Added Proofs for lax parsing

2023-05-02 17:36:07 +02:00
parent 419018dec3
commit 8a7b0d4d75
9 changed files with 210 additions and 30 deletions


@@ -1,4 +1,5 @@
\section{EdDSA Signatures}
\label{sec:eddsa}
% TODO: Referenz zum ersten Paper 2011 oder lieber zum journal paper 2012?
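Review bot: the added third line is an unresolved TODO, in German, asking whether to cite the 2011 paper or the 2012 journal version; decide on the reference before this lands rather than leaving the question in a source comment, and keep source comments in the manuscript's language (English) so later reviewers of the proofs can follow them.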
@@ -17,7 +18,7 @@ The generic version of EdDSA from the "EdDSA for more Curves" paper, the RFC 803
The list of the parameters can be found in table \ref{tab:parameter}.
\subsection{Encoding Function}
\subsection{Encoding of Group Elements}
The encoding function encodes points on the twisted Edwards cuve into b-bit bitstring and vice versa. It is assumed to be unambiguous, with each point on the twisted Edwards curve having exactly one bitstring representing that point and invalid bitstring being rejected during decoding of the point. This way by decoding a b-bit bitstring into an cuve point implicitly ensures that the decoded point is a valid point on the specified twisted Edwards curve. The requirement for this property comes from the specified encoding function in \cite{EPRINT:BJLSY15}.
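Review bot: the rename to \subsection{Encoding of Group Elements} is fine, but the context paragraph below it still reads "cuve" twice and "an cuve point", and writes b-bit in plain text where the rest of the section uses $b$-bit; since this hunk already touches the subsection, fix those in the same commit. The security claim in that paragraph is the one the later proofs rely on, so it is worth making unambiguous: "invalid bitstring being rejected" should say explicitly that decoding rejects any bitstring that is not the unique canonical encoding of a point on the curve, not only bitstrings that decode to no curve point at all, because the "exactly one bitstring per point" property is what makes the decoded \groupelement{R} well defined.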
@@ -27,6 +28,16 @@ The message space $\messagespace$ is defined as a bitstring of arbitrary length.
Looking at the RFC and the FIPS standard the context is passed into a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during the generation and verification of the signature. Since the proofs are conducted in the random oracle model the position of the data in the hash function call and the actual content of the message and the context are not relevant for the output of the random oracle call. Unless the reduction explicitly uses the content of message, which they do not in this case. Therefore, the context can be modeled as being part of the message.
\subsection{Signature}
The signature is a defined as a $2b$ bitstrig of the encoded curve points $\groupelement{R}$ concatenated with the $b$-bit little endian encoding of the scalar $S$.
$S$ being defined as the $b$-bit little endian encoding poses a problem. It might be possible that the decoded $S$ is larger than the order $L$ of the generator. The original paper \cite{EPRINT:BJLSY15} proposes two variants to handle decoded $S$ values, which are larger than $L$. The first approach is to replace $S$ with $S \pmod L$ and continue the verification of the signature. This will be called the lax parsing. The other approach is to reject all $S$ values larger than $L$ and fail the verification of the signature in that case. Parsing the integer like this will be called strict parsing.
The later proofs show that those two approaches lead to different security properties of the signature. Using strict parsing results in the SUF-CMA security while using lax parsing "only" ensures EUF-CMA security.
The RFC as well as the FIPS standard both require strict parsing.
\subsection{Differences from Schnorr Signatures}
As already pointed out in \cite{SP:BCJZ21} there are some minor differences from traditional Schnorr signature which prevent already existing proofs of the Schnorr signature scheme to be applied to EdDSA. This section points out the differences of the EdDSA signature scheme from traditional Schnorr signature scheme.
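Review bot: the boundary in the new Signature subsection is off by one: handling only $S$ values "larger than $L$" leaves $S = L$ unaddressed, although $S \bmod L$ also changes it (to $0$) under lax parsing, so both variants should be stated for $S \geq L$; equivalently, strict parsing accepts exactly $0 \leq S < L$, which is the range check the RFC requires. It would also help the reader to give the one-line reason the two variants separate SUF-CMA from EUF-CMA: under lax parsing the verification equation accepts $(\groupelement{R}, S)$ and $(\groupelement{R}, S + L)$ alike, so a second valid signature on an already signed message exists without any secret, which SUF-CMA forbids and EUF-CMA does not; strict parsing rejects the non-canonical one. Typos in the added lines: "bitstrig", "is a defined as a", and "The later proofs" (better: "The proofs below").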
@@ -59,7 +70,7 @@ The commitment is chosen as the result of a hash function instead of uniformly a
% TODO: Ist das ok hier einfach zu kopieren?
\begin{center}
\begin{table}[t]
\begin{table}[!ht]
\centering
\begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Description} \\
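Review bot: the changed \begin{table}[!ht] float sits inside a \begin{center} environment, which is redundant with the \centering already inside the float and adds stray vertical space around it; drop the outer center environment together with its matching \end{center}. The TODO above the table asks whether copying it here is acceptable; if the rows are taken from the cited source, attribute them in the caption (a "parameters as listed in \cite{...}" is enough) instead of leaving the question as a comment.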
@@ -82,7 +93,7 @@ The commitment is chosen as the result of a hash function instead of uniformly a
\begin{figure}
\begin{figure}[H]
\hrule
\begin{multicols}{3}
\scriptsize
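Review bot: \begin{figure}[H] needs the float package; make sure \usepackage{float} is in the preamble, otherwise the H specifier is an "Unknown float option" compile error. Note also that [H] pins the three-column listing to this exact spot and can leave a large gap at the bottom of the preceding page; [!ht], as used for the parameter table in the previous hunk, is usually enough and keeps the two floats consistent.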
@@ -161,7 +172,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
Let $\adversary{A}$ be and adversary against SUF-CMA security of the EdDSA signature scheme. Then
%TODO: richtigre Richtung?
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2\hashqueries}{2^b}. \]
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2 (\hashqueries + 1)}{2^b}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
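Review bot: the direction of the inequality still looks reversed, which is exactly what the TODO above it asks. The game hops in the later hunk bound each step by $|\Pr[G_i^{\adversary{A}} \Rightarrow 1] - \Pr[G_{i+1}^{\adversary{A}} \Rightarrow 1]| \leq \frac{\hashqueries + 1}{2^b}$, and two such steps give $\advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) + \frac{2(\hashqueries + 1)}{2^b}$: the loss is added to the EdDSA' advantage, not subtracted from the EdDSA one. As written, the right-hand side turns negative whenever the EdDSA advantage is below $2(\hashqueries + 1)/2^b$, so the bound would be vacuous precisely in the regime that matters. The $+1$ update itself matches the justification added in the game hops. Also "be and adversary" should read "be an adversary".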
@@ -254,13 +265,13 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_1] \leq \frac{\hashqueries}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have
\item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all hash queries $\hashqueries$ plus the one hash, which is performed by the challenger during signature verification, we obtain $\Pr[bad_1] \leq \frac{\hashqueries + 1}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\hashqueries}{2^b}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\hashqueries + 1}{2^b}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_2] \leq \frac{\hashqueries}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have
\item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all hash queries $\hashqueries$ plus the one hash, which is performed by the challenger during signature verification, we obtain $\Pr[bad_2] \leq \frac{\hashqueries + 1}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b}. \]
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries + 1}{2^b}. \]
%TODO: Signatur von RF genauer beschreiben?
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue boxes in the main game and the \Osign oracle with the orange boxes. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefore, an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
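Review bot: the $+1$ justification for $bad_1$ and $bad_2$ is consistent with the theorem update, but the $G_3$ abort as phrased ("a message is queried which starts with $h_b | ... | h_{2b-1}$") would also fire on the challenger's own hash calls inside \Osign, since signing hashes exactly that prefix followed by the message; state that $bad_2$ is set only on the adversary's direct random-oracle queries (the blue-box calls in \Osign are internal and are the ones $G_4$ replaces), otherwise the game aborts on the first signing query and the hop does not go through. Likewise, in $G_2$ "the message equals $k$" should say the random-oracle input equals $k$, since $k$ is compared against hash queries, not against signing messages. Wording: "Therefor" should be "Therefore" (twice), "can can" is doubled, "introduced ion $G_2$" should be "in $G_2$", and the inserted clause reads better without the commas: "plus the one hash performed by the challenger during signature verification".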