Included Henrik's annotations up to chapter 4, thanks Henrik
@@ -2,9 +2,9 @@
\subsection{Code-based reduction proofs}
To perform the security proof of the EdDSA signature scheme code based game playing proofs are used as introduced in \cite{EC:BelRog06}. For this proofs an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output from the adversary. The game then decides, depending on the output of the adversary, whether the adversary won or not. In addition the adversary might get oracle access to one or more procedures, meaning that the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The advantage of the adversary in a game describes its ability to win the game more reliably than using generic attacks (e.g. guessing the answer to the game).
To perform the security proof of the EdDSA signature scheme, code-based game playing proofs are used as introduced in \cite{EC:BelRog06}. In these proofs, an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output back from it. The game then decides, depending on the output of the adversary, whether it has won or not. In addition the adversary might get oracle access to one or more procedures, meaning that the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The adversaries's advantage in a game is the adversaries's ability to win the game more reliably than through the use of generic attacks (e.g. guessing the answer to the game).
During the proof these games are being modified until an adversary against the modified game can also be used as an adversary against another game. This method is called a reduction proof. It shows that one problem (described by one game) can be reduced to another problem. In other words it says that if problem A can be reduced onto problem B any algorithm solving problem A can be transformed into an algorithm solving problem B.
During the proof ,these games are being modified until an adversary against the modified game can also be used as an adversary against another game. This method is called a reduction proof. It shows that one problem (described by one game) can be reduced to another problem. In other words, it says that if problem A can be reduced onto problem B, any algorithm solving problem A can be transformed into an algorithm solving problem B.
\subsubsection{Identical-Until-Bad Games}
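Review bot: the rewritten first paragraph introduces a new typo, "adversaries's" (twice in the last sentence); the singular possessive is "adversary's", so "The adversary's advantage in a game is its ability to win the game more reliably than ...". In the second paragraph the comma in "During the proof ,these games" sits on the wrong side of the space and should read "During the proof, these games". Two pre-existing points worth fixing in the same pass: "reduced onto problem B" should be "reduced to problem B", and the final sentence maps an algorithm for A to an algorithm for B, which matches the reduction-proof usage of the preceding sentence (an adversary against one game yields an adversary against another) but is the reverse of the complexity-theoretic convention for "A reduces to B"; stating the direction explicitly ("an adversary that wins game A can be transformed into one that wins game B") would avoid the ambiguity.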
@@ -48,7 +48,7 @@ Especially the programmability of the random oracle will be used in the followin
\subsection{Algebraic Group Model (AGM)}
The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model, all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an oracle parameter. For example, if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs the group element $\groupelement{C}$ and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$.
The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model, all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an oracle parameter. For example, if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs, the group element $\groupelement{C}$, and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$.
\subsection{Generic Group Model (GGM)}
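Review bot: the comma added after $\groupelement{C}$ in the last sentence splits a compound subject ("the group element $\groupelement{C}$, and its representation ... is denoted"); drop that comma and, since the subject is plural, use "are denoted": "For the game proofs, the group element $\groupelement{C}$ and its representation $\overset{\rightharpoonup}{c}$ are denoted as $\agmgroupelement{C}{c}$." The comma added after "For the game proofs" is fine. While in this paragraph, the unchanged phrase "a representation for each group element regarding all group elements the adversary received from the challenger" would read more directly as "a representation of each group element in terms of the group elements it received from the challenger".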
@@ -56,4 +56,4 @@ Unlike the random oracle model or the algebraic group model the generic group mo
The generic group model was first introduced by Shoup in 1997 \cite{EC:Shoup97}. In this paper, Shoup proved an information-theoretic lower bound for the discrete logarithm problem. He did that by replacing group elements with labels that are random bit strings. In this way he hid all group-specific representations of the elements. Group actions are only possible via oracles, which are provided to the adversary by the challenger. The only action the adversary can perform on its own is to compare elements for equality by comparing labels.
In 2005, Maurer proposed an alternative proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup.
In 2005, Maurer proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup.
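Review bot: the duplicated "proposed an alternative" is correctly removed and the sentence now reads cleanly. In the unchanged context paragraph above, "Group actions are only possible via oracles" would be clearer as "Group operations are only possible via oracles": "group action" has a distinct meaning in algebra, and the sentence is about applying the group law to labelled elements, which is exactly what the challenger's oracles provide in Shoup's model.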