From 3df7ccbfe4c0a7a3942983dccb4669ef5e6f80ba Mon Sep 17 00:00:00 2001
From: Aaron Kaiser
Date: Mon, 12 Jun 2023 11:53:44 +0200
Subject: [PATCH] Removed line numbers in figures
---
bounds/bounds.py | 20 ++++++++++++++++++
thesis/sections/eddsa.tex | 18 ++++++++--------
thesis/sections/edggm/omdl.tex | 6 ++++--
.../mu-gamez_implies_mu-uf-nma.tex | 14 ++++++-------
.../mu-uf-nma_implies_mu-suf-cma.tex | 21 +++++++++----------
.../omdl'_implies_mu-gamez.tex | 14 ++++++-------
thesis/sections/security_notions.tex | 10 ++++-----
.../security_of_eddsa/dlog'_implies_gamez.tex | 8 +++----
.../gamez_implies_uf-nma.tex | 12 +++++------
.../uf-nma_implies_suf-cma.tex | 20 +++++++++---------
10 files changed, 82 insertions(+), 61 deletions(-)
create mode 100644 bounds/bounds.py
diff --git a/bounds/bounds.py b/bounds/bounds.py
new file mode 100644
index 0000000..6714c8d
--- /dev/null
+++ b/bounds/bounds.py
@@ -0,0 +1,20 @@
+n = 254
+c = 3
+b = 256
+a = 253
+
+def calc(qo, qh, qg):
+ x = ((2 ** qg + 3) ** 2 + 1) / 2 ** (n - 1 - c) - (2 * (2 ** qo + 1)) / 2 ** b - (2 ** qo * 2 ** qh + 2 ** qo) / 2 ** a
+ return x
+
+best = (512, 512, 512)
+
+for qo in range(1, 128):
+ print(qo)
+ for qh in range(1, 128):
+ for qg in range(1, 128):
+ x = calc(qo, qh, qg)
+ if x >= 1 and qo + qh + qg < sum(best):
+ best = (qo, qh, qg)
+
+print(best)
diff --git a/thesis/sections/eddsa.tex b/thesis/sections/eddsa.tex
index 4b067c2..180d235 100644
--- a/thesis/sections/eddsa.tex
+++ b/thesis/sections/eddsa.tex
@@ -37,7 +37,7 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}. \hrule \begin{multicols}{3} \scriptsize
- \begin{algorithmic}[1]
+ \begin{algorithmic} \Statex \underline{\textbf{\keygen}} \State $k \randomsample \{0,1\}^b$ \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ 
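Review bot: `calc` decides `x >= 1` on floating-point values although every term is an exact rational (an integer over a power of two) and, at the threshold (qg = 125), the first term exceeds 1 by roughly 2^-122, far below a double's ulp, so `/` rounds it to exactly 1.0 before the subtractions and the comparison is settled by rounding rather than by the bound; `from fractions import Fraction` and `x = Fraction((2 ** qg + 3) ** 2 + 1, 2 ** (n - 1 - c)) - Fraction(2 * (2 ** qo + 1), 2 ** b) - Fraction(2 ** qo * 2 ** qh + 2 ** qo, 2 ** a)` keep the arithmetic exact at negligible cost. I have not checked whether the rounding changes the tuple found for these parameters, but a script whose only job is to locate a threshold should not depend on it. The four constants and the expression also carry no comment tying them to the thesis: a header naming what `n`, `c`, `b` and `a` stand for (this `a` is an exponent, not the secret scalar the thesis calls `a`) and which bound the three terms of `calc` come from would make the file checkable against the proofs. The progress output `print(qo)` shares stdout with the result; `import sys` and `print(qo, file=sys.stderr)` leave the final `print(best)` as the only thing on stdout. The file is also unrelated to the commit subject, which only mentions the figure line numbers.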
@@ -46,7 +46,7 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}. \State \Return (\encoded{$A$}, $k$) \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{\sign}($k$, $m$)} \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ @@ -57,7 +57,7 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}. \State \Return $\sigma \assign (\encoded{R}, S)$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)} \State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$ \end{algorithmic} @@ -129,7 +129,7 @@ The EdDSA' signature scheme is shown in figure \ref{fig:eddsa'}. The difference \hrule \begin{multicols}{3} \scriptsize - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{\keygen}} \State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ @@ -137,7 +137,7 @@ The EdDSA' signature scheme is shown in figure \ref{fig:eddsa'}. The difference \State \Return (\encoded{$A$}, $k \assign (s, h_b | ... | h_{2b-1})$) \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{\sign}($k \assign (s, h_b | ... | h_{2b-1})$, $m$)} \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... | h_{2b-1} | m)$ \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ @@ -146,7 +146,7 @@ The EdDSA' signature scheme is shown in figure \ref{fig:eddsa'}. The difference \State \Return $\sigma \assign (\encoded{R}, S)$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)} \State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$ \end{algorithmic} 
@@ -173,7 +173,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}} \State $k \randomsample \{0,1\}^b$ \BeginBox[draw=black] @@ -196,7 +196,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game \State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \sign($m \in \messagespace$)} \BeginBox[draw=black] \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$ @@ -220,7 +220,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game \State \Return $\signature$ \end{algorithmic} \end{multicols} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H(m \in \{0,1\}^*)$} \BeginBox[draw=blue] \State $\textbf{if } m = k \textbf{ then}$ diff --git a/thesis/sections/edggm/omdl.tex b/thesis/sections/edggm/omdl.tex index ab7be0c..a02dad4 100644 --- a/thesis/sections/edggm/omdl.tex +++ b/thesis/sections/edggm/omdl.tex 
@@ -214,9 +214,9 @@ This section provides a lower bound on the hardness of the modified version of t \[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \] - \item \paragraph{\underline{$G_3:$}} $G_3$ also introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and lables, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. 
Therefore, + \item \paragraph{\underline{$G_3:$}} $G_3$ also introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore, - \[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}} \] + \[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. 
\] \item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\oraclequeries + N + 2$ many polynomials, one per DL query and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\oraclequeries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games, 
@@ -238,10 +238,12 @@ This section provides a lower bound on the hardness of the modified version of t \[ |\prone{G_5^{\adversary{A}}} - \prone{G_6^{\adversary{A}}}| \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}. \] + %TODOÖ genauer erklären, da nicht eindeutig. \item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of the polynomials in the Enc procedure. This change is conceptual, since the game aborts if two distinct polynomials would evaluate to the same value. Therefore, it is sufficient to directly compare polynomials in the cases where the game does not abort. Since the change is only conceptual: \[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \] + %TODO: Auch genauer beschreiben \item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. This change is only conceptual, since the discrete logarithms are not used prior to being chosen. Therefore, \[ \prone{G_7^{\adversary{A}}} = \prone{G_8^{\adversary{A}}}. \] diff --git a/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex b/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex index 5ee1dbc..0362f9e 100644 --- a/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex +++ b/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex @@ -15,7 +15,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \hrule \vspace{1mm} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game \igame} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$ 
@@ -24,7 +24,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \end{algorithmic} \vspace{2mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)} \State $\ch_i \randomsample \{0,1\}^{2b}$ \State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$ @@ -39,7 +39,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \label{theorem:adv_mu-igame} Let $\adversary{A}$ be an adversary against MU-\igame. Then, - \[ \advantage{\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter) \]. + \[ \advantage{\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter). \] \end{theorem} \paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle a valid forgery of the signature also becomes a valid solution for the MU-\igame game. @@ -50,7 +50,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \State \underline{\game $G_0$} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $(h_{i_0}, h_{i_1}, ..., h_{i_{2b-1}}) \randomsample \{0,1\}^{2b}$ 
@@ -60,7 +60,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \State \Return $\exists i \in \{1,2,...,N\}: \verify(\groupelement{A_i}, \m^*,\signature^*)$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H(m \in \{0,1\}^*)$} \State $\textbf{if } \sum[m] = \bot \textbf{ then}$ \State \quad $\sum[m] \randomsample \{0,1\}^{2b}$ @@ -87,13 +87,13 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \hrule \vspace{1mm} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$} \State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State \Return $S$ \end{algorithmic} \vspace{2mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H(m \in \{0,1\}^*)$} \State $\textbf{if } \sum[m] = \bot \textbf{ then}$ \State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R}, \groupelement{A} \in \curve \textbf{ then}$ diff --git a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex index bfbd22b..812de96 100644 --- a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex +++ b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex @@ -19,7 +19,7 @@ Again the programmability of the random oracle together with the \simalg algorit \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}} \State \textbf{for} $j \in \{1,2,...,N\}$ \State \quad $(h_{j_0}, h_{j_1}, ..., h_{j_{2b-1}}) \randomsample \{0,1\}^{2b}$ 
@@ -29,7 +29,7 @@ Again the programmability of the random oracle together with the \simalg algorit \State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin \pset{Q}$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)} \Comment{$G_0 - G_2$} \State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_{j_b} | ... | h_{j_{2b-1}} | \m)$ @@ -57,15 +57,14 @@ Again the programmability of the random oracle together with the \simalg algorit \end{algorithmic} \end{multicols} \begin{multicols}{2} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H(\m \in \{0,1\}^*)$} \State $\textbf{if } \sum[\m] = \bot \textbf{ then}$ \State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$ \State \Return $\sum[\m]$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] - %TODO: Nummer vor Oracle + \begin{algorithmic} \BeginBox[draw=green] \State \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)} \Comment{$G_3$} @@ -112,13 +111,13 @@ Again the programmability of the random oracle together with the \simalg algorit \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$} \State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State \Return $(\m^*, \signature^*)$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)} \State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$ \State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$ 
@@ -130,7 +129,7 @@ Again the programmability of the random oracle together with the \simalg algorit \State \Return $\signature$ \end{algorithmic} \end{multicols} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H'(m \in \{0,1\}^*)$} \State $\textbf{if } \sum[m] = \bot \textbf{ then}$ \State \quad $\sum[m] \assign H(m)$ @@ -178,13 +177,13 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$} \State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State \Return $(\m^*, \signature^*)$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)} \State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$ \State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$ @@ -196,7 +195,7 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur \State \Return $\signature$ \end{algorithmic} \end{multicols} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H'(m \in \{0,1\}^*)$} \State $\textbf{if } \sum[m] = \bot \textbf{ then}$ \State \quad $\sum[m] \assign H(m)$ diff --git a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex index d55bdb6..89a51fe 100644 --- a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex +++ b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex 
@@ -15,7 +15,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \hrule \vspace{1mm} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game \somdl} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ @@ -25,7 +25,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N) \wedge I < N$ \end{algorithmic} \vspace{2mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$} \vspace{1mm} \State $I \assign I + 1$ 
@@ -41,7 +41,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \label{theorem:adv_omdl'} Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then - \[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]. + \[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \end{theorem} \paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game. 
@@ -52,7 +52,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \hrule \large \vspace{1mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$ @@ -61,7 +61,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \end{algorithmic} \vspace{2mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)} \State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$ \State $\ch \randomsample \{0,1\}^{2b}$ @@ -105,7 +105,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \hrule \large \vspace{1mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$} \State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then} @@ -121,7 +121,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \State \Return $(a_1, a_2, ..., a_N)$ \end{algorithmic} \vspace{2mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)} \vspace{1mm} \State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$ 
diff --git a/thesis/sections/security_notions.tex b/thesis/sections/security_notions.tex index b6ade65..47b4c5f 100644 --- a/thesis/sections/security_notions.tex +++ b/thesis/sections/security_notions.tex @@ -36,7 +36,7 @@ A common security notion for digital signature schemes is the existential unforg \State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*) \notin M$ \end{algorithmic} \vspace{2mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)} \State $\signature \randomassign \sign(\privkey_i, \m)$ \State $M \assign M \cup \{(\pubkey_i, \m)\}$ @@ -67,7 +67,7 @@ A common security notion for digital signature schemes is the existential unforg \State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$ \end{algorithmic} \vspace{2mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)} \State $\signature \randomassign \sign(\privkey_i, \m)$ \State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$ @@ -91,7 +91,7 @@ The MU-UF-NMA security game is similar to the MU-EUF-CMA game. The only differen \begin{figure}[h] \hrule \vspace{1mm} - \begin{algorithmic}[1] + \begin{algorithmic} \State \underline{\game $\text{MU-UF-NMA}$} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$ @@ -118,7 +118,7 @@ This thesis proves the security of the EdDSA signature scheme under two assumpti \begin{figure}[h] \hrule \vspace{1mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game Dlog} \State $a \randomsample \field{L}$ \State $\groupelement{A} \assign a \groupelement{B}$ 
@@ -144,7 +144,7 @@ The one-more discrete logarithm assumption is stronger than the discrete logarit \begin{figure}[h] \hrule \vspace{1mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game OM-Dlog} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \field{L}$ diff --git a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex index 0e9c49d..d390b2b 100644 --- a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex +++ b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex @@ -18,7 +18,7 @@ The \sdlog game is a variant of the discrete logarithm game that represents the \begin{figure}[h] \hrule \vspace{1mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game \sdlog} \State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \State $\groupelement{A} \assign a \groupelement{B}$ @@ -46,7 +46,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$ \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}} \State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$ \State $\groupelement{A} \assign a \groupelement{B}$ @@ -121,7 +121,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$ \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$} \State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$ \State \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, \ch^*) \in \pset{Q}$ \textbf{then} 
@@ -130,7 +130,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$ \State \Return $(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)} \State Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$ \State $\ch_i \randomsample \{0,1\}^{2b}$ diff --git a/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex index 516d2ba..77a0afc 100644 --- a/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex +++ b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex @@ -14,7 +14,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game \igame} \State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$ \State $\groupelement{A} \assign a \groupelement{B}$ @@ -22,7 +22,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)} \State $\ch_i \randomsample \{0,1\}^{2b}$ \State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$ @@ -49,7 +49,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \State \underline{\game $G_0$} \State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ 
@@ -58,7 +58,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \State \Return $\verify(\groupelement{A}, \m^*,\signature^*)$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H(m \in \{0,1\}^*)$} \State $\textbf{if } \sum[m] = \bot \textbf{ then}$ \State \quad $\sum[m] \randomsample \{0,1\}^{2b}$ @@ -88,13 +88,13 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \vspace{1mm} \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A})$} \State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$ \State \Return $S$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H(m \in \{0,1\}^*)$} \State $\textbf{if } \sum[m] = \bot \textbf{ then}$ \State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R} \in \curve \textbf{ then}$ diff --git a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex index 04bd2ce..3535021 100644 --- a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex +++ b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex @@ -24,7 +24,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \begin{figure} \hrule \vspace{1mm} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\simalg(\groupelement{A})} \State $\textbf{ch} \randomsample \{0,1\}^{2b}$ \State $s \randomsample \{0,1\}^{2b}$ 
@@ -41,7 +41,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}} \State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ @@ -50,7 +50,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \sign($\m \in \messagespace$)} \Comment{$G_0 - G_2$} \State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | \m)$ @@ -78,14 +78,14 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \end{algorithmic} \end{multicols} \begin{multicols}{2} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H(\m \in \{0,1\}^*)$} \State $\textbf{if } \sum[\m] = \bot \textbf{ then}$ \State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$ \State \Return $\sum[\m]$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} %TODO: Nummer vor Oracle \BeginBox[draw=green] \State \underline{\oracle \sign($\m \in \messagespace$)} 
@@ -135,13 +135,13 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$} \State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$ \State \Return $(\m^*, \signature^*)$ \end{algorithmic} \columnbreak - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle \sign($m \in \messagespace$)} \State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$ \State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$ @@ -153,7 +153,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \State \Return $\signature$ \end{algorithmic} \end{multicols} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H'(m \in \{0,1\}^*)$} \State $\textbf{if } \sum[m] = \bot \textbf{ then}$ \State \quad $\sum[m] \assign H(m)$ @@ -203,7 +203,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit \hrule \begin{multicols}{2} \large - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$} \State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$ \State \Return $(\m^*, \signature^*)$ @@ -221,7 +221,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit \State \Return $\signature$ \end{algorithmic} \end{multicols} - \begin{algorithmic}[1] + \begin{algorithmic} \Statex \underline{\oracle $H'(m \in \{0,1\}^*)$} \State $\textbf{if } \sum[m] = \bot \textbf{ then}$ \State \quad $\sum[m] \assign H(m)$