Fixed presentation

presentation/presentation.tex

@@ -20,6 +20,8 @@
 
 \include{../thesis/macros}
 
+\renewcommand{\somdl}{\text{Ed-$N$-DLog-Reveal}\xspace}
+
 \begin{document}
 \frame{\titlepage}
 
@@ -32,7 +34,7 @@
 	\item Related work
 	\item Preliminaries
 	\item The EdDSA signature scheme
-	\item Singe- and multi-user Proofs for EdDSA
+	\item Singe- and multi-user proofs for EdDSA
 	\item GGM proofs of the underlying assumptions
 	\item Concrete security
 \end{enumerate}
@@ -55,8 +57,8 @@
 	
 	Results of this thesis:
 	\begin{enumerate}
-		\item EdDSA is tightly secure under Ed-DLog assumption in the single-user setting
-		\item EdDSA is tightly secure under the N-Ed-DLog-Reveal assumption in the multi-user setting
+		\item EdDSA is tightly secure under \sdlog assumption in the single-user setting
+		\item EdDSA is tightly secure under the \somdl assumption in the multi-user setting
 		\item \textcolor{gray}{Ed25519 provides 125/124 bits of security in the single/multi-user setting}
 		\item \textcolor{gray}{Ed448 provides 221/220 bits of security in the single/multi-user setting}
 	\end{enumerate}
@@ -68,8 +70,8 @@
 	
 	Results of this thesis:
 	\begin{enumerate}
-		\item EdDSA is tightly secure under Ed-DLog assumption in the single-user setting
-		\item EdDSA is tightly secure under the N-Ed-DLog-Reveal assumption in the multi-user setting
+		\item EdDSA is tightly secure under \sdlog assumption in the single-user setting
+		\item EdDSA is tightly secure under the \somdl assumption in the multi-user setting
 		\item Ed25519 provides 125/124 bits of security in the single/multi-user setting
 		\item Ed448 provides 221/220 bits of security in the single/multi-user setting
 	\end{enumerate}
@@ -90,7 +92,7 @@
 \begin{frame}
 	\frametitle{Motivation}
 	
-	No existing tight security proof since publication in 2015
+	No existing tight security proof since publication in 2011
 \end{frame}
 
 \begin{frame}
@@ -137,7 +139,7 @@
 		\end{algorithmic}
 		\vspace{2mm}
 		\begin{algorithmic}
-			\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
+			\Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)}
 			\State $\signature \randomassign \sign(\privkey_i, \m)$
 			\State $M \assign M \cup \{(\pubkey_i, \m)\}$
 			\State \Return $\signature$
@@ -165,7 +167,7 @@
 		\end{algorithmic}
 		\vspace{2mm}
 		\begin{algorithmic}
-			\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
+			\Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)}
 			\State $\signature \randomassign \sign(\privkey_i, \m)$
 			\State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
 			\State \Return $\signature$
@@ -620,7 +622,7 @@
 	
 	\begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting]
 		\label{theorem:eddsa_lp_mu}
-		Let $\adversary{A}$ be an adversary against the  MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
+		Let $\adversary{A}$ be an adversary against the  $N$-MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
 		
 		\[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
 	\end{theorem}
@@ -629,13 +631,57 @@
 \begin{frame}
 	\frametitle{Multi-User Security}
 	
-	\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-\cma}_{\text{EdDSA sp}} \]
-	\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-CMA}_{\text{EdDSA lp}} \]
+	\begin{itemize}
+		\item $\text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-\cma}_{\text{EdDSA sp}}$
+		\item $\text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-CMA}_{\text{EdDSA lp}}$
+		\item $\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame} \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA}$
+	\end{itemize}
 \end{frame}
 
