rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Overview DLog' => Game Z

Browse Source
This commit is contained in:
Aaron Kaiser
2023-03-01 18:00:26 +01:00
parent ef1610a1e0
commit 3f9ba21fe7
2 changed files with 104 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
thesis/Abschlussarbeit.tex
View File

@@ -11,11 +11,15 @@ listof=totoc,
\usepackage{thesisstyle}
\usepackage{algpseudocodex}
\usepackage{xcolor}
\usepackage{tikz}
\usepackage{multicol}
\usepackage{tabularx}
\usepackage[parfill]{parskip}
\usepackage[urlcolor=blue,hidelinks]{hyperref}
\newtheorem{theorem}{Theorem}
\begin{document}
\include{macros.tex}
@@ -259,14 +263,14 @@ To make working with the random oracle easier in the following proofs some calls
\section{The Security of EdDSA in a Single-User Setting}
This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:dlog'} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA.
This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:sdlog} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA.
% TODO: richtige Richtung?
The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next a intermediate game is introduced onto which the UF-NMA securtiy of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of DLog.
The chain of reductions can be depicted as:
\[ DLog' => \igame => UF-NMA_{EdDSA} => \cma_{EdDSA} \]
\[ \sdlog => \igame => UF-NMA_{EdDSA} => \cma_{EdDSA} \]
\subsection{UF-NMA $=>$ \cma (ROM)}
@@ -285,14 +289,57 @@ To generate a signature without the knowledge of the private key the challenge a
This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
\subsection{DLog' $=>$ \igame (AGM)}
\begin{figure}
\caption{\igame}
\label{game:igame}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\State \underline{\game \igame}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State $\groupelement{A} = a \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{\ioracle}{$\agmgroupelement{R_i}{r_i}$}
\State $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State $c_i \randomsample \{0,1\}^{2b}$
\State $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$
\State \Return $c_i$
\EndProcedure
\end{algorithmic}
\end{multicols}
\hrule
\end{figure}
This section shows that DLog implies \igame using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
\subsection{\sdlog $=>$ \igame (AGM)}
\paragraph{Proof Overview}
This section shows that \sdlog implies \igame using the Algebraic Group Model. The section starts by introducing a special variant of the discret logarithm problem followed by an intuition of the proof and at last giving a detailed security proof.
The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Generic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Upon providing a valid solution for the game \igame the reduction also gains following equation $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$. Both equations yield:
\paragraph{\underline{Introducing \sdlog}}
The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not choosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}.
\begin{figure}
\caption{\sdlog}
\label{fig:sdlog}
\begin{algorithmic}[1]
\State \underline{\game \sdlog}
\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $a' \randomassign \adversary{A}(\groupelement{A})$
\State \Return $a = a'$
\end{algorithmic}
\end{figure}
\paragraph{\underline{Proof Overview}}
The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Algebraic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Upon providing a valid solution for the game \igame the reduction also gains following equation $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$. Both equations yield:
% TODO: collision von cofactor c und challenge c
\begin{align*}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s \groupelement{B} - 2^c c \groupelement{A} \\
(r_2 + 2^c c)A &= (2^c s - r_1)B \\
@@ -301,12 +348,57 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
Assuming that $r_2 + 2^c c$ is invertable in $\field{L}$ (not equal to $0$) we can use both equations to calculate the discrete logarithm of $\groupelement{A}$. To ensure that $r_2 + 2^c c$ is invertable the reduction has to abort if $-r_2$ equals $2^c c$ with $c$ being randomly choosen in the \ioracle oracle.
\begin{figure}
% TODO: set caption
\caption{\igame with aborts}
\label{fig:igamewithabort}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\State \underline{\game $G_0 = \igame$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State $\groupelement{A} = a \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{\ioracle}{$\agmgroupelement{R_i}{r_i} \in \group{G}$}
\State $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State $c_i \randomsample \{0,1\}^{2b}$
\BeginBox[draw=blue]
\State \textbf{If} $2^c c_i = -r_2$ \textbf{then}
\State \text{ } $bad \assign true$
\BeginBox[draw=red,dashed]
\State \text{ } $abort$
\EndBox
\State \textbf{endIf}
\EndBox
\State $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$
\State \Return $c_i$
\EndProcedure
\end{algorithmic}
\end{multicols}
\hrule
\end{figure}
\paragraph{Introducing aborts}
Game $G_0$ is defined in Figure \ref{fig:igamewithabort} by ignoring all boxes. Game $G_1$ is defined by including the blue (but not the dotted red) box. It introduces a bad flag which is set if $2^c c_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. Since only the bad flag is set the change is only semantically. Game $G_2$ includes all boxes and aborts in the case where the bad flag is set. The later proof argues that the advantage to differentiate between game $G_1$ and $G_2$ is negligible.
\paragraph{\underline{Formal Proof}}
\begin{theorem}
Let
\end{theorem}
\newpage
\section{The Security of EdDSA in a Multi-User Setting}
\section{The Ed-GGM}
\subsection{Bounds on Dlog'} \label{sec:dlog'}
\subsection{Bounds on \sdlog} \label{sec:sdlog}
\subsection{Bounds on OMDlog'}

5
thesis/macros.tex
View File

@@ -12,6 +12,11 @@
\newcommand{\pubkey}{pk}
\newcommand{\privkey}{sk}
\newcommand{\groupelement}[1]{#1}
\newcommand{\agmgroupelement}[2]{[\groupelement{#1}]_{\overset{\rightharpoonup}{#2}}}
\newcommand{\group}[1]{\mathbb{#1}}
% Special Dlog
\newcommand{\sdlog}{DLog' }
% Intermediate Game
\newcommand{\igame}{Game Z }