Added EdDSA' proof
@@ -78,14 +78,13 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\begin{proof}
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be \igame. By definition,
% TODO: Hier Sicherheitsparameter?
\[ \advantage{\group{G},\adversary{A}}{\igame}(k) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c \ch_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $\ch_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $\ch_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $\ch_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\ch_i$ has to be concidert, which takes this into account. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $\ch_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $\ch_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $\ch_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\ch_i$ has to be concidert, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
% TODO: Müsste das nicht floor statt ceil sein?
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
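Review bot: the rewritten $G_2$ paragraph still carries the spelling errors of the old one, which this wording pass was the place to fix: "therefor" (therefore), "triggert" (triggered), "concidert" (considered), "reduction module $L$" (modulo), and "the values $L$ is smaller" (the value $L$). Two consistency points in the same paragraph: its second sentence refers to $c_i$ while every other occurrence uses $\ch_i$, and `$min\{2^{2b}, L\}$` should be `\min\{2^{2b}, L\}`. The per-query bound $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$ is just $\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}$ written through a double negation; stating it directly, and carrying the simplified form into the union bound and into the final inequality $|\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad]$, makes the bound easier to check. That also answers the TODO "Müsste das nicht floor statt ceil sein?" left in the source: the ceiling is the right choice, because it counts the largest number of draws from $\{0,1\}^{2b}$ that land on a single residue modulo $L$, which is what a max-probability (min-entropy) bound needs. Both German TODO comments (this one and "Hier Sicherheitsparameter?") should be resolved or at least translated before merge. Finally, the three displays end in `\].` with the period outside the math; move it inside (`... \Rightarrow 1] . \]`) so it is typeset with the formula, and check that `\item` directly under `\begin{proof}` compiles, since without an enclosing list environment (or a redefined `proof`) LaTeX will reject it as a lonely `\item`.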
@@ -137,5 +136,5 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$.
\item This proves Theorem \ref{theorem:advgamez}.
\item This proves theorem \ref{theorem:advgamez}.
\end{proof}
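Review bot: lowercasing "Theorem" to "theorem" in front of `\ref{theorem:advgamez}` goes against the usual convention that a word immediately followed by its reference number is capitalised as part of the name, so unless the rest of the document writes "theorem 3" in lowercase this change should be reverted; in either case use a non-breaking tie, `Theorem~\ref{theorem:advgamez}`, so the word and the number cannot be split across a line break. The unchanged context line "Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$" relies on the bad-flag condition $2^c \ch_i = -r_2$ introduced in $G_1$, so the two should use the same symbol for the challenge ($\ch^*$ here, $\ch_i$ there) or the text should say which query the starred value refers to.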