Added EdDSA' proof

This commit is contained in:
2023-03-27 19:34:56 +02:00
parent da198c2184
commit c5bdf84b77
4 changed files with 159 additions and 19 deletions


@@ -19,7 +19,7 @@ listof=totoc,
\usepackage[urlcolor=blue,hidelinks]{hyperref} \usepackage[urlcolor=blue,hidelinks]{hyperref}
\usepackage[,hhmmss]{datetime} \usepackage[,hhmmss]{datetime}
\newtheorem{theorem}{Theorem} \newtheorem{theorem}{Theorem}[section]
\newtheorem{definition}{Definition}[section] \newtheorem{definition}{Definition}[section]
\begin{document} \begin{document}
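Review bot: With `\newtheorem{theorem}{Theorem}[section]` theorems and definitions now run on two independent per-section counters, so a Definition 2.1 and a Theorem 2.1 can coexist in the same section. If one running sequence per section is intended, the second environment should reuse the first counter instead: `\newtheorem{definition}[theorem]{Definition}`. Both are valid; this is only a choice worth making deliberately, since the proof text refers to theorems by `\ref` and the numbering scheme is what readers will see.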


@@ -19,21 +19,22 @@
\newcommand{\hashqueries}{q_h} \newcommand{\hashqueries}{q_h}
\newcommand{\test}{\overset{?}{=}} \newcommand{\test}{\overset{?}{=}}
\newcommand{\ch}{\textbf{ch}} \newcommand{\ch}{\textbf{ch}}
\newcommand{\messagespace}{\mathcal{M}}
% Special Dlog % Special Dlog
\newcommand{\sdlog}{DLog' } \newcommand{\sdlog}{DLog' }
% Intermediate Game % Intermediate Game
\newcommand{\igame}{Game Z } \newcommand{\igame}{\textbf{Game Z} }
\newcommand{\ioracle}{Chall } \newcommand{\ioracle}{\text{Chall} }
% EdDSA procedures % EdDSA procedures
\newcommand{\keygen}{KeyGen } \newcommand{\keygen}{\text{KeyGen} }
\newcommand{\sign}{Sign } \newcommand{\sign}{\text{Sign} }
\newcommand{\verify}{Verify } \newcommand{\verify}{\text{Verify} }
% Security Notions % Security Notions
\newcommand{\cma}{SUF-CMA } \newcommand{\cma}{\text{SUF-CMA} }
\newcommand{\adversary}[1]{\mathcal{#1}} \newcommand{\adversary}[1]{\mathcal{#1}}
\newcommand{\advantage}[2]{\text{Adv}_{#1}^{#2}} \newcommand{\advantage}[2]{\text{Adv}_{#1}^{#2}}
\newcommand{\prone}[1]{Pr[#1 \Rightarrow 1]} \newcommand{\prone}[1]{Pr[#1 \Rightarrow 1]}
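Review bot: The trailing space inside the rewritten definitions, e.g. `\newcommand{\sign}{\text{Sign} }`, is part of the macro expansion, so in text mode `\sign.` or `\sign)` prints a stray space before the punctuation, while in math mode the same space is dropped anyway, so spacing differs between the two uses. Ending each body with `\xspace` (from the `xspace` package) or dropping the space and writing `\sign{}` where a following word needs separation gives consistent output. On the unchanged last line, `\prone` still uses bare `Pr`, which typesets as two italic variables; `\Pr` (as the proofs already write by hand) would match the rest of the document, or the proofs could use `\prone` consistently.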


@@ -62,31 +62,28 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\begin{multicols}{3} \begin{multicols}{3}
\scriptsize \scriptsize
\begin{algorithmic}[1] \begin{algorithmic}[1]
\Procedure{KeyGen}{} \Statex \underline{\textbf{\keygen}}
\State $k \randomsample \{0,1\}^b$ \State $k \randomsample \{0,1\}^b$
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$ \State $A \assign sB$
\State \Return (\encoded{$A$}, $k$) \State \Return (\encoded{$A$}, $k$)
\EndProcedure
\end{algorithmic} \end{algorithmic}
\columnbreak \columnbreak
\begin{algorithmic}[1] \begin{algorithmic}[1]
\Procedure{Sign}{$k$, $m$} \Statex \underline{\textbf{\sign}($k$, $m$)}
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | b_{2b-1} | m)$ \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$ \State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$ \State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State \Return $\sigma \assign (\encoded{R}, S)$ \State \Return $\sigma \assign (\encoded{R}, S)$
\EndProcedure
\end{algorithmic} \end{algorithmic}
\columnbreak \columnbreak
\begin{algorithmic}[1] \begin{algorithmic}[1]
\Procedure{Verify}{$\encoded{A}, \sigma \assign (\encoded{R}, S), m$} \Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)}
\State \Return $2^c SB \\= 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$ \State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
\EndProcedure
\end{algorithmic} \end{algorithmic}
\end{multicols} \end{multicols}
\hrule \hrule
@@ -96,4 +93,147 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\subsection{Replacing Hash Function Calls} \subsection{Replacing Hash Function Calls}
To make working with the random oracle easier in the following proofs some calls to the hash function are being replaced with calls to a pseudo random generator and a pseudo random function. After that it will be shown that the advantage winning the \cma game of both versions of the signature scheme is roughly the same. To make working with the random oracle easier in the following proofs a variant of the EdDSA signature scheme is introduced which has some calls to the random oracle replaced by directly sampling a value uniformly at random or using a random function. After that it will be shown that the advantage winning the \cma game in both versions of the signature scheme is roughly the same.
\paragraph{\underline{Introducing EdDSA'}}
The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The difference to the original EdDSA signature scheme is that the value $h$ is sampled uniformly at random from $\{0,1\}^{2b}$ and $r'$ is the result of a call to random function instead of the hash function.
\begin{figure}
\hrule
\begin{multicols}{3}
\scriptsize
\begin{algorithmic}[1]
\Statex \underline{\textbf{\keygen}}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State \Return (\encoded{$A$}, $k \assign (s, h_b | ... | h_{2b-1})$)
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\textbf{\sign}($k \assign (s, h_b | ... | h_{2b-1})$, $m$)}
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)}
\State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Generic description of the algorithms \keygen, \sign and \verify used by the EdDSA' signature scheme}
\label{fig:eddsa'}
\end{figure}
\begin{theorem}
\label{theorem:adveddsa'}
% TODO: Was soll ich hier schreiben?
TODO. Then
%TODO: richtigre Richtung?
\[ \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\oraclequeries}{2^b} \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
The different games used in the proof are depicted in figure \ref{fig:eddsa'games}. The proof uses the random oracle model. The main idea that the values $h$ and $r_i$ look uniformly random to the adversary if he never queries the random oracle with $k$ or a value starting with $h_b | ... | h_{2b-1}$. Therefor those calls to the random oracle can be replaced with the sampling of truly random values.
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
\State $k \randomsample \{0,1\}^b$
\BeginBox[fill=lightgray]
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\EndBox
\BeginBox[draw=blue,fill=cyan]
\State $\textbf{if } \sum[k] = \bot \textbf{ then}$
\State \quad $\sum[k] \randomsample \{0,1\}^{2b}$
\State $(h_0, h_1, ..., h_{2b-1}) \assign \sum[k]$
\EndBox
\BeginBox[draw=orange]
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\EndBox
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
\State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($m \in \messagespace$)}
\BeginBox[fill=lightgray]
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\EndBox
\BeginBox[draw=blue,fill=cyan]
\State $\textbf{if } \sum[h_b | ... | h_{2b-1} | m] = \bot \textbf{ then}$
\State \quad $\sum[h_b | ... | h_{2b-1} | m] \randomsample \{0,1\}^{2b}$
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign \sum[h_b | ... | h_{2b-1} | m]$
\EndBox
\BeginBox[draw=orange]
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | m)$
\EndBox
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod l$
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\BeginBox[draw=blue]
\State $\textbf{if } m = k \textbf{ then}$
\State \quad $bad_1 \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\EndBox
\State $\textbf{if } m \text{ starts with } h_b|...|h_{2b-1} \textbf{ then}$
\State \quad $bad_2 \assign true$
\BeginBox[draw=green,dashed]
\State \quad $abort$
\EndBox
\EndBox
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Game $G_0 - G_4$}
\label{fig:eddsa'games}
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the grey filled ones and $G_0$ be $\cma_{EdDSA}$. By definition,
\[ \advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\cma^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the grey filled boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad_1] \leq \frac{\oraclequeries}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\oraclequeries}{2^b} \].
\item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad_2] \leq \frac{\oraclequeries}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\oraclequeries}{2^b} \].
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue filled boxes with the orange boxes. With this change the \cma game parameterized with the EdDSA' game is obtained. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefor an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) \].
\item This proves theorem \ref{theorem:adveddsa'}.
\end{proof}
%TODO: Das kann man sicherlich schöner formulieren
In the following proofs when referring to the EdDSA signature scheme actually the EdDSA' signature scheme is used to make the proof more staight forward. In the end when calculating the loss due to the reduction the loss introduced by the EdDSA' signature scheme will be included.
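Review bot: The inequality in the new theorem statement (the display after `TODO. Then`) points the wrong way relative to what the proof below establishes: the hops give $G_0 = G_1$, $|\Pr[G_1]-\Pr[G_2]| \leq \oraclequeries/2^b$, $|\Pr[G_2]-\Pr[G_3]| \leq \oraclequeries/2^b$ and $G_3 = G_4$, hence $|\mathrm{Adv}_{\mathrm{EdDSA}} - \mathrm{Adv}_{\mathrm{EdDSA'}}| \leq 2\oraclequeries/2^b$, i.e. `\advantage{\textbf{EdDSA},\adversary{A}}{\cma}(k) \leq \advantage{\textbf{EdDSA'},\adversary{A}}{\cma}(k) + \frac{2\oraclequeries}{2^b}` rather than the stated `\leq \ldots - \ldots`, which is what the `richtigre Richtung?` TODO seems to be asking. The theorem text itself is still the placeholder `TODO. Then`, so the hypotheses the proof uses (random oracle model, $\oraclequeries$ as the number of $H$ queries) are not yet stated. The $G_3$ step says the adversary has no information on $h$, but $A = sB$ does depend on the bits $h_c, \ldots, h_{n-1}$; the argument only needs that the prefix $h_b | \ldots | h_{2b-1}$ tested by $bad_2$ is disjoint from the bits feeding $s$, which holds if $n \leq b$ (presumably the case for the parameters used) and is worth stating explicitly. Smaller things in the same hunk: `expect` for `except` in the $G_0$ paragraph, `=` instead of `\assign` in the orange box of the sign oracle, and `\sum[k]` for the lazily-sampled table typesets the summation operator with operator spacing, where `\Sigma[k]` or a dedicated macro is probably what is meant.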


@@ -78,14 +78,13 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\begin{proof} \begin{proof}
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be \igame. By definition, \item \paragraph{\underline{$G_0$:}} Let $G_0$ be \igame. By definition,
% TODO: Hier Sicherheitsparameter?
\[ \advantage{\group{G},\adversary{A}}{\igame}(k) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \]. \[ \advantage{\group{G},\adversary{A}}{\igame}(k) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c \ch_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence, \item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c \ch_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \]. \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $\ch_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $\ch_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $\ch_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\ch_i$ has to be concidert, which takes this into account. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have \item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. 
$\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $\ch_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $\ch_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $\ch_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\ch_i$ has to be concidert, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
% TODO: Müsste das nicht floor statt ceil sein? % TODO: Müsste das nicht floor statt ceil sein?
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]. \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
@@ -137,5 +136,5 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$. Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$.
\item This proves Theorem \ref{theorem:advgamez}. \item This proves theorem \ref{theorem:advgamez}.
\end{proof} \end{proof}
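Review bot: The per-query bound in the $G_2$ paragraph, `\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}`, is written out three times in this hunk and simplifies, since $2^{-\log_2 x} = 1/x$, to just $\lceil \frac{2^{2b}-1}{L} \rceil 2^{-2b}$. A preamble macro along the lines of `\newcommand{\chprob}{\lceil \frac{2^{2b}-1}{L} \rceil 2^{-2b}}` would keep the occurrences in sync and turn the still-open `floor statt ceil` TODO into a one-place change. The split paragraph also carries `module` for `modulo`, `concidert` for `considered`, `triggert` for `triggered`, and `min\{2^{2b}, L\}` in math, where `\min\{2^{2b}, L\}` gives the upright operator.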