Included Feedback in Dlog'=>GameZ proof

2023-03-09 12:17:19 +01:00
parent 8925f7c66c
commit 673d2170a0
3 changed files with 153 additions and 149 deletions


@@ -208,7 +208,7 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
$n$ & The number of bits used for the secret scalar of the public key. \\ $n$ & The number of bits used for the secret scalar of the public key. \\
$a, d$ & The curve parameter of the twisted Edwards curve. \\ $a, d$ & The curve parameter of the twisted Edwards curve. \\
$B$ & A generator point of the prime order subgroup of $E$. \\ $B$ & A generator point of the prime order subgroup of $E$. \\
$l$ & The order of the prime order subgroup. \\ $L$ & The order of the prime order subgroup. \\
$H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure. $H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure.
\end{tabularx} \end{tabularx}
\caption{Parameter of the EdDSA signature scheme} \caption{Parameter of the EdDSA signature scheme}
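Review bot: In the parameter table the row "$a, d$" uses $a$ for a curve parameter, while the games further down in this file sample the secret scalar as "$a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$". Since this hunk already renames the group order to $L$, rename one of the two uses of $a$ in the same pass. The description in that row and the caption should also read "parameters" (plural).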
@@ -294,19 +294,18 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
\begin{multicols}{2} \begin{multicols}{2}
\large \large
\begin{algorithmic}[1] \begin{algorithmic}[1]
\State \underline{\game \igame} \Statex \underline{\game \igame}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$ \State \quad $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State $\groupelement{A} = a \groupelement{B}$ \State \quad $\groupelement{A} \assign a \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$ \State \quad $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$ \State \quad \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$
\end{algorithmic} \end{algorithmic}
\columnbreak \columnbreak
\begin{algorithmic}[1] \begin{algorithmic}[1]
\Procedure{\ioracle}{$\groupelement{R_i} \in \group{G}$} \Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
\State $c_i \randomsample \{0,1\}^{2b}$ \State \quad $chall_i \randomsample \{0,1\}^{2b}$
\State $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$ \State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$
\State \Return $c_i$ \State \quad \Return $chall_i$
\EndProcedure
\end{algorithmic} \end{algorithmic}
\end{multicols} \end{multicols}
\hrule \hrule
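Review bot: The oracle on the new side samples and returns $chall_i$ but still records "(\groupelement{R}_i, c_i)" in $Q$, so the stored pair refers to a $c_i$ that is no longer defined; it should be "(\groupelement{R}_i, chall_i)". The return line of the game has the same leftover: it keeps $c^*$ right next to the cofactor exponent in "2^c", while the new subsection file writes $chall^*$. Consider a macro for the challenge (for example one based on \mathit{chall}) so the name is not typeset as a product of five variables.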
@@ -314,144 +313,8 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
\label{game:igame} \label{game:igame}
\end{figure} \end{figure}
\subsection{\sdlog $=>$ \igame (AGM)} \include{sections/security_of_eddsa/dlog'_implies_gamez}
This section shows that \sdlog implies \igame using the Algebraic Group Model. The section starts by introducing a special variant of the discret logarithm problem followed by an intuition of the proof and at last giving a detailed security proof.
\paragraph{\underline{Introducing \sdlog}}
The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not choosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}.
\begin{figure}
\hrule
\begin{algorithmic}[1]
\State \underline{\game \sdlog}
\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $a' \randomassign \adversary{A}(\groupelement{A})$
\State \Return $a = a'$
\end{algorithmic}
\hrule
\caption{\sdlog}
\label{fig:sdlog}
\end{figure}
\paragraph{\underline{Proof Overview}}
The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Algebraic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Upon providing a valid solution for the game \igame the reduction also gains following equation $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$. Both equations yield:
% TODO: collision von cofactor c und challenge c
\begin{align}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s \groupelement{B} - 2^c c \groupelement{A} \\
(r_2 + 2^c c)A &= (2^c s - r_1)B \\
A &= (2^c s - r_1)(r_2 + 2^c c)^{-1} B
\label{eq:Adlog}
\end{align}
Assuming that $r_2 + 2^c c$ is invertible in $\field{L}$ (not equal to $0$) we can use both equations to calculate the discrete logarithm of $\groupelement{A}$. To ensure that $r_2 + 2^c c$ is invertible the reduction has to abort if $-r_2$ equals $2^c c$ with $c$ being randomly chosen in the \ioracle oracle.
% TODO: clarify encoding of c
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\State \underline{\game $G_0 = \igame$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State $\groupelement{A} = a \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{\ioracle}{$\agmgroupelement{R_i}{r_i} \in \group{G}$}
\State $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State $c_i \randomsample \{0,1\}^{2b}$
\BeginBox[draw=blue]
\State \textbf{If} $2^c c_i \equiv -r_2 \pmod L$ \textbf{then}
\State \quad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\EndBox
\EndBox
\State $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$
\State \Return $c_i$
\EndProcedure
\end{algorithmic}
\end{multicols}
\hrule
\caption{\igame with aborts}
\label{fig:igamewithabort}
\end{figure}
\paragraph{Introducing aborts}
Game $G_0$ is defined in Figure \ref{fig:igamewithabort} by ignoring all boxes. Game $G_1$ is defined by including the blue (but not the dotted red) box. It introduces a bad flag which is set if $2^c c_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. Since only the bad flag is set the change is only semantically. Game $G_2$ includes all boxes and aborts in the case where the bad flag is set. The later proof argues that the advantage to differentiate between game $G_1$ and $G_2$ is negligible.
\paragraph{\underline{Formal Proof}}
\begin{theorem}
\label{theorem:advgamez}
Let $\adversary{A}$ be an adversary that solves \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
% TODO: hard bezüglich ggen
\[ \advantage{\igame}{\adversary{A}} \leq \advantage{\sdlog}{\adversary{B}} - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
\begin{proof}
\item \paragraph{\underline{$G_0$:}} Let $G_0 \assign \igame$ be \igame. By definition,
\[ \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \]
\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. This is just a conceptual change since the behavior of the game does not change wether the flag is set or not. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \]
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ being the min entropy of $c \pmod L$ since $c$ is chosen from $\{0,1\}^{2b}$ uniformly at random and then reduced modulo $L$ in the check during the if condition. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] = \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\sdlog}{\adversary{B}} \label{eq:advbsdlog}
\end{align}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\State \underline{Adversary $\adversary{B}(\groupelement{A})$}
\State $(s^*) \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State $\exists \agmgroupelement{R^*}{r^*}, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, c^*) \in Q$
\State $R^* = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State \Return $(2^c s^* - r_1)(r_2 + 2^c c^*)^{-1}$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{\ioracle}{$\agmgroupelement{R_i}{r_i} \in \group{G}$}
\State $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State $c_i \randomsample \{0,1\}^{2b}$
\State \textbf{If} $2^c c_i \equiv -r_2 \pmod L$ \textbf{then}
\State \quad $bad \assign true$
\State \quad $abort$
\State $Q \assign Q \cup \{ (\agmgroupelement{R_i}{r_i}, c_i) \}$
\State \Return $c_i$
\EndProcedure
\end{algorithmic}
\end{multicols}
\hrule
\caption{Adversary $\adversary{B}$ breaking \sdlog}
\label{fig:adversarybsdlog}
\end{figure}
To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view on $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and has access to \ioracle. \ioracle is perfectly simulated.
Finally, consider $\adversary{A}$ output $s^*$. If bad is not set $r_2 + 2^c c^*$ is invertible in $\field{L}$ and $(2^c s^* - r_1)(r_2 + 2^c c^*)^{-1}$ is the discrete logarithm of $\adversary{A}$ to the basis of $\adversary{B}$ as shown in (\ref{eq:Adlog}).
\item This proves Theorem \ref{theorem:advgamez}.
\end{proof}
\newpage \newpage
\section{The Security of EdDSA in a Multi-User Setting} \section{The Security of EdDSA in a Multi-User Setting}
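Review bot: "\include{sections/security_of_eddsa/dlog'_implies_gamez}" issues a page break before and after the included file and cannot be used inside a file that is itself pulled in with \include, so the subsection will no longer follow the \igame figure on the same page. \input is the usual choice for moving a subsection into its own file. With \include kept, the "\newpage" on the next line becomes redundant. The apostrophe in the file name is also worth dropping for portability across build tools and file systems.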


@@ -1,9 +1,10 @@
% Games % Games
\newcommand{\game}{\textbf{Game} } \newcommand{\game}{\textbf{Game} }
\newcommand{\oracle}{\textbf{Oracle} }
\newcommand{\inp}{\cdot} \newcommand{\inp}{\cdot}
\newcommand{\field}[1]{\mathbb{Z}_{#1}} \newcommand{\field}[1]{\mathbb{Z}_{#1}}
\newcommand{\secparamter}{\lambda} \newcommand{\secparamter}{\lambda}
\newcommand{\randomsample}{\overset{{\scriptscriptstyle\$}}{\leftarrow}} \newcommand{\randomsample}{\leftarrow}
\newcommand{\randomassign}{\leftarrow} \newcommand{\randomassign}{\leftarrow}
\newcommand{\assign}{:=} \newcommand{\assign}{:=}
\newcommand{\encoded}[1]{\underline{#1}} \newcommand{\encoded}[1]{\underline{#1}}
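Review bot: After this change "\randomsample" and "\randomassign" both expand to "\leftarrow", so uniform sampling from a set (as in "$chall_i \randomsample \{0,1\}^{2b}$") can no longer be told apart from taking the output of a randomized algorithm. If the dollar sign was dropped on request, state the convention once in the preliminaries or merge the two macros; otherwise keep distinct symbols. The unchanged context line "\secparamter" is a misspelling of \secparameter.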
@@ -15,6 +16,7 @@
\newcommand{\agmgroupelement}[2]{[\groupelement{#1}]_{\overset{\rightharpoonup}{#2}}} \newcommand{\agmgroupelement}[2]{[\groupelement{#1}]_{\overset{\rightharpoonup}{#2}}}
\newcommand{\group}[1]{\mathbb{#1}} \newcommand{\group}[1]{\mathbb{#1}}
\newcommand{\oraclequeries}{q_o} \newcommand{\oraclequeries}{q_o}
\newcommand{\test}{\overset{?}{=}}
% Special Dlog % Special Dlog
\newcommand{\sdlog}{DLog' } \newcommand{\sdlog}{DLog' }
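Review bot: "\test" is a very generic macro name and is placed among the group element macros although its only use is the win check in the games ("\Return $a \test a'$"); a name such as \eqtest in the "% Games" block would be clearer and less likely to clash with a package. In the context line below, "\sdlog" expands to plain text with a trailing space but is used inside math mode in the new subsection (for example "\Pr[\sdlog \Rightarrow 1]"), where it is typeset as italic variables. Defining it via \ensuremath{\mathsf{DLog}'} would typeset it consistently in both modes (the text uses then need an explicit space or \xspace).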


@@ -0,0 +1,139 @@
\subsection{\sdlog $=>$ \igame (AGM)}
%TODO check if all c_i's are replaced by chall_i
This section shows that \sdlog implies \igame using the Algebraic Group Model. The section starts by introducing a special variant of the discret logarithm problem followed by an intuition of the proof and at last giving a detailed security proof.
\paragraph{\underline{Introducing \sdlog}}
The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not choosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}.
For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as following:
% TODO: \sdlog => \sdlog^{\adversary{A}}
% TODO: Sicherheitsparameter von dlog'?
\[ \advantage{\adversary{A}}{\sdlog}(k) \assign | \Pr[\sdlog \Rightarrow 1] | \]
\begin{figure}
\hrule
\begin{algorithmic}[1]
\Statex \underline{\game \sdlog}
\State \quad $a \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$
\State \quad $\groupelement{A} \assign a \groupelement{B}$
\State \quad $a' \randomassign \adversary{A}(\groupelement{A})$
\State \quad \Return $a \test a'$
\end{algorithmic}
\hrule
\caption{\sdlog}
\label{fig:sdlog}
\end{figure}
\begin{theorem}
\label{theorem:advgamez}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\igame,\adversary{A}}{\group{G}} \leq \advantage{\sdlog,\adversary{B}}{\group{G}} - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Algebraic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Together with a valid to the \igame game this can be used to calculate the discrete logarithm of the public key.
% TODO: clarify encoding of c
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State \quad $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State \quad $\groupelement{A} \assign a \groupelement{B}$
\State \quad $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \quad \Return $\exists \groupelement{R}^*, chall^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - chall^* \groupelement{A}) \wedge (\groupelement{R}^*, chall^*) \in Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
\State \quad Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State \quad $chall_i \randomsample \{0,1\}^{2b}$
\BeginBox[draw=blue]
\State \quad \textbf{If} $2^c chall_i \equiv -r_2 \pmod L$ \textbf{then}
\State \qquad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \qquad $abort$
\EndBox
\EndBox
\State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, chall_i) \}$
\State \quad \Return $chall_i$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Games $G_0 - G_2$}
\label{fig:igamewithabort}
\end{figure}
\paragraph{\underline{Formal Proof}}
\begin{proof}
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be \igame. By definition,
% TODO: Hier Sicherheitsparameter?
\[ \advantage{\igame,\adversary{A}}{\group{G}} = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \]
\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c chall_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \]
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $chall_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $chall_i \pmod L$. $chall_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $chall_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $chall_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $chall_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $chall_i$ has to be concidert, which takes this into account. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\sdlog}{\adversary{B}} \label{eq:advbsdlog}
\end{align}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
\State \quad $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \quad \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, chall^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - chall^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, chall^*) \in Q$ \textbf{then}
\State \qquad $abort$
\State \quad Let $R^* = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State \quad \Return $(2^c s^* - r_1)(r_2 + 2^c chall^*)^{-1}$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
\State \quad Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State \quad $chall_i \randomsample \{0,1\}^{2b}$
\State \quad \textbf{If} $2^c chall_i \equiv -r_2 \pmod L$ \textbf{then}
\State \qquad $bad \assign true$
\State \qquad $abort$
\State \quad $Q \assign Q \cup \{ (\agmgroupelement{R_i}{r_i}, chall_i) \}$
\State \quad \Return $chall_i$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Adversary $\adversary{B}$ breaking \sdlog}
\label{fig:adversarybsdlog}
\end{figure}
To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
Finally, consider $\adversary{A}$ output $s^*$. We know that one $R^* = 2^c s^*B - 2^c chall^*A$. We can use this together with the representation of $R^*$ to get following equation:
\begin{align*}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s^* \groupelement{B} - 2^c chall^* \groupelement{A} \\
(r_2 + 2^c chall^*)A &= (2^c s^* - r_1)B \\
A &= (2^c s^* - r_1)(r_2 + 2^c chall^*)^{-1} B
\end{align*}
Assuming that $r_2 + 2^c chall^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$.
\item This proves Theorem \ref{theorem:advgamez}.
\end{proof}
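Review bot: The bound in Theorem \ref{theorem:advgamez} subtracts the abort term ("\leq \advantage{\sdlog,\adversary{B}}{\group{G}} - \frac{\oraclequeries}{...}"), but the game hops give $\Pr[G_1] \leq \Pr[G_2] + \Pr[bad]$, so the term has to be added. The \advantage macro is called with three different argument layouts (in the definition of the \sdlog advantage, in the theorem, and in (\ref{eq:advbsdlog})), and the definition carries a "(k)" that appears nowhere else; pick one layout. The TODO about replacing the $c_i$'s is still open in the $G_2$ paragraph ("$c_i$ is chosen by the game"), and the overview sentence "Together with a valid to the \igame game" is missing its noun. Spelling to fix: discret, choosen, therefor, triggert, concidert, "reduction module $L$".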