Finished OMDL proof in GGM
This commit is contained in:
@@ -1 +1,254 @@
|
||||
\subsection{Bounds on \somdl} \label{sec:somdl}
|
||||
|
||||
This section provides a lower bound on the hardness of the modified version one-more discrete logarithm problem in the generic group model. The variant of the one-more discrete logarithm problem was introduced in definition \ref{def:somdl}. \somdl differs from the original one-more discrete logarithm problem by only allowing the adversary to query the discrete logarithm of all challenges but one. Also the discrete logarithms are chosen from a predefined set that is the result of the special key generation algorithm used in EdDSA. The following proof uses the generic group model for twisted Edwards curves. There already exists a proof for the one-more discrete logarithm problem in the generic group model \cite{EPRINT:BauFucPlo21}. This proof provides a lower bound on the original definition of the one-more discrete logarithm problem. This proof is not directly applicable to this definition of \sdlog, since the secret scalars are not chosen uniformly at random from $\field{L}$ and the group structure is not just a prime order group. Also since a more restricted version of the one-more discrete logarithm problem is used a simpler proof, than that in \cite{EPRINT:BauFucPlo21}, can be used, providing a better bound on \somdl.
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:somdl_ggm}
|
||||
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ wit a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations. Then,
|
||||
|
||||
\[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\oraclequeries + N + 2)^2 + 1}{2^{n-1-c}}. \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} This proof uses the same approach as the discrete logarithm proof in the generic group model, by replacing the group elements with polynomials and choosing the challenge after the adversary provided its solution. The tricky part is that the adversary is able to query the discrete logarithms of $N - 1$ group elements, provided to it as a challenge. The proof starts by replacing all group elements with multivariate polynomials representing their discrete logarithms. The indeterminants of those polynomials are the discrete logarithms of each group element, provided to the adversary as challenges. Once the adversary requests the discrete logarithms for all but one group element of the challenge those discrete logarithms are chosen uniformly at random and all polynomials are partially evaluated. This leaves polynomials with just one indeterminant, representing the discrete logarithm of the last challenge. This challenge is then chosen after the adversary provided its solution, leaving the adversay no option but to guess the remaining discrete logarithm. The \somdl game in the generic group model is depicted in figure \ref{fig:somdl_ggm}.
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\vspace{2mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\game \somdl}
|
||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
|
||||
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
||||
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
|
||||
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
|
||||
\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash j\}$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
|
||||
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\textbf{Procedure} Enc($\groupelement{X} \in \curve$)}
|
||||
\vspace{1mm}
|
||||
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
|
||||
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil log_2(|\curve|) \rceil} \backslash \pset{S}$
|
||||
\State \quad $\mathbf{S} \assign \pset{S} \cup \{\sum[X]\}$
|
||||
\State \Return $\sum[\groupelement{X}]$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{\somdl in the generic group model}
|
||||
\label{fig:somdl_ggm}
|
||||
\end{figure}
|
||||
|
||||
\paragraph{\underline{Formal Proof}}
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\vspace{2mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\game \textcolor{black}{$G_0$} / \textcolor{blue}{$G_1$} /\textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
|
||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||
\BeginBox[draw=black]
|
||||
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
|
||||
\Comment{$G_0 - G_4$}
|
||||
\EndBox
|
||||
\BeginBox[draw=black]
|
||||
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
||||
\Comment{$G_0$}
|
||||
\EndBox
|
||||
\BeginBox[draw=blue]
|
||||
\State \quad $\groupelement{A_i} \assign (a_i, 0, ..., 0)$
|
||||
\Comment{$G_1$}
|
||||
\EndBox
|
||||
\BeginBox[draw=red]
|
||||
\State \quad $P_i \assign Z_i$
|
||||
\Comment{$G_2 - G_4$}
|
||||
