From 0c4179df4642a6a25061f13307f374b29de1ecba Mon Sep 17 00:00:00 2001 From: Aaron Kaiser Date: Wed, 14 Jun 2023 14:42:08 +0200 Subject: [PATCH] rewrote multi-user proofs --- thesis/sections/concrete_security.tex | 4 +-- thesis/sections/edggm.tex | 2 +- thesis/sections/edggm/omdl.tex | 12 +++---- .../mu-gamez_implies_mu-uf-nma.tex | 11 +++---- .../mu-uf-nma_implies_mu-suf-cma.tex | 26 +++++++++------- .../omdl'_implies_mu-gamez.tex | 31 ++++++++++--------- .../security_of_eddsa/dlog'_implies_gamez.tex | 2 +- .../gamez_implies_uf-nma.tex | 2 +- .../uf-nma_implies_suf-cma.tex | 8 ++--- 9 files changed, 50 insertions(+), 48 deletions(-) diff --git a/thesis/sections/concrete_security.tex b/thesis/sections/concrete_security.tex index 4272d05..b5ab4b6 100644 --- a/thesis/sections/concrete_security.tex +++ b/thesis/sections/concrete_security.tex @@ -77,9 +77,9 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the \subsection{Ed448} -\begin{theorem}[eD448 Bit Security] +\begin{theorem}[Ed448 Bit Security] \label{theorem:ED448} - The eD448 signature scheme provides 221 bit security in the single-user setting and 220 bit security in the multi-user setting against algebraic adversaries. + The Ed448 signature scheme provides 221 bit security in the single-user setting and 220 bit security in the multi-user setting against algebraic adversaries. \end{theorem} Another popular instantiation of the EdDSA signature scheme is Ed448. It uses the Ed448 twisted Edwards curve and SHAKE256 as hash function. It is supposed to provide around 224 bits of security and was also standardized by the IETF and NIST \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. The respective standards provide following values: diff --git a/thesis/sections/edggm.tex b/thesis/sections/edggm.tex index 5e3b886..59f488d 100644 --- a/thesis/sections/edggm.tex +++ b/thesis/sections/edggm.tex 
@@ -2,7 +2,7 @@ The following section gives specific bounds on the difficulty of certain variations of the discrete logarithm and one-more discrete logarithm problems introduced in the previous proofs. These proofs are given in the generic group model. In the generic group model, group elements are represented as random bit strings, and the adversary can only perform group operations by invoking an oracle. -In order to build a generic group model for twisted Edwards curves, it's essential to examine the group structure. As shown in section \ref{sec:sdlog_imlies_igame}, a twisted Edwards curve can be decomposed into a collection of cyclic subgroups. The generating set for this twisted Edwards curve is defined as a set of generators for these cyclic subgroups. With a fixed generating set, any point on the twisted Edwards curve can be uniquely expressed as a linear combination of the generators in that set. Consequently, the adversary is given the entire generator set as a description of the twisted Edwards curve. In addition, the adversary has access to a group operation oracle, GOp, which, given two labels and a bit indicating whether the group elements should be added or subtracted, returns the label of the resulting group element. +In order to build a generic group model for twisted Edwards curves, it's essential to examine the group structure. As shown in section \ref{sec:sdlog_imlies_igame}, a twisted Edwards curve can be uniquely decomposed into a collection of cyclic subgroups. The generating set for this twisted Edwards curve is defined as a set of generators for these cyclic subgroups. With a fixed generating set, any point on the twisted Edwards curve can be uniquely expressed as a linear combination of the generators in that set. Consequently, the adversary is given the entire generator set as a description of the twisted Edwards curve. 
In addition, the adversary has access to a group operation oracle, GOp, which, given two labels and a bit indicating whether the group elements should be added or subtracted, returns the label of the resulting group element. The labels are bit string of length $\lceil \log_2(L) \rceil$, with $L$ being the order of the group. diff --git a/thesis/sections/edggm/omdl.tex b/thesis/sections/edggm/omdl.tex index f31abd8..231cb8d 100644 --- a/thesis/sections/edggm/omdl.tex +++ b/thesis/sections/edggm/omdl.tex 
@@ -2,7 +2,6 @@ This section provides a lower bound on the hardness of the modified version of the one-more discrete logarithm problem in the generic group model. The variant of the one-more discrete logarithm problem was introduced in the definition \ref{def:somdl}. \somdl differs from the original one-more discrete logarithm problem by only allowing the adversary to query the discrete logarithm of all challenges but one. Also the discrete logarithms are chosen from a predefined set that is the result of the special key generation algorithm used in EdDSA. The following proof uses the generic group model for twisted Edwards curves. There already exists a proof for the one-more discrete logarithm problem in the generic group model \cite{EPRINT:BauFucPlo21}. This proof provides a lower bound on the original definition of the one-more discrete logarithm problem. This proof is not directly applicable to this definition of \sdlog, since the secret scalars are not chosen uniformly at random from $\field{L}$ and the group structure is not just a prime order group. Also since a more restricted version of the one-more discrete logarithm problem is used a simpler proof, than that in \cite{EPRINT:BauFucPlo21} can be used, providing a better bound on \somdl. -% TODO: N in theorem \begin{theorem} \label{theorem:somdl_ggm} Let $n$, $N$, $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary receiving $N$ group elements as challenge and making at most $\groupqueries$ group operations queries. Then, 
@@ -26,7 +25,8 @@ This section provides a lower bound on the hardness of the modified version of t \vspace{1mm} \begin{algorithmic} \Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)} - \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash j\}$ + \Comment{max. one query} + \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} @@ -93,7 +93,7 @@ This section provides a lower bound on the hardness of the modified version of t \State \quad $\sum[R_i(\overset{\rightharpoonup}{a}) + S_i] = \sum[P_i]$ \State \quad $P_i \assign R_i(\overset{\rightharpoonup}{a}) + S_i$ \EndBox - \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash j\}$ + \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} @@ -143,7 +143,7 @@ This section provides a lower bound on the hardness of the modified version of t \BeginBox[draw=orange] \State \textbf{for } $i \in \{1,2,...,N\}$ \Comment{$G_8$} - \State \quad \textbf{if } $a_i \neq \bot$ + \State \quad \textbf{if } $a_i = \bot$ \State \qquad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \EndBox \BeginBox[draw=blue] @@ -161,7 +161,7 @@ This section provides a lower bound on the hardness of the modified version of t \begin{algorithmic} \Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)} \BeginBox[draw=orange] - \State \textbf{for } $i \in \{1,2,...,N\} \backslash j$ + \State \textbf{for } $i \in \{1,2,...,N\} \backslash \{j\}$ \Comment{$G_8$} \State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \EndBox 
@@ -174,7 +174,7 @@ This section provides a lower bound on the hardness of the modified version of t \State \textbf{for } $P_i \in \pset{P}$ \State \quad $\sum[R_i(\overset{\rightharpoonup}{a}) + S_i] = \sum[P_i]$ \State \quad $P_i \assign R_i(\overset{\rightharpoonup}{a}) + S_i$ - \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash j\}$ + \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} diff --git a/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex b/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex index 0362f9e..70adf35 100644 --- a/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex +++ b/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex 
@@ -2,11 +2,10 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition of the proof followed by the detailed security proof. -\paragraph{\underline{Introducing MU-\igame}} This game followed closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $n$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The MU-\igame game is depicted in figure \ref{game:mu-igame}. +\paragraph{\underline{Introducing MU-\igame}} This game followed closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $N$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The MU-\igame game is depicted in figure \ref{game:mu-igame}. -%TODO: Fix collision \begin{definition}[MU-\igame] - Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$ we define its advantage in the MU-\igame as following: + Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$, receiving $N$ public keys as input, we define its advantage in the MU-\igame as following: \[ \advantage{\adversary{A}}{\text{MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \] \end{definition} 
@@ -42,7 +41,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \[ \advantage{\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter). \] \end{theorem} -\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle a valid forgery of the signature also becomes a valid solution for the MU-\igame game. +\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle, a valid forgery of the signature also becomes a valid solution for the MU-\igame game. \paragraph{\underline{Formal Proof}} @@ -73,7 +72,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \end{figure} \begin{proof} - \item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma} and $G_0$ be MU-UF-NMA. By definition, + \item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as MU-UF-NMA with EdDSA. By definition, \[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \Pr[\text{MU-UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] 
@@ -107,7 +106,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \label{fig:adversary_mu-igame} \end{figure} - \item To proof (\ref{eq:adv_mu-igame}), we define an adversary $\adversary{B}$ attacking MU-\igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_mu-igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulated perfectly. + \item To proof (\ref{eq:adv_mu-igame}), we define an adversary $\adversary{B}$ attacking MU-\igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_mu-igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is perfectly simulated because the \ioracle oracle also outputs a uniformly random 2b-bit bitstring. For this reason, $H$ returns a uniformly random 2b-bit bitstring for all queries, as expected. Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that: diff --git a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex index 812de96..e8c66fb 100644 --- a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex +++ b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex 
@@ -1,17 +1,15 @@ \subsection{MU-UF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-SUF-CMA}_{\text{EdDSA sp}}$} -This section shows that the MU-UF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts with providing an intuition of the proof followed by the detailed security proof. +This section shows that the MU-UF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the random oracle model. The section starts with providing an intuition of the proof, followed by the detailed security proof. \begin{theorem} \label{theorem:adv_mu-uf-nma} - Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, + Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, \[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \end{theorem} -\paragraph{\underline{Proof Overview}} This proof follows closely the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the missing \Osign oracle in MU-UF-NMA. For this reason the reduction has to simulate the \Osign oracle without the knowledge of the private keys. - -Again the programmability of the random oracle together with the \simalg algorithm is used to generate valid signatures. The different games are depicted in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}. +\paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. 
The only difference of both security notions is the absence of the \Osign oracle in MU-UF-NMA. For this reason, the reduction must simulate the \Osign oracle without the knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure, introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}. \paragraph{\underline{Formal Proof}} 
@@ -85,19 +83,19 @@ Again the programmability of the random oracle together with the \simalg algorit \end{figure} \begin{proof} - \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one and $G_0$ be MU-SUF-CMA. By definition, + \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one. $G_0$ is the MU-SUF-CMA for EdDSA. By definition, \[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] - \item \paragraph{\underline{$G_1:$}} $G_1$ now is defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set if the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Therefore, + \item \paragraph{\underline{$G_1:$}} $G_1$ now is defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set if the hash value is already set. The bad flag being set represents cases where the adversary already queried the random oracle for the challenge used for that signature and therefore the random oracle cannot be programmed. This results in the challenger not being able to produce a valid signature. This change is only conceptual, as it does not alter the behavior of the oracle. Therefore, \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \] - \item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. 
Again without loss of generality it is assumed that the adversary only quries each public key message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have + \item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. Again, without loss of generality it is assumed that the adversary only queries each public key/message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function, the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] - \item \paragraph{\underline{$G_3:$}} In $G_3$ the \Osign oracle is replaced by the \Osign oracle in the green box. 
Instead of calculating the response using the secret key the \simalg algorithm is used to generate a tuple of commitment, challenge and response. Then the random oracle is programmed to output the specific challenge given $\encoded{R} | \encoded{A_j} | \m$ as an input. This change is only conceptual, since \simalg outputs a correctly distributed set and it was ruled out in earlier games that the random oracle was previously queries with this input. Hence, + \item \paragraph{\underline{$G_3:$}} In $G_3$ the \Osign oracle is replaced by the \Osign oracle in the green box. Instead of calculating the response using the secret key, the \simalg algorithm is used to generate a tuple of commitment, challenge, and response. Then the random oracle is programmed to output the specific challenge given $\encoded{R} | \encoded{A_j} | \m$ as an input. This change is only conceptual, since \simalg outputs a correctly distributed set and it was ruled out in earlier games that the random oracle was previously queries with this input. Hence, \[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \] 
@@ -151,16 +149,18 @@ Again the programmability of the random oracle together with the \simalg algorit Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-UF-NMA challenger. + \item In the main procedure the adversary $\adversary{B}$ simply calls adversary $\adversary{A}$ and outputs its forged signature. To simulate the hash function $\adversary{B}$ simply forwards the queries to adversary $\adversary{A}$ and to a signature $\adversary{B}$ obtains the pair of commitment, challenge, and solution from the \simalg procedure, which is just samples two values and calculates the last one using a simple equation, and then programs its random oracle. Therefore, the runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. + \item This proves theorem \ref{theorem:adv_mu-uf-nma}. \end{proof} \subsection{MU-UF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-EUF-CMA}_{\text{EdDSA lp}}$} -This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing using in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-UF-NMA security. +This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing using in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. 
The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-UF-NMA security. Similar to the proof in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. This way the adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. This would result in the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ being programmed by the reduction itself and therefore the signature not being valid for the UF-NMA challenger. \begin{theorem} \label{theorem:adv2_mu-uf-nma} - Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, + Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, \[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \end{theorem} 
@@ -208,7 +208,7 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking MU-UF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the MU-UF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. - Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by the adversary $\adversary{B}$ but was forwarded from the $H$ hash oracle provided by the MU-UF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore, + Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. 
Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the MU-UF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore, \begin{align*} 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}\\ @@ -217,6 +217,8 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the MU-UF-NMA challenger. + \item Since the adversary $\adversary{B}$ is the same as in the proof above, its runtime is roughly the same as the runtime of adversary $\adversary{A}$, for the same reason. + \item This proofs theorem \ref{theorem:adv2_mu-uf-nma}. \end{proof} \ No newline at end of file diff --git a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex index 89a51fe..5469832 100644 --- a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex +++ b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex 
@@ -1,12 +1,12 @@ \subsection{\somdl $\overset{\text{AGM}}{\Rightarrow}$ MU-\igame} -This section shows that \somdl implies MU-\igame using the Algebraic Group Model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof. +This section shows that \somdl implies MU-\igame using the algebraic group model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof. The reduction cannot be directly performed using the \sdlog assumption, since the representation of the commitment contains more than one group element with unknown discrete logarithm, because the adversary against MU-\igame receives multiple public keys as input. Therefore, a new assumption, based on the one-more discrete logarithm assumption, has to be introduced. -\paragraph{\underline{Introducing \somdl}} Similar to \sdlog being a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only difference to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} is that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ which represents all valid secret scalars regarding the key generation algorithm. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is depicted in figure \ref{fig:somdl}. 
+\paragraph{\underline{Introducing \somdl}} Similar to \sdlog, which is a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem, which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only differences to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} are that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ which represents all valid secret scalars regarding the key generation algorithm and that the adversary is only able to query $N-1$ discrete logarithms of the challenge group elements at once. This modification makes the assumption weaker than the original one-more discrete logarithm assumption. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is illustrated in figure \ref{fig:somdl}. \begin{definition}[\somdl] \label{def:somdl} - Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$ we define its advantage in the \somdl game as following: + Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$, receiving $N$ challenge group elements, we define its advantage in the \somdl game as following: \[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] |. \] \end{definition} 
@@ -20,16 +20,15 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$ - \State $I \assign 0$ \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ - \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N) \wedge I < N$ + \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$ \end{algorithmic} \vspace{2mm} \begin{algorithmic} - \Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$} + \Statex \underline{\oracle $DL(j \in \{1,2,...,N\})$} + \Comment{max. one query} \vspace{1mm} - \State $I \assign I + 1$ - \State \Return $a_i$ + \State \Return $\{a_i|i \in \{1,2,...,N\}\backslash \{j\}\}$ \end{algorithmic} \vspace{1mm} \hrule 
@@ -39,12 +38,12 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \begin{theorem} \label{theorem:adv_omdl'} - Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then + Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, receiving $N$ public keys and making at most $\oraclequeries$ oracle queries. Then \[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \end{theorem} -\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game. 
+\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game. \paragraph{\underline{Formal Proof}} 
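Review bot: The theorem statement still introduces $\adversary{A}$ as "an adversary against \igame", but the bound is on $\advantage{\group{G},\adversary{A}}{\text{MU-\igame}}$; since the hunk already adds "receiving $N$ public keys", write "an adversary against MU-\igame" so the hypothesis matches the advantage term. In the proof overview, "looks the following" should be "looks as follows" and "This way it again possible" is missing "is". The sentence "the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid" should also say that this is one $DL(i)$ query, since that is the new oracle interface and the reason the $I < N$ condition disappeared from the game.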
@@ -83,11 +82,11 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \end{figure} \begin{proof} - \item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes and $G_0$ be MU-\igame. By definition, + \item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes. Clearly, $G_0$ is the MU-\igame. By definition, \[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] - \item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box setting a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag being introduced this change does not influence the behavior of the game and is therefore only conceptual. + \item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box, which sets a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys, due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag being introduced this change does not influence the behavior of the game and is therefore only conceptual. \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \] 
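Review bot: "Since only the bad flag being introduced this change does not influence the behavior of the game" is not a sentence; "Since only a bad flag is introduced, this change does not influence the behavior of the game" reads cleanly. Also, `\item \paragraph{\underline{$G_0$:}}` uses \item directly inside the proof environment; unless that environment is customised to open a list, LaTeX rejects a lonely \item, so either confirm the custom environment provides one or drop the \item and keep \paragraph alone.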
@@ -112,10 +111,10 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \State \quad $abort$ \State Let $\groupelement{R^*} = r^*_1 \groupelement{B} + r^*_2 \groupelement{A_1} + ... + r^*_{N+1} \groupelement{A_N}$ \State $r_b \assign r_1$ + \State $(a_1, ..., a_{i-1}, a_{i+1}, ..., a_N) \randomassign DL(i)$ \State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$ - \State \quad $a_j \assign \textit{DL}(\groupelement{A_j})$ - \Comment{$\groupelement{A_j} = a_j \groupelement{B}$} \State \quad $r_b \assign r_b + r_{j+1} a_j$ + \Comment{$\groupelement{A_j} = a_j \groupelement{B}$} \State $a_i \assign (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}$ \Comment{$\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$} \State \Return $(a_1, a_2, ..., a_N)$ 
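Review bot: Index mismatch in the last computation. With $\groupelement{R^*} = r^*_1 \groupelement{B} + r^*_2 \groupelement{A_1} + ... + r^*_{N+1} \groupelement{A_N}$ the coefficient of $\groupelement{A_j}$ is $r^*_{j+1}$, and the loop correctly accumulates $r_{j+1} a_j$, but the line `\State $a_i \assign (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}$` and its comment $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$ use $r_i$ where $r_{i+1}$ is meant (the $G_1$ bad condition ranges over $i \in \{2,3,...,N+1\}$ for exactly this reason). The starred and unstarred names ($r^*_1$ versus $r_1$) should also be unified. Two smaller points: `\State $(a_1, ..., a_{i-1}, a_{i+1}, ..., a_N) \randomassign DL(i)$` uses the probabilistic assignment for a deterministic oracle and assumes an ordered tuple while the oracle returns a set; and the comment `\Comment{$\groupelement{A_j} = a_j \groupelement{B}$}` now sits on the $r_b$ update instead of where the $a_j$ are obtained, so attach it to the $DL(i)$ line.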
@@ -139,7 +138,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \somdl that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \somdl game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly. - Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one for which $s^*$ is a valid solution in the MU-\igame game. This way the \textit{DL} oracle gets called exactly $N-1$ times which is smaller than $N$ which is required by the \somdl game. Together with the representation of $R^*$ provided during the \ioracle oracle call and the discrete logarithms of the public keys we are able to generate a representation of $R^*$ looking like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get: + Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one, for which $s^*$ is a valid solution in the MU-\igame game. Together with the representation of $R^*$, provided during the \ioracle oracle call, and the discrete logarithms of the public keys we are able to generate a representation of $R^*$, which looks like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. 
By equating both equations we get: \begin{align*} r_b \groupelement{B} + r_i \groupelement{A_i} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i} \\ @@ -149,5 +148,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e., not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm of $A_i$. Together with the discrete logarithms of the other public keys, which were obtained by the \textit{DL} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger. + \item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. In the main procedure the adversary $\adversary{B}$ calls adversary $\adversary{A}$, queries the DL oracle and performs some simple calculations to obtain the discrete logarithm of all public keys. In the \ioracle the adversary simply samples a 2b bitstring uniformly at random. + \item This proves theorem \ref{theorem:adv_omdl'}. \end{proof} \ No newline at end of file diff --git a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex index d390b2b..874b9c1 100644 --- a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex +++ b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex 
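Review bot: Dropping "This way the \textit{DL} oracle gets called exactly $N-1$ times which is smaller than $N$" in the hunk at line 139 is right because the oracle interface changed, but the replacement should state the fact the reduction now relies on: $\adversary{B}$ makes exactly one $DL(i)$ query, which is what the "max. one query" restriction of the \somdl game permits. Without that sentence a reader cannot check that $\adversary{B}$ is a legal \somdl adversary. Also "but the one, for which $s^*$ is a valid solution" and "representation of $R^*$, provided during" put commas inside restrictive clauses; drop them.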
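Review bot: In the hunk at line 149, "roughly the same as the runtime of adversary $\adversary{A}$" is too loose for a statement that feeds the concrete-security numbers elsewhere in the thesis; state the overhead, i.e. one $DL$ query, $O(N)$ multiplications and additions in $\field{L}$ and one inversion in the main procedure, plus one uniform sample per \ioracle call, which is exactly what figure \ref{fig:adversary_omdl'} does. Also "samples a 2b bitstring" should be "samples a $2b$-bit string".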
@@ -158,7 +158,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$ Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$. - \item Obviously, the runtime of $\adversary{B}$ is ppt. The \ioracle just samples the challenge uniformly at random and returns it after checking the abort condition, which is ppt. After $\adversary{A}$ has provided its solution, adversary $\adversary{B}$ just does some additions, multiplications, and an inversion, which is all ppt. + \item Obviously, the runtime of $\adversary{B}$ is roughly the same as the runtime of $\adversary{A}$. The \ioracle just samples the challenge uniformly at random and returns it after checking the abort condition. After $\adversary{A}$ has provided its solution, adversary $\adversary{B}$ just does some additions, multiplications, and an inversion, which does not add much to its runtime. \item This proves theorem \ref{theorem:advgamez}. \end{proof} \ No newline at end of file diff --git a/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex index 77a0afc..8ae9a42 100644 --- a/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex +++ b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex 
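Review bot: "Obviously, the runtime of $\adversary{B}$ is roughly the same as the runtime of $\adversary{A}$" combines a certainty marker with a hedge; drop "Obviously" and let the following sentence carry the claim, ideally with the overhead named (one inversion and a constant number of additions and multiplications after $\adversary{A}$ returns, one uniform sample and one comparison per \ioracle call). The same "roughly the same" phrasing is introduced in the other three files of this patch, so fixing the wording once and reusing it keeps the proofs consistent.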
@@ -122,7 +122,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur Therefore, $S$ is a valid solution for the \igame game. - \item The runtime of adversary $\adversary{B}$ is clearly ppt, since it just outputs the solution of adversary $\adversary{A}$, and in the random oracle it either calls the \ioracle oracle or samples a value uniformly at random. + \item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$, since it just outputs the solution of $\adversary{A}$, and in the random oracle it either calls the \ioracle oracle or samples a value uniformly at random. \item This proves theorem \ref{theorem:adv_igame}. \end{proof} \ No newline at end of file diff --git a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex index 3535021..4b31100 100644 --- a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex +++ b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex 
@@ -113,7 +113,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \[ \advantage{\group{G},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] - \item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore, + \item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. In this cases the adversary already queried the challenge for that signature resulting in the challenger not being able to program the random oracle on that input. Without being able to program the random oracle the challenger is not able to generate a valid signature, without knowing the private key. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore, \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \] 
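Review bot: "In this cases the adversary already queried the challenge for that signature" should be "In this case the adversary has already queried the challenge for that signature", and the next sentence reads better as "Without being able to program the random oracle, the challenger cannot generate a valid signature without knowing the private key." More importantly, the paragraph now explains why the bad event is fatal for the simulation and then says the change "is only conceptual"; add that the flag has no effect on the outcome of $G_1$ and that, if the abort on the flag is introduced in a later game, the probability of the bad event is accounted for there, otherwise the two statements read as contradicting each other.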
@@ -175,14 +175,14 @@ This method of simulating the \Osign oracle and the resulting loss of advantage This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. - \item The runtime of the adversary $\adversary{B}$ is ppt and dominated by the runtime of $\adversary{A}$. Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature. + \item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature. \item This proves theorem \ref{theorem:adv_uf-nma}. \end{proof} \subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$} -This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks UF-NMA security. 
The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by $\adversary{B}$, and therefore the forged signature would not be a valid signature for the UF-NMA challenger. +This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks UF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the UF-NMA challenger. \begin{theorem} \label{theorem:adv2_uf-nma} 
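Review bot: The heading `\subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$}` contradicts the paragraph beneath it, which proves EUF-CMA for lax parsing and states that "The SUF-CMA security cannot be proved"; change the heading to EUF-CMA so heading and claim agree (the label \ref{theorem:adv2_uf-nma} is unaffected). Replacing "$\adversary{B}$" with "the reduction itself" is fine, but "would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself" should say that the value was programmed while answering a signing query, since that is why the re-encoded signature is not a fresh forgery for the UF-NMA challenger. Also "an adversary $\adversary{B}$ who breaks" should be "that breaks".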
@@ -243,7 +243,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. - \item Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also ppt. + \item Since the adversary $\adversary{B}$ is the same as in the proof above, the runtime is roughly the same as the runtime of $\adversary{A}$, for the same reasons. \item This proves theorem \ref{theorem:adv2_uf-nma}. \end{proof} \ No newline at end of file