rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rixxc:eb130f8bc5ce33cd311cff8a593cf7b5abb6c2dd
Branches Tags
rixxc:main
..
compare: rixxc:8d7e0014e7342829e03bf3c57dab0ab465d673d4
Branches Tags
rixxc:main

10 Commits
eb130f8bc5 ... 8d7e0014e7

Author SHA1 Message Date
Aaron Kaiser
8d7e0014e7 Add correct Eidesstattliche Erklärung 2023-07-13 11:46:34 +02:00
Aaron Kaiser
635859a97d Add Eidesstattliche Erklärung 2023-07-13 11:40:23 +02:00
Aaron Kaiser
7e1f5951de Remove Ehrenwörtliche Erklärung 2023-07-13 11:37:29 +02:00
Aaron Kaiser
f431393616 Use N in sets of security definitions 2023-07-13 11:28:36 +02:00
Aaron Kaiser
ead86c9fb7 Add reference to theorem 2023-07-13 11:26:15 +02:00
Aaron Kaiser
432581423f Add N parameter to multi user games 2023-07-13 11:18:07 +02:00
Aaron Kaiser
8d6f37310c simplified equations 2023-07-12 22:11:02 +02:00
Aaron Kaiser
a75f324d8f Copy presentation into webroot 2023-06-29 09:31:36 +02:00
Aaron Kaiser
331422ca21 Fixed presentation 2023-06-29 09:29:52 +02:00
Aaron Kaiser
f4b4c94061 Added presentation 2023-06-28 22:32:07 +02:00
33 changed files with 2299 additions and 162 deletions
Expand all files Collapse all files

2
.drone.yml
View File

@@ -24,7 +24,7 @@ steps:
- pdflatex Abschlussarbeit
- pdflatex Abschlussarbeit
- cp "Abschlussarbeit".pdf /webroot
- cp ../presentation/presentation.pdf /webroot
volumes:
- name: webroot
host:

BIN
Eidesstattliche_Erklaerung_mehrsprachig_digital_2_signed.pdf Normal file
View File

Binary file not shown.

31
presentation/Ruhr-Universität_Bochum_logo.svg Normal file
View File

@@ -0,0 +1,31 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
<!-- Created with Inkscape (http://www.inkscape.org/) by Marsupilami -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="768"
height="768"
viewBox="-4.251975 -4.251975 150.23645 150.23645"
id="svg2632">
<defs
id="defs2634" />
<path
d="M 141.7325,141.7325 L 0,141.7325 L 0,0 L 141.7325,0 L 141.7325,141.7325 z"
id="path2484"
style="fill:#003560;fill-opacity:1;fill-rule:nonzero;stroke:none" />
<path
d="M 104.67975,106.02463 L 104.67975,92.45963 L 114.076,92.45963 C 118.3885,92.45963 121.79475,94.44213 121.79475,99.11463 C 121.79475,103.89338 117.886,106.02463 113.616,106.02463 L 104.67975,106.02463 z M 104.67975,123.24213 L 104.67975,108.71338 L 114.22725,108.71338 C 118.94475,108.71338 122.7585,110.90088 122.7585,115.87838 C 122.7585,120.95338 119.05225,123.24213 114.3235,123.24213 L 104.67975,123.24213 z M 101.47725,125.98463 L 115.091,125.98463 C 120.62725,125.98463 126.006,122.83463 126.006,115.97588 C 126.006,111.66213 123.31725,107.90338 118.236,107.14088 L 118.236,107.08963 C 122.456,106.07713 124.9435,102.56963 124.9435,98.60588 C 124.9435,92.76838 120.92975,89.71963 114.83225,89.71963 L 101.47725,89.71963 L 101.47725,125.98463 z"
id="path2496"
style="fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:none" />
<path
d="M 80.23637,126.593 C 88.72012,126.593 94.91512,121.7205 94.91512,112.87925 L 94.91512,89.768 L 87.09637,89.768 L 87.09637,112.62675 C 87.09637,117.35175 84.75762,119.78425 80.39262,119.78425 C 75.71262,119.78425 73.58387,116.89175 73.58387,112.62675 L 73.58387,89.768 L 65.66387,89.768 L 65.66387,113.33675 C 65.66387,122.2255 71.45512,126.593 80.23637,126.593"
id="path2500"
style="fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:none" />
<path
d="M 52.90237,113.85425 C 57.96487,110.983 59.91487,106.7155 59.91487,102.39925 C 59.91487,95.28925 54.83112,89.7505 47.31612,89.7505 L 31.29362,89.7505 L 31.29362,125.96425 L 39.16612,125.96425 L 39.16612,96.14925 L 45.35737,96.14925 C 49.76737,96.14925 52.21362,98.7805 52.21362,102.39925 C 52.21362,105.51675 50.29362,108.67425 45.40862,108.67425 L 40.45237,108.67425 L 52.90237,125.96425 L 61.58862,125.96425 L 52.90237,113.85425 z"
id="path2504"
style="fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:none" />
</svg>
<!-- version: 20090314, original size: 141.7325 141.7325, border: 3% -->
Side by Side

