Overhauled single-user proofs
@@ -1,16 +1,16 @@
\subsection{\igame $\overset{\text{ROM}}{\Rightarrow}$ UF-NMA}
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing introducing an intermediate game \igame followed by an intuition of the proof and the detailed security proof.
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle by the \ioracle oracle, which takes a commitment and outputs a challenge. This also strips away the message and focuses on the forgery of an arbitrary message. The \igame game is depicted in figure \ref{game:igame}.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in the figure \ref{game:igame}.
\begin{definition}[\igame]
For an adversary $\adversary{A}$ we define its advantage in the \igame game as following:
For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following:
\[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] |. \]
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] |. \]
\end{definition}
\begin{figure}
\begin{figure}[h]
\hrule
\begin{multicols}{2}
\large
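Review bot: the typo "archived" in the rewritten paragraph (`This is archived by replacing the random oracle with the \ioracle oracle`) should be "achieved"; the rewrite changed the surrounding words but kept the typo. In the definition, the new wording `For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following:` is a sentence fragment and "as following" is not idiomatic; suggest `For an adversary $\adversary{A}$, the advantage of $\adversary{A}$ in the \igame game is defined as follows:`. Minor points: `shown in the figure \ref{game:igame}` reads better as `shown in Figure~\ref{game:igame}` (non-breaking space before the reference); `\begin{figure}[h]` on its own is usually promoted to `[ht]` by LaTeX with a warning, so `[htbp]` (or `[H]` with the float package) states the intent; and the absolute value in `| \Pr[\igame^{\adversary{A}} \Rightarrow 1] |` is redundant around a single probability, though harmless.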
@@ -38,14 +38,14 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\label{theorem:adv_igame}
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,
\[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{\igame}}(\secparamter). \]
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \]
\end{theorem}
\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
\paragraph{\underline{Proof Overview}} The adversary must query the random oracle to obtain the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle into the answer from the random oracle. In this way, a valid signature forgery also provides a valid solution to the \igame game.
\paragraph{\underline{Formal Proof}}
\begin{figure}
\begin{figure}[h]
\hrule
\begin{multicols}{2}
\large
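Review bot: the theorem statement uses $\adversary{B}$ on the right-hand side of the new equation without ever quantifying it; since `Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,` is the only hypothesis, the statement should read along the lines of `Then there exists an adversary $\adversary{B}$ against \igame, running in about the same time as $\adversary{A}$, such that` before the displayed equality, so that the reader knows what the right-hand side refers to. In the proof overview, `the challenge from the \ioracle into the answer` drops the word "oracle" that every other occurrence in this file uses (`the \ioracle oracle`); keep the phrasing consistent. The `[h]` placement remark from the first hunk applies to this figure as well.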
@@ -71,9 +71,11 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}$. By definition,
\item This proof does not require any game hop, since the random oracle can be simulated using the \ioracle oracle.
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma}. Clearly, $G_0$ is $\text{UF-NMA}$. By definition,
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
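Review bot: `\item` appears directly inside `\begin{proof}` (`\item This proof does not require any game hop, ...` and `\item \paragraph{\underline{$G_0:$}} ...`); unless the `proof` environment has been redefined as a list in the preamble, LaTeX stops with `Lonely \item--perhaps a missing list environment`, so either wrap the steps in `\begin{itemize}` or drop the `\item` prefixes and keep only the `\paragraph` headings. Logically, the new sentence stating that no game hop is needed makes the detour through $G_0$ redundant: with $\text{UF-NMA} = G_0$ by definition and $G_0$ then reduced to \igame, the proof can go directly from $\adversary{A}$ to $\adversary{B}$, which would shorten it. The change from `\advantage{\text{EdDSA}, \adversary{A}}` to `\advantage{\group{G}, \adversary{A}}` matches the updated theorem statement; confirm that the UF-NMA definition elsewhere in the document uses the same subscript.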
@@ -81,7 +83,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \label{eq:adv_igame}
\end{align}
\begin{figure}
\begin{figure}[h]
\hrule
\vspace{1mm}
\begin{multicols}{2}
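Review bot: the only change in this hunk is `\begin{figure}` to `\begin{figure}[h]`; as for the other figures in this file, `[h]` alone is usually promoted to `[ht]` with a warning, so `[htbp]` expresses the intent without the warning. The context line `\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \label{eq:adv_igame}` is a single equation closed by `\end{align}`; `equation` would do the same job without an unused alignment point, and it already uses the `\group{G}` subscript introduced elsewhere in this commit, so the notation is consistent here.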
@@ -107,7 +109,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\label{fig:adversary_igame}
\end{figure}
\item To proof (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulated perfectly.
\item To prove (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates the view of $\adversary{A}$ in $G_0$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game, and the adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is perfectly simulated because the \ioracle oracle also outputs a uniformly random 2b-bit bitstring. For this reason, $H$ returns a uniformly random 2b-bit bitstring for all queries, as expected.
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that:
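Review bot: the new justification for `$H$ is perfectly simulated` covers only the output distribution (uniform 2b-bit strings) and should also cover consistency: a random oracle returns the same value on repeated queries, so $\adversary{B}$ must record its answers and call the \ioracle oracle at most once per distinct commitment, answering repeats from the table; if the adversary in Figure \ref{fig:adversary_igame} already does this, say so in the text, since "for all queries, as expected" is the claim the whole reduction rests on. It also silently assumes that the \ioracle challenge has exactly the distribution $H$ has in the signature scheme; if the scheme reduces $H$'s output modulo the group order before use, state that the \igame verification applies the same reduction. Typographically, write `$2b$-bit` rather than `2b-bit`, and `Figure~\ref{fig:adversary_igame}` with a non-breaking space.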
@@ -118,7 +120,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\Leftrightarrow \groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}
\end{align*}
Therefore $S$ is a valid solution for the \igame game.
Therefore, $S$ is a valid solution for the \igame game.
\item The runtime of adversary $\adversary{B}$ is clearly ppt, since it just outputs the solution of adversary $\adversary{A}$, and in the random oracle it either calls the \ioracle oracle or samples a value uniformly at random.
\item This proves theorem \ref{theorem:adv_igame}.
\end{proof}
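Review bot: the added runtime sentence `The runtime of adversary $\adversary{B}$ is clearly ppt, since it just outputs the solution of adversary $\adversary{A}$` understates what $\adversary{B}$ does; its own second half notes that $\adversary{B}$ also answers every random-oracle query, so the honest statement is that $\adversary{B}$ runs in time about $t_{\adversary{A}}$ plus a constant amount of work per oracle query, which makes the tightness of the reduction explicit instead of a bare "ppt". Before `Therefore, $S$ is a valid solution for the \igame game.`, the derivation ends in the cofactored check `\groupelement{R}' = 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}`, so the \igame winning condition must be the cofactored equation as well; one sentence confirming that the two conditions coincide (and that $S$ is in the range \igame accepts) would close the argument. Minor: `theorem \ref{theorem:adv_igame}` should be `Theorem~\ref{theorem:adv_igame}`.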