From 9ba0bc2ef389e02c31e6b67f2fd6af02f75f245b Mon Sep 17 00:00:00 2001 From: Aaron Kaiser Date: Wed, 31 May 2023 13:14:22 +0200 Subject: [PATCH] Small fix in OMDL GGM proof --- thesis/sections/edggm/omdl.tex | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/thesis/sections/edggm/omdl.tex b/thesis/sections/edggm/omdl.tex index 6f28432..ab7be0c 100644 --- a/thesis/sections/edggm/omdl.tex +++ b/thesis/sections/edggm/omdl.tex @@ -4,7 +4,7 @@ This section provides a lower bound on the hardness of the modified version of t \begin{theorem} \label{theorem:somdl_ggm} - Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ wit a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations. Then, + Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ wit a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations queries. Then, \[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\oraclequeries + N + 2)^2 + 1}{2^{n-1-c}}. \] \end{theorem} 
@@ -244,7 +244,7 @@ This section provides a lower bound on the hardness of the modified version of t \item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. This change is only conceptual, since the discrete logarithms are not used prior to being chosen. Therefore, - \[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \] + \[ \prone{G_7^{\adversary{A}}} = \prone{G_8^{\adversary{A}}}. \] \item Since at least one discrete logarithm is chosen after the adversary provided its solution, its best chance is to guess it. Therefore, the probability of the adversary of winning $G_7$ is upper bounded by the probability of it guessing that discrete logarithm. Hence,
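Review bot: In the first hunk (statement of theorem:somdl_ggm), the added line now reads "making at most $\oraclequeries$ group operations queries", which is ungrammatical; "group operation queries" would read correctly. The same line still carries the typo "wit a cofactor" ("with"). The bound also uses $N$ while the statement introduces only $n$ and $c$, so $N$ needs a definition in the theorem or a pointer to where it is defined.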
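Review bot: In the second hunk, the unchanged \item following the corrected equation still bounds "the probability of the adversary of winning $G_7$", but the guessing argument relies on the discrete logarithms being chosen only right before use, which is the property the text introduces in $G_8$. That sentence should refer to $G_8$ so the final bound is stated for the last game in the chain. The corrected equality between $G_7$ and $G_8$ is consistent with the hop described above it.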