rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

more proofs

Browse Source
This commit is contained in:
Aaron Kaiser
2023-04-20 12:03:33 +02:00
parent 0baf01b6ca
commit f527b43068
6 changed files with 166 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
thesis/Abschlussarbeit.tex
View File

@@ -160,7 +160,7 @@ The chain of reductions can be depicted as:
\subsection{Bounds on \sdlog} \label{sec:sdlog}
\subsection{Bounds on OMDlog'}
\subsection{Bounds on OMDlog'} \label{sec:somdl}
\section{Concrete Security of EdDSA}

1
thesis/macros.tex
View File

@@ -45,6 +45,7 @@
% Oracle
\newcommand{\Osign}{\textit{Sign} }
\newcommand{\Odl}{\textif{DL} }
% Structrues
\newcommand{\curve}{E}

18
thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex
View File

@@ -6,7 +6,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
%TODO: Fix collision
\begin{definition}[MU-\igame]
Let $n$ and $n$ be positive integers. For an adversary $\adversary{A}$ we define its advantage in the MU-\igame as following:
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$ we define its advantage in the MU-\igame as following:
\[ \advantage{\adversary{A}}{\text{MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] | \].
\end{definition}
@@ -17,11 +17,11 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\large
\begin{algorithmic}[1]
\Statex \underline{\game \igame}
\State \textbf{for} $i \in \{1,2,...,n\}$
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_n})$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,n\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\} \in : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
@@ -52,12 +52,12 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\large
\begin{algorithmic}[1]
\State \underline{\game $G_0$}
\State \textbf{for} $i \in \{1,2,...,n\}$
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(h_{i_0}, h_{i_1}, ..., h_{i_{2b-1}}) \randomsample \{0,1\}^{2b}$
\State \quad $s_i \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State \quad $\groupelement{A_i} \assign s_i \groupelement{B}$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_n})$
\State \Return $\exists i \in \{1,2,...,n\}: \verify(\groupelement{A_i}, \m^*,\signature^*)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\groupelement{A_i}, \m^*,\signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
@@ -88,8 +88,8 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\vspace{1mm}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_n})$}
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_n})$
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $S$
\end{algorithmic}
\vspace{2mm}

18
thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex
View File

@@ -4,7 +4,7 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp
\begin{theorem}
\label{theorem:adv_mu-uf-nma}
Let $\adversary{A}$ be an adversary against MU-SUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\end{theorem}
@@ -21,16 +21,16 @@ Again the programmability of the random oracle together with the \simalg algorit
\large
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
\State \textbf{for} $j \in \{1,2,...,n\}$
\State \textbf{for} $j \in \{1,2,...,N\}$
\State \quad $(h_{j_0}, h_{j_1}, ..., h_{j_{2b-1}}) \randomsample \{0,1\}^{2b}$
\State \quad $s_i \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_{j_i}$
\State \quad $\groupelement{A_i} \assign s_i \groupelement{B}$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2},...,\groupelement{A_n})$
\State \Return $\exists j \in \{1,2,...,n\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin Q$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2},...,\groupelement{A_N})$
\State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($j \in \{1,2,...,n\}$, $\m \in \messagespace$)}
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\Comment{$G_0 - G_2$}
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_{j_b} | ... | h_{j_{2b-1}} | \m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
@@ -67,7 +67,7 @@ Again the programmability of the random oracle together with the \simalg algorit
\begin{algorithmic}[1]
%TODO: Nummer vor Oracle
\BeginBox[draw=green]
\State \underline{\oracle \sign($j \in \{1,2,...,n\}$, $\m \in \messagespace$)}
\State \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\Comment{$G_3$}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] \neq \bot \textbf{ then}$
@@ -113,13 +113,13 @@ Again the programmability of the random oracle together with the \simalg algorit
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A})$
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($j \in \{1,2,...,n\}$, $\m \in \messagespace$)}
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$

143
thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex
View File

@@ -1 +1,144 @@
\subsection{\somdl $\Rightarrow$ MU-\igame (AGM)}
This section shows that \somdl implies MU-\igame using the Algebraic Group Model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof.
\paragraph{\underline{Introducing \sdlog}} Similar to \sdlog being a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only difference to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} is that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ which represents all valid secret scalars regarding the key generation algorithm. A lower bound on the hardness of the \sdlog problem is further analyzed in section \ref{sec:somdl}. The \somdl game is depicted in figure \ref{fig:somdl}.
\begin{definition}[\somdl]
Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$ we define its advantage in the \somdl game as following:
\[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] | \].
\end{definition}
\begin{figure}
\hrule
\vspace{1mm}
\large
\begin{algorithmic}[1]
\Statex \underline{\game \somdl}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $I \assign 0$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N) \wedge I < N$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$}
\State $I \assign I + 1$
\State \Return $a_i$
\end{algorithmic}
\vspace{1mm}
\hrule
\caption{\somdl}
\label{fig:somdl}
\end{figure}
\begin{theorem}
\label{theorem:adv_omdl'}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) - \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\end{theorem}
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
\paragraph{\underline{Formal Proof}}
% TODO: clarify encoding of c
\begin{figure}
\hrule
\large
\vspace{1mm}
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A_i})$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)}
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State $\ch \randomsample \{0,1\}^{2b}$
\BeginBox[draw=blue]
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch \equiv -r_i \pmod L$ \textbf{then}
\Comment{$G_1 - G_2$}
\State \quad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\Comment{$G_2$}
\EndBox
\EndBox
\State $Q \assign Q \cup \{ (\groupelement{R}, \ch) \}$
\State \Return $\ch$
\end{algorithmic}
\hrule
\caption{Games $G_0 - G_2$}
\label{fig:omdl'_implies_mu-igame}
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes and $G_0$ be MU-\igame. By definition,
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_1$:}} TODO %TODO
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_2:$}} TODO %TODO
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) \label{eq:adv_omdl'}
\end{align}.
\begin{figure}
\hrule
\large
\vspace{1mm}
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A_i})$ \textbf{then}
\State \quad $abort$
\State Let $\groupelement{R^*} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State $r^* \assign r_1$
\State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$
\State \quad $a_j \assign \textit{DL}(\groupelement{A_j})$
\Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
\State \quad $r^* \assign r^* + a_j$
\State Let $R^* = r^* \groupelement{B} + r_i \groupelement{A_i}$
\State $a_i \assign (2^c s^* - r^*)(r_i + 2^c \ch^*)^{-1}$
\State \Return $(a_1, a_2, ..., a_N)$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
\State Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State $\ch_i \randomsample \{0,1\}^{2b}$
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch_i \equiv -r_i \pmod L$ \textbf{then}
\State \quad $bad \assign true$
\State \quad $abort$
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
\State \Return $\ch_i$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking \somdl}
\label{fig:adversary_omdl'}
\end{figure}
To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
Finally, consider $\adversary{A}$'s output $s^*$. TODO %TODO:
\item This proves theorem \ref{theorem:adv_omdl'}.
\end{proof}

4
thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex
View File

@@ -6,12 +6,12 @@ This section shows that \sdlog implies \igame using the Algebraic Group Model. T
\paragraph{\underline{Introducing \sdlog}}
The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not choosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}.
The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not chosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}.
\begin{definition}[\sdlog]
For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as following:
\[ \advantage{\adversary{A}}{\sdlog}(\secparamter) \assign | \Pr[\sdlog^{\adversary{A}} \Rightarrow 1] | \].
\[ \advantage{\adversary{A}}{\text{\sdlog}}(\secparamter) \assign | \Pr[\text{\sdlog}^{\adversary{A}} \Rightarrow 1] | \].
\end{definition}