Added multi-user security proofs
This commit is contained in:
@@ -1,11 +1,11 @@
|
||||
\subsection{UF-NMA $=>$ \cma (ROM)}
|
||||
\subsection{UF-NMA $\Rightarrow$ \cma (ROM)} \label{proof:uf-nma_implies_suf-cma}
|
||||
|
||||
% TODO: "intuition for the proof" vs. "intuition of the proof"?
|
||||
This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
|
||||
This section shows that the UF-NMA security of EdDSA signature scheme implies the \cma security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adv_uf-nma}
|
||||
Let $\adversary{A}$ be an adversary against $\cma_{\text{EdDSA}}$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
|
||||
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\end{theorem}
|
||||
@@ -23,6 +23,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\simalg(\groupelement{A})}
|
||||
\State $\textbf{ch} \randomsample \{0,1\}^{2b}$
|
||||
@@ -44,24 +45,28 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
|
||||
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||
\State $A \assign s \groupelement{B}$
|
||||
\State $\groupelement{A} \assign s \groupelement{B}$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
|
||||
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
|
||||
\Comment{$G_0 - G_2$}
|
||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | \m)$
|
||||
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
|
||||
\State $R \assign rB$
|
||||
\BeginBox[fill=lightgray]
|
||||
\BeginBox[draw=black]
|
||||
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | \m)) \pmod L$
|
||||
\Comment{$G_0$}
|
||||
\EndBox
|
||||
\BeginBox[draw=blue]
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
|
||||
\Comment{$G_1 - G_2$}
|
||||
\State \quad $bad \assign true$
|
||||
\BeginBox[draw=red,dashed]
|
||||
\State \quad $abort$
|
||||
\Comment{$G_2$}
|
||||
\EndBox
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] = \bot \textbf{ then}$
|
||||
\State \quad $\sum[\encoded{R} | \encoded{A} | \m] \randomsample \{0,1\}^{2b}$
|
||||
@@ -84,6 +89,7 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
%TODO: Nummer vor Oracle
|
||||
\BeginBox[draw=green]
|
||||
\State \underline{\oracle \sign($\m \in \messagespace$)}
|
||||
\Comment{$G_3$}
|
||||
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
|
||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
|
||||
\State \quad $bad \assign true$
|
||||
@@ -101,24 +107,26 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\end{figure}
|
||||
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the gray filled one and let $G_0$ be $\text{\cma}_{\text{EdDSA}}$. By definition,
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one and let $G_0$ be $\text{\cma}$. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the gray filled box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence,
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort condition in the red box. The abort condition is triggered if the $bad$ flag is set. Without loss of generality it is assumed that the adversary queries the \sign oracle only once with each message since the signature generated is deterministic and an adversary would not gain more information by multiple queries with the same message. For each individual sign query the probability for the $bad$ flag to be set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter, which is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition he has to guess the commitment $\groupelement{R}$ used during on of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied with the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $r'$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\groupelement{R}$ has to be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort condition is triggered if the $bad$ flag is set. Without loss of generality it is assumed that the adversary queries the \sign oracle only once with each message since the signature generated is deterministic and an adversary would not gain more information by multiple queries with the same message. For each individual sign query the probability for the $bad$ flag to be set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter, which is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition he has to guess the commitment $\groupelement{R}$ used during on of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied with the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $r'$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\groupelement{R}$ has to be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
|
||||
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle by the \sign oracle in the green box. This change is only conceptual. \simalg outputs a correctly distributed tuple $(R, \textbf{ch}, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \textbf{ch} \groupelement{A}$ and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed to output $\textbf{ch}$ upon calling $H(\encoded{R} | \encoded{A} | m)$. Therefore, it is ensured that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without the usage of the private key $s$.
|
||||
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle by the \sign oracle in the green box. This change is only conceptual. \simalg outputs a correctly distributed tuple $(R, \textbf{ch}, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \textbf{ch} \groupelement{A}$ and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed to output $\textbf{ch}$ upon calling $H(\encoded{R} | \encoded{A} | m)$. Therefore, it is ensured that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without the usage of the private key $s$. Therefore,
|
||||
|
||||
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) \label{eq:adv_uf-nma}
|
||||
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) \label{eq:adv_uf-nma}
|
||||
\end{align}.
|
||||
|
||||
\begin{figure}
|
||||
@@ -150,14 +158,14 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\State \Return $\sum[m]$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}_{\text{EdDSA}}$}
|
||||
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}$}
|
||||
\label{fig:adversarybuf-nma}
|
||||
\end{figure}
|
||||
|
||||
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}_{\text{EdDSA}}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}_{\text{EdDSA}}$ game and adversary $\adversary{B}$ simulates \sign for adversary $\adversary{A}$. \sign is simulated perfectly.
|
||||
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
|
||||
|
||||
% TODO: Ist die Begründung ausreichend?
|
||||
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{\cma}_{\text{EdDSA}}$ setting is also a valid signature in the $\text{UF-NMA}_{\text{EdDSA}}$ setting.
|
||||
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{\cma}$ setting is also a valid signature in the $\text{UF-NMA}$ setting.
|
||||
|
||||
\item This proves theorem \ref{theorem:adv_uf-nma}.
|
||||
\end{proof}
|
||||
Reference in New Issue
Block a user