Added multi-user security proofs
@@ -132,8 +132,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adveddsa'}
|
||||
% TODO: Was soll ich hier schreiben?
|
||||
TODO. Then
|
||||
Let $\adversary{A}$ be and adversary against SUF-CMA security of the EdDSA signature scheme. Then
|
||||
|
||||
%TODO: richtigre Richtung?
|
||||
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2\hashqueries}{2^b} \]
|
||||
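Review bot: The inequality in the theorem's display, `\advantage{\text{EdDSA'},\adversary{A}}{\cma} \leq \advantage{\text{EdDSA},\adversary{A}}{\cma} - \frac{2\hashqueries}{2^b}`, points the wrong way for what the game hops establish: the proof bounds `|\Pr[G_1]-\Pr[G_2]|` and `|\Pr[G_2]-\Pr[G_3]|` by `\hashqueries/2^b` each, which yields `|Adv_EdDSA - Adv_EdDSA'| \leq 2\hashqueries/2^b`, i.e. an upper bound on the EdDSA advantage, and that is presumably what the `%TODO: richtigre Richtung?` comment is asking. I would state it as `\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) + \frac{2\hashqueries}{2^b} \]` (whether the display line is added or context is not recoverable from the rendered hunk, but it is the statement the commit leaves in place). The same direction problem is in the theorem of the new MU-UF-NMA ⇒ MU-SUF-CMA section, where the proof only yields a bound via `\Pr[bad]` but the statement uses `=` with a subtracted loss. The new sentence `Let $\adversary{A}$ be and adversary` should read `an adversary`.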
@@ -150,16 +149,19 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
|
||||
\State $k \randomsample \{0,1\}^b$
|
||||
\BeginBox[fill=lightgray]
|
||||
\BeginBox[draw=black]
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
|
||||
\Comment{$G_0$}
|
||||
\EndBox
|
||||
\BeginBox[draw=blue,fill=cyan]
|
||||
\BeginBox[draw=blue]
|
||||
\State $\textbf{if } \sum[k] = \bot \textbf{ then}$
|
||||
\Comment{$G_1 - G_3$}
|
||||
\State \quad $\sum[k] \randomsample \{0,1\}^{2b}$
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \assign \sum[k]$
|
||||
\EndBox
|
||||
\BeginBox[draw=orange]
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
||||
\Comment{$G_4$}
|
||||
\EndBox
|
||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||
\State $A \assign sB$
|
||||
@@ -169,16 +171,19 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \sign($m \in \messagespace$)}
|
||||
\BeginBox[fill=lightgray]
|
||||
\BeginBox[draw=black]
|
||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
|
||||
\Comment{$G_1$}
|
||||
\EndBox
|
||||
\BeginBox[draw=blue,fill=cyan]
|
||||
\BeginBox[draw=blue]
|
||||
\State $\textbf{if } \sum[h_b | ... | h_{2b-1} | m] = \bot \textbf{ then}$
|
||||
\Comment{$G_1 - G_3$}
|
||||
\State \quad $\sum[h_b | ... | h_{2b-1} | m] \randomsample \{0,1\}^{2b}$
|
||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign \sum[h_b | ... | h_{2b-1} | m]$
|
||||
\EndBox
|
||||
\BeginBox[draw=orange]
|
||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | m)$
|
||||
\Comment{$G_4$}
|
||||
\EndBox
|
||||
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
|
||||
\State $R \assign rB$
|
||||
@@ -192,14 +197,17 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||
\BeginBox[draw=blue]
|
||||
\State $\textbf{if } m = k \textbf{ then}$
|
||||
\Comment{$G_1 - G_4$}
|
||||
\State \quad $bad_1 \assign true$
|
||||
\BeginBox[draw=red,dashed]
|
||||
\State \quad $abort$
|
||||
\Comment{$G_2 - G_4$}
|
||||
\EndBox
|
||||
\State $\textbf{if } m \text{ starts with } h_b|...|h_{2b-1} \textbf{ then}$
|
||||
\State \quad $bad_2 \assign true$
|
||||
\BeginBox[draw=green,dashed]
|
||||
\State \quad $abort$
|
||||
\Comment{$G_3 - G_4$}
|
||||
\EndBox
|
||||
\EndBox
|
||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||
@@ -212,11 +220,11 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\end{figure}
|
||||
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the grey filled ones and $G_0$ be $\cma_{\text{EdDSA}}$. By definition,
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the black ones and $G_0$ be $\cma$. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the grey filled boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
|
||||
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the black boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
@@ -229,12 +237,16 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b} \].
|
||||
|
||||
%TODO: Signatur von RF genauer beschreiben?
|
||||
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue filled boxes with the orange boxes. With this change the \cma game parameterized with the EdDSA' game is obtained. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefor an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
|
||||
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue boxes in the main game and the \Osign oracle with the orange boxes. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefore, an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
|
||||
|
||||
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \].
|
||||
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item Now $G_4$ is the same as SUF-CMA parameterized with EdDSA'. Therefore, we have
|
||||
|
||||
\[ \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \].
|
||||
|
||||
\item This proves theorem \ref{theorem:adveddsa'}.
|
||||
\end{proof}
|
||||
|
||||
%TODO: Das kann man sicherlich schöner formulieren
|
||||
In the following proofs when referring to the EdDSA signature scheme actually the EdDSA' signature scheme is used to make the proof more staight forward. In the end when calculating the loss due to the reduction the loss introduced by the EdDSA' signature scheme will be included.
|
||||
In the following proofs when referring to the EdDSA signature scheme actually the EdDSA' signature scheme is used to make the proof more straight forward. In the end when calculating the loss due to the reduction the loss introduced by the EdDSA' signature scheme will be included.
|
||||
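Review bot: The rewritten $G_0$ and $G_1$ paragraphs keep two typos from the old lines: `excluding all boxes expect the black ones` should be `except`, and `introduces to if conditions ... if the condition is triggert` should be `introduces two if conditions ... if the condition is triggered`. The displays `\[ ... \].` put the sentence's full stop after the display, which starts a new paragraph with a lone period; move it inside, `\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]` (the same applies to the other displays in this hunk and in both new sections). `can not` in the $G_4$ paragraph should be `cannot`, and `theorem \ref{theorem:adveddsa'}` is better written `Theorem~\ref{theorem:adveddsa'}` so the reference cannot break across lines.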
@@ -0,0 +1,124 @@
|
||||
\subsection{MU-\igame $\Rightarrow$ MU-UF-NMA (ROM)}
|
||||
|
||||
This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition of the proof followed by the detailed security proof.
|
||||
|
||||
\paragraph{\underline{Introducing MU-\igame}} This game followed closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $n$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The MU-\igame game is depicted in figure \ref{game:mu-igame}.
|
||||
|
||||
%TODO: Fix collision
|
||||
\begin{definition}[MU-\igame]
|
||||
Let $n$ and $n$ be positive integers. For an adversary $\adversary{A}$ we define its advantage in the MU-\igame as following:
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] | \].
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game \igame}
|
||||
\State \textbf{for} $i \in \{1,2,...,n\}$
|
||||
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
||||
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_n})$
|
||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,n\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
||||
\end{algorithmic}
|
||||
\vspace{2mm}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
||||
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
||||
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||
\State \Return $\ch_i$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{MU-\igame}
|
||||
\label{game:mu-igame}
|
||||
\end{figure}
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adv_mu-igame}
|
||||
Let $\adversary{A}$ be an adversary against MU-\igame. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter) \].
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle a valid forgery of the signature also becomes a valid solution for the MU-\igame game.
|
||||
|
||||
\paragraph{\underline{Formal Proof}}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
\State \underline{\game $G_0$}
|
||||
\State \textbf{for} $i \in \{1,2,...,n\}$
|
||||
\State \quad $(h_{i_0}, h_{i_1}, ..., h_{i_{2b-1}}) \randomsample \{0,1\}^{2b}$
|
||||
\State \quad $s_i \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||
\State \quad $\groupelement{A_i} \assign s_i \groupelement{B}$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_n})$
|
||||
\State \Return $\exists i \in \{1,2,...,n\}: \verify(\groupelement{A_i}, \m^*,\signature^*)$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
|
||||
\State \Return $\sum[m]$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\hrule
|
||||
\caption{$G_0$}
|
||||
\label{fig:mu-igame_implies_mu-uf-nma}
|
||||
\end{figure}
|
||||
|
||||
\begin{proof}
|
||||
\item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma} and $G_0$ be MU-UF-NMA. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \Pr[\text{MU-UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{MU-\igame}}(\secparamter) \label{eq:adv_mu-igame}
|
||||
\end{align}.
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_n})$}
|
||||
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_n})$
|
||||
\State \Return $S$
|
||||
\end{algorithmic}
|
||||
\vspace{2mm}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R}, \groupelement{A} \in \curve \textbf{ then}$
|
||||
\State \qquad $\sum[m] \randomsample \ioracle(2^c \groupelement{R})$
|
||||
\State \quad \textbf{else}
|
||||
\State \qquad $\sum[m] \randomsample \{0,1\}^{2b}$
|
||||
\State \Return $\sum[m]$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{Adversary $\adversary{B}$ breaking \igame}
|
||||
\label{fig:adversary_mu-igame}
|
||||
\end{figure}
|
||||
|
||||
\item To proof (\ref{eq:adv_mu-igame}), we define an adversary $\adversary{B}$ attacking MU-\igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_mu-igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulated perfectly.
|
||||
|
||||
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that:
|
||||
|
||||
\begin{align*}
|
||||
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A_i} | m) \groupelement{A_i} \\
|
||||
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A_i} | m) \groupelement{A_i} \\
|
||||
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A_i} \\
|
||||
\groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A_i}
|
||||
\end{align*}
|
||||
|
||||
Therefore, $S$ is a valid solution for the MU-\igame game.
|
||||
|
||||
\item This proves theorem \ref{theorem:adv_mu-igame}.
|
||||
\end{proof}
|
||||
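Review bot: In the `for i` loop of the new $G_0$ figure the line `s_i \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i` reuses the loop index as the summation index and reads `h_i` rather than the $i$-th user's bits, so `s_i` does not depend on the `(h_{i_0}, h_{i_1}, ..., h_{i_{2b-1}})` sampled on the line above; the next section writes the same step as `\sum_{i=c}^{n-1} 2^i h_{j_i}` under a loop variable `j`, and that form should be used here. The Return line of the MU-\igame game has a stray `\in` (`i \in \{1,2,...,n\} \in :`), and the definition opens with `Let $n$ and $n$ be positive integers`, where one of the two is presumably a different parameter. The theorem names $\adversary{A}$ as the adversary against MU-\igame while its equation uses `\adversary{A}` for MU-UF-NMA and `\adversary{B}` for MU-\igame; the proof's direction suggests `Let $\adversary{A}$ be an adversary against MU-UF-NMA. Then there exists an adversary $\adversary{B}$ such that`. Finally the figure header `\game \igame`, the caption `breaking \igame` and the sentence `is run in the \igame game` should all say MU-\igame, and `To proof` should be `To prove`.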
@@ -0,0 +1,150 @@
|
||||
\subsection{MU-UF-NMA $\Rightarrow$ MU-SUF-CMA (ROM)}
|
||||
|
||||
This section shows that the MU-UF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts with providing an intuition of the proof followed by the detailed security proof.
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adv_mu-uf-nma}
|
||||
Let $\adversary{A}$ be an adversary against MU-SUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} This proof follows closely the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the missing \Osign oracle in MU-UF-NMA. For this reason the reduction has to simulate the \Osign oracle without the knowledge of the private keys.
|
||||
|
||||
Again the programmability of the random oracle together with the \simalg algorithm is used to generate valid signatures. The different games are depicted in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}.
|
||||
|
||||
\paragraph{\underline{Formal Proof}}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
|
||||
\State \textbf{for} $j \in \{1,2,...,n\}$
|
||||
\State \quad $(h_{j_0}, h_{j_1}, ..., h_{j_{2b-1}}) \randomsample \{0,1\}^{2b}$
|
||||
\State \quad $s_i \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_{j_i}$
|
||||
\State \quad $\groupelement{A_i} \assign s_i \groupelement{B}$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2},...,\groupelement{A_n})$
|
||||
\State \Return $\exists j \in \{1,2,...,n\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin Q$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \sign($j \in \{1,2,...,n\}$, $\m \in \messagespace$)}
|
||||
\Comment{$G_0 - G_2$}
|
||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_{j_b} | ... | h_{j_{2b-1}} | \m)$
|
||||
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
|
||||
\State $R \assign rB$
|
||||
\BeginBox[draw=black]
|
||||
\State $S \assign (r + sH(\encoded{R} | \encoded{A_j} | \m)) \pmod L$
|
||||
\Comment{$G_0$}
|
||||
\EndBox
|
||||
\BeginBox[draw=blue]
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] \neq \bot \textbf{ then}$
|
||||
\Comment{$G_1 - G_2$}
|
||||
\State \quad $bad \assign true$
|
||||
\BeginBox[draw=red,dashed]
|
||||
\State \quad $abort$
|
||||
\Comment{$G_2$}
|
||||
\EndBox
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] = \bot \textbf{ then}$
|
||||
\State \quad $\sum[\encoded{R} | \encoded{A_j} | \m] \randomsample \{0,1\}^{2b}$
|
||||
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A_j} | \m]) \pmod L$
|
||||
\EndBox
|
||||
\State $\signature \assign (\encoded{R}, S)$
|
||||
\State $Q \assign Q \cup \{(\groupelement{A_j}, \m, \signature)\}$
|
||||
\State \Return $\signature$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\begin{multicols}{2}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
|
||||
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
|
||||
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
|
||||
\State \Return $\sum[\m]$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
%TODO: Nummer vor Oracle
|
||||
\BeginBox[draw=green]
|
||||
\State \underline{\oracle \sign($j \in \{1,2,...,n\}$, $\m \in \messagespace$)}
|
||||
\Comment{$G_3$}
|
||||
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] \neq \bot \textbf{ then}$
|
||||
\State \quad $bad \assign true$
|
||||
\State \quad $abort$
|
||||
\State $\sum[\encoded{R} | \encoded{A_j} | \m] = \textbf{ch}$
|
||||
\State $\signature \assign (\encoded{R}, S)$
|
||||
\State $Q \assign Q \cup \{(\groupelement{A_j}, \m, \signature)\}$
|
||||
\State \Return $\signature$
|
||||
\EndBox
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\hrule
|
||||
\caption{Games $G_0 - G_3$}
|
||||
\label{fig:mu-uf-nma_implies_mu-suf-cma_games}
|
||||
\end{figure}
|
||||
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one and $G_0$ be MU-SUF-CMA. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ now is defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set if the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Therefore,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. Again without loss of generality it is assumed that the adversary only quries each public key message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
|
||||
\item \paragraph{\underline{$G_3:$}} In $G_3$ the \Osign oracle is replaced by the \Osign oracle in the green box. Instead of calculating the response using the secret key the \simalg algorithm is used to generate a tuple of commitment, challenge and response. Then the random oracle is programmed to output the specific challenge given $\encoded{R} | \encoded{A_j} | \m$ as an input. This change is only conceptual, since \simalg outputs a correctly distributed set and it was ruled out in earlier games that the random oracle was previously queries with this input. Hence,
|
||||
|
||||
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) \label{eq:adv_mu-uf-nma}
|
||||
\end{align}.
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A})$
|
||||
\State \Return $(\m^*, \signature^*)$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \sign($j \in \{1,2,...,n\}$, $\m \in \messagespace$)}
|
||||
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
|
||||
\State \quad $bad \assign true$
|
||||
\State \quad $abort$
|
||||
\State $\sum[\encoded{R} | \encoded{A_j} | m] = \textbf{ch}$
|
||||
\State $\signature \assign (\encoded{R}, S)$
|
||||
\State $Q \assign Q \cup \{(\groupelement{A_j}, \m, \signature)\}$
|
||||
\State \Return $\signature$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
|
||||
\State \Return $\sum[m]$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{Adversary $\adversary{B}$ breaking $\text{MU-UF-NMA}$}
|
||||
\label{fig:adversaryb_mu-uf-nma}
|
||||
\end{figure}
|
||||
|
||||
To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
|
||||
|
||||
% TODO: Ist die Begründung ausreichend?
|
||||
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{MU-\cma}$ setting is also a valid signature in the $\text{MU-UF-NMA}$ setting.
|
||||
|
||||
\item This proves theorem \ref{theorem:adv_mu-uf-nma}.
|
||||
\end{proof}
|
||||
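Review bot: The key-generation loop of the new games iterates over `j` but assigns `s_i` and `\groupelement{A_i}` (`s_i \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_{j_i}`, `\groupelement{A_i} \assign s_i \groupelement{B}`), so the `\groupelement{A_j}` used by the Return line and the \sign oracle is never defined; both should be `s_j` / `\groupelement{A_j}`, and the $G_0$ line `S \assign (r + sH(\encoded{R} | \encoded{A_j} | \m))` should use `s_j` as well. Adversary $\adversary{B}$ is declared as `\adversary{B}(\groupelement{A})` and runs `\adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A})` with a single key although it plays MU-UF-NMA and its \sign oracle indexes `\groupelement{A_j}`; it should receive and forward `(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_n})`. The closing argument says $\adversary{B}$ `simulates $\adversary{A}$'s view in $G_2$`, but equation (\ref{eq:adv_mu-uf-nma}) and the preceding paragraph are about $G_3$. The loss term `\frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}` is, because `2^{-\log_2 y} = 1/y`, just `\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}`, which is easier to read in both the theorem and the $G_2$ paragraph (where `quries` should be `queries`).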
@@ -0,0 +1 @@
|
||||
\subsection{\somdl $\Rightarrow$ MU-\igame (AGM)}
|
||||
@@ -0,0 +1 @@
|
||||
\section{MU-\igame $\Rightarrow$ MU-UF-NMA}
|
||||
@@ -1,39 +1,124 @@
|
||||
\subsection{Security Notions}
|
||||
|
||||
\subsubsection{Identical-until-bad Games}
|
||||
\subsubsection{Identical-Until-Bad Games}
|
||||
|
||||
\subsubsection{Digital Signature Scheme}
|
||||
|
||||
|
||||
|
||||
\subsubsection{\cma}
|
||||
|
||||
\cma is a security notion for digital signature schemes. In this game the attacker is given access to a \Osign oracle, which generates valid signatures for arbitrary messages. The attacker wins the game if he is able to provide a message signature pair which is valid and was not generated by the \Osign oracle. The security game is depicted in figure \ref{game:cma}.
|
||||
Strong Existential Unforgeability against Chosen Message Attack (\cma) is a security notion for digital signature schemes. In this game the adversary is given access to a \Osign oracle, which generates valid signatures for arbitrary messages. The adversary wins the game if he is able to provide a message signature pair which is valid and was not generated by the \Osign oracle. The security game is depicted in figure \ref{game:cma}.
|
||||
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \cma secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\cma}(\secparamter)$ is negligible in $\secparamter$.
|
||||
\begin{definition}[\cma]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \cma secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{\cma}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{\cma}}(\secparamter) \assign \prone{\text{\cma}^{\adversary{A}}} \leq \epsilon \]
|
||||
\end{definition}
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\cma}(\secparamter) \assign \prone{\cma^{\adversary{A}}} \leq \epsilon \]
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\normalsize
|
||||
\begin{algorithmic}[1]
|
||||
\State \underline{\game \cma}
|
||||
\Statex \underline{\game $\text{\cma}$}
|
||||
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
|
||||
\State \Return $\verify(\pubkey, \m^*, \signature^*) = 1 \wedge (\m^*, \signature^*) \notin M$
|
||||
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1 \wedge (\m^*, \signature^*) \notin M$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Procedure{Sign}{$\m$}
|
||||
\Statex \underline{\oracle \Osign($\m \in \messagespace$)}
|
||||
\State $\signature \randomassign \sign(\privkey, \m)$
|
||||
\State $M \assign M \cup \{(\m, \signature)\}$
|
||||
\State \Return $\signature$
|
||||
\EndProcedure
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\hrule
|
||||
\caption{\cma Security Game}
|
||||
\label{game:cma}
|
||||
\end{figure}
|
||||
|
||||
\subsubsection{UF-NMA}
|
||||
|
||||
Unforgeability against No Message Attack (UF-NMA) is a security notion for digital signature schemes. The difference to the \cma game is that the adversary does not get access to an \Osign oracle, which provides it with valid signatures for arbitrary messages. Like in the \cma setting the adversary is tasked to provide a valid signature for an arbitrary message. The game is depicted in figure \ref{game:uf-nma}.
|
||||
|
||||
\begin{definition}[UF-NMA]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is UF-NMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{UF-NMA}}(\secparamter) \assign \prone{\text{UF-NMA}^{\adversary{A}}} \leq \epsilon \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\State \underline{\game $\text{UF-NMA}$}
|
||||
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
|
||||
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{UF-NMA Security Game}
|
||||
\label{game:uf-nma}
|
||||
\end{figure}
|
||||
|
||||
\subsubsection{MU-SUF-CMA}
|
||||
|
||||
MU-SUF-CMA is the multi-user variant of the SUF-CMA security notion. Instead of one public key the attacker gets $n$ public keys and is able to query signatures for arbitrary messages for any of the public keys. The goal of the adversary is to forge a signature for any of the public keys. The game is depicted in figure \ref{game:mu-suf-cma}.
|
||||
|
||||
%TODO: Parameter in definition (e.g. n-MU_SUF-CMA)
|
||||
\begin{definition}[MU-SUF-CMA]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $n$ be an integer. $SIG$ is n-MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \assign \prone{\text{MU-SUF-CMA}^{\adversary{A}}} \leq \epsilon \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\normalsize
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game $\text{MU-SUF-CMA}$}
|
||||
\State \textbf{for} $i \in \{1,2,...,n\}$
|
||||
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
|
||||
\State \Return $\exists i \in \{1,2,...,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$
|
||||
% TODO: Fix formatation
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
|
||||
\State $\signature \randomassign \sign(\privkey_i, \m)$
|
||||
\State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
|
||||
\State \Return $\signature$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\hrule
|
||||
\caption{MU-SUF-CMA Security Game}
|
||||
\label{game:mu-suf-cma}
|
||||
\end{figure}
|
||||
|
||||
\subsubsection{MU-UF-NMA}
|
||||
|
||||
MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of one public key the adversary gets access to $n$ public keys and has to forge a signature for any of the public keys. Unlike the MU-SUF-CMA the adversary does not get access to a signing oracle. The game is depicted in figure \ref{game:mu-uf-nma}.
|
||||
|
||||
\begin{definition}[MU-UF-NMA]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $n$ be an integer. $SIG$ is n-MU-UF-NMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq \epsilon \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\State \underline{\game $\text{MU-UF-NMA}$}
|
||||
\State \textbf{for} $i \in \{1,2,...,n\}$
|
||||
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey_1, \pubkey_2, \pubkey_n)$
|
||||
\State \Return $\exists i \in \{1,2,...,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{MU-UF-NMA Security Game}
|
||||
\label{game:mu-uf-nma}
|
||||
\end{figure}
|
||||
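Review bot: The UF-NMA and MU-UF-NMA game figures give the adversary a signing oracle, `\adversary{A}^{\sign(\inp)}(\pubkey)` and `\adversary{A}^{\sign(\inp)}(\pubkey_1, \pubkey_2, \pubkey_n)`, although the surrounding text defines both notions precisely by the absence of \Osign; the superscript should be dropped (`\adversary{A}(\pubkey)`), and the MU variant is also missing its ellipsis, `(\pubkey_1, \pubkey_2, ..., \pubkey_n)`. In the two MU definitions `n-MU-SUF-CMA` and `n-MU-UF-NMA` are written in text mode, so the parameter renders as an upright letter; `$n$-MU-SUF-CMA` keeps it a variable, which also addresses the `%TODO: Parameter in definition` comment. The definition displays end with `\leq \epsilon` after a `\assign` definition, which reads as if the advantage were defined to be small; stating the definition and the negligibility bound separately would be clearer, though this may be pre-existing wording.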
@@ -1,4 +1,4 @@
|
||||
\subsection{\sdlog $=>$ \igame (AGM)}
|
||||
\subsection{\sdlog $\Rightarrow$ \igame (AGM)}
|
||||
|
||||
%TODO check if all c_i's are replaced by chall_i
|
||||
|
||||
@@ -16,8 +16,8 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
|
||||
|
||||
|
||||
\begin{figure}
|
||||
%TODO: include padding
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game \sdlog}
|
||||
\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$
|
||||
@@ -25,6 +25,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
|
||||
\State $a' \randomassign \adversary{A}(\groupelement{A})$
|
||||
\State \Return $a \test a'$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\hrule
|
||||
\caption{\sdlog}
|
||||
\label{fig:sdlog}
|
||||
@@ -60,9 +61,11 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
||||
\BeginBox[draw=blue]
|
||||
\State \textbf{If} $2^c \ch_i \equiv -r_2 \pmod L$ \textbf{then}
|
||||
\Comment{$G_1 - G_2$}
|
||||
\State \quad $bad \assign true$
|
||||
\BeginBox[draw=red,dashed]
|
||||
\State \quad $abort$
|
||||
\Comment{$G_2$}
|
||||
\EndBox
|
||||
\EndBox
|
||||
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||
@@ -80,7 +83,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\item \paragraph{\underline{AGM}} This proof takes place in the algebraic group model. Meaning that the adversary has to provide a representation along each group element it provides to the reduction. The adversary has to provide an element $\groupelement{R}$, which is an element in the prime order subgroup of the Twisted Edwards curve. Leaving the question whether the representation should be defined relative to the prime order subgroup or the Twisted Edwards curve. The answer to this question is that it is enough to provide the representation relative to the prime order subgroup. The reason for that is shown in the following paragraph.
|
||||
|
||||
The Twisted Edwards curve $\curve$ over the finite field $\field{q}$ is an finite abelian group. Even though the group $\curve$ might not be cyclic the fundamental theorem of finitely generated abelian groups tells us that each finite abelian groups can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. Meaning that $\curve$ can be represented as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Lets recall a well known theorem of algebra:
|
||||
\item \begin{theorem}
|
||||
\item \begin{theorem}[\cite{karpfinger_direkte_2021}]
|
||||
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$, following statements are equivalent:
|
||||
|
||||
\begin{enumerate}[label=(\arabic*)]
|
||||
@@ -89,9 +92,9 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
|
||||
\[ x = a_i \cdot ... \cdot a_n, a_i \in N_i \]
|
||||
\end{enumerate}
|
||||
\end{theorem}.\cite{karpfinger_direkte_2021}
|
||||
\end{theorem}
|
||||
|
||||
Due to Sylow theorems the decomposition has to include the large prime order subgroup $\group{G}$ used for EdDSA \cite{karpfinger_satze_2021} and since Twisted Edwards curve (like all Elliptic curves) are abelian each subgroup is also a normal subgroup. Together this means that the representation of each element $\groupelement{X} \in \curve$ is unique relative to the generating set. Since each element $\groupelement{Y} \in \group{G}$ can be represented as $\groupelement{Y} \assign y \groupelement{B}$, with $\groupelement{B}$ being the generator of the prime order subgroup, this has to be the only representation regarding the generation set. Meaning that an adversary in the algebraic group model has to provide a representation in the prime order subgroup $\group{G}$.
|
||||
Due to Sylow's theorems the decomposition has to include the large prime order subgroup $\group{G}$ used for EdDSA \cite{karpfinger_satze_2021} and since Twisted Edwards curve (like all Elliptic curves) are abelian each subgroup is also a normal subgroup. Together this means that the representation of each element $\groupelement{X} \in \curve$ is unique relative to the generating set. Since each element $\groupelement{Y} \in \group{G}$ can be represented as $\groupelement{Y} \assign y \groupelement{B}$, with $\groupelement{B}$ being the generator of the prime order subgroup, this has to be the only representation regarding the generation set. Meaning that an adversary in the algebraic group model has to provide a representation in the prime order subgroup $\group{G}$.
|
||||
|
||||
The only two group elements in $\group{G}$ provided to the adversary are the public key $\groupelement{A}$ and the generator $\groupelement{B}$. Therefore the representation of the element $\groupelement{R}$, provided to the \ioracle oracle, looks like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$.
|
||||
|
||||
|
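Review bot: The scalar range sampled in the \sdlog game, `\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$`, does not appear to match the secret scalar that the key-generation step elsewhere in this commit produces, `s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i`, which ranges over $\{2^n, 2^n + 8, \dots, 2^{n+1} - 8\}$ for $c = 3$; if $n$ denotes the same parameter in both places the game should sample from `\{ 2^{n}, 2^{n} + 8, ..., 2^{n+1} - 8 \}` (the same line recurs in the \igame game of the next file), otherwise a sentence defining $n$ for \sdlog would remove the ambiguity. In the AGM paragraph, `\bigotimes` is the n-ary tensor-product operator; the direct product of cyclic subgroups is written `\times` (or `\oplus` for additive abelian groups), and `...` inside math should be `\dots`. The retitled `\subsection{\sdlog $\Rightarrow$ \igame (AGM)}` places math in a moving argument that hyperref cannot turn into a PDF bookmark; `\subsection{\sdlog \texorpdfstring{$\Rightarrow$}{=>} \igame (AGM)}` keeps the arrow in the text and a plain string in the bookmark, and the same applies to the two other subsection titles changed in this commit. The sentence `Lets recall a well known theorem of algebra:` should read `Let us recall a well-known theorem of algebra:`.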
||||
@@ -1,6 +1,6 @@
|
||||
\subsection{\igame $=>$ UF-NMA (ROM)}
|
||||
\subsection{\igame $\Rightarrow$ UF-NMA (ROM)}
|
||||
|
||||
This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
|
||||
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing introducing an intermediate game \igame followed by an intuition of the proof and the detailed security proof.
|
||||
|
||||
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle by the \ioracle oracle, which takes a commitment and outputs a challenge. This also strips away the message and focuses on the forgery of an arbitrary message. The \igame game is depicted in figure \ref{game:igame}.
|
||||
|
||||
@@ -19,7 +19,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||
\State \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \wedge (\groupelement{R}^*, \ch^*) \in Q$
|
||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
@@ -36,9 +36,9 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adv_igame}
|
||||
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}_{\text{EdDSA}}$. Then,
|
||||
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{UF-NMA}(\secparamter) = \advantage{\adversary{B}}{\igame}(\secparamter) \].
|
||||
\[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{\igame}}(\secparamter) \].
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
|
||||
@@ -51,6 +51,9 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
\State \underline{\game $G_0$}
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||
\State $\groupelement{A} \assign s \groupelement{B}$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
|
||||
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*)$
|
||||
\end{algorithmic}
|
||||
@@ -68,18 +71,19 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
\end{figure}
|
||||
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}_{\text{EdDSA}}$. By definition,
|
||||
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}$. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item $G_0$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\igame}(\secparamter) \label{eq:adv_igame}
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter) \label{eq:adv_igame}
|
||||
\end{align}.
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{multicols}{2}
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
@@ -103,7 +107,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
\label{fig:adversary_igame}
|
||||
\end{figure}
|
||||
|
||||
\item To proof (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulates perfectly.
|
||||
\item To proof (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulated perfectly.
|
||||
|
||||
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that:
|
||||
|
||||
|
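Review bot: The theorem at `Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,` uses $\adversary{B}$ in the displayed equation without ever introducing it; the statement should quantify it, e.g. `Then there exists an adversary $\adversary{B}$ against \igame such that`, and the theorem in the next file (UF-NMA $\Rightarrow$ \cma) has the same gap. The `\advantage` macro is used with three different first arguments for the same quantity within this section — `\advantage{\adversary{A}}{\text{UF-NMA}}` in the theorem, `\advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}` in the proof and `\advantage{\group{G}, \adversary{B}}{\text{\igame}}` in the labelled equation — so one form should be chosen and used consistently. Two typos sit in the new lines: `providing introducing an intermediate game` has one word too many, and `To proof (\ref{eq:adv_igame})` should read `To prove`. `\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$` uses `\randomsample` where every other adversary invocation in this commit uses `\randomassign`. The full stops written after `\]` and after `\end{align}` start a new paragraph consisting of a lone period; the punctuation belongs inside the display, as in `\[ ... (\secparamter). \]`.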
||||
@@ -1,11 +1,11 @@
|
||||
\subsection{UF-NMA $=>$ \cma (ROM)}
|
||||
\subsection{UF-NMA $\Rightarrow$ \cma (ROM)} \label{proof:uf-nma_implies_suf-cma}
|
||||
|
||||
% TODO: "intuition for the proof" vs. "intuition of the proof"?
|
||||
This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
|
||||
This section shows that the UF-NMA security of EdDSA signature scheme implies the \cma security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adv_uf-nma}
|
||||
Let $\adversary{A}$ be an adversary against $\cma_{\text{EdDSA}}$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
|
||||
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\end{theorem}
|
||||
@@ -23,6 +23,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\simalg(\groupelement{A})}
|
||||
\State $\textbf{ch} \randomsample \{0,1\}^{2b}$
|
||||
@@ -44,24 +45,28 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||
\State $A \assign s \groupelement{B}$
|
||||
\State $\groupelement{A} \assign s \groupelement{B}$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
|
||||
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
|
||||
\Comment{$G_0 - G_2$}
|
||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | \m)$
|
||||
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
|
||||
\State $R \assign rB$
|
||||
\BeginBox[fill=lightgray]
|
||||
\BeginBox[draw=black]
|
||||
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | \m)) \pmod L$
|
||||
\Comment{$G_0$}
|
||||
\EndBox
|
||||
\BeginBox[draw=blue]
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
|
||||
\Comment{$G_1 - G_2$}
|
||||
\State \quad $bad \assign true$
|
||||
\BeginBox[draw=red,dashed]
|
||||
\State \quad $abort$
|
||||
\Comment{$G_2$}
|
||||
\EndBox
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] = \bot \textbf{ then}$
|
||||
\State \quad $\sum[\encoded{R} | \encoded{A} | \m] \randomsample \{0,1\}^{2b}$
|
||||
@@ -84,6 +89,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
%TODO: Nummer vor Oracle
|
||||
\BeginBox[draw=green]
|
||||
\State \underline{\oracle \sign($\m \in \messagespace$)}
|
||||
\Comment{$G_3$}
|
||||
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
|
||||
\State \quad $bad \assign true$
|
||||
@@ -101,24 +107,26 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\end{figure}
|
||||
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the gray filled one and let $G_0$ be $\text{\cma}_{\text{EdDSA}}$. By definition,
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one and let $G_0$ be $\text{\cma}$. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the gray filled box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence,
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort condition in the red box. The abort condition is triggered if the $bad$ flag is set. Without loss of generality it is assumed that the adversary queries the \sign oracle only once with each message since the signature generated is deterministic and an adversary would not gain more information by multiple queries with the same message. For each individual sign query the probability for the $bad$ flag to be set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter, which is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition he has to guess the commitment $\groupelement{R}$ used during on of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied with the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $r'$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\groupelement{R}$ has to be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort condition is triggered if the $bad$ flag is set. Without loss of generality it is assumed that the adversary queries the \sign oracle only once with each message since the signature generated is deterministic and an adversary would not gain more information by multiple queries with the same message. For each individual sign query the probability for the $bad$ flag to be set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter, which is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition he has to guess the commitment $\groupelement{R}$ used during on of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied with the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $r'$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\groupelement{R}$ has to be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
|
||||
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle by the \sign oracle in the green box. This change is only conceptual. \simalg outputs a correctly distributed tuple $(R, \textbf{ch}, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \textbf{ch} \groupelement{A}$ and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed to output $\textbf{ch}$ upon calling $H(\encoded{R} | \encoded{A} | m)$. Therefore, it is ensured that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without the usage of the private key $s$.
|
||||
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle by the \sign oracle in the green box. This change is only conceptual. \simalg outputs a correctly distributed tuple $(R, \textbf{ch}, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \textbf{ch} \groupelement{A}$ and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed to output $\textbf{ch}$ upon calling $H(\encoded{R} | \encoded{A} | m)$. Therefore, it is ensured that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without the usage of the private key $s$. Therefore,
|
||||
|
||||
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) \label{eq:adv_uf-nma}
|
||||
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) \label{eq:adv_uf-nma}
|
||||
\end{align}.
|
||||
|
||||
\begin{figure}
|
||||
@@ -150,14 +158,14 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\State \Return $\sum[m]$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}_{\text{EdDSA}}$}
|
||||
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}$}
|
||||
\label{fig:adversarybuf-nma}
|
||||
\end{figure}
|
||||
|
||||
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}_{\text{EdDSA}}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}_{\text{EdDSA}}$ game and adversary $\adversary{B}$ simulates \sign for adversary $\adversary{A}$. \sign is simulated perfectly.
|
||||
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
|
||||
|
||||
% TODO: Ist die Begründung ausreichend?
|
||||
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{\cma}_{\text{EdDSA}}$ setting is also a valid signature in the $\text{UF-NMA}_{\text{EdDSA}}$ setting.
|
||||
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{\cma}$ setting is also a valid signature in the $\text{UF-NMA}$ setting.
|
||||
|
||||
\item This proves theorem \ref{theorem:adv_uf-nma}.
|
||||
\end{proof}
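Review bot: The bound stated in the theorem, `\advantage{\adversary{A}}{\text{\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{...}`, is not what the proof derives: the game hops give $\Pr[G_0] = \Pr[G_1]$, $|\Pr[G_1] - \Pr[G_2]| \leq \Pr[bad]$ and $\Pr[G_2] = \Pr[G_3] = \advantage{\adversary{B}}{\text{UF-NMA}}$, which yields an inequality with the loss added, `\advantage{\adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}`, rather than an equality with the loss subtracted. The new sentence `adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$` names the oracle `\Osign`, while the game figure in this same file still labels it `\oracle \sign`; one name should be used throughout, and `(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | \m)` uses `=` where the surrounding steps use `\assign`. In the $G_2$ paragraph, `$min\{2^{2b}, L\}$` should be `\min\{2^{2b}, L\}`, `during on of the \sign queries` should be `one of`, and `reduction module $L$` should be `modulo`. The caption `Adversary $\adversary{B}$ breaking $\text{UF-NMA}$` and the figure references before it use `figure \ref{...}` with a breakable space; `figure~\ref{...}` (or `\cref`) keeps the number on the same line.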