simplified equations
@@ -20,7 +20,7 @@ This definition can be used to calculate the bit security of concrete instantiat
\begin{theorem}[Ed25519 Bit Security]
\label{theorem:ed25519}
The Ed25519 signature scheme provides 125-bit security in the single-user setting and 124-bit security in the multi-user setting against algebraic adversaries.
The Ed25519 signature scheme provides 125-bit security in the single-user setting and 124-bit security in the multi-user setting against generic adversaries.
\end{theorem}
Ed25519 is one of the most widely used instantiations of EdDSA. According to the RFC it is supposed to provide around 128-bit of security. It uses the twisted Edwards curve Ed25519 and SHA-512 as a hash function \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. This provides the following values, needed to calculate the security level of Ed25519 according to the security proof in this thesis:
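Review bot: the switch from "algebraic adversaries" to "generic adversaries" in the theorem statement needs a one-sentence justification in the text. The reduction to \sdlog / \somdl is carried out in the algebraic group model (the later hunk header still reads "\somdl implies MU-\igame using the algebraic group model"), while the term \frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} plugged in below is a generic-group bound on the discrete-logarithm advantage. Since every generic adversary is also algebraic, restricting the statement to generic adversaries is what makes combining the two sound; without saying so, the change reads as an unexplained weakening of the result. The same remark applies to the Ed448 theorem further down.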
@@ -48,10 +48,10 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{125} + 3)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64}}{2^{252} 2^{125}} \\
&\approx 2^{-125} + 2^{-316} + 2^{-189} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{125} + 3)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} (2^{125} + 1) 2^{260}}{2^{512} 2^{125}} \\
&\approx 2^{-125} + 2^{-316} + 2^{-188} \\
&\approx 2^{-125}
\end{align*}
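Review bot: the second term of the approximation line is wrong in both the old and the new version: 2(2^{125} + 1) / (2^{256} 2^{125}) is about 2^{126 - 381} = 2^{-255}, not 2^{-316} (the Ed448 analogue below correctly gives 2^{224 - 679} = 2^{-455}). Please change "&\approx 2^{-125} + 2^{-316} + 2^{-188}" to carry 2^{-255}; the final 2^{-125} is unaffected. The rewrite of the third term is correct, since dividing by 2^{-\log_2 X} is multiplying by X, and the corrected exponent 2^{-188} matches 2^{64 + 125 + 260 - 512 - 125}. It would help the reader to note that 2^{260} stands in for \lceil \frac{2^{512} - 1}{L} \rceil with L > 2^{252}, so the substitution only loosens the bound.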
@@ -63,10 +63,10 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{125} + 2^{35} + 2)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64} 2^{35}}{2^{252} 2^{125}} \\
&\approx 2^{-124} + 2^{-316} + 2^{-189} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{125} + 2^{35} + 2)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} (2^{125} + 2^{35}) 2^{260}}{2^{512} 2^{125}} \\
&\approx 2^{-124} + 2^{-316} + 2^{-188} \\
&\approx 2^{-124}
\end{align*}
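Review bot: the same second-term slip as in the single-user bound: 2(2^{125} + 1) / (2^{256} 2^{125}) is about 2^{-255}, not 2^{-316}, so the line "&\approx 2^{-124} + 2^{-316} + 2^{-188}" should read 2^{-255} in the middle. The new third term \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} correctly folds \oraclequeries \hashqueries + \oraclequeries N, and with N = 2^{35} its value 2^{-188} is right; the final 2^{-124} stands.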
@@ -79,7 +79,7 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
\begin{theorem}[Ed448 Bit Security]
\label{theorem:ED448}
The Ed448 signature scheme provides 221-bit security in the single-user setting and 220-bit security in the multi-user setting against algebraic adversaries.
The Ed448 signature scheme provides 221-bit security in the single-user setting and 220-bit security in the multi-user setting against generic adversaries.
\end{theorem}
Another popular instantiation of the EdDSA signature scheme is Ed448. It uses the Ed448 twisted Edwards curve and SHAKE256 as hash function. It is supposed to provide around 224 bits of security and was also standardized by the IETF and NIST \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. The respective standards provide following values:
@@ -105,10 +105,10 @@ Another popular instantiation of the EdDSA signature scheme is Ed448. It uses th
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{223} + 3)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} 2^{223} + 2^{64}}{2^{446} 2^{223}} \\
&\approx 2^{-221} + 2^{-455} + 2^{-382} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{223} + 3)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} (2^{223} + 1) 2^{466}}{2^{912} 2^{223}} \\
&\approx 2^{-221} + 2^{-455} + 2^{-372} \\
&\approx 2^{-221}
\end{align*}
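Review bot: the new evaluation of the third term introduces an exponent typo: 2^{64} (2^{223} + 1) 2^{466} / (2^{912} 2^{223}) = 2^{753 - 1135} = 2^{-382}, which is exactly what the removed line had, but the new approximation line says 2^{-372}. Please restore "2^{-221} + 2^{-455} + 2^{-382}"; the final 2^{-221} is unaffected.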
@@ -118,10 +118,10 @@ Another popular instantiation of the EdDSA signature scheme is Ed448. It uses th
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{223} + 2^{35} + 2)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} 2^{223} + 2^{64} 2^{35}}{2^{446} 2^{223}} \\
&\approx 2^{-220} + 2^{-445} + 2^{-382} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{223} + 2^{35} + 2)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} (2^{223} + 2^{35}) 2^{466}}{2^{912} 2^{223}} \\
&\approx 2^{-220} + 2^{-445} + 2^{-372} \\
&\approx 2^{-220}
\end{align*}
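Review bot: two exponent errors in the approximation line. The third term 2^{64} (2^{223} + 2^{35}) 2^{466} / (2^{912} 2^{223}) is about 2^{-382}, as the removed line had, not 2^{-372}. The unchanged second term 2(2^{223} + 1) / (2^{456} 2^{223}) equals 2^{-455}, exactly as in the single-user Ed448 bound above, not 2^{-445}. The line should read "2^{-220} + 2^{-455} + 2^{-382}"; the final 2^{-220} does not change.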
@@ -215,7 +215,7 @@ This section provides a lower bound on the hardness of the modified version of t
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. The polynom $S_i$ only contains the monial $Z_n$, while the polynom $R_i$ contains the remaining monials and the constant. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \]
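Review bot: the added sentence has a notation error and spelling problems. "$S_i$ only contains the monial $Z_n$" must use the capital $Z_N$ that the surrounding text uses in $S_i \in \field{L}[Z_N]$; lowercase $n$ is a different index. "polynom" should be "polynomial" and "monial(s)" should be "monomial(s)", here and in the unchanged text around it. Since the polynomials are of degree one, it would be more precise to say that $S_i$ is a scalar multiple of $Z_N$ and $R_i$ collects the remaining monomials and the constant term.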
@@ -7,7 +7,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\begin{definition}[MU-\igame]
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$, receiving $N$ public keys as input, we define its advantage in the MU-\igame as following:
\[ \advantage{\adversary{A}}{\text{MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \]
\[ \advantage{\adversary{A}}{\text{$N$-MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \]
\end{definition}
\begin{figure}[h]
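Review bot: the renaming is incomplete. The advantage is now \advantage{\adversary{A}}{\text{$N$-MU-\igame}}, but the probability on the right still reads \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1], the environment header \begin{definition}[MU-\igame] keeps the old name, and the theorem in the \somdl section below still writes \text{MU-\igame}; rename all of them or none. Minor: "as following" should be "as follows", and the absolute value around a single probability is redundant.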
@@ -15,7 +15,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\vspace{1mm}
\large
\begin{algorithmic}
\Statex \underline{\game \igame}
\Statex \underline{\game $N$-MU-\igame}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
@@ -30,7 +30,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\State \Return $\ch_i$
\end{algorithmic}
\hrule
\caption{MU-\igame}
\caption{$N$-MU-\igame}
\label{game:mu-igame}
\end{figure}
@@ -6,7 +6,7 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im
\label{theorem:adv_mu-uf-nma}
Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the absence of the \Osign oracle in MU-EUF-NMA. For this reason, the reduction must simulate the \Osign oracle without the knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure, introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}.
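Review bot: the context line "Let $n$ and $N$ be positive integer" should read "positive integers", as the parallel theorem \ref{theorem:adv2_mu-uf-nma} already has it. The statement also introduces $\adversary{A}$ as an adversary against MU-SUF-CMA while the displayed advantage is written \text{MU-\cma}; if the \cma macro expands to SUF-CMA this is fine, otherwise the two should be aligned. The simplified additive term is equivalent to the old one.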
@@ -95,7 +95,7 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im
\item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. Again, without loss of generality it is assumed that the adversary only queried each public key/message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function, the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item \paragraph{\underline{$G_3:$}} In $G_3$ the \Osign oracle is replaced by the \Osign oracle in the green box. Instead of calculating the response using the secret key, the \simalg algorithm is used to generate a tuple of commitment, challenge, and response. Then the random oracle is programmed to output the specific challenge given $\encoded{R} | \encoded{A_j} | \m$ as an input. This change is only conceptual, since \simalg outputs a correctly distributed set and it was ruled out in earlier games that the random oracle was previously queries with this input. Hence,
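Review bot: the displayed bound was simplified, but the prose of $G_2$ still carries the old form \frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} twice; rewrite it as \frac{\hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} and \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} so text and equation agree. Wording in the context lines: "only queried each public key/message pair only once" has a duplicated "only", and "was previously queries with this input" in $G_3$ should be "was previously queried".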
@@ -164,7 +164,7 @@ This section shows that MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA secu
\label{theorem:adv2_mu-uf-nma}
Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Formal Proof}}
@@ -40,7 +40,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\label{theorem:adv_omdl'}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, receiving $N$ public keys and making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason, the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it is again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
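Review bot: the theorem text says "an adversary against \igame ... receiving $N$ public keys", but an \igame adversary receives a single key; this should be the multi-user game, i.e. MU-\igame, or $N$-MU-\igame after the renaming in the definition hunk, which the displayed \advantage{\group{G},\adversary{A}}{\text{MU-\igame}} does not pick up either. The simplification of the additive term is fine.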
@@ -94,7 +94,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort is triggered if the bad flag is set to true. For each individual \ioracle oracle query the bad flag is set with a probability of $\frac{N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. With $2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}$ being the min-entropy of $\ch$ and $N$ being the number of $r_i$ with which the equation $2^c \ch \equiv - r_i \pmod L$ could evaluate to true. By the Union bound over all $\oraclequeries$ oracle quries we obtain $\Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
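Review bot: the $G_2$ prose still uses the 2^{-\log_2(\cdot)} form three times while the display now reads \frac{\oraclequeries N \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}; update the prose to match. The sentence "With $2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}$ being the min-entropy of $\ch$ ..." is a fragment and also contradicts the single-user proof, which (correctly) calls the exponent $-\log_2(\cdot)$ the min-entropy; $2^{-\log_2(X)} = 1/X$ is the number of guesses, not the entropy. Typo: "quries".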
@@ -19,7 +19,7 @@ A common security notion for digital signature schemes is the existential unforg
\begin{definition}[MU-EUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the N-MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is N-MU-EUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have
\[ \advantage{SIG,\adversary{A}}{\textsf{N-MU-EUF-CMA}}(\secparamter) \assign \prone{\textsf{N-MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\[ \advantage{SIG,\adversary{A}}{\textsf{$N$-MU-EUF-CMA}}(\secparamter) \assign \prone{\textsf{$N$-MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\end{definition}
\begin{figure}[h]
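Review bot: the display now typesets $N$ in math mode, but the prose two lines above still says "the N-MU-EUF-CMA game" and "N-MU-EUF-CMA secure" in text mode; use $N$-MU-EUF-CMA there too so the name is consistent.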
@@ -27,7 +27,7 @@ A common security notion for digital signature schemes is the existential unforg
\normalsize
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game $\text{N-MU-EUF-CMA}$}
\Statex \underline{\game $\text{$N$-MU-EUF-CMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
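Review bot: the context line \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n) indexes the last key with lowercase $n$, but the loop above generates $N$ keys and $n$ is used elsewhere for the scalar bit length; it should be \pubkey_N. The same slip appears in the MU-SUF-CMA and MU-EUF-NMA figures below.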
@@ -41,14 +41,14 @@ A common security notion for digital signature schemes is the existential unforg
\State \Return $\signature$
\end{algorithmic}
\hrule
\caption{N-MU-EUF-CMA Security Game}
\caption{$N$-MU-EUF-CMA Security Game}
\label{game:mu-euf-cma}
\end{figure}
\begin{definition}[MU-SUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-SUF-CMA game be defined in figure \ref{game:mu-suf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have
\[ \advantage{SIG,\adversary{A}}{\textsf{N-MU-SUF-CMA}}(\secparamter) \assign \prone{\textsf{N-MU-SUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\[ \advantage{SIG,\adversary{A}}{\textsf{$N$-MU-SUF-CMA}}(\secparamter) \assign \prone{\textsf{$N$-MU-SUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\end{definition}
\begin{figure}[h]
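Review bot: the MU-SUF-CMA definition prose says "Let the MU-SUF-CMA game be defined in figure ..." and "$SIG$ is MU-SUF-CMA secure", whereas the display and the caption now use $N$-MU-SUF-CMA; the MU-EUF-CMA definition above at least carries the N- prefix in prose. Pick one form for all three definitions.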
@@ -56,7 +56,7 @@ A common security notion for digital signature schemes is the existential unforg
\normalsize
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game $\text{N-MU-SUF-CMA}$}
\Statex \underline{\game $\text{$N$-MU-SUF-CMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
@@ -70,7 +70,7 @@ A common security notion for digital signature schemes is the existential unforg
\State \Return $\signature$
\end{algorithmic}
\hrule
\caption{N-MU-SUF-CMA Security Game}
\caption{$N$-MU-SUF-CMA Security Game}
\label{game:mu-suf-cma}
\end{figure}
@@ -79,21 +79,21 @@ The MU-EUF-NMA security game is similar to the MU-EUF-CMA game. The only differe
\begin{definition}[MU-EUF-NMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the N-MU-EUF-NMA game be defined in figure \ref{game:mu-uf-nma}. $SIG$ is N-MU-EUF-NMA secure if for all ppt adversaries $\adversary{A}$, we have
\[ \advantage{SIG,\adversary{A}}{\textsf{N-MU-EUF-NMA}}(\secparamter) \assign \prone{\textsf{N-MU-EUF-NMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\[ \advantage{SIG,\adversary{A}}{\textsf{$N$-MU-EUF-NMA}}(\secparamter) \assign \prone{\textsf{$N$-MU-EUF-NMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\end{definition}
\begin{figure}[h]
\hrule
\vspace{1mm}
\begin{algorithmic}
\State \underline{\game $\text{N-MU-EUF-NMA}$}
\State \underline{\game $\text{$N$-MU-EUF-NMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey_1, \pubkey_2, \pubkey_n)$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
\end{algorithmic}
\hrule
\caption{N-MU-EUF-NMA Security Game}
\caption{$N$-MU-EUF-NMA Security Game}
\label{game:mu-uf-nma}
\end{figure}
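Review bot: three issues in this figure beyond the rename. The header line uses \State \underline{\game ...} whereas the other game figures use \Statex, so it will be numbered and indented differently from them. The adversary call \adversary{A}(\pubkey_1, \pubkey_2, \pubkey_n) is missing the ellipsis and should end in \pubkey_N, matching the $N$ keys generated in the loop. And the definition prose still says "N-MU-EUF-NMA" in text mode while the display now uses $N$.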
@@ -35,7 +35,7 @@ The \sdlog game is a variant of the discrete logarithm game that represents the
\label{theorem:advgamez}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) + \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) + \frac{\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
@@ -109,7 +109,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
\item \paragraph{\underline{$G_2:$}} The game $G_2$ is aborted if the bad flag is set. For each individual \ioracle query, the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $\ch_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and thus the value of $r_2$. This way the adversary has no way to choose $\ch_i$ after $r_2$ and therefore cannot influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the if condition check. By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
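Review bot: the displayed bound is simplified, but the $G_2$ prose still states the per-query probability as \frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} and the union bound as \frac{\oraclequeries}{2^{-\log_2(\cdot)}}; rewrite them as \frac{\lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} and \frac{\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} to match. "min entropy" should be hyphenated as in the other proofs.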
@@ -6,7 +6,7 @@ This section shows that the EUF-NMA security of EdDSA implies the \cma security
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} The EUF-NMA security definition is close to the \cma security definition, but lacks the \Osign oracle. To show that EUF-NMA security implies \cma security, the reduction must simulate the \Osign oracle without knowledge of the private key.
@@ -118,7 +118,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\item \paragraph{\underline{$G_2:$}} $G_2$ also contains the abort statement in the red box. The abort condition is triggered when the $bad$ flag is set. Without loss of generality, it is assumed that the adversary queries the \sign oracle only once for each message, since the signature generated is deterministic and an adversary would not gain more information by multiple queries on the same message. For each individual signature query, the probability of the $bad$ flag being set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter of the hash function that is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition, he must guess the commitment $\groupelement{R}$ used during one of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min-entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied by the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction modulo $L$ there are $min\{2^{2b}, L\}$ possible values for $r'$. If the values of $L$ are less than $2^{2b}$ (which is the case in most instances of EdDSA), then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information, the min entropy of $\groupelement{R}$ must be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle with the \sign oracle in the green box. Now the signature is not generated by using the secret key, but by using the \simalg procedure and manually setting the result of the hash function call. This change is conceptual only. \simalg returns a correctly distributed tuple $(R, \ch, S)$, with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \ch \groupelement{A}$, and it has been excluded that $H'(\encoded{R} | \encoded{A} | \m)$ is set before calling the \sign oracle, so that the random oracle can be programmed to output $\ch$ when calling $H'(\encoded{R} | \encoded{A} | m)$. This ensures that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H'(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without using the private key $s$. Therefore,
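Review bot: the $G_2$ prose keeps the 2^{-\log_2(\cdot)} form in two places while the display below it is now the simplified fraction; update the prose. In the unchanged context lines, $min\{2^{2b}, L\}$ should be $\min\{2^{2b}, L\}$, "If the values of $L$ are less than $2^{2b}$" should be "If $L$ is less than $2^{2b}$", and "he must guess" should be "it must guess", since the adversary is an algorithm. The $G_3$ line mixes $\m$ and $m$ in $H'(\encoded{R} | \encoded{A} | m)$.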
@@ -179,7 +179,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\item This proves theorem \ref{theorem:adv_uf-nma}.
\end{proof}
\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$}
\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{EUF-CMA}_{\text{EdDSA lp}}$}
This section shows that the EUF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks EUF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the EUF-NMA challenger.
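Review bot: in the unchanged paragraph, $H'(\encoded{R^*}|\encoded{A}|m^*)$ writes a bare $m^*$ while the winning condition earlier in the same sentence uses $\m^*$; use the \m macro throughout. The heading change to EUF-CMA is consistent with that paragraph, which explains why only EUF-CMA and not SUF-CMA can be shown under lax parsing.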
@@ -187,7 +187,7 @@ This section shows that the EUF-NMA security of EdDSA implies the EUF-CMA securi
\label{theorem:adv2_uf-nma}
Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Formal Proof}}