From 33e92e22ebd5ece892d80e7df9118be6d192cdba Mon Sep 17 00:00:00 2001 From: Aaron Kaiser Date: Fri, 10 Mar 2023 10:30:23 +0100 Subject: [PATCH] split file into multiple files --- thesis/Abschlussarbeit.tex | 45 ++----------------- .../security_of_eddsa/dlog'_implies_gamez.tex | 1 + .../gamez_implies_uf-nma.tex | 27 +++++++++++ .../uf-nma_implies_suf-cma.tex | 12 +++++ 4 files changed, 44 insertions(+), 41 deletions(-) create mode 100644 thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex create mode 100644 thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex index 72ded2f..fcd8974 100644 --- a/thesis/Abschlussarbeit.tex +++ b/thesis/Abschlussarbeit.tex @@ -116,6 +116,8 @@ TODO \subsection{Security Notions} +\subsubsection{Identical-until-bad Games} + \subsubsection{Digital Signature Scheme} 
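Review bot: The added `\subsubsection{Identical-until-bad Games}` heading has no body, so the Security Notions section now contains an empty placeholder while the proof in dlog'_implies_gamez.tex (the hunk at old line 85) already relies on the "identical-until-bad" bound |Pr[G_1 ⇒ 1] − Pr[G_2 ⇒ 1]| ≤ Pr[bad]. A short marker under the heading, e.g. `% TODO: state the identical-until-bad lemma (bad-flag bound used in the G_1/G_2 step of the dlog' proof)`, would keep that dependency visible until the text exists. The surrounding `\subsection{Security Notions}` continues outside the hunk.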
@@ -272,47 +274,8 @@ The chain of reductions can be depicted as: \[ \sdlog => \igame => UF-NMA_{EdDSA} => \cma_{EdDSA} \] -\subsection{UF-NMA $=>$ \cma (ROM)} - -% TODO: "intuition for the proof" vs. "intuition of the proof"? -This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof. - -\paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key. - -The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the structure of a canonical identification scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment, challenge and secret key. The signature is the tuple of commitment and response. - -To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the choosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message. - -\paragraph{Formal Proof} - -\subsection{\igame $=>$ UF-NMA (ROM)} - -This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof. 
- -\begin{figure} - \hrule - \begin{multicols}{2} - \large - \begin{algorithmic}[1] - \Statex \underline{\game \igame} - \State \quad $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$ - \State \quad $\groupelement{A} \assign a \groupelement{B}$ - \State \quad $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$ - \State \quad \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$ - \end{algorithmic} - \columnbreak - \begin{algorithmic}[1] - \Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)} - \State \quad $chall_i \randomsample \{0,1\}^{2b}$ - \State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$ - \State \quad \Return $chall_i$ - \end{algorithmic} - \end{multicols} - \hrule - \caption{\igame} - \label{game:igame} -\end{figure} - +\include{sections/security_of_eddsa/uf-nma_implies_suf-cma} +\include{sections/security_of_eddsa/gamez_implies_uf-nma} \include{sections/security_of_eddsa/dlog'_implies_gamez} diff --git a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex index 46928bf..b6170da 100644 --- a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex +++ b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex 
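Review bot: The two added `\include` lines pull subsection-sized files into the middle of a section, and `\include` issues a `\clearpage` before and after each file (and cannot be nested), so every one of these subsections will start on a fresh page; `\input` is the right primitive here: `\input{sections/security_of_eddsa/uf-nma_implies_suf-cma}` and `\input{sections/security_of_eddsa/gamez_implies_uf-nma}`. The unchanged `\include{sections/security_of_eddsa/dlog'_implies_gamez}` on the following context line has the same effect and could be converted in the same step. Separately, the context line `\[ \sdlog => \igame => UF-NMA_{EdDSA} => \cma_{EdDSA} \]` uses `=>` inside math, which typesets as "= >" rather than an implication arrow (`\Rightarrow` or `\implies`), but that line is not touched by this change.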
@@ -85,6 +85,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \] \item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $chall_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $chall_i \pmod L$. $chall_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $chall_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $chall_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $chall_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $chall_i$ has to be concidert, which takes this into account. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have + % TODO: Müsste das nicht floor statt ceil sein? \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] diff --git a/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex new file mode 100644 index 0000000..594c35a 
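Review bot: The added comment `% TODO: Müsste das nicht floor statt ceil sein?` is written in German inside an English thesis and records an open correctness question about the Pr[bad] bound without resolving it. Since $chall_i$ is uniform over $2^{2b}$ values and then reduced modulo $L$, the most likely residue ($0$) has $\lfloor (2^{2b}-1)/L \rfloor + 1 = \lceil 2^{2b}/L \rceil$ preimages, so the maximal per-query probability is $\lceil 2^{2b}/L \rceil \cdot 2^{-2b}$; the page's $\lceil (2^{2b}-1)/L \rceil$ agrees with this except when $L$ divides $2^{2b}-1$, where it undercounts by one, and a plain floor would be too small in general. I would replace the TODO with an English note stating that bound, e.g. `% NOTE: max residue probability is \lceil 2^{2b}/L \rceil 2^{-2b}; \lceil (2^{2b}-1)/L \rceil undercounts exactly when L | 2^{2b}-1`, and align the displayed formula and the prose above it with it. The enclosing `\item` and its list environment start outside the hunk.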
--- /dev/null
+++ b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex
@@ -0,0 +1,27 @@
+\subsection{\igame $=>$ UF-NMA (ROM)}
+
+This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
+
+\begin{figure}
+ \hrule
+ \begin{multicols}{2}
+ \large
+ \begin{algorithmic}[1]
+ \Statex \underline{\game \igame}
+ \State \quad $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
+ \State \quad $\groupelement{A} \assign a \groupelement{B}$
+ \State \quad $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
+ \State \quad \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$
+ \end{algorithmic}
+ \columnbreak
+ \begin{algorithmic}[1]
+ \Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
+ \State \quad $chall_i \randomsample \{0,1\}^{2b}$
+ \State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$
+ \State \quad \Return $chall_i$
+ \end{algorithmic}
+ \end{multicols}
+ \hrule
+ \caption{\igame}
+ \label{game:igame}
+\end{figure}
\ No newline at end of file
diff --git a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex
new file mode 100644
index 0000000..b15e9ad
--- /dev/null
+++ b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex
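Review bot: The \ioracle pseudocode in the new file is internally inconsistent: it samples `$chall_i \randomsample \{0,1\}^{2b}$` and returns `$chall_i$`, but records `(\groupelement{R}_i, c_i)` in $Q$, and the game's winning condition then tests `(\groupelement{R}^*, c^*) \in Q`, so $c_i$ is never assigned; one name throughout, e.g. `\State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, chall_i) \}$`, would fix it, and `\groupelement{R_i}` in the oracle header versus `\groupelement{R}_i` in the body should be unified as well. The introductory sentence reads "the UF-NMA security if the EdDSA signature scheme" and "an intuition if the proof" where "of" is meant, and it names the Algebraic Group Model while the heading says "(ROM)"; one of the two should be corrected. `$=>$` in the `\subsection` title typesets as "= >" rather than an arrow; `$\Rightarrow$` (wrapped in `\texorpdfstring` if hyperref is loaded) gives the intended symbol. The file also lacks a trailing newline.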
@@ -0,0 +1,12 @@
+\subsection{UF-NMA $=>$ \cma (ROM)}
+
+% TODO: "intuition for the proof" vs. "intuition of the proof"?
+This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
+
+\paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
+
+The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the structure of a canonical identification scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment, challenge and secret key. The signature is the tuple of commitment and response.
+
+To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the choosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message.
+
+\paragraph{Formal Proof}
\ No newline at end of file
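Review bot: The first sentence of the new file states the implication backwards: it says the \cma security "implies the UF-NMA security", while the heading `UF-NMA $=>$ \cma (ROM)` and the Proof Overview paragraph ("To show that UF-NMA security implies \cma security") go the other way; it should read `This section shows that the UF-NMA security of the EdDSA signature scheme implies the \cma security of the EdDSA signature scheme in the Random Oracle Model.` As in gamez_implies_uf-nma.tex, `$=>$` in the `\subsection` title typesets as "= >" rather than an arrow; `$\Rightarrow$` is the intended symbol. "choosen" (twice in the last paragraph) should be "chosen", and the `\paragraph{Formal Proof}` heading currently has no body; the file also lacks a trailing newline.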