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
|
||||
\EndBox
|
||||
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
|
||||
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
|
||||
\BeginBox[draw=green]
|
||||
\State \textbf{for } $P_i \in \pset{P}$
|
||||
\Comment{$G_3 - G_4$}
|
||||
\State \quad Let $P_i = R_i + S_i, R_i \in \field{L}[Z_1,...,Z_{j-1},Z_{j+1},...,Z_N], S_i \in \field{L}[Z_j]$
|
||||
\State \quad $\pset{R} \assign \pset{R} \cup \{R_i\}$
|
||||
\State \textbf{if } $\exists R_i, R_j \in \pset{R}: R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a}) \wedge R_i \neq R_j$
|
||||
\State \quad $bad_1 \assign true$
|
||||
\BeginBox[draw=orange,dashed]
|
||||
\State \quad abort
|
||||
\Comment{$G_4$}
|
||||
\EndBox
|
||||
\State \textbf{for } $P_i \in \pset{P}$
|
||||
\State \quad $\sum[R_i(\overset{\rightharpoonup}{a}) + S_i] = \sum[P_i]$
|
||||
\State \quad $P_i \assign R_i(\overset{\rightharpoonup}{a}) + S_i$
|
||||
\EndBox
|
||||
\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash j\}$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
|
||||
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\BeginBox[draw=black]
|
||||
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \curve$)}
|
||||
\Comment{$G_0$}
|
||||
\EndBox
|
||||
\BeginBox[draw=blue]
|
||||
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L} \times \field{ord(E_2)} \times ... \times \field{ord(E_n)}$)}
|
||||
\Comment{$G_1$}
|
||||
\EndBox
|
||||
\BeginBox[draw=red]
|
||||
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,...,Z_N] \times \field{ord(E_2)} \times ... \times \field{ord(E_n)}$)}
|
||||
\Comment{$G_2 - G_4$}
|
||||
\State Let $X = (P, x_2, ..., x_n)$
|
||||
\State $\pset{P} = \pset{P} \cup \{P\}$
|
||||
\State $X \assign (P(\overset{\rightharpoonup}{a}), x_2, ..., x_n)$
|
||||
\EndBox
|
||||
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
|
||||
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil log_2(|\curve|) \rceil} \backslash \pset{S}$
|
||||
\State \quad $\mathbf{S} \assign \pset{S} \cup \{\sum[X]\}$
|
||||
\State \Return $\sum[\groupelement{X}]$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{$G_0 - G_4$}
|
||||
\label{fig:somdl_games_ggm_1}
|
||||
\end{figure}
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
\vspace{2mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\game \textcolor{black}{$G_4$} / \textcolor{blue}{$G_5$} /\textcolor{red}{$G_6$} / \textcolor{green}{$G_7$} / \textcolor{orange}{$G_8$}}
|
||||
\State \textbf{for} $i \in \{1,2,...,N\}$
|
||||
\BeginBox[draw=black]
|
||||
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
|
||||
\Comment{$G_4 - G_7$}
|
||||
\EndBox
|
||||
\State \quad $P_i \assign Z_i$
|
||||
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
|
||||
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
|
||||
\BeginBox[draw=orange]
|
||||
\State \textbf{for } $i \in \{1,2,...,N\}$
|
||||
\Comment{$G_8$}
|
||||
\State \quad \textbf{if } $a_i \neq \bot$
|
||||
\State \qquad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
|
||||
\EndBox
|
||||
\BeginBox[draw=blue]
|
||||
\State \textbf{if } $\exists P_i, P_j \in \pset{P}: P_i(\overset{\rightharpoonup}{a}) = P_j(\overset{\rightharpoonup}{a}) \wedge P_i \neq P_j$
|
||||
\Comment{$G_5 - G_8$}
|
||||
\State \quad $bad_2 \assign true$
|
||||
\BeginBox[draw=red,dashed]
|
||||
\State \quad abort
|
||||
\Comment{$G_6 - G_8$}
|
||||
\EndBox
|
||||
\EndBox
|
||||
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
|
||||
\BeginBox[draw=orange]
|
||||
\State \textbf{for } $i \in \{1,2,...,N\} \backslash j$
|
||||
\Comment{$G_8$}
|
||||
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
|
||||
\EndBox
|
||||
\State \textbf{for } $P_i \in \pset{P}$
|
||||
\State \quad Let $P_i = R_i + S_i, R_i \in \field{L}[Z_1,...,Z_{j-1},Z_{j+1},...,Z_N], S_i \in \field{L}[Z_j]$
|
||||
\State \quad $\pset{R} \assign \pset{R} \cup \{R_i\}$
|
||||
\State \textbf{if } $\exists R_i, R_j \in \pset{R}: R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a}) \wedge R_i \neq R_j$
|
||||
\State \quad $bad_1 \assign true$
|
||||
\State \quad abort
|
||||
\State \textbf{for } $P_i \in \pset{P}$
|
||||
\State \quad $\sum[R_i(\overset{\rightharpoonup}{a}) + S_i] = \sum[P_i]$
|
||||
\State \quad $P_i \assign R_i(\overset{\rightharpoonup}{a}) + S_i$
|
||||
\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash j\}$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
|
||||
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,...,Z_N] \times \field{ord(E_2)} \times ... \times \field{ord(E_n)}$)}
|
||||
\State Let $X = (P, x_2, ..., x_n)$
|
||||
\State $\pset{P} = \pset{P} \cup \{P\}$
|
||||
\BeginBox[draw=black]
|
||||
\State $X \assign (P(\overset{\rightharpoonup}{a}), x_2, ..., x_n)$
|
||||
\Comment{$G_4 - G_6$}
