diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex index 3c710c5..25db0c1 100644 --- a/thesis/Abschlussarbeit.tex +++ b/thesis/Abschlussarbeit.tex @@ -109,12 +109,14 @@ This section takes a closer look at the single-user security of the EdDSA signat The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are: \begin{theorem}[Security of EdDSA with strict parsing in the single-user setting] + \label{theorem:eddsa_sp_su} Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \end{theorem} \begin{theorem}[Security of EdDSA with lax parsing in the single-user setting] + \label{theorem:eddsa_lp_su} Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] 
@@ -130,6 +132,8 @@ The chain of reductions can be depicted as: \input{sections/security_of_eddsa/gamez_implies_uf-nma} \input{sections/security_of_eddsa/dlog'_implies_gamez} +By combining the loss of advantage during all of the proofs above, combined with the loss introduced by EdDSA', a proof for theorem \ref{theorem:eddsa_sp_su} and \ref{theorem:eddsa_lp_su} is obtained. + \section{The Security of EdDSA in a Multi-User Setting} In this section the multi-user security of the EdDSA signature scheme will be analyzed. A common approach for Schnorr-like signature schemes is to show it via the Random Self-reducibility property of the canonical identification scheme as done in \cite{C:KilMasPan16}. This approach does not work with the EdDSA signature scheme, since the reduction is not able to rerandomize a public key in a way preserving the distribution of the key generation algorithm. This is due to the fact that valid public key always has to have the n-th bit set. 
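Review bot: The new closing sentence hardcodes the word `theorem` in front of bare `\ref`s and leaves a breakable space before each number; write it as `Theorems~\ref{theorem:eddsa_sp_su} and~\ref{theorem:eddsa_lp_su}` (or `\cref{theorem:eddsa_sp_su,theorem:eddsa_lp_su}` if cleveref is loaded). The phrase `By combining ... combined with` repeats the same verb; `By adding up the advantage losses of the proofs above together with the loss introduced by EdDSA', Theorems~\ref{theorem:eddsa_sp_su} and~\ref{theorem:eddsa_lp_su} are proved.` reads cleaner. The sentence added by the hunk at -160,6 for theorem:eddsa_sp_mu and theorem:eddsa_lp_mu has the identical issue. Since the sentence only asserts that the losses combine, a one-line restatement of the resulting inequality here would let a reader check the summands against the theorem bounds without consulting each proof.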
@@ -141,12 +145,14 @@ The proof starts by showing that the MU-UF-NMA security of EdDSA implies MU-SUF- The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are: \begin{theorem}[Security of EdDSA with strict parsing in the multi-user setting] + \label{theorem:eddsa_sp_mu} Let $\adversary{A}$ be an adversary against the MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \end{theorem} \begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting] + \label{theorem:eddsa_lp_mu} Let $\adversary{A}$ be an adversary against the MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] @@ -160,6 +166,8 @@ The chain of reductions can be depicted as: \input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma} \input{sections/mu_security_of_eddsa/omdl'_implies_mu-gamez} +By combining the loss of advantage during all of the proofs above, combined with the loss introduced by EdDSA', a proof for theorem \ref{theorem:eddsa_sp_mu} and \ref{theorem:eddsa_lp_mu} is obtained. + \input{sections/edggm} \input{sections/concrete_security} 
diff --git a/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex b/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex index 70adf35..04c5d49 100644 --- a/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex +++ b/thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex @@ -72,6 +72,8 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat \end{figure} \begin{proof} + \item Now it is argued that the \ioracle oracle can be used to simulate the hash function in a way that the answer of the MU-UF-NMA adversary can be used as an valid solution for the MU-\igame challenger. + \item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as MU-UF-NMA with EdDSA. By definition, \[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \Pr[\text{MU-UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] diff --git a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex index e8c66fb..bcf28be 100644 --- a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex +++ b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex 
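Review bot: The added sentence reads `as an valid solution`; the article should be `a valid solution`. The sentence is inserted as a bare `\item` directly after `\begin{proof}`, which only compiles if the proof environment opens a list; the pre-existing `\item Let $G_0$ ...` line follows the same pattern, so presumably the thesis redefines `proof` that way, but that cannot be confirmed from the hunk. The proof body continues outside the hunk.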
@@ -83,6 +83,8 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp \end{figure} \begin{proof} + \item Now the original MU-SUF-CMA game is manipulated in a way that makes it possible to simulate signatures without the knowledge of the secret key. During each of the game-hops the probability for an adversary to detect this change is upper bounded. + \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one. $G_0$ is the MU-SUF-CMA for EdDSA. By definition, \[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] diff --git a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex index 5469832..d3af73d 100644 --- a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex +++ b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex @@ -82,6 +82,8 @@ This section shows that \somdl implies MU-\igame using the algebraic group model \end{figure} \begin{proof} + \item Now the individual game-hops are analyzed and the probability, that an adversary can distinguish between two games, is upper bounded. + \item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes. Clearly, $G_0$ is the MU-\igame. By definition, \[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
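Review bot: In the hunk for omdl'_implies_mu-gamez.tex the added sentence sets a restrictive clause off with commas, `the probability, that an adversary can distinguish between two games, is upper bounded`; a restrictive that-clause takes no commas, so `the probability that an adversary can distinguish between two games is bounded from above`. The sentence added in the hunk for mu-uf-nma_implies_mu-suf-cma.tex is grammatical, but `is upper bounded` there would also read better as `is bounded from above`, keeping both introductions consistent. Both sentences are inserted as a bare `\item` immediately after `\begin{proof}`, matching the existing `\item \paragraph{...}` lines, so they rely on whatever list the thesis's proof environment opens; that cannot be verified from the hunk. Both proof bodies continue beyond the hunk.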