After

Width:  |  Height:  |  Size: 2.5 KiB

2
presentation/TODO Normal file
View File

@@ -0,0 +1,2 @@
Zwischentitelfolien
Name für SOMDL

81
presentation/beamercolorthemeRub.sty Normal file
View File

@@ -0,0 +1,81 @@
% Copyright 2007 by Till Tantau
% Edited by Sebastian Jeworutzki 2012
% This file may be distributed and/or modified
%
% 1. under the LaTeX Project Public License and/or
% 2. under the GNU Public License.
%
% See the file doc/licenses/LICENSE for more details.
\ProvidesPackage{beamercolorthemeRub}[27/09/12 15:22:18]
% Paket graphicx laden
\RequirePackage{graphicx}
% Farben definieren
\definecolor{gelbgruen}{cmyk}{0.5,0,1,0}
\definecolor{lichtgrau}{cmyk}{0.03,0.03,0.03,0.1}
\definecolor{saphierblau}{cmyk}{1,0.5,0,.6}
\definecolor{alertred}{rgb}{0.80,0.12,0.12}
% Farben für den Präsentationsmodus
\mode<presentation>
% Farben den Strukturelementen zuordnen
\setbeamercolor*{Title bar}{bg=white, fg=saphierblau}
\setbeamercolor*{frametitle}{parent=Title bar}
\setbeamercolor*{framesubtitle}{fg=saphierblau}
\setbeamercolor*{block title}{bg=saphierblau,fg=white}
\setbeamercolor*{block body}{bg=saphierblau!15,fg=black}
\setbeamercolor{block title alerted}{bg=alertred, fg=white}
\setbeamercolor{block body alerted}{bg=alertred!15,fg=black}
\setbeamercolor{block title example}{bg=gelbgruen, fg=white}
\setbeamercolor{block body example}{bg=gelbgruen!15,fg=black}
% Titelseite
\setbeamercolor*{title page}{fg=saphierblau}
\setbeamercolor*{title}{fg=saphierblau}
\setbeamercolor*{kopf}{fg=black, bg=lichtgrau}
\setbeamercolor*{titlegraphic}{fg=saphierblau, bg=lichtgrau}
\setbeamercolor*{date}{fg=gelbgruen}
% Weitere Textelemente
\setbeamercolor{example text}{fg=gelbgruen!50!black}
\setbeamercolor*{alerted text}{fg=alertred}
% Alle Strukturierungselemente wie Aufzählungzeichen in saphierblau
\usecolortheme[named=saphierblau]{structure}
% Farben für den „aufgeräumten Modus“
\ifbeamer@empty
\setbeamercolor{normal text}{fg=saphierblau,bg=white}
\setbeamercolor*{Location bar}{fg=saphierblau,bg=white}
\setbeamercolor*{section in head/foot}{fg=saphierblau,bg=white}
\else
\setbeamercolor{normal text}{fg=saphierblau,bg=lichtgrau}
\setbeamercolor*{Location bar}{fg=saphierblau,bg=lichtgrau}
\setbeamercolor*{section in head/foot}{fg=saphierblau,bg=lichtgrau}
\fi
% Farben für Handouts
\mode<handout>
% Bei Handout Hintergrundfarbe auf weiß setzten
\setbeamercolor*{kopf}{fg=black, bg=white}
\setbeamercolor*{titlegraphic}{fg=saphierblau, bg=white}
\setbeamercolor{normal text}{fg=saphierblau,bg=white}
\setbeamercolor*{Location bar}{fg=saphierblau,bg=white}
\setbeamercolor*{section in head/foot}{fg=saphierblau,bg=white}
\setbeamercolor*{normal text}{fg=saphierblau,bg=white} %Hintergrund
\setbeamercolor*{Location bar}{fg=saphierblau,bg=white} %Fußzeile
\setbeamercolor*{block title}{fg=saphierblau,bg=white}
\setbeamercolor*{block body}{bg=white,fg=saphierblau}
\setbeamercolor*{block title alerted}{bg=alertred, fg=white}
\setbeamercolor*{block body alerted}{bg=alertred!15,fg=saphierblau}
\setbeamercolor*{block title example}{bg=gelbgruen, fg=white}
\setbeamercolor*{block body example}{bg=gelbgruen!15,fg=saphierblau}
\setbeamercolor{structure}{fg=black}
\setbeamercolor*{item}{fg=black!50}
\mode
<all>

64
presentation/beamerfontthemeRub.sty Normal file
View File

@@ -0,0 +1,64 @@
% Copyright 2007 by Till Tantau
% Edited by Sebastian Jeworutzki 2012
% This file may be distributed and/or modified
%
% 1. under the LaTeX Project Public License and/or
% 2. under the GNU Public License.
%
% See the file doc/licenses/LICENSE for more details.
\ProvidesPackage{beamerfontthemeRub}[27/09/12 19:41:02]
% Schriften aus dem Corporate Design laden
% % ToDo: Vielleicht global verfuegbar machen?
% % ifxetexorluatex seen at
% % http://tex.stackexchange.com/a/47579
\RequirePackage{ifxetex, ifluatex}
\newif\ifxetexorluatex
\ifxetex
\xetexorluatextrue
\else
\ifluatex
\xetexorluatextrue
\else
\xetexorluatexfalse
\fi
\fi
\ifxetexorluatex
\RequirePackage{fontspec}
\setmainfont{RubFlama}
\setsansfont{RubFlama}
\setromanfont{RUB Scala TZ}
\else
%\RequirePackage{rubfonts2009}
\RequirePackage[T1]{fontenc} %
\RequirePackage[utf8]{inputenc} % ToDo: Möglicherweise unerwünscht.
\fi
\mode<presentation>
% Schrift im Frametitle
\setbeamerfont{section in head/foot}{size=\fontsize{6pt}{8pt}\selectfont,series=\normalfont}
\setbeamerfont{block title}{size=\normalsize,series=\normalfont}
\setbeamerfont{head author}{series=\normalfont,size=\fontsize{5pt}{1em}}
\setbeamerfont{head institute}{series=\bfseries,size=\fontsize{5pt}{1em}}
\setbeamerfont{frametitle}{size=\fontsize{14pt}{15pt}}
% Title page: default
\setbeamerfont{title}{series=\bfseries,size=\fontsize{14pt}{1.2em}}
\setbeamerfont{subtitle}{series=\normalfont,size=\fontsize{14pt}{1.2em}}
\setbeamerfont{date}{series=\bfseries,size=\fontsize{14pt}{1.2em}}
\setbeamerfont{author}{series=\normalfont,size=\fontsize{8pt}{1em}}
\setbeamerfont{institute}{series=\bfseries,size=\fontsize{8pt}{1em}}
\mode<handout>
% Bei Handout Blocküberschriften verändern
\setbeamerfont{block title}{series=\itshape\bfseries}
\setbeamerfont{block title alerted}{series=\bfseries}
\setbeamerfont{block title example}{series=\itshape}
\mode
<all>

BIN
presentation/beamericonarticle.pdf Normal file
View File

Binary file not shown.

BIN
presentation/beamericonbook.pdf Normal file
View File

Binary file not shown.

