Fixed security parameter
@@ -115,45 +115,7 @@ TODO
\subsection{Edwards Curves}

\subsection{Security Notions}

\subsubsection{Identical-until-bad Games}

\subsubsection{Digital Signature Scheme}



\subsubsection{\cma}

\cma is a security notion for digital signature schemes. In this game the attacker is given access to a \Osign oracle, which generates valid signatures for arbitrary messages. The attacker wins the game if he is able to provide a message signature pair which is valid and was not generated by the \Osign oracle. The security game is depicted in figure \ref{game:cma}.

Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \cma secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\cma}(k)$ is negligible in $\secparamter$.

\[ \advantage{SIG,\adversary{A}}{\cma}(\secparamter) \assign \prone{\cma^{\adversary{A}}} \leq \epsilon \]

\begin{figure}
\hrule
\begin{multicols}{2}
\normalsize
\begin{algorithmic}[1]
\State \underline{\game \cma}
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
\State \Return $\verify(\pubkey, \m^*, \signature^*) = 1 \wedge (\m^*, \signature^*) \notin M$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{Sign}{$\m$}
\State $\signature \randomassign \sign(\privkey, \m)$
\State $M \assign M \cup \{(\m, \signature)\}$
\State \Return $\signature$
\EndProcedure
\end{algorithmic}
\end{multicols}
\hrule
\caption{\cma Security Game}
\label{game:cma}
\end{figure}
\include{sections/security_notions}

\subsection{Random Oracle Model (ROM)}
||||
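Review bot: the added `\include{sections/security_notions}` line forces a `\clearpage` before and after the included file, so the Security Notions subsection will open on a fresh page in the middle of the chapter; `\input{sections/security_notions}` is the right primitive for a subsection-level file, `\include` is meant for whole chapters. Since this commit touches every occurrence of the security-parameter macro anyway, it is also the moment to rename `\secparamter` (missing the second `e`) to `\secparameter` rather than standardizing on the typo.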
@@ -136,7 +136,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
TODO. Then

%TODO: richtigre Richtung?
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(k) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) - \frac{2\hashqueries}{2^b} \]
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2\hashqueries}{2^b} \]
\end{theorem}

\paragraph{\underline{Proof Overview}}
||||
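Review bot: the loss term on the replaced bound has the wrong sign, which answers the `%TODO: richtigre Richtung?` ("correct direction?") comment above it. An identical-until-bad hop gives |Pr[G_i] - Pr[G_{i+1}]| <= Pr[bad], so summing over the hops from G_0 = CMA_EdDSA to G_4 = CMA_EdDSA' yields `\advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) + \frac{2\hashqueries}{2^b}`. With the subtraction the right-hand side is negative whenever the EdDSA advantage is below 2q_H/2^b, and a nonnegative advantage cannot be bounded by a negative number. The `TODO. Then` placeholder in the leading context is also still unresolved.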
@@ -214,7 +214,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\begin{proof}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:eddsa'games} by excluding all boxes expect the grey filled ones and $G_0$ be $\cma_{\text{EdDSA}}$. By definition,

\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\cma_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].

\item \paragraph{\underline{$G_1:$}} Let $G_1$ be defined by additionally including all blue boxes and excluding the grey filled boxes. This change inlines calls to the random oracle and introduces to if conditions in the random oracle which are setting a bad flag if the condition is triggert. Since the behavior of the game does not change the changes are conceptual and the probability of winning the game is not affected. Hence,
||||
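Review bot: the replaced display ends in `\].`, which sets the full stop outside the display as a stray character at the start of the next paragraph; put it inside the math (`\Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]`) or drop it. The same pattern is on every advantage display in this commit. In the surrounding context lines, `expect the grey filled ones` should be `except`, `introduces to if conditions` should be `two`, and `triggert` should be `triggered`; worth fixing while the file is open.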
@@ -231,7 +231,7 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
%TODO: Signatur von RF genauer beschreiben?
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue filled boxes with the orange boxes. With this change the \cma game parameterized with the EdDSA' game is obtained. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefor an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,

\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(k) \].
\[ \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \Pr[G_4^{\adversary{A}} \Rightarrow 1] = \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \].

\item This proves theorem \ref{theorem:adveddsa'}.
\end{proof}
||||
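Review bot: the G_4 justification in the context line ("the adversary is not able to query the random oracle with the inputs used for those calls") is exactly the event the bad flags from G_1 guard, so a one-line back-reference to the games that bound those flags would make the "only conceptual" claim self-contained. Smaller points in the same lines: `parameterized with the EdDSA' game` should read `EdDSA' scheme`, `Therefor` / `can not` should be `Therefore` / `cannot`, the replaced display again ends in `\].`, and the German `%TODO: Signatur von RF genauer beschreiben?` ("describe the signature of RF more precisely?") is still open.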
39
thesis/sections/security_notions.tex
Normal file
@@ -0,0 +1,39 @@
\subsection{Security Notions}

\subsubsection{Identical-until-bad Games}

\subsubsection{Digital Signature Scheme}



\subsubsection{\cma}

\cma is a security notion for digital signature schemes. In this game the attacker is given access to a \Osign oracle, which generates valid signatures for arbitrary messages. The attacker wins the game if he is able to provide a message signature pair which is valid and was not generated by the \Osign oracle. The security game is depicted in figure \ref{game:cma}.

Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \cma secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\cma}(\secparamter)$ is negligible in $\secparamter$.

\[ \advantage{SIG,\adversary{A}}{\cma}(\secparamter) \assign \prone{\cma^{\adversary{A}}} \leq \epsilon \]

\begin{figure}
\hrule
\begin{multicols}{2}
\normalsize
\begin{algorithmic}[1]
\State \underline{\game \cma}
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
\State \Return $\verify(\pubkey, \m^*, \signature^*) = 1 \wedge (\m^*, \signature^*) \notin M$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Procedure{Sign}{$\m$}
\State $\signature \randomassign \sign(\privkey, \m)$
\State $M \assign M \cup \{(\m, \signature)\}$
\State \Return $\signature$
\EndProcedure
\end{algorithmic}
\end{multicols}
\hrule
\caption{\cma Security Game}
\label{game:cma}
\end{figure}
||||
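Review bot: in the \cma game of the new file the set M is tested in the winning condition (`(\m^*, \signature^*) \notin M`) and extended in `Sign`, but never initialised; add `\State $M \assign \emptyset$` right after key generation, otherwise the game is not well defined. The advantage display mixes definition and bound: `\assign \prone{\cma^{\adversary{A}}} \leq \epsilon` both defines the advantage and asserts a bound in one formula, while the sentence above already states the bound as "negligible in \secparamter"; drop `\leq \epsilon`. The oracle is written `\adversary{A}^{\sign(\inp)}` in the game, `Sign` in the procedure and `\Osign` in the prose; pick one name. Since M stores message-signature pairs this is the strong unforgeability game, consistent with the `suf-cma` figure labels used elsewhere, so the `\cma` macro should expand to SUF-CMA. The `Identical-until-bad Games` and `Digital Signature Scheme` subsubsections are still empty.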
@@ -11,7 +11,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
\begin{definition}[\sdlog]
For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as following:

\[ \advantage{\adversary{A}}{\sdlog}(k) \assign | \Pr[\sdlog^{\adversary{A}} \Rightarrow 1] | \].
\[ \advantage{\adversary{A}}{\sdlog}(\secparamter) \assign | \Pr[\sdlog^{\adversary{A}} \Rightarrow 1] | \].
\end{definition}
||||
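Review bot: the absolute value in the replaced definition, `| \Pr[\sdlog^{\adversary{A}} \Rightarrow 1] |`, is redundant because a probability is already nonnegative; absolute values belong in distinguishing advantages of the form |Pr[...] - 1/2|. The trailing `\].` also places the period outside the display.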
@@ -34,7 +34,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
\label{theorem:advgamez}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then

\[ \advantage{\group{G},\adversary{A}}{\igame}(k) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(k) - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\end{theorem}

\paragraph{\underline{Proof Overview}}
||||
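Review bot: the replaced bound subtracts the loss term, but the game hops in the proof bound the advantage of A by that of B plus the probability of the bad event, so it should be `+`. `\adversary{B}` also appears on the right-hand side without being introduced; the statement should say that there exists an adversary B against \sdlog, running in about the time of A, such that the bound holds. Finally, `\frac{\oraclequeries}{2^{-\log_2(x)}}` is just q_O times x, so writing the term as `\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}` is clearer and shows what is being charged: the number of oracle queries times the maximum probability of any single residue when a uniform 2b-bit value is reduced modulo L.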
@@ -97,7 +97,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:igamewithabort} by excluding all boxes and $G_0$ be \igame. By definition,

\[ \advantage{\group{G},\adversary{A}}{\igame}(k) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].

\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c \ch_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence,
||||
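Review bot: the G_1 context line states the bad condition `$2^c \ch_i = -r_2$` without saying where r_2 is defined; a pointer to the line of figure `fig:igamewithabort` that samples it would let a reader check why this is exactly the case in which A's answer cannot be turned into the discrete logarithm. The replaced display again ends in `\].`.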
@@ -111,7 +111,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying

\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(k) \label{eq:advbsdlog}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) \label{eq:advbsdlog}
\end{align}.

\begin{figure}
||||
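Review bot: `\end{align}.` sets the period after the numbered display; put it at the end of the math inside the environment, before `\label{eq:advbsdlog}`. Since this is a single equation, `equation` would do the same job as `align` with less surprise in spacing.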
@@ -7,7 +7,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
\begin{definition}[\igame]
For an adversary $\adversary{A}$ we define its advantage in the \igame game as following:

\[ \advantage{\adversary{A}}{\igame}(k) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] | \].
\[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] | \].
\end{definition}

\begin{figure}
||||
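Review bot: the replaced definition writes the advantage as `\advantage{\adversary{A}}{\igame}`, while the theorem and proof in the earlier hunks write `\advantage{\group{G},\adversary{A}}{\igame}` (and `eq:adv_igame` below uses `\group{G}, \adversary{B}`); keep the group subscript in the definition so the same quantity is typeset the same way everywhere. The absolute value around a single probability is redundant, as in the \sdlog definition.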
@@ -38,7 +38,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
\label{theorem:adv_igame}
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}_{\text{EdDSA}}$. Then,

\[ \advantage{\adversary{A}}{UF-NMA}(k) = \advantage{\adversary{B}}{\igame}(k) \].
\[ \advantage{\adversary{A}}{UF-NMA}(\secparamter) = \advantage{\adversary{B}}{\igame}(\secparamter) \].
\end{theorem}

\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
||||
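Review bot: on the replaced line `\advantage{\adversary{A}}{UF-NMA}` is set in math mode without `\text{}`, so it typesets as italic U F minus N M A; the proof below writes `\text{UF-NMA}`, use that here. The theorem also asserts equality with the advantage of an `\adversary{B}` that is never introduced; state that there exists an adversary B against \igame such that the equality holds, and add the scheme subscript (`\text{EdDSA}`) and the group subscript that the proof's displays use, so the statement and the proof refer to the same quantities.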
@@ -70,12 +70,12 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
\begin{proof}
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}_{\text{EdDSA}}$. By definition,

\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}} = \Pr[\text{UF-NMA}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].

\item $G_0$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying

\begin{align}
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\igame}(k) \label{eq:adv_igame}
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\igame}(\secparamter) \label{eq:adv_igame}
\end{align}.

\begin{figure}
||||
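Review bot: the old G_0 display had no security-parameter argument at all (`\advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}} = ...`), so this hunk fixes an omission rather than a rename; worth a word in the commit message. Still open in the same lines: `\].` and `\end{align}.` both set the period outside the display, and `\group{G}` appears in the \igame advantage here but not in the definition hunk, so the two will not match visually.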
@@ -7,7 +7,7 @@ This section shows that the \cma security of EdDSA signature scheme implies the
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against $\cma_{\text{EdDSA}}$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,

\[ \advantage{\adversary{A}}{\text{\cma}}(k) = \advantage{\adversary{B}}{\text{UF-NMA}}(k) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\[ \advantage{\adversary{A}}{\text{\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\end{theorem}

\paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
||||
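Review bot: the replaced theorem claims equality with a subtracted loss; a reduction through identical-until-bad games yields an inequality with the loss added, i.e. `\advantage{\adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) + \oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}` (the `2^{-\log_2(x)}` denominator is 1/x, so the product form is the same quantity written plainly, and it matches the \igame theorem). `\adversary{B}` is again unquantified, and the statement omits the `\text{EdDSA}` scheme subscript that the proof's G_0 display uses.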
@@ -103,7 +103,7 @@ The proof starts by providing an algorithm which generates correctly distributed
\begin{proof}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the gray filled one and let $G_0$ be $\text{\cma}_{\text{EdDSA}}$. By definition,

\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\text{\cma}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].

\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the gray filled box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence,
||||
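Review bot: the G_1 context line says the bad flag is set "in the case that the hash value is already set", which is the event that the simulated signing oracle wants to program a random-oracle entry the adversary has already queried; naming that explicitly (and which of the q_O signing queries and q_H hash queries can collide) would tie the text to the `\oraclequeries \hashqueries` factor in the theorem. Also `\].` on the replaced display, and `gray` here versus `grey` in the EdDSA' proof; pick one spelling.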
@@ -118,7 +118,7 @@ The proof starts by providing an algorithm which generates correctly distributed
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying

\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(k) \label{eq:adv_uf-nma}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) \label{eq:adv_uf-nma}
\end{align}.

\begin{figure}
||||
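Review bot: the context line introduces "Game $G_3$ is well prepared" but the replaced equation is about `\Pr[G_2^{\adversary{A}} \Rightarrow 1]`; one of the two indices is wrong (the \igame proof uses G_2 in both places). `\end{align}.` again sets the period outside the display.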