Added EdDSA' proof
@@ -62,31 +62,28 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\begin{multicols}{3}
\scriptsize
\begin{algorithmic}[1]
\Procedure{KeyGen}{}
\Statex \underline{\textbf{\keygen}}
\State $k \randomsample \{0,1\}^b$
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State \Return (\encoded{$A$}, $k$)
\EndProcedure
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{Sign}{$k$, $m$}
\Statex \underline{\textbf{\sign}($k$, $m$)}
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | b_{2b-1} | m)$
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State \Return $\sigma \assign (\encoded{R}, S)$
\EndProcedure
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{Verify}{$\encoded{A}, \sigma \assign (\encoded{R}, S), m$}
\State \Return $2^c SB \\= 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
\EndProcedure
\Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)}
\State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
\end{algorithmic}
\end{multicols}
\hrule
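Review bot: the assignment notation is inconsistent inside the figure: `\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$` appears in both \keygen and \sign while every other step uses `\assign`; use `\assign` throughout so the scalar derivation reads like the rest of the pseudocode. The replacement of `H(h_b | ... | b_{2b-1} | m)` by `H(h_b | ... | h_{2b-1} | m)` is a correct typo fix of the secret-prefix argument (the nonce prefix is the upper half of $H(k)$, not a separate $b$). The \verify line `2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A` now matches the EdDSA' figure, which is good; consider adding one sentence near the figure stating that $h_b, \dots, h_{2b-1}$ are never reused outside \sign, since the later proof relies on exactly that.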
@@ -96,4 +93,147 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\subsection{Replacing Hash Function Calls}
To make working with the random oracle easier in the following proofs some calls to the hash function are being replaced with calls to a pseudo random generator and a pseudo random function. After that it will be shown that the advantage winning the \cma game of both versions of the signature scheme is roughly the same.
To make working with the random oracle easier in the following proofs a variant of the EdDSA signature scheme is introduced which has some calls to the random oracle replaced by directly sampling a value uniformly at random or using a random function. After that it will be shown that the advantage winning the \cma game in both versions of the signature scheme is roughly the same.
\paragraph{\underline{Introducing EdDSA'}}
The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The difference to the original EdDSA signature scheme is that the value $h$ is sampled uniformly at random from $\{0,1\}^{2b}$ and $r'$ is the result of a call to random function instead of the hash function.
\begin{figure}
\hrule
\begin{multicols}{3}
\scriptsize
\begin{algorithmic}[1]
\Statex \underline{\textbf{\keygen}}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State \Return (\encoded{$A$}, $k \assign (s, h_b | ... | h_{2b-1})$)
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\textbf{\sign}($k \assign (s, h_b | ... | h_{2b-1})$, $m$)}
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)}
\State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Generic description of the algorithms \keygen, \sign and \verify used by the EdDSA' signature scheme}
\label{fig:eddsa'}
\end{figure}
\begin{theorem}
\label{theorem:adveddsa'}
% TODO: Was soll ich hier schreiben?
TODO. Then
%TODO: richtigre Richtung?
\[ \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\oraclequeries}{2^b} \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
The different games used in the proof are depicted in figure \ref{fig:eddsa'games}. The proof uses the random oracle model. The main idea that the values $h$ and $r_i$ look uniformly random to the adversary if he never queries the random oracle with $k$ or a value starting with $h_b | ... | h_{2b-1}$. Therefor those calls to the random oracle can be replaced with the sampling of truly random values.
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
\State $k \randomsample \{0,1\}^b$
\BeginBox[fill=lightgray]
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\EndBox
\BeginBox[draw=blue,fill=cyan]
\State $\textbf{if } \sum[k] = \bot \textbf{ then}$
\State \quad $\sum[k] \randomsample \{0,1\}^{2b}$
\State $(h_0, h_1, ..., h_{2b-1}) \assign \sum[k]$
\EndBox
\BeginBox[draw=orange]
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\EndBox
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
\State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($m \in \messagespace$)}
\BeginBox[fill=lightgray]
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\EndBox
\BeginBox[draw=blue,fill=cyan]
\State $\textbf{if } \sum[h_b | ... | h_{2b-1} | m] = \bot \textbf{ then}$
\State \quad $\sum[h_b | ... | h_{2b-1} | m] \randomsample \{0,1\}^{2b}$
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign \sum[h_b | ... | h_{2b-1} | m]$
\EndBox
\BeginBox[draw=orange]
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | m)$
\EndBox
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\BeginBox[draw=blue]
\State $\textbf{if } m = k \textbf{ then}$
\State \quad $bad_1 \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\EndBox
\State $\textbf{if } m \text{ starts with } h_b|...|h_{2b-1} \textbf{ then}$
\State \quad $bad_2 \assign true$
\BeginBox[draw=green,dashed]
\State \quad $abort$
\EndBox
\EndBox
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Game $G_0 - G_4$}
\label{fig:eddsa'games}
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the grey filled ones and $G_0$ be $\cma_{EdDSA}$. By definition,
\[ \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\cma^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the grey filled boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad_1] \leq \frac{\oraclequeries}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\oraclequeries}{2^b} \].
\item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad_2] \leq \frac{\oraclequeries}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\oraclequeries}{2^b} \].
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue filled boxes with the orange boxes. With this change the \cma game parameterized with the EdDSA' game is obtained. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefor an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \].
\item This proves theorem \ref{theorem:adveddsa'}.
\end{proof}
%TODO: Das kann man sicherlich schöner formulieren
In the following proofs when referring to the EdDSA signature scheme actually the EdDSA' signature scheme is used to make the proof more staight forward. In the end when calculating the loss due to the reduction the loss introduced by the EdDSA' signature scheme will be included.
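Review bot: the theorem statement does not match what the proof derives. The hops $G_0$ to $G_4$ give $|\Pr[G_0 \Rightarrow 1] - \Pr[G_4 \Rightarrow 1]| \leq 2\oraclequeries / 2^b$ by the triangle inequality, i.e. $\advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) \leq \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) + 2\oraclequeries/2^b$ (and symmetrically), whereas the stated `\advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\oraclequeries}{2^b}` has both the direction and the sign reversed; this is exactly the question in the `%TODO: richtigre Richtung?` comment, so state the absolute difference (or the $+$ form) and replace `TODO. Then` with the hypothesis that $\adversary{A}$ makes at most $\oraclequeries$ random-oracle queries. Second, the $G_4$ step is not purely conceptual as written: the orange boxes replace only the filled boxes, so the red and green abort boxes in the $H$ oracle are still part of $G_4$, and $G_4$ aborts when the adversary queries $k$ or the prefix $h_b | ... | h_{2b-1}$, while the \cma game for EdDSA' answers those queries normally (in EdDSA' the value $k$ is also the pair $(s, h_b | ... | h_{2b-1})$, so the test $m = k$ is not well-typed there). Either add a final hop that removes the aborts with another identical-until-bad argument and fold its loss into the bound, or argue directly that in EdDSA' the $H$ outputs on those inputs are independent of the signing randomness. Third, `\item \paragraph{...}` inside the `proof` environment is not inside any list environment and will fail with "Lonely \item"; drop the `\item`s or wrap the steps in an `enumerate`. On notation: `\sum[k]` for the lazy-sampling table collides with the summation in `s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i`, so use a distinct name such as $T[\cdot]$; the orange box writes `(r'_0, ...) = RF(...)` with `=` where every other step uses `\assign`; the final check `\verify(A, \m^*,\signature^*)` passes arguments in a different order from the definition `\verify(\encoded{A}, \sigma, m)`; and the caption `Game $G_0 - G_4$` renders a minus sign rather than a range. The $G_3$ argument would be clearer with one sentence noting that $s$ depends only on $h_c, \dots, h_{n-1}$ with $n < b$, so the public key reveals nothing about the prefix $h_b, \dots, h_{2b-1}$. Finally, several typos in the prose: "expect the grey" (except), "to if conditions" (two), "triggert", "Therefor" (three times), "can can", "introduced ion $G_2$", "staight forward", and "The main idea that" is missing "is"; the German `%TODO` comments should be resolved before merging.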