
\State $Q \assign Q \cup \{(\groupelement{A_j}, \m)\}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{(\groupelement{A_j}, \m)\}$
|
||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
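Review bot: The win condition quoted in the prose of the lax-parsing subsection, `\verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}`, drops the signature argument of `\verify`, which takes three arguments everywhere else in this commit (`\verify(\groupelement{A_j}, \m^*,\signature^*)`); only the set membership should lose `\signature^*` for EUF-CMA, matching the `\pset{Q} \cup \{(\groupelement{A_j}, \m)\}` update in the last hunk. Suggest `\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*, \signature^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}`. The same sentence also reads "using in the random oracle model" and "the proof MU-SUF-CMA proof", which should be "in the random oracle model" and "the MU-SUF-CMA proof". In the oracle-programming hunks, `\sum[\encoded{R} | \encoded{A_j} | \m] = \textbf{ch}` uses `=` and `\textbf{ch}` where every other assignment in the games uses `\assign` and the `\ch` macro, and `\sum` is the summation operator rather than a table name; a dedicated macro for the random-oracle table would avoid the big-operator spacing.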
|
|||||||
@@ -17,7 +17,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
|||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
\Statex \underline{\game \somdl}
|
\Statex \underline{\game \somdl}
|
||||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||||
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$
|
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
|
||||||
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
||||||
\State $I \assign 0$
|
\State $I \assign 0$
|
||||||
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||||
@@ -58,7 +58,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
|||||||
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
||||||
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
||||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\vspace{2mm}
|
\vspace{2mm}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
@@ -74,7 +74,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
|||||||
\Comment{$G_2$}
|
\Comment{$G_2$}
|
||||||
\EndBox
|
\EndBox
|
||||||
\EndBox
|
\EndBox
|
||||||
\State $Q \assign Q \cup \{ (\groupelement{R}, \ch) \}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}, \ch) \}$
|
||||||
\State \Return $\ch$
|
\State \Return $\ch$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\hrule
|
\hrule
|
||||||
@@ -129,7 +129,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
|||||||
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch \equiv -r_i \pmod L$ \textbf{then}
|
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch \equiv -r_i \pmod L$ \textbf{then}
|
||||||
\State \quad $bad \assign true$
|
\State \quad $bad \assign true$
|
||||||
\State \quad $abort$
|
\State \quad $abort$
|
||||||
\State $Q \assign Q \cup \{ (\groupelement{R}, \ch) \}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}, \ch) \}$
|
||||||
\State \Return $\ch$
|
\State \Return $\ch$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\hrule
|
\hrule
|
||||||
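Review bot: The abort and flag lines in the last hunk, `\State \quad $bad \assign true$` and `\State \quad $abort$`, set multi-letter words in math mode, so they typeset as the products b·a·d, t·r·u·e and a·b·o·r·t; the `\textbf{If} ... \textbf{then}` on the line above already uses text keywords. Suggest `\State \quad $\mathit{bad} \assign \mathit{true}$` and `\State \quad \textbf{abort}` (or a `\abort` macro), applied uniformly since the same pattern recurs in the other sections of this commit. Replacing the hard-coded `8` with `2^c` in the \somdl key sampling is welcome, as it now matches the MU-\igame game two hunks below; the `algorithmic` environments in these hunks start outside the visible lines.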
|
|||||||
@@ -54,7 +54,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
|||||||
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
||||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||||
\State \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\groupelement{R}^*, \ch^*) \in Q$
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A})$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
@@ -70,7 +70,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
|||||||
\Comment{$G_2$}
|
\Comment{$G_2$}
|
||||||
\EndBox
|
\EndBox
|
||||||
\EndBox
|
\EndBox
|
||||||
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||||
\State \Return $\ch_i$
|
\State \Return $\ch_i$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
@@ -85,8 +85,8 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
|||||||
\item \paragraph{\underline{AGM}} This proof takes place in the algebraic group model. Meaning that the adversary has to provide a representation along each group element it provides to the reduction. The adversary has to provide an element $\groupelement{R}$, which is an element in the prime order subgroup of the Twisted Edwards curve. Leaving the question whether the representation should be defined relative to the prime order subgroup or the Twisted Edwards curve. The answer to this question is that it is enough to provide the representation relative to the prime order subgroup. The reason for that is shown in the following paragraph.
|
\item \paragraph{\underline{AGM}} This proof takes place in the algebraic group model. Meaning that the adversary has to provide a representation along each group element it provides to the reduction. The adversary has to provide an element $\groupelement{R}$, which is an element in the prime order subgroup of the Twisted Edwards curve. Leaving the question whether the representation should be defined relative to the prime order subgroup or the Twisted Edwards curve. The answer to this question is that it is enough to provide the representation relative to the prime order subgroup. The reason for that is shown in the following paragraph.
|
||||||
|
|
||||||
The Twisted Edwards curve $\curve$ over the finite field $\field{q}$ is an finite abelian group. Even though the group $\curve$ might not be cyclic the fundamental theorem of finitely generated abelian groups tells us that each finite abelian groups can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. Meaning that $\curve$ can be represented as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Lets recall a well known theorem of algebra:
|
The Twisted Edwards curve $\curve$ over the finite field $\field{q}$ is an finite abelian group. Even though the group $\curve$ might not be cyclic the fundamental theorem of finitely generated abelian groups tells us that each finite abelian groups can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. Meaning that $\curve$ can be represented as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Lets recall a well known theorem of algebra:
|
||||||
\item \begin{theorem}[\cite{karpfinger_direkte_2021}]
|
\item \begin{theorem}[Characterization of Inner Direct Products \cite{karpfinger_direkte_2021}]
|
||||||
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$, following statements are equivalent:
|
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$. Following statements are equivalent:
|
||||||
|
|
||||||
\begin{enumerate}[label=(\arabic*)]
|
\begin{enumerate}[label=(\arabic*)]
|
||||||
\item $N_1, ..., N_n \trianglelefteq \group{G}$ and $\group{G} = N_1 \bigotimes ... \bigotimes N_n$.
|
\item $N_1, ..., N_n \trianglelefteq \group{G}$ and $\group{G} = N_1 \bigotimes ... \bigotimes N_n$.
|
||||||
@@ -113,7 +113,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
|||||||
|
|
||||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||||
|
|
||||||
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||||
|
|
||||||
\begin{align}
|
\begin{align}
|
||||||
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter). \label{eq:advbsdlog}
|
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter). \label{eq:advbsdlog}
|
||||||
@@ -126,7 +126,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
|||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
|
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
|
||||||
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||||
\State \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q$ \textbf{then}
|
\State \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, \ch^*) \in \pset{Q}$ \textbf{then}
|
||||||
\State \quad $abort$
|
\State \quad $abort$
|
||||||
\State Let $R^* = r_1 \groupelement{B} + r_2 \groupelement{A}$
|
\State Let $R^* = r_1 \groupelement{B} + r_2 \groupelement{A}$
|
||||||
\State \Return $(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}$
|
\State \Return $(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}$
|
||||||
@@ -139,7 +139,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
|||||||
\State \textbf{If} $2^c \ch_i \equiv -r_2 \pmod L$ \textbf{then}
|
\State \textbf{If} $2^c \ch_i \equiv -r_2 \pmod L$ \textbf{then}
|
||||||
\State \quad $bad \assign true$
|
\State \quad $bad \assign true$
|
||||||
\State \quad $abort$
|
\State \quad $abort$
|
||||||
\State $Q \assign Q \cup \{ (\agmgroupelement{R_i}{r_i}, \ch_i) \}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{ (\agmgroupelement{R_i}{r_i}, \ch_i) \}$
|
||||||
\State \Return $\ch_i$
|
\State \Return $\ch_i$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
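Review bot: The \igame key sampling in the first hunk of this section still reads `$a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$`, while this same commit changes the \somdl game to `2^{n-1} + 2^c, ..., 2^n - 2^c` and the other \igame definitions already use `2^c`; the step should be `2^c` here too, since `8` only coincides with `2^c` for one choice of the cofactor parameter. Suggest `\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$`. In the adversary `\adversary{B}` hunk, `Let $R^* = r_1 \groupelement{B} + r_2 \groupelement{A}$` writes `R^*` without `\groupelement`, and the returned value `(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}` is an inverse modulo $L$ but carries no `\pmod L`, unlike the `bad` check that guards it. The bound `\frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}` is algebraically just `\oraclequeries \cdot \lceil \frac{2^{2b}-1}{L} \rceil \cdot 2^{-2b}` and would read more clearly in that form.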
|
|||||||
@@ -19,13 +19,13 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
|||||||
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
||||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
||||||
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
||||||
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||||
\State \Return $\ch_i$
|
\State \Return $\ch_i$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
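Review bot: The oracle header `\ioracle($\groupelement{R_i} \in \group{G}$)` puts the index inside the `\groupelement` macro while the set update on the same page writes `\groupelement{R}_i`, so the two renderings of the same element differ in exactly the font detail this commit sets out to unify. Suggest settling on one form, e.g. `\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R_i}, \ch_i) \}$`. The adversary output line `$s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$` also uses `\randomsample` where the other games use `\randomassign` for adversary outputs. The `multicols` environment enclosing these two algorithms starts outside the hunk.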
|
|||||||
@@ -47,7 +47,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
|||||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||||
\State $\groupelement{A} \assign s \groupelement{B}$
|
\State $\groupelement{A} \assign s \groupelement{B}$
|
||||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
|
||||||
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
|
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
@@ -73,7 +73,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
|||||||
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | \m]) \pmod L$
|
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | \m]) \pmod L$
|
||||||
\EndBox
|
\EndBox
|
||||||
\State $\signature \assign (\encoded{R}, S)$
|
\State $\signature \assign (\encoded{R}, S)$
|
||||||
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
|
||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
@@ -96,7 +96,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
|||||||
\State \quad $abort$
|
\State \quad $abort$
|
||||||
\State $\sum[\encoded{R} | \encoded{A} | \m] = \textbf{ch}$
|
\State $\sum[\encoded{R} | \encoded{A} | \m] = \textbf{ch}$
|
||||||
\State $\signature \assign (\encoded{R}, S)$
|
\State $\signature \assign (\encoded{R}, S)$
|
||||||
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
|
||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\EndBox
|
\EndBox
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
@@ -123,7 +123,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
|||||||
|
|
||||||
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \]
|
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \]
|
||||||
|
|
||||||
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
\item Finally, Game $G_3$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||||
|
|
||||||
\begin{align}
|
\begin{align}
|
||||||
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv_uf-nma}
|
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv_uf-nma}
|
||||||
@@ -147,7 +147,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
|||||||
\State \quad $abort$
|
\State \quad $abort$
|
||||||
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
|
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
|
||||||
\State $\signature \assign (\encoded{R}, S)$
|
\State $\signature \assign (\encoded{R}, S)$
|
||||||
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
|
||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
@@ -178,7 +178,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
|||||||
|
|
||||||
\subsection{UF-NMA $\Rightarrow$ $\text{EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)}
|
\subsection{UF-NMA $\Rightarrow$ $\text{EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)}
|
||||||
|
|
||||||
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games are the same as in the proof above with the only difference being the win condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin Q$. For this reason this proofs starts at showing the existence of an adversary $\adversary{B}$ breaking UF-NMA security.
|
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games are the same as in the proof above with the only difference being the win condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason this proofs starts at showing the existence of an adversary $\adversary{B}$ breaking UF-NMA security.
|
||||||
|
|
||||||
\begin{theorem}
|
\begin{theorem}
|
||||||
\label{theorem:adv2_uf-nma}
|
\label{theorem:adv2_uf-nma}
|
||||||
@@ -213,7 +213,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
|
|||||||
\State \quad $abort$
|
\State \quad $abort$
|
||||||
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
|
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
|
||||||
\State $\signature \assign (\encoded{R}, S)$
|
\State $\signature \assign (\encoded{R}, S)$
|
||||||
\State $Q \assign Q \cup \{\m\}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{\m\}$
|
||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
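Review bot: The oracle-programming line `\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}` in the last three hunks mixes bare `m` with the `\m` macro used in the neighbouring `\pset{Q} \cup \{(\m, \signature)\}` update, and uses `=` and `\textbf{ch}` where the rest of these games use `\assign` and the `\ch` macro; the earlier copy of the same line in this file already writes `\m`. Suggest `\State $\sum[\encoded{R} | \encoded{A} | \m] \assign \ch$`, and consider a dedicated macro for the random-oracle table since `\sum` is the summation operator and gets big-operator spacing. The prose of the lax-parsing subsection reads "this proofs starts at showing", which should be "this proof starts by showing". The `algorithmic` environments in these hunks open outside the visible lines.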
|
|||||||