Formalized proof DLog' => GameZ

thesis/Abschlussarbeit.tex

@@ -128,7 +128,6 @@ Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \c
 \[ \advantage{SIG,\adversary{A}}{\cma}(\secparamter) \assign \prone{\cma^{\adversary{A}}} \leq \epsilon \]
 
 \begin{figure}
-	\label{game:cma}
 	\hrule
 	\begin{multicols}{2}
 		\normalsize
@@ -149,6 +148,7 @@ Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \c
 	\end{multicols}
 	\hrule
 	\caption{\cma Security Game}
+	\label{game:cma}
 \end{figure}
 
 \subsection{Random Oracle Model (ROM)}
@@ -195,7 +195,6 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
 % TODO: Ist das ok hier einfach zu kopieren?
 \begin{center}
 	\begin{table}[t]
-		\label{tab:parameter}
 		\centering
 		\begin{tabularx}{\textwidth}{@{}lX@{}}
 			\textbf{Parameter} & \textbf{Description} \\
@@ -212,13 +211,13 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
 			$H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure.
 		\end{tabularx}
 	\caption{Parameter of the EdDSA signature scheme}
+	\label{tab:parameter}
 	\end{table}
 \end{center}
 
 
 
 \begin{figure}
-	\label{fig:eddsa}
 	\hrule
 	\begin{multicols}{3}
 		\scriptsize
@@ -252,6 +251,7 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
 	\end{multicols}
 	\hrule
 	\caption{Generic description of the algorithms \keygen, \sign and \verify used by the EdDSA signature scheme}
+	\label{fig:eddsa}
 \end{figure}
 
 \subsection{Replacing Hash Function Calls}
@@ -290,7 +290,6 @@ To generate a signature without the knowledge of the private key the challenge a
 This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
 
 \begin{figure}
-	\label{game:igame}
 	\hrule
 	\begin{multicols}{2}
 		\large
@@ -313,6 +312,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
 	\end{multicols}
 	\hrule
 	\caption{\igame}
+	\label{game:igame}
 \end{figure}
 
 \subsection{\sdlog $=>$ \igame (AGM)}
@@ -324,7 +324,6 @@ This section shows that \sdlog implies \igame using the Algebraic Group Model. T
 The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not choosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}. 
 
 \begin{figure}
-	\label{fig:sdlog}
 	\hrule
 	\begin{algorithmic}[1]
 		\State \underline{\game \sdlog}
@@ -335,6 +334,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
 	\end{algorithmic}
 	\hrule
 	\caption{\sdlog}
+	\label{fig:sdlog}
 \end{figure}
 
 \paragraph{\underline{Proof Overview}}
@@ -352,7 +352,6 @@ Assuming that $r_2 + 2^c c$ is invertable in $\field{L}$ (not equal to $0$) we c
 
 \begin{figure}
 	% TODO: set caption
-	\label{fig:igamewithabort}
 	\hrule
 	\begin{multicols}{2}
 		\large
@@ -383,6 +382,7 @@ Assuming that $r_2 + 2^c c$ is invertable in $\field{L}$ (not equal to $0$) we c
 	\end{multicols}
 	\hrule
 	\caption{\igame with aborts}
+	\label{fig:igamewithabort}
 \end{figure}
 
 \paragraph{Introducing aborts}
@@ -392,9 +392,37 @@ Game $G_0$ is defined in Figure \ref{fig:igamewithabort} by ignoring all boxes.
 \paragraph{\underline{Formal Proof}}
 
 \begin{theorem}
-	Let
+	\label{theorem:advgamez}
+	Let $\adversary{A}$ be an adversary that solves \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
+	
+	% TODO: hard bezüglich ggen
+	% TODO: min entropy von {0,1}^{2b} mod L?
+	\[ \advantage{\igame}{\adversary{A}} \leq \advantage{\sdlog}{\adversary{B}} - \frac{\oraclequeries}{L} \]
 \end{theorem}
 
+TODO: vielleicht doch eher $\oraclequeries$  durch min entropy von $\{0,1\}^{2b} \pmod L$?
+
+\begin{proof}
+	\item \paragraph{\underline{$G_0$:}} Let $G_0 \assign \igame$ be \igame. By definition,
+	
+	\[ \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \]
+	
+	\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. This is just a conceptual change since the behavior of the game does not change wether the flag is set or not. Hence,
+	
+	\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \]
+	
+	% TODO: wählen von 
+	\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{L}$, since $c$ is chosen from $\field{L}$ uniformly at random. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] = \frac{\oraclequeries}{L}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
+	
+	\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{L} \]
+	
+	\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
+	
+	\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\sdlog}{\adversary{B}} \]
+	
+	\item This proofs Theorem \ref{theorem:advgamez}.
+\end{proof}
+
 \newpage
 \section{The Security of EdDSA in a Multi-User Setting}