Proof Overview for Dlog' => Game Z

This commit is contained in:
2023-02-27 18:30:45 +01:00
parent e6acb62385
commit ef1610a1e0
2 changed files with 30 additions and 8 deletions

View File

@@ -197,7 +197,7 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\begin{tabularx}{\textwidth}{@{}lX@{}} \begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Description} \\ \textbf{Parameter} & \textbf{Description} \\
\hline \hline
$q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\field{F}_q$. \\ $q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\field{q}$. \\
$b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\ $b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\
$Enc(\inp)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\ $Enc(\inp)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\
$H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\ $H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\
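Review bot: the switch from `$\field{F}_q$` to `$\field{q}$` only works together with the macro change in the second file, and once `\field` expands to `\mathbb{F}_{#1}`, any leftover call of the old form `\field{F}_q` elsewhere in the thesis becomes `\mathbb{F}_{F}_q`, which LaTeX rejects as a double subscript; grep the remaining chapters for `\field{F}` before merging. The `$b$`, `$Enc(\inp)$` and `$H(\inp)$` rows are unchanged context and read fine.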
@@ -259,10 +259,10 @@ To make working with the random oracle easier in the following proofs some calls
\section{The Security of EdDSA in a Single-User Setting} \section{The Security of EdDSA in a Single-User Setting}
This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:dlog'} provides a concrete bound on the security of this version of the DLog problem. This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:dlog'} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA.
% TODO: richtige Richtung? % TODO: richtige Richtung?
The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next a intermediate game is introduced onto which the UF-NMA securtiy of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of DLog, which is a result of the special key generation algorithm used by EdDSA. The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next a intermediate game is introduced onto which the UF-NMA securtiy of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of DLog.
The chain of reductions can be depicted as: The chain of reductions can be depicted as:
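Review bot: moving the clause "which is a result of the special key generation algorithm used by EdDSA" to the end of the sentence about Section \ref{sec:dlog'} now attaches it to "a concrete bound on the security", which is not the intended referent; attach it to the DLog variant instead, e.g. "a special version of the DLog problem, which arises from EdDSA's key generation procedure". The second paragraph still carries "a intermediate game" (an) and "securtiy" (security), and the German TODO "richtige Richtung?" ("right direction?") remains open even though the next hunk's first UF-NMA paragraph still states the implication in the opposite direction to this overview.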
@@ -271,17 +271,35 @@ The chain of reductions can be depicted as:
\subsection{UF-NMA $=>$ \cma (ROM)} \subsection{UF-NMA $=>$ \cma (ROM)}
% TODO: "intuition for the proof" vs. "intuition of the proof"? % TODO: "intuition for the proof" vs. "intuition of the proof"?
This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by providing an intuition for the proof followed by the detailed security proof. This section shows that the \cma security of EdDSA signature scheme implies the UF-NMA security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
\paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key. \paragraph{Proof Overview} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment and challenge. The signature is the tuple of commitment and response. The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the structure of a canonical identification scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment, challenge and secret key. The signature is the tuple of commitment and response.
To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the choosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message. To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the choosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message.
\paragraph{Formal Proof} \paragraph{Formal Proof}
\subsection{\igame $=>$ UF-NAM} \subsection{\igame $=>$ UF-NMA (ROM)}
This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
\subsection{DLog' $=>$ \igame (AGM)}
This section shows that DLog implies \igame using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
\paragraph{Proof Overview}
The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Generic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Upon providing a valid solution for the game \igame the reduction also gains following equation $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$. Both equations yield:
\begin{align*}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s \groupelement{B} - 2^c c \groupelement{A} \\
(r_2 + 2^c c)A &= (2^c s - r_1)B \\
A &= (2^c s - r_1)(r_2 + 2^c c)^{-1} B
\end{align*}
Assuming that $r_2 + 2^c c$ is invertable in $\field{L}$ (not equal to $0$) we can use both equations to calculate the discrete logarithm of $\groupelement{A}$. To ensure that $r_2 + 2^c c$ is invertable the reduction has to abort if $-r_2$ equals $2^c c$ with $c$ being randomly choosen in the \ioracle oracle.
\newpage \newpage
\section{The Security of EdDSA in a Multi-User Setting} \section{The Security of EdDSA in a Multi-User Setting}
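Review bot: the symbol $c$ does double duty in the new DLog' overview: in $\groupelement{R} = 2^c s \groupelement{B} - 2^c c \groupelement{A}$ the exponent $c$ is the cofactor parameter while the second $c$ is the challenge that the closing sentence says is "randomly choosen in the \ioracle oracle", so the abort condition "$-r_2$ equals $2^c c$" cannot be read unambiguously; rename the challenge (the UF-NMA overview already calls the challenge $h$) or the cofactor exponent. Further points in the same hunk: (1) "Due to the nature of Generic Group Model" should say Algebraic Group Model, which is what the subsection title and the argument (the adversary supplies the representation $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$) rely on; (2) the \igame $=>$ UF-NMA subsection title says (ROM) while its body says "using the Algebraic Group Model", pick one; (3) the DLog' body says "DLog implies \igame" without the prime; (4) the second and third lines of the align block use bare $A$ and $B$ where the first line uses \groupelement{A} and \groupelement{B}; (5) if the right-hand side is taken from the cofactored verification equation, check whether $\groupelement{R}$ on the left-hand side should also carry the factor $2^c$; (6) the first sentence of the UF-NMA subsection states "\cma security ... implies the UF-NMA security", the reverse of the Proof Overview sentence two lines below, which is presumably what the open TODO is about. Typos: "security if the EdDSA" and "intuition if the proof" (twice) should read "of", "invertable" (twice) should be "invertible", and "choosen" appears in the simulation paragraph and in the abort sentence.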

View File

@@ -1,7 +1,7 @@
% Games % Games
\newcommand{\game}{\textbf{Game} } \newcommand{\game}{\textbf{Game} }
\newcommand{\inp}{\cdot} \newcommand{\inp}{\cdot}
\newcommand{\field}[1]{\mathbb{#1}} \newcommand{\field}[1]{\mathbb{F}_{#1}}
\newcommand{\secparamter}{\lambda} \newcommand{\secparamter}{\lambda}
\newcommand{\randomsample}{\overset{{\scriptscriptstyle\$}}{\leftarrow}} \newcommand{\randomsample}{\overset{{\scriptscriptstyle\$}}{\leftarrow}}
\newcommand{\randomassign}{\leftarrow} \newcommand{\randomassign}{\leftarrow}
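Review bot: redefining \field as \mathbb{F}_{#1} changes the macro's meaning from "blackboard-bold set named #1" to "finite field of order #1", so every existing call site needs auditing: `\field{F}_q` now produces a double-subscript error, and any caller that used it for other sets (integers, groups) can no longer do so; if such uses exist, keep \field for sets and introduce a separate macro for finite fields. Adjacent but unrelated: the macro name \secparamter is misspelled (secparameter), which will bite anyone typing it from memory.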
@@ -11,6 +11,11 @@
\newcommand{\signature}{\sigma} \newcommand{\signature}{\sigma}
\newcommand{\pubkey}{pk} \newcommand{\pubkey}{pk}
\newcommand{\privkey}{sk} \newcommand{\privkey}{sk}
\newcommand{\groupelement}[1]{#1}
% Intermediate Game
\newcommand{\igame}{Game Z }
\newcommand{\ioracle}{Chall }
% EdDSA procedures % EdDSA procedures
\newcommand{\keygen}{KeyGen } \newcommand{\keygen}{KeyGen }
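Review bot: \igame and \ioracle carry a trailing space inside the braces to avoid the gobbled space after a control word, but that also inserts a space before punctuation ("\igame." prints "Game Z ."), and the \igame $=>$ headings in the first file show the spacing is already inconsistent with how the other notions are written; \newcommand{\igame}{Game Z\xspace} with the xspace package (assumption: xspace is not yet loaded) handles both cases. \groupelement being the identity is fine as a hook for later bold or sans formatting, but note it is applied to only some of the group elements in the new align block.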
@@ -18,7 +23,6 @@
\newcommand{\verify}{Verify } \newcommand{\verify}{Verify }
% Security Notions % Security Notions
\newcommand{\igame}{Game Z}
\newcommand{\cma}{SUF-CMA } \newcommand{\cma}{SUF-CMA }
\newcommand{\adversary}[1]{\mathcal{#1}} \newcommand{\adversary}[1]{\mathcal{#1}}
\newcommand{\advantage}[2]{Adv_{#1}^{#2}} \newcommand{\advantage}[2]{Adv_{#1}^{#2}}