Added multi-user security proofs
@@ -1,6 +1,6 @@
|
||||
\subsection{\igame $=>$ UF-NMA (ROM)}
|
||||
\subsection{\igame $\Rightarrow$ UF-NMA (ROM)}
|
||||
|
||||
This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
|
||||
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing introducing an intermediate game \igame followed by an intuition of the proof and the detailed security proof.
|
||||
|
||||
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle by the \ioracle oracle, which takes a commitment and outputs a challenge. This also strips away the message and focuses on the forgery of an arbitrary message. The \igame game is depicted in figure \ref{game:igame}.
|
||||
|
||||
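Review bot: the new introduction sentence still contains the leftover "providing introducing" (keep one of the two), and "This is archived by replacing the random oracle" in the new \igame paragraph should read "achieved". The paragraph also references the game as \ref{game:igame}, whereas the later figures in this file use the fig: prefix (\ref{fig:igame_implies_uf-nma}, \ref{fig:adversary_igame}); check that the label exists and that one prefix convention is used.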
@@ -19,7 +19,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||
\State \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \wedge (\groupelement{R}^*, \ch^*) \in Q$
|
||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
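Review bot: the secret scalar sampled in \igame, `\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$`, does not have the same distribution as the EdDSA scalar in $G_0$, `\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$`, which lies in $[2^n, 2^{n+1})$ with the low $c$ bits cleared; the hard-coded step of 8 also silently fixes $c=3$. Since the theorem claims an equality of advantages rather than a bound, $a$ should be drawn from exactly the set that $s$ ranges over, written with the same $2^n$ offset and parameter $c$. The rewritten \Return condition ($\exists (\groupelement{R}^*, \ch^*) \in Q$) is clearer than the old one; for consistency with $G_0$, consider \randomassign instead of \randomsample for the adversary's output line.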
@@ -36,9 +36,9 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adv_igame}
|
||||
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}_{\text{EdDSA}}$. Then,
|
||||
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{UF-NMA}(\secparamter) = \advantage{\adversary{B}}{\igame}(\secparamter) \].
|
||||
\[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{\igame}}(\secparamter) \].
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
|
||||
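Review bot: $\adversary{B}$ appears in the theorem statement without being introduced; the statement should quantify it, e.g. "Then there exists an adversary $\adversary{B}$ against \igame, running in about the time of $\adversary{A}$, such that". Dropping the EdDSA subscript from the theorem also makes it inconsistent with the proof body, which still writes $\advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}$; pick one form for the advantage notation. The period after `\]` on the equation line typesets as a stray full stop at the start of a new paragraph; move it inside the display.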
@@ -51,6 +51,9 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
\State \underline{\game $G_0$}
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||
\State $\groupelement{A} \assign s \groupelement{B}$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
|
||||
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*)$
|
||||
\end{algorithmic}
|
||||
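Review bot: `\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$` uses \leftarrow while every other assignment in these figures uses \assign; use \assign for consistency. It is also worth one sentence in the proof on why $G_0$ may sample $(h_0, ..., h_{2b-1})$ uniformly instead of computing them as $H(k)$, given that $G_0$ is claimed to be identical to UF-NMA rather than merely close to it.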
@@ -68,18 +71,19 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
\end{figure}
|
||||
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}_{\text{EdDSA}}$. By definition,
|
||||
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}$. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item $G_0$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\igame}(\secparamter) \label{eq:adv_igame}
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter) \label{eq:adv_igame}
|
||||
\end{align}.
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{multicols}{2}
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
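Review bot: `\item` directly after `\begin{proof}` (the line `\item \paragraph{\underline{$G_0$}} ...`) will produce a "Lonely \item" error unless the proof environment opens a list; either drop the \item markers or wrap the steps in an enumerate. The sentence "Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be UF-NMA" defines $G_0$ twice; say once that $G_0$ is the UF-NMA game as depicted in the figure. The advantage notation here, $\advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}$ and $\advantage{\group{G}, \adversary{B}}{\text{\igame}}$, still differs from the theorem's $\advantage{\adversary{A}}{\text{UF-NMA}}$ and $\advantage{\adversary{B}}{\text{\igame}}$. Finally, `\end{align}.` and `\].` leave stray periods outside the displays; move them inside.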
@@ -103,7 +107,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
\label{fig:adversary_igame}
|
||||
\end{figure}
|
||||
|
||||
\item To proof (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulates perfectly.
|
||||
\item To proof (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulated perfectly.
|
||||
|
||||
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that:
|
||||
|
||||
|
||||
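Review bot: "To proof (\ref{eq:adv_igame})" should be "To prove (\ref{eq:adv_igame})" in the new line as well, and "Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run" needs commas around the participial phrase. The claim "$H$ is simulated perfectly" deserves a one-sentence justification: it requires that the \ioracle oracle returns uniformly distributed challenges and that $\adversary{B}$ answers repeated $H$ queries on the same input consistently, e.g. via a lookup table. The hunk ends with "It is known that:" and no displayed statement follows within the diff; make sure the continuation is part of the commit.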