finished first version of proofs
This commit is contained in:
@@ -135,7 +135,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
|
||||
Let $\adversary{A}$ be and adversary against SUF-CMA security of the EdDSA signature scheme. Then
|
||||
|
||||
%TODO: richtigre Richtung?
|
||||
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2\hashqueries}{2^b} \]
|
||||
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2\hashqueries}{2^b}. \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}}
|
||||
@@ -222,28 +222,28 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the black ones and $G_0$ be $\cma$. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the black boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_1] \leq \frac{\hashqueries}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\hashqueries}{2^b} \].
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\hashqueries}{2^b}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_2] \leq \frac{\hashqueries}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have
|
||||
|
||||
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b} \].
|
||||
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b}. \]
|
||||
|
||||
%TODO: Signatur von RF genauer beschreiben?
|
||||
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue boxes in the main game and the \Osign oracle with the orange boxes. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefore, an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
|
||||
|
||||
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item Now $G_4$ is the same as SUF-CMA parameterized with EdDSA'. Therefore, we have
|
||||
|
||||
\[ \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \].
|
||||
\[ \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter). \]
|
||||
|
||||
\item This proves theorem \ref{theorem:adveddsa'}.
|
||||
\end{proof}
|
||||
|
||||
@@ -8,7 +8,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
||||
\begin{definition}[MU-\igame]
|
||||
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$ we define its advantage in the MU-\igame as following:
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] | \].
|
||||
\[ \advantage{\adversary{A}}{\text{MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
@@ -75,13 +75,13 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
||||
\begin{proof}
|
||||
\item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma} and $G_0$ be MU-UF-NMA. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \Pr[\text{MU-UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \Pr[\text{MU-UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{MU-\igame}}(\secparamter) \label{eq:adv_mu-igame}
|
||||
\end{align}.
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{MU-\igame}}(\secparamter). \label{eq:adv_mu-igame}
|
||||
\end{align}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
@@ -113,8 +113,8 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
||||
|
||||
\begin{align*}
|
||||
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A_i} | m) \groupelement{A_i} \\
|
||||
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A_i} | m) \groupelement{A_i} \\
|
||||
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A_i} \\
|
||||
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A_i} | m) \groupelement{A_i} \\
|
||||
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A_i} \\
|
||||
\groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A_i}
|
||||
\end{align*}
|
||||
|
||||
|
||||
@@ -6,7 +6,7 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp
|
||||
\label{theorem:adv_mu-uf-nma}
|
||||
Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} This proof follows closely the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the missing \Osign oracle in MU-UF-NMA. For this reason the reduction has to simulate the \Osign oracle without the knowledge of the private keys.
|
||||
@@ -23,8 +23,8 @@ Again the programmability of the random oracle together with the \simalg algorit
|
||||
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
|
||||
\State \textbf{for} $j \in \{1,2,...,N\}$
|
||||
\State \quad $(h_{j_0}, h_{j_1}, ..., h_{j_{2b-1}}) \randomsample \{0,1\}^{2b}$
|
||||
\State \quad $s_i \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_{j_i}$
|
||||
\State \quad $\groupelement{A_i} \assign s_i \groupelement{B}$
|
||||
\State \quad $s_j \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_{j_i}$
|
||||
\State \quad $\groupelement{A_j} \assign s_j \groupelement{B}$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2},...,\groupelement{A_N})$
|
||||
\State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin Q$
|
||||
\end{algorithmic}
|
||||
@@ -88,33 +88,33 @@ Again the programmability of the random oracle together with the \simalg algorit
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one and $G_0$ be MU-SUF-CMA. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ now is defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set if the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Therefore,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. Again without loss of generality it is assumed that the adversary only quries each public key message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_3:$}} In $G_3$ the \Osign oracle is replaced by the \Osign oracle in the green box. Instead of calculating the response using the secret key the \simalg algorithm is used to generate a tuple of commitment, challenge and response. Then the random oracle is programmed to output the specific challenge given $\encoded{R} | \encoded{A_j} | \m$ as an input. This change is only conceptual, since \simalg outputs a correctly distributed set and it was ruled out in earlier games that the random oracle was previously queries with this input. Hence,
|
||||
|
||||
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) \label{eq:adv_mu-uf-nma}
|
||||
\end{align}.
