rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rewritings due to feedback

Browse Source
This commit is contained in:
Aaron Kaiser
2023-06-21 18:45:32 +02:00
parent 3db0912f79
commit 0d3218440b
19 changed files with 167 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex
View File

@@ -1,6 +1,6 @@
\subsection{\igame $\overset{\text{ROM}}{\Rightarrow}$ UF-NMA}
\subsection{\igame $\overset{\text{ROM}}{\Rightarrow}$ EUF-NMA}
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof.
This section shows that \igame implies the EUF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is achieved by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in figure \ref{game:igame}. The game has been inspired by the IDLOG game from \cite{C:KilMasPan16}.
@@ -36,9 +36,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\begin{theorem}
\label{theorem:adv_igame}
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,
Let $\adversary{A}$ be an adversary against $\text{EUF-NMA}$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \]
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \]
\end{theorem}
\paragraph{\underline{Proof Overview}} The adversary must query the random oracle to obtain the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle into the answer from the random oracle. In this way, a valid signature forgery also provides a valid solution to the \igame game.
@@ -73,9 +73,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\begin{proof}
\item This proof does not require any game hop, since the random oracle can be simulated using the \ioracle oracle.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma}. Clearly, $G_0$ is $\text{UF-NMA}$. By definition,
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma}. Clearly, $G_0$ is $\text{EUF-NMA}$. By definition,
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-NMA}}(\secparamter) = \Pr[\text{EUF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying