Fixed some spelling mistakes, thanks Henrik. Again.

2023-06-14 16:23:56 +02:00
parent 497a789df3
commit 97e842892c
9 changed files with 28 additions and 28 deletions


@@ -1,6 +1,6 @@
\subsection{Bounds on \sdlog} \label{sec:sdlog}
This section focuses on establishing a lower bound on the hardness of a modified version of the discrete logarithm problem in the generic group model. This variant is introduced in the definition \ref{def:sdlog} and works similarly to the original discrete logarithm problem, except for the secret scalar generation, which is derived from the key generation algorithm of the EdDSA signature scheme. The following proof is given in the generic group model for twisted Edwards curves.
This section focuses on establishing a lower bound on the hardness of a modified version of the discrete logarithm problem in the generic group model. This variant is introduced in definition \ref{def:sdlog} and works similarly to the original discrete logarithm problem, except for the secret scalar generation, which is derived from the key generation algorithm of the EdDSA signature scheme. The following proof is given in the generic group model for twisted Edwards curves.
\begin{theorem}
\label{theorem:sdlog_ggm}
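Review bot: the reference wording in the changed line still breaks across lines awkwardly and is inconsistent with how theorem-like objects are usually cited; consider `Definition~\ref{def:sdlog}` (capitalised, with a non-breaking space) so "definition" and its number cannot be separated by a line break, and apply the same form to `theorem \ref{theorem:sdlog_ggm}` wherever it occurs.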
@@ -185,11 +185,11 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} = \prone{G_0^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification remains undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group element. Each group element still gets the same label assigned. Therefore,
\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification remains undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group elements. Each group element still gets the same label assigned. Therefore,
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_2:$}} In $G_2$, the blue boxes are replaced with the red ones, which involves replacing the discrete logarithm of the prime order subgroup with a polynomial. The polynomial has one indeterminant, denoted by $Z$, which represents the discrete logarithm, in the prime order subgroup, of the challenge. The polynomial that serves as the discrete logarithm of the prime order subgroup is simply $P = Z$. It's important to note that this change is only conceptual since the polynomial is ultimately evaluated at the secret scalar $a$ in the Enc procedure. Hence,
\item \paragraph{\underline{$G_2:$}} In $G_2$, the blue boxes are replaced with the red ones, which involves replacing the discrete logarithm of the prime order subgroup with a polynomial. The polynomial has one indeterminant, denoted by $Z$, which represents the discrete logarithm, in the prime order subgroup, of the challenge. The polynomial that serves as the discrete logarithm of the prime order subgroup is simply $P = Z$. It is important to note that this change is only conceptual since the polynomial is ultimately evaluated at the secret scalar $a$ in the Enc procedure. Hence,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
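Review bot: "indeterminant" in the $G_2$ paragraph is still misspelled in both the old and the new line; the mathematical term is "indeterminate" ("The polynomial has one indeterminate, denoted by $Z$"). Worth fixing in this same spelling pass. The "group element" to "group elements" and "It's" to "It is" changes look good.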
@@ -201,7 +201,7 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}. \]
For improved readability, $G_4$ is also depicted in \ref{fig:sdlog_games_ggm_2} by including only the black boxes and excluding all others. The subsequent game-hops are also illustrated in the same figure.
For improved readability, $G_4$ is also depicted in figure \ref{fig:sdlog_games_ggm_2} by including only the black boxes and excluding all others. The subsequent game-hops are also illustrated in the same figure.
\item \paragraph{\underline{$G_5:$}} $G_5$ removes the evaluation of the polynomial in the Enc procedure. This alteration is purely conceptual, as the previous abort condition ensured that no two distinct polynomials would yield the same value upon evaluation. Consequently, it is feasible to work directly with the polynomials rather than evaluating them.
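Review bot: "in figure \ref{fig:sdlog_games_ggm_2}" fixes the bare reference, but should be `Figure~\ref{fig:sdlog_games_ggm_2}` (capitalised, non-breaking space) to match standard usage and to avoid a line break between the word and its number; the same applies to any other "figure \ref" in the chapter. "game-hops" is also hyphenated here while the rest of the document presumably writes "game hops"; pick one form.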
@@ -213,7 +213,7 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
$G_6$ aborts $\Rightarrow G_5$ aborts: If $G_6$ were to abort, the set $\pset{P}$ would contain a pair of polynomials that satisfy the abort condition. The distinction between $G_6$ and $G_5$ is that $G_5$ checks for the existence of such a pair immediately after inserting a new polynomial. Consequently, if $G_6$ were to abort, $G_5$ would also abort.
This proofs that this change is only conceptual. Hence,
This proves that this change is only conceptual. Hence,
\[ \prone{G_5^{\adversary{A}}} = \prone{G_6^{\adversary{A}}}. \]
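Review bot: "This proves that this change is only conceptual" is correct now, but the subject is vague after the two-direction argument above it; suggest "This shows that the change from $G_5$ to $G_6$ is only conceptual" so the reader does not have to look back to find which change is meant.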
@@ -225,5 +225,5 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
\[ \prone{G_7^{\adversary{A}}} \leq \frac{1}{2^{n-1-c}}. \]
\item This proofs theorem \ref{theorem:sdlog_ggm}.
\item This proves theorem \ref{theorem:sdlog_ggm}.
\end{proof}
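Review bot: "theorem \ref{theorem:sdlog_ggm}" in the new line should be `Theorem~\ref{theorem:sdlog_ggm}` for the same reason as the figure and definition references in the other hunks of this commit; since this is a spelling-and-wording pass anyway, normalising all three reference styles here would keep the chapter consistent.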