|
||||
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter). \label{eq:adv_mu-uf-nma}
|
||||
\end{align}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||
\State \Return $(\m^*, \signature^*)$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
@@ -131,9 +131,9 @@ Again the programmability of the random oracle together with the \simalg algorit
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
|
||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
|
||||
\State \quad $\sum[m] \assign H(m)$
|
||||
\State \Return $\sum[m]$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
@@ -143,8 +143,14 @@ Again the programmability of the random oracle together with the \simalg algorit
|
||||
|
||||
To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
|
||||
|
||||
% TODO: Ist die Begründung ausreichend?
|
||||
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{MU-\cma}$ setting is also a valid signature in the $\text{MU-UF-NMA}$ setting.
|
||||
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. For the signature to be valid in the \cma game the signature for this message and public key must have not been queried via the \Osign oracle. Therefore the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by adversary $\adversary{B}$ but was forwarded from the MU-UF-NMA challenger. Meaning $H'(\encoded{R}|\encoded{A_i}|m) = H(\encoded{R}|\encoded{A_i}|m)$. Hence,
|
||||
|
||||
\begin{align*}
|
||||
2^c S \groupelement{B} &= 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i} \\
|
||||
\Leftrightarrow 2^c S \groupelement{B} &= 2^c R + 2^c H(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}
|
||||
\end{align*}
|
||||
|
||||
Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also valid for the MU-UF-NMA challenger.
|
||||
|
||||
\item This proves theorem \ref{theorem:adv_mu-uf-nma}.
|
||||
\end{proof}
|
||||
@@ -7,7 +7,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
||||
\begin{definition}[\somdl]
|
||||
Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$ we define its advantage in the \somdl game as following:
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] | \].
|
||||
\[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] |. \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
@@ -57,7 +57,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
||||
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
||||
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A_i})$
|
||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
||||
\end{algorithmic}
|
||||
\vspace{2mm}
|
||||
\begin{algorithmic}[1]
|
||||
@@ -84,21 +84,21 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes and $G_0$ be MU-\igame. By definition,
|
||||
|
||||
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item \paragraph{\underline{$G_1$:}} TODO %TODO
|
||||
\item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box setting a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag being introduced this change does not influence the behavior of the game and is therefore only conceptual.
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} TODO %TODO
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort is triggered if the bad flag is set to true. For each individual \ioracle oracle query the bad flag is set with a probability of $\frac{N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. With $2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}$ being the min-entropy of $\ch$ and $N$ being the number of $r_i$ with which the equation $2^c \ch \equiv - r_i \pmod L$ could evaluate to true. By the Union bound over all $\oraclequeries$ oracle quries we obtain $\Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
|
||||
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) \label{eq:adv_omdl'}
|
||||
\end{align}.
