Add N parameter to multi user games

2023-07-13 11:18:07 +02:00
parent 8d6f37310c
commit 432581423f
9 changed files with 80 additions and 80 deletions


@@ -19,12 +19,12 @@ This section provides a lower bound on the hardness of the modified version of t
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), \textit{Reveal}(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\Statex \underline{\oracle \textit{Reveal}($j \in \{1,2,...,N\}$)}
\Comment{max. one query}
\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$
\end{algorithmic}
@@ -72,12 +72,12 @@ This section provides a lower bound on the hardness of the modified version of t
\Comment{$G_2 - G_4$}
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
\EndBox
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), \textit{Reveal}(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\Statex \underline{\oracle \textit{Reveal}($j \in \{1,2,...,N\}$)}
\BeginBox[draw=green]
\State \textbf{for } $P_i \in \pset{P}$
\Comment{$G_3 - G_4$}
@@ -139,7 +139,7 @@ This section provides a lower bound on the hardness of the modified version of t
\EndBox
\State \quad $P_i \assign Z_i$
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), \textit{Reveal}(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\BeginBox[draw=orange]
\State \textbf{for } $i \in \{1,2,...,N\}$
\Comment{$G_8$}
@@ -159,7 +159,7 @@ This section provides a lower bound on the hardness of the modified version of t
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\Statex \underline{\oracle \textit{Reveal}($j \in \{1,2,...,N\}$)}
\BeginBox[draw=orange]
\State \textbf{for } $i \in \{1,2,...,N\} \backslash \{j\}$
\Comment{$G_8$}
@@ -215,7 +215,7 @@ This section provides a lower bound on the hardness of the modified version of t
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. The polynom $S_i$ only contains the monial $Z_n$, while the polynom $R_i$ contains the remaining monials and the constant. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the \textit{Reveal} query. Without loss of generality the following explanation assumes that the adversary queries the \textit{Reveal} oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. The polynom $S_i$ only contains the monial $Z_n$, while the polynom $R_i$ contains the remaining monials and the constant. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \]
@@ -229,21 +229,21 @@ This section provides a lower bound on the hardness of the modified version of t
\[ \prone{G_4^{\adversary{A}}} = \prone{G_5^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_6:$}} $G_6$ aborts if the $bad_2$ flag is set. The $bad_2$ flag is set if any two distinct polynomials evaluate to the same value, when evaluated with the vector of discrete logarithms. There are two cases. The first case is that the adversary has queried the DL oracle. The second case is that the adversary did not queried the DL oracle.
\item \paragraph{\underline{$G_6:$}} $G_6$ aborts if the $bad_2$ flag is set. The $bad_2$ flag is set if any two distinct polynomials evaluate to the same value, when evaluated with the vector of discrete logarithms. There are two cases. The first case is that the adversary has queried the \textit{Reveal} oracle. The second case is that the adversary did not queried the \textit{Reveal} oracle.
In the first case the adversary got the discrete logarithms of all but one challenge. Without loss of generality it is assumed that the adversary queried the discrete logarithm of all but the $N$th group element. In this case all polynomials in $\pset{P}$ are in $\field{L}[Z_N]$, since at the time of the DL query all polynomials, generated up to this point, are partially evaluated and are in $\field{Z}[Z_N]$. All polynomials that are generated after this point are generated by the addition of the existing polynomials and are therefore also in $\field{L}[Z_N]$. In this case the Schwartz-Zippel lemma can be applied since the adversary has no information on the remaining discrete logarithm. This is the same scenario as in the \sdlog proof.
In the first case the adversary got the discrete logarithms of all but one challenge. Without loss of generality it is assumed that the adversary queried the discrete logarithm of all but the $N$th group element. In this case all polynomials in $\pset{P}$ are in $\field{L}[Z_N]$, since at the time of the \textit{Reveal} query all polynomials, generated up to this point, are partially evaluated and are in $\field{Z}[Z_N]$. All polynomials that are generated after this point are generated by the addition of the existing polynomials and are therefore also in $\field{L}[Z_N]$. In this case the Schwartz-Zippel lemma can be applied since the adversary has no information on the remaining discrete logarithm. This is the same scenario as in the \sdlog proof.
In the case where the adversary did not queried the DL oracle the adversary has no information on any of the discrete logarithms. All polynomials in $\pset{P}$ are in $\field{Z}[N_1, ..., Z_N]$. In this case the Schwartz-Zippel lemma can be applied, since the all discrete logarithms are chosen uniformly at random and the adversary has no information on them, prior to them being chosen.
In the case where the adversary did not queried the \textit{Reveal} oracle the adversary has no information on any of the discrete logarithms. All polynomials in $\pset{P}$ are in $\field{Z}[N_1, ..., Z_N]$. In this case the Schwartz-Zippel lemma can be applied, since the all discrete logarithms are chosen uniformly at random and the adversary has no information on them, prior to them being chosen.
The probability of $bad_2$ being true can be calculated using the Schwartz-Zippel lemma, as described in the game-hop to $G_4$. With the Union bound over all polynomial pairs in $\pset{P}$ the probability of $bad_2$ being true is $\Pr[bad_2] \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$. $G_5$ and $G_6$ are identical-until-bad games, therefore:
\[ |\prone{G_5^{\adversary{A}}} - \prone{G_6^{\adversary{A}}}| \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}. \]
\item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of polynomials in the Enc procedure. It is argued that this change is only conceptual. When the evaluation of polynomials is removed, the polynomials are compared directly. Group elements represented by different polynomials are assigned different labels by the challenger. This is equivalent to the original definition as long as different polynomials do not evaluate to the same value, when evaluated with the discrete logarithms. This inconsistency in the simulation can be detected by the adversary when it gets some information on the discrete logarithms. This can either be during the query to the DL oracle or after the adversary provided its solution. In both cases there is an if condition checking for this inconsistency. If such an inconsistency is detected the game aborts. This change is only conceptual, since the different polynomials correspond to different group elements, in the cases where the game does not abort, and since the adversary only sees the labels it cannot detect whether the challenger works with polynomials or concrete discrete logarithms. Hence,
\item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of polynomials in the Enc procedure. It is argued that this change is only conceptual. When the evaluation of polynomials is removed, the polynomials are compared directly. Group elements represented by different polynomials are assigned different labels by the challenger. This is equivalent to the original definition as long as different polynomials do not evaluate to the same value, when evaluated with the discrete logarithms. This inconsistency in the simulation can be detected by the adversary when it gets some information on the discrete logarithms. This can either be during the query to the \textit{Reveal} oracle or after the adversary provided its solution. In both cases there is an if condition checking for this inconsistency. If such an inconsistency is detected the game aborts. This change is only conceptual, since the different polynomials correspond to different group elements, in the cases where the game does not abort, and since the adversary only sees the labels it cannot detect whether the challenger works with polynomials or concrete discrete logarithms. Hence,
\[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. Since the discrete logarithms are not used during the Enc function anymore they the challenger can generate them not at the start of the game but only right before they are used. The discrete logarithms are only used during the inconsistency checks in the DL oracle or after the adversary has provided its solution. $N - 1$ discrete logarithms are used in the DL oracle to check for inconsistencies and to partially evaluate the polynomials. After the adversary provided its solution the remaining discrete logarithms can chosen to fully evaluate all polynomials. This can be either all discrete logarithm, in the case that the adversary did not queried the DL oracle, or the remaining one, in the case that the adversary did queried the DL oracle. This change is only conceptual, since the initialization of variables is only moved right before the variable is used. Therefore,
\item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. Since the discrete logarithms are not used during the Enc function anymore they the challenger can generate them not at the start of the game but only right before they are used. The discrete logarithms are only used during the inconsistency checks in the \textit{Reveal} oracle or after the adversary has provided its solution. $N - 1$ discrete logarithms are used in the \textit{Reveal} oracle to check for inconsistencies and to partially evaluate the polynomials. After the adversary provided its solution the remaining discrete logarithms can chosen to fully evaluate all polynomials. This can be either all discrete logarithm, in the case that the adversary did not queried the \textit{Reveal} oracle, or the remaining one, in the case that the adversary did queried the \textit{Reveal} oracle. This change is only conceptual, since the initialization of variables is only moved right before the variable is used. Therefore,
\[ \prone{G_7^{\adversary{A}}} = \prone{G_8^{\adversary{A}}}. \]
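Review bot: The $G_6$ paragraphs name the coefficient domain of the polynomials inconsistently: the first case says the partially evaluated polynomials are in `$\field{Z}[Z_N]$` although the same sentence and the $G_3$ step use `$\field{L}[Z_N]$`, and the second case writes `$\field{Z}[N_1, ..., Z_N]$`, where `N_1` looks like a typo for `Z_1`. The Schwartz-Zippel bound `\frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}` depends on the set the evaluation points are drawn from, so I would write `$\field{L}[Z_N]$` and `$\field{L}[Z_1, ..., Z_N]$` in both places, assuming `\field{L}` is the domain defined earlier in the file (its definition is outside these hunks). The $G_3$ step has the same kind of slip with `$Z_n$` where `$Z_N$` is meant. These slips appear in both printed versions of the renamed lines, so the oracle rename is a good moment to fix them.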