Fixed set for secret scalar
@@ -9,7 +9,7 @@ This section concentrates on establishing a lower bound for the hardness of a mo
|
|||||||
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{\oraclequeries^2 + 1}{2^{n-1-c}}. \]
|
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{\oraclequeries^2 + 1}{2^{n-1-c}}. \]
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
|
|
||||||
\paragraph{\underline{Proof Overview}} This proof closely resembles the original proof on the lower bound for the discrete logarithm problem by Shoup \cite{EC:Shoup97}. The initial step involves working with the discrete logarithms of group elements rather than the actual group elements themselves. In the generic group model, this is equivalent as each group element can be uniquely represented by its discrete logarithms with respect to a generating set. For consistencycd the generating set is denoted as $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_n})$, with $\groupelement{B}$ being the generator of the prime order subgroup and $\groupelement{E_2}$ to $\groupelement{E_n}$ being the generators of the other subgroups. Subsequently, the discrete logarithm in the prime order subgroup is replaced by an indeterminate. By doing this, the discrete logarithm in the prime order subgroup can be chosen after the adversary has provided their solution. As a result, the generic adversary can only guess the discrete logarithm in the prime order subgroup, since it is generated only after the adversary has already submitted their solution. Figure \ref{fig:sdlog_ggm} shows the \sdlog game in the generic group model.
|
\paragraph{\underline{Proof Overview}} This proof closely resembles the original proof on the lower bound for the discrete logarithm problem by Shoup \cite{EC:Shoup97}. The initial step involves working with the discrete logarithms of group elements rather than the actual group elements themselves. In the generic group model, this is equivalent as each group element can be uniquely represented by its discrete logarithms with respect to a generating set. For consistency the generating set is denoted as $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_n})$, with $\groupelement{B}$ being the generator of the prime order subgroup and $\groupelement{E_2}$ to $\groupelement{E_n}$ being the generators of the other subgroups. Subsequently, the discrete logarithm in the prime order subgroup is replaced by an indeterminate. By doing this, the discrete logarithm in the prime order subgroup can be chosen after the adversary has provided their solution. As a result, the generic adversary can only guess the discrete logarithm in the prime order subgroup, since it is generated only after the adversary has already submitted their solution. Figure \ref{fig:sdlog_ggm} shows the \sdlog game in the generic group model.
|
||||||
|
|
||||||
\begin{figure}[h]
|
\begin{figure}[h]
|
||||||
\hrule
|
\hrule
|
||||||
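Review bot: the "consistencycd" typo fix is correct, but the Proof Overview still never ties the theorem's denominator to the key set. The bound $\frac{\oraclequeries^2 + 1}{2^{n-1-c}}$ in the unchanged theorem line is only meaningful once the reader knows that $2^{n-1-c}$ is the number of scalars in $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$ (the values $2^{n-1} + k \cdot 2^c$ for $0 \leq k < 2^{n-1-c}$). Add one sentence after "replaced by an indeterminate" saying that the adversary's guess succeeds with probability $1/2^{n-1-c}$ because the secret is uniform over a set of that size; that is the step the rest of the proof relies on.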
@@ -173,15 +173,12 @@ This section concentrates on establishing a lower bound for the hardness of a mo
|
|||||||
\begin{proof}
|
\begin{proof}
|
||||||
\item Let $G_0$ represent the \sdlog game in the generic group model. In this proof, the discrete logarithm within the prime order subgroup of the group element $\groupelement{A}$ will be substituted with an indeterminate. Following that, it will be demonstrated that the challenger, by working with polynomials rather than actual discrete logarithms, makes errors in the simulation with negligible probability. Finally, it will be established that the discrete logarithm of the group element $\groupelement{A}$ can be selected after the adversary has submitted its solution for the game.
|
\item Let $G_0$ represent the \sdlog game in the generic group model. In this proof, the discrete logarithm within the prime order subgroup of the group element $\groupelement{A}$ will be substituted with an indeterminate. Following that, it will be demonstrated that the challenger, by working with polynomials rather than actual discrete logarithms, makes errors in the simulation with negligible probability. Finally, it will be established that the discrete logarithm of the group element $\groupelement{A}$ can be selected after the adversary has submitted its solution for the game.
|
||||||
|
|
||||||
%TODO: Schwatz-Zippel lemma zitieren
|
\item This proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}. The Schwarz-Zippel lemma is defined as following:
|
||||||
\item This proof utilizes the Schwartz-Zippel lemma. The Schwarz-Zippel lemma is defined as following:
|
|
||||||
|
|
||||||
\begin{definition}[Schwatz-Zippel lemma]
|
\begin{definition}[Schwartz-Zippel lemma]
|
||||||
Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X]$ be a non-zero polynomial of total degree $d \geq 0$ over a field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x$ be selected uniformly at random from $S$. Then
|
Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X]$ be a non-zero polynomial of total degree $d \geq 0$ over a field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x$ be selected uniformly at random from $S$. Then
|
||||||
|
|
||||||
\[ \Pr[P(x) = 0] \leq \frac{d}{|S|}. \]
|
\[ \Pr[P(x) = 0] \leq \frac{d}{|S|}. \]
|
||||||
|
|
||||||
A proof for this lemma can be found in \cite{schwartz_fast_1980}.
|
|
||||||
\end{definition}
|
\end{definition}
|
||||||
|
|
||||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:sdlog_games_ggm_1} by excluding all boxes except the black ones. This is identical to the \sdlog in the generic group model. By definition,
|
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:sdlog_games_ggm_1} by excluding all boxes except the black ones. This is identical to the \sdlog in the generic group model. By definition,
|
||||||
|
|||||||
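Review bot: the typo is fixed in the definition title only; the second sentence of the new text still reads "The Schwarz-Zippel lemma is defined as following", which should be "The Schwartz-Zippel lemma is stated as follows" (both the missing "t" and "as following"). Two smaller points on the same hunk: the statement is for a univariate $P \in \mathbb{F}_{L}[X]$, so "total degree" should just be "degree", and since $L$ is prime it is enough to say "the field $\mathbb{F}_{L}$" rather than "a field". Moving the citation into the introducing sentence and dropping the separate "A proof for this lemma can be found in" line is fine, but a lemma environment would read better than `\begin{definition}` for a result with a proof.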
@@ -18,7 +18,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
|
|||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
\Statex \underline{\game \igame}
|
\Statex \underline{\game \igame}
|
||||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||||
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
||||||
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
||||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
||||||
|
|||||||
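Review bot: the `\Return` line of this hunk is malformed on both sides and the change leaves it so: `i \in \{1,2,...,N\} \in : \groupelement{R}^* = ...` has a stray `\in` before the colon. The same game in the next hunk (the $G_0$ / $G_1$ / $G_2$ variant) already has the correct form, `i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}`; copy that here so the two MU-\igame listings match exactly.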
@@ -55,7 +55,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
|
|||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
|
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
|
||||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||||
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
||||||
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
||||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
||||||
|
|||||||
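Review bot: the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$ now appears with an ellipsis in every game; since the step size is exactly what this commit generalizes, consider a macro (e.g. a `\scalarset` command) that expands to the set-builder form $\{2^{n-1} + k \cdot 2^c : 0 \leq k < 2^{n-1-c}\}$, so the step and the cardinality $2^{n-1-c}$ are explicit and a future change edits one place instead of five. Within this hunk the sampling line and the `\Return` line are otherwise consistent: $2^c$ in the verification equation is the same cofactor that fixes the step of the scalar set.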
@@ -7,7 +7,7 @@ This section shows that \sdlog implies \igame using the Algebraic Group Model. T
|
|||||||
|
|
||||||
\paragraph{\underline{Introducing \sdlog}}
|
\paragraph{\underline{Introducing \sdlog}}
|
||||||
|
|
||||||
The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not chosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}.
|
The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not chosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}.
|
||||||
|
|
||||||
\begin{definition}[\sdlog]
|
\begin{definition}[\sdlog]
|
||||||
\label{def:sdlog}
|
\label{def:sdlog}
|
||||||
@@ -22,7 +22,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
|
|||||||
\vspace{1mm}
|
\vspace{1mm}
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
\Statex \underline{\game \sdlog}
|
\Statex \underline{\game \sdlog}
|
||||||
\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$
|
\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
|
||||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||||
\State $a' \randomassign \adversary{A}(\groupelement{A})$
|
\State $a' \randomassign \adversary{A}(\groupelement{A})$
|
||||||
\State \Return $a \test a'$
|
\State \Return $a \test a'$
|
||||||
|
|||||||
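Review bot: this is the paragraph that introduces the set, and after the change $c$ is used without being defined anywhere in the visible text. The old literal $8$ was the Ed25519 cofactor, so the sentence "This set represents all valid private keys according to the key generation algorithm" should say where $c$ comes from: $2^c$ is the cofactor of the curve, so the key generation clears the low $c$ bits and sets bit $n-1$ ($c = 3$ for Ed25519, $c = 2$ for Ed448). Without that, "clearing and setting of bits" in the first sentence no longer tells the reader which bits. The definition environment and `\label{def:sdlog}` context lines are unaffected.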
@@ -16,7 +16,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
|
|||||||
\large
|
\large
|
||||||
\begin{algorithmic}[1]
|
\begin{algorithmic}[1]
|
||||||
\Statex \underline{\game \igame}
|
\Statex \underline{\game \igame}
|
||||||
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
||||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||||
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||||
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
|
||||||
|
|||||||
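Review bot: the set in this single-user \igame now matches `def:sdlog` from the previous hunk, which is what the commit message promises. One notational inconsistency visible across the two listings remains: the \sdlog definition writes the adversary call as `$a' \randomassign \adversary{A}(\groupelement{A})$` while this game writes `$s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$`; pick one of `\randomassign` / `\randomsample` for "output of a randomized algorithm" and use the other only for sampling from a set, as the $a \randomsample \{...\}$ line already does.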