rewrote multi-user proofs
This commit is contained in:
@@ -113,7 +113,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
|
||||
|
||||
\[ \advantage{\group{G},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore,
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. In this cases the adversary already queried the challenge for that signature resulting in the challenger not being able to program the random oracle on that input. Without being able to program the random oracle the challenger is not able to generate a valid signature, without knowing the private key. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
@@ -175,14 +175,14 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
|
||||
|
||||
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
|
||||
|
||||
\item The runtime of the adversary $\adversary{B}$ is ppt and dominated by the runtime of $\adversary{A}$. Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature.
|
||||
\item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature.
|
||||
|
||||
\item This proves theorem \ref{theorem:adv_uf-nma}.
|
||||
\end{proof}
|
||||
|
||||
\subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$}
|
||||
|
||||
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks UF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by $\adversary{B}$, and therefore the forged signature would not be a valid signature for the UF-NMA challenger.
|
||||
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks UF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the UF-NMA challenger.
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:adv2_uf-nma}
|
||||
@@ -243,7 +243,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
|
||||
|
||||
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
|
||||
|
||||
\item Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also ppt.
|
||||
\item Since the adversary $\adversary{B}$ is the same as in the proof above, the runtime is roughly the same as the runtime of $\adversary{A}$, for the same reasons.
|
||||
|
||||
\item This proves theorem \ref{theorem:adv2_uf-nma}.
|
||||
\end{proof}
|
||||
Reference in New Issue
Block a user