diff --git a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex index 619188c..64d5581 100644 --- a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex +++ b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex 
@@ -1,26 +1,26 @@ -\subsection{UF-NMA $\Rightarrow$ $\text{\cma}_{\text{EdDSA with strict parsing}}$ (ROM)} \label{proof:uf-nma_implies_suf-cma} +\subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA sp}}$} \label{proof:uf-nma_implies_suf-cma} -% TODO: "intuition for the proof" vs. "intuition of the proof"? -This section shows that the UF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section starts by first providing an intuition for the proof followed by the detailed security proof. +This section shows that the UF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section begins with an intuition for the proof, followed by the detailed security proof. \begin{theorem} \label{theorem:adv_uf-nma} - Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, + Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, - \[ \advantage{\adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] + \[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \end{theorem} -\paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key. 
+\paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the \cma security definition, but lacks the \Osign oracle. To show that UF-NMA security implies \cma security, the reduction must simulate the \Osign oracle without knowledge of the private key. -The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the structure of a canonical identification scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment, challenge and secret key. The signature is the tuple of commitment and response. +The EdDSA signature scheme is based on the Schnorr signature scheme, which is a canonical identification scheme to which the Fiat-Shamir transformation is applied. This means that EdDSA roughly follows the structure of a canonical identification scheme by first computing a commitment $R$, computing a challenge $\ch$ using the hash function, and then computing the response $S$ based on the commitment, challenge, and private key. The signature is the commitment and response tuple. -To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the chosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message. +To generate a signature without knowing the private key, the challenge and response are chosen randomly, and the commitment is calculated based on the chosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. 
In this way, the resulting tuple of challenge and response is a valid signature for the given message. + +For the reduction to be able to program the random oracle, the adversary must not have queried the hash function with this exact input before asking for the signature. Since the input to the hash query includes the commitment, which is unknown to the adversary prior to the \Osign query, and the result of a random function, the adversary can only guess it, which introduces the loss of advantage. + +This method of simulating the \Osign oracle and the resulting loss of advantage was first introduced in \cite{SP:BCJZ21}. \paragraph{\underline{Formal Proof}} -The proof starts by providing an algorithm which generates correctly distributed tuple of commitment, challenge and response. This algorithm is called \simalg and is depicted in figure \ref{fig:sim}. TODO -%TODO: Beweis für Sim Algorithmus - \begin{figure} \hrule \vspace{1mm} 
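Review bot: the rewritten third overview paragraph now ends with "the resulting tuple of challenge and response is a valid signature", but the paragraph directly before it defines the signature as "the commitment and response tuple", and the removed line correctly said "commitment and response"; restore "commitment and response" so the overview matches the $(\encoded{R}, S)$ signature used in the proof. The same paragraph changes the Schnorr description to "the Schnorr signature scheme, which is a canonical identification scheme to which the Fiat-Shamir transformation is applied"; a signature scheme is not itself an identification scheme, so say that Schnorr is obtained by applying the Fiat-Shamir transformation to a canonical identification scheme, which is what the removed wording meant. In the theorem statement, "at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries" is ambiguous, since hash queries are also oracle queries; call them signing queries, which is what the $G_2$ step actually counts. Finally, the loss term $\frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$ is just $\oraclequeries \hashqueries \cdot \lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}$, i.e. $\oraclequeries \hashqueries \cdot 2^{-H_\infty(\groupelement{R})}$; writing it in that form makes the guessing probability visible instead of hiding it behind a double negation of logarithm and exponent.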
@@ -107,26 +107,28 @@ The proof starts by providing an algorithm which generates correctly distributed \end{figure} \begin{proof} - \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one and let $G_0$ be $\text{\cma}$. By definition, + \item The proof begins by providing an algorithm that generates a correctly distributed tuple of commitment, challenge, and response. This algorithm is called \simalg and is shown in the figure \ref{fig:sim}. This procedure is taken from \cite{SP:BCJZ21}. A proof can be found in the same paper. The formula for the min-entropy of the commitment $\groupelement{R}$ is also taken from that paper. + + \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one. Clearly $G_0$ is the game $\text{\cma}$ for EdDSA. By definition, \[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] - \item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence, + \item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore, \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. 
\] - \item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort condition is triggered if the $bad$ flag is set. Without loss of generality it is assumed that the adversary queries the \sign oracle only once with each message since the signature generated is deterministic and an adversary would not gain more information by multiple queries with the same message. For each individual sign query the probability for the $bad$ flag to be set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter, which is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition he has to guess the commitment $\groupelement{R}$ used during on of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied with the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $r'$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\groupelement{R}$ has to be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have + \item \paragraph{\underline{$G_2:$}} $G_2$ also contains the abort statement in the red box. The abort condition is triggered when the $bad$ flag is set. 
Without loss of generality, it is assumed that the adversary queries the \sign oracle only once for each message, since the signature generated is deterministic and an adversary would not gain more information by multiple queries on the same message. For each individual signature query, the probability of the $bad$ flag being set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter of the hash function that is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition, he must guess the commitment $\groupelement{R}$ used during one of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min-entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied by the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction modulo $L$ there are $min\{2^{2b}, L\}$ possible values for $r'$. If the values of $L$ are less than $2^{2b}$ (which is the case in most instances of EdDSA), then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information, the min entropy of $\groupelement{R}$ must be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] - \item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle by the \sign oracle in the green box. This change is only conceptual. 
\simalg outputs a correctly distributed tuple $(R, \textbf{ch}, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \textbf{ch} \groupelement{A}$ and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed to output $\textbf{ch}$ upon calling $H(\encoded{R} | \encoded{A} | m)$. Therefore, it is ensured that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without the usage of the private key $s$. Therefore, + \item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle with the \sign oracle in the green box. Now the signature is not generated by using the secret key, but by using the \simalg procedure and manually setting the result of the hash function call. This change is conceptual only. \simalg returns a correctly distributed tuple $(R, \ch, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \ch \groupelement{A}$ and it has been excluded that $H(\encoded{R} | \encoded{A} | \m)$ is set before calling the \sign oracle, so that the random oracle can be programmed to output $\ch$ when calling $H(\encoded{R} | \encoded{A} | m)$. This ensures that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without using the private key $s$. Therefore, \[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \] \item Finally, Game $G_3$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying \begin{align} - \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). 
\label{eq:adv_uf-nma} + \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv_uf-nma} \end{align} \begin{figure} 
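Review bot: in the $G_2$ paragraph, "If the values of $L$ are less than $2^{2b}$" should read "If $L$ is less than $2^{2b}$" ($L$ is a single group order, not a set of values), and $min\{2^{2b}, L\}$ should be typeset as $\min\{2^{2b}, L\}$. The same paragraph alternates between "min-entropy" and "min entropy"; pick one spelling. In the $G_3$ paragraph the hash input is written once as $H(\encoded{R} | \encoded{A} | m)$ with a bare $m$ while every other occurrence uses $\m$; use the macro throughout. The $G_3$ paragraph also calls the replacement of the real signer by \simalg "conceptual only", but in $G_1$ "conceptual" is used to mean that only internal variables of the game change, whereas here the oracle's code genuinely changes and the two games are equal only because \simalg produces a correctly distributed $(R, \ch, S)$ and the random oracle can be programmed; phrase it as "this change does not alter the view of $\adversary{A}$, because ..." so the reader does not look for a purely syntactic change.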
@@ -162,29 +164,31 @@ The proof starts by providing an algorithm which generates correctly distributed \label{fig:adversarybuf-nma} \end{figure} - To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. + To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{UF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger. - Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. When using strict parsing any the decoded $S$ from the signature it is known that $0 \leq S < L$. Therefore there is only one valid encoded $S$ for each $R$, $\m$ pair that satisfies the equation. This means that from no new and valid signature can be generated by only changing the $S$ value of an already valid signature. Hence, also $R$ or $m$ has to be altered to generate a new valid signature from another one. Since $R$ and $m$ are inputs to the hash query, which is used to generate the challenge, the result for this hash query are forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. 
Therefore, + Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by the $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value has not been set by $\adversary{B}$ and therefore must have passed from the UF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore, \begin{align*} 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\ \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}. \end{align*} - Meaning that the forged signature from adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. + This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. + + \item The runtime of the adversary $\adversary{B}$ is ppt and dominated by the runtime of $\adversary{A}$. 
Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature. \item This proves theorem \ref{theorem:adv_uf-nma}. \end{proof} -\subsection{UF-NMA $\Rightarrow$ $\text{EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)} +\subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$} -This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games are the same as in the proof above with the only difference being the win condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason this proofs starts at showing the existence of an adversary $\adversary{B}$ breaking UF-NMA security. +This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks UF-NMA security. 
The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by $\adversary{B}$, and therefore the forged signature would not be a valid signature for the UF-NMA challenger. \begin{theorem} \label{theorem:adv2_uf-nma} - Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, + Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, - \[ \advantage{\adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] + \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \end{theorem} \paragraph{\underline{Formal Proof}} 
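Review bot: the new subsection heading UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$ contradicts its own body, which states that UF-NMA "implies the EUF-CMA security of EdDSA with lax parsing", explains that "The SUF-CMA security cannot be proved" in the lax-parsing setting, and proves Theorem \ref{theorem:adv2_uf-nma} for EUF-CMA; the removed heading correctly said EUF-CMA, so this should be $\text{EUF-CMA}_{\text{EdDSA lp}}$. In the strict-parsing wrap-up, "instead of being set by the $\adversary{B}$ itself" reads as "by the B itself"; drop the article. The added sentence about multiple encodings of $\groupelement{R}$ is the right observation, but it should say why it is needed: the $bad$ event in $G_2$ only rules out a prior hash query on the exact string $\encoded{R} | \encoded{A} | \m$ that $\adversary{B}$ programs, so a forgery that reuses the same point under a different encoding is verified against a value that was forwarded from $H$, not programmed. Finally, "It is known that $2^c S^* \groupelement{B} = \ldots$" should state where this comes from, namely that the output of $\adversary{A}$ satisfies the winning condition $\verify(\groupelement{A}, \m^*, \signature^*)$.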
@@ -228,16 +232,18 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit \label{fig:adversary_b_suf-nma} \end{figure} - To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. + To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{UF-NMA}$ game and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger. - Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. The same argument as in the proof above cannot be used since the lax parser could map multiple $2b$-bit bitstrings onto the same $S^* \pmod L$. Therefore the adversary $\adversary{A}$ could generate a new valid signature from a by \Osign generated one by simply choosing a different bitstring representation of the same $S^* \pmod L$. Since in this case $\sum[\encoded{R^*}|\encoded{A}|m^*]$ was set by the adversary $\adversary{B}$ this signature is not valid for the UF-NMA challenger. But since we are in the EUF-CMA setting we require the adversary $\adversary{A}$ to output a signature for a message $m^*$ for that it has not requested a signature via the \Osign oracle. 
Since the signature for the message $m^*$ has not been queried in the Sign oracle the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ has not been set by the adversary B but was forwarded from the $H$ hash oracle. For this reason $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore, + Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. The same argument as in the proof above cannot be used, since the lax parser could map multiple $2b$-bit bitstrings onto the same $S^* \pmod L$. Therefore, the adversary $\adversary{A}$ could generate a new valid signature from one generated by \Osign simply by choosing a different bitstring representation of the same $S^* \pmod L$. Since in this case $\sum[\encoded{R^*}|\encoded{A}|m^*]$ was set by the adversary $\adversary{B}$, this signature is not valid for the UF-NMA challenger. However, since we are in the EUF-CMA setting, we require the adversary $\adversary{A}$ to provide a signature for a message $m^*$ for which it has not requested a signature from the \Osign oracle. Since the signature for the message $m^*$ was not requested in the Sign oracle, the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ was not set by the adversary B, but was forwarded from the $H$ hash oracle. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore, \begin{align*} 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\ \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}. \end{align*} - Meaning that the forged signature from adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. 
+ This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. + + \item Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also the ppt. \item This proves theorem \ref{theorem:adv2_uf-nma}. \end{proof} \ No newline at end of file
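Review bot: both the removed and the added lines write the programmed hash entry as $\sum[\encoded{R^*}|\encoded{A}|m^*]$, which typesets as a summation sign; this looks like a wrong macro for the lazily sampled table behind $H'$ and should be replaced by whatever notation the game figures use for that table, or simply by $H'(\encoded{R^*}|\encoded{A}|m^*)$ as in the surrounding sentences. The closing item "Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also the ppt." needs a comma after "above" and should end "is also ppt" (or "is also polynomial"); it is also at odds with the separate figure \ref{fig:adversary_b_suf-nma} referenced a few lines earlier, so either say that $\adversary{B}$ is identical up to the winning condition or drop the claim. Inconsistencies that the strict-parsing proof in the previous hunk already fixed but this hunk keeps: "consider $\adversary{A}$ output" should be "$\adversary{A}$'s output", "the adversary B" should use $\adversary{B}$, and "the Sign oracle" should be \Osign as everywhere else. The file also still lacks a trailing newline.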