|
||||
\EndBox
|
||||
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
|
||||
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil log_2(|\curve|) \rceil} \backslash \pset{S}$
|
||||
\State \quad $\mathbf{S} \assign \pset{S} \cup \{\sum[X]\}$
|
||||
\State \Return $\sum[\groupelement{X}]$
|
||||
\end{algorithmic}
|
||||
\hrule
|
||||
\caption{$G_4 - G_8$}
|
||||
\label{fig:somdl_games_ggm_2}
|
||||
\end{figure}
|
||||
|
||||
\begin{proof}
|
||||
\item The proof starts by replacing group elements with polynomials. This happens in games $G_1$ and $G_2$. After that it is argued that the challenger makes a mistake in its simulation, by comparing polynomials instead of evaluating them, with only negligible probability. This is shown in $G_3 - G_6$. At last, since the polynomials are not evaluated during the simulation, one discrete logarithm is not used before the adversary provided its solution. Therefore, it can be chosen after the adversary provided its solution, which is shown in $G_7$ and $G_8$.
|
||||
|
||||
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be depicted in figure \ref{fig:somdl_games_ggm_1} by excluding all boxes but the black ones. Clearly, this is equivalent to the \somdl game in the generic group model. Therefore,
|
||||
|
||||
\[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} = \prone{G_0^{\adversary{A}}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ now replaces the group elements in the challenger with its discrete logarithms. This change is purely conceptual, since the adversary only sees the labels of the group elements and each group element can be uniquely identified by its discrete logarithm. Like in the \sdlog proof the discrete logarithm of a group element is denoted by an integer vector, with each element in the vector representing the discrete logarithm regarding one generator from the generating set. For this reason,
|
||||
|
||||
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} $G_2$ replaces the blue boxes with the red ones. This change regards the discrete logarithm of the group elements in the prime order subgroup. The discrete logarithm is now represented as a multivariate polynomial. Each indeterminant of the polynomial represents the discrete logarithm of one of the group elements in the challenge to the adversary. The discrete logarithm of group element in the challenge to the adversary is then instantiated with the indeterminant representing the discrete logarithm of that challenge, instead of the discrete logarithm itself. This change is only conceptual, since the polynomials are evaluated, with the discrete logarithm vector of the group elements in the challenge, before being compared in the Enc procedure. Hence,
|
||||
|
||||
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_3:$}} $G_3$ also introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this it has to be checked that no two distinct polynomials $R_i, R_j$ result in the same value, when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and lables, is updated to reflect this partial evaluation as well. From now on each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
|
||||
|
||||
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}} \]
|
||||
|
||||
\item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\oraclequeries + N + 2$ many polynomials, one per DL query and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\oraclequeries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games,
|
||||
|
||||
\[ |\prone{G_3^{\adversary{A}}} - \prone{G_4^{\adversary{A}}}| \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}. \]
|
||||
|
||||
To improve the readability, $G_4$ is also depicted in figure \ref{fig:sdlog_games_ggm_2} by only including the black boxes. The following game-hops are illustrated in the same figure.
|
||||
|
||||
\item \paragraph{\underline{$G_5:$}} $G_5$ introduces the check in the blue box. This check ensures that after the adversary provided its solution no two distinct polynomials where generated by the challenger that evaluate to the same value, when evaluated with the vector of discrete logarithms. If this happens the $bad_2$ flag is set. This change is only conceptual, as it only changes internal variables, which have no effect on the behavior of the challenger. Hence,
|
||||
|
||||
\[ \prone{G_4^{\adversary{A}}} = \prone{G_5^{\adversary{A}}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_6:$}} $G_6$ aborts if the $bad_2$ flag is set. The $bad_2$ flag is set if any two distinct polynomials evaluate to the same value, when evaluated with the vector of discrete logarithms. There are two cases. The first case is that the adversary queried the DL oracle. The second case is that the adversary did not queried the DL oracle.
