rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed some spelling mistakes, thanks Henrik. again

Browse Source
This commit is contained in:
Aaron Kaiser
2023-06-14 16:23:56 +02:00
parent 497a789df3
commit 97e842892c
9 changed files with 28 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex
View File

@@ -79,13 +79,13 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
\paragraph{\underline{Formal Proof}}
\begin{proof}
\item The proofs begin by showing that the only valid representation of a group element in the prime order subgroup is the one relative to all known elements in the subgroup and cannot include elements from outside the subgroup. This is followed by a discussion of the individual games-hops.
\item The proofs begin by showing that the only valid representation of a group element in the prime order subgroup is the one relative to all known elements in the subgroup and cannot include elements from outside the subgroup. This is followed by a discussion of the individual game-hops.
\item \paragraph{\underline{AGM}} This proof is done in the algebraic group model. This means that the adversary has to provide a representation along each group element he provides to the reduction. The adversary must provide an element $\groupelement{R}$ which is an element in the prime order subgroup of the twisted Edwards curve. The question remains whether the representation should be defined relative to the prime order subgroup or the twisted Edwards curve. The answer to this question is that it is sufficient to define the representation relative to the prime order subgroup. The reason for this is given in the following paragraph.
The twisted Edwards curve $\curve$ over the finite field $\mathbb{F}_{q}$ is a finite abelian group. Even though the group $\curve$ may not be cyclic, the Fundamental Theorem of Finitely Generated Abelian Groups tells us that every finite abelian group can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. This means that $\curve$ can be written as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Let us recall a well-known theorem of algebra:
\item \begin{theorem}[Characterization of Inner Direct Products \cite{karpfinger_direkte_2021}]
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$. Following statements are equivalent:
Let $N_1, ..., N_n$ be subgroups of a group $\group{G}$. Following statements are equivalent:
\begin{enumerate}[label=(\arabic*)]
\item $N_1, ..., N_n \trianglelefteq \group{G}$ and $\group{G} = N_1 \bigotimes ... \bigotimes N_n$.
@@ -148,7 +148,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog, which simulates the view of $\adversary{A}$ in $G_2$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. The \ioracle oracle is simulated perfectly.
Finally, consider $\adversary{A}$'s output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get following equation:
Finally, consider $\adversary{A}$'s output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get the following equation:
\begin{align*}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \\