From ef1610a1e0638da1eb2966fad2726ed4dd85b5b6 Mon Sep 17 00:00:00 2001 From: Aaron Kaiser Date: Mon, 27 Feb 2023 18:30:45 +0100 Subject: [PATCH] Proof Overview for Dlog' => Game Z --- thesis/Abschlussarbeit.tex | 30 ++++++++++++++++++++++++------ thesis/macros.tex | 8 ++++++-- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex index 9462cd8..a741e8d 100644 --- a/thesis/Abschlussarbeit.tex +++ b/thesis/Abschlussarbeit.tex @@ -197,7 +197,7 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw \begin{tabularx}{\textwidth}{@{}lX@{}} \textbf{Parameter} & \textbf{Description} \\ \hline - $q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\field{F}_q$. \\ + $q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\field{q}$. \\ $b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\ $Enc(\inp)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\ $H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\ 
@@ -259,10 +259,10 @@ To make working with the random oracle easier in the following proofs some calls \section{The Security of EdDSA in a Single-User Setting} -This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:dlog'} provides a concrete bound on the security of this version of the DLog problem. +This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:dlog'} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA. % TODO: richtige Richtung? -The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next a intermediate game is introduced onto which the UF-NMA securtiy of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of DLog, which is a result of the special key generation algorithm used by EdDSA. +The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next a intermediate game is introduced onto which the UF-NMA securtiy of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of DLog. The chain of reductions can be depicted as: 
@@ -271,17 +271,35 @@ The chain of reductions can be depicted as: \subsection{UF-NMA $=>$ \cma (ROM)} % TODO: "intuition for the proof" vs. "intuition of the proof"? -This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by providing an intuition for the proof followed by the detailed security proof. +This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof. \paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key. -The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment and challenge. The signature is the tuple of commitment and response. +The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the structure of a canonical identification scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment, challenge and secret key. The signature is the tuple of commitment and response. 
To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the choosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message. \paragraph{Formal Proof} -\subsection{\igame $=>$ UF-NAM} +\subsection{\igame $=>$ UF-NMA (ROM)} + +This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof. + +\subsection{DLog' $=>$ \igame (AGM)} + +This section shows that DLog implies \igame using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof. + +\paragraph{Proof Overview} + +The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Generic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Upon providing a valid solution for the game \igame the reduction also gains following equation $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$. 
Both equations yield: + +\begin{align*} + r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s \groupelement{B} - 2^c c \groupelement{A} \\ + (r_2 + 2^c c)A &= (2^c s - r_1)B \\ + A &= (2^c s - r_1)(r_2 + 2^c c)^{-1} B +\end{align*} + +Assuming that $r_2 + 2^c c$ is invertable in $\field{L}$ (not equal to $0$) we can use both equations to calculate the discrete logarithm of $\groupelement{A}$. To ensure that $r_2 + 2^c c$ is invertable the reduction has to abort if $-r_2$ equals $2^c c$ with $c$ being randomly choosen in the \ioracle oracle. \newpage \section{The Security of EdDSA in a Multi-User Setting} diff --git a/thesis/macros.tex b/thesis/macros.tex index b6a4770..92b0993 100644 --- a/thesis/macros.tex +++ b/thesis/macros.tex @@ -1,7 +1,7 @@ % Games \newcommand{\game}{\textbf{Game} } \newcommand{\inp}{\cdot} -\newcommand{\field}[1]{\mathbb{#1}} +\newcommand{\field}[1]{\mathbb{F}_{#1}} \newcommand{\secparamter}{\lambda} \newcommand{\randomsample}{\overset{{\scriptscriptstyle\$}}{\leftarrow}} \newcommand{\randomassign}{\leftarrow} @@ -11,6 +11,11 @@ \newcommand{\signature}{\sigma} \newcommand{\pubkey}{pk} \newcommand{\privkey}{sk} +\newcommand{\groupelement}[1]{#1} + +% Intermediate Game +\newcommand{\igame}{Game Z } +\newcommand{\ioracle}{Chall } % EdDSA procedures \newcommand{\keygen}{KeyGen } @@ -18,7 +23,6 @@ \newcommand{\verify}{Verify } % Security Notions -\newcommand{\igame}{Game Z} \newcommand{\cma}{SUF-CMA } \newcommand{\adversary}[1]{\mathcal{#1}} \newcommand{\advantage}[2]{Adv_{#1}^{#2}}
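Review bot: in the Abschlussarbeit.tex hunk at @@ -197,7 +197,7 @@, the new table entry `$\field{q}$` only typesets as $\mathbb{F}_q$ because the macros.tex hunk in the same patch hardcodes the `F` into `\field`; the two hunks cannot be merged independently, and any other call site in the thesis that still follows the old `\field{F}_q` pattern will now render as $\mathbb{F}_{F}$ with a stray `_q` behind it. Grep for `\field{` across the thesis before merging and convert every remaining old-style call in this patch rather than only the one in the parameter table.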
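Review bot: in the hunk at @@ -259,10 +259,10 @@, the open question in `% TODO: richtige Richtung?` ("right direction?") can be settled from the text itself: the second paragraph states the chain as "UF-NMA security of EdDSA implies \cma security", and that is the direction the proof overview later in the patch actually argues (simulating \Osign without the secret key, then reducing to \igame and to DLog'), so the TODO can be resolved and removed. Two typos survive the rewrite of that paragraph: "Next a intermediate game" should read "Next an intermediate game" and "securtiy" should read "security". Moving the clause "which is a result of the special key generation algorithm used by EdDSA" up to the first paragraph is fine, but the sentence it now ends is getting long; consider splitting it after "DLog problem".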
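Review bot: in the hunk at @@ -271,17 +271,35 @@, the opening sentence of the `UF-NMA $=>$ \cma (ROM)` subsection states the implication backwards ("the \cma security ... implies the UF-NMA security"), contradicting both the subsection title and the proof overview two paragraphs down, which simulates \Osign to show that UF-NMA security implies \cma security; flip the sentence. In the `DLog' $=>$ \igame (AGM)` overview, the requirement that the adversary supply a representation of $\groupelement{R}$ is a property of the Algebraic Group Model, not of the "Generic Group Model" named in the text, and the same paragraph says "DLog implies \igame" where the title and the rest of the section mean DLog'. The new `\igame $=>$ UF-NMA (ROM)` subsection says it works "using the Algebraic Group Model" while its heading says ROM; pick one. On the equation $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$: the cofactor $2^c$ multiplies the two right-hand terms but not $\groupelement{R}$; if it comes from the cofactored verification check it belongs on all three terms, and since $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$ lies in the subgroup generated by $\groupelement{B}$ it cancels entirely, which would turn the abort condition into $r_2 = -c$ instead of $-r_2 = 2^c c$; state where the equation comes from so the reader can check the factor. The parenthetical "not equal to $0$" is equivalent to "invertible" only because the modulus $L$ is prime; say so, and add the bound the abort costs the reduction (the adversary fixes $r_2$ before $c$ is sampled in \ioracle, so the abort happens with probability at most $1/L$ per query). Smaller points: the `align*` applies `\groupelement` in the first row only and drops it in the next two, "invertable" should be "invertible" (twice), "choosen" should be "chosen", "security if the EdDSA" should be "security of the EdDSA", and "intuition if the proof" (twice) should be "intuition for the proof".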
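Review bot: in the macros.tex hunk at @@ -1,7 +1,7 @@, `\newcommand{\field}[1]{\mathbb{F}_{#1}}` fixes the blackboard letter to `F`, so the call `\field{L}` in the DLog' overview of this patch renders as $\mathbb{F}_L$; if $L$ is the order of the prime-order subgroup in which $r_2 + 2^c c$ is inverted, the conventional notation is $\mathbb{Z}_L$ and the macro no longer allows it. Either keep the letter as an argument, e.g. `\newcommand{\field}[2]{\mathbb{#1}_{#2}}`, or add a second macro for the residue ring and use that in the inversion sentence.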
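Review bot: in the macros.tex hunk at @@ -11,6 +11,11 @@, `\newcommand{\groupelement}[1]{#1}` is a no-op, which is fine as a hook for later styling of group elements, but the `align*` in the thesis hunk uses it in one row and not the others, so any styling chosen later will come out inconsistent; apply it uniformly. The new `\igame` and `\ioracle` definitions carry a trailing space, which (like the existing `\cma`) produces a space before any punctuation that follows them, e.g. `\igame.`; `\usepackage{xspace}` with `\newcommand{\igame}{Game Z\xspace}` avoids that without changing the existing call sites.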
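Review bot: the macros.tex hunk at @@ -18,7 +23,6 @@ is required for the build, since `\newcommand` errors on a name that is already defined; the only behavioural difference between the removed `\igame` ("Game Z") and the new one under "% Intermediate Game" is the trailing space noted above, so the move itself is fine.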