rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Changed oracle queries to hash queries in EdDSA' proof

Browse Source
This commit is contained in:
Aaron Kaiser
2023-03-28 14:32:14 +02:00
parent c5bdf84b77
commit 90346155a5
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
thesis/sections/eddsa.tex
View File

@@ -136,7 +136,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
TODO. Then TODO. Then
%TODO: richtigre Richtung? %TODO: richtigre Richtung?
\[ \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\oraclequeries}{2^b} \] \[ \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\hashqueries}{2^b} \]
\end{theorem} \end{theorem}
\paragraph{\underline{Proof Overview}} \paragraph{\underline{Proof Overview}}
@@ -220,13 +220,13 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \]. \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad_1] \leq \frac{\oraclequeries}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have \item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_1] \leq \frac{\hashqueries}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\oraclequeries}{2^b} \]. \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\hashqueries}{2^b} \].
\item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad_2] \leq \frac{\oraclequeries}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have \item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_2] \leq \frac{\hashqueries}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\oraclequeries}{2^b} \]. \[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b} \].
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue filled boxes with the orange boxes. With this change the \cma game parameterized with the EdDSA' game is obtained. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefor an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence, \item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue filled boxes with the orange boxes. With this change the \cma game parameterized with the EdDSA' game is obtained. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefor an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,