rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add Dlog' ggm proof

Browse Source
This commit is contained in:
Aaron Kaiser
2023-05-09 10:01:01 +02:00
parent 8a7b0d4d75
commit 56f6c785bb
9 changed files with 280 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
thesis/Abschlussarbeit.tex
View File

@@ -143,11 +143,7 @@ The chain of reductions can be depicted as:
\input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma} \input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma}
\input{sections/mu_security_of_eddsa/omdl'_implies_mu-gamez} \input{sections/mu_security_of_eddsa/omdl'_implies_mu-gamez}
\section{The Ed-GGM} \input{sections/edggm}
\subsection{Bounds on \sdlog} \label{sec:sdlog}
\subsection{Bounds on OMDlog'} \label{sec:somdl}
\section{Concrete Security of EdDSA} \section{Concrete Security of EdDSA}

36
thesis/citation.bib
View File

@@ -188,3 +188,39 @@
pages = {115--129}, pages = {115--129},
file = {Full Text PDF:/home/rixxc/Zotero/storage/WKJLTLKJ/Karpfinger and Meyberg - 2021 - Die Sätze von Sylow.pdf:application/pdf}, file = {Full Text PDF:/home/rixxc/Zotero/storage/WKJLTLKJ/Karpfinger and Meyberg - 2021 - Die Sätze von Sylow.pdf:application/pdf},
} }
@incollection{hutchison_exact_2012,
address = {Berlin, Heidelberg},
title = {On the {Exact} {Security} of {Schnorr}-{Type} {Signatures} in the {Random} {Oracle} {Model}},
volume = {7237},
isbn = {978-3-642-29010-7 978-3-642-29011-4},
url = {http://link.springer.com/10.1007/978-3-642-29011-4_33},
abstract = {The Schnorr signature scheme has been known to be provably secure in the Random Oracle Model under the Discrete Logarithm (DL) assumption since the work of Pointcheval and Stern (EUROCRYPT 96), at the price of a very loose reduction though: if there is a forger making at most qh random oracle queries, and forging signatures with probability εF , then the Forking Lemma tells that one can compute discrete logarithms with constant probability by rewinding the forger O(qh/εF ) times. In other words, the security reduction loses a factor O(qh) in its time-to-success ratio. This is rather unsatisfactory since qh may be quite large. Yet Paillier and Vergnaud (ASIACRYPT 2005) later showed that under the One More Discrete Logarithm (OMDL) assumption, any algebraic reduction must lose a factor at least qh1/2 in its time-to-success ratio. This was later improved by Garg et al. (CRYPTO 2008) to a factor qh2/3. Up to now, the gap between qh2/3 and qh remained open. In this paper, we show that the security proof using the Forking Lemma is essentially the best possible. Namely, under the OMDL assumption, any algebraic reduction must lose a factor f (εF )qh in its time-to-success ratio, where f ≤ 1 is a function that remains close to 1 as long as εF is noticeably smaller than 1. Using a formulation in terms of expected-time and queries algorithms, we obtain an optimal loss factor Ω(qh), independently of εF . These results apply to other signature schemes based on one-way group homomorphisms, such as the Guillou-Quisquater signature scheme.},
language = {en},
urldate = {2023-04-30},
booktitle = {Advances in {Cryptology} {EUROCRYPT} 2012},
publisher = {Springer Berlin Heidelberg},
author = {Seurin, Yannick},
editor = {Hutchison, David and Kanade, Takeo and Kittler, Josef and Kleinberg, Jon M. and Mattern, Friedemann and Mitchell, John C. and Naor, Moni and Nierstrasz, Oscar and Pandu Rangan, C. and Steffen, Bernhard and Sudan, Madhu and Terzopoulos, Demetri and Tygar, Doug and Vardi, Moshe Y. and Weikum, Gerhard and Pointcheval, David and Johansson, Thomas},
year = {2012},
doi = {10.1007/978-3-642-29011-4_33},
note = {Series Title: Lecture Notes in Computer Science},
pages = {554--571},
file = {Seurin - 2012 - On the Exact Security of Schnorr-Type Signatures i.pdf:/home/rixxc/Zotero/storage/5CWR5JYA/Seurin - 2012 - On the Exact Security of Schnorr-Type Signatures i.pdf:application/pdf},
}
@article{schwartz_fast_1980,
title = {Fast {Probabilistic} {Algorithms} for {Verification} of {Polynomial} {Identities}},
volume = {27},
issn = {0004-5411},
url = {https://dl.acm.org/doi/10.1145/322217.322225},
doi = {10.1145/322217.322225},
number = {4},
urldate = {2023-05-08},
journal = {Journal of the ACM},
author = {Schwartz, J. T.},
month = oct,
year = {1980},
pages = {701--717},
file = {Full Text PDF:/home/rixxc/Zotero/storage/9XIETZ49/Schwartz - 1980 - Fast Probabilistic Algorithms for Verification of .pdf:application/pdf},
}

