Fixed some spelling mistakes, thanks Henrik. Again.
@@ -79,13 +79,13 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
\paragraph{\underline{Formal Proof}}
\begin{proof}
\item The proofs begin by showing that the only valid representation of a group element in the prime order subgroup is the one relative to all known elements in the subgroup and cannot include elements from outside the subgroup. This is followed by a discussion of the individual games-hops.
\item The proofs begin by showing that the only valid representation of a group element in the prime order subgroup is the one relative to all known elements in the subgroup and cannot include elements from outside the subgroup. This is followed by a discussion of the individual game-hops.
\item \paragraph{\underline{AGM}} This proof is done in the algebraic group model. This means that the adversary has to provide a representation along each group element he provides to the reduction. The adversary must provide an element $\groupelement{R}$ which is an element in the prime order subgroup of the twisted Edwards curve. The question remains whether the representation should be defined relative to the prime order subgroup or the twisted Edwards curve. The answer to this question is that it is sufficient to define the representation relative to the prime order subgroup. The reason for this is given in the following paragraph.
The twisted Edwards curve $\curve$ over the finite field $\mathbb{F}_{q}$ is a finite abelian group. Even though the group $\curve$ may not be cyclic, the Fundamental Theorem of Finitely Generated Abelian Groups tells us that every finite abelian group can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. This means that $\curve$ can be written as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Let us recall a well-known theorem of algebra:
\item \begin{theorem}[Characterization of Inner Direct Products \cite{karpfinger_direkte_2021}]
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$. Following statements are equivalent:
Let $N_1, ..., N_n$ be subgroups of a group $\group{G}$. Following statements are equivalent:
\begin{enumerate}[label=(\arabic*)]
\item $N_1, ..., N_n \trianglelefteq \group{G}$ and $\group{G} = N_1 \bigotimes ... \bigotimes N_n$.
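Review bot: the direct-product notation in the context lines around the theorem is wrong: `\bigotimes` is the tensor-product symbol, so `$\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$` and `$\group{G} = N_1 \bigotimes ... \bigotimes N_n$` should use `\times` (or `\oplus`, since the groups are abelian), with `\cdots` rather than `...` between the operators. Two smaller points in the changed lines: "The proofs begin" describes a single proof and should read "The proof begins", and "Following statements are equivalent" needs its article, "The following statements are equivalent". Finally, the Fundamental Theorem gives a decomposition that is unique only up to isomorphism (the orders of the cyclic factors are determined, the subgroups themselves are not; $\mathbb{Z}_2 \times \mathbb{Z}_2$ has three different decompositions into two cyclic subgroups), so "uniquely decomposed into the direct product of cyclic subgroups" should be qualified accordingly.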
@@ -148,7 +148,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog, which simulates the view of $\adversary{A}$ in $G_2$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. The \ioracle oracle is simulated perfectly.
Finally, consider $\adversary{A}$'s output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get following equation:
Finally, consider $\adversary{A}$'s output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get the following equation:
\begin{align*}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \\
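Review bot: the changed line still carries a stray word: "We know that one $R^* = 2^c s^*B - 2^c \ch^*A$" should read "We know that $R^* = 2^c s^*B - 2^c \ch^*A$". The same sentence writes the group elements bare ($R^*$, $B$, $A$) while the display directly below uses `\groupelement{B}` and `\groupelement{A}`; use one form in both places. Also, `figure \ref{fig:adversarybsdlog}` should be `figure~\ref{fig:adversarybsdlog}` so the number cannot be separated from the word at a line break.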
@@ -2,7 +2,7 @@
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in the figure \ref{game:igame}.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is achieved by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in figure \ref{game:igame}.
\begin{definition}[\igame]
For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following:
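Review bot: the definition text below the changed line is a sentence fragment: "For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following:" should be "For an adversary $\adversary{A}$, the advantage of $\adversary{A}$ in the \igame game is defined as follows:". In the first context line, "an intuition of the proof" reads better as "an intuitive overview of the proof". The changed line should also use `figure~\ref{game:igame}` with a non-breaking space, as elsewhere.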
@@ -107,7 +107,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\end{figure}
\begin{proof}
\item The proof begins by providing an algorithm that generates a correctly distributed tuple of commitment, challenge, and response. This algorithm is called \simalg and is shown in the figure \ref{fig:sim}. This procedure is taken from \cite{SP:BCJZ21}. A proof can be found in the same paper. The formula for the min-entropy of the commitment $\groupelement{R}$ is also taken from that paper.
\item The proof begins by providing an algorithm that generates a correctly distributed tuple of commitment, challenge, and response. This algorithm is called \simalg and is shown in figure \ref{fig:sim}. This procedure is taken from \cite{SP:BCJZ21}. A proof can be found in the same paper. The formula for the min-entropy of the commitment $\groupelement{R}$ is also taken from that paper.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one. Clearly $G_0$ is the game $\text{\cma}$ for EdDSA. By definition,
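Review bot: in the changed line, "A proof can be found in the same paper." leaves unclear what is being proved; say "A proof that \simalg outputs correctly distributed tuples can be found in the same paper." The `figure~\ref` non-breaking space point from the earlier hunks applies here to `\ref{fig:sim}` and, in the $G_0$ paragraph, to `\ref{fig:uf-nma_implies_suf-cma_games}`.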
@@ -164,9 +164,9 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\label{fig:adversarybuf-nma}
\end{figure}
To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{UF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger.
To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{UF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure \ref{fig:adversarybuf-nma}, is run in the $\text{UF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger.
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by the $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value has not been set by $\adversary{B}$ and therefore must have passed from the UF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value has not been set by $\adversary{B}$ and therefore must have been passed from the UF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\
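Review bot: the message is written two ways in the changed line: the forgery is `(\m^*, \signature^* \assign (\encoded{R^*}, S^*))` but the hash input is `\encoded{R^*}|\encoded{A}|m^*`, and the prose says "for every $R$, $\m$ pair" and then "$R$ or $m$ must also be changed"; use `\m^*` and `\m` throughout so the macro and the plain letter do not denote the same object (the `align*` block below the line repeats the `m^*` form). Also, the hunk opens with "The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger" and closes by concluding $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$; that equality rests on how $H'$ answers, so it would help to restate at this point that $H'$ is the oracle $\adversary{B}$ exposes to $\adversary{A}$, which returns the entries $\adversary{B}$ programmed for its simulated signatures and otherwise forwards to $H$, before the argument that the forgery's hash value was never programmed by $\adversary{B}$.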