rewrote multi-user proofs
@@ -158,7 +158,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$.
\item Obviously, the runtime of $\adversary{B}$ is ppt. The \ioracle just samples the challenge uniformly at random and returns it after checking the abort condition, which is ppt. After $\adversary{A}$ has provided its solution, adversary $\adversary{B}$ just does some additions, multiplications, and an inversion, which is all ppt.
\item Obviously, the runtime of $\adversary{B}$ is roughly the same as the runtime of $\adversary{A}$. The \ioracle just samples the challenge uniformly at random and returns it after checking the abort condition. After $\adversary{A}$ has provided its solution, adversary $\adversary{B}$ just does some additions, multiplications, and an inversion, which does not add much to its runtime.
\item This proves theorem \ref{theorem:advgamez}.
\end{proof}
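Review bot: the new runtime line replaces "ppt" with "roughly the same as the runtime of $\adversary{A}$", which is the right direction for a concrete bound but is not yet one; state it as $\adversary{A}$'s runtime plus the cost of answering each \ioracle query (sampling the challenge and checking the abort condition) times the number of such queries, plus the constant number of field operations the line already names ("some additions, multiplications, and an inversion"), so the theorem can carry an explicit bound. The carried-over "Obviously" should go; the rest of the sentence is the justification.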
@@ -122,7 +122,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
Therefore, $S$ is a valid solution for the \igame game.
\item The runtime of adversary $\adversary{B}$ is clearly ppt, since it just outputs the solution of adversary $\adversary{A}$, and in the random oracle it either calls the \ioracle oracle or samples a value uniformly at random.
\item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$, since it just outputs the solution of $\adversary{A}$, and in the random oracle it either calls the \ioracle oracle or samples a value uniformly at random.
\item This proves theorem \ref{theorem:adv_igame}.
\end{proof}
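Review bot: the cost of simulating the random oracle is left out of the new bound: "it either calls the \ioracle oracle or samples a value uniformly at random" is done once per random-oracle query, so $\adversary{B}$'s runtime is $\adversary{A}$'s plus the number of random-oracle queries times the cost of one such step; say that instead of "roughly the same". Minor wording: "in the random oracle it either calls" reads as if the oracle itself acts; "when simulating the random oracle, it either calls" is what is meant.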
@@ -113,7 +113,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\[ \advantage{\group{G},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore,
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. In this cases the adversary already queried the challenge for that signature resulting in the challenger not being able to program the random oracle on that input. Without being able to program the random oracle the challenger is not able to generate a valid signature, without knowing the private key. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
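Review bot: the two sentences added to the $G_1$ description explain a consequence (the challenger cannot program the random oracle on that input and so cannot produce a valid signature without the private key) that is not acted on in $G_1$ itself; here the bad flag is only set and the \Osign oracle proceeds as before, which is exactly what lets the following sentence call the change "only conceptual" and the equation below claim equality. Make that explicit, e.g. "In $G_1$ the flag is only recorded; the case it marks is handled in a later game", so the reader does not look for an abort in $G_1$. Typos in the same lines: "In this cases" should be "In this case", and the comma in "generate a valid signature, without knowing the private key" should be dropped.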
@@ -175,14 +175,14 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
\item The runtime of the adversary $\adversary{B}$ is ppt and dominated by the runtime of $\adversary{A}$. Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature.
\item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature.
\item This proves theorem \ref{theorem:adv_uf-nma}.
\end{proof}
\subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$}
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks UF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by $\adversary{B}$, and therefore the forged signature would not be a valid signature for the UF-NMA challenger.
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks UF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the UF-NMA challenger.
\begin{theorem}
\label{theorem:adv2_uf-nma}
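Review bot: the unchanged subsection heading in this hunk still reads $\text{SUF-CMA}_{\text{EdDSA lp}}$, while the rewritten paragraph below it says the result proved is EUF-CMA (winning condition $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$) and states outright that "The SUF-CMA security cannot be proved" for lax parsing; the heading should say EUF-CMA so it matches the theorem it introduces. In the paragraph, "For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$" does not follow from the sentence before it about the winning condition; the actual reason is the multiple-encodings-of-$S$ argument given afterwards, so reorder or drop "For this reason". The change from "set by $\adversary{B}$" to "set by the reduction itself" is fine; "an adversary who breaks" should be "that breaks". For the runtime line, as in the earlier hunks, give the bound as $\adversary{A}$'s runtime plus one \simalg execution per \Osign query and one forward to $H$ per $H'$ query rather than "roughly the same".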
@@ -243,7 +243,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
\item Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also ppt.
\item Since the adversary $\adversary{B}$ is the same as in the proof above, the runtime is roughly the same as the runtime of $\adversary{A}$, for the same reasons.
\item This proves theorem \ref{theorem:adv2_uf-nma}.
\end{proof}
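Review bot: "the same as in the proof above ... for the same reasons" makes the reader locate the earlier proof; cite it by label (\ref{theorem:adv_uf-nma}) and restate the one-line bound, since this proof is likely to be read on its own. The bound should again be $\adversary{A}$'s runtime plus the per-query cost of \simalg and of forwarding $H'$ queries, not "roughly the same".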