diff --git a/presentation/presentation.pdf b/presentation/presentation.pdf index c91c7d1..e2d5093 100644 Binary files a/presentation/presentation.pdf and b/presentation/presentation.pdf differ diff --git a/presentation/presentation.tex b/presentation/presentation.tex index edc9c9c..3fcc906 100644 --- a/presentation/presentation.tex +++ b/presentation/presentation.tex @@ -20,6 +20,8 @@ \include{../thesis/macros} +\renewcommand{\somdl}{\text{Ed-$N$-DLog-Reveal}\xspace} + \begin{document} \frame{\titlepage} @@ -32,7 +34,7 @@ \item Related work \item Preliminaries \item The EdDSA signature scheme - \item Singe- and multi-user Proofs for EdDSA + \item Singe- and multi-user proofs for EdDSA \item GGM proofs of the underlying assumptions \item Concrete security \end{enumerate} @@ -55,8 +57,8 @@ Results of this thesis: \begin{enumerate} - \item EdDSA is tightly secure under Ed-DLog assumption in the single-user setting - \item EdDSA is tightly secure under the N-Ed-DLog-Reveal assumption in the multi-user setting + \item EdDSA is tightly secure under \sdlog assumption in the single-user setting + \item EdDSA is tightly secure under the \somdl assumption in the multi-user setting \item \textcolor{gray}{Ed25519 provides 125/124 bits of security in the single/multi-user setting} \item \textcolor{gray}{Ed448 provides 221/220 bits of security in the single/multi-user setting} \end{enumerate} @@ -68,8 +70,8 @@ Results of this thesis: \begin{enumerate} - \item EdDSA is tightly secure under Ed-DLog assumption in the single-user setting - \item EdDSA is tightly secure under the N-Ed-DLog-Reveal assumption in the multi-user setting + \item EdDSA is tightly secure under \sdlog assumption in the single-user setting + \item EdDSA is tightly secure under the \somdl assumption in the multi-user setting \item Ed25519 provides 125/124 bits of security in the single/multi-user setting \item Ed448 provides 221/220 bits of security in the single/multi-user setting \end{enumerate} 
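Review bot: The new `\renewcommand{\somdl}{\text{Ed-$N$-DLog-Reveal}\xspace}` silently overrides a macro that the preceding `\include{../thesis/macros}` must already define (otherwise `\renewcommand` would fail), and nothing records that the slide notation intentionally diverges from the thesis. I would add a comment on that line, `% slide-local name for the multi-user assumption; deliberately overrides the definition in ../thesis/macros`, so a later sync of macros.tex does not silently change the slides. As an aside on the unchanged context line, `\input` is the usual way to pull a macro file into a preamble, since `\include` forces a page break and writes its own .aux file.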
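Review bot: The outline item still reads `\item Singe- and multi-user proofs for EdDSA` on the new side; the hunk lowercases "proofs" but leaves the typo in "Singe-". Change it to `\item Single- and multi-user proofs for EdDSA`.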
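Review bot: The two result items are no longer parallel: the first now reads `EdDSA is tightly secure under \sdlog assumption` (article dropped when the hard-coded name was replaced by the macro) while the second keeps `under the \somdl assumption`. Change the first to `\item EdDSA is tightly secure under the \sdlog assumption in the single-user setting`; the same list is repeated in the next hunk and needs the same fix.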
@@ -90,7 +92,7 @@ \begin{frame} \frametitle{Motivation} - No existing tight security proof since publication in 2015 + No existing tight security proof since publication in 2011 \end{frame} \begin{frame} @@ -137,7 +139,7 @@ \end{algorithmic} \vspace{2mm} \begin{algorithmic} - \Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)} + \Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)} \State $\signature \randomassign \sign(\privkey_i, \m)$ \State $M \assign M \cup \{(\pubkey_i, \m)\}$ \State \Return $\signature$ @@ -165,7 +167,7 @@ \end{algorithmic} \vspace{2mm} \begin{algorithmic} - \Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)} + \Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)} \State $\signature \randomassign \sign(\privkey_i, \m)$ \State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$ \State \Return $\signature$ @@ -620,7 +622,7 @@ \begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting] \label{theorem:eddsa_lp_mu} - Let $\adversary{A}$ be an adversary against the MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, + Let $\adversary{A}$ be an adversary against the $N$-MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \end{theorem} 
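Review bot: The theorem statement now names the notion `$N$-MU-EUF-CMA`, but the displayed bound still writes the advantage as `\advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}`, and the `\somdl` advantage is written `\advantage{\curve, n, c, L, \adversary{B}}{\somdl}` with no `(\secparamter)`, whereas the new `$N$-\igame` theorem later in this patch writes `\advantage{\group{G},\adversary{B}}{\somdl}(\secparamter)`; the same assumption should carry one parameter list and one notion name on every slide. The last term's denominator `2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}` is just the reciprocal of its argument, so the term reads more directly as `(\oraclequeries \hashqueries + \oraclequeries N) \lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}`, which also makes its roughly 1/L magnitude visible (the concrete slide in this patch instantiates it as 2^{252} for Ed25519). The theorem environment ends outside the hunk.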
@@ -629,13 +631,57 @@ \begin{frame} \frametitle{Multi-User Security} - \[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-\cma}_{\text{EdDSA sp}} \] - \[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-CMA}_{\text{EdDSA lp}} \] + \begin{itemize} + \item $\text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-\cma}_{\text{EdDSA sp}}$ + \item $\text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-CMA}_{\text{EdDSA lp}}$ + \item $\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame} \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA}$ + \end{itemize} \end{frame} \begin{frame} \frametitle{Multi-User Security} - \framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \igame$} + \framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame}$} + + \begin{theorem} + \label{theorem:adv_omdl'} + Let $\adversary{A}$ be an adversary against \text{$N$-\igame} with $\group{G}$ being a cyclic group of prime order $L$, receiving $N$ public keys and making at most $\oraclequeries$ oracle queries. Then + + \[ \advantage{\group{G},\adversary{A}}{\text{$N$-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. 
\] + \end{theorem} +\end{frame} + +\begin{frame} + \frametitle{Multi-User Security} + \framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame}$} + + \begin{figure}[h] + \hrule + \vspace{1mm} + \large + \begin{algorithmic} + \Statex \underline{\game \text{$N$-\igame}} + \State \textbf{for} $i \in \{1,2,...,N\}$ + \State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$ + \State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$ + \State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ + \State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ + \end{algorithmic} + \vspace{2mm} + \begin{algorithmic} + \Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)} + \State $\ch_i \randomsample \{0,1\}^{2b}$ + \State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$ + \State \Return $\ch_i$ + \end{algorithmic} + \hrule + \caption{\text{$N$-\igame}} + \label{game:mu-igame} + \end{figure} +\end{frame} + +\begin{frame} + \frametitle{Multi-User Security} + \framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame}$} \begin{figure}[h] \hrule @@ -665,7 +711,7 @@ \begin{frame} \frametitle{Multi-User Security} - \framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \igame$} + \framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame}$} Proof Idea: @@ -700,6 +746,8 @@ \end{frame} \begin{frame} + \frametitle{\somdl} + \begin{lemma}[Schwartz-Zippel lemma \cite{schwartz_fast_1980}] Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X_1, ..., X_n]$ be a non-zero polynomial of total degree $d \geq 0$ over a field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x$ be selected uniformly at random from $S$. Then 
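Review bot: The winning condition of the new `$N$-\igame` has a stray `\in` before the colon: `i \in \{1,2,...,N\} \in :` should be `i \in \{1,2,...,N\} :`. The game also never initializes `\pset{Q}` before the adversary runs, although the oracle appends to it; unless the thesis treats it as empty by convention, add `\State $\pset{Q} \assign \emptyset$` before the `for` loop. The oracle names its input and output `\groupelement{R_i}` and `\ch_i`, reusing `i`, which the game already uses as the user index over `A_1,...,A_N`; indexing oracle queries by `j` (or dropping the subscript) avoids suggesting that each query is tied to a particular key, which the winning condition does not require. The hunk ends inside the third new frame, whose figure body continues outside it.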
@@ -708,6 +756,8 @@ \end{frame} \begin{frame} + \frametitle{\somdl} + \begin{figure}[H] \hrule \tiny @@ -744,6 +794,8 @@ \end{frame} \begin{frame} + \frametitle{\somdl} + \begin{figure}[H] \hrule \tiny @@ -784,6 +836,8 @@ \end{frame} \begin{frame} + \frametitle{\somdl} + \begin{figure}[H] \hrule \tiny @@ -828,6 +882,8 @@ \end{frame} \begin{frame} + \frametitle{\somdl} + \begin{figure}[H] \hrule \vspace{2mm} @@ -857,6 +913,8 @@ \end{frame} \begin{frame} + \frametitle{\somdl} + \begin{figure}[H] \hrule \tiny @@ -906,6 +964,8 @@ \end{frame} \begin{frame} + \frametitle{\somdl} + \begin{figure}[H] \hrule \tiny @@ -949,6 +1009,8 @@ \end{frame} \begin{frame} + \frametitle{\somdl} + \begin{figure}[H] \hrule \tiny @@ -1022,6 +1084,20 @@ \end{align*} \end{frame} +\begin{frame} + \frametitle{Concrete Security} + \framesubtitle{Ed25519} + + \begin{align*} + SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\ + &\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\ + &\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\ + &\leq \frac{2 (2^{125} + 2^{35} + 2)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64} 2^{35}}{2^{252} 2^{125}} \\ + &\approx 2^{-124} + 2^{-316} + 2^{-189} \\ + &\approx 2^{-124} + \end{align*} +\end{frame} + \begin{frame} \huge \centering @@ -1029,7 +1105,7 @@ Questions? \end{frame} -\begin{frame} +\begin{frame}[allowframebreaks] \bibliographystyle{ieeetr} \bibliography{../thesis/cryptobib/abbrev0,../thesis/cryptobib/crypto,../thesis/citation} \end{frame}
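Review bot: The first line of the new Ed25519 slide bounds the `MU-SUF-CMA` advantage, but the expression substituted on the next line is the bound of the lax-parsing theorem earlier in this patch, which is stated for (existential) `MU-EUF-CMA`; strong unforgeability is the stronger notion, so either the label should be `MU-EUF-CMA` or the strict-parsing result is the one that should be cited. The arithmetic in the penultimate line also looks off: with b = 256 the middle term `2(2^{125}+1)/(2^{256} 2^{125})` is about `2^{-255}`, not `2^{-316}`, and the last term `(2^{64} 2^{125} + 2^{64} 2^{35})/(2^{252} 2^{125})` is about `2^{-188}`; the final `2^{-124}` is unaffected because the first term dominates, but the intermediate line should be corrected before this goes on a slide claiming concrete security levels. Minor: `SR` and `Time` are multi-letter identifiers in math mode and typeset as products of variables; `\mathit{SR}` and `\operatorname{Time}` (or macros from the thesis) fix that.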