|
||||
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter). \label{eq:adv_omdl'}
|
||||
\end{align}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
@@ -107,21 +107,22 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
||||
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A_i})$ \textbf{then}
|
||||
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then}
|
||||
\State \quad $abort$
|
||||
\State Let $\groupelement{R^*} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
|
||||
\State $r^* \assign r_1$
|
||||
\State $r_b \assign r_1$
|
||||
\State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$
|
||||
\State \quad $a_j \assign \textit{DL}(\groupelement{A_j})$
|
||||
\Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
|
||||
\State \quad $r^* \assign r^* + a_j$
|
||||
\State Let $R^* = r^* \groupelement{B} + r_i \groupelement{A_i}$
|
||||
\State $a_i \assign (2^c s^* - r^*)(r_i + 2^c \ch^*)^{-1}$
|
||||
\State \quad $r_b \assign r_b + r_{j+1} a_j$
|
||||
\State $a_i \assign (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}$
|
||||
\Comment{$\groupelement{R} = r_b \groupelement{B} + r_i \groupelement{A_i}$}
|
||||
\State \Return $(a_1, a_2, ..., a_N)$
|
||||
\end{algorithmic}
|
||||
\vspace{2mm}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
|
||||
\vspace{1mm}
|
||||
\State Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
|
||||
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
||||
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch_i \equiv -r_i \pmod L$ \textbf{then}
|
||||
@@ -137,8 +138,15 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
||||
|
||||
To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
|
||||
|
||||
Finally, consider $\adversary{A}$'s output $s^*$. TODO %TODO:
|
||||
Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one for which $s^*$ is a valid solution in the MU-\igame game. This way the \textit{DL} oracle gets called exactly $N-1$ times which is smaller than $N$ which is required by the \somdl game. Together with the representation of $R^*$ provided during the \ioracle oracle call and the discrete logarithms of the public keys we are able to generate a representation of $R^*$ looking like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get:
|
||||
|
||||
\begin{align*}
|
||||
r_b \groupelement{B} + r_i \groupelement{A_i} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i} \\
|
||||
\Leftrightarrow (r_i + 2^c \ch^*) \groupelement{A} &= (2^c s^* - r_b) \groupelement{B} \\
|
||||
\Leftrightarrow \groupelement{A} &= (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1} \groupelement{B}
|
||||
\end{align*}
|
||||
|
||||
Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm if $A_i$. Together with the discrete logarithms of the other public keys, which where obtained by the \textit{DL} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger.
|
||||
|
||||
\item This proves theorem \ref{theorem:adv_omdl'}.
|
||||
\end{proof}
|
||||
@@ -15,7 +15,7 @@ Strong Existential Unforgeability against Chosen Message Attack (\cma) is a secu
|
||||
\end{definition}
|
||||
|
||||
|
||||
\begin{figure}
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\normalsize
|
||||
@@ -48,13 +48,13 @@ Unforgeability against No Message Attack (UF-NMA) is a security notion for digit
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{UF-NMA}}(\secparamter) \assign \prone{\text{UF-NMA}^{\adversary{A}}} \leq \epsilon \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\State \underline{\game $\text{UF-NMA}$}
|
||||
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey)$
|
||||
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
|
||||
@@ -11,7 +11,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
|
||||
\begin{definition}[\sdlog]
|
||||
For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as following:
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{\sdlog}}(\secparamter) \assign | \Pr[\text{\sdlog}^{\adversary{A}} \Rightarrow 1] | \].
|
||||
\[ \advantage{\adversary{A}}{\text{\sdlog}}(\secparamter) \assign | \Pr[\text{\sdlog}^{\adversary{A}} \Rightarrow 1] |. \]
|
||||
\end{definition}
|
||||
|
||||
|
||||
@@ -35,7 +35,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
|
||||
\label{theorem:advgamez}
|
||||
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
|
||||
|
||||
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}}
|
||||
@@ -100,23 +100,23 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
|
||||
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:igamewithabort} by excluding all boxes and $G_0$ be \igame. By definition,
|
||||
|
||||
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c \ch_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefore the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
% TODO: Müsste das nicht floor statt ceil sein?
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
|
||||
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) \label{eq:advbsdlog}
|
||||
\end{align}.
|
||||
|
||||
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter). \label{eq:advbsdlog}
|
||||
\end{align}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
@@ -152,8 +152,8 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
|
||||
\begin{align*}
|
||||
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \\
|
||||
(r_2 + 2^c \ch^*)A &= (2^c s^* - r_1)B \\
|
||||
A &= (2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1} B
|
||||
\Leftrightarrow (r_2 + 2^c \ch^*)A &= (2^c s^* - r_1)B \\
|
||||
\Leftrightarrow A &= (2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1} B
|
||||
\end{align*}
|
||||
|
||||
Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$.
|
||||
|
||||
@@ -7,7 +7,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
||||
\begin{definition}[\igame]
|
||||
For an adversary $\adversary{A}$ we define its advantage in the \igame game as following:
|
||||
|
||||
\[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] | \].
