From cf19ceb0fe473a50112b4b6c833f1fc0ce8d08c3 Mon Sep 17 00:00:00 2001 From: Aaron Kaiser Date: Sun, 30 Apr 2023 13:51:54 +0200 Subject: [PATCH] Formalized schmemes --- thesis/Abschlussarbeit.tex | 2 +- .../mu-uf-nma_implies_mu-suf-cma.tex | 4 +- .../omdl'_implies_mu-gamez.tex | 4 +- thesis/sections/notation.tex | 11 ++ thesis/sections/security_notions.tex | 114 ++++++++++++++---- 5 files changed, 106 insertions(+), 29 deletions(-) create mode 100644 thesis/sections/notation.tex diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex index 6c9a193..bebbeaf 100644 --- a/thesis/Abschlussarbeit.tex +++ b/thesis/Abschlussarbeit.tex @@ -107,7 +107,7 @@ TODO \newpage \section{Related Work} -\section{Notation} +\input{sections/notation} \section{Preliminaries} diff --git a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex index 698692b..e33f660 100644 --- a/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex +++ b/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex 
@@ -143,14 +143,14 @@ Again the programmability of the random oracle together with the \simalg algorit To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. - Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. For the signature to be valid in the \cma game the signature for this message and public key must have not been queried via the \Osign oracle. Therefore the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by adversary $\adversary{B}$ but was forwarded from the MU-UF-NMA challenger. Meaning $H'(\encoded{R}|\encoded{A_i}|m) = H(\encoded{R}|\encoded{A_i}|m)$. Hence, + Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. For the signature to be valid in the MU-\cma game the signature for this message and public key must not been queried via the \Osign oracle. Therefore the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by adversary $\adversary{B}$ but was forwarded from the MU-UF-NMA challenger. Meaning $H'(\encoded{R}|\encoded{A_i}|m) = H(\encoded{R}|\encoded{A_i}|m)$. 
Hence, \begin{align*} 2^c S \groupelement{B} &= 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i} \\ \Leftrightarrow 2^c S \groupelement{B} &= 2^c R + 2^c H(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i} \end{align*} - Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also valid for the MU-UF-NMA challenger. + Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-UF-NMA challenger. \item This proves theorem \ref{theorem:adv_mu-uf-nma}. \end{proof} \ No newline at end of file diff --git a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex index 0950f38..948f633 100644 --- a/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex +++ b/thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex 
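Review bot: The freshness argument in the rewritten sentence is still too weak for strong unforgeability: the MU-SUF-CMA game on this page only requires $(\pubkey_i, \m^*, \signature^*) \notin M$, so $\adversary{A}$ may well have queried \Osign on $(i, \m^*)$ and reuse the returned $\encoded{R}$, in which case $H'(\encoded{R}|\encoded{A_i}|\m^*)$ was programmed by $\adversary{B}$ rather than forwarded from the challenger. That case needs a sentence of its own: with the same $R$, key and programmed hash value the verification equation gives $2^c S \groupelement{B} = 2^c S' \groupelement{B}$, hence $S \equiv S' \pmod L$, so presumably (if the scheme rejects $S \geq L$) $\signature^*$ coincides with the oracle's signature and is no fresh forgery — but that should be stated, not left to the reader. Also fix the grammar, `must not have been queried`, and use $\m^*$ consistently instead of bare $m$ in the hash inputs. The enclosing proof begins before this hunk.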
@@ -2,7 +2,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof. -\paragraph{\underline{Introducing \sdlog}} Similar to \sdlog being a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only difference to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} is that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ which represents all valid secret scalars regarding the key generation algorithm. A lower bound on the hardness of the \sdlog problem is further analyzed in section \ref{sec:somdl}. The \somdl game is depicted in figure \ref{fig:somdl}. +\paragraph{\underline{Introducing \somdl}} Similar to \sdlog being a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only difference to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} is that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ which represents all valid secret scalars regarding the key generation algorithm. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is depicted in figure \ref{fig:somdl}. \begin{definition}[\somdl] Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$ we define its advantage in the \somdl game as following: 
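Review bot: The scalar set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ is only right if $n$ denotes the bit length of the clamped scalar; under the RFC 8032 convention, where bit $n$ is the one that is set ($n = 254$ for Ed25519), the clamped scalars are $\{2^{n}, 2^{n} + 8, \dots, 2^{n+1} - 8\}$. Since this paragraph now defines the problem the later reduction appears to rest on, state which convention $n$ follows right here, e.g. `with $n$ the bit length of the secret scalar, so that $2^{n-1} \leq a < 2^{n}$`. Minor: `Let $n$ and $N$ be positive integers`, and `\dots` instead of `...` in math mode.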
@@ -116,7 +116,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
  \Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
  \State \quad $r_b \assign r_b + r_{j+1} a_j$
  \State $a_i \assign (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}$
- \Comment{$\groupelement{R} = r_b \groupelement{B} + r_i \groupelement{A_i}$}
+ \Comment{$\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$}
  \State \Return $(a_1, a_2, ..., a_N)$
  \end{algorithmic}
  \vspace{2mm}
diff --git a/thesis/sections/notation.tex b/thesis/sections/notation.tex
new file mode 100644
index 0000000..9380c56
--- /dev/null
+++ b/thesis/sections/notation.tex
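Review bot: The corrected comment now disagrees with the extraction line right above it: with $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$ and the verification equation $2^c S \groupelement{B} = 2^c \groupelement{R^*} + 2^c \ch^* \groupelement{A_i}$ used elsewhere in this patch, solving for $a_i$ gives $a_i = (s^* - r_b)(r_i + \ch^*)^{-1} \bmod L$ (the $2^c$ cancels because $L$ is prime), whereas `(2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}` is only correct if $(r_b, r_i)$ are the coefficients of $2^c \groupelement{R^*}$. Either the comment or the formula should change; if the accumulation of $r_b$ outside this hunk already folds in the factor $2^c$, say so in the comment. Independently, the inversion is undefined when $r_i + 2^c \ch^* \equiv 0 \pmod L$, so unless it is handled outside the hunk the reduction should abort there, `\If{$r_i + 2^c \ch^* \equiv 0 \pmod L$} \State \Return $\bot$ \EndIf`, and the proof should charge that event to the challenge being chosen after $r_i$ is fixed. The algorithmic environment starts before this hunk.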
@@ -0,0 +1,11 @@
+\section{Notation}
+
+\subsection{General Notation}
+
+For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from an non-empty set $A$ uniformly at random. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if there exists a $N \in \mathbb{N}$ for all polynomials $p$ so that $\forall n \geq N: f(n) < \frac{1}{p(n)}$. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ and uniformly random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. The main procedure runs and adversary $\adversary{A}$ given some inputs and access to the oracle procedures and getting some output from the adversary $\adversary{A}$. Based on the output of the adversary $\adversary{A}$ and its oracle calls the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game.
+
+\subsection{Algebraic Notation}
+
+A group description is denoted as a tuple $\mathbf{G} = (L, \mathbb{G}, \groupelement{B})$ with $\mathbb{G}$ being a cyclic group of prime order $L$ generated by group element $\groupelement{B}$. The group uses additive notation for its group law and group elements are denoted by uppercase letters. It is assumed that there exists a group generation algorithm that, upon inputting $1^\secparamter$, outputs a group description $\mathbf{G}$ with $L$ being $\secparamter$ bits in length.
+
+\subsection{Game Notation}
\ No newline at end of file
diff --git a/thesis/sections/security_notions.tex b/thesis/sections/security_notions.tex
index f142f9c..2335583 100644
--- a/thesis/sections/security_notions.tex
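Review bot: The definition of negligible has its quantifiers in the wrong order: `there exists a $N \in \mathbb{N}$ for all polynomials $p$` makes $N$ independent of $p$, and under that reading not even $2^{-n}$ is negligible (for a fixed $N$ take $p(n) = n^{N}$). It should read `for every positive polynomial $p$ there exists $N \in \mathbb{N}$ such that $f(n) < \frac{1}{p(n)}$ for all $n \geq N$`. The group description also fixes $\mathbb{G}$ as cyclic of prime order $L$, yet the verification equations elsewhere in this patch multiply by $2^c$, which only has any effect in a group of order $2^c L$ — say where decoded points live (presumably the full curve group, with $\groupelement{B}$ generating its order-$L$ subgroup), because that is what gives the cofactor check meaning. Wording: `residue class ring`, `a non-empty set`, `runs an adversary`, and `$n$` in math mode; the `Game Notation` subsection is left empty and the file has no trailing newline.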
+++ b/thesis/sections/security_notions.tex 
@@ -1,8 +1,77 @@
-\subsection{Security Notions}
+\subsection{Identical-Until-Bad Games}
 
-\subsubsection{Identical-Until-Bad Games}
+\subsection{Canonical Identification Scheme}
 
-\subsubsection{Digital Signature Scheme}
+A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a protocol between two parties. The prover tries to proof the knowledge of a secret key to the verfier which only knows the public key. This is achieved by exchanging three messages between the two parties. At first the prover starts the protocol by sending a commitment $R$ to the verifier. The verifer answers with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, challenge and its secret key to calculate a response $s$. The verifier then can use the commitment, challenge and response together with the public key of the prover to verify the response and thereby whether the prover is actually in the possession of the private key.
+
+\begin{definition}[CID]
+ A canonical identification scheme $\text{CID} = (\keygen, P, V)$ is a tuple of algorithms.
+
+ \begin{itemize}[label={}]
+ \item \textbf{\keygen}: The key generation algorithm, which upon receiving the schema parameter as an input outputs a matching tuple of public and private key.
+ \item \textbf{P}: A set of two algorithms $P_1$ and $P_2$. $P_1$ receives the private key as input and outputs a set containing the commitment and a state. $P_2$ receives as input the secret key, the commitment, the challenge and the state and outputs the response.
+ \item \textbf{V}: V is the verification algorithm which upon receiving the public key, the commitment, the challenge and the response outputs a bit representing whether the response is valid for the set of parameters.
+ \end{itemize}
+
+ For the canonical identification scheme to be correct it is required that $\forall (\pubkey, \privkey) \in \keygen(par), (R, st) \in P_1(\privkey), \ch \in \textbf{CHSet}, s \in P_2(\privkey, R, \ch, st): V(\pubkey, R, \ch, s) = 1$.
+\end{definition}
+
+\subsubsection{IMP-PA}
+
+On security notion for a canonical identification scheme is the impersonation security against passive attackers (IMP-PA). For this security notion the adversary is tasked with impersonating the prover by outputting a valid solution $s$ for a randomly chosen challenge $\ch$ but allowing to request an arbitrary amount of valid transcripts from the challenger. The accompanying game is depicted in figure \ref{game:imp-pa}.
+
+\begin{figure}[h]
+ \hrule
+ \begin{multicols}{2}
+ \normalsize
+ \begin{algorithmic}[1]
+ \Statex \underline{\game $\text{IMP-PA}$}
+ \State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
+ \State $s^* \randomassign \adversary{A}^{Tran, Ch(\inp)}(\pubkey)$
+ \State \Return $\exists (R^*, \ch^*) \in Q: V(\pubkey, R^*, \ch^*, s^*) \test 1$
+ \end{algorithmic}
+ \columnbreak
+ \begin{algorithmic}[1]
+ \Statex \underline{\oracle Ch($R^*$)}
+ \Comment{one query}
+ \State $\ch^* \randomassign \textbf{CHSet}$
+ \State $Q \assign \{(R^*, \ch^*)\}$
+ \State \Return $\ch^*$
+ \end{algorithmic}
+ \end{multicols}
+ \begin{algorithmic}[1]
+ \Statex \underline{\oracle Tran}
+ \State $(R, st) \randomassign P_1(\privkey)$
+ \State $\ch \randomsample \textbf{CHSet}$
+ \State $s \assign P_2(\privkey, R, \ch, st)$
+ \State \Return $(R, \ch, s)$
+ \end{algorithmic}
+ \hrule
+ \caption{IMP-PA Security Game}
+ \label{game:imp-pa}
+\end{figure}
+
+\begin{definition}[IMP-PA]
+ Let $\text{CID} = (\keygen, P, V)$ be a canonical signature scheme. \textit{CID} is IMP-PA secure if for all ppt adversaries $\adversary{A}$ $\advantage{\textit{CID},\adversary{A}}{\text{IMP-PA}}(\secparamter)$ is negligible in $\secparamter$.
+
+ \[ \advantage{\textit{CID},\adversary{A}}{\text{IMP-PA}}(\secparamter) \assign \prone{\text{IMP-PA}^{\adversary{A}}} \leq \epsilon \]
+\end{definition}
+
+\subsection{Digital Signature Scheme}
+
+A digital signature scheme is a method to ensure the authenticity of data. The signer, which is in the possession of a private key, generates a signature for specific message. The verifier then is able to verify the authenticity of this data using the public key and the generated signature.
+
+\begin{definition}
+ A digital signature scheme SIG = (\keygen,\sign,\verify) is a tuple of algorithms.
+
+ \begin{itemize}[label={}]
+ \item \textbf{\keygen}: The key generation algorithm, which upon receiving the schema parameter as input outputs a matching tuple of public and private key.
+ \item \textbf{\sign}: The signature algorithm, which upon receiving the secret key and the message outputs a signature for that message.
+ \item \textbf{\verify}: The verification algorithm, which upon receiving the public key, the message and the signature decides whether the signature is valid for the specific set of input parameters.
+ \end{itemize}
+
+ For the digital signature scheme to be correct it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$
+\end{definition}
 
 \subsubsection{\cma}
 
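Review bot: In the IMP-PA game the set $Q$ is read in the return statement but never initialised; if $\adversary{A}$ never calls Ch it is undefined, so add `\State $Q \assign \emptyset$` before the adversary is run (the same holds for $M$ in the MU-SUF-CMA game further down this file). The challenge in Ch is drawn with `\randomassign` while Tran uses `\randomsample`; per the new notation section `\randomsample` denotes sampling from a set, so Ch should use it too. The correctness conditions write `\keygen(par)` whereas both games call `\keygen(1^\secparamter)`; pick one. Wording: `canonical signature scheme` in the IMP-PA definition should be `canonical identification scheme`, `One security notion`, `tries to prove`, `verifier` (twice), and $P_1$ outputs a pair, not a set.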
@@ -66,33 +135,30 @@ Unforgeability against No Message Attack (UF-NMA) is a security notion for digit MU-SUF-CMA is the multi-user variant of the SUF-CMA security notion. Instead of one public key the attacker gets $n$ public keys and is able to query signatures for arbitrary messages for any of the public keys. The goal of the adversary is to forge a signature for any of the public keys. The game is depicted in figure \ref{game:mu-suf-cma}. -%TODO: Parameter in definition (e.g. n-MU_SUF-CMA) \begin{definition}[MU-SUF-CMA] Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $n$ be an integer. $SIG$ is n-MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)$ is negligible in $\secparamter$. \[ \advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \assign \prone{\text{MU-SUF-CMA}^{\adversary{A}}} \leq \epsilon \] \end{definition} -\begin{figure} +\begin{figure}[h] \hrule - \begin{multicols}{2} - \normalsize - \begin{algorithmic}[1] - \Statex \underline{\game $\text{MU-SUF-CMA}$} - \State \textbf{for} $i \in \{1,2,...,n\}$ - \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$ - \State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$ - \State \Return $\exists i \in \{1,2,...,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$ - % TODO: Fix formatation - \end{algorithmic} - \columnbreak - \begin{algorithmic}[1] - \Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)} - \State $\signature \randomassign \sign(\privkey_i, \m)$ - \State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$ - \State \Return $\signature$ - \end{algorithmic} - \end{multicols} + \normalsize + \vspace{1mm} + \begin{algorithmic}[1] + \Statex \underline{\game $\text{MU-SUF-CMA}$} + \State \textbf{for} $i \in \{1,2,...,n\}$ + \State \quad 
$(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$ + \State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$ + \State \Return $\exists i \in \{1,2,...,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$ + \end{algorithmic} + \vspace{2mm} + \begin{algorithmic}[1] + \Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)} + \State $\signature \randomassign \sign(\privkey_i, \m)$ + \State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$ + \State \Return $\signature$ + \end{algorithmic} \hrule \caption{MU-SUF-CMA Security Game} \label{game:mu-suf-cma} @@ -108,7 +174,7 @@ MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of o \[ \advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq \epsilon \] \end{definition} -\begin{figure} +\begin{figure}[h] \hrule \vspace{1mm} \begin{algorithmic}[1]
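Review bot: The adversary's oracle superscript still reads `\sign(\inp, \inp)` while the oracle procedure is named `\Osign` and the reduction text on this page also calls it \Osign; make the game read `\adversary{A}^{\Osign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)`. $M$ is read in the return line but never initialised — add `\State $M \assign \emptyset$` before the loop, otherwise a forgery by an adversary that makes no queries is judged against an undefined set. Style: `\begin{figure}[h]` alone is silently turned into `[ht]` by LaTeX; `[htbp]` (or `[H]` from the float package, if the figure must stay next to its definition) is what is meant here.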