rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rewritings due to feedback

Browse Source
This commit is contained in:
Aaron Kaiser
2023-06-21 18:45:32 +02:00
parent 3db0912f79
commit 0d3218440b
19 changed files with 167 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
thesis/sections/edggm/sdlog.tex
View File

@@ -179,25 +179,25 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
\end{figure}
\begin{proof}
\item Let $G_0$ represent the \sdlog game in the generic group model. In this proof, the discrete logarithm within the prime order subgroup of the group element $\groupelement{A}$ will be substituted with an indeterminate. Following that, it will be demonstrated that the challenger, by working with polynomials rather than actual discrete logarithms, makes errors in the simulation with negligible probability. Finally, it will be established that the discrete logarithm of the group element $\groupelement{A}$ can be selected after the adversary has submitted its solution for the game.
\item Let $G_0$ be the \sdlog game in the generic group model. In this proof, the discrete logarithm within the prime order subgroup of the group element $\groupelement{A}$ will be substituted with an indeterminate. Following that, it will be demonstrated that the challenger, by working with polynomials rather than actual discrete logarithms, makes errors in the simulation with negligible probability. Finally, it will be established that the discrete logarithm of the group element $\groupelement{A}$ can be selected after the adversary has submitted its solution for the game.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:sdlog_games_ggm_1} by excluding all boxes except the black ones. This is identical to the \sdlog in the generic group model. By definition,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} = \prone{G_0^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification remains undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group elements. Each group element still gets the same label assigned. Therefore,
\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification is undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group elements. Each group element is still assigned the same label. Therefore,
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_2:$}} In $G_2$, the blue boxes are replaced with the red ones, which involves replacing the discrete logarithm of the prime order subgroup with a polynomial. The polynomial has one indeterminant, denoted by $Z$, which represents the discrete logarithm, in the prime order subgroup, of the challenge. The polynomial that serves as the discrete logarithm of the prime order subgroup is simply $P = Z$. It is important to note that this change is only conceptual since the polynomial is ultimately evaluated at the secret scalar $a$ in the Enc procedure. Hence,
\item \paragraph{\underline{$G_2:$}} In $G_2$, the blue boxes are replaced with the red ones, which involves replacing the discrete logarithm of group elements in the prime order subgroup with a polynomial. The polynomial has one indeterminant, denoted by $Z$, which represents the discrete logarithm of group element in the prime order subgroup, provided to the adversary as a challenge. Therefore, the polynomial that serves as the discrete logarithm of the challenge in the prime order subgroup is simply $P = Z$. It is important to note that this change is only conceptual since the polynomial is ultimately evaluated at the secret scalar $a$ in the Enc procedure. Hence,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the if condition within the green box. This condition checks if the challenger generated two distinct polynomials that would produce the same value when evaluated at $a$. This verification ensures that polynomials can be directly compared later on, rather than needing to evaluate them. If the if condition evaluates to true, a bad flag is set to true, indicating that the challenger might incorrectly assume that two discrete logarithms, represented by the polynomials, are different by only comparing the polynomials. This modification is purely conceptual, as it only affects internal variables and does not influence the game's behavior. Therefore,
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the if condition within the green box. This condition checks if the challenger generated two distinct polynomials that would produce the same value when evaluated at $a$. This condition ensures that polynomials can be directly compared later on, rather than needing to evaluate them. If the if condition evaluates to true, a bad flag is set to true, indicating that the challenger might incorrectly assume that two discrete logarithms, represented by the polynomials, are different by only comparing the polynomials. This modification is purely conceptual, as it only affects internal variables and does not influence the game's behavior. Therefore,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag is activated. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being activated can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P} \neq P$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\groupqueries + 3$ many polynomials (one per DL call, and three by encoding the input to the adversary) by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\groupqueries + 3}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}$. For this reason,
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag defined in the previous game is set. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being set can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P} \neq P$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\groupqueries + 3$ many polynomials (one per call to the group operation oracle GOp, and three by encoding the input to the adversary) by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\groupqueries + 3}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}$. For this reason,
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}. \]