|
||||
\[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] |. \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
@@ -38,7 +38,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
||||
\label{theorem:adv_igame}
|
||||
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{\igame}}(\secparamter) \].
|
||||
\[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{\igame}}(\secparamter). \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
|
||||
@@ -73,13 +73,13 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
||||
\begin{proof}
|
||||
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}$. By definition,
|
||||
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter) \label{eq:adv_igame}
|
||||
\end{align}.
|
||||
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \label{eq:adv_igame}
|
||||
\end{align}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
@@ -113,9 +113,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
||||
|
||||
\begin{align*}
|
||||
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
|
||||
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
|
||||
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A} \\
|
||||
\groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}
|
||||
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
|
||||
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A} \\
|
||||
\Leftrightarrow \groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}
|
||||
\end{align*}
|
||||
|
||||
Therefore $S$ is a valid solution for the \igame game.
|
||||
|
||||
@@ -7,7 +7,7 @@ This section shows that the UF-NMA security of EdDSA signature scheme implies th
|
||||
\label{theorem:adv_uf-nma}
|
||||
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
|
||||
|
||||
\[ \advantage{\adversary{A}}{\text{\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\[ \advantage{\adversary{A}}{\text{\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
|
||||
@@ -117,25 +117,25 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort condition is triggered if the $bad$ flag is set. Without loss of generality it is assumed that the adversary queries the \sign oracle only once with each message since the signature generated is deterministic and an adversary would not gain more information by multiple queries with the same message. For each individual sign query the probability for the $bad$ flag to be set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter, which is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition he has to guess the commitment $\groupelement{R}$ used during on of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied with the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $r'$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\groupelement{R}$ has to be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle by the \sign oracle in the green box. This change is only conceptual. \simalg outputs a correctly distributed tuple $(R, \textbf{ch}, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \textbf{ch} \groupelement{A}$ and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed to output $\textbf{ch}$ upon calling $H(\encoded{R} | \encoded{A} | m)$. Therefore, it is ensured that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without the usage of the private key $s$. Therefore,
|
||||
|
||||
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1] \].
|
||||
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \]
|
||||
|
||||
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
\begin{align}
|
||||
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) \label{eq:adv_uf-nma}
|
||||
\end{align}.
|
||||
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv_uf-nma}
|
||||
\end{align}
|
||||
|
||||
\begin{figure}
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\large
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
|
||||
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
|
||||
\State \Return $(\m^*, \signature^*)$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
@@ -152,9 +152,9 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
|
||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
|
||||
\State \quad $\sum[m] \assign H(m)$
|
||||
\State \Return $\sum[m]$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
@@ -164,8 +164,14 @@ The proof starts by providing an algorithm which generates correctly distributed
|
||||
|
||||
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
|
||||
|
||||
% TODO: Ist die Begründung ausreichend?
|
||||
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{\cma}$ setting is also a valid signature in the $\text{UF-NMA}$ setting.
|
||||
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H'(\encoded{R}|\encoded{A}|m) \groupelement{A}$. Since the signature for the message $\m^*$ has not been queried in the \Osign oracle the output of $H'(\encoded{R}|\encoded{A}|m)$ has not been set by the adversary $\adversary{B}$ but was forwarded from the $H$ hash oracle. For this reason $H'(\encoded{R}|\encoded{A}|m) = H(\encoded{R}|\encoded{A}|m)$. Therefore,
|
||||
|
||||
\begin{align*}
|
||||
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H'(\encoded{R}|\encoded{A}|m) \groupelement{A}\\
|
||||
\Leftrightarrow 2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R}|\encoded{A}|m) \groupelement{A}.
|
||||
\end{align*}
|
||||
|
||||
Meaning that the forged signature from adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
|
||||
|
||||
\item This proves theorem \ref{theorem:adv_uf-nma}.
|
||||
\end{proof}
|
||||
Reference in New Issue
Block a user