simplified equations
@@ -35,7 +35,7 @@ The \sdlog game is a variant of the discrete logarithm game that represents the
|
||||
\label{theorem:advgamez}
|
||||
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
|
||||
|
||||
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) + \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) + \frac{\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}}
|
||||
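Review bot: In the rewritten bound of theorem \ref{theorem:advgamez}, the statement as visible introduces $L$ and $\oraclequeries$ but never $b$. With the $-\log_2(\cdot)$ exponent gone, it also no longer shows that the extra term is $\oraclequeries$ times $2^{-H_\infty}$ of the challenge. The rewrite itself is sound, since $2^{-\log_2 x} = 1/x$. I would add a half sentence after the display saying that $\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}$ is the largest probability of any single value of $\ch_i \bmod L$ when $\ch_i$ is drawn from $\{0,1\}^{2b}$, so the theorem can be read without the proof.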
@@ -109,7 +109,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} The game $G_2$ is aborted if the bad flag is set. For each individual \ioracle query, the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $\ch_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and thus the value of $r_2$. This way the adversary has no way to choose $\ch_i$ after $r_2$ and therefore cannot influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the if condition check. By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
|
||||
|
||||
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
|
||||
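Review bot: The $G_2$ item is now inconsistent with its own display: only the displayed inequality was rewritten, while the running text still states the per-query bound as $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$ and the union bound as $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\ldots)}}$. Please rewrite these two inline fractions to $\frac{\lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}$ and $\frac{\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}$ so the sentence leading into the display matches it. The sentence that names $-\log_2(\ldots)$ as the min-entropy of $\ch_i \pmod L$ can stay, since it is what links the two forms.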
@@ -6,7 +6,7 @@ This section shows that the EUF-NMA security of EdDSA implies the \cma security
|
||||
\label{theorem:adv_uf-nma}
|
||||
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
|
||||
|
||||
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} The EUF-NMA security definition is close to the \cma security definition, but lacks the \Osign oracle. To show that EUF-NMA security implies \cma security, the reduction must simulate the \Osign oracle without knowledge of the private key.
|
||||
@@ -118,7 +118,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ also contains the abort statement in the red box. The abort condition is triggered when the $bad$ flag is set. Without loss of generality, it is assumed that the adversary queries the \sign oracle only once for each message, since the signature generated is deterministic and an adversary would not gain more information by multiple queries on the same message. For each individual signature query, the probability of the $bad$ flag being set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter of the hash function that is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition, he must guess the commitment $\groupelement{R}$ used during one of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min-entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied by the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction modulo $L$ there are $min\{2^{2b}, L\}$ possible values for $r'$. If the values of $L$ are less than $2^{2b}$ (which is the case in most instances of EdDSA), then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information, the min entropy of $\groupelement{R}$ must be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle with the \sign oracle in the green box. Now the signature is not generated by using the secret key, but by using the \simalg procedure and manually setting the result of the hash function call. This change is conceptual only. \simalg returns a correctly distributed tuple $(R, \ch, S)$, with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \ch \groupelement{A}$, and it has been excluded that $H'(\encoded{R} | \encoded{A} | \m)$ is set before calling the \sign oracle, so that the random oracle can be programmed to output $\ch$ when calling $H'(\encoded{R} | \encoded{A} | m)$. This ensures that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H'(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without using the private key $s$. Therefore,
|
||||
|
||||
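Review bot: Now that the bound in the $G_2$ display is written directly as a count over $2^{2b}$, the numerator $\lceil \frac{2^{2b} - 1}{L} \rceil$ should be checked against the sampling described in the same item. $r'$ is uniform on $\{0,1\}^{2b}$, that is the integers $0,\ldots,2^{2b}-1$, so the most frequent residue modulo $L$ occurs $\lfloor \frac{2^{2b} - 1}{L} \rfloor + 1$ times. The ceiling expression equals this except when $L$ divides $2^{2b} - 1$, where it is one too small. Either write the numerator as $\lfloor \frac{2^{2b} - 1}{L} \rfloor + 1$ or state that $L \nmid 2^{2b} - 1$ is assumed. As in the earlier $G_2$ hunk, the inline fractions in this item (the per-query bound and the union bound) still use the $2^{-\log_2(\ldots)}$ form and should be updated together with the display.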
@@ -179,7 +179,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
|
||||
\item This proves theorem \ref{theorem:adv_uf-nma}.
|
||||
\end{proof}
|
||||
|
||||
\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$}
|
||||
\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{EUF-CMA}_{\text{EdDSA lp}}$}
|
||||
|
||||
This section shows that the EUF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks EUF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the EUF-NMA challenger.
|
||||
|
||||
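Review bot: The subsection title change from $\text{SUF-CMA}_{\text{EdDSA lp}}$ to $\text{EUF-CMA}_{\text{EdDSA lp}}$ is a correction of the claimed security notion, not an equation simplification, so the commit message "simplified equations" does not cover it. The new title agrees with the paragraph below it, which argues that SUF-CMA cannot be proved under lax parsing, so the fix looks right. I would either put it in its own commit or mention it in the message. Also check that no table-of-contents entry, cross-reference or introduction text elsewhere still announces an SUF-CMA result for the lax-parsing variant.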
@@ -187,7 +187,7 @@ This section shows that the EUF-NMA security of EdDSA implies the EUF-CMA securi
|
||||
\label{theorem:adv2_uf-nma}
|
||||
Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
|
||||
|
||||
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
||||
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Formal Proof}}
|
||||
|
||||