rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

finished first version of proofs

Browse Source
This commit is contained in:
Aaron Kaiser
2023-04-24 16:12:19 +02:00
parent f527b43068
commit 397abfe5fe
8 changed files with 95 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex
View File

@@ -7,7 +7,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\begin{definition}[\somdl]
Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$ we define its advantage in the \somdl game as following:
\[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] | \].
\[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] |. \]
\end{definition}
\begin{figure}
@@ -57,7 +57,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A_i})$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
@@ -84,21 +84,21 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\begin{proof}
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes and $G_0$ be MU-\igame. By definition,
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1$:}} TODO %TODO
\item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box setting a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag being introduced this change does not influence the behavior of the game and is therefore only conceptual.
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_2:$}} TODO %TODO
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort is triggered if the bad flag is set to true. For each individual \ioracle oracle query the bad flag is set with a probability of $\frac{N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. With $2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}$ being the min-entropy of $\ch$ and $N$ being the number of $r_i$ with which the equation $2^c \ch \equiv - r_i \pmod L$ could evaluate to true. By the Union bound over all $\oraclequeries$ oracle quries we obtain $\Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) \label{eq:adv_omdl'}
\end{align}.
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter). \label{eq:adv_omdl'}
\end{align}
\begin{figure}
\hrule
@@ -107,21 +107,22 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A_i})$ \textbf{then}
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then}
\State \quad $abort$
\State Let $\groupelement{R^*} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State $r^* \assign r_1$
\State $r_b \assign r_1$
\State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$
\State \quad $a_j \assign \textit{DL}(\groupelement{A_j})$
\Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
\State \quad $r^* \assign r^* + a_j$
\State Let $R^* = r^* \groupelement{B} + r_i \groupelement{A_i}$
\State $a_i \assign (2^c s^* - r^*)(r_i + 2^c \ch^*)^{-1}$
\State \quad $r_b \assign r_b + r_{j+1} a_j$
\State $a_i \assign (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}$
\Comment{$\groupelement{R} = r_b \groupelement{B} + r_i \groupelement{A_i}$}
\State \Return $(a_1, a_2, ..., a_N)$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
\vspace{1mm}
\State Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State $\ch_i \randomsample \{0,1\}^{2b}$
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch_i \equiv -r_i \pmod L$ \textbf{then}
@@ -137,8 +138,15 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
Finally, consider $\adversary{A}$'s output $s^*$. TODO %TODO:
Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one for which $s^*$ is a valid solution in the MU-\igame game. This way the \textit{DL} oracle gets called exactly $N-1$ times which is smaller than $N$ which is required by the \somdl game. Together with the representation of $R^*$ provided during the \ioracle oracle call and the discrete logarithms of the public keys we are able to generate a representation of $R^*$ looking like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get:
\begin{align*}
r_b \groupelement{B} + r_i \groupelement{A_i} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i} \\
\Leftrightarrow (r_i + 2^c \ch^*) \groupelement{A} &= (2^c s^* - r_b) \groupelement{B} \\
\Leftrightarrow \groupelement{A} &= (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1} \groupelement{B}
\end{align*}
Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm if $A_i$. Together with the discrete logarithms of the other public keys, which where obtained by the \textit{DL} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger.
\item This proves theorem \ref{theorem:adv_omdl'}.
\end{proof}