628
presentation/beamerinnerthemeRub.sty Normal file
View File

@@ -0,0 +1,628 @@
% Copyright 2007 by Till Tantau
% Edited by: Sebastian Jeworutzki 2012
%
% This file may be distributed and/or modified
%
% 1. under the LaTeX Project Public License and/or
% 2. under the GNU Public License.
%
% See the file doc/licenses/LICENSE for more details.
\ProvidesPackage{beamerinnerthemeRub}[27/09/12 15:28:08]
% Tikz wird benötigt
\RequirePackage{tikz}
% In den Präsentationsmodus wechseln
\mode<presentation>
% Standard-Stil für die Titelseite festlegen:
\DeclareOptionBeamer{alternativetitlepage}[normal]{\def\beamer@Rub@alternativetitlepage{#1}}
\ExecuteOptionsBeamer{alternativetitlepage=normal}
\ProcessOptionsBeamer
%% Bild definieren:
% Logo für die Titelseite
\pgfdeclareimage[width=1.8cm]{logoTitle}{logo}
% Bilder für das Literaturverzeichnis
\pgfdeclareimage[width=14pt,height=12pt]{beamericonbook}{beamericonbook}
\pgfdeclareimage[width=14pt,height=12pt]{beamericonbookshaded}{beamericonbook.20}
\pgfaliasimage{beamericonbook.!20opaque}{beamericonbookshaded}
\pgfaliasimage{beamericonbook.!15opaque}{beamericonbookshaded}
\pgfaliasimage{beamericonbook.!10opaque}{beamericonbookshaded}
\pgfaliasimage{beamericonbook.!5opaque}{beamericonbookshaded}
\pgfaliasimage{beamericonbook.!2opaque}{beamericonbookshaded}
\pgfdeclareimage[width=11pt,height=14pt]{beamericonarticle}{beamericonarticle}
\pgfdeclareimage[width=11pt,height=14pt]{beamericonarticleshaded}{beamericonarticle.20}
\pgfaliasimage{beamericonarticle.!20opaque}{beamericonarticleshaded}
\pgfaliasimage{beamericonarticle.!15opaque}{beamericonarticleshaded}
\pgfaliasimage{beamericonarticle.!10opaque}{beamericonarticleshaded}
\pgfaliasimage{beamericonarticle.!5opaque}{beamericonarticleshaded}
\pgfaliasimage{beamericonarticle.!2opaque}{beamericonarticleshaded}
% Hilfsfunktion für das Sponsor-Logo
\newcount\sponsor
\sponsor=0
\newcommand{\sponsorlogo}[2][\empty]{
\pgfdeclareimage[#1]{sponsor}{#2}
\sponsor=1
}
% Funktion für das Titelbild Redefinieren -> Wenn diese nicht aufgerufen wird, MaxTitleImage nicht aufrufen
\renewcommand\titlegraphic[1]{\def\inserttitlegraphicrub{#1}}
\newcommand{\TitleImage}{\@ifundefined{inserttitlegraphicrub}{}{\MaxTitleImage}}
% Funktion für das Titelbild
% Sicherstellen, dass das Bild maximiert wird.
\RequirePackage{calc}
\newcommand{\MaxTitleImage}{
\newlength\graphicheight % Register anlegen
\newlength\graphicwidth
\setlength\graphicheight{\heightof{\includegraphics[width=\paperwidth]{\inserttitlegraphicrub}}} %Standard: an Breite orientieren und Breite messen
\setlength\graphicwidth{\widthof{\includegraphics[width=\paperwidth]{\inserttitlegraphicrub}}}
\ifdim \graphicheight<\paperheight % Sollte bei maximierter Breite, das Bild nicht hoch genug sein, an Höhe orientieren
\includegraphics[height=\paperheight, keepaspectratio = true]{\inserttitlegraphicrub}
\else
\includegraphics[width=\paperwidth, keepaspectratio = true]{\inserttitlegraphicrub}
\fi
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Title page
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Normal
\defbeamertemplate*{title page normal}{Rub} % Template definieren
{ % Beginn der Definition: Normal
\thispagestyle{empty}
\begin{tikzpicture}[remember picture,overlay]
% Node mit dem weißen Hintergrund
\node[anchor=north west, inner sep=0pt] at (current page.north west)
{\begin{tikzpicture}
\draw[style={white, line width=0pt, fill=white}] (0,0) rectangle (0.90\paperwidth,0.9\paperheight);%8.2cm);
\end{tikzpicture}};
% Node mit dem Text
\node[anchor=north west, inner sep=0pt, xshift=1cm,yshift=-0.5cm] at (current page.north west) {
\begin{minipage}{11.5cm}
\begin{beamercolorbox}{title}
\begin{tiny}\textbf{RUHR-UNIVERSIT{\"A}T}~BOCHUM \end{tiny} \\ [1cm]
\usebeamerfont{title}\inserttitle\par%
\ifx\insertsubtitle\@empty% Falls kein Untertitel definiert wurde, nichts unternehmen
\else%
\vskip0.25em% Ansonsten Abstand und Untertitel einfügen
{\usebeamerfont{subtitle}\usebeamercolor[fg]{subtitle}\insertsubtitle\par}%
\fi%
\end{beamercolorbox}%
\vskip8pt%
\begin{beamercolorbox}{date}
\usebeamerfont{date}\insertdate
\end{beamercolorbox}
\vskip1em\par
\begin{beamercolorbox}{institute}
\usebeamerfont{institute}\insertinstitute
\end{beamercolorbox}
\begin{beamercolorbox}{author}
\usebeamerfont{author}\insertauthor
\end{beamercolorbox}
\vspace{2em}
% Sponsorlogo einfügen - sponosr ist 0, falls kein Bild angebeben wurde
\ifnum\sponsor>0
\pgfuseimage{sponsor}
\else
\fi
\vfill
\end{minipage}};
% Node mit dem Logo
\node[anchor=north west,xshift=-2.15cm, yshift=1pt, rectangle, inner sep=0pt,line width=0pt] at (current page.north east){\pgfuseimage{logoTitle}};
\end{tikzpicture}
} % Ende der Definition: Normal
%% Alternativ
\defbeamertemplate*{title page alternativ}{Rub}
{ % Beginn der Definition: Alternativ
\thispagestyle{empty}
\begin{tikzpicture}[remember picture,overlay]
% Erste Node: Setzt ganz oben links an, von dem Punkt aus kann dann in der zweiten tikzpicture Umgebung ausgegangen werden
\node[anchor=north west, inner sep=0pt] at (current page.north west) {
\begin{tikzpicture}[remember picture,overlay]
% Node mit Titelgrafik.
\node[anchor=north west, inner sep=0pt,yshift=0cm,xshift=-2mm,line width=0pt] at (current page.north west) {\TitleImage};
%Logo
\node[anchor=north west,xshift=-2.45cm, yshift=1pt, rectangle, inner sep=0pt] at (current page.north east){\pgfuseimage{logoTitle}};
% Weißer Hintergrund. Das Bild wird überdeckt.
\draw[style={white, line width=0pt, fill=white}] (current page.south west) rectangle (\paperwidth,-52mm);
% Node mit dem Text
\node[anchor=north west, inner sep=0pt, xshift=7mm,yshift=-55mm] at (current page.north west) {
\begin{minipage}{\linewidth}
\begin{beamercolorbox}{title}
% \pgfuseimage{wortmarkeTitle}\\[0.3cm]
\begin{tiny}\textbf{RUHR-UNIVERSIT{\"A}T}~BOCHUM \end{tiny} \\ [0.3cm]
\usebeamerfont{title}\inserttitle\par%
\ifx\insertsubtitle\@empty%
\else%
\vskip0.20em%
{\usebeamerfont{subtitle}\usebeamercolor[fg]{subtitle}\insertsubtitle\par}%
\fi%
\end{beamercolorbox}%
\vskip8pt%
\begin{beamercolorbox}{date}
\noindent\usebeamerfont{date}\insertdate
\end{beamercolorbox}
\vskip1em\par
\ifnum\sponsor=0 % Prüfen ob es ein Sponsorlogo gibt
\noindent\begin{minipage}{\linewidth} % wenn nein, ganze Zeile nutzen
\else
\begin{minipage}{8cm} % wenn ja, Platz fürs Logo lassen
\fi
\begin{beamercolorbox}[sep=0pt]{institute}
\noindent\usebeamerfont{institute}\insertinstitute
\end{beamercolorbox}
\begin{beamercolorbox}{author}
\noindent\usebeamerfont{author}\insertauthor
\end{beamercolorbox}
\end{minipage}
\vfill
\end{minipage}};
\end{tikzpicture}};
% Sponsor-Logo
