did a lot

This commit is contained in:
2023-04-04 16:07:24 +02:00
parent a9f00cb311
commit 2c92ebf8bd
5 changed files with 291 additions and 32 deletions


@@ -5,7 +5,7 @@ This section shows that the \cma security of EdDSA signature scheme implies the
\begin{theorem}
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against \cma, making at most $\hashqueries$ hash queries. Then,
Let $\adversary{A}$ be an adversary against $\cma_{\text{EdDSA}}$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{\cma}}(k) = \advantage{\adversary{B}}{\text{UF-NMA}}(k) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\end{theorem}
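Review bot: The displayed bound in the theorem is stated as an equality with the collision term subtracted, `\advantage{\adversary{A}}{\text{\cma}}(k) = \advantage{\adversary{B}}{\text{UF-NMA}}(k) - \frac{...}{...}`, while the game hops in the proof only yield upper bounds (`|\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad]`), so the statement is stronger than what is proved and the sign is the wrong way round for a reduction. I would write it as `\advantage{\adversary{A}}{\text{\cma}}(k) \leq \advantage{\adversary{B}}{\text{UF-NMA}}(k) + \oraclequeries \hashqueries \cdot \lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}`, which also drops the `2^{-\log_2(x)}` denominator that is just `1/x`. The trailing `\].` places the period outside the display; it belongs inside, before `\]`. The theorem now mentions `\oraclequeries` but does not say which oracle it counts (sign queries, presumably) — spell that out, since the bound depends on it.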
@@ -41,45 +41,62 @@ The proof starts by providing an algorithm which generates correctly distributed
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
\State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
\State $A \assign s \groupelement{B}$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($m \in \messagespace$)}
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | m)$
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | \m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\BeginBox[fill=lightgray]
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | \m)) \pmod L$
\EndBox
\BeginBox[draw=blue]
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\EndBox
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] = \bot \textbf{ then}$
\State \quad $\sum[\encoded{R} | \encoded{A} | m] \randomsample \{0,1\}^{2b}$
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | m]) \pmod L$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] = \bot \textbf{ then}$
\State \quad $\sum[\encoded{R} | \encoded{A} | \m] \randomsample \{0,1\}^{2b}$
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | \m]) \pmod L$
\EndBox
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\begin{multicols}{2}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[\m]$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
%TODO: Nummer vor Oracle
\BeginBox[draw=green]
\State \underline{\oracle \sign($\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A} | \m] = \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
\EndBox
\end{algorithmic}
\end{multicols}
\hrule
\caption{Games $G_0 - G_2$}
\caption{Games $G_0 - G_3$}
\label{fig:uf-nma_implies_suf-cma_games}
\end{figure}
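Review bot: The green G_3 sign oracle draws a fresh `(R, \textbf{ch}, S)` from `\simalg` on every call, whereas G_0–G_2 derive `r` deterministically from `RF(h_b | ... | h_{2b-1} | \m)`, so two sign queries on the same message return identical signatures in G_2 but (with overwhelming probability) different ones in G_3 — and in G_2 the second such query finds `\sum[\encoded{R} | \encoded{A} | \m]` already set and aborts. Unless repeated messages are excluded elsewhere in the text, the simulated oracle needs a per-message cache (return the signature already stored in `Q` for a repeated `\m`) for this hop to be purely conceptual, and the `bad` analysis must count the table entries written by earlier sign queries, not only the `\hashqueries` direct hash queries. Notation inside the new box is inconsistent with the rest of the figure: `\sum[\encoded{R} | \encoded{A} | \m] = \textbf{ch}` is a programming step and should read `\sum[\encoded{R} | \encoded{A} | \m] \assign \textbf{ch}`, and `R` in the `\simalg` output and in `R \assign rB` is still bare although `A` and `B` were changed to `\groupelement{A}`, `\groupelement{B}`. The box header uses `\State` where every other oracle header uses `\Statex`, so this one will get a line number.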
@@ -96,11 +113,13 @@ The proof starts by providing an algorithm which generates correctly distributed
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle by the \sign oracle in the green box. This change is only conceptual. \simalg outputs a correctly distributed tuple $(R, \textbf{ch}, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \textbf{ch} \groupelement{A}$ and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed to output $\textbf{ch}$ upon calling $H(\encoded{R} | \encoded{A} | m)$. Therefore, it is ensured that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without the usage of the private key $s$.
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(k) \label{eq:adv_uf-nma}
\end{align}
\end{align}.
\begin{figure}
\hrule
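Review bot: The new G_3 paragraph calls the oracle swap "only conceptual", but the justification covers a single sign query only; it does not address that the original oracle is deterministic per message (through `RF`) while `\simalg` samples afresh, so repeated messages must be handled (cached or excluded) before the hop is distribution-preserving. The sentence "and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed" is missing its connective — `since $G_2$ aborts whenever $H(\encoded{R} | \encoded{A} | \m)$ is already set before the \sign query, the random oracle can be programmed` — and the same paragraph once writes bare `m` in `H(\encoded{R} | \encoded{A} | m)` where the rest uses `\m`. The equation below still reads `\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(k)` although the text now says `G_3` is the game prepared for this step; one of the two should be updated. The replaced `\end{align}.` leaves the period outside the environment; put it at the end of the last `align` line instead. The enclosing `\item` list begins before this hunk.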
@@ -108,7 +127,7 @@ The proof starts by providing an algorithm which generates correctly distributed
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
@@ -135,7 +154,7 @@ The proof starts by providing an algorithm which generates correctly distributed
\label{fig:adversarybuf-nma}
\end{figure}
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}_{\text{EdDSA}}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}_{\text{EdDSA}}$ game and adversary $\adversary{B}$ simulates \sign for adversary $\adversary{A}$. \sign is simulated perfectly. \simalg outputs a tuple $(\groupelement{R}, \textbf{ch}, S)$ satisfying $S\groupelement{B} = \groupelement{R} + \textbf{ch}\groupelement{A}$ for a given public key $\groupelement{A}$ and the random oracle is programmed to output $\textbf{ch}$ for the input $\encoded{R} | \encoded{A} | m$. Therefor the signature $\signature \assign (\encoded{R}, S)$ satisfies the verification equation $2^c S\groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | m)\groupelement{A}$ and is a valid signature for the message $\m$.
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}_{\text{EdDSA}}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}_{\text{EdDSA}}$ game and adversary $\adversary{B}$ simulates \sign for adversary $\adversary{A}$. \sign is simulated perfectly.
% TODO: Ist die Begründung ausreichend?
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{\cma}_{\text{EdDSA}}$ setting is also a valid signature in the $\text{UF-NMA}_{\text{EdDSA}}$ setting.