rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Removed line numbers in figures

Browse Source
This commit is contained in:
Aaron Kaiser
2023-06-12 11:53:44 +02:00
parent 9ba0bc2ef3
commit 3df7ccbfe4
10 changed files with 82 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex
View File

@@ -15,7 +15,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\hrule
\vspace{1mm}
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game \igame}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
@@ -24,7 +24,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
\State $\ch_i \randomsample \{0,1\}^{2b}$
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
@@ -39,7 +39,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\label{theorem:adv_mu-igame}
Let $\adversary{A}$ be an adversary against MU-\igame. Then,
\[ \advantage{\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter) \].
\[ \advantage{\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter). \]
\end{theorem}
\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle a valid forgery of the signature also becomes a valid solution for the MU-\igame game.
@@ -50,7 +50,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\State \underline{\game $G_0$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(h_{i_0}, h_{i_1}, ..., h_{i_{2b-1}}) \randomsample \{0,1\}^{2b}$
@@ -60,7 +60,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\groupelement{A_i}, \m^*,\signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
@@ -87,13 +87,13 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\hrule
\vspace{1mm}
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $S$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R}, \groupelement{A} \in \curve \textbf{ then}$

21
thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex
View File

@@ -19,7 +19,7 @@ Again the programmability of the random oracle together with the \simalg algorit
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
\State \textbf{for} $j \in \{1,2,...,N\}$
\State \quad $(h_{j_0}, h_{j_1}, ..., h_{j_{2b-1}}) \randomsample \{0,1\}^{2b}$
@@ -29,7 +29,7 @@ Again the programmability of the random oracle together with the \simalg algorit
\State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin \pset{Q}$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\Comment{$G_0 - G_2$}
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_{j_b} | ... | h_{j_{2b-1}} | \m)$
@@ -57,15 +57,14 @@ Again the programmability of the random oracle together with the \simalg algorit
\end{algorithmic}
\end{multicols}
\begin{multicols}{2}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[\m]$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
%TODO: Nummer vor Oracle
\begin{algorithmic}
\BeginBox[draw=green]
\State \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\Comment{$G_3$}
@@ -112,13 +111,13 @@ Again the programmability of the random oracle together with the \simalg algorit
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
@@ -130,7 +129,7 @@ Again the programmability of the random oracle together with the \simalg algorit
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \assign H(m)$
@@ -178,13 +177,13 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
@@ -196,7 +195,7 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \assign H(m)$

14
thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex
View File

@@ -15,7 +15,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\hrule
\vspace{1mm}
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game \somdl}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
@@ -25,7 +25,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N) \wedge I < N$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$}
\vspace{1mm}
\State $I \assign I + 1$
@@ -41,7 +41,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\label{theorem:adv_omdl'}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
@@ -52,7 +52,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\hrule
\large
\vspace{1mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
@@ -61,7 +61,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)}
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State $\ch \randomsample \{0,1\}^{2b}$
@@ -105,7 +105,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\hrule
\large
\vspace{1mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then}
@@ -121,7 +121,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\State \Return $(a_1, a_2, ..., a_N)$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)}
\vspace{1mm}
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$