\node[anchor=north west, xshift=-45mm, yshift=17mm, rectangle, inner sep=0pt, line width=0pt, minimum width=35mm, text height=15mm, minimum height=15mm] at (current page.south east){
\ifnum\sponsor>0
\pgfuseimage{sponsor}
\else
\fi};
\end{tikzpicture}
} % Ende der Definition: Alternativ
%% Alternativ mit großem Bild
\defbeamertemplate*{title page bild}{Rub}
{ % Beginn der Definition: Bild
\thispagestyle{empty}
\begin{tikzpicture}[remember picture,overlay]
% Erste Node: Setzt ganz oben links an, von dem Punkt aus kann dann in der zweiten tikzpicture Umgebung ausgegangen werden
\node[anchor=north west, inner sep=0pt] at (current page.north west) {
\begin{tikzpicture}[remember picture,overlay]
% Bild im Hintergrund
\node[anchor=north west, inner sep=0pt, xshift=-2mm] at (current page.north west) {\TitleImage};
% Weißer Fläche mit Text
\draw[style={white, line width=0pt, fill=white}] (current page.north west) rectangle (0.90\paperwidth,-45mm);
% Text
\node[anchor=north west, inner sep=0pt, xshift=.3cm,yshift=-0.5cm] at (current page.north west) {
\begin{minipage}{\linewidth}
\begin{beamercolorbox}{title}
% \pgfuseimage{wortmarkeTitle}\\[0.3cm]
\begin{tiny}\textbf{RUHR-UNIVERSIT{\"A}T}~BOCHUM \end{tiny}\\ [0.3cm]
\usebeamerfont{title}\inserttitle\par%
\ifx\insertsubtitle\@empty%
\else%
\vskip0.20em%
{\usebeamerfont{subtitle}\usebeamercolor[fg]{subtitle}\insertsubtitle\par}%
\fi%
\end{beamercolorbox}%
\vskip0.5em\par
\begin{beamercolorbox}[sep=0pt]{date}
\usebeamerfont{date}\insertdate
\end{beamercolorbox}
\vskip1em\par
\ifnum\sponsor=0 % Prüfen ob es ein Sponsorlogo gibt
\begin{minipage}{\linewidth} % wenn nein, ganze Zeile nutzen
\else
\begin{minipage}{8cm} % wenn ja, Platz fürs Logo lassen
\fi
\begin{beamercolorbox}[sep=0pt]{institute}
\usebeamerfont{institute}\insertinstitute
\end{beamercolorbox}
\begin{beamercolorbox}{author}
\usebeamerfont{author}\insertauthor
\end{beamercolorbox}
\vspace{1cm}
\end{minipage}
\end{minipage}};
% Sponsor-Logo
\node[anchor=north west,xshift=-50mm, yshift=-29mm, rectangle, inner sep=0pt, line width=0pt, minimum width=35mm, text height=15mm, minimum height=15mm] at (current page.north east){
\ifnum\sponsor>0
\pgfuseimage{sponsor}
\else
\fi};
% Logo
\node[anchor=north west,xshift=-2.25cm, yshift=1pt, rectangle, inner sep=0pt, line width=0pt] at (current page.north east){\pgfuseimage{logoTitle}};
\end{tikzpicture}};
\end{tikzpicture}
} % Ende der Definition: Bild
%% Alternativ mit großem Bild/empty (aufgeräumter Modus)
\defbeamertemplate*{title page bildempty}{Rub}
{ % Beginn der Definition: Bild
\thispagestyle{empty}
\begin{tikzpicture}[remember picture,overlay]
% Erste Node: Setzt ganz oben links an, von dem Punkt aus kann dann in der zweiten tikzpicture Umgebung ausgegangen werden
\node[anchor=north west, inner sep=0pt] at (current page.north west) {
\begin{tikzpicture}[remember picture,overlay]
% Bild im Hintergrund
\node[anchor=north west, inner sep=0pt, xshift=-2mm] at (current page.north west) {\TitleImage};
% Text
\node[anchor=north west, inner sep=0pt, xshift=.3cm,yshift=-0.5cm] at (current page.north west) {
\begin{minipage}{\linewidth}
\begin{beamercolorbox}{title}
% \pgfuseimage{wortmarkeTitle}\\[0.3cm]
\begin{tiny}\textbf{RUHR-UNIVERSIT{\"A}T}~BOCHUM \end{tiny} \\ [0.3cm]
\usebeamerfont{title}\inserttitle\par%
\ifx\insertsubtitle\@empty%
\else%
\vskip0.20em%
{\usebeamerfont{subtitle}\usebeamercolor[fg]{subtitle}\insertsubtitle\par}%
\fi%
\end{beamercolorbox}%
\begin{beamercolorbox}[sep=8pt]{date}
\usebeamerfont{date}\hspace{-0.5em}\insertdate
\end{beamercolorbox}
\vskip1em\par
\ifnum\sponsor=0 % Prüfen ob es ein Sponsorlogo gibt
\begin{minipage}{\linewidth} % wenn nein, ganze Zeile nutzen
\else
\begin{minipage}{8cm} % wenn ja, Platz fürs Logo lassen
\fi
\begin{beamercolorbox}[sep=-1pt]{institute}
\usebeamerfont{institute}\insertinstitute
\end{beamercolorbox}
\begin{beamercolorbox}{author}
\usebeamerfont{author}\insertauthor
\end{beamercolorbox}
\vspace{1cm}
\end{minipage}
\end{minipage}};
% Sponsor-Logo
\node[anchor=north west,xshift=-50mm, yshift=-29mm, rectangle, inner sep=0pt, line width=0pt, minimum width=35mm, text height=15mm, minimum height=15mm] at (current page.north east){
\ifnum\sponsor>0
\pgfuseimage{sponsor}
\else
\fi};
% Logo
\node[anchor=south west,xshift=3mm, yshift=3mm, rectangle, inner sep=0pt, line width=0pt] at (current page.south west){\pgfuseimage{logoTitle}};
\end{tikzpicture}};
\end{tikzpicture}
} % Ende der Definition: Bild
% Optionen zum Titelseitenformat ausführen
\defbeamertemplate*{title page}{Rub}[1][]
{
\usebeamertemplate{title page \beamer@Rub@alternativetitlepage}% hier wird der Wert der Variable aus dem Optionsfeld eingesetzt, und somit das entsprechende Titelbild definiert
}
% Macro zum Aufruf der Titelseite (um Fußzeile zu löschen)
\newcommand{\titleframe}{
\setbeamertemplate{footline}{}
\setbeamertemplate{headline}{}
\frame{\titlepage}
\setbeamertemplate{footline}[Rub theme]
\setbeamertemplate{headline}[Rub theme]
}
% Part page: Rub
\defbeamertemplate*{part page}{Rub}[1][]
{
\begin{centering}
{\usebeamerfont{part name}\usebeamercolor[fg]{part name}\partname~\insertromanpartnumber}
\vskip1em\par
\begin{beamercolorbox}[sep=8pt,center,#1]{part title}
\usebeamerfont{part title}\insertpart\par
\end{beamercolorbox}
\end{centering}
}
%
% Table of contents
%
%\defbeamertemplateparent{sections/subsections in toc}{section in toc,subsection in toc,subsubsection in toc}
{}
%\defbeamertemplateparent{sections/subsections in toc shaded}{section in toc shaded,subsection in toc shaded,subsubsection in toc shaded}[1][20]
%{[#1]}
% (sub-)section in toc: Rub
\defbeamertemplate*{section in toc}{Rub}
{\inserttocsection\par}
\defbeamertemplate*{subsection in toc}{Rub}
{\leavevmode\leftskip=1.5em\inserttocsubsection\par}
\defbeamertemplate*{subsubsection in toc}{Rub}
{\leavevmode\normalsize\usebeamerfont{subsection in toc}\leftskip=3em%
\usebeamerfont{subsubsection in toc}\inserttocsubsubsection\par}
% (sub-)section in toc shaded, Rub
\defbeamertemplate*{section in toc shaded}{Rub}[1][20]
{\begin{colormixin}{#1!parent.bg}\usebeamertemplate{section in toc}\end{colormixin}\unskip}
\defbeamertemplate*{subsection in toc shaded}{Rub}[1][20]
{\begin{colormixin}{#1!parent.bg}\usebeamertemplate{subsection in toc}\end{colormixin}\unskip}
\defbeamertemplate*{subsubsection in toc shaded}{Rub}[1][20]
{\begin{colormixin}{#1!parent.bg}\usebeamertemplate{subsubsection in toc}\end{colormixin}\unskip}
%
% Item
%
%\defbeamertemplateparent{items}{itemize items,enumerate items}
%{}
% Itemize items
%\defbeamertemplateparent{itemize items}{itemize item,itemize subitem,itemize subsubitem}
%{}
% Itemize items, Rub
\defbeamertemplate*{itemize item}{Rub}{\scriptsize\raise1.25pt\hbox{\donotcoloroutermaths$\blacktriangleright$}}