3
thesis/macros.tex
View File

@@ -6,7 +6,7 @@
\newcommand{\secparamter}{\lambda} \newcommand{\secparamter}{\lambda}
\newcommand{\randomsample}{\leftarrow} \newcommand{\randomsample}{\leftarrow}
\newcommand{\randomassign}{\leftarrow} \newcommand{\randomassign}{\leftarrow}
\newcommand{\assign}{:=} \newcommand{\assign}{:=} % TODO: \coloneqq
\newcommand{\encoded}[1]{\underline{#1}} \newcommand{\encoded}[1]{\underline{#1}}
\newcommand{\m}{m} \newcommand{\m}{m}
\newcommand{\signature}{\sigma} \newcommand{\signature}{\sigma}
@@ -20,6 +20,7 @@
\newcommand{\test}{\overset{?}{=}} \newcommand{\test}{\overset{?}{=}}
\newcommand{\ch}{\textbf{ch}} \newcommand{\ch}{\textbf{ch}}
\newcommand{\messagespace}{\mathcal{M}} \newcommand{\messagespace}{\mathcal{M}}
\newcommand{\pset}[1]{\mathbf{#1}}
% Special Dlog % Special Dlog
\newcommand{\sdlog}{\text{DLog'} } \newcommand{\sdlog}{\text{DLog'} }

8
thesis/sections/edggm.tex Normal file
View File

@@ -0,0 +1,8 @@
\section{The Ed-GGM}
The subsequent section will determine specific bounds on the difficulty of particular variations of the discrete logarithm and one-more discrete logarithm problems introduced in previous proofs. These proofs are carried out in the generic group model. In the generic group model, group elements are represented as random bitstrings, and the adversary can only execute group operations by invoking an oracle.
In order to establish a generic group model for twisted Edwards curves, it's essential to examine the group structure. As demonstrated in Section \ref{sec:sdlog_imlies_igame}, a twisted Edwards curve can be broken down into a collection of cyclic subgroups. The generating set for this twisted Edwards curve is defined as a set of generators for these cyclic subgroups. With a fixed generating set, every point on the twisted Edwards curve can be uniquely expressed as a linear combination of the generators in that set. Consequently, the adversary is given the entire generator set as the description of the twisted Edwards curve. Additionally, the adversary has access to a group operation oracle, GOp, which, when supplied with two labels and a bit indicating whether the group elements should be added or subtracted, outputs the label of the resulting group element.
\input{sections/edggm/sdlog}
\input{sections/edggm/omdl}

