Rewritings due to feedback

2023-06-21 18:45:32 +02:00
parent 3db0912f79
commit 0d3218440b
19 changed files with 167 additions and 163 deletions

View File

@@ -1,6 +1,6 @@
\subsection{\igame $\overset{\text{ROM}}{\Rightarrow}$ UF-NMA}
\subsection{\igame $\overset{\text{ROM}}{\Rightarrow}$ EUF-NMA}
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof.
This section shows that \igame implies the EUF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is achieved by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in figure \ref{game:igame}. The game has been inspired by the IDLOG game from \cite{C:KilMasPan16}.
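Review bot: EUF-NMA is introduced in the new heading and in the first sentence without ever being spelled out, and since this rename is the substance of the commit, the first use in the section ("This section shows that \igame implies the EUF-NMA security of the EdDSA signature scheme") should expand it to existential unforgeability under no-message attack, or point to the definition, so a reader can see what distinguishes it from the UF-NMA name it replaces. The rename itself is applied consistently to both changed lines of this hunk.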
@@ -36,9 +36,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\begin{theorem}
\label{theorem:adv_igame}
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,
Let $\adversary{A}$ be an adversary against $\text{EUF-NMA}$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \]
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \]
\end{theorem}
\paragraph{\underline{Proof Overview}} The adversary must query the random oracle to obtain the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle into the answer from the random oracle. In this way, a valid signature forgery also provides a valid solution to the \igame game.
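Review bot: the theorem statement introduces $\adversary{B}$ only inside the displayed equation; "Let $\adversary{A}$ be an adversary against $\text{EUF-NMA}$. Then, ..." never says that $\adversary{B}$ exists or how it relates to $\adversary{A}$. Suggest "Then there exists an adversary $\adversary{B}$ against \igame, with roughly the same runtime as $\adversary{A}$, such that", which is also what the proof body below actually establishes ("there exists an adversary $\adversary{B}$ satisfying"). Separately, the macro name \secparamter reads like a misspelling of \secparameter; if the macro really is defined under that name it compiles, but it is easy to mistype elsewhere and worth renaming once.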
@@ -73,9 +73,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\begin{proof}
\item This proof does not require any game hop, since the random oracle can be simulated using the \ioracle oracle.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma}. Clearly, $G_0$ is $\text{UF-NMA}$. By definition,
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma}. Clearly, $G_0$ is $\text{EUF-NMA}$. By definition,
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-NMA}}(\secparamter) = \Pr[\text{EUF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
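Review bot: "Clearly, $G_0$ is $\text{EUF-NMA}$" (in both the old and the new line) is a category mismatch, since a game is not a security notion. Suggest "Clearly, $G_0$ is the $\text{EUF-NMA}$ game", which is also what the equation that follows, $\Pr[\text{EUF-NMA}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]$, relies on. Two smaller points in the same hunk: \item appears directly after \begin{proof} with no enclosing list environment, which is a "Lonely \item" error in standard LaTeX unless the proof environment has been redefined to open one; and the figure label fig:igame_implies_uf-nma keeps the old notion name after the rename, which is harmless but worth updating for consistency with the heading.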

View File

@@ -1,15 +1,15 @@
\subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA sp}}$} \label{proof:uf-nma_implies_suf-cma}
\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA sp}}$} \label{proof:uf-nma_implies_suf-cma}
This section shows that the UF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section begins with an intuition for the proof, followed by the detailed security proof.
This section shows that the EUF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section begins with an intuition for the proof, followed by the detailed security proof.
\begin{theorem}
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the \cma security definition, but lacks the \Osign oracle. To show that UF-NMA security implies \cma security, the reduction must simulate the \Osign oracle without knowledge of the private key.
\paragraph{\underline{Proof Overview}} The EUF-NMA security definition is close to the \cma security definition, but lacks the \Osign oracle. To show that EUF-NMA security implies \cma security, the reduction must simulate the \Osign oracle without knowledge of the private key.
The EdDSA signature scheme is based on the Schnorr signature scheme, which is a canonical identification scheme to which the Fiat-Shamir transformation is applied. This means that EdDSA roughly follows the structure of a canonical identification scheme by first computing a commitment $R$, computing a challenge $\ch$ using the hash function, and then computing the response $S$ based on the commitment, challenge, and private key. The signature is the commitment and response tuple.
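Review bot: the additive term in the bound, $\frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$, is a roundabout way of writing a product: since $2^{-\log_2 x} = 1/x$, the term equals $\oraclequeries \hashqueries \cdot \lceil \frac{2^{2b}-1}{L} \rceil \cdot 2^{-2b}$. Suggest writing it in that form, or as $\frac{\oraclequeries \hashqueries \lceil (2^{2b}-1)/L \rceil}{2^{2b}}$, which removes the nested fraction and makes its order of magnitude (roughly $\oraclequeries \hashqueries / L$) visible at a glance. As in the first file, the theorem should also state that $\adversary{B}$ exists and bound its runtime rather than introducing it only inside the inequality, and the section label proof:uf-nma_implies_suf-cma still carries the old notion name.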
@@ -127,7 +127,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\item Finally, Game $G_3$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv_uf-nma}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter). \label{eq:adv_uf-nma}
\end{align}
\begin{figure}
@@ -159,35 +159,35 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}$}
\caption{Adversary $\adversary{B}$ breaking $\text{EUF-NMA}$}
\label{fig:adversarybuf-nma}
\end{figure}
To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{UF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure \ref{fig:adversarybuf-nma}, is run in the $\text{UF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger, when not set by the reduction itself.
To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{EUF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure \ref{fig:adversarybuf-nma}, is run in the $\text{EUF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the EUF-NMA challenger, when not set by the reduction itself.
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value for the corresponding challenge has not been set by $\adversary{B}$ and therefore must have been passed from the UF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value for the corresponding challenge has not been set by $\adversary{B}$ and therefore must have been passed from the EUF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}.
\end{align*}
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the EUF-NMA game.
\item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature.
\item This proves theorem \ref{theorem:adv_uf-nma}.
\end{proof}
\subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$}
\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$}
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks UF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the UF-NMA challenger.
This section shows that the EUF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks EUF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the EUF-NMA challenger.
\begin{theorem}
\label{theorem:adv2_uf-nma}
Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Formal Proof}}
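Review bot: the new subsection heading at the top of this hunk, $\text{SUF-CMA}_{\text{EdDSA lp}}$, contradicts the paragraph under it, which states that the result is the EUF-CMA security of EdDSA with lax parsing and says explicitly that "The SUF-CMA security cannot be proved"; the theorem that follows is also stated for EUF-CMA. The heading should read $\text{EUF-CMA}_{\text{EdDSA lp}}$. Smaller points in the same hunk: the strict-parsing argument says "$0 \leq S < L$" and "only one valid encoded $S$" while the forgery under discussion is $S^*$, so use $S^*$ consistently there; "an adversary $\adversary{B}$ who breaks" should be "that breaks"; and in the theorem "and $\group{G}$ be a group of prime order $L$" should be "and let $\group{G}$ be a group of prime order $L$", as the earlier theorem in this file has it.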
@@ -195,7 +195,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
\begin{proof}
\item
\begin{align}
\prone{G_3^{\adversary{A}}} = \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv2_uf-nma}
\prone{G_3^{\adversary{A}}} = \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter). \label{eq:adv2_uf-nma}
\end{align}
\begin{figure}
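Review bot: the \item right after \begin{proof} carries no text, so the list entry consists of the bare display (\ref{eq:adv2_uf-nma}) with nothing introducing it; the corresponding step of the strict-parsing proof reads "Finally, Game $G_3$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying" before the same display. Suggest reusing that sentence here. The same Lonely-\item concern as in the first file applies if the proof environment does not open a list.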
@@ -227,11 +227,11 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}$}
\caption{Adversary $\adversary{B}$ breaking $\text{EUF-NMA}$}
\label{fig:adversary_b_suf-nma}
\end{figure}
To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{UF-NMA}$ game and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger, when not set by the reduction itself.
To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{EUF-NMA}$ that simulates the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{EUF-NMA}$ game and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the EUF-NMA challenger, when not set by the reduction itself.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. Because we are in the EUF-CMA setting, the adversary $\adversary{A}$ is required to provide a signature for a message $m^*$ for which it has not requested a signature from the \Osign oracle. Since the signature for the message $m^*$ was not requested in the Sign oracle, the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ was not set by the adversary B, but must have been forwarded from the $H$ hash oracle. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
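Review bot: "consider $\adversary{A}$ output" drops the possessive that the parallel sentence in the strict-parsing proof has ("consider $\adversary{A}$'s output"); in the same paragraph, "set by the adversary B" should be "$\adversary{B}$" in math mode, and "the Sign oracle" should be "the \Osign oracle", as written two clauses earlier and throughout the file. In the preceding paragraph, "The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run" needs commas around the participial clause (compare the strict-parsing version). The caption "Adversary $\adversary{B}$ breaking $\text{EUF-NMA}$" is now identical to the caption of the earlier figure; consider adding "with strict parsing" / "with lax parsing" so the two figures can be told apart in the list of figures.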
@@ -240,7 +240,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}.
\end{align*}
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the EUF-NMA game.
\item Since the adversary $\adversary{B}$ is the same as in the proof above, the runtime is roughly the same as the runtime of $\adversary{A}$, for the same reasons.