From 419018dec391071790223a8538cfe9217b29a099 Mon Sep 17 00:00:00 2001 From: Aaron Kaiser Date: Mon, 1 May 2023 17:38:55 +0200 Subject: [PATCH] More more more --- thesis/Abschlussarbeit.tex | 17 +-- thesis/sections/eddsa.tex | 34 ++++- .../omdl'_implies_mu-gamez.tex | 14 +- thesis/sections/notation.tex | 8 +- thesis/sections/preliminaries.tex | 126 ++++++++++++++++++ thesis/sections/security_notions.tex | 2 - .../uf-nma_implies_suf-cma.tex | 4 +- 7 files changed, 171 insertions(+), 34 deletions(-) create mode 100644 thesis/sections/preliminaries.tex diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex index bebbeaf..362b7b8 100644 --- a/thesis/Abschlussarbeit.tex +++ b/thesis/Abschlussarbeit.tex @@ -19,6 +19,7 @@ listof=totoc, \usepackage[urlcolor=blue,hidelinks]{hyperref} \usepackage[,hhmmss]{datetime} +\newtheorem{lemma}{Lemma}[section] \newtheorem{theorem}{Theorem}[section] \newtheorem{definition}{Definition}[section] @@ -107,21 +108,7 @@ TODO \newpage \section{Related Work} -\input{sections/notation} - -\section{Preliminaries} - -\subsection{Schnorr Signatures} - -\subsection{Edwards Curves} - -\input{sections/security_notions} - -\subsection{Random Oracle Model (ROM)} - -\subsection{Algebraic Group Model (AGM)} - -\subsection{Generic Group Model (GGM)} +\input{sections/preliminaries} \input{sections/eddsa} diff --git a/thesis/sections/eddsa.tex b/thesis/sections/eddsa.tex index 3a9de63..530bb4f 100644 --- a/thesis/sections/eddsa.tex +++ b/thesis/sections/eddsa.tex @@ -6,9 +6,10 @@ This section takes a closer look at the existing specifications of the EdDSA sig This work will take a closer look at the \cma security of the EdDSA signature scheme. EdDSA was introduced as the Ed25519 signature scheme using the twisted Edwards curve Edwards25519, which is birationally equivalent to the Weierstrass curve Curve25519 \cite{JCEng:BDLSY12}. Later in 2015 the paper "EdDSA for more Curves" by Bernstein et al. introduces a more general version of EdDSA \cite{EPRINT:BJLSY15}. The paper also introduces a variant of EdDSA using prehashing. The RFC 8032 "Edwards-Curve Digital Signature Algorithm (EdDSA)" from 2017 specifies a version of EdDSA with the inclusion of an additional input parameter \textit{context} for the \sign and \verify procedure \cite{josefsson_edwards-curve_2017}. This version was also included into the FIPS 186-5 "Digital Signature Standard (DSS)" standard \cite{moody_digital_2023}. -In the prehashing variant of EdDSA the signature is calculated on the hash value of the message. The message is used twice during the generation of the signature. Thus the message needs to be buffered or transmitted twice during the generation of the signature. Therefore the prehashing variant offers an performance advantage on memory and bandwidth constraint devices. The context is an additional input parameter which has to be equal during generation and verification of the signature and is used to bind the signature to a given context. +In the prehashing variant of EdDSA the signature is calculated on the hash value of the message. The message is used twice during the generation of the signature. Thus the message needs to be buffered or transmitted twice during the generation of the signature. Therefore the prehashing variant offers an performance advantage on memory and bandwidth constraint devices. The context is an additional input parameter which has to be equal during generation and verification of the signature and is used to bind the signature to a given context. -Figure \ref{fig:eddsa} defines the EdDSA signature scheme. In this version the prehashing of the message is ommited since the main security proof will focus on the EdDSA version without prehashing. In this case the prehash function $H'(\inp)$ is the identity function. After proofing the security of the EdDSA signature scheme without prehashing it will be shown that EdDSA with prehashing is equally as secure assuming collision resistence of the prehash function $H'(\inp)$. +In the following, when speaking from the EdDSA signature scheme, the original variant, without prehashing and context, is meant. It is argued that the context can be modeled as being part of the message. Regarding the prehashing a standard proof for prehashing variants of UF-CMA secure signature schemes can be used. In the case of EdDSA the prehash function $H'(\inp)$ is the identity function. Figure \ref{fig:eddsa} defines the EdDSA signature scheme +%TODO standard proof for prehashing referenzieren \subsection{EdDSA Parameter} @@ -16,7 +17,15 @@ The generic version of EdDSA from the "EdDSA for more Curves" paper, the RFC 803 The list of the parameters can be found in table \ref{tab:parameter}. -The encoding function is assumed to be unambiguous. With each point on the twisted Edwards curve having exactly one bitstring representing that point and invalid bitstring being rejected during decoding of the point. +\subsection{Encoding Function} + +The encoding function encodes points on the twisted Edwards cuve into b-bit bitstring and vice versa. It is assumed to be unambiguous, with each point on the twisted Edwards