1
thesis/sections/edggm/omdl.tex Normal file
View File

@@ -0,0 +1 @@
\subsection{Bounds on OMDlog'} \label{sec:somdl}

227
thesis/sections/edggm/sdlog.tex Normal file
View File

@@ -0,0 +1,227 @@
\subsection{Bounds on \sdlog} \label{sec:sdlog}
This section concentrates on establishing a lower bound for the hardness of a modified version of the discrete logarithm problem in the generic group model. This variation is introduced in definition \ref{def:sdlog} and functions similarly to the original discrete logarithm problem, with the exception of the secret scalar generation, which is derived from the EdDSA signature scheme's key generation algorithm. The subsequent proof is carried out in the generic group model for twisted Edwards curves.
\begin{theorem}
\label{theorem:sdlog_ggm}
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_n})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{1}{2^{n-1-c}} + \frac{\oraclequeries^2}{2^{n-1-c}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof closely resembles the original proof on the lower bound for the discrete logarithm problem by Shoup \cite{EC:Shoup97}. The initial step involves working with the discrete logarithms of group elements rather than the actual group elements themselves. In the generic group model, this is equivalent as each group element can be uniquely represented by its discrete logarithms with respect to a generating set. For consistency the generating set is denoted as $(\groupelement{B}, \groupelement{E_1}, ..., \groupelement{E_n})$, with $\groupelement{B}$ being the generator of the prime order subgroup and $\groupelement{E_1}$ to $\groupelement{E_n}$ being the generators of the other subgroups. Subsequently, the discrete logarithm in the prime order subgroup is replaced by an indeterminate. By doing this, the discrete logarithm in the prime order subgroup can be chosen after the adversary has provided their solution. As a result, the generic adversary can only guess the discrete logarithm in the prime order subgroup, since it is generated only after the adversary has already submitted their solution. Figure \ref{fig:sdlog_ggm} shows the \sdlog game in the generic group model.
\begin{figure}[h]
\hrule
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \sdlog}
\vspace{1mm}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_n}), Enc(\groupelement{A}))$
\State \Return $a^* \test a$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\textbf{Procedure} Enc($\groupelement{X} \in \curve$)}
\vspace{1mm}
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil log_2(|\curve|) \rceil} \backslash \pset{S}$
\State \quad $\mathbf{S} \assign \pset{S} \cup \{\sum[X]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{\sdlog in the generic group model}
\label{fig:sdlog_ggm}
\end{figure}
\paragraph{\underline{Formal Proof}}
\begin{figure}[h]
\hrule
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_0$} / \textcolor{blue}{$G_1$} /\textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
\vspace{1mm}
\BeginBox[draw=black]
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$
\Comment{$G_0 - G_4$}
\EndBox
\BeginBox[draw=black]
\State $\groupelement{A} \assign a \groupelement{B}$
\Comment{$G_0$}
\EndBox
\BeginBox[draw=blue]
\State $\groupelement{A} \assign (a, 0, ..., 0)$
\Comment{$G_1$}
\EndBox
\BeginBox[draw=red]
\State $P \assign Z$
\Comment{$G_2 - G_4$}
\State $\groupelement{A} \assign (P, 0, ..., 0)$
\EndBox
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_n}), Enc(\groupelement{A}))$
\State \Return $a^* \test a$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\BeginBox[draw=black]
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \curve$)}
\Comment{$G_0$}
\EndBox
\BeginBox[draw=blue]
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L} \times \field{ord(E_1)} \times ... \times \field{ord(E_n)}$)}
\Comment{$G_1$}
\EndBox
\BeginBox[draw=red]
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z] \times \field{ord(E_1)} \times ... \times \field{ord(E_n)}$)}
\Comment{$G_2 - G_4$}
\vspace{1mm}
\State Let $X = (P, x_2, ..., x_n)$
\State $\pset{P} = \pset{P} \cup \{P\}$
\EndBox
\BeginBox[draw=green]
\State \textbf{if } $\exists P_i \in \pset{P}: P_i(a) = P(a) \wedge P_i \neq P$
\Comment{$G_3 - G_4$}
\State \quad $bad \assign true$
\BeginBox[draw=orange,dashed]
\State \quad abort
\Comment{$G_4$}
\EndBox
\EndBox
\BeginBox[draw=red]
\State $X \assign (P(a), x_2, ..., x_n)$
\Comment{$G_2 - G_4$}
\EndBox
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil log_2(|\curve|) \rceil} \backslash \mathbf{S}$
\State \quad $\mathbf{S} \assign \mathbf{S} \cup \{\sum[X]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_0 - G_4$}
\label{fig:sdlog_games_ggm_1}
\end{figure}
\begin{figure}[h]
\hrule
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_4$} / \textcolor{blue}{$G_5$} /\textcolor{red}{$G_6$} / \textcolor{green}{$G_7$}}
\vspace{1mm}
\BeginBox[draw=black]
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$
\Comment{$G_4 - G_6$}
\EndBox
\State $P \assign Z$
\State $\groupelement{A} \assign (P, 0, ..., 0)$
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_n}), Enc(\groupelement{A}))$
\BeginBox[draw=green]
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$
\Comment{$G_7$}
\EndBox
\BeginBox[draw=red]
\State \textbf{if } $\exists P_i, P_j \in \pset{P}: P_i(a) = P_j(a) \wedge P_i \neq P$
\Comment{$G_6 - G_7$}
\State \quad $bad \assign true$
\State \quad abort
\EndBox
\State \Return $a^* \test a$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z] \times \field{ord(E_1)} \times ... \times \field{ord(E_n)}$)}
\vspace{1mm}
\State Let $X = (P, x_2, ..., x_n)$
\State $\pset{P} = \pset{P} \cup \{P\}$
\BeginBox[draw=black]
\State \textbf{if } $\exists P_i \in \pset{P}: P_i(a) = P(a) \wedge P_i \neq P$
