diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex index d85aeca..01fb6c7 100644 --- a/thesis/Abschlussarbeit.tex +++ b/thesis/Abschlussarbeit.tex 
@@ -144,27 +144,28 @@ Now that the single-user security of EdDSA got analyzed, we can take a look at i Therefore, a similar approach to the proof in the single-user setting is used. It is not possible to reduce onto the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$, which was needed for the discrete logarithm of the public key to be calculated. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used, as introduced in \cite{JC:BNPS03}. -The proof starts by showing that the MU-EUF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the MU-EUF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption. +The proof starts by showing that the $N$-MU-EUF-NMA security of EdDSA implies $N$-MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the $N$-MU-EUF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption. The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are: \begin{theorem}[Security of EdDSA with strict parsing in the multi-user setting] \label{theorem:eddsa_sp_mu} - Let $\adversary{A}$ be an adversary against the MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. 
Then, + Let $\adversary{A}$ be an adversary against the $N$-MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, - \[ \advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} \] + \[ \advantage{\group{G}, \adversary{A}}{\text{$N$-MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} \] \end{theorem} \begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting] \label{theorem:eddsa_lp_mu} - Let $\adversary{A}$ be an adversary against the MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, + Let $\adversary{A}$ be an adversary against the $N$-MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. 
Then, - \[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} \] + \[ \advantage{\group{G}, \adversary{A}}{\text{$N$-MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} \] \end{theorem} The chain of reductions can be depicted as: -\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} MU-\cma_{\text{EdDSA sp}} / \text{MU-EUF-CMA}_{\text{EdDSA lp}} \] +\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{$N$-MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{$N$-MU-\cma}_{\text{EdDSA sp}} \] +\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{$N$-MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{$N$-MU-EUF-CMA}_{\text{EdDSA lp}} \] \input{sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma} \input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma} diff --git a/thesis/macros.tex b/thesis/macros.tex index 7a5bc68..7f33c75 100644 --- a/thesis/macros.tex +++ b/thesis/macros.tex @@ -48,7 +48,7 @@ % Oracle \newcommand{\Osign}{\textit{Sign}\xspace} -\newcommand{\Odl}{\textif{DL}\xspace} +\newcommand{\Odl}{\textif{Reveal}\xspace} % Structrues \newcommand{\curve}{E} \ No newline at end of file diff --git a/thesis/sections/concrete_security.tex b/thesis/sections/concrete_security.tex index 6a3942d..5b74eab 100644 --- a/thesis/sections/concrete_security.tex +++ b/thesis/sections/concrete_security.tex 
@@ -62,7 +62,7 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the This provides a success ratio of: \begin{align*} - SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\ + SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{$N$-MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\ &\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\ &\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\ &\leq \frac{2 (2^{125} + 2^{35} + 2)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} (2^{125} + 2^{35}) 2^{260}}{2^{512} 2^{125}} \\ 
@@ -117,7 +117,7 @@ Another popular instantiation of the EdDSA signature scheme is Ed448. It uses th Now the same is done for the multi-user security of Ed448. This yields following upper bound for the success ratio: \begin{align*} - SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\ + SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{$N$-MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\ &\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\ &\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\ &\leq \frac{2 (2^{223} + 2^{35} + 2)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} (2^{223} + 2^{35}) 2^{466}}{2^{912} 2^{223}} \\ diff --git a/thesis/sections/edggm/omdl.tex b/thesis/sections/edggm/omdl.tex index 971b947..273501c 100644 --- a/thesis/sections/edggm/omdl.tex +++ b/thesis/sections/edggm/omdl.tex 
@@ -19,12 +19,12 @@ This section provides a lower bound on the hardness of the modified version of t \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$ - \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$ + \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), \textit{Reveal}(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$ \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} - \Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)} + \Statex \underline{\oracle \textit{Reveal}($j \in \{1,2,...,N\}$)} \Comment{max. one query} \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$ \end{algorithmic} 
@@ -72,12 +72,12 @@ This section provides a lower bound on the hardness of the modified version of t \Comment{$G_2 - G_4$} \State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$ \EndBox - \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$ + \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), \textit{Reveal}(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$ \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} - \Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)} + \Statex \underline{\oracle \textit{Reveal}($j \in \{1,2,...,N\}$)} \BeginBox[draw=green] \State \textbf{for } $P_i \in \pset{P}$ \Comment{$G_3 - G_4$} @@ -139,7 +139,7 @@ This section provides a lower bound on the hardness of the modified version of t \EndBox \State \quad $P_i \assign Z_i$ \State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$ - \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$ + \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), \textit{Reveal}(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$ \BeginBox[draw=orange] \State \textbf{for } $i \in \{1,2,...,N\}$ \Comment{$G_8$} 
@@ -159,7 +159,7 @@ This section provides a lower bound on the hardness of the modified version of t \end{algorithmic} \vspace{1mm} \begin{algorithmic} - \Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)} + \Statex \underline{\oracle \textit{Reveal}($j \in \{1,2,...,N\}$)} \BeginBox[draw=orange] \State \textbf{for } $i \in \{1,2,...,N\} \backslash \{j\}$ \Comment{$G_8$} 
@@ -215,7 +215,7 @@ This section provides a lower bound on the hardness of the modified version of t \[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \] - \item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. The polynom $S_i$ only contains the monial $Z_n$, while the polynom $R_i$ contains the remaining monials and the constant. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. 
This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore, + \item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the \textit{Reveal} query. Without loss of generality the following explanation assumes that the adversary queries the \textit{Reveal} oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. The polynom $S_i$ only contains the monial $Z_n$, while the polynom $R_i$ contains the remaining monials and the constant. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. 
This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore, \[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \] 
@@ -229,21 +229,21 @@ This section provides a lower bound on the hardness of the modified version of t \[ \prone{G_4^{\adversary{A}}} = \prone{G_5^{\adversary{A}}}. \] - \item \paragraph{\underline{$G_6:$}} $G_6$ aborts if the $bad_2$ flag is set. The $bad_2$ flag is set if any two distinct polynomials evaluate to the same value, when evaluated with the vector of discrete logarithms. There are two cases. The first case is that the adversary has queried the DL oracle. The second case is that the adversary did not queried the DL oracle. + \item \paragraph{\underline{$G_6:$}} $G_6$ aborts if the $bad_2$ flag is set. The $bad_2$ flag is set if any two distinct polynomials evaluate to the same value, when evaluated with the vector of discrete logarithms. There are two cases. The first case is that the adversary has queried the \textit{Reveal} oracle. The second case is that the adversary did not queried the \textit{Reveal} oracle. - In the first case the adversary got the discrete logarithms of all but one challenge. Without loss of generality it is assumed that the adversary queried the discrete logarithm of all but the $N$th group element. In this case all polynomials in $\pset{P}$ are in $\field{L}[Z_N]$, since at the time of the DL query all polynomials, generated up to this point, are partially evaluated and are in $\field{Z}[Z_N]$. All polynomials that are generated after this point are generated by the addition of the existing polynomials and are therefore also in $\field{L}[Z_N]$. In this case the Schwartz-Zippel lemma can be applied since the adversary has no information on the remaining discrete logarithm. This is the same scenario as in the \sdlog proof. + In the first case the adversary got the discrete logarithms of all but one challenge. Without loss of generality it is assumed that the adversary queried the discrete logarithm of all but the $N$th group element. 
In this case all polynomials in $\pset{P}$ are in $\field{L}[Z_N]$, since at the time of the \textit{Reveal} query all polynomials, generated up to this point, are partially evaluated and are in $\field{Z}[Z_N]$. All polynomials that are generated after this point are generated by the addition of the existing polynomials and are therefore also in $\field{L}[Z_N]$. In this case the Schwartz-Zippel lemma can be applied since the adversary has no information on the remaining discrete logarithm. This is the same scenario as in the \sdlog proof. - In the case where the adversary did not queried the DL oracle the adversary has no information on any of the discrete logarithms. All polynomials in $\pset{P}$ are in $\field{Z}[N_1, ..., Z_N]$. In this case the Schwartz-Zippel lemma can be applied, since the all discrete logarithms are chosen uniformly at random and the adversary has no information on them, prior to them being chosen. + In the case where the adversary did not queried the \textit{Reveal} oracle the adversary has no information on any of the discrete logarithms. All polynomials in $\pset{P}$ are in $\field{Z}[N_1, ..., Z_N]$. In this case the Schwartz-Zippel lemma can be applied, since the all discrete logarithms are chosen uniformly at random and the adversary has no information on them, prior to them being chosen. The probability of $bad_2$ being true can be calculated using the Schwartz-Zippel lemma, as described in the game-hop to $G_4$. With the Union bound over all polynomial pairs in $\pset{P}$ the probability of $bad_2$ being true is $\Pr[bad_2] \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$. $G_5$ and $G_6$ are identical-until-bad games, therefore: \[ |\prone{G_5^{\adversary{A}}} - \prone{G_6^{\adversary{A}}}| \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}. \] - \item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of polynomials in the Enc procedure. It is argued that this change is only conceptual. 
When the evaluation of polynomials is removed, the polynomials are compared directly. Group elements represented by different polynomials are assigned different labels by the challenger. This is equivalent to the original definition as long as different polynomials do not evaluate to the same value, when evaluated with the discrete logarithms. This inconsistency in the simulation can be detected by the adversary when it gets some information on the discrete logarithms. This can either be during the query to the DL oracle or after the adversary provided its solution. In both cases there is an if condition checking for this inconsistency. If such an inconsistency is detected the game aborts. This change is only conceptual, since the different polynomials correspond to different group elements, in the cases where the game does not abort, and since the adversary only sees the labels it cannot detect whether the challenger works with polynomials or concrete discrete logarithms. Hence, + \item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of polynomials in the Enc procedure. It is argued that this change is only conceptual. When the evaluation of polynomials is removed, the polynomials are compared directly. Group elements represented by different polynomials are assigned different labels by the challenger. This is equivalent to the original definition as long as different polynomials do not evaluate to the same value, when evaluated with the discrete logarithms. This inconsistency in the simulation can be detected by the adversary when it gets some information on the discrete logarithms. This can either be during the query to the \textit{Reveal} oracle or after the adversary provided its solution. In both cases there is an if condition checking for this inconsistency. If such an inconsistency is detected the game aborts. 
This change is only conceptual, since the different polynomials correspond to different group elements, in the cases where the game does not abort, and since the adversary only sees the labels it cannot detect whether the challenger works with polynomials or concrete discrete logarithms. Hence, \[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \] - \item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. Since the discrete logarithms are not used during the Enc function anymore they the challenger can generate them not at the start of the game but only right before they are used. The discrete logarithms are only used during the inconsistency checks in the DL oracle or after the adversary has provided its solution. $N - 1$ discrete logarithms are used in the DL oracle to check for inconsistencies and to partially evaluate the polynomials. After the adversary provided its solution the remaining discrete logarithms can chosen to fully evaluate all polynomials. This can be either all discrete logarithm, in the case that the adversary did not queried the DL oracle, or the remaining one, in the case that the adversary did queried the DL oracle. This change is only conceptual, since the initialization of variables is only moved right before the variable is used. Therefore, + \item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. Since the discrete logarithms are not used during the Enc function anymore they the challenger can generate them not at the start of the game but only right before they are used. The discrete logarithms are only used during the inconsistency checks in the \textit{Reveal} oracle or after the adversary has provided its solution. $N - 1$ discrete logarithms are used in the \textit{Reveal} oracle to check for inconsistencies and to partially evaluate the polynomials. 
After the adversary provided its solution the remaining discrete logarithms can chosen to fully evaluate all polynomials. This can be either all discrete logarithm, in the case that the adversary did not queried the \textit{Reveal} oracle, or the remaining one, in the case that the adversary did queried the \textit{Reveal} oracle. This change is only conceptual, since the initialization of variables is only moved right before the variable is used. Therefore, \[ \prone{G_7^{\adversary{A}}} = \prone{G_8^{\adversary{A}}}. \] diff --git a/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex b/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex index 68a33cd..6da3104 100644 --- a/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex +++ b/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex 
@@ -1,13 +1,13 @@ -\subsection{MU-\igame $\overset{\text{ROM}}{\Rightarrow}$ MU-EUF-NMA} +\subsection{$N$-MU-\igame $\overset{\text{ROM}}{\Rightarrow}$ $N$-MU-EUF-NMA} -This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition of the proof followed by the detailed security proof. +This section shows that $N$-MU-\igame implies $N$-MU-EUF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition of the proof followed by the detailed security proof. -\paragraph{\underline{Introducing MU-\igame}} This game follows closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $N$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The MU-\igame game is depicted in figure \ref{game:mu-igame}. +\paragraph{\underline{Introducing $N$-MU-\igame}} This game follows closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $N$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The $N$-MU-\igame game is depicted in figure \ref{game:mu-igame}. -\begin{definition}[MU-\igame] - Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$, receiving $N$ public keys as input, we define its advantage in the MU-\igame as following: +\begin{definition}[$N$-MU-\igame] + Let $n$ and $N$ be positive integers. 
For an adversary $\adversary{A}$, receiving $N$ public keys as input, we define its advantage in the $N$-MU-\igame as following: - \[ \advantage{\adversary{A}}{\text{$N$-MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \] + \[ \advantage{\adversary{A}}{\text{$N$-MU-\igame}}(\secparamter) \assign | \Pr[\text{$N$-MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \] \end{definition} \begin{figure}[h] 
@@ -36,12 +36,12 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa \begin{theorem} \label{theorem:adv_mu-igame} - Let $\adversary{A}$ be an adversary against MU-\igame. Then, + Let $\adversary{A}$ be an adversary against $N$-MU-\igame. Then, - \[ \advantage{\adversary{A}}{\text{MU-EUF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter). \] + \[ \advantage{\adversary{A}}{\text{$N$-MU-EUF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{$N$-MU-\igame}}(\secparamter). \] \end{theorem} -\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle, a valid forgery of the signature also becomes a valid solution for the MU-\igame game. +\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle, a valid forgery of the signature also becomes a valid solution for the $N$-MU-\igame game. \paragraph{\underline{Formal Proof}} 
@@ -72,16 +72,16 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa \end{figure} \begin{proof} - \item Now it is argued that the \ioracle oracle can be used to simulate the hash function in a way that the answer of the MU-EUF-NMA adversary can be used as an valid solution for the MU-\igame challenger. + \item Now it is argued that the \ioracle oracle can be used to simulate the hash function in a way that the answer of the $N$-MU-EUF-NMA adversary can be used as an valid solution for the $N$-MU-\igame challenger. - \item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as MU-EUF-NMA with EdDSA. By definition, + \item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as $N$-MU-EUF-NMA with EdDSA. By definition, - \[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-EUF-NMA}}(\secparamter) = \Pr[\text{MU-EUF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] + \[ \advantage{\text{EdDSA}, \adversary{A}}{\text{$N$-MU-EUF-NMA}}(\secparamter) = \Pr[\text{$N$-MU-EUF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying \begin{align} - \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{MU-\igame}}(\secparamter). \label{eq:adv_mu-igame} + \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{$N$-MU-\igame}}(\secparamter). \label{eq:adv_mu-igame} \end{align} \begin{figure}[h] 
@@ -108,7 +108,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa \label{fig:adversary_mu-igame} \end{figure} - \item To proof (\ref{eq:adv_mu-igame}), we define an adversary $\adversary{B}$ attacking MU-\igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_mu-igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is perfectly simulated because the \ioracle oracle also outputs a uniformly random 2b-bit bitstring. For this reason, $H$ returns a uniformly random 2b-bit bitstring for all queries, as expected. + \item To proof (\ref{eq:adv_mu-igame}), we define an adversary $\adversary{B}$ attacking $N$-MU-\igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_mu-igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is perfectly simulated because the \ioracle oracle also outputs a uniformly random 2b-bit bitstring. For this reason, $H$ returns a uniformly random 2b-bit bitstring for all queries, as expected. Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that: @@ -119,7 +119,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa \groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A_i} \end{align*} - Therefore, $S$ is a valid solution for the MU-\igame game. + Therefore, $S$ is a valid solution for the $N$-MU-\igame game. \item This proves theorem \ref{theorem:adv_mu-igame}. \end{proof} \ No newline at end of file diff --git a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex index b9301d1..dfd368b 100644 
--- a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex +++ b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex 
@@ -1,15 +1,15 @@ -\subsection{MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-SUF-CMA}_{\text{EdDSA sp}}$} +\subsection{$N$-MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{$N$-MU-SUF-CMA}_{\text{EdDSA sp}}$} -This section shows that the MU-EUF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the random oracle model. The section starts with providing an intuition of the proof, followed by the detailed security proof. +This section shows that the $N$-MU-EUF-NMA security of the EdDSA signature scheme implies the $N$-MU-SUF-CMA security of the EdDSA signature scheme using the random oracle model. The section starts with providing an intuition of the proof, followed by the detailed security proof. \begin{theorem} \label{theorem:adv_mu-uf-nma} - Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, + Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against $N$-MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, - \[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \] + \[ \advantage{\adversary{A}}{\text{$N$-MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{$N$-MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \] \end{theorem} -\paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the absence of the \Osign oracle in MU-EUF-NMA. 
For this reason, the reduction must simulate the \Osign oracle without the knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure, introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}. +\paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the absence of the \Osign oracle in $N$-MU-EUF-NMA. For this reason, the reduction must simulate the \Osign oracle without the knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure, introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}. \paragraph{\underline{Formal Proof}} 
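Review bot: the theorem statement in this hunk still reads "Let $n$ and $N$ be positive integer"; since the line is already being rewritten for the $N$ prefix, change it to "positive integers" to match the wording of \label{theorem:adv2_mu-uf-nma} later in the same file. In the proof overview, "The only difference of both security notions" reads better as "The only difference between the two security notions".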
@@ -83,11 +83,11 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im \end{figure} \begin{proof} - \item Now the original MU-SUF-CMA game is manipulated in a way that makes it possible to simulate signatures without the knowledge of the secret key. During each of the game-hops the probability for an adversary to detect this change is upper bounded. + \item Now the original $N$-MU-SUF-CMA game is manipulated in a way that makes it possible to simulate signatures without the knowledge of the secret key. During each of the game-hops the probability for an adversary to detect this change is upper bounded. - \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one. $G_0$ is the MU-SUF-CMA for EdDSA. By definition, + \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one. $G_0$ is the $N$-MU-SUF-CMA for EdDSA. By definition, - \[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] + \[ \advantage{\text{EdDSA},\adversary{A}}{\text{$N$-MU-}\cma}(\secparamter) = \Pr[\text{\text{$N$-MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \item \paragraph{\underline{$G_1:$}} $G_1$ now is defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set if the hash value is already set. The bad flag being set represents cases where the adversary already queried the random oracle for the challenge used for that signature and therefore the random oracle cannot be programmed. This results in the challenger not being able to produce a valid signature. 
This change is only conceptual, as it does not alter the behavior of the oracle. Therefore, @@ -104,7 +104,7 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im \item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying \begin{align} - \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter). \label{eq:adv_mu-uf-nma} + \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{$N$-MU-EUF-NMA}}(\secparamter). \label{eq:adv_mu-uf-nma} \end{align} \begin{figure}[h] 
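Review bot: in hunk @@ -83,11, the rewritten $G_0$ line says "$G_0$ is the $N$-MU-SUF-CMA for EdDSA" and is missing the word "game" (compare "is the $N$-MU-\igame" in the omdl' file). The displayed equation on the same hunk nests `\text{\text{$N$-MU-}\cma}`; the inner `\text` is redundant and `\text{$N$-MU-}\cma` is enough.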
@@ -136,11 +136,11 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im \State \Return $\sum[m]$ \end{algorithmic} \hrule - \caption{Adversary $\adversary{B}$ breaking $\text{MU-EUF-NMA}$} + \caption{Adversary $\adversary{B}$ breaking $\text{$N$-MU-EUF-NMA}$} \label{fig:adversaryb_mu-uf-nma} \end{figure} - To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-EUF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-EUF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. + To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{$N$-MU-EUF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{$N$-MU-EUF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Again there is only one valid encoded $S$ for each $\groupelement{R}$, $m$, $\groupelement{A_i}$ tuple that satisfies the verification equation. For the signature to be a valid forgery it must not be outputted by the \Osign oracle for this specific $m^*$ and $\groupelement{A_i}$. No new valid signature can be generated from a valid one by just changing the $S$ value. This means that either $\groupelement{R}$, $m$ or $\groupelement{A_i}$ have to be changed to generate a new valid signature from an already valid signature. 
Since all these parameters are part of the hash query to generate the challenge the resulting hash value has to be forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Hence, 
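Review bot: the rewritten sentence says $\adversary{B}$ "simulates $\adversary{A}$'s view in $G_2$", but equation (\ref{eq:adv_mu-uf-nma}) just above is stated for $G_3$, and the parallel sentence in the lax-parsing proof below says "view on $G_3$"; either the game index here is off by one or the equation should refer to $G_2$. Same hunk: the forgery is written with `\m^*` but the following sentences use `$m^*$` for the same value; pick one macro for the message.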
@@ -149,22 +149,22 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i} \end{align*} - Since the public keys and the results of the hash queries are forwarded from the MU-EUF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-EUF-NMA challenger. + Since the public keys and the results of the hash queries are forwarded from the $N$-MU-EUF-NMA challenger the forged signature from $\adversary{A}$ in the $N$-MU-\cma game is also a valid forgery for the $N$-MU-EUF-NMA challenger. \item In the main procedure the adversary $\adversary{B}$ simply calls adversary $\adversary{A}$ and outputs its forged signature. To simulate the hash function $\adversary{B}$ simply forwards the queries to adversary $\adversary{A}$ and to a signature $\adversary{B}$ obtains the pair of commitment, challenge, and solution from the \simalg procedure, which is just samples two values and calculates the last one using a simple equation, and then programs its random oracle. Therefore, the runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. \item This proves theorem \ref{theorem:adv_mu-uf-nma}. \end{proof} -\subsection{MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-EUF-CMA}_{\text{EdDSA lp}}$} +\subsection{$N$-MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{$N$-MU-EUF-CMA}_{\text{EdDSA lp}}$} -This section shows that MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing used in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. 
The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-EUF-NMA security. Similar to the proof in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. This way the adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. This would result in the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ being programmed by the reduction itself and therefore the signature not being valid for the EUF-NMA challenger. +This section shows that $N$-MU-EUF-NMA security of EdDSA implies the $N$-MU-EUF-CMA security of EdDSA with lax parsing used in the random oracle model. This proof is very similar to the proof $N$-MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking $N$-MU-EUF-NMA security. Similar to the proof in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. This way the adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. This would result in the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ being programmed by the reduction itself and therefore the signature not being valid for the EUF-NMA challenger. 
\begin{theorem} \label{theorem:adv2_mu-uf-nma} - Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, + Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against $N$-MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, - \[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \] + \[ \advantage{\adversary{A}}{\text{$N$-MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{$N$-MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \] \end{theorem} \paragraph{\underline{Formal Proof}} @@ -172,7 +172,7 @@ This section shows that MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA secu \begin{proof} \item \begin{align} - \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter). \label{eq:adv2_mu-uf-nma} + \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{$N$-MU-EUF-NMA}}(\secparamter). \label{eq:adv2_mu-uf-nma} \end{align} \begin{figure}[h] 
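Review bot: the $N$ rename in this hunk is incomplete: the last sentence of the rewritten paragraph still speaks of "the EUF-NMA challenger", which in this section should be the $N$-MU-EUF-NMA challenger. Also in that paragraph: "the proof $N$-MU-SUF-CMA proof" duplicates "proof", "The modification to the games are the same" needs "modifications ... are" (or "modification ... is"), and the win condition $\verify(\groupelement{A_j}, \m^*)$ omits the signature argument, whereas the definition in security_notions.tex takes $\verify(\pubkey, \m, \signature)$; it should presumably read $\verify(\groupelement{A_j}, \m^*, \signature^*)$.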
@@ -204,20 +204,20 @@ This section shows that MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA secu \State \Return $\sum[m]$ \end{algorithmic} \hrule - \caption{Adversary $\adversary{B}$ breaking $\text{MU-EUF-NMA}$} + \caption{Adversary $\adversary{B}$ breaking $\text{$N$-MU-EUF-NMA}$} \label{fig:adversary_b_mu-uf-nma} \end{figure} - To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking MU-EUF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the MU-EUF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. + To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $N$-MU-EUF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the $N$-MU-EUF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. - Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the MU-EUF-NMA challenger. 
For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore, + Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the $N$-MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the $N$-MU-EUF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore, \begin{align*} 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}\\ \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}. \end{align*} - This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the MU-EUF-NMA challenger. + This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the $N$-MU-EUF-NMA challenger. \item Since the adversary $\adversary{B}$ is the same as in the proof above, its runtime is roughly the same as the runtime of adversary $\adversary{A}$, for the same reason. 
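Review bot: in the rewritten paragraph of hunk @@ -204,20 the public key is written once as plain "$A_i$" ("message $m^*$ and public key $A_i$") while every other occurrence in the sentence uses $\groupelement{A_i}$; use the macro consistently so the group element is typeset the same way throughout.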
diff --git a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex index 1269966..65e4413 100644 --- a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex +++ b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex 
@@ -1,8 +1,8 @@ -\subsection{\somdl $\overset{\text{AGM}}{\Rightarrow}$ MU-\igame} +\subsection{\somdl $\overset{\text{AGM}}{\Rightarrow}$ $N$-MU-\igame} -This section shows that \somdl implies MU-\igame using the algebraic group model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof. The reduction cannot be directly performed using the \sdlog assumption, since the representation of the commitment contains more than one group element with unknown discrete logarithm, because the adversary against MU-\igame receives multiple public keys as input. Therefore, a new assumption, based on the one-more discrete logarithm assumption, has to be introduced. +This section shows that \somdl implies $N$-MU-\igame using the algebraic group model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof. The reduction cannot be directly performed using the \sdlog assumption, since the representation of the commitment contains more than one group element with unknown discrete logarithm, because the adversary against $N$-MU-\igame receives multiple public keys as input. Therefore, a new assumption, based on the one-more discrete logarithm assumption, has to be introduced. -\paragraph{\underline{Introducing \somdl}} Similar to \sdlog, which is a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem, which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. 
The only differences to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} are that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ which represents all valid secret scalars regarding the key generation algorithm and that the adversary is only able to query $N-1$ discrete logarithms of the challenge group elements at once. This modification makes the assumption weaker than the original one-more discrete logarithm assumption. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is illustrated in figure \ref{fig:somdl}. +\paragraph{\underline{Introducing \somdl}} Similar to \sdlog, which is a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem, which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only differences to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} are that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ which represents all valid secret scalars regarding the key generation algorithm and that the adversary is only able to query $N-1$ discrete logarithms of the challenge group elements at once. This modification makes the assumption weaker than the original one-more discrete logarithm assumption. Since the resulting game is similar to the $N$-discrete logarithm problem with an additinal \textit{Reveal} query, it is called \somdl. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is illustrated in figure \ref{fig:somdl}. \begin{definition}[\somdl] \label{def:somdl} 
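Review bot: the newly added sentence has a typo, "additinal" should be "additional". Since the sentence now explains why the game is named \somdl, it would also help to say explicitly that \textit{Reveal} is the single oracle query the adversary gets (the "max. one query" comment in the figure), so the name is tied to the restriction the text describes two sentences earlier.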
@@ -20,12 +20,12 @@ This section shows that \somdl implies MU-\igame using the algebraic group model \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$ - \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ + \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{Reveal(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$ \end{algorithmic} \vspace{2mm} \begin{algorithmic} - \Statex \underline{\oracle $DL(j \in \{1,2,...,N\})$} + \Statex \underline{\oracle $Reveal(j \in \{1,2,...,N\})$} \Comment{max. one query} \vspace{1mm} \State \Return $\{a_i|i \in \{1,2,...,N\}\backslash \{j\}\}$ 
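Review bot: the renamed oracle is written as bare `Reveal` inside math mode here (`\adversary{A}^{Reveal(\inp)}` and `\oracle $Reveal(j ...)$`), which TeX sets as a product of italic single-letter variables, while the adversary figure in hunk @@ -107,13 uses `\textit{Reveal}`. Use one form everywhere, e.g. `\textit{Reveal}` as in the later hunk, or a small macro so a future rename is a one-line change.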
@@ -40,10 +40,10 @@ This section shows that \somdl implies MU-\igame using the algebraic group model \label{theorem:adv_omdl'} Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, receiving $N$ public keys and making at most $\oraclequeries$ oracle queries. Then - \[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \] + \[ \advantage{\group{G},\adversary{A}}{\text{$N$-MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \] \end{theorem} -\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason, the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it is again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game. 
+\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason, the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{Reveal} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it is again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game. \paragraph{\underline{Formal Proof}} 
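Review bot: the theorem statement in hunk @@ -40,10 still says "Let $\adversary{A}$ be an adversary against \igame", but the bound directly below it is now stated for $\text{$N$-MU-\igame}$; the rename should cover the hypothesis as well. In the proof overview, "looks the following" should be "looks as follows".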
@@ -84,9 +84,9 @@ This section shows that \somdl implies MU-\igame using the algebraic group model \begin{proof} \item Now the individual game-hops are analyzed and the probability, that an adversary can distinguish between two games, is upper bounded. - \item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes. Clearly, $G_0$ is the MU-\igame. By definition, + \item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes. Clearly, $G_0$ is the $N$-MU-\igame. By definition, - \[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] + \[ \advantage{\group{G},\adversary{A}}{\text{$N$-MU-\igame}}(\secparamter) = \Pr[\text{$N$-MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box, which sets a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys, due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag is introduced this change does not influence the behavior of the game and is therefore only conceptual. 
@@ -107,13 +107,13 @@ This section shows that \somdl implies MU-\igame using the algebraic group model \large \vspace{1mm} \begin{algorithmic} - \Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$} + \Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{Reveal}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$} \State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then} \State \quad $abort$ \State Let $\groupelement{R^*} = r^*_1 \groupelement{B} + r^*_2 \groupelement{A_1} + ... + r^*_{N+1} \groupelement{A_N}$ \State $r_b \assign r_1$ - \State $(a_1, ..., a_{i-1}, a_{i+1}, ..., a_N) \randomassign DL(i)$ + \State $(a_1, ..., a_{i-1}, a_{i+1}, ..., a_N) \randomassign \textit{Reveal}(i)$ \State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$ \State \quad $r_b \assign r_b + r_{j+1} a_j$ \Comment{$\groupelement{A_j} = a_j \groupelement{B}$} 
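Review bot: the adversary pseudocode in this hunk introduces the representation as $\groupelement{R^*} = r^*_1 \groupelement{B} + r^*_2 \groupelement{A_1} + ...$ with starred coefficients, but then computes $r_b \assign r_1$ and $r_b \assign r_b + r_{j+1} a_j$ with unstarred $r$; either drop the stars in the representation or use $r^*_1$ and $r^*_{j+1}$ in the two assignment lines so the reader can see they are the same values.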
@@ -140,7 +140,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \somdl that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \somdl game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly. - Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one, for which $s^*$ is a valid solution in the MU-\igame game. Together with the representation of $R^*$, provided during the \ioracle oracle call, and the discrete logarithms of the public keys we are able to generate a representation of $R^*$, which looks like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get: + Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{Reveal} oracle we can get the discrete logarithms of all public keys but the one, for which $s^*$ is a valid solution in the $N$-MU-\igame game. Together with the representation of $R^*$, provided during the \ioracle oracle call, and the discrete logarithms of the public keys we are able to generate a representation of $R^*$, which looks like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get: \begin{align*} r_b \groupelement{B} + r_i \groupelement{A_i} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i} \\ 
@@ -148,9 +148,9 @@ This section shows that \somdl implies MU-\igame using the algebraic group model \Leftrightarrow \groupelement{A} &= (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1} \groupelement{B} \end{align*} - Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e., not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm of $A_i$. Together with the discrete logarithms of the other public keys, which were obtained by the \textit{DL} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger. + Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e., not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm of $A_i$. Together with the discrete logarithms of the other public keys, which were obtained by the \textit{Reveal} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger. - \item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. In the main procedure the adversary $\adversary{B}$ calls adversary $\adversary{A}$, queries the DL oracle and performs some simple calculations to obtain the discrete logarithm of all public keys. In the \ioracle the adversary simply samples a 2b bitstring uniformly at random. + \item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. In the main procedure the adversary $\adversary{B}$ calls adversary $\adversary{A}$, queries the \textit{Reveal} oracle and performs some simple calculations to obtain the discrete logarithm of all public keys. In the \ioracle the adversary simply samples a 2b bitstring uniformly at random. \item This proves theorem \ref{theorem:adv_omdl'}. \end{proof} \ No newline at end of file 
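Review bot: the last line of the align block in this hunk, `\Leftrightarrow \groupelement{A} &= (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1} \groupelement{B}`, solves for $\groupelement{A}$ although the surrounding text and the preceding line are about $\groupelement{A_i}$; it should read $\groupelement{A_i}$. In the runtime paragraph, "samples a 2b bitstring" should be "samples a $2b$-bit string".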
diff --git a/thesis/sections/mu_security_of_eddsa/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex b/thesis/sections/mu_security_of_eddsa/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex deleted file mode 100644 index ad318c1..0000000 --- a/thesis/sections/mu_security_of_eddsa/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex +++ /dev/null @@ -1 +0,0 @@ -\section{MU-\igame $\Rightarrow$ MU-EUF-NMA} \ No newline at end of file diff --git a/thesis/sections/security_notions.tex b/thesis/sections/security_notions.tex index 2dd2795..f1774ae 100644 --- a/thesis/sections/security_notions.tex +++ b/thesis/sections/security_notions.tex 
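Review bot: deleting the stray one-line file under the doubled path `sections/mu_security_of_eddsa/sections/mu_security_of_eddsa/` looks right, but please confirm that no `\input` or `\include` of `mu-gamez_implies_mu-uf-nma` remains in Abschlussarbeit.tex or the section files, since the corresponding section heading "MU-\igame $\Rightarrow$ MU-EUF-NMA" disappears with it.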
@@ -14,10 +14,10 @@ A digital signature scheme is a method to ensure the authenticity of data. The s For the digital signature scheme to be correct, it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$ \end{definition} -A common security notion for digital signature schemes is the existential unforgeability under chosen message attack (EUF-CMA) security. It requires that no adversary is able to forge a signature for a message to which they have not observed a valid signature, given a public key. A stronger notion, that is often used, is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and MU-SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions in which the adversary is only provided with one public key. +A common security notion for digital signature schemes is the existential unforgeability under chosen message attack (EUF-CMA) security. It requires that no adversary is able to forge a signature for a message to which they have not observed a valid signature, given a public key. A stronger notion, that is often used, is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. 
With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively $N$-MU-EUF-CMA and $N$-MU-SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions in which the adversary is only provided with one public key. -\begin{definition}[MU-EUF-CMA] - Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the N-MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is N-MU-EUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have +\begin{definition}[$N$-MU-EUF-CMA] + Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the $N$-MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is $N$-MU-EUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have \[ \advantage{SIG,\adversary{A}}{\textsf{$N$-MU-EUF-CMA}}(\secparamter) \assign \prone{\textsf{$N$-MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \] \end{definition} 
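Review bot: the definitions in this file typeset the notion name as `\textsf{$N$-MU-EUF-CMA}` while the theorems and proofs in the mu_security_of_eddsa files use `\text{$N$-MU-EUF-CMA}`, so the same notion appears in sans-serif here and in roman there. Consider a single macro for the notion names so the rename done in this commit stays consistent. Also, the theorems require $N$ to be a positive integer, whereas the definition only says "$N$ be an integer"; aligning the two avoids the degenerate $N \leq 0$ case.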
@@ -45,8 +45,8 @@ A common security notion for digital signature schemes is the existential unforg \label{game:mu-euf-cma} \end{figure} -\begin{definition}[MU-SUF-CMA] - Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-SUF-CMA game be defined in figure \ref{game:mu-suf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have +\begin{definition}[$N$-MU-SUF-CMA] + Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the $N$-MU-SUF-CMA game be defined in figure \ref{game:mu-suf-cma}. $SIG$ is $N$-MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have \[ \advantage{SIG,\adversary{A}}{\textsf{$N$-MU-SUF-CMA}}(\secparamter) \assign \prone{\textsf{$N$-MU-SUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \] \end{definition} 
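Review bot: `Let $SIG = (\keygen, \sign, \verify)$` typesets SIG in math italics as the product of three variables; as a scheme name it should be upright (`\mathsf{SIG}` or a dedicated macro in the style of the existing `\keygen`, `\sign`, `\verify`), here and in the matching lines of the $N$-MU-EUF-CMA and $N$-MU-EUF-NMA definitions, so it matches the `\textsf{...}` style already used for the game name in the advantage term below. Apart from that the rename is the same mechanical change as in the first hunk and is consistent with it.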
@@ -74,10 +74,10 @@ A common security notion for digital signature schemes is the existential unforg \label{game:mu-suf-cma} \end{figure} -The MU-EUF-NMA security game is similar to the MU-EUF-CMA game. The only difference is that the adversary does not has access to an oracle to obtain valid signatures for arbitrary messages. Again the EUF-NMA security notation is a special case of the MU-EUF-NMA security notation with $N=1$. +The $N$-MU-EUF-NMA security game is similar to the $N$-MU-EUF-CMA game. The only difference is that the adversary does not has access to an oracle to obtain valid signatures for arbitrary messages. Again the EUF-NMA security notation is a special case of the $N$-MU-EUF-NMA security notation with $N=1$. -\begin{definition}[MU-EUF-NMA] - Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the N-MU-EUF-NMA game be defined in figure \ref{game:mu-uf-nma}. $SIG$ is N-MU-EUF-NMA secure if for all ppt adversaries $\adversary{A}$, we have +\begin{definition}[$N$-MU-EUF-NMA] + Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the $N$-MU-EUF-NMA game be defined in figure \ref{game:mu-uf-nma}. $SIG$ is $N$-MU-EUF-NMA secure if for all ppt adversaries $\adversary{A}$, we have \[ \advantage{SIG,\adversary{A}}{\textsf{$N$-MU-EUF-NMA}}(\secparamter) \assign \prone{\textsf{$N$-MU-EUF-NMA}^{\adversary{A}}} \leq negl(\secparamter). \] \end{definition}
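Review bot: the rewritten paragraph keeps two errors from the old line: "does not has access to an oracle" should be "does not have access to an oracle", and "security notation" (twice) should be "security notion", matching the term used in the earlier paragraphs. "Again the EUF-NMA security notion is a special case of the $N$-MU-EUF-NMA security notion with $N=1$" would also read better as "As before, EUF-NMA is the special case $N=1$ of $N$-MU-EUF-NMA". Minor: the label `\ref{game:mu-uf-nma}` drops the "e" that the other two game labels (`game:mu-euf-cma`, `game:mu-suf-cma`) and the notion name keep; consider renaming it to `game:mu-euf-nma` together with the figure's `\label` for consistency.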
