finished first version of proofs

This commit is contained in:
2023-04-24 16:12:19 +02:00
parent f527b43068
commit 397abfe5fe
8 changed files with 95 additions and 75 deletions


@@ -135,7 +135,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
Let $\adversary{A}$ be and adversary against SUF-CMA security of the EdDSA signature scheme. Then
%TODO: richtigre Richtung?
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2\hashqueries}{2^b} \]
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2\hashqueries}{2^b}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
@@ -222,28 +222,28 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\begin{proof}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the black ones and $G_0$ be $\cma$. By definition,
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the black boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_1] \leq \frac{\hashqueries}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\hashqueries}{2^b} \].
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\hashqueries}{2^b}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_2] \leq \frac{\hashqueries}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b} \].
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b}. \]
%TODO: Signatur von RF genauer beschreiben?
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue boxes in the main game and the \Osign oracle with the orange boxes. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefore, an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] \].
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1]. \]
\item Now $G_4$ is the same as SUF-CMA parameterized with EdDSA'. Therefore, we have
\[ \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \].
\[ \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter). \]
\item This proves theorem \ref{theorem:adveddsa'}.
\end{proof}
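Review bot: The theorem statement kept on the new side of the first hunk (the `\advantage{\text{EdDSA'},...} \leq \advantage{\text{EdDSA},...} - \frac{2\hashqueries}{2^b}` line) does not match what the second hunk proves, which the `%TODO: richtigre Richtung?` above it already hints at. The game hops establish only equalities for $G_0 \to G_1$, $G_3 \to G_4$ and $G_4$ versus SUF-CMA of EdDSA', plus the two absolute-difference bounds $|\Pr[G_1]-\Pr[G_2]| \leq \hashqueries/2^b$ and $|\Pr[G_2]-\Pr[G_3]| \leq \hashqueries/2^b$; by the triangle inequality that yields $|\mathrm{Adv}_{\text{EdDSA}} - \mathrm{Adv}_{\text{EdDSA'}}| \leq 2\hashqueries/2^b$, from which $\mathrm{Adv}_{\text{EdDSA'}} \geq \mathrm{Adv}_{\text{EdDSA}} - 2\hashqueries/2^b$ follows, not the stated $\leq$ with a minus. For the usual use of the reduction (security of EdDSA' implies security of EdDSA) the statement should read `\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) + \frac{2\hashqueries}{2^b}. \]` and the final "This proves theorem" step should spell out the triangle-inequality chain that combines the four hop bounds, since at present the proof ends without it. Note also that the $\hashqueries$ in both bad-event bounds counts only the adversary's direct random-oracle queries; if the inlined calls from the signing oracle can also set the flags, the union bound needs to say so explicitly.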