finished first draft of proof DLog' => GameZ

2023-03-02 10:06:29 +01:00
parent fdcb3a8e9b
commit 851033a324

@@ -342,11 +342,12 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Algebraic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Upon providing a valid solution for the game \igame the reduction also gains following equation $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$. Both equations yield: The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Algebraic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Upon providing a valid solution for the game \igame the reduction also gains following equation $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$. Both equations yield:
% TODO: collision von cofactor c und challenge c % TODO: collision von cofactor c und challenge c
\begin{align*} \begin{align}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s \groupelement{B} - 2^c c \groupelement{A} \\ r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s \groupelement{B} - 2^c c \groupelement{A} \\
(r_2 + 2^c c)A &= (2^c s - r_1)B \\ (r_2 + 2^c c)A &= (2^c s - r_1)B \\
A &= (2^c s - r_1)(r_2 + 2^c c)^{-1} B A &= (2^c s - r_1)(r_2 + 2^c c)^{-1} B
\end{align*} \label{eq:Adlog}
\end{align}
Assuming that $r_2 + 2^c c$ is invertable in $\field{L}$ (not equal to $0$) we can use both equations to calculate the discrete logarithm of $\groupelement{A}$. To ensure that $r_2 + 2^c c$ is invertable the reduction has to abort if $-r_2$ equals $2^c c$ with $c$ being randomly choosen in the \ioracle oracle. Assuming that $r_2 + 2^c c$ is invertable in $\field{L}$ (not equal to $0$) we can use both equations to calculate the discrete logarithm of $\groupelement{A}$. To ensure that $r_2 + 2^c c$ is invertable the reduction has to abort if $-r_2$ equals $2^c c$ with $c$ being randomly choosen in the \ioracle oracle.
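Review bot: in the new align block all three rows receive an equation number, while \label{eq:Adlog} placed after the third row refers only to the last one; add \nonumber to the first two rows (or use one numbered equation with an aligned block inside) so the derivation carries a single number. Rows two and three also write bare A and B where the first row uses \groupelement{A} and \groupelement{B}. The TODO about the cofactor exponent c colliding with the challenge c is still open, so terms such as 2^c c remain ambiguous in an equation that is now labelled for reference; renaming one of the two symbols would settle it.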
@@ -418,9 +419,49 @@ TODO: vielleicht doch eher $\oraclequeries$ durch min entropy von $\{0,1\}^{2b}
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying \item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\sdlog}{\adversary{B}} \] \begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\sdlog}{\adversary{B}} \label{eq:advbsdlog}
\end{align}
\item This proofs Theorem \ref{theorem:advgamez}. \begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}
\State \underline{Adversary $\adversary{B}(\groupelement{A})$}
\State $(s^*) \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State $\exists \agmgroupelement{R^*}{r^*}, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, c^*) \in Q$
\State $R^* = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State \Return $(2^c s^* - r_1)(r_2 + 2^c c^*)^{-1}$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{\ioracle}{$\agmgroupelement{R_i}{r_i} \in \group{G}$}
\State $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State $c_i \randomsample \{0,1\}^{2b}$
\BeginBox[draw=blue]
\State \textbf{If} $2^c c_i = -r_2$ \textbf{then}
\State \text{ } $bad \assign true$
\BeginBox[draw=red,dashed]
\State \text{ } $abort$
\EndBox
\State \textbf{endIf}
\EndBox
\State $Q \assign Q \cup \{ (\agmgroupelement{R_i}{r_i}, c_i) \}$
\State \Return $c_i$
\EndProcedure
\end{algorithmic}
\end{multicols}
\hrule
\caption{Adversary $\adversary{B}$ breaking \sdlog}
\label{fig:adversarybsdlog}
\end{figure}
To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view on $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and has access to \ioracle. \ioracle is perfectly simulated.
Finally, consider $\adversary{A}$ output $s^*$. If bad is not set $r_2 + 2^c c^*$ is invertable in $\field{L}$ and $(2^c s^* - r_1)(r_2 + 2^c c^*)^{-1}$ is the discrete logarithm of $\adversary{A}$ to the basis of $\adversary{B}$ as shown in (\ref{eq:Adlog}).
\item This proves Theorem \ref{theorem:advgamez}.
\end{proof} \end{proof}
\newpage \newpage
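Review bot: the closing paragraph of the new proof text says the returned value is "the discrete logarithm of $\adversary{A}$ to the basis of $\adversary{B}$"; this should name the group elements \groupelement{A} and \groupelement{B}, not the adversaries. In the \ioracle procedure the argument is \agmgroupelement{R_i}{r_i}, but the body uses r_1 and r_2 as the two coefficients of the representation, which clashes with the per-query index i (the first query's representation would also be called r_1); a second index or a different letter for the coefficients would avoid this, and the same applies to the line R^* = r_1 \groupelement{B} + r_2 \groupelement{A} in adversary B, where R^* is also missing \groupelement. Adversary B has no branch for the case that no matching pair (R^*, c^*) exists in Q, and "invertable" should read "invertible".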