 \begin{frame}
 	\frametitle{Multi-User Security}
-	\framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \igame$}
+	\framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame}$}
+	
+	\begin{theorem}
+		\label{theorem:adv_omdl'}
+		Let $\adversary{A}$ be an adversary against \text{$N$-\igame} with $\group{G}$ being a cyclic group of prime order $L$, receiving $N$ public keys and making at most $\oraclequeries$ oracle queries. Then
+		
+		\[ \advantage{\group{G},\adversary{A}}{\text{$N$-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
+	\end{theorem}
+\end{frame}
+
+\begin{frame}
+	\frametitle{Multi-User Security}
+	\framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame}$}
+	
+	\begin{figure}[h]
+		\hrule
+		\vspace{1mm}
+		\large
+		\begin{algorithmic}
+			\Statex \underline{\game \text{$N$-\igame}}
+			\State \textbf{for} $i \in \{1,2,...,N\}$
+			\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
+			\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
+			\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$	
+			\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$		
+		\end{algorithmic}
+		\vspace{2mm}
+		\begin{algorithmic}
+			\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
+			\State $\ch_i \randomsample \{0,1\}^{2b}$
+			\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
+			\State \Return $\ch_i$
+		\end{algorithmic}
+		\hrule
+		\caption{\text{$N$-\igame}}
+		\label{game:mu-igame}
+	\end{figure}
+\end{frame}
+
+\begin{frame}
+	\frametitle{Multi-User Security}
+	\framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame}$}
 	
 	\begin{figure}[h]
 		\hrule
@@ -665,7 +711,7 @@
 
 \begin{frame}
 	\frametitle{Multi-User Security}
-	\framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \igame$}
+	\framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \text{$N$-\igame}$}
 
 	Proof Idea:
 	
@@ -700,6 +746,8 @@
 \end{frame}
 
 \begin{frame}
+	\frametitle{\somdl}
+	
 	\begin{lemma}[Schwartz-Zippel lemma \cite{schwartz_fast_1980}]
 		Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X_1, ..., X_n]$ be a non-zero polynomial of total degree $d \geq 0$ over a field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x$ be selected uniformly at random from $S$. Then
 		
@@ -708,6 +756,8 @@
  \end{frame}
 
 \begin{frame}
+	\frametitle{\somdl}
+	
 	\begin{figure}[H]
 		\hrule
 		\tiny
@@ -744,6 +794,8 @@
 \end{frame}
 
 \begin{frame}
+	\frametitle{\somdl}
+	
 	\begin{figure}[H]
 		\hrule
 		\tiny
@@ -784,6 +836,8 @@
 \end{frame}
 
 \begin{frame}
+	\frametitle{\somdl}
+	
 	\begin{figure}[H]
 		\hrule
 		\tiny
@@ -828,6 +882,8 @@
 \end{frame}
 
 \begin{frame}
+	\frametitle{\somdl}
+	
 	\begin{figure}[H]
 		\hrule
 		\vspace{2mm}
@@ -857,6 +913,8 @@
 \end{frame}
 
 \begin{frame}
+	\frametitle{\somdl}
+	
 	\begin{figure}[H]
 		\hrule
 		\tiny
@@ -906,6 +964,8 @@
 \end{frame}
 
 \begin{frame}
+	\frametitle{\somdl}
+	
 	\begin{figure}[H]
 		\hrule
 		\tiny
@@ -949,6 +1009,8 @@
 \end{frame}
 
 \begin{frame}
+	\frametitle{\somdl}
+	
 	\begin{figure}[H]
 		\hrule
 		\tiny
@@ -1022,6 +1084,20 @@
 	\end{align*}
 \end{frame}
 
+\begin{frame}
+	\frametitle{Concrete Security}
+	\framesubtitle{Ed25519}
+	
+	\begin{align*}
+		SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
+		&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
+		&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
+		&\leq \frac{2 (2^{125} + 2^{35} + 2)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64} 2^{35}}{2^{252} 2^{125}} \\
+		&\approx 2^{-124} + 2^{-316} + 2^{-189} \\
+		&\approx 2^{-124}
+	\end{align*}
+\end{frame}
+
 \begin{frame}
 	\huge
 	\centering
@@ -1029,7 +1105,7 @@
 	Questions?
 \end{frame}
 
-\begin{frame}
+\begin{frame}[allowframebreaks]
 	\bibliographystyle{ieeetr}
 	\bibliography{../thesis/cryptobib/abbrev0,../thesis/cryptobib/crypto,../thesis/citation}
 \end{frame}