rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Intuition for UF-NMA => UF-CMA

Browse Source
This commit is contained in:
Aaron Kaiser
2023-02-24 10:36:46 +01:00
parent ca1e2c10cb
commit be6defc8bf
1 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
thesis/Abschlussarbeit.tex
View File

@@ -98,6 +98,8 @@ TODO
\raggedbottom
\newpage
\section{Related Work}
\section{Preliminaries}
\subsection{Schnorr Signatures}
@@ -112,6 +114,8 @@ TODO
\subsection{Generic Group Model (GGM)}
\section{Notation}
\newpage
\section{EdDSA Signatures}
@@ -210,9 +214,10 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\hrule
\end{figure}
\subsection{Replacing Hash Function Calls}
\newpage
\section{Notation}
\section{The Security of EdDSA in a Single-User Setting}
@@ -221,11 +226,21 @@ This section takes a look at the single-user security of EdDSA. This is done by
% TODO: Ichform?
% TODO: richtige Richtung?
% TODO: "onto which I will reduce the UF-NMA security" kann man das so schreiben?
The proof starts by replacing some calls to hash function $H$ with calls to a pseudo random function and pseudo random generator. After replacing some calls to the hash function I show that the UF-CMA security of EdDSA implies UF-NMA security of EdDSA in the Random Oracle Model. Next I introduce an intermediate game on which I will reduce the UF-NMA security. At last I will show that this intermediate game implies security regarding the special version of the DLog problem.
The proof starts by showing that the UF-NMA security of EdDSA implies UF-CMA security of EdDSA in the Random Oracle Model. Next I introduce an intermediate game on which I will reduce the UF-NMA security. At last, I will show that this intermediate game implies security regarding the special version of the DLog problem.
\subsection{UF-CMA $=>$ UF-NMA (ROM)}
The chain of reductions can be depicted as:
\[ DLog' => Game Z => UF-NMA_{EdDSA} => UF-CMA_{EdDSA} \]
\subsection{UF-NMA $=>$ UF-CMA (ROM)}
In this section I will show that the UF-CMA security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. I first start by providing an intuition for the proof followed by the detailed security proof.
\paragraph{intuition} The UF-NMA security definition is close to the security definition of UF-CMA but is missing the Sign oracle. To show that UF-NMA security implies UF-CMA security the reduction has to simulate the Sign oracle without the knowledge of the private key.
The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment and challenge. The signature is the tuple of commitment and response.
To generate a signature without the knowledge of the private key I choose the challenge and the response randomly, calculate the commitment based on the choosen challenge and response and then program the random oracle to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for this message.
\section{The Security of EdDSA in a Multi-User Setting}