Added multi-user security proofs

2023-04-19 16:34:03 +02:00
parent d2765beab9
commit 0baf01b6ca
11 changed files with 459 additions and 57 deletions


@@ -1,4 +1,4 @@
\subsection{\sdlog $=>$ \igame (AGM)}
\subsection{\sdlog $\Rightarrow$ \igame (AGM)}
%TODO check if all c_i's are replaced by chall_i
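Review bot: the `%TODO check if all c_i's are replaced by chall_i` comment directly under the retitled `\subsection` is still open, and the oracle later in this file writes the challenge as `\ch_i`. Either finish the check and drop the TODO, or reword it to name the macro that is actually used. The `$\Rightarrow$` in the title is math inside a sectioning command; if the document loads hyperref, wrapping it as `\texorpdfstring{$\Rightarrow$}{=>}` keeps the PDF bookmark clean.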
@@ -16,8 +16,8 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
\begin{figure}
%TODO: include padding
\hrule
\vspace{1mm}
\begin{algorithmic}[1]
\Statex \underline{\game \sdlog}
\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$
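Review bot: the sampling set on the `\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$` line hard-codes the step 8 and uses a literal `...`, while the oracle further down in this file writes its multiplier as `$2^c$`. If the 8 is that same `2^c`, write the set in terms of `2^c` (or state the value of `c` next to the game) so the two figures agree, and use `\ldots` for the ellipsis. The `%TODO: include padding` above the game is also still open and should be resolved or tracked before other proofs cite this figure.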
@@ -25,6 +25,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
\State $a' \randomassign \adversary{A}(\groupelement{A})$
\State \Return $a \test a'$
\end{algorithmic}
\vspace{1mm}
\hrule
\caption{\sdlog}
\label{fig:sdlog}
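Review bot: the `\vspace{1mm}` before the closing `\hrule` mirrors the `\hrule` / `\vspace{1mm}` pair at the top of the same figure, so the frame is now hand-placed in two spots per game. Consider moving the rule and spacing into one macro or environment shared by all game figures, so the framing stays identical across figures and can be tuned in one place.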
@@ -60,9 +61,11 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\State $\ch_i \randomsample \{0,1\}^{2b}$
\BeginBox[draw=blue]
\State \textbf{If} $2^c \ch_i \equiv -r_2 \pmod L$ \textbf{then}
\Comment{$G_1 - G_2$}
\State \quad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\Comment{$G_2$}
\EndBox
\EndBox
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
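Review bot: the label `\Comment{$G_1 - G_2$}` on the `If` line is typeset in math mode as a subtraction, not as a range of games. Write it as `\Comment{$G_1$--$G_2$}` or `\Comment{$G_1$, $G_2$}`, and say in the caption or surrounding text that the blue box belongs to both games and the dashed red box to `$G_2$` only, since the colours alone do not survive a greyscale print. In the same box, `$bad \assign true$` and `$abort$` are set as products of italic letters; `\mathit{bad}`, `\mathit{true}` and a text-mode `abort` would read as identifiers.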
@@ -80,7 +83,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\item \paragraph{\underline{AGM}} This proof takes place in the algebraic group model. Meaning that the adversary has to provide a representation along each group element it provides to the reduction. The adversary has to provide an element $\groupelement{R}$, which is an element in the prime order subgroup of the Twisted Edwards curve. Leaving the question whether the representation should be defined relative to the prime order subgroup or the Twisted Edwards curve. The answer to this question is that it is enough to provide the representation relative to the prime order subgroup. The reason for that is shown in the following paragraph.
The Twisted Edwards curve $\curve$ over the finite field $\field{q}$ is an finite abelian group. Even though the group $\curve$ might not be cyclic the fundamental theorem of finitely generated abelian groups tells us that each finite abelian groups can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. Meaning that $\curve$ can be represented as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Lets recall a well known theorem of algebra:
\item \begin{theorem}
\item \begin{theorem}[\cite{karpfinger_direkte_2021}]
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$, following statements are equivalent:
\begin{enumerate}[label=(\arabic*)]
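Review bot: the paragraph leading into the theorem says each finite abelian group "can be uniquely decomposed into the direct product of cyclic subgroups", but that decomposition is unique only up to isomorphism of the factors, not as a choice of subgroups, and the uniqueness-of-representation argument that follows leans on it. Suggest stating precisely which uniqueness is used, and replacing `\bigotimes` with `\times`, since `\bigotimes` denotes a tensor product. Moving the `\cite` into the optional argument of `theorem` is fine; while the header is being touched, the statement's "an group" and "following statements are equivalent" could be corrected to "a group" and "the following statements are equivalent".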
@@ -89,9 +92,9 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\[ x = a_i \cdot ... \cdot a_n, a_i \in N_i \]
\end{enumerate}
\end{theorem}.\cite{karpfinger_direkte_2021}
\end{theorem}
Due to Sylow theorems the decomposition has to include the large prime order subgroup $\group{G}$ used for EdDSA \cite{karpfinger_satze_2021} and since Twisted Edwards curve (like all Elliptic curves) are abelian each subgroup is also a normal subgroup. Together this means that the representation of each element $\groupelement{X} \in \curve$ is unique relative to the generating set. Since each element $\groupelement{Y} \in \group{G}$ can be represented as $\groupelement{Y} \assign y \groupelement{B}$, with $\groupelement{B}$ being the generator of the prime order subgroup, this has to be the only representation regarding the generation set. Meaning that an adversary in the algebraic group model has to provide a representation in the prime order subgroup $\group{G}$.
Due to Sylow's theorems the decomposition has to include the large prime order subgroup $\group{G}$ used for EdDSA \cite{karpfinger_satze_2021} and since Twisted Edwards curve (like all Elliptic curves) are abelian each subgroup is also a normal subgroup. Together this means that the representation of each element $\groupelement{X} \in \curve$ is unique relative to the generating set. Since each element $\groupelement{Y} \in \group{G}$ can be represented as $\groupelement{Y} \assign y \groupelement{B}$, with $\groupelement{B}$ being the generator of the prime order subgroup, this has to be the only representation regarding the generation set. Meaning that an adversary in the algebraic group model has to provide a representation in the prime order subgroup $\group{G}$.
The only two group elements in $\group{G}$ provided to the adversary are the public key $\groupelement{A}$ and the generator $\groupelement{B}$. Therefore the representation of the element $\groupelement{R}$, provided to the \ioracle oracle, looks like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$.
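Review bot: the displayed product `\[ x = a_i \cdot ... \cdot a_n, a_i \in N_i \]` in the theorem starts at `a_i`, which clashes with the quantifier `a_i \in N_i`; the first factor should be `a_1`, and `\ldots` or `\cdots` should replace the literal dots. In the reworded paragraph, "generation set" should match the "generating set" defined earlier, and "Twisted Edwards curve (like all Elliptic curves) are abelian" needs a plural subject. The step from "unique relative to the generating set" to "the adversary has to provide a representation in the prime order subgroup" would be easier to check if it said explicitly that `\groupelement{B}` is taken as one element of that generating set.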