simplified equations

2023-07-12 22:11:02 +02:00
parent a75f324d8f
commit 8d6f37310c
10 changed files with 48 additions and 48 deletions


@@ -7,7 +7,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\begin{definition}[MU-\igame]
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$, receiving $N$ public keys as input, we define its advantage in the MU-\igame as following:
\[ \advantage{\adversary{A}}{\text{MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \]
\[ \advantage{\adversary{A}}{\text{$N$-MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \]
\end{definition}
\begin{figure}[h]
@@ -15,7 +15,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\vspace{1mm}
\large
\begin{algorithmic}
\Statex \underline{\game \igame}
\Statex \underline{\game $N$-MU-\igame}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
@@ -30,7 +30,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\State \Return $\ch_i$
\end{algorithmic}
\hrule
\caption{MU-\igame}
\caption{$N$-MU-\igame}
\label{game:mu-igame}
\end{figure}
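Review bot: The renamed advantage in the definition still takes its probability over `\text{MU-\igame}^{\adversary{A}}`, and the environment title is still `\begin{definition}[MU-\igame]`, so the definition now names the game two different ways (taking the second line of each printed pair as the new side). Both should follow the rename, i.e. `\Pr[\text{$N$-MU-\igame}^{\adversary{A}} \Rightarrow 1]` and `\begin{definition}[$N$-MU-\igame]`, matching the game header and caption changed in the same file. The theorem in the \somdl file still writes the advantage as `\text{MU-\igame}`, so the reduction statement and this definition no longer share a name unless that is updated as well. The figure body is only partly visible across the hunks.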


@@ -6,7 +6,7 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im
\label{theorem:adv_mu-uf-nma}
Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the absence of the \Osign oracle in MU-EUF-NMA. For this reason, the reduction must simulate the \Osign oracle without the knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure, introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}.
@@ -95,7 +95,7 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im
\item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. Again, without loss of generality it is assumed that the adversary only queried each public key/message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function, the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item \paragraph{\underline{$G_3:$}} In $G_3$ the \Osign oracle is replaced by the \Osign oracle in the green box. Instead of calculating the response using the secret key, the \simalg algorithm is used to generate a tuple of commitment, challenge, and response. Then the random oracle is programmed to output the specific challenge given $\encoded{R} | \encoded{A_j} | \m$ as an input. This change is only conceptual, since \simalg outputs a correctly distributed set and it was ruled out in earlier games that the random oracle was previously queries with this input. Hence,
@@ -164,7 +164,7 @@ This section shows that MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA secu
\label{theorem:adv2_mu-uf-nma}
Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Formal Proof}}
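Review bot: The $G_2$ item still gives the per-query probability and the union bound inline with the old `2^{-\log_2(\dots)}` denominator, while the display directly below it and both theorem statements now use the simplified fraction. The two forms are equal, but the reader has to redo that step to connect the prose to the display; the inline bounds should read `\frac{\hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}` and `\frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}`. The $G_2$ item in the \somdl file has the same leftover, and there the old denominator is also described as the min-entropy of `\ch`, which appears to be the exponent rather than the power of two and would need rewording once the expression is replaced. The proof items continue outside the hunks shown.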


@@ -40,7 +40,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\label{theorem:adv_omdl'}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, receiving $N$ public keys and making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason, the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it is again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
@@ -94,7 +94,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort is triggered if the bad flag is set to true. For each individual \ioracle oracle query the bad flag is set with a probability of $\frac{N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. With $2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}$ being the min-entropy of $\ch$ and $N$ being the number of $r_i$ with which the equation $2^c \ch \equiv - r_i \pmod L$ could evaluate to true. By the Union bound over all $\oraclequeries$ oracle quries we obtain $\Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying