Added UF-NMA => SUF-CMA proof

2023-03-29 18:29:10 +02:00
parent fe4c190cbc
commit a9f00cb311
4 changed files with 146 additions and 17 deletions


@@ -77,7 +77,7 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\columnbreak
@@ -116,7 +116,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\columnbreak
@@ -136,7 +136,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
TODO. Then
%TODO: richtigre Richtung?
\[ \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\hashqueries}{2^b} \]
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\hashqueries}{2^b} \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
@@ -182,7 +182,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\EndBox
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
@@ -212,9 +212,9 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the grey filled ones and $G_0$ be $\cma_{EdDSA}$. By definition,
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the grey filled ones and $G_0$ be $\cma_{\text{EdDSA}}$. By definition,
\[ \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\cma^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the grey filled boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
@@ -228,9 +228,10 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b} \].
%TODO: Signatur von RF genauer beschreiben?
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue filled boxes with the orange boxes. With this change the \cma game parameterized with the EdDSA' game is obtained. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefor an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \].
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(k) \].
\item This proves theorem \ref{theorem:adveddsa'}.
\end{proof}
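Review bot: The theorem inequality in the hunk at `@@ -136,7 +136,7 @@` still points the wrong way for what the game sequence establishes, and the `%TODO: richtigre Richtung?` above it is left open. Only `\textbf` versus `\text` differs between the two printed versions of that line. The visible hops give $\Pr[G_0] = \advantage{\text{EdDSA},\adversary{A}}{\cma}(k)$, a loss of at most $\hashqueries/2^b$ from $G_2$ to $G_3$, and $\Pr[G_3] = \Pr[G_4] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(k)$. Assuming the $G_1$ to $G_2$ hop, which is not shown here, loses the same amount, the proof yields $|\Pr[G_0] - \Pr[G_4]| \leq 2\hashqueries/2^b$, which does not imply the stated upper bound on EdDSA' with a subtracted term. The statement a later reduction can use is `\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) \leq \advantage{\text{EdDSA'},\adversary{A}}{\cma}(k) + \frac{2\hashqueries}{2^b} \]`, and the theorem begins outside this hunk, so its hypotheses should be checked against that form.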