finished first version of proofs
This commit is contained in:
@@ -7,7 +7,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
||||
\begin{definition}[\igame]
|
||||
For an adversary $\adversary{A}$ we define its advantage in the \igame game as following:
|
||||
|
||||
\[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] | \].
|
||||
\[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] |. \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
@@ -38,7 +38,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
||||
\label{theorem:adv_igame}
|
||||
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{\igame}}(\secparamter) \].
|
||||
\[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{\igame}}(\secparamter). \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
|
||||
@@ -73,13 +73,13 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}$. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter) \label{eq:adv_igame}
|
||||
\end{align}.
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \label{eq:adv_igame}
|
||||
\end{align}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
@@ -113,9 +113,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
||||
|
||||
\begin{align*}
|
||||
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
|
||||
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
|
||||
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A} \\
|
||||
\groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}
|
||||
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
|
||||
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A} \\
|
||||
\Leftrightarrow \groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}
|
||||
\end{align*}
|
||||
|
||||
Therefore $S$ is a valid solution for the \igame game.
|
||||
|
||||
Reference in New Issue
Block a user