Added multi-user security proofs
@@ -132,8 +132,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adveddsa'}
|
||||
% TODO: Was soll ich hier schreiben?
|
||||
TODO. Then
|
||||
Let $\adversary{A}$ be and adversary against SUF-CMA security of the EdDSA signature scheme. Then
|
||||
|
||||
%TODO: richtigre Richtung?
|
||||
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2\hashqueries}{2^b} \]
|
||||
@@ -150,16 +149,19 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
|
||||
\State $k \randomsample \{0,1\}^b$
|
||||
\BeginBox[fill=lightgray]
|
||||
\BeginBox[draw=black]
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
|
||||
\Comment{$G_0$}
|
||||
\EndBox
|
||||
\BeginBox[draw=blue,fill=cyan]
|
||||
\BeginBox[draw=blue]
|
||||
\State $\textbf{if } \sum[k] = \bot \textbf{ then}$
|
||||
\Comment{$G_1 - G_3$}
|
||||
\State \quad $\sum[k] \randomsample \{0,1\}^{2b}$
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \assign \sum[k]$
|
||||
\EndBox
|
||||
\BeginBox[draw=orange]
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
||||
\Comment{$G_4$}
|
||||
\EndBox
|
||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||
\State $A \assign sB$
|
||||
@@ -169,16 +171,19 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \sign($m \in \messagespace$)}
|
||||
\BeginBox[fill=lightgray]
|
||||
\BeginBox[draw=black]
|
||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
|
||||
\Comment{$G_1$}
|
||||
\EndBox
|
||||
\BeginBox[draw=blue,fill=cyan]
|
||||
\BeginBox[draw=blue]
|
||||
\State $\textbf{if } \sum[h_b | ... | h_{2b-1} | m] = \bot \textbf{ then}$
|
||||
\Comment{$G_1 - G_3$}
|
||||
\State \quad $\sum[h_b | ... | h_{2b-1} | m] \randomsample \{0,1\}^{2b}$
|
||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign \sum[h_b | ... | h_{2b-1} | m]$
|
||||
\EndBox
|
||||
\BeginBox[draw=orange]
|
||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | m)$
|
||||
\Comment{$G_4$}
|
||||
\EndBox
|
||||
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
|
||||
\State $R \assign rB$
|
||||
@@ -192,14 +197,17 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||
\BeginBox[draw=blue]
|
||||
\State $\textbf{if } m = k \textbf{ then}$
|
||||
\Comment{$G_1 - G_4$}
|
||||
\State \quad $bad_1 \assign true$
|
||||
\BeginBox[draw=red,dashed]
|
||||
\State \quad $abort$
|
||||
\Comment{$G_2 - G_4$}
|
||||
\EndBox
|
||||
\State $\textbf{if } m \text{ starts with } h_b|...|h_{2b-1} \textbf{ then}$
|
||||
\State \quad $bad_2 \assign true$
|
||||
\BeginBox[draw=green,dashed]
|
||||
\State \quad $abort$
|
||||
\Comment{$G_3 - G_4$}
|
||||
\EndBox
|
||||
\EndBox
|
||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||
@@ -212,11 +220,11 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\end{figure}
|
||||
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the grey filled ones and $G_0$ be $\cma_{\text{EdDSA}}$. By definition,
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the black ones and $G_0$ be $\cma$. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the grey filled boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
|
||||
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the black boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
@@ -229,12 +237,16 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b} \].
|
||||
|
||||
%TODO: Signatur von RF genauer beschreiben?
|
||||
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue filled boxes with the orange boxes. With this change the \cma game parameterized with the EdDSA' game is obtained. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefor an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
|
||||
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue boxes in the main game and the \Osign oracle with the orange boxes. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefore, an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
|
||||
|
||||
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \].
|
||||
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item Now $G_4$ is the same as SUF-CMA parameterized with EdDSA'. Therefore, we have
|
||||
|
||||
\[ \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \].
|
||||
|
||||
\item This proves theorem \ref{theorem:adveddsa'}.
|
||||
\end{proof}
|
||||
|
||||
%TODO: Das kann man sicherlich schöner formulieren
|
||||
In the following proofs when referring to the EdDSA signature scheme actually the EdDSA' signature scheme is used to make the proof more staight forward. In the end when calculating the loss due to the reduction the loss introduced by the EdDSA' signature scheme will be included.
|
||||
In the following proofs when referring to the EdDSA signature scheme actually the EdDSA' signature scheme is used to make the proof more straight forward. In the end when calculating the loss due to the reduction the loss introduced by the EdDSA' signature scheme will be included.
|
||||
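Review bot: The inequality in theorem `\ref{theorem:adveddsa'}` (first hunk, the display directly below `%TODO: richtigre Richtung?`) appears to point the wrong way for what the proof establishes. The game sequence starts from the EdDSA advantage in $G_0$, ends at the EdDSA' advantage in $G_4$, and each lossy hop is bounded by a bad event of probability at most `\frac{\hashqueries}{2^b}`, so the chain yields an upper bound on the EdDSA advantage: `\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) + \frac{2\hashqueries}{2^b} \]`. As written, the statement is a lower bound on the EdDSA advantage, which cannot carry the EdDSA' loss into the later reductions the way the closing paragraph intends. The theorem text should then also say which scheme $\adversary{A}$ attacks on each side of the inequality. The $G_1$ to $G_2$ hop and the end of the theorem environment lie outside the visible hunks, so the factor 2 is taken from the stated bound rather than checked here.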