\defbeamertemplate*{itemize subitem}{Rub}{\tiny\raise1.5pt\hbox{\donotcoloroutermaths$\blacktriangleright$}}
\defbeamertemplate*{itemize subsubitem}{Rub}{\tiny\raise1.5pt\hbox{\donotcoloroutermaths$\blacktriangleright$}}
% Enumerate items, Rub
%\defbeamertemplateparent{enumerate items}{enumerate item,enumerate subitem,enumerate subsubitem,enumerate mini}
%{}
\defbeamertemplate*{enumerate item}{Rub}{\insertenumlabel.}
\defbeamertemplate*{enumerate subitem}{Rub}{\insertenumlabel.\insertsubenumlabel}
\defbeamertemplate*{enumerate subsubitem}{Rub}{\insertenumlabel.\insertsubenumlabel.\insertsubsubenumlabel}
\defbeamertemplate*{enumerate mini template}{Rub}{\insertenumlabel}
% Description item width
\defbeamertemplate*{description item}{Rub}{\insertdescriptionitem}
% Itemize/Enumerate body
\defbeamertemplate*{itemize/enumerate body begin}{Rub}{}
\defbeamertemplate*{itemize/enumerate body end}{Rub}{}
\defbeamertemplate*{itemize/enumerate subbody begin}{Rub}{}
\defbeamertemplate*{itemize/enumerate subbody end}{Rub}{}
\defbeamertemplate*{itemize/enumerate subsubbody begin}{Rub}{}
\defbeamertemplate*{itemize/enumerate subsubbody end}{Rub}{}
% Alerted text
\defbeamertemplate*{alerted text begin}{Rub}{\setbeamercolor{local structure}{parent=alerted text}}
% Structured text
% empyt Rubs
% Bibliography items
\defbeamertemplate*{bibliography item}{Rub}
{\hspace{3.2mm}\lower3.5pt\hbox{\hskip2pt\pgfuseimage{beamericonarticle}\hskip1pt}}
\defbeamertemplate*{bibliography entry article}{Rub}{}
\defbeamertemplate*{bibliography entry title}{Rub}{\par}
\defbeamertemplate*{bibliography entry location}{Rub}{\par}
\defbeamertemplate*{bibliography entry note}{Rub}{\par}
% Buttons
\newdimen\beamer@dima%
\newdimen\beamer@dimb%
\defbeamertemplate*{button}{Rub}
{%
\setbox\beamer@tempbox=\hbox{{\insertbuttontext}}%
\ht\beamer@tempbox=6pt%
\dp\beamer@tempbox=0pt%
\setbox\beamer@tempbox=\vbox{\box\beamer@tempbox\vskip2pt}%
\beamer@tempdim=\wd\beamer@tempbox%
\beamer@dima=\beamer@tempdim\advance\beamer@dima by2.2pt
\beamer@dimb=\beamer@tempdim\advance\beamer@dimb by4pt
\begin{pgfpicture}{-4pt}{0pt}{\the\beamer@tempdim}{8pt}
\color{bg}
\pgfsetlinewidth{0.8pt}
\pgfpathqmoveto{0pt}{0pt}
\pgfpathqcurveto{-2.2pt}{0pt}{-4pt}{1.8pt}{-4pt}{4pt}
\pgfpathqcurveto{-4pt}{6.2pt}{-2.2pt}{8pt}{0pt}{8pt}
\pgfpathlineto{\pgfpoint{\the\beamer@tempdim}{8pt}}
\pgfpathcurveto%
{\pgfpoint{\the\beamer@dima}{8pt}}%
{\pgfpoint{\the\beamer@dimb}{6.2pt}}%
{\pgfpoint{\the\beamer@dimb}{4pt}}
\pgfpathcurveto%
{\pgfpoint{\the\beamer@dimb}{1.8pt}}%
{\pgfpoint{\the\beamer@dima}{0pt}}%
{\pgfpoint{\the\beamer@tempdim}{0pt}}
\pgfpathclose
\pgfusepathqfill
\colorlet{bg}{parent.bg}
\usebeamercolor[fg]{button border}
\pgfpathqmoveto{0pt}{0pt}
\pgfpathqcurveto{-2.2pt}{0pt}{-4pt}{1.8pt}{-4pt}{4pt}
\pgfpathqcurveto{-4pt}{6.2pt}{-2.2pt}{8pt}{0pt}{8pt}
\pgfpathlineto{\pgfpoint{\the\beamer@tempdim}{8pt}}
\pgfpathcurveto%
{\pgfpoint{\the\beamer@dima}{8pt}}%
{\pgfpoint{\the\beamer@dimb}{6.2pt}}%
{\pgfpoint{\the\beamer@dimb}{4pt}}
\pgfpathcurveto%
{\pgfpoint{\the\beamer@dimb}{1.8pt}}%
{\pgfpoint{\the\beamer@dima}{0pt}}%
{\pgfpoint{\the\beamer@tempdim}{0pt}}
\pgfpathclose
\pgfusepathqstroke
\end{pgfpicture}%
\hskip-\beamer@tempdim%
\box\beamer@tempbox%
\kern4pt%
}
% Abstract
\defbeamertemplate*{abstract title}{Rub}
{%
\begin{center}%
\abstractname
\end{center}%
}
\defbeamertemplate*{abstract begin}{Rub}
{\beamercolorbox[vmode]{abstract}\leftskip2em\rightskip2em plus 1fill\usebeamerfont*{abstract}}
\defbeamertemplate*{abstract end}{Rub}
{\medskip\endbeamercolorbox}
% Verse
\defbeamertemplate*{verse begin}{Rub}
{\beamercolorbox[vmode]{verse}}
\defbeamertemplate*{verse end}{Rub}
{\endbeamercolorbox}
% Quotation
\defbeamertemplate*{quotation begin}{Rub}
{\beamercolorbox[vmode]{quotation}}
\defbeamertemplate*{quotation end}{Rub}
{\endbeamercolorbox}
% Quote
\defbeamertemplate*{quote begin}{Rub}
{\beamercolorbox[vmode]{quote}}
\defbeamertemplate*{quote end}{Rub}
{\endbeamercolorbox}
% Footnotes
\defbeamertemplate*{footnote}{Rub}
{
\parindent 1em\noindent%
\raggedright
\hbox to 1.8em{\hfil\insertfootnotemark}\insertfootnotetext\par%
}
% Captions
\defbeamertemplate*{caption}{Rub}
{%
\raggedright
{%
\usebeamercolor[fg]{caption name}%
\usebeamerfont*{caption name}%
\insertcaptionname:%
}
\insertcaption\par
}
% Blocks
\defbeamertemplate*{block begin}{Rub}
{
\par\vskip\medskipamount%
\begin{beamercolorbox}[colsep*=.75ex]{block title}
\usebeamerfont*{block title}\insertblocktitle%
\end{beamercolorbox}%
{\parskip0pt\par}%
\ifbeamercolorempty[bg]{block title}
{}
{\ifbeamercolorempty[bg]{block body}{}{\nointerlineskip\vskip-0.5pt}}%
\usebeamerfont{block body}%
\begin{beamercolorbox}[colsep*=.75ex,vmode]{block body}%
\ifbeamercolorempty[bg]{block body}{\vskip-.25ex}{\vskip-.75ex}\vbox{}%
}
\defbeamertemplate*{block end}{Rub}
{\end{beamercolorbox}\vskip\smallskipamount}
\defbeamertemplate*{block alerted begin}{Rub}
{
\par\vskip\medskipamount%
\begin{beamercolorbox}[colsep*=.75ex]{block title alerted}
\usebeamerfont*{block title alerted}\insertblocktitle%
\end{beamercolorbox}%
{\parskip0pt\par}%
\ifbeamercolorempty[bg]{block title alerted}
{}
{\ifbeamercolorempty[bg]{block body alerted}{}{\nointerlineskip\vskip-0.5pt}}%
\usebeamerfont{block body alerted}%
\begin{beamercolorbox}[colsep*=.75ex,vmode]{block body alerted}%
\ifbeamercolorempty[bg]{block body alerted}{\vskip-.25ex}{\vskip-.75ex}\vbox{}%
}
\defbeamertemplate*{block alerted end}{Rub}
{\end{beamercolorbox}\vskip\smallskipamount}
\defbeamertemplate*{block example begin}{Rub}
{
\par\vskip\medskipamount%
\begin{beamercolorbox}[colsep*=.75ex]{block title example}
\usebeamerfont*{block title example}\insertblocktitle%
\end{beamercolorbox}%
{\parskip0pt\par}%
\ifbeamercolorempty[bg]{block title example}
{}
{\ifbeamercolorempty[bg]{block body example}{}{\nointerlineskip\vskip-0.5pt}}%
\usebeamerfont{block body example}%
\begin{beamercolorbox}[colsep*=.75ex,vmode]{block body example}%
\ifbeamercolorempty[bg]{block body example}{\vskip-.25ex}{\vskip-.75ex}\vbox{}%
}
\defbeamertemplate*{block example end}{Rub}
{\end{beamercolorbox}\vskip\smallskipamount}
% Theorems
%\defbeamertemplateparent{theorems}{theorem begin,theorem end}
%{}
\defbeamertemplate*{theorem begin}{Rub}
{%
\begin{\inserttheoremblockenv}
{%
\inserttheoremname
\ifx\inserttheoremaddition\@empty\else\ (\inserttheoremaddition)\fi%
}%
}
\defbeamertemplate*{theorem end}{Rub}
{\end{\inserttheoremblockenv}}
% Proofs
\defbeamertemplate*{proof begin}{Rub}
{\begin{block}{\insertproofname}}
\defbeamertemplate*{proof end}{Rub}
{\end{block}}
\defbeamertemplate*{qed symbol}{Rub}
{\openbox}
\setbeamertemplate{sections/subsections in toc}[square]
\setbeamertemplate{items}[square]
\mode
<all>

