rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

split file into multiple files

Browse Source
This commit is contained in:
Aaron Kaiser
2023-03-10 10:30:23 +01:00
parent 673d2170a0
commit 33e92e22eb
4 changed files with 44 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
thesis/Abschlussarbeit.tex
View File

@@ -116,6 +116,8 @@ TODO
\subsection{Security Notions}
\subsubsection{Identical-until-bad Games}
\subsubsection{Digital Signature Scheme}
@@ -272,47 +274,8 @@ The chain of reductions can be depicted as:
\[ \sdlog => \igame => UF-NMA_{EdDSA} => \cma_{EdDSA} \]
\subsection{UF-NMA $=>$ \cma (ROM)}
% TODO: "intuition for the proof" vs. "intuition of the proof"?
This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
\paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the structure of a canonical identification scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment, challenge and secret key. The signature is the tuple of commitment and response.
To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the choosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message.
\paragraph{Formal Proof}
\subsection{\igame $=>$ UF-NMA (ROM)}
This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game \igame}
\State \quad $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State \quad $\groupelement{A} \assign a \groupelement{B}$
\State \quad $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \quad \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
\State \quad $chall_i \randomsample \{0,1\}^{2b}$
\State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$
\State \quad \Return $chall_i$
\end{algorithmic}
\end{multicols}
\hrule
\caption{\igame}
\label{game:igame}
\end{figure}
\include{sections/security_of_eddsa/uf-nma_implies_suf-cma}
\include{sections/security_of_eddsa/gamez_implies_uf-nma}
\include{sections/security_of_eddsa/dlog'_implies_gamez}