rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Ended proof sections

Browse Source
This commit is contained in:
Aaron Kaiser
2023-06-14 15:31:33 +02:00
parent 0da8add51b
commit 84b6119620
4 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
thesis/Abschlussarbeit.tex
View File

@@ -109,12 +109,14 @@ This section takes a closer look at the single-user security of the EdDSA signat
The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are: The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
\begin{theorem}[Security of EdDSA with strict parsing in the single-user setting] \begin{theorem}[Security of EdDSA with strict parsing in the single-user setting]
\label{theorem:eddsa_sp_su}
Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem} \end{theorem}
\begin{theorem}[Security of EdDSA with lax parsing in the single-user setting] \begin{theorem}[Security of EdDSA with lax parsing in the single-user setting]
\label{theorem:eddsa_lp_su}
Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
@@ -130,6 +132,8 @@ The chain of reductions can be depicted as:
\input{sections/security_of_eddsa/gamez_implies_uf-nma} \input{sections/security_of_eddsa/gamez_implies_uf-nma}
\input{sections/security_of_eddsa/dlog'_implies_gamez} \input{sections/security_of_eddsa/dlog'_implies_gamez}
By combining the loss of advantage during all of the proofs above, combined with the loss introduced by EdDSA', a proof for theorem \ref{theorem:eddsa_sp_su} and \ref{theorem:eddsa_lp_su} is obtained.
\section{The Security of EdDSA in a Multi-User Setting} \section{The Security of EdDSA in a Multi-User Setting}
In this section the multi-user security of the EdDSA signature scheme will be analyzed. A common approach for Schnorr-like signature schemes is to show it via the Random Self-reducibility property of the canonical identification scheme as done in \cite{C:KilMasPan16}. This approach does not work with the EdDSA signature scheme, since the reduction is not able to rerandomize a public key in a way preserving the distribution of the key generation algorithm. This is due to the fact that valid public key always has to have the n-th bit set. In this section the multi-user security of the EdDSA signature scheme will be analyzed. A common approach for Schnorr-like signature schemes is to show it via the Random Self-reducibility property of the canonical identification scheme as done in \cite{C:KilMasPan16}. This approach does not work with the EdDSA signature scheme, since the reduction is not able to rerandomize a public key in a way preserving the distribution of the key generation algorithm. This is due to the fact that valid public key always has to have the n-th bit set.
@@ -141,12 +145,14 @@ The proof starts by showing that the MU-UF-NMA security of EdDSA implies MU-SUF-
The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are: The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
\begin{theorem}[Security of EdDSA with strict parsing in the multi-user setting] \begin{theorem}[Security of EdDSA with strict parsing in the multi-user setting]
\label{theorem:eddsa_sp_mu}
Let $\adversary{A}$ be an adversary against the MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, Let $\adversary{A}$ be an adversary against the MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \[ \advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem} \end{theorem}
\begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting] \begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting]
\label{theorem:eddsa_lp_mu}
Let $\adversary{A}$ be an adversary against the MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, Let $\adversary{A}$ be an adversary against the MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
@@ -160,6 +166,8 @@ The chain of reductions can be depicted as:
\input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma} \input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma}
\input{sections/mu_security_of_eddsa/omdl'_implies_mu-gamez} \input{sections/mu_security_of_eddsa/omdl'_implies_mu-gamez}
By combining the loss of advantage during all of the proofs above, combined with the loss introduced by EdDSA', a proof for theorem \ref{theorem:eddsa_sp_mu} and \ref{theorem:eddsa_lp_mu} is obtained.
\input{sections/edggm} \input{sections/edggm}
\input{sections/concrete_security} \input{sections/concrete_security}

2
thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex
View File

@@ -72,6 +72,8 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\end{figure} \end{figure}
\begin{proof} \begin{proof}
\item Now it is argued that the \ioracle oracle can be used to simulate the hash function in a way that the answer of the MU-UF-NMA adversary can be used as an valid solution for the MU-\igame challenger.
\item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as MU-UF-NMA with EdDSA. By definition, \item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as MU-UF-NMA with EdDSA. By definition,
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \Pr[\text{MU-UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \Pr[\text{MU-UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]

2
thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex
View File

@@ -83,6 +83,8 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp
\end{figure} \end{figure}
\begin{proof} \begin{proof}
\item Now the original MU-SUF-CMA game is manipulated in a way that makes it possible to simulate signatures without the knowledge of the secret key. During each of the game-hops the probability for an adversary to detect this change is upper bounded.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one. $G_0$ is the MU-SUF-CMA for EdDSA. By definition, \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one. $G_0$ is the MU-SUF-CMA for EdDSA. By definition,
\[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]

2
thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex
View File

@@ -82,6 +82,8 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\end{figure} \end{figure}
\begin{proof} \begin{proof}
\item Now the individual game-hops are analyzed and the probability, that an adversary can distinguish between two games, is upper bounded.
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes. Clearly, $G_0$ is the MU-\igame. By definition, \item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes. Clearly, $G_0$ is the MU-\igame. By definition,
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]