104
presentation/beamerouterthemeRub.sty Normal file
View File

@@ -0,0 +1,104 @@
% Copyright 2007 by Till Tantau
% Edited by Sebastian Jeworutzki 2012
% This file may be distributed and/or modified
%
% 1. under the LaTeX Project Public License and/or
% 2. under the GNU Public License.
%
% See the file doc/licenses/LICENSE for more details.
\ProvidesPackage{beamerouterthemeRub}[27/09/12 15:35:45]
% Tikz wird benötigt
\RequirePackage{tikz}
% Einige benötigte Längenvariablen erzeugen
\newdimen\beamer@Rubwidth
\newdimen\beamer@headheight
\beamer@headheight=0.17\paperheight
\mode<presentation>
\defbeamertemplate*{frametitle}{Rub theme}
{%
\begin{tikzpicture}[remember picture, overlay]
% Erste Node: Setzt ganz oben links an, von dem Punkt aus kann dann in der zweiten tikzpicture Umgebung ausgegangen werden
\node[anchor=north west, inner sep=0pt] at (current page.north west) {
\begin{tikzpicture}[remember picture,overlay]
% Wegen der Maße werden die Bilder in der picture Umgebung definiert
\pgfdeclareimage[height=0.13\paperheight]{logo}{logo}
% Weißer Hintergrund für den Frame Title
\draw[anchor=north west, inner sep=0pt,style={white, line width=0pt, fill=white}] (current page.north west)
rectangle (0.9\paperwidth,-0.16\paperheight);
% Logo oben
\ifbeamer@empty % Nicht im Empty-Modus ausführen
\else
\node[anchor=north east,xshift=-0.05\paperwidth, rectangle, inner sep=0pt, yshift=1pt] at (current page.north east) {\pgfuseimage{logo}};
% Wortmarke oben
\node[anchor=west,xshift=0.03\paperwidth,yshift=-0.03\paperheight, rectangle, inner sep=0pt] at (current page.north west) { \begin{tiny}\textbf{RUHR-UNIVERSIT{\"A}T}~BOCHUM\end{tiny} };
\fi
% Node mit dem Text
\node[anchor=north west,xshift=0.03\paperwidth,yshift=-0.06\paperheight, rectangle, inner sep=0pt] at (current page.north west) {
\begin{minipage}{0.82\paperwidth}
% Institute ist überflüssig
%\ifx\insertinstitute\@empty%
% \else%
% \usebeamerfont{head institute}\insertinstitute\\[0.7em]
% \fi%
% \usebeamerfont{head author}\insertauthor
\usebeamerfont*{frametitle}\color{saphierblau}{\textbf{\insertframetitle}}
\ifx\insertframesubtitle\@empty%
\else%
\newline\usebeamerfont*{framesubtitle}\color{saphierblau}{\insertframesubtitle}
\fi%
\ifbeamer@section
\par
\usebeamerfont{section in head/foot} \insertsubsectionhead
\fi
\end{minipage}};
\end{tikzpicture}};
\end{tikzpicture}
}
\defbeamertemplate*{headline}{Rub theme}
{%
% Hier ist Platz für eine Headline über dem Frametitle
% Beispielsweise für den aktuellen Gliederungspunkt etc..
}
% Fußzeile
\defbeamertemplate*{footline}{Rub theme}
{
\ifbeamer@empty % Nicht im Empty-Modus ausführen
\linethickness{0pt}
\framelatex{
\begin{beamercolorbox}[leftskip=.3cm,wd=\paperwidth,ht=0.3\beamer@headheight,sep=0.1cm]{section in head/foot}
\usebeamerfont{section in head/foot}%
\hfill
\insertframenumber%$|$\inserttotalframenumber
\end{beamercolorbox}}
\else
\linethickness{0pt}
\framelatex{
\begin{beamercolorbox}[leftskip=.3cm,wd=\paperwidth,ht=0.3\beamer@headheight,sep=0.1cm]{section in head/foot}
\usebeamerfont{section in head/foot}%
\insertshortauthor~$|$~\insertshorttitle~$|$~\insertshortdate
\hfill
\insertframenumber%$|$\inserttotalframenumber
\hspace*{10pt}
\end{beamercolorbox}}
\fi
}
% Im Empty-Modus ausführen
\ifbeamer@empty
\fi
\mode
<all>

