Rewritings due to feedback
@@ -1,15 +1,15 @@
\subsection{Bounds on \somdl} \label{sec:somdl}
This section provides a lower bound on the hardness of the modified version of the one-more discrete logarithm problem in the generic group model. The variant of the one-more discrete logarithm problem was introduced in the definition \ref{def:somdl}. \somdl differs from the original one-more discrete logarithm problem by only allowing the adversary to query the discrete logarithm of all challenges but one. Also the discrete logarithms are chosen from a predefined set that is the result of the special key generation algorithm used in EdDSA. The following proof uses the generic group model for twisted Edwards curves. There already exists a proof for the one-more discrete logarithm problem in the generic group model \cite{EPRINT:BauFucPlo21}. This proof provides a lower bound on the original definition of the one-more discrete logarithm problem. This proof is not directly applicable to this definition of \sdlog, since the secret scalars are not chosen uniformly at random from $\field{L}$ and the group structure is not just a prime order group. Also since a more restricted version of the one-more discrete logarithm problem is used a simpler proof, than that in \cite{EPRINT:BauFucPlo21} can be used, providing a better bound on \somdl.
This section provides a lower bound on the hardness of the modified version of the one-more discrete logarithm problem in the generic group model. The variant of the one-more discrete logarithm problem was introduced in the definition \ref{def:somdl}. \somdl differs from the original one-more discrete logarithm problem by only allowing the adversary to query the discrete logarithm of all challenges but one. Also the discrete logarithms of the group elements in the challenge to the adversary are chosen from a predefined set that is the result of the special key generation algorithm used in EdDSA. The following proof uses the generic group model for twisted Edwards curves. There already exists a proof for the one-more discrete logarithm problem in the generic group model \cite{EPRINT:BauFucPlo21}. This proof provides a lower bound on the original definition of the one-more discrete logarithm problem. This proof is not directly applicable to this definition of \somdl, since the secret scalars are not chosen uniformly at random from $\field{L}$ and the group structure is not just a prime order group. Since a more restricted version of the one-more discrete logarithm problem is used a simpler proof than that in \cite{EPRINT:BauFucPlo21} can be used, providing a better bound on \somdl.
\begin{theorem}
\label{theorem:somdl_ggm}
Let $n$, $N$, $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary receiving $N$ group elements as challenge and making at most $\groupqueries$ group operations queries. Then,
Let $n$, $N$, $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary against \somdl receiving $N$ group elements as challenge and making at most $\groupqueries$ group operations queries. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof uses the same approach as the discrete logarithm proof in the generic group model by replacing the group elements with polynomials and choosing the challenge after the adversary provided its solution. The tricky part is that the adversary is able to query the discrete logarithms of the $N - 1$ group elements, provided to it as a challenge. The proof starts by replacing all group elements with multivariate polynomials representing their discrete logarithms. The indeterminants of those polynomials are the discrete logarithms of each group element, provided to the adversary as challenges. Once the adversary requests the discrete logarithms for all but one group element of the challenge those discrete logarithms are chosen uniformly at random and all polynomials are partially evaluated. This leaves polynomials with just one indeterminate, representing the discrete logarithm of the last challenge. This challenge is then chosen after the adversary provided its solution, leaving the adversay no option but to guess the remaining discrete logarithm. The \somdl game in the generic group model is depicted in figure \ref{fig:somdl_ggm}.
\paragraph{\underline{Proof Overview}} This proof uses the same approach as the discrete logarithm proof in the generic group model by replacing the group elements with polynomials and choosing the challenge after the adversary provided its solution. The tricky part is that the adversary is able to query the discrete logarithms of all but one of the $N$ group elements, provided to it as a challenge. The proof starts by replacing all group elements with multivariate polynomials representing their discrete logarithms. The indeterminants of those polynomials are the discrete logarithms of each group element, provided to the adversary as challenges. Once the adversary requests the discrete logarithms for all but one group element of the challenge those discrete logarithms are chosen uniformly at random and all polynomials are partially evaluated. This leaves polynomials with just one indeterminate, representing the discrete logarithm of the last challenge. This challenge is then chosen after the adversary provided its solution, leaving the adversay no option but to guess the remaining discrete logarithm. The \somdl game in the generic group model is depicted in figure \ref{fig:somdl_ggm}.
\begin{figure}[h]
\hrule
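Review bot: the reworded last sentence of the introduction still needs a comma after its subordinate clause: `Since a more restricted version of the one-more discrete logarithm problem is used, a simpler proof than that in \cite{EPRINT:BauFucPlo21} can be used`. The \sdlog to \somdl correction is right. In the theorem, the generating set $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$ uses $m$, which is not introduced next to $n$, $N$, $c$, and $n$ is never tied to anything in the statement even though the bound's denominator $2^{n-1-c}$ depends on it; the scalar set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$ only appears later in the $G_4$ step and belongs in the theorem statement. In the proof overview, `indeterminants` should be `indeterminates` and `adversay` is misspelled in both the old and new version; `in the definition \ref{def:somdl}` reads better as `in Definition~\ref{def:somdl}`.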
@@ -201,7 +201,7 @@ This section provides a lower bound on the hardness of the modified version of t
\end{figure}
\begin{proof}
\item The proof starts by replacing group elements with polynomials. This happens in games $G_1$ and $G_2$. After that it is argued that the challenger makes a mistake in its simulation, by comparing polynomials instead of evaluating them, with only negligible probability. This is shown in $G_3 - G_6$. At last, since the polynomials are not evaluated during the simulation, one discrete logarithm is not used before the adversary provided its solution. Therefore, it can be chosen after the adversary provided its solution, which is shown in $G_7$ and $G_8$.
\item The proof starts by replacing group elements with polynomials. This happens in games $G_1$ and $G_2$. After that it is argued that the challenger makes a mistake in its simulation with only negligible probability by comparing polynomials directly instead of evaluating them. This is shown in $G_3 - G_6$. At last, since the polynomials are not evaluated during the simulation, one discrete logarithm is not used before the adversary provides its solution. Therefore, it can be chosen after the adversary provided its solution, which is shown in $G_7$ and $G_8$.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be depicted in figure \ref{fig:somdl_games_ggm_1} by excluding all boxes but the black ones. Clearly, this is equivalent to the \somdl game in the generic group model. Therefore,
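Review bot: the rewritten sentence is now inconsistent in tense: `before the adversary provides its solution. Therefore, it can be chosen after the adversary provided its solution`; use `has provided` in both places. `At last` should be `Finally`. Also, `with only negligible probability` is asymptotic wording, whereas the proof establishes the concrete bound $(\groupqueries + N + 2)^2 / 2^{n-1-c}$ in the $G_4$ step; consider saying `with bounded probability` or naming the bound here.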
@@ -211,15 +211,15 @@ This section provides a lower bound on the hardness of the modified version of t
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_2:$}} $G_2$ replaces the blue boxes with the red ones. This change affects the discrete logarithm of the group elements in the prime order subgroup. The discrete logarithm is now represented as a multivariate polynomial. Each indeterminate of the polynomial represents the discrete logarithm of one of the group elements in the challenge to the adversary. The discrete logarithm of the group element in the challenge to the adversary is then instantiated with the indeterminate representing the discrete logarithm of that challenge, instead of the discrete logarithm itself. This change is only conceptual, since the polynomials are evaluated, with the discrete logarithm vector of the group elements in the challenge, before being compared in the Enc procedure. Hence,
\item \paragraph{\underline{$G_2:$}} $G_2$ replaces the blue boxes with the red ones. This change affects the discrete logarithm of the group elements in the prime order subgroup. The discrete logarithm is now represented as a multivariate polynomial. Each indeterminate of the polynomial represents the discrete logarithm of one of the group elements in the challenge to the adversary. The discrete logarithm of the group element in the challenge to the adversary is then instantiated with the indeterminate representing the discrete logarithm of that challenge, instead of the discrete logarithm itself. This change is only conceptual, since the polynomials are evaluated with the discrete logarithm vector of the group elements in the challenge before being compared in the Enc procedure. Hence,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ also introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\groupqueries + N + 2$ many polynomials, one per DL query and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\groupqueries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games,
\item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\groupqueries + N + 2$ many polynomials, one per group operation query GOp and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\groupqueries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games,
\[ |\prone{G_3^{\adversary{A}}} - \prone{G_4^{\adversary{A}}}| \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}. \]
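Review bot: `Schwart-Zippel` is still misspelled at its first mention in the $G_4$ paragraph (it is spelled correctly later in the same paragraph), and `monials` in the $G_3$ paragraph should be `monomials`; `linear multivariate polynomial of degree one` is redundant, `linear` suffices. The table written as $\sum$ should be $\Sigma$ (`\Sigma`), since `\sum` typesets the summation operator. The change from `one per DL query` to `one per group operation query GOp` is correct, since DL queries only evaluate existing polynomials. In the Schwartz-Zippel step, the bound $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq 1/2^{n-1-c}$ relies on the sampling set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$ having $2^{n-1-c}$ elements; because $R^* \in \field{L}[Z_1,...,Z_{N-1}]$, the lemma is applied over a subset of $\field{L}$, so it is worth stating that these integers remain pairwise distinct modulo $L$. Finally, the union bound is over unordered pairs, so $\binom{\groupqueries+N+2}{2}$ would do, though $(\groupqueries+N+2)^2$ is fine as the looser bound that matches the theorem; `Union bound` should be lowercase.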
@@ -249,7 +249,7 @@ This section provides a lower bound on the hardness of the modified version of t
\item Since at least one discrete logarithm is chosen after the adversary provided its solution, its only chance is to guess it. Therefore, the probability of the adversary of winning $G_7$ is upper bounded by the probability of it guessing that discrete logarithm. Hence,
\[ \prone{G_7^{\adversary{A}}} \leq \frac{1}{2^{n - 1 - c}}. \]
\[ \prone{G_8^{\adversary{A}}} \leq \frac{1}{2^{n - 1 - c}}. \]
\item This proves theorem \ref{theorem:somdl_ggm}.
\end{proof}
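Review bot: the displayed bound now refers to $G_8$, but the sentence introducing it still says `the probability of the adversary of winning $G_7$ is upper bounded by the probability of it guessing that discrete logarithm`; that sentence should also say $G_8$ (or state how the bound on $G_8$ follows from the argument about $G_7$), and `of the adversary of winning` should be `of the adversary winning`. The closing line `This proves theorem \ref{theorem:somdl_ggm}` should read `Theorem~\ref{theorem:somdl_ggm}`, capitalized and with a non-breaking space, matching the `figure \ref{...}` references that should likewise become `Figure~\ref{...}`.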