Added UF-NMA => SUF-CMA proof

2023-03-29 18:29:10 +02:00
parent fe4c190cbc
commit a9f00cb311
4 changed files with 146 additions and 17 deletions


@@ -22,16 +22,19 @@
\newcommand{\messagespace}{\mathcal{M}}
% Special Dlog
\newcommand{\sdlog}{DLog' }
\newcommand{\sdlog}{\text{DLog'} }
% SIM algotithm
\newcommand{\simalg}{\textit{Sim} }
% Intermediate Game
\newcommand{\igame}{\textbf{Game Z} }
\newcommand{\ioracle}{\text{Chall} }
\newcommand{\igame}{\text{Game Z} }
\newcommand{\ioracle}{\textit{Chall} }
% EdDSA procedures
\newcommand{\keygen}{\text{KeyGen} }
\newcommand{\sign}{\text{Sign} }
\newcommand{\verify}{\text{Verify} }
\newcommand{\keygen}{\textit{KeyGen} }
\newcommand{\sign}{\textit{Sign} }
\newcommand{\verify}{\textit{Verify} }
% Security Notions
\newcommand{\cma}{\text{SUF-CMA} }
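Review bot: In the new `\sdlog` definition the prime sits inside `\text{DLog'}`, so in math mode it is typeset as a text apostrophe rather than a math prime; `\newcommand{\sdlog}{\text{DLog}' }` keeps the name upright and the prime a prime, and the same applies to `\text{EdDSA'}` in the other files of this commit. As a point of style, the commit switches `\text` to `\textit` in five algorithm-name macros one by one; a single helper such as `\newcommand*{\algname}[1]{\textit{#1}}`, used as `\newcommand{\sign}{\algname{Sign} }`, would keep the font choice in one place for the next change of mind. The trailing space kept inside each definition also forces a space before following punctuation (`\sign.` prints "Sign ."); dropping it and writing `\sign\ ` or `\sign{}` at use sites, or appending `\xspace`, avoids that.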


@@ -77,7 +77,7 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\columnbreak
@@ -116,7 +116,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\columnbreak
@@ -136,7 +136,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
TODO. Then
%TODO: richtigre Richtung?
\[ \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\hashqueries}{2^b} \]
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\hashqueries}{2^b} \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
@@ -182,7 +182,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\EndBox
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
@@ -212,9 +212,9 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the grey filled ones and $G_0$ be $\cma_{EdDSA}$. By definition,
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the grey filled ones and $G_0$ be $\cma_{\text{EdDSA}}$. By definition,
\[ \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\cma^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the grey filled boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
@@ -228,9 +228,10 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b} \].
%TODO: Signatur von RF genauer beschreiben?
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue filled boxes with the orange boxes. With this change the \cma game parameterized with the EdDSA' game is obtained. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefor an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \].
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(k) \].
\item This proves theorem \ref{theorem:adveddsa'}.
\end{proof}
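Review bot: The theorem inequality the commit rewrites as `\advantage{\text{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\hashqueries}{2^b}` appears to have the sign the in-line TODO questions: the proof bounds each `|\Pr[G_i] - \Pr[G_{i+1}]|` and ends with `\Pr[G_4]` equal to the EdDSA' advantage, which yields the EdDSA' advantage at most the EdDSA advantage plus `\frac{2\hashqueries}{2^b}`, so the minus should be a plus (the G_1/G_2 hop lies outside this hunk, so the constant 2 is inferred from the statement). The rewritten G_0 paragraph still reads "excluding all boxes expect the grey filled ones" — "except" — and "Let $G_0$ be defined ... and $G_0$ be" names the same game twice. The period after the display equations is placed outside `\]`, which starts a new paragraph with a lone full stop; it belongs inside the math, `... = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]`.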


@@ -85,7 +85,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $\ch_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $\ch_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $\ch_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\ch_i$ has to be concidert, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
% TODO: Müsste das nicht floor statt ceil sein?
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
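Review bot: The rewritten G_2 paragraph names the challenge both `$c_i$` ("$c_i$ is chosen by the game") and `$\ch_i$` within the same run of sentences; use `$\ch_i$` throughout. The per-query probability `\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}` is simply `\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}`, because `2^{-\log_2 x} = 1/x`; writing it directly, and the union bound as `\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}`, makes the bound readable. On the floor-versus-ceil TODO that follows: the largest number of values in `\{0,1\}^{2b}` falling on one residue modulo `L` is `\lfloor \frac{2^{2b} - 1}{L} \rfloor + 1 = \lceil \frac{2^{2b}}{L} \rceil`, so the current ceiling of `2^{2b} - 1` undercounts by one exactly when `L` divides `2^{2b} - 1`; taking the ceiling of `2^{2b}` (or using the floor form) is the safe choice. "therefor" and "can not" in the same paragraph should read "therefore" and "cannot".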


@@ -4,16 +4,141 @@
This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
\begin{theorem}
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against \cma, making at most $\hashqueries$ hash queries. Then,
\[ \advantage{\adversary{A}}{\cma}(k) = \advantage{\adversary{B}}{UF-NMA}(k) - \frac{\hashqueries}{|R|} \].
\[ \advantage{\adversary{A}}{\text{\cma}}(k) = \advantage{\adversary{B}}{\text{UF-NMA}}(k) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\end{theorem}
\paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
\paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the structure of a canonical identification scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment, challenge and secret key. The signature is the tuple of commitment and response.
To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the chosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message.
\paragraph{Formal Proof}
\paragraph{\underline{Formal Proof}}
The proof starts by providing an algorithm which generates correctly distributed tuple of commitment, challenge and response. This algorithm is called \simalg and is depicted in figure \ref{fig:sim}. TODO
%TODO: Beweis für Sim Algorithmus
\begin{figure}
\hrule
\begin{algorithmic}[1]
\Statex \underline{\simalg(\groupelement{A})}
\State $\textbf{ch} \randomsample \{0,1\}^{2b}$
\State $s \randomsample \{0,1\}^{2b}$
\State $S \assign \sum_{i=0}^{2b-1} 2^i s_i \pmod L$
\State $R \assign S\groupelement{B} - \textbf{ch}\groupelement{A}$
\State \Return $(\encoded{R}, \textbf{ch}, S)$
\end{algorithmic}
\hrule
\caption{\simalg}
\label{fig:sim}
\end{figure}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
\State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($m \in \messagespace$)}
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\BeginBox[fill=lightgray]
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\EndBox
\BeginBox[draw=blue]
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\EndBox
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] = \bot \textbf{ then}$
\State \quad $\sum[\encoded{R} | \encoded{A} | m] \randomsample \{0,1\}^{2b}$
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | m]) \pmod L$
\EndBox
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Games $G_0 - G_2$}
\label{fig:uf-nma_implies_suf-cma_games}
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the gray filled one and let $G_0$ be $\text{\cma}_{\text{EdDSA}}$. By definition,
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\text{\cma}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the gray filled box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort condition in the red box. The abort condition is triggered if the $bad$ flag is set. Without loss of generality it is assumed that the adversary queries the \sign oracle only once with each message since the signature generated is deterministic and an adversary would not gain more information by multiple queries with the same message. For each individual sign query the probability for the $bad$ flag to be set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter, which is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition he has to guess the commitment $\groupelement{R}$ used during on of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied with the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $r'$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\groupelement{R}$ has to be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(k) \label{eq:adv_uf-nma}
\end{align}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}_{\text{EdDSA}}$}
\label{fig:adversarybuf-nma}
\end{figure}
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}_{\text{EdDSA}}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}_{\text{EdDSA}}$ game and adversary $\adversary{B}$ simulates \sign for adversary $\adversary{A}$. \sign is simulated perfectly. \simalg outputs a tuple $(\groupelement{R}, \textbf{ch}, S)$ satisfying $S\groupelement{B} = \groupelement{R} + \textbf{ch}\groupelement{A}$ for a given public key $\groupelement{A}$ and the random oracle is programmed to output $\textbf{ch}$ for the input $\encoded{R} | \encoded{A} | m$. Therefor the signature $\signature \assign (\encoded{R}, S)$ satisfies the verification equation $2^c S\groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | m)\groupelement{A}$ and is a valid signature for the message $\m$.
% TODO: Ist die Begründung ausreichend?
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{\cma}_{\text{EdDSA}}$ setting is also a valid signature in the $\text{UF-NMA}_{\text{EdDSA}}$ setting.
\item This proves theorem \ref{theorem:adv_uf-nma}.
\end{proof}
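Review bot: Adversary B's `H` oracle in the new figure answers non-programmed queries from its own lazily sampled table (`\sum[m] \randomsample \{0,1\}^{2b}`), yet B is run in the UF-NMA game whose challenger checks `(\m^*, \signature^*)` with its own random oracle; unless that game (defined outside this hunk) lets B supply H, the challenge the challenger computes for the forgery is unrelated to the value B handed A, and the closing "also a valid signature in the UF-NMA setting" step does not follow. Forwarding instead, `\State \quad $\sum[m] \assign H(m)$`, and arguing that the forgery's input was never programmed — `(\m^*, \signature^*) \notin Q`, and for fixed `R` and `m` the verification equation fixes `S` provided verification rejects `S \geq L` — would address the TODO attached to that sentence. The theorem states `\advantage{\adversary{A}}{\text{\cma}}(k) = \advantage{\adversary{B}}{\text{UF-NMA}}(k) - \dots` although the proof only derives `\Pr[G_0] \leq \Pr[G_2] + \Pr[bad]`, i.e. `\leq` with `+`, and neither B nor `\oraclequeries` is introduced in the statement (note also that `\cma` already expands to `\text{SUF-CMA}`, so the outer `\text{}` is redundant). The section's opening sentence says SUF-CMA security implies UF-NMA security, the reverse of the commit title and of the Proof Overview paragraph. Using `\sum` (the summation operator) as the random-oracle table gives operator spacing and sizing; a dedicated macro such as `\newcommand*{\rotable}{\Sigma}` reads as intended, and the `\leftarrow` in the `$s$` line and the `=` in the `RF` and `\textbf{ch}` assignments should be `\assign` like the surrounding lines.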