Fixed some spelling mistakes, thanks Henrik. again

2023-06-14 16:23:56 +02:00
parent 497a789df3
commit 97e842892c
9 changed files with 28 additions and 28 deletions

View File

@@ -104,7 +104,7 @@ abstract
\section{The Security of EdDSA in a Single-User Setting}
This section takes a closer look at the single-user security of the EdDSA signature scheme. This is done by sowing the SUF-CMA and EUF-CMA security of EdDSA with different styles of signature parsing. The security is under the \sdlog assumption. The \sdlog assumption is a variation of the original discrete logarithm problem, which takes the key clamping during the key generation algorithm of EdDSA into account.
This section takes a closer look at the single-user security of the EdDSA signature scheme. This is done by showing the SUF-CMA and EUF-CMA security of EdDSA with different styles of signature parsing. The security based on the \sdlog assumption. The \sdlog assumption is a variation of the original discrete logarithm problem, which takes the key clamping during the key generation algorithm of EdDSA into account.
The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
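Review bot: the replacement sentence drops its verb: "The security based on the \sdlog assumption." should read "The security is based on the \sdlog assumption." (the old "The security is under the \sdlog assumption." at least parsed). The "sowing" to "showing" fix on the same line is correct.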
@@ -117,7 +117,7 @@ The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$
\begin{theorem}[Security of EdDSA with lax parsing in the single-user setting]
\label{theorem:eddsa_lp_su}
Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
Let $\adversary{A}$ be an adversary against the EUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
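Review bot: changing SUF-CMA to EUF-CMA in the theorem statement for lax parsing is a semantic correction, not a spelling fix; it makes the statement agree with the $\text{EUF-CMA}$ advantage in the bound that follows and with the remark elsewhere in this commit that SUF-CMA security cannot be shown for lax parsing because $S$ has multiple valid encodings. The commit message should mention it so the change is not mistaken for a typo fix.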

View File

@@ -1,10 +1,10 @@
\section{The Ed-GGM}
The following section gives specific bounds on the difficulty of certain variations of the discrete logarithm and one-more discrete logarithm problems introduced in the previous proofs. These proofs are given in the generic group model. In the generic group model, group elements are represented as random bit strings, and the adversary can only perform group operations by invoking an oracle.
The following section gives specific bounds on the difficulty of certain variations of the discrete logarithm and one-more discrete logarithm problems introduced in the previous proofs. These proofs are given in the generic group model. In the generic group model, group elements are represented as random bitstrings, and the adversary can only perform group operations by invoking an oracle.
In order to build a generic group model for twisted Edwards curves, it's essential to examine the group structure. As shown in section \ref{sec:sdlog_imlies_igame}, a twisted Edwards curve can be uniquely decomposed into a collection of cyclic subgroups. The generating set for this twisted Edwards curve is defined as a set of generators for these cyclic subgroups. With a fixed generating set, any point on the twisted Edwards curve can be uniquely expressed as a linear combination of the generators in that set. Consequently, the adversary is given the entire generator set as a description of the twisted Edwards curve. In addition, the adversary has access to a group operation oracle, GOp, which, given two labels and a bit indicating whether the group elements should be added or subtracted, returns the label of the resulting group element.
In order to build a generic group model for twisted Edwards curves, it is essential to examine the group structure. As shown in section \ref{sec:sdlog_imlies_igame}, a twisted Edwards curve can be uniquely decomposed into a collection of cyclic subgroups. The generating set for this twisted Edwards curve is defined as a set of generators for these cyclic subgroups. With a fixed generating set, any point on the twisted Edwards curve can be uniquely expressed as a linear combination of the generators in that set. Consequently, the adversary is given the entire generator set as a description of the twisted Edwards curve. In addition, the adversary has access to a group operation oracle, GOp, which, given two labels and a bit indicating whether the group elements should be added or subtracted, returns the label of the resulting group element.
The labels are bit string of length $\lceil \log_2(L) \rceil$, with $L$ being the order of the group.
The labels are bitstrings of length $\lceil \log_2(L) \rceil$, with $L$ being the order of the group.
\input{sections/edggm/sdlog}
\input{sections/edggm/omdl}

View File

@@ -1,6 +1,6 @@
\subsection{Bounds on \sdlog} \label{sec:sdlog}
This section focuses on establishing a lower bound on the hardness of a modified version of the discrete logarithm problem in the generic group model. This variant is introduced in the definition \ref{def:sdlog} and works similarly to the original discrete logarithm problem, except for the secret scalar generation, which is derived from the key generation algorithm of the EdDSA signature scheme. The following proof is given in the generic group model for twisted Edwards curves.
This section focuses on establishing a lower bound on the hardness of a modified version of the discrete logarithm problem in the generic group model. This variant is introduced in definition \ref{def:sdlog} and works similarly to the original discrete logarithm problem, except for the secret scalar generation, which is derived from the key generation algorithm of the EdDSA signature scheme. The following proof is given in the generic group model for twisted Edwards curves.
\begin{theorem}
\label{theorem:sdlog_ggm}
@@ -185,11 +185,11 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} = \prone{G_0^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification remains undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group element. Each group element still gets the same label assigned. Therefore,
\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification remains undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group elements. Each group element still gets the same label assigned. Therefore,
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_2:$}} In $G_2$, the blue boxes are replaced with the red ones, which involves replacing the discrete logarithm of the prime order subgroup with a polynomial. The polynomial has one indeterminant, denoted by $Z$, which represents the discrete logarithm, in the prime order subgroup, of the challenge. The polynomial that serves as the discrete logarithm of the prime order subgroup is simply $P = Z$. It's important to note that this change is only conceptual since the polynomial is ultimately evaluated at the secret scalar $a$ in the Enc procedure. Hence,
\item \paragraph{\underline{$G_2:$}} In $G_2$, the blue boxes are replaced with the red ones, which involves replacing the discrete logarithm of the prime order subgroup with a polynomial. The polynomial has one indeterminant, denoted by $Z$, which represents the discrete logarithm, in the prime order subgroup, of the challenge. The polynomial that serves as the discrete logarithm of the prime order subgroup is simply $P = Z$. It is important to note that this change is only conceptual since the polynomial is ultimately evaluated at the secret scalar $a$ in the Enc procedure. Hence,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
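Review bot: "indeterminant" in the $G_2$ paragraph survives on both the old and the new line; the standard term for a polynomial variable is "indeterminate". The "group element" to "group elements" fix in $G_1$ is right.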
@@ -201,7 +201,7 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}. \]
For improved readability, $G_4$ is also depicted in \ref{fig:sdlog_games_ggm_2} by including only the black boxes and excluding all others. The subsequent game-hops are also illustrated in the same figure.
For improved readability, $G_4$ is also depicted in figure \ref{fig:sdlog_games_ggm_2} by including only the black boxes and excluding all others. The subsequent game-hops are also illustrated in the same figure.
\item \paragraph{\underline{$G_5:$}} $G_5$ removes the evaluation of the polynomial in the Enc procedure. This alteration is purely conceptual, as the previous abort condition ensured that no two distinct polynomials would yield the same value upon evaluation. Consequently, it is feasible to work directly with the polynomials rather than evaluating them.
@@ -213,7 +213,7 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
$G_6$ aborts $\Rightarrow G_5$ aborts: If $G_6$ were to abort, the set $\pset{P}$ would contain a pair of polynomials that satisfy the abort condition. The distinction between $G_6$ and $G_5$ is that $G_5$ checks for the existence of such a pair immediately after inserting a new polynomial. Consequently, if $G_6$ were to abort, $G_5$ would also abort.
This proofs that this change is only conceptual. Hence,
This proves that this change is only conceptual. Hence,
\[ \prone{G_5^{\adversary{A}}} = \prone{G_6^{\adversary{A}}}. \]
@@ -225,5 +225,5 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
\[ \prone{G_7^{\adversary{A}}} \leq \frac{1}{2^{n-1-c}}. \]
\item This proofs theorem \ref{theorem:sdlog_ggm}.
\item This proves theorem \ref{theorem:sdlog_ggm}.
\end{proof}

View File

@@ -2,7 +2,7 @@
This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition of the proof followed by the detailed security proof.
\paragraph{\underline{Introducing MU-\igame}} This game followed closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $N$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The MU-\igame game is depicted in figure \ref{game:mu-igame}.
\paragraph{\underline{Introducing MU-\igame}} This game follows closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $N$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The MU-\igame game is depicted in figure \ref{game:mu-igame}.
\begin{definition}[MU-\igame]
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$, receiving $N$ public keys as input, we define its advantage in the MU-\igame as following:
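Review bot: "as following:" on the unchanged definition line should read "as follows:"; the same phrase recurs in the \somdl and \igame definitions touched by this commit. "commitment challenge pair" in the changed paragraph reads better hyphenated as "commitment-challenge pair".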

View File

@@ -93,7 +93,7 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. Again, without loss of generality it is assumed that the adversary only queries each public key/message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function, the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. Again, without loss of generality it is assumed that the adversary only queried each public key/message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function, the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
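Review bot: the new wording "only queried each public key/message pair only once" switches to past tense mid-sentence and keeps the doubled "only"; since the sentence is in the present tense ("it is assumed that the adversary ..."), suggest "queries each public key/message pair only once". "Union bound" should also be lowercase ("union bound").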
@@ -142,7 +142,7 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp
To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Again there is only one valid encoded $S$ for each $\groupelement{R}$, $m$, $\groupelement{A_i}$ tuple that satisfies the verification equation. For the signature to be a valid forgery it must not be outputted by the \Osign oracle for this specific $m^*$ and $\groupelement{A_i}$. No new valid signature can be generated from a valid one by just changing the $S$ value. This means that at either $\groupelement{R}$, $m$ or $\groupelement{A_i}$ have to be changed to generate a new valid signature from an already valid signature. Since all these parameters are part of the hash query to generate the challenge the resulting hash value has to be forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Hence,
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Again there is only one valid encoded $S$ for each $\groupelement{R}$, $m$, $\groupelement{A_i}$ tuple that satisfies the verification equation. For the signature to be a valid forgery it must not be outputted by the \Osign oracle for this specific $m^*$ and $\groupelement{A_i}$. No new valid signature can be generated from a valid one by just changing the $S$ value. This means that either $\groupelement{R}$, $m$ or $\groupelement{A_i}$ have to be changed to generate a new valid signature from an already valid signature. Since all these parameters are part of the hash query to generate the challenge the resulting hash value has to be forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Hence,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i} \\
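Review bot: notation on the verification-equation line is inconsistent: $2^c R$ is written bare while $\groupelement{B}$ and $\groupelement{A_i}$ use \groupelement, and the align block directly below writes $\groupelement{R^*}$; suggest $2^c \groupelement{R}$. The "at either ... or" to "either ... or" fix is correct.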
@@ -158,11 +158,11 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp
\subsection{MU-UF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-EUF-CMA}_{\text{EdDSA lp}}$}
This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing using in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-UF-NMA security. Similar to the proof in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. This way the adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. This would result in the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ being programmed by the reduction itself and therefore the signature not being valid for the UF-NMA challenger.
This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing used in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-UF-NMA security. Similar to the proof in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. This way the adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. This would result in the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ being programmed by the reduction itself and therefore the signature not being valid for the UF-NMA challenger.
\begin{theorem}
\label{theorem:adv2_mu-uf-nma}
Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
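Review bot: "used in the random oracle model" does not fix the sentence; it wants "... security of EdDSA with lax parsing in the random oracle model" (drop "using"/"used" altogether). The same paragraph still has "the proof MU-SUF-CMA proof" (one "proof" too many), "The modification to the games are" (number disagreement; "The modifications to the games are") and "starts at showing" ("starts by showing").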
@@ -210,7 +210,7 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur
To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking MU-UF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the MU-UF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the MU-UF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore,
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the MU-UF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}\\
@@ -221,6 +221,6 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur
\item Since the adversary $\adversary{B}$ is the same as in the proof above, its runtime is roughly the same as the runtime of adversary $\adversary{A}$, for the same reason.
\item This proofs theorem \ref{theorem:adv2_mu-uf-nma}.
\item This proves theorem \ref{theorem:adv2_mu-uf-nma}.
\end{proof}

View File

@@ -6,7 +6,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\begin{definition}[\somdl]
\label{def:somdl}
Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$, receiving $N$ challenge group elements, we define its advantage in the \somdl game as following:
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$, receiving $N$ challenge group elements, we define its advantage in the \somdl game as following:
\[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] |. \]
\end{definition}
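Review bot: the absolute value in the advantage definition, $| \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] |$, is redundant since a probability is nonnegative and can be dropped. "as following:" on the changed line should read "as follows:"; the "positive integers" fix is correct.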
@@ -43,7 +43,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason, the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it is again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
\paragraph{\underline{Formal Proof}}
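Review bot: the added comma after "For this reason" is fine, but the clause "the representation of a group element, the adversary has to provide, looks the following:" still reads awkwardly; suggest "the representation the adversary has to provide for a group element looks as follows:". The "it is again possible" fix later in the paragraph is correct.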
@@ -88,7 +88,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box, which sets a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys, due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag being introduced this change does not influence the behavior of the game and is therefore only conceptual.
\item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box, which sets a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys, due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag is introduced this change does not influence the behavior of the game and is therefore only conceptual.
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]

View File

@@ -79,13 +79,13 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
\paragraph{\underline{Formal Proof}}
\begin{proof}
\item The proofs begin by showing that the only valid representation of a group element in the prime order subgroup is the one relative to all known elements in the subgroup and cannot include elements from outside the subgroup. This is followed by a discussion of the individual games-hops.
\item The proofs begin by showing that the only valid representation of a group element in the prime order subgroup is the one relative to all known elements in the subgroup and cannot include elements from outside the subgroup. This is followed by a discussion of the individual game-hops.
\item \paragraph{\underline{AGM}} This proof is done in the algebraic group model. This means that the adversary has to provide a representation along each group element he provides to the reduction. The adversary must provide an element $\groupelement{R}$ which is an element in the prime order subgroup of the twisted Edwards curve. The question remains whether the representation should be defined relative to the prime order subgroup or the twisted Edwards curve. The answer to this question is that it is sufficient to define the representation relative to the prime order subgroup. The reason for this is given in the following paragraph.
The twisted Edwards curve $\curve$ over the finite field $\mathbb{F}_{q}$ is a finite abelian group. Even though the group $\curve$ may not be cyclic, the Fundamental Theorem of Finitely Generated Abelian Groups tells us that every finite abelian group can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. This means that $\curve$ can be written as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Let us recall a well-known theorem of algebra:
\item \begin{theorem}[Characterization of Inner Direct Products \cite{karpfinger_direkte_2021}]
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$. Following statements are equivalent:
Let $N_1, ..., N_n$ be subgroups of a group $\group{G}$. Following statements are equivalent:
\begin{enumerate}[label=(\arabic*)]
\item $N_1, ..., N_n \trianglelefteq \group{G}$ and $\group{G} = N_1 \bigotimes ... \bigotimes N_n$.
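Review bot: "The proofs begin" on the changed line should be "The proof begins" (a single proof is given), and "Following statements are equivalent" on the theorem line wants "The following statements are equivalent". The direct product is written with \bigotimes, which typesets as a tensor product; for a direct product or direct sum of cyclic subgroups \times or \oplus is the conventional symbol, on both the \curve decomposition line and in the theorem. "he provides" for the adversary should be "it provides", matching the rest of the document.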
@@ -148,7 +148,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog, which simulates the view of $\adversary{A}$ in $G_2$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. The \ioracle oracle is simulated perfectly.
Finally, consider $\adversary{A}$'s output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get following equation:
Finally, consider $\adversary{A}$'s output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get the following equation:
\begin{align*}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \\
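Review bot: "We know that one $R^* = 2^c s^*B - 2^c \ch^*A$" has a stray "one"; suggest "We know that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$", which also matches the \groupelement notation used in the align block right below.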

View File

@@ -2,7 +2,7 @@
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in the figure \ref{game:igame}.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is achieved by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in figure \ref{game:igame}.
\begin{definition}[\igame]
For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following:
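Review bot: line 162 is a sentence fragment, "For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following:"; suggest "For an adversary $\adversary{A}$, the advantage of $\adversary{A}$ in the \igame game is defined as follows:". The spelling fix "archived" to "achieved" on line 160 is correct.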


@@ -107,7 +107,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\end{figure}
\begin{proof}
\item The proof begins by providing an algorithm that generates a correctly distributed tuple of commitment, challenge, and response. This algorithm is called \simalg and is shown in the figure \ref{fig:sim}. This procedure is taken from \cite{SP:BCJZ21}. A proof can be found in the same paper. The formula for the min-entropy of the commitment $\groupelement{R}$ is also taken from that paper.
\item The proof begins by providing an algorithm that generates a correctly distributed tuple of commitment, challenge, and response. This algorithm is called \simalg and is shown in figure \ref{fig:sim}. This procedure is taken from \cite{SP:BCJZ21}. A proof can be found in the same paper. The formula for the min-entropy of the commitment $\groupelement{R}$ is also taken from that paper.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one. Clearly $G_0$ is the game $\text{\cma}$ for EdDSA. By definition,
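Review bot: the `\item` commands on lines 170 and 171 sit directly inside `\begin{proof}` with no enclosing list environment visible in this hunk; unless the proof is wrapped in an `itemize`/`enumerate` elsewhere, LaTeX will reject this with "Lonely \item--perhaps a missing list environment". Either drop the `\item` prefixes (the `\paragraph` on line 171 already provides the structure) or add the list environment.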
@@ -164,9 +164,9 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\label{fig:adversarybuf-nma}
\end{figure}
To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{UF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger.
To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{UF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure \ref{fig:adversarybuf-nma}, is run in the $\text{UF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger.
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by the $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value has not been set by $\adversary{B}$ and therefore must have passed from the UF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value has not been set by $\adversary{B}$ and therefore must have been passed from the UF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\
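Review bot: the notation on line 178 is inconsistent with the equation it argues about. The forgery is $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$, but the text then reasons about $S$, $R$ and $\m$ without stars, and switches between `\m^*` and plain `m^*` inside the hash input `H'(\encoded{R^*}|\encoded{A}|m^*)`; pick one of `\m`/`m` and carry the stars through ("$0 \leq S^* < L$", "for every pair $(R^*, \m^*)$ there is only one valid $S^*$"). Also "the result of this hash query is passed from the $H$ hash oracle" reads better as "is obtained from the $H$ hash oracle", matching the "must have been passed from the UF-NMA challenger" fix made in the same line.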