148
presentation/beamerthemeRub.sty Normal file
View File

@@ -0,0 +1,148 @@
% Copyright 2007 by Till Tantau
% Edited by Sebastian Jeworutzki 2012
% This file may be distributed and/or modified
%
% 1. under the LaTeX Project Public License and/or
% 2. under the GNU Public License.
%
% See the file doc/licenses/LICENSE for more details.
\ProvidesPackage{beamerthemeRub}[27/09/12 15:37:39]
\mode<presentation>
% Optionen entgegennehmen und an beamerinnertheme weitergeben, um die Art der Titelseite auszuwählen
\DeclareOptionBeamer{height}{\PassOptionsToPackage{height=#1}{beamerouterthemesidebar}}
\DeclareOptionBeamer{alternativetitlepage}[normal]{\PassOptionsToPackage{alternativetitlepage=#1}{beamerinnerthemeRub}}
\DeclareOptionBeamer{print}{\PassOptionsToPackage{print=#1}{}}
% Option für empty (aufgeräumten) Modus
\newif\ifbeamer@empty
\beamer@emptyfalse
\DeclareOptionBeamer{empty}{\beamer@emptytrue}
% Option für Gliederungspunkte unter Überschrift
\newif\ifbeamer@section
\beamer@sectionfalse
\DeclareOptionBeamer{section}{\beamer@sectiontrue}
\ProcessOptionsBeamer
% Einzelne Thema-Elemente laden
\useoutertheme{Rub}
\useinnertheme{Rub}
\usecolortheme{Rub}
\usefonttheme{Rub}
% Einstellungen für einzelne Elemente
\setbeamertemplate{blocks}[]
\setbeamercovered{transparent}
% Navigationssymbole ausblenden
\setbeamertemplate{navigation symbols}{}
% Den deutschen Captiontext abkürzen
\AtBeginDocument{%
\renewcommand{\figurename}{Abb.}%
\renewcommand{\tablename}{Tab.}%
}
% Kleinere Bildunterschriften
\setbeamertemplate{caption}{\small {\color{saphierblau}\insertcaptionname} \insertcaption }
% Seitenränder allgemein
\setbeamersize{text margin left=5mm,
text margin right=5mm}
% Seiteneinrichtung für die Frame-Optionen t,b,c
\define@key{beamerframe}{b}[true]{% bottom
\beamer@frametopskip=10mm plus 1fill\relax%
\beamer@framebottomskip=1mm\relax%
\beamer@frametopskipautobreak=\beamer@frametopskip\relax%
\beamer@framebottomskipautobreak=\beamer@framebottomskip\relax%
\def\beamer@initfirstlineunskip{}%
}
\define@key{beamerframe}{t}[true]{% top
\beamer@frametopskip=11mm\relax%
\beamer@framebottomskip=0mm plus 1fill\relax%
\beamer@frametopskipautobreak=0cm\relax%
\beamer@framebottomskipautobreak=\beamer@framebottomskip\relax%
\def\beamer@initfirstlineunskip{%
\def\beamer@firstlineitemizeunskip{%
% \vskip-\partopsep\vskip-\topsep\vskip-\parskip%
\global\let\beamer@firstlineitemizeunskip=\relax}%
\everypar{\global\let\beamer@firstlineitemizeunskip=\relax}}
}
\define@key{beamerframe}{c}[true]{% bottom
\beamer@frametopskip=10mm plus 1fill\relax%
\beamer@framebottomskip=0mm plus 1fill\relax%
\beamer@frametopskipautobreak=\beamer@frametopskip\relax%
\beamer@framebottomskipautobreak=\beamer@framebottomskip\relax%
\def\beamer@initfirstlineunskip{}%
}
% Tabellenlinien und farbig hinterlegt Tabellenüberschriften
\RequirePackage{booktabs}
\RequirePackage{colortbl}
\RequirePackage{etoolbox} %provides patchcmd
% after package colortbl is loaded
% http://tex.stackexchange.com/questions/159378/cline-disappears-in-beamer
\makeatletter
\patchcmd\@cline
{\arrayrulewidth\hfill}% search
{\arrayrulewidth\hfill\kern\z@}% replace
{}% success
{\errmessage{Patching \string\@cline\space failed}}% failure
\makeatother
\RequirePackage{array}
\arrayrulecolor{saphierblau}
\newcolumntype{+}{>{\global\let\currentrowstyle\relax}}
\newcolumntype{^}{>{\currentrowstyle}}
\newcommand{\rowstyle}[1]{\gdef\currentrowstyle{#1}%
#1\ignorespaces
}
\newcommand{\thead}{\rowstyle{\bfseries}}
% Anpassung Inhaltsverzeichnis
\def\sectionintoc{}
\def\beamer@sectionintoc#1#2#3#4#5{%
\ifnum\c@tocdepth>0%
\ifnum#4=\beamer@showpartnumber%
{
\beamer@saveanother%
\gdef\beamer@todo{}%
\beamer@slideinframe=#1\relax%
\expandafter\only\beamer@tocsections{\gdef\beamer@todo{%
\beamer@tempcount=#5\relax%
\advance\beamer@tempcount by\beamer@sectionadjust%
\edef\inserttocsectionnumber{\the\beamer@tempcount}%
\def\inserttocsection{\hyperlink{Navigation#3}{#2}}%
\beamer@tocifnothide{\ifnum\c@section=#1\beamer@toc@cs\else\beamer@toc@os\fi}%
{
\ifbeamer@pausesections\pause\fi%
\ifx\beamer@toc@ooss\beamer@hidetext
\vskip0.5em % hier ist der Abstand zwischen den Einträgen definiert
\else
\vfill
\fi
{%
\hbox{\vbox{%
\def\beamer@breakhere{\\}%
\beamer@tocact{\ifnum\c@section=#1\beamer@toc@cs\else\beamer@toc@os\fi}{section in toc}}}%
\par%
}%
}%
}
}%
\beamer@restoreanother%
}
\beamer@todo%
\fi\fi%
}
\mode
<all>

BIN
presentation/curve.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 78 KiB

BIN
presentation/images/FIDO_logo_black_RGB.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
presentation/images/FIDO_logo_black_RGB.webp Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.5 KiB

BIN
presentation/images/SSH.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

2
presentation/images/links Normal file
View File

@@ -0,0 +1,2 @@
SSH: https://upload.wikimedia.org/wikipedia/commons/0/00/Unofficial_SSH_Logo.svg
FIDO: https://fidoalliance.org/overview/legal/logo-usage/

BIN
presentation/images/signal.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
presentation/images/whatsapp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 289 KiB

BIN
presentation/images/wireguard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 79 KiB

BIN
presentation/logo.pdf Normal file
View File

Binary file not shown.

BIN
presentation/presentation.pdf Normal file
View File

Binary file not shown.

