Removed line numbers in figures
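--- a/bounds/bounds.py
+++ b/bounds/bounds.py
@@ -0,0 +1,20 @@
+n = 254
+c = 3
+b = 256
+a = 253
+
+def calc(qo, qh, qg):
+    x = ((2 ** qg + 3) ** 2 + 1) / 2 ** (n - 1 - c) - (2 * (2 ** qo + 1)) / 2 ** b - (2 ** qo * 2 ** qh + 2 ** qo) / 2 ** a
+    return x
+
+best = (512, 512, 512)
+
+for qo in range(1, 128):
+    print(qo)
+    for qh in range(1, 128):
+        for qg in range(1, 128):
+            x = calc(qo, qh, qg)
+            if x >= 1 and qo + qh + qg < sum(best):
+                best = (qo, qh, qg)
+
+print(best)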
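Review bot: `calc` evaluates the bound with float true division, so the `x >= 1` test in the innermost loop can only see the leading term: the subtracted terms such as `(2 * (2 ** qo + 1)) / 2 ** b` are on the order of 2**-250 and vanish when taken from a value near 1, which means the search is decided by `((2 ** qg + 3) ** 2 + 1) / 2 ** (n - 1 - c)` alone whenever the other terms are below 2**-53 relative to it. Every operand is an integer over a power of two, so the comparison can be made exact by adding `from fractions import Fraction` and writing `x = Fraction((2 ** qg + 3) ** 2 + 1, 2 ** (n - 1 - c)) - Fraction(2 * (2 ** qo + 1), 2 ** b) - Fraction(2 ** qo * 2 ** qh + 2 ** qo, 2 ** a)`; `x >= 1` works unchanged on a Fraction. For the minimum this script reports the float and exact results appear to agree, but a script that justifies a bound in the proof should not rely on that coincidence. A module comment saying what `n`, `c`, `b`, `a` and the three terms stand for (they look like the parameters behind the `2^{n - 1 - c}` and `\{0,1\}^{2b}` expressions in the proof hunks below, which should be confirmed) and a docstring on `calc` stating the inequality it checks would also make the file reviewable on its own.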
@@ -37,7 +37,7 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}.
|
|||||||
\hrule
|
\hrule
|
||||||
\begin{multicols}{3}
|
\begin{multicols}{3}
|
||||||
\scriptsize
|
\scriptsize
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\textbf{\keygen}}
|
\Statex \underline{\textbf{\keygen}}
|
||||||
\State $k \randomsample \{0,1\}^b$
|
\State $k \randomsample \{0,1\}^b$
|
||||||
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
|
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
|
||||||
@@ -46,7 +46,7 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}.
|
|||||||
\State \Return (\encoded{$A$}, $k$)
|
\State \Return (\encoded{$A$}, $k$)
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\textbf{\sign}($k$, $m$)}
|
\Statex \underline{\textbf{\sign}($k$, $m$)}
|
||||||
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
|
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
|
||||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||||
@@ -57,7 +57,7 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}.
|
|||||||
\State \Return $\sigma \assign (\encoded{R}, S)$
|
\State \Return $\sigma \assign (\encoded{R}, S)$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)}
|
\Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)}
|
||||||
\State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
|
\State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
@@ -129,7 +129,7 @@ The EdDSA' signature scheme is shown in figure \ref{fig:eddsa'}. The difference
|
|||||||
\hrule
|
\hrule
|
||||||
\begin{multicols}{3}
|
\begin{multicols}{3}
|
||||||
\scriptsize
|
\scriptsize
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\textbf{\keygen}}
|
\Statex \underline{\textbf{\keygen}}
|
||||||
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
||||||
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
||||||
@@ -137,7 +137,7 @@ The EdDSA' signature scheme is shown in figure \ref{fig:eddsa'}. The difference
|
|||||||
\State \Return (\encoded{$A$}, $k \assign (s, h_b | ... | h_{2b-1})$)
|
\State \Return (\encoded{$A$}, $k \assign (s, h_b | ... | h_{2b-1})$)
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\textbf{\sign}($k \assign (s, h_b | ... | h_{2b-1})$, $m$)}
|
\Statex \underline{\textbf{\sign}($k \assign (s, h_b | ... | h_{2b-1})$, $m$)}
|
||||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... | h_{2b-1} | m)$
|
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... | h_{2b-1} | m)$
|
||||||
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
|
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
|
||||||
@@ -146,7 +146,7 @@ The EdDSA' signature scheme is shown in figure \ref{fig:eddsa'}. The difference
|
|||||||
\State \Return $\sigma \assign (\encoded{R}, S)$
|
\State \Return $\sigma \assign (\encoded{R}, S)$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)}
|
\Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)}
|
||||||
\State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
|
\State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
@@ -173,7 +173,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
|||||||
\hrule
|
\hrule
|
||||||
\begin{multicols}{2}
|
\begin{multicols}{2}
|
||||||
\large
|
\large
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
|
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
|
||||||
\State $k \randomsample \{0,1\}^b$
|
\State $k \randomsample \{0,1\}^b$
|
||||||
\BeginBox[draw=black]
|
\BeginBox[draw=black]
|
||||||
@@ -196,7 +196,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
|||||||
\State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$
|
\State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle \sign($m \in \messagespace$)}
|
\Statex \underline{\oracle \sign($m \in \messagespace$)}
|
||||||
\BeginBox[draw=black]
|
\BeginBox[draw=black]
|
||||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
|
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
|
||||||
@@ -220,7 +220,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
|
|||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||||
\BeginBox[draw=blue]
|
\BeginBox[draw=blue]
|
||||||
\State $\textbf{if } m = k \textbf{ then}$
|
\State $\textbf{if } m = k \textbf{ then}$
|
||||||
|
|||||||
@@ -214,9 +214,9 @@ This section provides a lower bound on the hardness of the modified version of t
|
|||||||
|
|
||||||
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
|
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
|
||||||
|
|
||||||
\item \paragraph{\underline{$G_3:$}} $G_3$ also introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and lables, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
|
\item \paragraph{\underline{$G_3:$}} $G_3$ also introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
|
||||||
|
|
||||||
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}} \]
|
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \]
|
||||||
|
|
||||||
\item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\oraclequeries + N + 2$ many polynomials, one per DL query and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\oraclequeries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games,
|
\item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\oraclequeries + N + 2$ many polynomials, one per DL query and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\oraclequeries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games,
|
||||||
|
|
||||||
@@ -238,10 +238,12 @@ This section provides a lower bound on the hardness of the modified version of t
|
|||||||
|
|
||||||
\[ |\prone{G_5^{\adversary{A}}} - \prone{G_6^{\adversary{A}}}| \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}. \]
|
\[ |\prone{G_5^{\adversary{A}}} - \prone{G_6^{\adversary{A}}}| \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}. \]
|
||||||
|
|
||||||
|
%TODOÖ genauer erklären, da nicht eindeutig.
|
||||||
\item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of the polynomials in the Enc procedure. This change is conceptual, since the game aborts if two distinct polynomials would evaluate to the same value. Therefore, it is sufficient to directly compare polynomials in the cases where the game does not abort. Since the change is only conceptual:
|
\item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of the polynomials in the Enc procedure. This change is conceptual, since the game aborts if two distinct polynomials would evaluate to the same value. Therefore, it is sufficient to directly compare polynomials in the cases where the game does not abort. Since the change is only conceptual:
|
||||||
|
|
||||||
\[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \]
|
\[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \]
|
||||||
|
|
||||||
|
%TODO: Auch genauer beschreiben
|
||||||
\item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. This change is only conceptual, since the discrete logarithms are not used prior to being chosen. Therefore,
|
\item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. This change is only conceptual, since the discrete logarithms are not used prior to being chosen. Therefore,
|
||||||
|
|
||||||
\[ \prone{G_7^{\adversary{A}}} = \prone{G_8^{\adversary{A}}}. \]
|
\[ \prone{G_7^{\adversary{A}}} = \prone{G_8^{\adversary{A}}}. \]
|
||||||
|
|||||||
@@ -15,7 +15,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
|||||||
\hrule
|
\hrule
|
||||||
\vspace{1mm}
|
\vspace{1mm}
|
||||||
\large
|
\large
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\game \igame}
|
\Statex \underline{\game \igame}
|
||||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||||
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
||||||
@@ -24,7 +24,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
|||||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\vspace{2mm}
|
\vspace{2mm}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
||||||
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
||||||
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||||
@@ -39,7 +39,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
|||||||
\label{theorem:adv_mu-igame}
|
\label{theorem:adv_mu-igame}
|
||||||
Let $\adversary{A}$ be an adversary against MU-\igame. Then,
|
Let $\adversary{A}$ be an adversary against MU-\igame. Then,
|
||||||
|
|
||||||
\[ \advantage{\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter) \].
|
\[ \advantage{\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter). \]
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
|
|
||||||
\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle a valid forgery of the signature also becomes a valid solution for the MU-\igame game.
|
\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle a valid forgery of the signature also becomes a valid solution for the MU-\igame game.
|
||||||
@@ -50,7 +50,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
|||||||
\hrule
|
\hrule
|
||||||
\begin{multicols}{2}
|
\begin{multicols}{2}
|
||||||
\large
|
\large
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\State \underline{\game $G_0$}
|
\State \underline{\game $G_0$}
|
||||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||||
\State \quad $(h_{i_0}, h_{i_1}, ..., h_{i_{2b-1}}) \randomsample \{0,1\}^{2b}$
|
\State \quad $(h_{i_0}, h_{i_1}, ..., h_{i_{2b-1}}) \randomsample \{0,1\}^{2b}$
|
||||||
@@ -60,7 +60,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
|||||||
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\groupelement{A_i}, \m^*,\signature^*)$
|
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\groupelement{A_i}, \m^*,\signature^*)$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||||
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
|
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
|
||||||
@@ -87,13 +87,13 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
|||||||
\hrule
|
\hrule
|
||||||
\vspace{1mm}
|
\vspace{1mm}
|
||||||
\large
|
\large
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
||||||
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||||
\State \Return $S$
|
\State \Return $S$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\vspace{2mm}
|
\vspace{2mm}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
||||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||||
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R}, \groupelement{A} \in \curve \textbf{ then}$
|
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R}, \groupelement{A} \in \curve \textbf{ then}$
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
\hrule
|
\hrule
|
||||||
\begin{multicols}{2}
|
\begin{multicols}{2}
|
||||||
\large
|
\large
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
|
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
|
||||||
\State \textbf{for} $j \in \{1,2,...,N\}$
|
\State \textbf{for} $j \in \{1,2,...,N\}$
|
||||||
\State \quad $(h_{j_0}, h_{j_1}, ..., h_{j_{2b-1}}) \randomsample \{0,1\}^{2b}$
|
\State \quad $(h_{j_0}, h_{j_1}, ..., h_{j_{2b-1}}) \randomsample \{0,1\}^{2b}$
|
||||||
@@ -29,7 +29,7 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
\State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin \pset{Q}$
|
\State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin \pset{Q}$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
|
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
|
||||||
\Comment{$G_0 - G_2$}
|
\Comment{$G_0 - G_2$}
|
||||||
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_{j_b} | ... | h_{j_{2b-1}} | \m)$
|
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_{j_b} | ... | h_{j_{2b-1}} | \m)$
|
||||||
@@ -57,15 +57,14 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
\begin{multicols}{2}
|
\begin{multicols}{2}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
|
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
|
||||||
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
|
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
|
||||||
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
|
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
|
||||||
\State \Return $\sum[\m]$
|
\State \Return $\sum[\m]$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
%TODO: Nummer vor Oracle
|
|
||||||
\BeginBox[draw=green]
|
\BeginBox[draw=green]
|
||||||
\State \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
|
\State \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
|
||||||
\Comment{$G_3$}
|
\Comment{$G_3$}
|
||||||
@@ -112,13 +111,13 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
\hrule
|
\hrule
|
||||||
\begin{multicols}{2}
|
\begin{multicols}{2}
|
||||||
\large
|
\large
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
||||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||||
\State \Return $(\m^*, \signature^*)$
|
\State \Return $(\m^*, \signature^*)$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
|
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
|
||||||
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
|
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
|
||||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
|
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
|
||||||
@@ -130,7 +129,7 @@ Again the programmability of the random oracle together with the \simalg algorit
|
|||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
|
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
|
||||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||||
\State \quad $\sum[m] \assign H(m)$
|
\State \quad $\sum[m] \assign H(m)$
|
||||||
@@ -178,13 +177,13 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur
|
|||||||
\hrule
|
\hrule
|
||||||
\begin{multicols}{2}
|
\begin{multicols}{2}
|
||||||
\large
|
\large
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
||||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||||
\State \Return $(\m^*, \signature^*)$
|
\State \Return $(\m^*, \signature^*)$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\columnbreak
|
\columnbreak
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
|
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
|
||||||
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
|
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
|
||||||
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
|
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
|
||||||
@@ -196,7 +195,7 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur
|
|||||||
\State \Return $\signature$
|
\State \Return $\signature$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\end{multicols}
|
\end{multicols}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
|
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
|
||||||
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
||||||
\State \quad $\sum[m] \assign H(m)$
|
\State \quad $\sum[m] \assign H(m)$
|
||||||
|
|||||||
@@ -15,7 +15,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
|||||||
\hrule
|
\hrule
|
||||||
\vspace{1mm}
|
\vspace{1mm}
|
||||||
\large
|
\large
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\game \somdl}
|
\Statex \underline{\game \somdl}
|
||||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||||
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
|
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
|
||||||
@@ -25,7 +25,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
|||||||
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N) \wedge I < N$
|
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N) \wedge I < N$
|
||||||
\end{algorithmic}
|
\end{algorithmic}
|
||||||
\vspace{2mm}
|
\vspace{2mm}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}
|
||||||
\Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$}
|
\Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$}
|
||||||
\vspace{1mm}
|
\vspace{1mm}
|
||||||
\State $I \assign I + 1$
|
\State $I \assign I + 1$
|
||||||
@@ -41,7 +41,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
|||||||
\label{theorem:adv_omdl'}
|
\label{theorem:adv_omdl'}
|
||||||
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
|
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
|
||||||
|
|
||||||
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
|
|
||||||
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
|
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
|
||||||
@@ -52,7 +52,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\hrule
\hrule
\large
\large
\vspace{1mm}
\vspace{1mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
@@ -61,7 +61,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
\end{algorithmic}
\end{algorithmic}
\vspace{2mm}
\vspace{2mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)}
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)}
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State $\ch \randomsample \{0,1\}^{2b}$
\State $\ch \randomsample \{0,1\}^{2b}$
@@ -105,7 +105,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\hrule
\hrule
\large
\large
\vspace{1mm}
\vspace{1mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then}
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then}
@@ -121,7 +121,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\State \Return $(a_1, a_2, ..., a_N)$
\State \Return $(a_1, a_2, ..., a_N)$
\end{algorithmic}
\end{algorithmic}
\vspace{2mm}
\vspace{2mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)}
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)}
\vspace{1mm}
\vspace{1mm}
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
@@ -36,7 +36,7 @@ A common security notion for digital signature schemes is the existential unforg
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*) \notin M$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*) \notin M$
\end{algorithmic}
\end{algorithmic}
\vspace{2mm}
\vspace{2mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $M \assign M \cup \{(\pubkey_i, \m)\}$
\State $M \assign M \cup \{(\pubkey_i, \m)\}$
@@ -67,7 +67,7 @@ A common security notion for digital signature schemes is the existential unforg
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$
\end{algorithmic}
\end{algorithmic}
\vspace{2mm}
\vspace{2mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
\State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
@@ -91,7 +91,7 @@ The MU-UF-NMA security game is similar to the MU-EUF-CMA game. The only differen
\begin{figure}[h]
\begin{figure}[h]
\hrule
\hrule
\vspace{1mm}
\vspace{1mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\State \underline{\game $\text{MU-UF-NMA}$}
\State \underline{\game $\text{MU-UF-NMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
@@ -118,7 +118,7 @@ This thesis proves the security of the EdDSA signature scheme under two assumpti
\begin{figure}[h]
\begin{figure}[h]
\hrule
\hrule
\vspace{1mm}
\vspace{1mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game Dlog}
\Statex \underline{\game Dlog}
\State $a \randomsample \field{L}$
\State $a \randomsample \field{L}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $\groupelement{A} \assign a \groupelement{B}$
@@ -144,7 +144,7 @@ The one-more discrete logarithm assumption is stronger than the discrete logarit
\begin{figure}[h]
\begin{figure}[h]
\hrule
\hrule
\vspace{1mm}
\vspace{1mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game OM-Dlog}
\Statex \underline{\game OM-Dlog}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \field{L}$
\State \quad $a_i \randomsample \field{L}$
@@ -18,7 +18,7 @@ The \sdlog game is a variant of the discrete logarithm game that represents the
\begin{figure}[h]
\begin{figure}[h]
\hrule
\hrule
\vspace{1mm}
\vspace{1mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game \sdlog}
\Statex \underline{\game \sdlog}
\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $\groupelement{A} \assign a \groupelement{B}$
@@ -46,7 +46,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
\hrule
\hrule
\begin{multicols}{2}
\begin{multicols}{2}
\large
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $\groupelement{A} \assign a \groupelement{B}$
@@ -121,7 +121,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
\hrule
\hrule
\begin{multicols}{2}
\begin{multicols}{2}
\large
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, \ch^*) \in \pset{Q}$ \textbf{then}
\State \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, \ch^*) \in \pset{Q}$ \textbf{then}
@@ -130,7 +130,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
\State \Return $(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}$
\State \Return $(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}$
\end{algorithmic}
\end{algorithmic}
\columnbreak
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
\State Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State $\ch_i \randomsample \{0,1\}^{2b}$
\State $\ch_i \randomsample \{0,1\}^{2b}$
@@ -14,7 +14,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\hrule
\hrule
\begin{multicols}{2}
\begin{multicols}{2}
\large
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game \igame}
\Statex \underline{\game \igame}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $\groupelement{A} \assign a \groupelement{B}$
@@ -22,7 +22,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
\end{algorithmic}
\end{algorithmic}
\columnbreak
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
\State $\ch_i \randomsample \{0,1\}^{2b}$
\State $\ch_i \randomsample \{0,1\}^{2b}$
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
@@ -49,7 +49,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\hrule
\hrule
\begin{multicols}{2}
\begin{multicols}{2}
\large
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\State \underline{\game $G_0$}
\State \underline{\game $G_0$}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
@@ -58,7 +58,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*)$
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*)$
\end{algorithmic}
\end{algorithmic}
\columnbreak
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
@@ -88,13 +88,13 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\vspace{1mm}
\vspace{1mm}
\begin{multicols}{2}
\begin{multicols}{2}
\large
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A})$}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A})$}
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
\State \Return $S$
\State \Return $S$
\end{algorithmic}
\end{algorithmic}
\columnbreak
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R} \in \curve \textbf{ then}$
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R} \in \curve \textbf{ then}$
@@ -24,7 +24,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\begin{figure}
\begin{figure}
\hrule
\hrule
\vspace{1mm}
\vspace{1mm}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\simalg(\groupelement{A})}
\Statex \underline{\simalg(\groupelement{A})}
\State $\textbf{ch} \randomsample \{0,1\}^{2b}$
\State $\textbf{ch} \randomsample \{0,1\}^{2b}$
\State $s \randomsample \{0,1\}^{2b}$
\State $s \randomsample \{0,1\}^{2b}$
@@ -41,7 +41,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\hrule
\hrule
\begin{multicols}{2}
\begin{multicols}{2}
\large
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
@@ -50,7 +50,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$
\end{algorithmic}
\end{algorithmic}
\columnbreak
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
\Comment{$G_0 - G_2$}
\Comment{$G_0 - G_2$}
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | \m)$
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | \m)$
@@ -78,14 +78,14 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\end{algorithmic}
\end{algorithmic}
\end{multicols}
\end{multicols}
\begin{multicols}{2}
\begin{multicols}{2}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[\m]$
\State \Return $\sum[\m]$
\end{algorithmic}
\end{algorithmic}
\columnbreak
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
%TODO: Nummer vor Oracle
%TODO: Nummer vor Oracle
\BeginBox[draw=green]
\BeginBox[draw=green]
\State \underline{\oracle \sign($\m \in \messagespace$)}
\State \underline{\oracle \sign($\m \in \messagespace$)}
@@ -135,13 +135,13 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\hrule
\hrule
\begin{multicols}{2}
\begin{multicols}{2}
\large
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $(\m^*, \signature^*)$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\end{algorithmic}
\columnbreak
\columnbreak
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle \sign($m \in \messagespace$)}
\Statex \underline{\oracle \sign($m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$
@@ -153,7 +153,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\State \Return $\signature$
\State \Return $\signature$
\end{algorithmic}
\end{algorithmic}
\end{multicols}
\end{multicols}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \assign H(m)$
\State \quad $\sum[m] \assign H(m)$
@@ -203,7 +203,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
\hrule
\hrule
\begin{multicols}{2}
\begin{multicols}{2}
\large
\large
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $(\m^*, \signature^*)$
\State \Return $(\m^*, \signature^*)$
@@ -221,7 +221,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
\State \Return $\signature$
\State \Return $\signature$
\end{algorithmic}
\end{algorithmic}
\end{multicols}
\end{multicols}
\begin{algorithmic}[1]
\begin{algorithmic}
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \assign H(m)$
\State \quad $\sum[m] \assign H(m)$