rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed security parameter

Browse Source
This commit is contained in:
Aaron Kaiser
2023-04-05 12:38:22 +02:00
parent 2c92ebf8bd
commit d2765beab9
6 changed files with 54 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex
View File

@@ -7,7 +7,7 @@ This section shows that the \cma security of EdDSA signature scheme implies the
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against $\cma_{\text{EdDSA}}$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{\cma}}(k) = \advantage{\adversary{B}}{\text{UF-NMA}}(k) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\[ \advantage{\adversary{A}}{\text{\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\end{theorem}
\paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
@@ -103,7 +103,7 @@ The proof starts by providing an algorithm which generates correctly distributed
\begin{proof}
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the gray filled one and let $G_0$ be $\text{\cma}_{\text{EdDSA}}$. By definition,
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\text{\cma}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the gray filled box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence,
@@ -118,7 +118,7 @@ The proof starts by providing an algorithm which generates correctly distributed
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(k) \label{eq:adv_uf-nma}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) \label{eq:adv_uf-nma}
\end{align}.
\begin{figure}