Rewritings due to feedback

2023-06-21 18:45:32 +02:00
parent 3db0912f79
commit 0d3218440b
19 changed files with 167 additions and 163 deletions


@@ -20,6 +20,7 @@ listof=totoc,
\usepackage[,hhmmss]{datetime}
\usepackage{float}
\usepackage{xspace}
\usepackage{mathtools}
\newtheorem{lemma}{Lemma}[section]
\newtheorem{theorem}{Theorem}[section]
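Review bot: two small preamble points on this hunk. `mathtools` loads `amsmath` itself, so if `amsmath` is also loaded separately with package options elsewhere in the preamble, expect an option clash unless those options are passed through `mathtools` instead. While touching this block, the context line `\usepackage[,hhmmss]{datetime}` carries an empty first option (stray leading comma) and could be tidied to `\usepackage[hhmmss]{datetime}`.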
@@ -122,11 +123,11 @@ The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
The proof begins by showing that the UF-NMA security of EdDSA implies the SUF-CMA/EUF-CMA security of EdDSA with different types of parsing, in the random oracle model. With this step, subsequent proofs can be performed without worrying about signature generation, and a unified chain of reduction can be used to prove the security of EdDSA with both parsing variants. Next, an algebraic intermediate game \igame is introduced. This intermediate game serves as a separation for proofs in the random oracle model and those in the algebraic group model. Finally, the intermediate game \igame is reduced to the special discrete logarithm variant \sdlog.
The proof begins by showing that the EUF-NMA security of EdDSA implies the SUF-CMA/EUF-CMA security of EdDSA with different types of parsing, in the random oracle model. With this step, subsequent proofs can be performed without worrying about signature generation, and a unified chain of reduction can be used to prove the security of EdDSA with both parsing variants. Next, an algebraic intermediate game \igame is introduced. This intermediate game serves as a separation for proofs in the random oracle model and those in the algebraic group model. Finally, the intermediate game \igame is reduced to the special discrete logarithm variant \sdlog.
The chain of reductions can be depicted as:
\[ \sdlog \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{UF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} / \text{EUF-CMA}_{\text{EdDSA lp}} \]
\[ \sdlog \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} / \text{EUF-CMA}_{\text{EdDSA lp}} \]
\input{sections/security_of_eddsa/uf-nma_implies_suf-cma}
\input{sections/security_of_eddsa/gamez_implies_uf-nma}
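Review bot: the UF-NMA to EUF-NMA rename is applied consistently to the prose and the reduction chain here, but the `\input` paths that follow (`sections/security_of_eddsa/uf-nma_implies_suf-cma` and `gamez_implies_uf-nma`) keep the old name; consider renaming the files so they match the notion they prove. Two notation points on the chain `\text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} / \text{EUF-CMA}_{\text{EdDSA lp}}`: the left notion uses the `\cma` macro while the right one is a literal `\text{EUF-CMA}`, and the subscript form `\text{EdDSA sp}` differs from the `$\text{EdDSA}_{\text{sp}}$` used in the hunk header, so pick one convention. Also, `\secparamter` in the theorem bound looks like a misspelling of a security-parameter macro; if it is not an intentional alias, rename it.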
@@ -140,7 +141,7 @@ Now that the single-user security of EdDSA got analyzed, we can take a look at i
Therefore, a similar approach to the proof in the single-user setting is used. It is not possible to reduce onto the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$, which was needed for the discrete logarithm of the public key to be calculated. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used, as introduced in \cite{JC:BNPS03}.
The proof starts by showing that the MU-UF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the MU-UF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption.
The proof starts by showing that the MU-EUF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the MU-EUF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption.
The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
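Review bot: the rewritten sentence says "MU-EUF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA", but the reduction chain in the next hunk gives MU-SUF-CMA only for the sp variant and MU-EUF-CMA for lp; mirror the single-user paragraph and write "implies the MU-SUF-CMA/MU-EUF-CMA security of EdDSA with different types of parsing". Minor: "Next an intermediate game" wants a comma after "Next", and "reduced onto" reads better as "reduced to", which is the wording the single-user paragraph uses.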
@@ -160,7 +161,7 @@ The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$
The chain of reductions can be depicted as:
\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-UF-NMA} \overset{\text{ROM}}{\Rightarrow} MU-\cma_{\text{EdDSA sp}} / \text{MU-EUF-CMA}_{\text{EdDSA lp}} \]
\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} MU-\cma_{\text{EdDSA sp}} / \text{MU-EUF-CMA}_{\text{EdDSA lp}} \]
\input{sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma}
\input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma}
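Review bot: `MU-\cma_{\text{EdDSA sp}}` sits in bare math mode, so `MU` is typeset as the product of two italic variables and `-` as a minus sign, unlike the `\text{MU-EUF-NMA}` and `\text{MU-EUF-CMA}` right next to it; wrap it as `\text{MU-}\cma_{\text{EdDSA sp}}` or give it a macro. As in the single-user chapter, the `\input` file names `mu-uf-nma_implies_mu-suf-cma` and `mu-gamez_implies_mu-uf-nma` still carry the old UF-NMA name.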