rewrote multi-user proofs
@@ -1,12 +1,12 @@
\subsection{\somdl $\overset{\text{AGM}}{\Rightarrow}$ MU-\igame}
This section shows that \somdl implies MU-\igame using the Algebraic Group Model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof.
This section shows that \somdl implies MU-\igame using the algebraic group model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof. The reduction cannot be directly performed using the \sdlog assumption, since the representation of the commitment contains more than one group element with unknown discrete logarithm, because the adversary against MU-\igame receives multiple public keys as input. Therefore, a new assumption, based on the one-more discrete logarithm assumption, has to be introduced.
\paragraph{\underline{Introducing \somdl}} Similar to \sdlog being a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only difference to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} is that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ which represents all valid secret scalars regarding the key generation algorithm. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is depicted in figure \ref{fig:somdl}.
\paragraph{\underline{Introducing \somdl}} Similar to \sdlog, which is a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem, which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only differences to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} are that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ which represents all valid secret scalars regarding the key generation algorithm and that the adversary is only able to query $N-1$ discrete logarithms of the challenge group elements at once. This modification makes the assumption weaker than the original one-more discrete logarithm assumption. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is illustrated in figure \ref{fig:somdl}.
\begin{definition}[\somdl]
\label{def:somdl}
Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$ we define its advantage in the \somdl game as following:
Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$, receiving $N$ challenge group elements, we define its advantage in the \somdl game as following:
\[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] |. \]
\end{definition}
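Review bot: the added sentence "This modification makes the assumption weaker than the original one-more discrete logarithm assumption" follows a list of two modifications, and only one of them points that way. Limiting the adversary to a single oracle call that returns $N-1$ logarithms does make \somdl weaker (an adversary against \somdl becomes an adversary against the game of \cite{JC:BNPS03} by asking for those $N-1$ logarithms one at a time), but restricting the scalars to $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ gives the adversary more information, which is exactly why section \ref{sec:somdl} has to bound the hardness separately; say that the first change weakens the assumption and the second does not. The phrase "is only able to query $N-1$ discrete logarithms of the challenge group elements at once" also reads as if several such queries were allowed, while figure \ref{fig:somdl} allows exactly one call; write "may call the \textit{DL} oracle once and receives the discrete logarithms of all challenge elements but one of its choice". Grammar in the touched lines: "Let $n$ and $N$ be positive integers", "as follows" instead of "as following", and a comma is missing after "discrete logarithm problem" in "Similar to \sdlog, which is a variant of the discrete logarithm problem, the \somdl ...".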
@@ -20,16 +20,15 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $I \assign 0$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N) \wedge I < N$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$}
\Statex \underline{\oracle $DL(j \in \{1,2,...,N\})$}
\Comment{max. one query}
\vspace{1mm}
\State $I \assign I + 1$
\State \Return $a_i$
\State \Return $\{a_i|i \in \{1,2,...,N\}\backslash \{j\}\}$
\end{algorithmic}
\vspace{1mm}
\hrule
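Review bot: the "max. one query" restriction on \textit{DL} now exists only as a \Comment. With `\State $I \assign 0$`, `\State $I \assign I + 1$` and the `\wedge I < N` check removed, nothing in the game body stops a second call $DL(j')$ with $j' \neq j$, which hands the adversary all $N$ scalars and makes the game trivially winnable; since the reduction relies on the single-query rule, enforce it in the pseudocode, e.g. keep the counter in the main procedure and open the oracle with `\State \textbf{if} $I = 1$ \textbf{then} \Return $\bot$` followed by `\State $I \assign 1$`, or keep the old counter and check `\wedge I \leq 1` in the \Return line. Two smaller points: the oracle returns an unordered set $\{a_i \mid i \in \{1,2,...,N\} \setminus \{j\}\}$, while figure \ref{fig:adversary_omdl'} assigns its output to the ordered tuple $(a_1, ..., a_{i-1}, a_{i+1}, ..., a_N)$, so return the tuple in index order; and `\backslash` is a backslash glyph, set difference is `\setminus`.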
@@ -39,12 +38,12 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\begin{theorem}
\label{theorem:adv_omdl'}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, receiving $N$ public keys and making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
\paragraph{\underline{Formal Proof}}
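Review bot: the rewritten theorem statement still calls $\adversary{A}$ "an adversary against \igame" although $\adversary{A}$ now receives $N$ public keys and the bound is on $\advantage{\group{G},\adversary{A}}{\text{MU-\igame}}$; it should read "an adversary against MU-\igame". The bound also uses $\adversary{B}$ without ever introducing it: add "Then there exists an adversary $\adversary{B}$ against \somdl, running in about the time of $\adversary{A}$, such that" before the displayed inequality, which is what the runtime bullet at the end of the proof argues. In the proof overview, "This way it again possible to construct" is missing "is", and "looks the following" should be "looks as follows".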
@@ -83,11 +82,11 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes and $G_0$ be MU-\igame. By definition,
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes. Clearly, $G_0$ is the MU-\igame. By definition,
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box setting a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag being introduced this change does not influence the behavior of the game and is therefore only conceptual.
\item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box, which sets a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys, due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag being introduced this change does not influence the behavior of the game and is therefore only conceptual.
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
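Review bot: in the $G_1$ paragraph, "Since only the bad flag being introduced this change does not influence the behavior of the game" is still ungrammatical after the rewrite; "Since only a bad flag is set and nothing else changes, the modification is purely conceptual" says the same thing. Two points that apply to both versions of these lines: `\item \paragraph{...}` directly inside `\begin{proof}` is a lonely `\item` unless `proof` is a custom list-like environment in this document, so either wrap the game hops in an `enumerate` or drop the `\item`; and the bad event is stated over coefficients $r_i$ without saying which representation they belong to, so name it (the representation supplied with the \ioracle query) and note that the blue box sits at the point where both that representation and the freshly sampled $\ch$ are available, otherwise the condition $2^c \ch \equiv - r_i \pmod L$ cannot be evaluated.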
@@ -112,10 +111,10 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\State \quad $abort$
\State Let $\groupelement{R^*} = r^*_1 \groupelement{B} + r^*_2 \groupelement{A_1} + ... + r^*_{N+1} \groupelement{A_N}$
\State $r_b \assign r_1$
\State $(a_1, ..., a_{i-1}, a_{i+1}, ..., a_N) \randomassign DL(i)$
\State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$
\State \quad $a_j \assign \textit{DL}(\groupelement{A_j})$
\Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
\State \quad $r_b \assign r_b + r_{j+1} a_j$
\Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
\State $a_i \assign (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}$
\Comment{$\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$}
\State \Return $(a_1, a_2, ..., a_N)$
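Review bot: index mismatch between the representation and the extraction step. `\State Let $\groupelement{R^*} = r^*_1 \groupelement{B} + r^*_2 \groupelement{A_1} + ... + r^*_{N+1} \groupelement{A_N}$` gives $\groupelement{A_j}$ the coefficient $r_{j+1}$, and the loop accumulates $r_b \assign r_b + r_{j+1} a_j$ accordingly, so what is left is $\groupelement{R^*} = r_b \groupelement{B} + r_{i+1} \groupelement{A_i}$; the line `\State $a_i \assign (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}$` and its \Comment use $r_i$ where $r_{i+1}$ is meant. This matters for the abort as well: the bad flag in $G_1$ ranges over $i \in \{2,3,...,N+1\}$, i.e. the shifted numbering, so with the unshifted index the abort does not guarantee that the inverted quantity is non-zero. The Let line also writes the coefficients as $r^*_k$ while every following line drops the star; pick one. Finally, the new line `$(a_1, ..., a_{i-1}, a_{i+1}, ..., a_N) \randomassign DL(i)$` uses `\randomassign` for a deterministic oracle, `\assign` is the right arrow, and a \Comment marking this as $\adversary{B}$'s single permitted \textit{DL} query would tie the figure to the restriction in the \somdl game.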
@@ -139,7 +138,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \somdl that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \somdl game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one for which $s^*$ is a valid solution in the MU-\igame game. This way the \textit{DL} oracle gets called exactly $N-1$ times which is smaller than $N$ which is required by the \somdl game. Together with the representation of $R^*$ provided during the \ioracle oracle call and the discrete logarithms of the public keys we are able to generate a representation of $R^*$ looking like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get:
Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one, for which $s^*$ is a valid solution in the MU-\igame game. Together with the representation of $R^*$, provided during the \ioracle oracle call, and the discrete logarithms of the public keys we are able to generate a representation of $R^*$, which looks like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get:
\begin{align*}
r_b \groupelement{B} + r_i \groupelement{A_i} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i} \\
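Review bot: the rewrite drops the sentence that counted the \textit{DL} calls, but the new game still restricts them, so the paragraph should state that $\adversary{B}$ makes exactly one \textit{DL} query, $DL(i)$ for the index $i$ of the key the forgery is valid for, which is what \somdl permits; otherwise the reader has to go back to the figure to check that the restriction is respected. "for one of the public keys" should name that index, e.g. "for some public key $\groupelement{A_i}$ and one tuple $(\groupelement{R^*}, \ch^*)$" (the tuple is currently written without \groupelement, unlike the rest of the section). The representation $r_b \groupelement{B} + r_i \groupelement{A_i}$ here and in the first line of the align block should carry the coefficient the figure assigns to $\groupelement{A_i}$, which is $r_{i+1}$ under the numbering $r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$.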
@@ -149,5 +148,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e., not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm of $A_i$. Together with the discrete logarithms of the other public keys, which were obtained by the \textit{DL} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger.
\item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. In the main procedure the adversary $\adversary{B}$ calls adversary $\adversary{A}$, queries the DL oracle and performs some simple calculations to obtain the discrete logarithm of all public keys. In the \ioracle the adversary simply samples a 2b bitstring uniformly at random.
\item This proves theorem \ref{theorem:adv_omdl'}.
\end{proof}
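Review bot: the new runtime bullet says $\adversary{B}$ "queries the DL oracle" without saying how often, and the single query is the whole point of \somdl; write "makes a single \textit{DL} query". "samples a 2b bitstring" should be "samples a $2b$-bit string uniformly at random", and the claim "roughly the same" is not reflected in theorem \ref{theorem:adv_omdl'}, which has no running-time clause; either add one to the theorem or say here that the overhead is the loop over the $N-1$ remaining keys plus one inversion in $\field{L}$, which is what the main procedure of figure \ref{fig:adversary_omdl'} does. The closing `\item This proves theorem ...` is another lonely `\item` inside `proof`; a plain sentence (or `\qedhere`) is enough.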