diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex
index a3e10d2..47eb640 100644
--- a/thesis/Abschlussarbeit.tex
+++ b/thesis/Abschlussarbeit.tex
@@ -342,11 +342,12 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
 The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Algebraic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Upon providing a valid solution for the game \igame the reduction also gains following equation $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$. Both equations yield: % TODO: collision von cofactor c und challenge c
-\begin{align*}
+\begin{align}
 r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s \groupelement{B} - 2^c c \groupelement{A} \\
 (r_2 + 2^c c)A &= (2^c s - r_1)B \\
 A &= (2^c s - r_1)(r_2 + 2^c c)^{-1} B
-\end{align*}
+ \label{eq:Adlog}
+\end{align}
 Assuming that $r_2 + 2^c c$ is invertable in $\field{L}$ (not equal to $0$) we can use both equations to calculate the discrete logarithm of $\groupelement{A}$. To ensure that $r_2 + 2^c c$ is invertable the reduction has to abort if $-r_2$ equals $2^c c$ with $c$ being randomly choosen in the \ioracle oracle.
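Review bot: Switching to `align` gives all three rows an equation number, but `\label{eq:Adlog}` sits on the last row and, in this diff, that is the only row referenced later. Adding `\nonumber` to the first two rows (or using `equation` with `split`) would leave the derivation with a single number. The labelled row also still writes `2^c c`, with `c` standing for both the cofactor exponent and the challenge, as the TODO above it notes. The text that cites this equation in the second hunk uses `s^*` and `c^*`, so renaming the challenge here would keep the cited equation consistent with its use.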
@@ -418,9 +419,49 @@ TODO: vielleicht doch eher $\oraclequeries$ durch min entropy von $\{0,1\}^{2b}
 \item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
- \[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\sdlog}{\adversary{B}} \]
+ \begin{align}
+ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\sdlog}{\adversary{B}} \label{eq:advbsdlog}
+ \end{align}
- \item This proofs Theorem \ref{theorem:advgamez}.
+ \begin{figure}
+ \hrule
+ \begin{multicols}{2}
+ \large
+ \begin{algorithmic}
+ \State \underline{Adversary $\adversary{B}(\groupelement{A})$}
+ \State $(s^*) \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
+ \State $\exists \agmgroupelement{R^*}{r^*}, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, c^*) \in Q$
+ \State $R^* = r_1 \groupelement{B} + r_2 \groupelement{A}$
+ \State \Return $(2^c s^* - r_1)(r_2 + 2^c c^*)^{-1}$
+ \end{algorithmic}
+ \columnbreak
+ \begin{algorithmic}[1]
+ \Procedure{\ioracle}{$\agmgroupelement{R_i}{r_i} \in \group{G}$}
+ \State $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
+ \State $c_i \randomsample \{0,1\}^{2b}$
+ \BeginBox[draw=blue]
+ \State \textbf{If} $2^c c_i = -r_2$ \textbf{then}
+ \State \text{ } $bad \assign true$
+ \BeginBox[draw=red,dashed]
+ \State \text{ } $abort$
+ \EndBox
+ \State \textbf{endIf}
+ \EndBox
+ \State $Q \assign Q \cup \{ (\agmgroupelement{R_i}{r_i}, c_i) \}$
+ \State \Return $c_i$
+ \EndProcedure
+ \end{algorithmic}
+ \end{multicols}
+ \hrule
+ \caption{Adversary $\adversary{B}$ breaking \sdlog}
+ \label{fig:adversarybsdlog}
+ \end{figure}
+
+ To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view on $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and has access to \ioracle. \ioracle is perfectly simulated.
+
+ Finally, consider $\adversary{A}$ output $s^*$. If bad is not set $r_2 + 2^c c^*$ is invertable in $\field{L}$ and $(2^c s^* - r_1)(r_2 + 2^c c^*)^{-1}$ is the discrete logarithm of $\adversary{A}$ to the basis of $\adversary{B}$ as shown in (\ref{eq:Adlog}).
+
+ \item This proves Theorem \ref{theorem:advgamez}.
 \end{proof}
 \newpage
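Review bot: The closing added paragraph states the discrete logarithm "of `$\adversary{A}$` to the basis of `$\adversary{B}$`", which names the two adversaries where the public key and the generator are meant. It should read `the discrete logarithm of $\groupelement{A}$ to the base $\groupelement{B}$`. In the figure, the third line of $\adversary{B}$ is a bare existential over $Q$ with no output for the case that no matching entry exists. The returned `(r_2 + 2^c c^*)^{-1}` also appears to be undefined when `bad` is set and the dashed abort is not taken, so an explicit `\Return $\bot$` branch for both cases would make the reduction total. The enclosing proof and item list start outside this hunk, so the abort behaviour of $G_2$ itself cannot be checked from here.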