Started with related work

2023-05-17 11:40:36 +02:00
parent 782ed8028f
commit 08ccb32cb5
3 changed files with 9 additions and 131 deletions


@@ -26,79 +26,6 @@ This means that the advantage to distinguish between two identical-until-bad gam
\input{sections/security_notions}
\subsection{Fiat-Shamir Transformation}
The Fiat-Schamir transformation is a transformation which creates a digital signature scheme from a canonical identification scheme. The transformation was introduces by Fiat-Schmir in 1986 \cite{C:FiaSha86}. To transform a canonical identification scheme into a signature scheme it has to be become non-interactive. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the proofer. This is a crucial part for the security of the scheme since otherwise the proofer might be able to choose a commitment and solution in a way that lets him generate a valid transcript without being in the possession of the secret key.
The Fiat-Schamir transformation replaces the verifier by a pseudorandom function. This pseudorandom function takes the commitment and a a message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. With this the proofer is able to calculate the response. The commitment together with the solution can now be considered a signature for that message. To verify the signature a verifier can use the same pseudorandom function to calculate the challenge based on the commitment and the message and apply the verification algorithm from the canonical identification scheme to verify the solution and thereby the validity of the signature. In practice a hash function is often used as the pseudorandom function. The Fiat-Schamir transformation is depicted in figure \ref{fig:fs-transformation}.
If the canonical identification scheme is IMP-PA secure then the digital signature scheme, resulting from the Fiat-Schamir transformation of that canonical identification scheme, is UF-CMA secure in the random oracle model (the meaning of the random oracle model will be explained in section \ref{sec:rom}) \cite{EC:PoiSte96}. %TODO: Ist das das richtige Paper?
\begin{figure}[H]
\hrule
\vspace{1mm}
\begin{multicols}{3}
\begin{algorithmic}[1]
\Statex \underline{\textbf{KeyGen}(par)}
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
\State \Return $(\pubkey, \privkey)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\textbf{Sign}(\privkey, \m)}
\State $(R, st) \randomassign P_1(\privkey)$
\State $\ch \assign F(R|\m)$
\State $s \assign P_2(\privkey, R, \ch, st)$
\State \Return $(R, s)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\textbf{Verify}(\pubkey, \m, $\signature \assign (R,s)$)}
\State $\ch \assign F(R|\m)$
\State \Return $V(\pubkey, R, \ch, s)$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Fiat-Schamir transformation of a CID \assign (KeyGen, P, V)}
\label{fig:fs-transformation}
\end{figure}
\subsection{Schnorr Signatures}
The Schnorr signature scheme is a signature scheme which was introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. The Schnorr signature scheme proved to be a robust and efficient signature scheme. For two prime numbers $p$ and $q$ with $q|p-1$ and and element $g \in \field{p}$ with order $q$ the Schnorr signature scheme is depicted in figure \ref{fig:schorr}. Since the scheme is defined on $\field{p}$ multiplicative notation is used for this scheme as an exception.
\begin{figure}[H]
\hrule
\vspace{1mm}
\begin{multicols}{3}
\begin{algorithmic}[1]
\Statex \underline{\textbf{KeyGen}(par)}
\State $x \randomsample \field{q}$
\State \Return $(X \assign g^x, x)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\textbf{Sign}($s$, \m)}
\State $r \randomsample \field{q}$
\State $R \assign g^r$
\State $\ch \assign H(R|m)$
\State $s \assign r + s \ch \pmod q$
\State \Return $(R, s)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\textbf{Verify}(\pubkey, \m, $\signature \assign (R,s)$)}
\State $\ch \assign F(R|\m)$
\State \Return $R \test g^s X^{-H(R|m)}$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Schnorr Signature Scheme}
\label{fig:schorr}
\end{figure}
\subsection{Elliptic Curves}
\subsection{Random Oracle Model (ROM)}
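Review bot: the Schnorr figure removed in this hunk has a naming bug that should not be carried over when the figure is re-added in the related-work section: `\textbf{Sign}($s$, \m)` and `$s \assign r + s \ch \pmod q$` use $s$ for both the secret key and the response, while KeyGen returns the secret key as $x$ (`\Return $(X \assign g^x, x)$`), so Sign should take $x$ and compute `$s \assign r + x \ch \pmod q$`; Verify also mixes two hash names on consecutive lines (`$\ch \assign F(R|\m)$` followed by `g^s X^{-H(R|m)}`). In the Fiat-Shamir figure, `\caption{Fiat-Schamir transformation of a CID \assign (KeyGen, P, V)}` uses the math macro `\assign` in text mode and misspells Shamir (the bib key is `C:FiaSha86`); `1^\secparamter` should be checked against the actual macro name; the German `%TODO: Ist das das richtige Paper?` (is that the right paper?) next to `\cite{EC:PoiSte96}` is still unresolved; and `\ref{sec:rom}` points at the `Random Oracle Model (ROM)` subsection, which has no `\label` in the visible context.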


@@ -1 +1,9 @@
\section{Related Work}
\section{Related Work}
\paragraph{Schnorr Signatures} The EdDSA signature scheme is similar in structure to the Schnorr signature scheme. The Schnorr signature scheme is a signature scheme introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. The Schnorr signature scheme has proven to be a robust and efficient signature scheme and has undergone several security analyses. The foundation of the Schnorr signature scheme is the canonical identification scheme.
A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a protocol between two parties. The prover attempts to prove the knowledge of a secret key to the verifier, who only knows the public key. This is done by exchanging three messages between the two parties. Fiirst, the prover initiates the protocol by sending a commitment $R$ to the verifier. The verifier respondes with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, the challenge, and its secret key to compute a response $s$. The verifier then can then use the commitment, challenge, and response together with the public key of the prover to verify the response and thereby verify that the prover is actually in the possession of the private key.
To obtain a signature scheme from the canonical identification scheme, it must be made non-interactive. This can be achieved using the Fiat-Schamir transformation. The transformation was introduced by Fiat and Schamir in 1986 \cite{C:FiaSha86}. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the prover. This is a crucial part of the scheme's security, since otherwise the prover might be able to choose a commitment and a challenge in a way that allows him generate a valid solution without being in the possession of the secret key.
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. This allows the proofer to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function.
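Review bot: the new paragraphs keep the misspellings and terminology drift of the deleted preliminaries: "Fiat-Schamir" and "Fiat and Schamir" should be Fiat-Shamir and Shamir (matching the bib key `C:FiaSha86`), and the last paragraph switches from "prover" to "proofer" twice ("computable by the proofer", "allows the proofer to compute"). Smaller fixes: "Fiirst" to "First", "respondes" to "responds", "The verifier then can then use" to "The verifier can then use", "allows him generate" to "allows him to generate". Only the first paragraph is introduced with `\paragraph{Schnorr Signatures}`; the CID and Fiat-Shamir paragraphs would read better with their own `\paragraph` headings, and "has undergone several security analyses" should cite those analyses rather than stand without a reference.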


@@ -1,60 +1,3 @@
\subsection{Canonical Identification Scheme}
A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a protocol between two parties. The prover tries to proof the knowledge of a secret key to the verfier which only knows the public key. This is achieved by exchanging three messages between the two parties. At first the prover starts the protocol by sending a commitment $R$ to the verifier. The verifer answers with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, challenge and its secret key to calculate a response $s$. The verifier then can use the commitment, challenge and response together with the public key of the prover to verify the response and thereby whether the prover is actually in the possession of the private key.
\begin{definition}[CID]
A canonical identification scheme $\text{CID} = (\keygen, P, V)$ is a tuple of algorithms.
\begin{itemize}[label={}]
\item \textbf{\keygen}: The key generation algorithm, which upon receiving the schema parameter as an input outputs a matching tuple of public and private key.
\item \textbf{P}: A set of two algorithms $P_1$ and $P_2$. $P_1$ receives the private key as input and outputs a set containing the commitment and a state. $P_2$ receives as input the secret key, the commitment, the challenge and the state and outputs the response.
\item \textbf{V}: V is the verification algorithm which upon receiving the public key, the commitment, the challenge and the response outputs a bit representing whether the response is valid for the set of parameters.
\end{itemize}
For the canonical identification scheme to be correct it is required that $\forall (\pubkey, \privkey) \in \keygen(par), (R, st) \in P_1(\privkey), \ch \in \textbf{CHSet}, s \in P_2(\privkey, R, \ch, st): V(\pubkey, R, \ch, s) = 1$.
\end{definition}
\subsubsection{IMP-PA}
On security notion for a canonical identification scheme is the impersonation security against passive attackers (IMP-PA). For this security notion the adversary is tasked with impersonating the prover by outputting a valid solution $s$ for a randomly chosen challenge $\ch$ but allowing to request an arbitrary amount of valid transcripts from the challenger. The accompanying game is depicted in figure \ref{game:imp-pa}.
\begin{figure}[h]
\hrule
\begin{multicols}{2}
\normalsize
\begin{algorithmic}[1]
\Statex \underline{\game $\text{IMP-PA}$}
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
\State $s^* \randomassign \adversary{A}^{Tran, Ch(\inp)}(\pubkey)$
\State \Return $\exists (R^*, \ch^*) \in Q: V(\pubkey, R^*, \ch^*, s^*) \test 1$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle Ch($R^*$)}
\Comment{one query}
\State $\ch^* \randomassign \textbf{CHSet}$
\State $Q \assign \{(R^*, \ch^*)\}$
\State \Return $\ch^*$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\Statex \underline{\oracle Tran}
\State $(R, st) \randomassign P_1(\privkey)$
\State $\ch \randomsample \textbf{CHSet}$
\State $s \assign P_2(\privkey, R, \ch, st)$
\State \Return $(R, \ch, s)$
\end{algorithmic}
\hrule
\caption{IMP-PA Security Game}
\label{game:imp-pa}
\end{figure}
\begin{definition}[IMP-PA]
Let $\text{CID} = (\keygen, P, V)$ be a canonical signature scheme. \textit{CID} is IMP-PA secure if for all ppt adversaries $\adversary{A}$ $\advantage{\textit{CID},\adversary{A}}{\text{IMP-PA}}(\secparamter)$ is negligible in $\secparamter$.
\[ \advantage{\textit{CID},\adversary{A}}{\text{IMP-PA}}(\secparamter) \assign \prone{\text{IMP-PA}^{\adversary{A}}} \leq \epsilon \]
\end{definition}
\subsection{Digital Signature Scheme}
A digital signature scheme is a method to ensure the authenticity of data. The signer, which is in the possession of a private key, generates a signature for specific message. The verifier then is able to verify the authenticity of this data using the public key and the generated signature.
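Review bot: this hunk drops the formal CID definition, the IMP-PA game (`\label{game:imp-pa}`) and the IMP-PA definition entirely, while the related-work text added in this commit still introduces the CID "as defined in \cite{EC:AABN02}" in prose only; please confirm that no remaining `\ref{game:imp-pa}` or mention of IMP-PA security is left dangling. If any of this material is restored later, fix the defects visible here first: the IMP-PA definition calls CID a "canonical signature scheme" instead of a canonical identification scheme, the advantage display ends in `\leq \epsilon` although the negligibility condition is already stated in the sentence above it, `\adversary{A}^{Tran, Ch(\inp)}` uses an unexplained `\inp`, and the prose has "On security notion" (One), "tries to proof" (prove), "verfier"/"verifer" and "then can use". In the retained Digital Signature Scheme paragraph, "for specific message" needs "a" and "The verifier then is able to verify" reads better as "The verifier is then able to verify".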