\Comment{$G_4 - G_5$}
\State \quad $bad \assign true$
\State \quad abort
\EndBox
\BeginBox[draw=black]
\State $X \assign (P(a), x_2, ..., x_n)$
\Comment{$G_4$}
\EndBox
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil log_2(|\curve|) \rceil} \backslash \mathbf{S}$
\State \quad $\mathbf{S} \assign \mathbf{S} \cup \{\sum[X]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_4 - G_7$}
\label{fig:sdlog_games_ggm_2}
\end{figure}
\begin{proof}
\item Let $G_0$ represent the \sdlog game in the generic group model. In this proof, the discrete logarithm within the prime order subgroup of the group element $\groupelement{A}$ will be substituted with an indeterminate. Following that, it will be demonstrated that the challenger, by working with polynomials rather than actual discrete logarithms, makes errors in the simulation with negligible probability. Finally, it will be established that the discrete logarithm of the group element $\groupelement{A}$ can be selected after the adversary has submitted its solution for the game.
\item This proof utilizes the Schwartz-Zippel lemma. The Schwarz-Zippel lemma is defined as following:
\begin{definition}[Schwatz-Zippel lemma]
Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X]$ be a non-zero polynomial of total degree $d \geq 0$ over a field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x$ be selected uniformly at random from $S$. Then
\[ \Pr[P(x) = 0] \leq \frac{d}{|S|}. \]
A proof for this lemma can be found in \cite{schwartz_fast_1980}.
\end{definition}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:sdlog_games_ggm_1} by excluding all boxes except the black ones. This is equivalent to the \sdlog in the generic group model. By definition,
\[ \advantage{\curve, \adversary{A}}{\sdlog} = \prone{\sdlog^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_1$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification remains undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. Therefore,
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_2:$}} $G_2$ replaces the blue boxes with the red ones. This change replaces the discrete logarithm of the prime order subgroup with a polynomial. This change is only conceptual since the polynomial is evaluated in the Enc procedure. Hence,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the "if" condition within the green box. This modification is purely conceptual, as it only impacts internal variables that do not influence the game's behavior. Therefore,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag is activated. This bad flag signifies situations where collisions of group elements would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being activated can be determined using the Schwartz-Zippel lemma. For a fixed $P_i \in \pset{P}$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a) \wedge P_i \neq P$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being less or equal to $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\oraclequeries$ many polynomials by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\oraclequeries}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{\oraclequeries^2}{2^{n-1-c}}$. For this reason,
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{\oraclequeries^2}{2^{n-1-c}}. \]
For improved readability, $G_4$ is also depicted in \ref{fig:sdlog_games_ggm_2} by including only the black boxes and excluding all others.
\item \paragraph{\underline{$G_5:$}} $G_5$ removes the evaluation of the polynomial in the Enc procedure. This alteration is purely conceptual, as the previous abort condition ensured that no two distinct polynomials would yield the same value upon evaluation. Consequently, it is feasible to work directly with the polynomials rather than evaluating them.
\[ \prone{G_4^{\adversary{A}}} = \prone{G_5^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_6:$}} The difference in $G_6$ is that the abort condition was moved into the main game after the adversary provided its solution. To demonstrate that this alteration is solely conceptual, it will be proven that $G_6$ aborts if and only if $G_5$ would do the same.
$G_5$ aborts $\Rightarrow G_6$ aborts: If $G_5$ aborts, it means that a polynomial $P_i$ has been added to the set $\pset{P}$ during the call to the Enc procedure, which satisfies the abort condition. In $G_6$, the polynomials in the set $\pset{S}$ remain the same, since the instruction for adding polynomials to the set during the Enc procedure has not been altered between the games. After the adversary provides its solution, the challenger checks for any pair of polynomials in the set that meet the abort condition. Thus, $G_6$ will abort if $G_5$ would have aborted.
$G_6$ aborts $\Rightarrow G_5$ aborts: If $G_6$ were to abort, the set $\pset{P}$ would contain a pair of polynomials that satisfy the abort condition. The distinction between $G_6$ and $G_5$ is that $G_5$ checks for the existence of such a pair immediately after inserting a new polynomial. Consequently, if $G_6$ were to abort, $G_5$ would also abort.
This proofs that this change is only conceptual. Hence,
\[ \prone{G_5^{\adversary{A}}} = \prone{G_6^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_7:$}} The generation of the secret scalar $a$ in $G_7$ occurs after the adversary has provided its solution. This modification is purely conceptual, as the secret scalar is not utilized prior to this point. As a result, the adversary has no improved likelihood of computing its solution $a^*$ other than guessing, given that the challenger does not select $a$ until the adversary has submitted its solution. Thus,
\[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}} = \frac{1}{2^{n-1-c}}. \]
\item This proofs theorem \ref{theorem:sdlog_ggm}.
\end{proof}

3
thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex
View File

@@ -26,6 +26,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\vspace{2mm} \vspace{2mm}
\begin{algorithmic}[1] \begin{algorithmic}[1]
\Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$} \Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$}
\vspace{1mm}
\State $I \assign I + 1$ \State $I \assign I + 1$
\State \Return $a_i$ \State \Return $a_i$
\end{algorithmic} \end{algorithmic}
@@ -146,7 +147,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\Leftrightarrow \groupelement{A} &= (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1} \groupelement{B} \Leftrightarrow \groupelement{A} &= (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1} \groupelement{B}
\end{align*} \end{align*}
Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm if $A_i$. Together with the discrete logarithms of the other public keys, which where obtained by the \textit{DL} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger. Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e., not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm of $A_i$. Together with the discrete logarithms of the other public keys, which were obtained by the \textit{DL} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger.
\item This proves theorem \ref{theorem:adv_omdl'}. \item This proves theorem \ref{theorem:adv_omdl'}.
\end{proof} \end{proof}

2
thesis/sections/preliminaries.tex
View File

@@ -17,7 +17,7 @@ While modifying the games it has to be ensured that the advantage for an attacke
\begin{lemma}[Fundamental lemma of game-playing] \begin{lemma}[Fundamental lemma of game-playing]
Let G and H be identical-until-bad games and let $\adversary{A}$ be an adversary. Then, Let G and H be identical-until-bad games and let $\adversary{A}$ be an adversary. Then,
\[ Adv(G^{\adversary{A}}, H^{\adversary{A}}) \leq \Pr[bad] \] \[ Adv(G^{\adversary{A}}, H^{\adversary{A}}) = |\prone{G^{\adversary{A}}} - \prone{H^{\adversary{A}}}| \leq \Pr[bad] \]
\end{lemma} \end{lemma}
This means that the advantage to distinguish between two identical-until-bad games is bound by the probability of the bad flag being set. A proof for this lemma can be found in \cite{EC:BelRog06}. This means that the advantage to distinguish between two identical-until-bad games is bound by the probability of the bad flag being set. A proof for this lemma can be found in \cite{EC:BelRog06}.

2
thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex
View File

@@ -1,4 +1,5 @@
\subsection{\sdlog $\Rightarrow$ \igame (AGM)} \subsection{\sdlog $\Rightarrow$ \igame (AGM)}
\label{sec:sdlog_imlies_igame}
%TODO check if all c_i's are replaced by chall_i %TODO check if all c_i's are replaced by chall_i
@@ -9,6 +10,7 @@ This section shows that \sdlog implies \igame using the Algebraic Group Model. T
The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not chosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}. The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not chosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}.
\begin{definition}[\sdlog] \begin{definition}[\sdlog]
\label{def:sdlog}
For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as following: For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as following:
\[ \advantage{\adversary{A}}{\text{\sdlog}}(\secparamter) \assign | \Pr[\text{\sdlog}^{\adversary{A}} \Rightarrow 1] |. \] \[ \advantage{\adversary{A}}{\text{\sdlog}}(\secparamter) \assign | \Pr[\text{\sdlog}^{\adversary{A}} \Rightarrow 1] |. \]