|
||||
|
||||
In the first case the adversary got the discrete logarithms of all but one challenge. Without loss of generality it is assumed that the adversary got the discrete logarithm of all but the $N$th group element. In this case all polynomials in $\pset{P}$ are in $\field{L}[Z_N]$, since at the time of DL query all polynomials, generated up to this point, are partially evaluated and are in $\field{Z}[Z_N]$. All polynomials that are generated after that point are generated by the addition of the existing polynomials and are therefore also in $\field{L}[Z_N]$. In this case the Schwartz-Zippel lemma can be applied since the adversary has no information on the remaining discrete logarithm. This is the same scenario as in the \sdlog proof.
|
||||
|
||||
In the case where the adversary did not queried the DL oracle the adversary has no information on any of the discrete logarithms. All polynomials in $\pset{P}$ are in $\field{Z}[N_1, ..., Z_N]$. In this case the Schwartz-Zippel lemma can be applied, since the all discrete logarithms are chosen uniformly at random and the adversary has no information on them.
|
||||
|
||||
The probability of $bad_2$ being true can be calculated using the Schwartz-Zippel lemma, as described in the game-hop to $G_4$. With the Union bound over all polynomial pairs in $\pset{P}$ the probability of $bad_2$ being true is $\Pr[bad_2] \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}$. $G_5$ and $G_6$ are identical-until-bad games, therefore:
|
||||
|
||||
\[ |\prone{G_5^{\adversary{A}}} - \prone{G_6^{\adversary{A}}}| \leq \frac{(\oraclequeries + N + 2)^2}{2^{n - 1 - c}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of the polynomials in the Enc procedure. This change is conceptual, since the game aborts if two distinct polynomials would evaluate to the same value. Therefore, it is sufficient to directly compare polynomials in the cases where the game does not abort. Since the change is only conceptual:
|
||||
|
||||
\[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. This change is only conceptual, since the discrete logarithms are not used prior to being chosen. Therefore,
|
||||
|
||||
\[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \]
|
||||
|
||||
\item Since at least one discrete logarithm is chosen after the adversary provided its solution, its best chance is to guess it. Therefore, the probability of the adversary of winning $G_7$ is upper bounded by the probability of it guessing that discrete logarithm. Hence,
|
||||
|
||||
\[ \prone{G_7^{\adversary{A}}} \leq \frac{1}{2^{n - 1 - c}}. \]
|
||||
|
||||
\item This proves theorem \ref{theorem:somdl_ggm}.
|
||||
\end{proof}
|
||||
@@ -4,12 +4,12 @@ This section focuses on establishing a lower bound on the hardness of a modified
|
||||
|
||||
\begin{theorem}
|
||||
\label{theorem:sdlog_ggm}
|
||||
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_n})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations. Then,
|
||||
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations. Then,
|
||||
|
||||
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{\oraclequeries^2 + 1}{2^{n-1-c}}. \]
|
||||
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{(\oraclequeries + 3)^2 + 1}{2^{n-1-c}}. \]
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}} This proof closely resembles the original proof on the lower bound for the discrete logarithm problem by Shoup \cite{EC:Shoup97}. The initial step involves working with the discrete logarithms of group elements rather than the actual group elements themselves. In the generic group model, this is equivalent as each group element can be uniquely represented by its discrete logarithms with respect to a generating set. For consistency the generating set is denoted as $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_n})$, with $\groupelement{B}$ being the generator of the prime order subgroup and $\groupelement{E_2}$ to $\groupelement{E_n}$ being the generators of the other subgroups. Subsequently, the discrete logarithm in the prime order subgroup is replaced by an indeterminate. By doing this, the discrete logarithm in the prime order subgroup can be chosen after the adversary has provided their solution. As a result, the generic adversary can only guess the discrete logarithm in the prime order subgroup, since it is generated only after the adversary has already submitted their solution. Figure \ref{fig:sdlog_ggm} shows the \sdlog game in the generic group model.
|
||||
\paragraph{\underline{Proof Overview}} This proof closely resembles the original proof on the lower bound for the discrete logarithm problem by Shoup \cite{EC:Shoup97}. The initial step involves working with the discrete logarithms of group elements rather than the actual group elements themselves. In the generic group model, this is equivalent as each group element can be uniquely represented by its discrete logarithms with respect to a generating set. For consistency the generating set is denoted as $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$, with $\groupelement{B}$ being the generator of the prime order subgroup and $\groupelement{E_2}$ to $\groupelement{E_m}$ being the generators of the other subgroups. Subsequently, the discrete logarithm in the prime order subgroup is replaced by an indeterminate. By doing this, the discrete logarithm in the prime order subgroup can be chosen after the adversary has provided their solution. As a result, the generic adversary can only guess the discrete logarithm in the prime order subgroup, since it is generated only after the adversary has already submitted their solution. Figure \ref{fig:sdlog_ggm} shows the \sdlog game in the generic group model.
|
||||
|
||||
\begin{figure}[h]
|
||||
\hrule
|
||||
@@ -19,13 +19,13 @@ This section focuses on establishing a lower bound on the hardness of a modified
|
||||
\vspace{1mm}
|
||||
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$
|
||||
\State $\groupelement{A} \assign a \groupelement{B}$
|
||||
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_n}), Enc(\groupelement{A}))$
|
||||
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A}))$
|
||||
\State \Return $a^* \test a$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
|
||||
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
|
||||
\State \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
\begin{algorithmic}
|
||||
@@ -66,7 +66,7 @@ This section focuses on establishing a lower bound on the hardness of a modified
|
||||
\Comment{$G_2 - G_4$}
|
||||
\State $\groupelement{A} \assign (P, 0, ..., 0)$
|
||||
\EndBox
|
||||
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_n}), Enc(\groupelement{A}))$
|
||||
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A}))$
|
||||
\State \Return $a^* \test a$
|
||||
\end{algorithmic}
|
||||
\vspace{1mm}
|
||||
@@ -126,7 +126,7 @@ This section focuses on establishing a lower bound on the hardness of a modified
|
||||
\EndBox
|
||||
\State $P \assign Z$
|
||||
\State $\groupelement{A} \assign (P, 0, ..., 0)$
|
||||
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_n}), Enc(\groupelement{A}))$
|
||||
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A}))$
|
||||
\BeginBox[draw=green]
|
||||
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$
|
||||
\Comment{$G_7$}
|
||||
@@ -176,7 +176,7 @@ This section focuses on establishing a lower bound on the hardness of a modified
|
||||
\item This proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}. The Schwarz-Zippel lemma is defined as following:
|
||||
|
||||
\begin{definition}[Schwartz-Zippel lemma]
|
||||
Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X]$ be a non-zero polynomial of total degree $d \geq 0$ over a field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x$ be selected uniformly at random from $S$. Then
|
||||
Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X_1, ..., X_n]$ be a non-zero polynomial of total degree $d \geq 0$ over a field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x$ be selected uniformly at random from $S$. Then
|
||||
|
||||
\[ \Pr[P(x) = 0] \leq \frac{d}{|S|}. \]
|
||||
\end{definition}
|
||||
@@ -185,7 +185,7 @@ This section focuses on establishing a lower bound on the hardness of a modified
|
||||
|
||||
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} = \prone{G_0^{\adversary{A}}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_1$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification remains undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group element. Each group element still gets the same label assigned. Therefore,
|
||||
\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification remains undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group element. Each group element still gets the same label assigned. Therefore,
|
||||
|
||||
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
|
||||
|
||||
@@ -197,9 +197,9 @@ This section focuses on establishing a lower bound on the hardness of a modified
|
||||
|
||||
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
|
||||
|
||||
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag is activated. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being activated can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P}$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a) \wedge P_i \neq P$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\oraclequeries$ many polynomials by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\oraclequeries}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{\oraclequeries^2}{2^{n-1-c}}$. For this reason,
|
||||
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag is activated. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being activated can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P} \neq P$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\oraclequeries + 3$ many polynomials (one per DL call, and three by encoding the input to the adversary) by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\oraclequeries + 3}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{(\oraclequeries + 3)^2}{2^{n-1-c}}$. For this reason,
|
||||
|
||||
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{\oraclequeries^2}{2^{n-1-c}}. \]
|
||||
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\oraclequeries + 3)^2}{2^{n-1-c}}. \]
|
||||
|
||||
For improved readability, $G_4$ is also depicted in \ref{fig:sdlog_games_ggm_2} by including only the black boxes and excluding all others. The subsequent game-hops are also illustrated in the same figure.
|
||||
|
||||
@@ -223,7 +223,7 @@ This section focuses on establishing a lower bound on the hardness of a modified
|
||||
|
||||
\item As a result, the adversary has no improved likelihood of computing its solution $a^*$ other than guessing, given that the challenger does not select $a$ until the adversary has submitted its solution. Since $a$ being chosen uniformly at random from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the probability for the adversary to win $G_7$ is:
|
||||
|
||||
\[ \prone{G_7^{\adversary{A}}} = \frac{1}{2^{n-1-c}}. \]
|
||||
\[ \prone{G_7^{\adversary{A}}} \leq \frac{1}{2^{n-1-c}}. \]
|
||||
|
||||
\item This proofs theorem \ref{theorem:sdlog_ggm}.
|
||||
\end{proof}
|
||||
Reference in New Issue
Block a user