Cleaned up definitions for digital signature schemes and security assumptions
@@ -14,117 +14,57 @@ A digital signature scheme is a method to ensure the authenticity of data. The s
|
||||
For the digital signature scheme to be correct it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$
|
||||
\end{definition}
|
||||
|
||||
\subsubsection{\cma}
|
||||
A common security notion for digital signature schemes is the existential unforgeability under chosen message attack security (EUF-CMA). It requires that no adversary is able to forge a signature, for a given key, on a message for which they have not been provided with a valid signature. A stronger notion that is often used is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and had to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions with $N=1$.
|
||||
|
||||
Strong Existential Unforgeability against Chosen Message Attack (\cma) is a security notion for digital signature schemes. In this game the adversary is given access to a \Osign oracle, which generates valid signatures for arbitrary messages. The adversary wins the game if he is able to provide a message signature pair which is valid and was not generated by the \Osign oracle. The security game is depicted in figure \ref{game:cma}.
|
||||
\subsubsection{MU-EUF-CMA}
|
||||
|
||||
\begin{definition}[\cma]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \cma secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{\cma}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
\begin{definition}[MU-EUF-CMA]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{\cma}}(\secparamter) \assign \prone{\text{\cma}^{\adversary{A}}} \leq \epsilon \]
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \assign \prone{\text{MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter) \]
|
||||
\end{definition}
|
||||
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\normalsize
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game $\text{\cma}$}
|
||||
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
|
||||
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1 \wedge (\m^*, \signature^*) \notin M$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \Osign($\m \in \messagespace$)}
|
||||
\State $\signature \randomassign \sign(\privkey, \m)$
|
||||
\State $M \assign M \cup \{(\m, \signature)\}$
|
||||
\State \Return $\signature$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\hrule
|
||||
\caption{\cma Security Game}
|
||||
\label{game:cma}
|
||||
\end{figure}
|
||||
|
||||
\subsubsection{EUF-CMA}
|
||||
|
||||
Existential Unforgability against Chosen Message Attack (EUF-CMA) is similar to the SUF-CMA security notion. The adversary also gets access to an \Osign oracle which generates arbitrary signatures. Unlike in the SUF-CMA game the adversary wins the EUF-CMA game only if he forges a valid signature for a message that was not queries by the \Osign oracle. The security game is depicted in figure \ref{game:euf-cma}.
|
||||
|
||||
\begin{definition}[\cma]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is EUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{EUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{EUF-CMA}}(\secparamter) \assign \prone{\text{EUF-CMA}^{\adversary{A}}} \leq \epsilon \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\begin{multicols}{2}
|
||||
\normalsize
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game $\text{\cma}$}
|
||||
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
|
||||
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1 \wedge \m^* \notin M$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \Osign($\m \in \messagespace$)}
|
||||
\State $\signature \randomassign \sign(\privkey, \m)$
|
||||
\State $M \assign M \cup \{\m\}$
|
||||
\State \Return $\signature$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\hrule
|
||||
\caption{EUF-CMA Security Game}
|
||||
\label{game:euf-cma}
|
||||
\end{figure}
|
||||
|
||||
\subsubsection{UF-NMA}
|
||||
|
||||
Unforgeability against No Message Attack (UF-NMA) is a security notion for digital signature schemes. The difference to the \cma game is that the adversary does not get access to an \Osign oracle, which provides it with valid signatures for arbitrary messages. Like in the \cma setting the adversary is tasked to provide a valid signature for an arbitrary message. The game is depicted in figure \ref{game:uf-nma}.
|
||||
|
||||
\begin{definition}[UF-NMA]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is UF-NMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{UF-NMA}}(\secparamter) \assign \prone{\text{UF-NMA}^{\adversary{A}}} \leq \epsilon \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\game $\text{MU-EUF-CMA}$}
|
||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
|
||||
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*) \notin M$
|
||||
\end{algorithmic}
|
||||
\vspace{2mm}
|
||||
\begin{algorithmic}[1]
|
||||
\State \underline{\game $\text{UF-NMA}$}
|
||||
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey)$
|
||||
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1$
|
||||
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
|
||||
\State $\signature \randomassign \sign(\privkey_i, \m)$
|
||||
\State $M \assign M \cup \{(\pubkey_i, \m)\}$
|
||||
\State \Return $\signature$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{UF-NMA Security Game}
|
||||
\label{game:uf-nma}
|
||||
\caption{MU-EUF-CMA Security Game}
|
||||
\label{game:mu-euf-cma}
|
||||
\end{figure}
|
||||
|
||||
\subsubsection{MU-SUF-CMA}
|
||||
|
||||
MU-SUF-CMA is the multi-user variant of the SUF-CMA security notion. Instead of one public key the attacker gets $n$ public keys and is able to query signatures for arbitrary messages for any of the public keys. The goal of the adversary is to forge a signature for any of the public keys. The game is depicted in figure \ref{game:mu-suf-cma}.
|
||||
|
||||
\begin{definition}[MU-SUF-CMA]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $n$ be an integer. $SIG$ is n-MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-SUF-CMA game be defined in figure \ref{game:mu-suf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \assign \prone{\text{MU-SUF-CMA}^{\adversary{A}}} \leq \epsilon \]
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \assign \prone{\text{MU-SUF-CMA}^{\adversary{A}}} \leq negl(\secparamter) \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\normalsize
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\game $\text{MU-SUF-CMA}$}
|
||||
\State \textbf{for} $i \in \{1,2,...,n\}$
|
||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
|
||||
\State \Return $\exists i \in \{1,2,...,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$
|
||||
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$
|
||||
\end{algorithmic}
|
||||
\vspace{2mm}
|
||||
\begin{algorithmic}[1]
|
||||
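Review bot: the new MU-EUF-CMA definition names the wrong notion in its conclusion. Under `\begin{definition}[MU-EUF-CMA]` the sentence `$SIG$ is MU-SUF-CMA secure if for all ppt adversaries ...` should read `$SIG$ is MU-EUF-CMA secure`, otherwise the definition never actually defines MU-EUF-CMA security. The same figure is inconsistent about the number of users: the key-generation loop and the return line use `$N$`, but the adversary call `\adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)` and the oracle header `\Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)` still use `$n$`, and the MU-SUF-CMA game keeps `\pubkey_n` in its adversary call as well; use `$N$` throughout. The oracle superscript should also name the oracle the adversary is actually given, `\Osign(\inp, \inp)`, rather than the raw `\sign` algorithm, since the bookkeeping set $M$ that the return line checks is only maintained inside `\Osign`. In the intro paragraph, "had to forge" should be "has to forge" and "respectively MU-EUF-CMA and SUF-CMA" should be "MU-EUF-CMA and MU-SUF-CMA". Finally, the new advantage displays `\assign \prone{...} \leq negl(\secparamter)` fold the security condition into the definition of the advantage; keep the display as the definition `\advantage{...} \assign \prone{...}`, let the prose carry the negligibility requirement, and set `negl` upright (`\mathrm{negl}`) so it is not typeset as a product of four variables.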
@@ -138,16 +78,14 @@ MU-SUF-CMA is the multi-user variant of the SUF-CMA security notion. Instead of
|
||||
\label{game:mu-suf-cma}
|
||||
\end{figure}
|
||||
|
||||
\subsubsection{MU-EUF-CMA}
|
||||
|
||||
\subsubsection{MU-UF-NMA}
|
||||
|
||||
MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of one public key the adversary gets access to $n$ public keys and has to forge a signature for any of the public keys. Unlike the MU-SUF-CMA the adversary does not get access to a signing oracle. The game is depicted in figure \ref{game:mu-uf-nma}.
|
||||
The MU-UF-NMA security game is similar to the MU-EUF-CMA game. The only difference is that the adversary does not has access to an oracle to obtain valid signatures for arbitrary messages. Again the UF-NMA security notation is a special case of the MU-UF-NMA security notation with $N=1$.
|
||||
|
||||
\begin{definition}[MU-UF-NMA]
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $n$ be an integer. $SIG$ is n-MU-UF-NMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-UF-NMA game be defined in figure \ref{game:mu-uf-nma}. $SIG$ is MU-UF-NMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
|
||||
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq \epsilon \]
|
||||
\[ \advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq negl(\secparamter) \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}[h]
|
||||
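Review bot: the replacement MU-UF-NMA paragraph has two wording errors: "does not has access" should be "does not have access", and "security notation" (twice) should be "security notion". It also drops the one sentence of the old text that said what the adversary must output, a valid signature under any of the $N$ public keys; keep that, since the figure alone is what now states the goal. As in the previous hunk, `\assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq negl(\secparamter)` should define the advantage only, with `\mathrm{negl}` if the bound is kept in the display.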
@@ -155,10 +93,10 @@ MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of o
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\State \underline{\game $\text{MU-UF-NMA}$}
|
||||
\State \textbf{for} $i \in \{1,2,...,n\}$
|
||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
||||
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey_1, \pubkey_2, \pubkey_n)$
|
||||
\State \Return $\exists i \in \{1,2,...,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
|
||||
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{MU-UF-NMA Security Game}
|
||||
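Review bot: the MU-UF-NMA game still gives the adversary a signing oracle. The unchanged line `\adversary{A}^{\sign(\inp)}(\pubkey_1, \pubkey_2, \pubkey_n)` contradicts the prose that a no-message adversary has no `\Osign` access, and with a return line that only checks `\verify`, the adversary would win trivially by returning any oracle answer. Drop the superscript, i.e. `\adversary{A}(\pubkey_1, \pubkey_2, ..., \pubkey_N)`, which also fixes the missing ellipsis and the lowercase `n` that this hunk otherwise renames to `N` in the loop and the return line. Minor: the game heading here is a numbered `\State \underline{\game ...}` while the other figures use `\Statex`, so the game name is typeset as line 1.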
@@ -166,3 +104,56 @@ MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of o
|
||||
\end{figure}
|
||||
|
||||
\subsection{Security Assumptions}
|
||||
|
||||
This thesis proves the security of the EdDSA signature scheme under two assumptions. The single-user security of EdDSA can be proved under the discrete logarithm assumption, while the multi-user security of EdDSA requires the stronger one-more discrete logarithm assumption. Both security assumptions are presented in this section.
|
||||
|
||||
\subsubsection{Discrete Logarithm Problem}
|
||||
|
||||
\begin{definition}[Discrete Logarithm Problem]
|
||||
Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. Let the discrete logarithm game be defined in figure \ref{game:dlog}. The advantage of an adversary $\adversary{A}$ is defined by its ability to win the discrete logarithm game.
|
||||
|
||||
\[ \advantage{\group{G}, \adversary{A}}{Dlog} \assign \prone{\text{Dlog}^{\adversary{A}}} \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game Dlog}
|
||||
\State $a \randomsample \field{L}$
|
||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||
\State $a' \randomassign \adversary{A}(\groupelement{A})$
|
||||
\State \Return $a \test a'$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\hrule
|
||||
\caption{Dlog}
|
||||
\label{game:dlog}
|
||||
\end{figure}
|
||||
|
||||
\subsubsection{One-More Discrete Logarithm}
|
||||
|
||||
The one-more discrete logarithm assumption is stronger than the discrete logarithm assumption. In this assumption the adversary is supplied with $N$ group elements and an oracle to obtain the discrete logarithm of up to $N-1$ group elements. The task of the adversary is to output the discrete logarithm for all supplied group elements.
|
||||
|
||||
\begin{definition}[One-More Discrete Logarithm Problem]
|
||||
Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. Let the one-more discrete logarithm game be defined in figure \ref{game:om-dlog}. The advantage of an adversary $\adversary{A}$ is defined by its ability to win the one-more discrete logarithm game.
|
||||
|
||||
\[ \advantage{\group{G}, \adversary{A}}{OM-Dlog} \assign \prone{\text{OM-Dlog}^{\adversary{A}}} \]
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\game OM-Dlog}
|
||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||
\State \quad $a_i \randomsample \field{L}$
|
||||
\State \quad $\groupelement{A_i} \assign a \groupelement{B}$
|
||||
\State $\overset{\rightharpoonup}{a'} \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
||||
\State \Return $\forall i \in \{1,2,...,N\}: a_i \test a'_i$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\hrule
|
||||
\caption{One-More Discrete Logarithm}
|
||||
\label{game:om-dlog}
|
||||
\end{figure}
|
||||
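Review bot: the OM-Dlog game does not enforce the query bound the prose relies on. The text says the adversary may obtain the discrete logarithm of at most $N-1$ group elements, but the figure gives `\adversary{A}^{DL(\inp)}` unrestricted access and the return line checks only `\forall i \in \{1,2,...,N\}: a_i \test a'_i`, so the adversary wins by querying `DL(\groupelement{A_i})` for every $i$. Add a counter in the oracle (`q \assign 0` before the loop, `q \assign q + 1` per query) and return `q < N \wedge \forall i ...`, or state the bound explicitly in the definition text. There is also a typo in the loop: `\groupelement{A_i} \assign a \groupelement{B}` should be `a_i \groupelement{B}`, otherwise every challenge is the same undefined `a`. The `DL` oracle is never written out, while every signature game in this file spells out its oracle; a short `\oracle DL(\groupelement{X})` returning the $x$ with $x \groupelement{B} = \groupelement{X}$ would make the figure self-contained. Minor: the two advantage displays drop the `(\secparamter)` argument used in all the signature definitions, and `a \randomsample \field{L}` presumes that $L$ is prime, which holds for the EdDSA subgroup order but should be stated with the group.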