rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Small fix in OMDL GGM proof

Browse Source
This commit is contained in:
Aaron Kaiser
2023-05-31 13:14:22 +02:00
parent cd19dbb4aa
commit 9ba0bc2ef3
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
thesis/sections/edggm/omdl.tex
View File

@@ -4,7 +4,7 @@ This section provides a lower bound on the hardness of the modified version of t
\begin{theorem} \begin{theorem}
\label{theorem:somdl_ggm} \label{theorem:somdl_ggm}
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ wit a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations. Then, Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ wit a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations queries. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\oraclequeries + N + 2)^2 + 1}{2^{n-1-c}}. \] \[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\oraclequeries + N + 2)^2 + 1}{2^{n-1-c}}. \]
\end{theorem} \end{theorem}
@@ -244,7 +244,7 @@ This section provides a lower bound on the hardness of the modified version of t
\item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. This change is only conceptual, since the discrete logarithms are not used prior to being chosen. Therefore, \item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. This change is only conceptual, since the discrete logarithms are not used prior to being chosen. Therefore,
\[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \] \[ \prone{G_7^{\adversary{A}}} = \prone{G_8^{\adversary{A}}}. \]
\item Since at least one discrete logarithm is chosen after the adversary provided its solution, its best chance is to guess it. Therefore, the probability of the adversary of winning $G_7$ is upper bounded by the probability of it guessing that discrete logarithm. Hence, \item Since at least one discrete logarithm is chosen after the adversary provided its solution, its best chance is to guess it. Therefore, the probability of the adversary of winning $G_7$ is upper bounded by the probability of it guessing that discrete logarithm. Hence,