curve having exactly one bitstring representing that point and invalid bitstring being rejected during decoding of the point. This way by decoding a b-bit bitstring into an cuve point implicitly ensures that the decoded point is a valid point on the specified twisted Edwards curve. The requirement for this property comes from the specified encoding function in \cite{EPRINT:BJLSY15}. + +\subsection{Message Space} + +The message space $\messagespace$ is defined as a bitstring of arbitrary length. To make the proof also apply to the EdDSA variant with context the context can be modeled to be part of the message. + +Looking at the RFC and the FIPS standard the context is passed into a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during the generation and verification of the signature. Since the proofs are conducted in the random oracle model the position of the data in the hash function call and the actual content of the message and the context are not relevant for the output of the random oracle call. Unless the reduction explicitly uses the content of message, which they do not in this case. Therefore, the context can be modeled as being part of the message. \subsection{Differences from Schnorr Signatures} @@ -24,14 +33,30 @@ As already pointed out in \cite{SP:BCJZ21} there are some minor differences from \subsubsection{Group Structure} -The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edwards curves always have a cofactor of at least 4. Traditional Schnorr signatures are constructed over a prime order field. Since there is no explicit check that points provided to the verify procedure resides in the prime order subgroup the standard proof of Schnorr signature schemes does not apply. +Unlike the standard Schnorr signature scheme, which was defined over a prime order group, the EdDSA signature scheme is defined over a prime order subgroup of a twisted Edwards curve. + +This might pose additional challenges since working with group elements outside the prime order subgroup might have some unintended side effects. In the proofs using the algebraic group model, where this might become relevant, it is argued that the additional group structure from the twisted Edwards curves do not pose an additional treat to the schema. \subsubsection{Private Key Clamping} +Instead of choosing the secret scalar uniformly at random, as done in most other schemes, the secret scalar is generated by hashing a random bitstring, fixing some bits of the hash result to a specific value and then interpreting $n$ bits of the result as the little endian representation of an integer. + +To be more precise from the lower $b$ bit of the $2b$ bit the lowest $c$ bit are set to 0, where $c$ is the cofactor of the twisted Edwards cureve, and the $n$th bit is set to 1. Then the first $n$ bits are interpreted as the secret scalar $s$. + +This is strictly less secure, in the sense of the discrete logarithm problem, then choosing the secret scalar uniformly at random. It also makes proofs in the multi-user setting more challenging, since rerandomization of a public key is not easily possible and therefore the multi-user security of EdDSA can not easily be reduced onto the single-user security of EdDSA. + +To overcome this challenge specific variants of the discrete logarithm problem and the one-more discrete logarithm problem are introduced, which take the specific key generation into account. The hardness of those problems are then examined in the generic group model. + +Choosing the secret scalar like this is supposed to help make implementation constant time and to prevent the leakage of bits through side channel attacks. + \subsubsection{Key Prefixing} +The EdDSA signatur scheme also includes the public key as an additional input to the hash function, when generating the challenge. This change does not reduce the security of the signature scheme and mainly revolves around the multi-user security of the signature scheme. + \subsubsection{Deterministic Nonce Generation} +The commitment is chosen as the result of a hash function instead of uniformly at random on every signature generation. This makes the signature generation deterministic. Since the hash function is modeled as a random oracle the deterministic generation of the commitment does not pose an additional security risk, since it can be replaced with a random function, as shown in \ref{sec:eddsa'_proof}. + % TODO: Ist das ok hier einfach zu kopieren? \begin{center} \begin{table}[t] @@ -92,6 +117,7 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw \end{figure} \subsection{Replacing Hash Function Calls} +\label{sec:eddsa'_proof} To make working with the random oracle easier in the following proofs a variant of the EdDSA signature scheme is introduced which has some calls to the random oracle replaced by directly sampling a value uniformly at random or using a random function. After that it will be shown that the advantage winning the \cma game in both versions of the signature scheme is roughly the same. diff --git a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex index 948f633..ba00d4e 100644 --- a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex +++ b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex @@ -109,7 +109,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then} \State \quad $abort$ - \State Let $\groupelement{R^*} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$ + \State Let $\groupelement{R^*} = r^*_1 \groupelement{B} + r^*_2 \groupelement{A_1} + ... + r^*_{N+1} \groupelement{A_N}$ \State $r_b \assign r_1$ \State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$ \State \quad $a_j \assign \textit{DL}(\groupelement{A_j})$ @@ -121,15 +121,15 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model \end{algorithmic} \vspace{2mm} \begin{algorithmic}[1] - \Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)} + \Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)} \vspace{1mm} - \State Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$ - \State $\ch_i \randomsample \{0,1\}^{2b}$ - \State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch_i \equiv -r_i \pmod L$ \textbf{then} + \State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$ + \State $\ch \randomsample \{0,1\}^{2b}$ + \State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch \equiv -r_i \pmod L$ \textbf{then} \State \quad $bad \assign true$ \State \quad $abort$ - \State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$ - \State \Return $\ch_i$ + \State $Q \assign Q \cup \{ (\groupelement{R}, \ch) \}$ + \State \Return $\ch$ \end{algorithmic} \hrule \caption{Adversary $\adversary{B}$ breaking \somdl} diff --git a/thesis/sections/notation.tex b/thesis/sections/notation.tex index 9380c56..6bcfe02 100644 --- a/thesis/sections/notation.tex +++ b/thesis/sections/notation.tex @@ -1,11 +1,11 @@ -\section{Notation} +\subsection{Notation} -\subsection{General Notation} +\subsubsection{General Notation} For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from an non-empty set $A$ uniformly at random. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if there exists a $N \in \mathbb{N}$ for all polynomials $p$ so that $\forall n \geq N: f(n) < \frac{1}{p(n)}$. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ and uniformly random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. The main procedure runs and adversary $\adversary{A}$ given some inputs and access to the oracle procedures and getting some output from the adversary $\adversary{A}$. Based on the output of the adversary $\adversary{A}$ and its oracle calls the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game. -\subsection{Algebraic Notation} +\subsubsection{Algebraic Notation} A group description is denoted as a tuple $\mathbf{G} = (L, \mathbb{G}, \groupelement{B})$ with $\mathbb{G}$ being a cyclic group of prime order $L$ generated by group element $\groupelement{B}$. The group uses additive notation for its group law and group elements are denoted by uppercase letters. It is assumed that there exists a group generation algorithm that, upon inputting $1^\secparamter$, outputs a group description $\mathbf{G}$ with $L$ being $\secparamter$ bits in length. -\subsection{Game Notation} \ No newline at end of file +\subsubsection{Game Notation} \ No newline at end of file diff --git a/thesis/sections/preliminaries.tex b/thesis/sections/preliminaries.tex new file mode 100644 index 0000000..5f8cf22 --- /dev/null +++ b/thesis/sections/preliminaries.tex @@ -0,0 +1,126 @@ +\section{Preliminaries} + +\subsection{Code-based reduction proofs} + +To perform the security proof of the EdDSA signature scheme code based game playing proofs are used as introduced in \cite{EC:BelRog06}. For this proofs an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output from the adversary. The game then decides, depending on the output of the adversary, whether the adversary won or not. In addition the adversary might get oracle access to one or more procedures, meaning that the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The advantage of the adversary in a game describes its ability to win the game more reliably than using generic attacks (e.g. guessing the answer to the game). + +During the proof these games are being modified until an adversary against the modified game can also be used as an adversary against another game. This method is called a reduction proof. It shows that one problem (described by one game) can be reduced to another problem. In other words it says that if problem A can be reduced onto problem B any algorithm solving problem A can be transformed into an algorithm solving problem B. + +\subsubsection{Identical-Until-Bad Games} + +While modifying the games it has to be ensured that the advantage for an attacker to distinguish between the original and modified game is negligible. This can be achieved by constructing so called identical-until-bad games. + +\begin{definition}[identical-until-bad games] + Two games are called identical-until-bad games if they are syntactically equivalent except for instructions following the setting of a bad flag to true. +\end{definition} + +\begin{lemma}[Fundamental lemma of game-playing] + Let G and H be identical-until-bad games and let $\adversary{A}$ be an adversary. Then, + + \[ Adv(G^{\adversary{A}}, H^{\adversary{A}}) \leq \Pr[bad] \] +\end{lemma} + +This means that the advantage to distinguish between two identical-until-bad games is bound by the probability of the bad flag being set. A proof for this lemma can be found in \cite{EC:BelRog06}. + +\input{sections/notation} + +\input{sections/security_notions} + +\subsection{Fiat-Shamir Transformation} + +The Fiat-Schamir transformation is a transformation which creates a digital signature scheme from a canonical identification scheme. The transformation was introduces by Fiat-Schmir in 1986 \cite{C:FiaSha86}. To transform a canonical identification scheme into a signature scheme it has to be become non-interactive. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the proofer. This is a crucial part for the security of the scheme since otherwise the proofer might be able to choose a commitment and solution in a way that lets him generate a valid transcript without being in the possession of the secret key. + +The Fiat-Schamir transformation replaces the verifier by a pseudorandom function. This pseudorandom function takes the commitment and a a message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. With this the proofer is able to calculate the response. The commitment together with the solution can now be considered a signature for that message. To verify the signature a verifier can use the same pseudorandom function to calculate the challenge based on the commitment and the message and apply the verification algorithm from the canonical identification scheme to verify the solution and thereby the validity of the signature. In practice a hash function is often used as the pseudorandom function. The Fiat-Schamir transformation is depicted in figure \ref{fig:fs-transformation}. + +If the canonical identification scheme is IMP-PA secure then the digital signature scheme, resulting from the Fiat-Schamir transformation of that canonical identification scheme, is UF-CMA secure in the random oracle model (the meaning of the random oracle model will be explained in section \ref{sec:rom}) \cite{EC:PoiSte96}. %TODO: Ist das das richtige Paper? + +\begin{figure} + \hrule + \vspace{1mm} + \begin{multicols}{3} + \begin{algorithmic}[1] + \Statex \underline{\textbf{KeyGen}(par)} + \State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$ + \State \Return $(\pubkey, \privkey)$ + \end{algorithmic} + \columnbreak + \begin{algorithmic}[1] + \Statex \underline{\textbf{Sign}(\privkey, \m)} + \State $(R, st) \randomassign P_1(\privkey)$ + \State $\ch \assign F(R|\m)$ + \State $s \assign P_2(\privkey, R, \ch, st)$ + \State \Return $(R, s)$ + \end{algorithmic} + \columnbreak + \begin{algorithmic}[1] + \Statex \underline{\textbf{Verify}(\pubkey, \m, $\signature \assign (R,s)$)} + \State $\ch \assign F(R|\m)$ + \State \Return $V(\pubkey, R, \ch, s)$ + \end{algorithmic} + \end{multicols} + + \hrule + \caption{Fiat-Schamir transformation of a CID \assign (KeyGen, P, V)} + \label{fig:fs-transformation} +\end{figure} + +\subsection{Schnorr Signatures} + +The Schnorr signature scheme is a signature scheme which was introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. The Schnorr signature scheme proved to be a robust and efficient signature scheme. For two prime numbers $p$ and $q$ with $q|p-1$ and and element $g \in \field{p}$ with order $q$ the Schnorr signature scheme is depicted in figure \ref{fig:schorr}. Since the scheme is defined on $\field{p}$ multiplicative notation is used for this scheme as an exception. + +\begin{figure}[h] + \hrule + \vspace{1mm} + \begin{multicols}{3} + \begin{algorithmic}[1] + \Statex \underline{\textbf{KeyGen}(par)} + \State $x \randomsample \field{q}$ + \State \Return $(X \assign g^x, x)$ + \end{algorithmic} + \columnbreak + \begin{algorithmic}[1] + \Statex \underline{\textbf{Sign}($s$, \m)} + \State $r \randomsample \field{q}$ + \State $R \assign g^r$ + \State $\ch \assign H(R|m)$ + \State $s \assign r + s \ch \pmod q$ + \State \Return $(R, s)$ + \end{algorithmic} + \columnbreak + \begin{algorithmic}[1] + \Statex \underline{\textbf{Verify}(\pubkey, \m, $\signature \assign (R,s)$)} + \State $\ch \assign F(R|\m)$ + \State \Return $R \test g^s X^{-H(R|m)}$ + \end{algorithmic} + \end{multicols} + + \hrule + \caption{Schnorr Signature Scheme} + \label{fig:schorr} +\end{figure} + +\subsection{Edwards Curves} + +\subsection{Random Oracle Model (ROM)} +\label{sec:rom} + +Some of the following proofs are conducted in the random oracle model. The random oracle model was introduces by Bellare and Rogaway in 1993 \cite{CCS:BelRog93}. In the random oracle model some primitives (in this case hash functions) are modeled as public random oracles. Meaning that instead of calling the hash function the adversary has to call the random oracle supplied by the challenger. This random oracle has to behave like a truly random function. + +To simulate a truly random function in polynomical time a process called "lazy-sampling" can be used. Lazy-sampling means that the challenger has a table which at the start is