Formalized schmemes

2023-04-30 13:51:54 +02:00
parent 397abfe5fe
commit cf19ceb0fe
5 changed files with 106 additions and 29 deletions

@@ -143,14 +143,14 @@ Again the programmability of the random oracle together with the \simalg algorit
To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. For the signature to be valid in the \cma game the signature for this message and public key must have not been queried via the \Osign oracle. Therefore the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by adversary $\adversary{B}$ but was forwarded from the MU-UF-NMA challenger. Meaning $H'(\encoded{R}|\encoded{A_i}|m) = H(\encoded{R}|\encoded{A_i}|m)$. Hence,
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. For the signature to be valid in the MU-\cma game the signature for this message and public key must not been queried via the \Osign oracle. Therefore the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by adversary $\adversary{B}$ but was forwarded from the MU-UF-NMA challenger. Meaning $H'(\encoded{R}|\encoded{A_i}|m) = H(\encoded{R}|\encoded{A_i}|m)$. Hence,
\begin{align*}
2^c S \groupelement{B} &= 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i} \\
\Leftrightarrow 2^c S \groupelement{B} &= 2^c R + 2^c H(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}
\end{align*}
Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also valid for the MU-UF-NMA challenger.
Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-UF-NMA challenger.
\item This proves theorem \ref{theorem:adv_mu-uf-nma}.
\end{proof}
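Review bot: In the rewritten sentence starting "Finally, consider", the phrase "must not been queried via the \Osign oracle" lost its auxiliary verb and should read "must not have been queried". The same sentence introduces the forgery as $(\m^*, \signature^*)$ but then hashes $m$ and writes a bare $R$ in "2^c R", so $\m^*$ and \groupelement{R} should be used consistently there and in the align* block that follows. In the last changed sentence, a comma after "forwarded from the MU-UF-NMA challenger" would make it easier to read.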

@@ -2,7 +2,7 @@
This section shows that \somdl implies MU-\igame using the Algebraic Group Model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof.
\paragraph{\underline{Introducing \sdlog}} Similar to \sdlog being a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only difference to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} is that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ which represents all valid secret scalars regarding the key generation algorithm. A lower bound on the hardness of the \sdlog problem is further analyzed in section \ref{sec:somdl}. The \somdl game is depicted in figure \ref{fig:somdl}.
\paragraph{\underline{Introducing \somdl}} Similar to \sdlog being a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only difference to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} is that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ which represents all valid secret scalars regarding the key generation algorithm. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is depicted in figure \ref{fig:somdl}.
\begin{definition}[\somdl]
Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$ we define its advantage in the \somdl game as following:
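Review bot: The scalar set in the "Introducing \somdl" paragraph hard-codes the step 8, while the reduction further down in this file writes the cofactor as $2^c$; either write the set as $\{2^{n-1}, 2^{n-1} + 2^c, \ldots, 2^n - 2^c\}$ or state that $c = 3$ is assumed at this point. While touching this line, replace the literal "..." with \ldots, and consider "produced by the key generation algorithm" instead of "regarding the key generation algorithm". The unchanged definition line below it should read "positive integers".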
@@ -116,7 +116,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
\State \quad $r_b \assign r_b + r_{j+1} a_j$
\State $a_i \assign (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}$
\Comment{$\groupelement{R} = r_b \groupelement{B} + r_i \groupelement{A_i}$}
\Comment{$\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$}
\State \Return $(a_1, a_2, ..., a_N)$
\end{algorithmic}
\vspace{2mm}
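Review bot: The line "a_i \assign (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1}" inverts $r_i + 2^c \ch^*$, and nothing in the lines shown covers the case where that value is zero modulo the group order; if this is not handled earlier in the algorithm, add an explicit abort branch and account for its probability in the bound. The renamed comment gives the representation as $r_b \groupelement{B} + r_i \groupelement{A_i}$, but the loop above folds in $r_{j+1} a_j$ for $\groupelement{A_j}$, so please confirm whether the coefficient of $\groupelement{A_i}$ is $r_i$ or $r_{i+1}$ and make the two agree. The representation comment would also read better placed before the assignment that relies on it.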