changed challenge font
This commit is contained in:
@@ -17,6 +17,7 @@
|
||||
\newcommand{\group}[1]{\mathbb{#1}}
|
||||
\newcommand{\oraclequeries}{q_o}
|
||||
\newcommand{\test}{\overset{?}{=}}
|
||||
\newcommand{\ch}{\textbf{ch}}
|
||||
|
||||
% Special Dlog
|
||||
\newcommand{\sdlog}{DLog' }
|
||||
@@ -33,7 +34,7 @@
|
||||
% Security Notions
|
||||
\newcommand{\cma}{SUF-CMA }
|
||||
\newcommand{\adversary}[1]{\mathcal{#1}}
|
||||
\newcommand{\advantage}[2]{Adv_{#1}^{#2}}
|
||||
\newcommand{\advantage}[2]{\text{Adv}_{#1}^{#2}}
|
||||
\newcommand{\prone}[1]{Pr[#1 \Rightarrow 1]}
|
||||
|
||||
% Oracle
|
||||
|
||||
@@ -32,7 +32,7 @@ For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as f
|
||||
\label{theorem:advgamez}
|
||||
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
|
||||
|
||||
\[ \advantage{\igame,\adversary{A}}{\group{G}} \leq \advantage{\sdlog,\adversary{B}}{\group{G}} - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
|
||||
\[ \advantage{\igame,\adversary{A}}{\group{G}} \leq \advantage{\sdlog,\adversary{B}}{\group{G}} - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
\end{theorem}
|
||||
|
||||
\paragraph{\underline{Proof Overview}}
|
||||
@@ -49,22 +49,22 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\State \quad $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
||||
\State \quad $\groupelement{A} \assign a \groupelement{B}$
|
||||
\State \quad $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||
\State \quad \Return $\exists \groupelement{R}^*, chall^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - chall^* \groupelement{A}) \wedge (\groupelement{R}^*, chall^*) \in Q$
|
||||
\State \quad \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\groupelement{R}^*, \ch^*) \in Q$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
|
||||
\State \quad Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
|
||||
\State \quad $chall_i \randomsample \{0,1\}^{2b}$
|
||||
\State \quad $\ch_i \randomsample \{0,1\}^{2b}$
|
||||
\BeginBox[draw=blue]
|
||||
\State \quad \textbf{If} $2^c chall_i \equiv -r_2 \pmod L$ \textbf{then}
|
||||
\State \quad \textbf{If} $2^c \ch_i \equiv -r_2 \pmod L$ \textbf{then}
|
||||
\State \qquad $bad \assign true$
|
||||
\BeginBox[draw=red,dashed]
|
||||
\State \qquad $abort$
|
||||
\EndBox
|
||||
\EndBox
|
||||
\State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, chall_i) \}$
|
||||
\State \quad \Return $chall_i$
|
||||
\State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
||||
\State \quad \Return $\ch_i$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\hrule
|
||||
@@ -78,16 +78,16 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be \igame. By definition,
|
||||
|
||||
% TODO: Hier Sicherheitsparameter?
|
||||
\[ \advantage{\igame,\adversary{A}}{\group{G}} = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \]
|
||||
\[ \advantage{\group{G}}{\igame}(\adversary{A}) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c chall_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence,
|
||||
\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c \ch_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence,
|
||||
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \]
|
||||
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
||||
|
||||
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $chall_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $chall_i \pmod L$. $chall_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $chall_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $chall_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $chall_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $chall_i$ has to be concidert, which takes this into account. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $\ch_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $\ch_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $\ch_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\ch_i$ has to be concidert, which takes this into account. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
||||
% TODO: Müsste das nicht floor statt ceil sein?
|
||||
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
|
||||
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
||||
|
||||
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
||||
|
||||
@@ -102,21 +102,21 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
|
||||
\State \quad $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||
\State \quad \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, chall^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - chall^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, chall^*) \in Q$ \textbf{then}
|
||||
\State \quad \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q$ \textbf{then}
|
||||
\State \qquad $abort$
|
||||
\State \quad Let $R^* = r_1 \groupelement{B} + r_2 \groupelement{A}$
|
||||
\State \quad \Return $(2^c s^* - r_1)(r_2 + 2^c chall^*)^{-1}$
|
||||
\State \quad \Return $(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
|
||||
\State \quad Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
|
||||
\State \quad $chall_i \randomsample \{0,1\}^{2b}$
|
||||
\State \quad \textbf{If} $2^c chall_i \equiv -r_2 \pmod L$ \textbf{then}
|
||||
\State \quad $\ch_i \randomsample \{0,1\}^{2b}$
|
||||
\State \quad \textbf{If} $2^c \ch_i \equiv -r_2 \pmod L$ \textbf{then}
|
||||
\State \qquad $bad \assign true$
|
||||
\State \qquad $abort$
|
||||
\State \quad $Q \assign Q \cup \{ (\agmgroupelement{R_i}{r_i}, chall_i) \}$
|
||||
\State \quad \Return $chall_i$
|
||||
\State \quad $Q \assign Q \cup \{ (\agmgroupelement{R_i}{r_i}, \ch_i) \}$
|
||||
\State \quad \Return $\ch_i$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\hrule
|
||||
@@ -126,15 +126,15 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
|
||||
|
||||
To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
|
||||
|
||||
Finally, consider $\adversary{A}$ output $s^*$. We know that one $R^* = 2^c s^*B - 2^c chall^*A$. We can use this together with the representation of $R^*$ to get following equation:
|
||||
Finally, consider $\adversary{A}$ output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get following equation:
|
||||
|
||||
\begin{align*}
|
||||
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s^* \groupelement{B} - 2^c chall^* \groupelement{A} \\
|
||||
(r_2 + 2^c chall^*)A &= (2^c s^* - r_1)B \\
|
||||
A &= (2^c s^* - r_1)(r_2 + 2^c chall^*)^{-1} B
|
||||
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \\
|
||||
(r_2 + 2^c \ch^*)A &= (2^c s^* - r_1)B \\
|
||||
A &= (2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1} B
|
||||
\end{align*}
|
||||
|
||||
Assuming that $r_2 + 2^c chall^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$.
|
||||
Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$.
|
||||
|
||||
\item This proves Theorem \ref{theorem:advgamez}.
|
||||
\end{proof}
|
||||
@@ -11,14 +11,14 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
|
||||
\State \quad $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
||||
\State \quad $\groupelement{A} \assign a \groupelement{B}$
|
||||
\State \quad $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
||||
\State \quad \Return $\exists \groupelement{R}^*, c^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - c^* \groupelement{A}) \wedge (\groupelement{R}^*, c^*) \in Q$
|
||||
\State \quad \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\groupelement{R}^*, \ch^*) \in Q$
|
||||
\end{algorithmic}
|
||||
\columnbreak
|
||||
\begin{algorithmic}[1]
|
||||
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
||||
\State \quad $chall_i \randomsample \{0,1\}^{2b}$
|
||||
\State \quad $\ch_i \randomsample \{0,1\}^{2b}$
|
||||
\State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, c_i) \}$
|
||||
\State \quad \Return $chall_i$
|
||||
\State \quad \Return $\ch_i$
|
||||
\end{algorithmic}
|
||||
\end{multicols}
|
||||
\hrule
|
||||
|
||||
Reference in New Issue
Block a user