rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Overhauled single-user proofs

Browse Source
This commit is contained in:
Aaron Kaiser
2023-05-25 18:18:44 +02:00
parent 24bb0784aa
commit a4a04dda4d
3 changed files with 39 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex
View File

@@ -4,7 +4,7 @@ This section shows that the UF-NMA security of EdDSA implies the \cma security o
\begin{theorem}
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
@@ -111,7 +111,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one. Clearly $G_0$ is the game $\text{\cma}$ for EdDSA. By definition,
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\[ \advantage{\group{G},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore,
@@ -196,7 +196,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
\begin{proof}
\item
\begin{align}
\prone{G_3^{\adversary{A}}} = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv2_uf-nma}
\prone{G_3^{\adversary{A}}} = \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv2_uf-nma}
\end{align}
\begin{figure}
@@ -243,7 +243,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
\item Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also the ppt.
\item Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also ppt.
\item This proves theorem \ref{theorem:adv2_uf-nma}.
\end{proof}