empty. When the adversary quries a value from the random oracle the challenger checks if that input is in the table. If the input is in the table the challenger returns the output value according to the table. Otherwise the challenger chooses an output value from a uniform random distribution and inserts it into the table for this specific input value. Then the challenger returns this value. + +This method allows observing and influencing the behavior of the adversary. Since the random oracle behaves like a truly random function the adversary has to query the random oracle to know the output value for an specific input value. Therefore the challenger can observe any input value to the random oracle. Also the challenger has the ability to program specific output values of the random oracle as long as it is correctly distributed and is consistent. Consistent meaning that the random oracle should at no time output two different values for the same input value. + +%TODO: Kann man das so schreiben? +Especially the programmability of the random oracle will be used in the following proofs and should be kept in mind. + +\subsection{Algebraic Group Model (AGM)} + +The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an oracle parameter. For example if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs the group element $\groupelement{C}$ and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$. + +\subsection{Generic Group Model (GGM)} + +Unlike the random oracle model or the algebraic group model the generic group model is not used to build reductions from one to another problem. It is rather used to get information theoretic lower bound on the complexity of generic adversaries against a certain problem. Generic algorithms are algorithms that only perform the defined group actions on group elements and do not exploit group specific representations of the element. + +The generic group model was first introduced by Shoup 1997 \cite{EC:Shoup97}. In this paper Shoup proved a information theoretic lower bound on the discrete logarithm problem. He archived that by replacing group elements by labels which are random bitstrings. This way he hid all group specific representations of the elements. Group actions are only able via oracles, which are provided to the adversary by the challenger. The only action the adversary can perform on its own is to compare elements for equality by comparing labels. + +In 2005 Maurer proposed an alternative proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup. \ No newline at end of file diff --git a/thesis/sections/security_notions.tex b/thesis/sections/security_notions.tex index 2335583..0e56a84 100644 --- a/thesis/sections/security_notions.tex +++ b/thesis/sections/security_notions.tex @@ -1,5 +1,3 @@ -\subsection{Identical-Until-Bad Games} - \subsection{Canonical Identification Scheme} A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a protocol between two parties. The prover tries to proof the knowledge of a secret key to the verfier which only knows the public key. This is achieved by exchanging three messages between the two parties. At first the prover starts the protocol by sending a commitment $R$ to the verifier. The verifer answers with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, challenge and its secret key to calculate a response $s$. The verifier then can use the commitment, challenge and response together with the public key of the prover to verify the response and thereby whether the prover is actually in the possession of the private key. diff --git a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex index e0a9d39..4e6c7f5 100644 --- a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex +++ b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex @@ -109,11 +109,11 @@ The proof starts by providing an algorithm which generates correctly distributed \begin{proof} \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one and let $G_0$ be $\text{\cma}$. By definition, - \[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \]. + \[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence, - \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \]. + \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \] \item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort condition is triggered if the $bad$ flag is set. Without loss of generality it is assumed that the adversary queries the \sign oracle only once with each message since the signature generated is deterministic and an adversary would not gain more information by multiple queries with the same message. For each individual sign query the probability for the $bad$ flag to be set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter, which is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition he has to guess the commitment $\groupelement{R}$ used during on of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied with the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $r'$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\groupelement{R}$ has to be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have