1113
presentation/presentation.tex Normal file
View File

File diff suppressed because it is too large Load Diff

55
thesis/Abschlussarbeit.tex
View File

@@ -52,7 +52,7 @@ A formal Security Analysis of the EdDSA Signature Scheme
\begin{center}\textbf{
{\Large{Ruhr-Universität Bochum\\}}
\vspace{2em}
{\large{Fakultät für Mathematik\\
{\large{Fakultät für Informatik\\
\vspace{1em}
Lehrstuhl für Kryptographie}}\\
}
@@ -116,14 +116,14 @@ The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$
\label{theorem:eddsa_sp_su}
Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} \]
\end{theorem}
\begin{theorem}[Security of EdDSA with lax parsing in the single-user setting]
\label{theorem:eddsa_lp_su}
Let $\adversary{A}$ be an adversary against the EUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} \]
\end{theorem}
The proof begins by showing that the EUF-NMA security of EdDSA implies the SUF-CMA/EUF-CMA security of EdDSA with different types of parsing, in the random oracle model. With this step, subsequent proofs can be performed without worrying about signature generation, and a unified chain of reduction can be used to prove the security of EdDSA with both parsing variants. Next, an algebraic intermediate game \igame is introduced. This intermediate game serves as a separation for proofs in the random oracle model and those in the algebraic group model. Finally, the intermediate game \igame is reduced to the special discrete logarithm variant \sdlog.
@@ -144,27 +144,28 @@ Now that the single-user security of EdDSA got analyzed, we can take a look at i
Therefore, a similar approach to the proof in the single-user setting is used. It is not possible to reduce onto the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$, which was needed for the discrete logarithm of the public key to be calculated. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used, as introduced in \cite{JC:BNPS03}.
The proof starts by showing that the MU-EUF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the MU-EUF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption.
The proof starts by showing that the $N$-MU-EUF-NMA security of EdDSA implies $N$-MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the $N$-MU-EUF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption.
The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
\begin{theorem}[Security of EdDSA with strict parsing in the multi-user setting]
\label{theorem:eddsa_sp_mu}
Let $\adversary{A}$ be an adversary against the MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
Let $\adversary{A}$ be an adversary against the $N$-MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\[ \advantage{\group{G}, \adversary{A}}{\text{$N$-MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} \]
\end{theorem}
\begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting]
\label{theorem:eddsa_lp_mu}
Let $\adversary{A}$ be an adversary against the MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
Let $\adversary{A}$ be an adversary against the $N$-MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\[ \advantage{\group{G}, \adversary{A}}{\text{$N$-MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}} \]
\end{theorem}
The chain of reductions can be depicted as:
\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} MU-\cma_{\text{EdDSA sp}} / \text{MU-EUF-CMA}_{\text{EdDSA lp}} \]
\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{$N$-MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{$N$-MU-\cma}_{\text{EdDSA sp}} \]
\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{$N$-MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{$N$-MU-EUF-CMA}_{\text{EdDSA lp}} \]
\input{sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma}
\input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma}
@@ -184,40 +185,4 @@ By combining the loss of advantage during all of the proofs above, combined with
\bibliographystyle{ieeetr}
\bibliography{cryptobib/abbrev0,cryptobib/crypto,./citation}
\newpage\
\newpage\
\section*{Ehrenwörtliche Erklärung}
\selectlanguage{ngerman}
\addcontentsline{toc}{section}{Ehrenwörtliche Erklärung}
\noindent
Hiermit versichere ich,
%Name
Aaron Kaiser
wohnhaft
%Adresse
Universitätsstr. 110, 44799 Bochum, dass ich die vorliegende Arbeit selbstständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel benutzt habe,
dass alle Stellen der Arbeit, die wörtlich oder sinngemäß aus anderen Quellen übernommen wurden, als solche kenntlich gemacht sind und dass die Arbeit in gleicher
oder ähnlicher Form noch keiner Prüfungsbehörde vorgelegt wurde.
\vspace{4\baselineskip}
\noindent
%Ort
Bochum,
\today\hspace{5.19625cm}\underline{\hspace{5.9cm}}\\
\phantom{\hspace{11.5cm}}{\small{
%Name
Aaron Kaiser
}}
\newpage\
\thispagestyle{empty}
\end{document}

4
thesis/macros.tex
View File

@@ -26,7 +26,7 @@
% Special Dlog
\newcommand{\sdlog}{\text{Ed-DLog}\xspace}
\newcommand{\somdl}{\text{Ed-OMDL}\xspace}
\newcommand{\somdl}{\text{$N$-Ed-DLog-Reveal}\xspace}
% SIM algotithm
\newcommand{\simalg}{\textit{Sim}\xspace}
@@ -48,7 +48,7 @@
% Oracle
\newcommand{\Osign}{\textit{Sign}\xspace}
\newcommand{\Odl}{\textif{DL}\xspace}
\newcommand{\Odl}{\textif{Reveal}\xspace}
% Structrues
\newcommand{\curve}{E}

40
thesis/sections/concrete_security.tex
View File

@@ -20,7 +20,7 @@ This definition can be used to calculate the bit security of concrete instantiat
\begin{theorem}[Ed25519 Bit Security]
\label{theorem:ed25519}
The Ed25519 signature scheme provides 125-bit security in the single-user setting and 124-bit security in the multi-user setting against algebraic adversaries.
The Ed25519 signature scheme provides 125-bit security in the single-user setting and 124-bit security in the multi-user setting against generic adversaries.
\end{theorem}
Ed25519 is one of the most widely used instantiations of EdDSA. According to the RFC it is supposed to provide around 128-bit of security. It uses the twisted Edwards curve Ed25519 and SHA-512 as a hash function \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. This provides the following values, needed to calculate the security level of Ed25519 according to the security proof in this thesis:
@@ -48,10 +48,10 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{125} + 3)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64}}{2^{252} 2^{125}} \\
&\approx 2^{-125} + 2^{-316} + 2^{-189} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{125} + 3)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} (2^{125} + 1) 2^{260}}{2^{512} 2^{125}} \\
&\approx 2^{-125} + 2^{-316} + 2^{-188} \\
&\approx 2^{-125}
\end{align*}
@@ -62,11 +62,11 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
This provides a success ratio of:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{125} + 2^{35} + 2)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64} 2^{35}}{2^{252} 2^{125}} \\
&\approx 2^{-124} + 2^{-316} + 2^{-189} \\
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{$N$-MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{125} + 2^{35} + 2)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} (2^{125} + 2^{35}) 2^{260}}{2^{512} 2^{125}} \\
&\approx 2^{-124} + 2^{-316} + 2^{-188} \\
&\approx 2^{-124}
\end{align*}
@@ -79,7 +79,7 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
\begin{theorem}[Ed448 Bit Security]
\label{theorem:ED448}
The Ed448 signature scheme provides 221-bit security in the single-user setting and 220-bit security in the multi-user setting against algebraic adversaries.
The Ed448 signature scheme provides 221-bit security in the single-user setting and 220-bit security in the multi-user setting against generic adversaries.
\end{theorem}
Another popular instantiation of the EdDSA signature scheme is Ed448. It uses the Ed448 twisted Edwards curve and SHAKE256 as hash function. It is supposed to provide around 224 bits of security and was also standardized by the IETF and NIST \cite{josefsson_edwards-curve_2017} \cite{moody_digital_2023}. The respective standards provide following values:
@@ -105,10 +105,10 @@ Another popular instantiation of the EdDSA signature scheme is Ed448. It uses th
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{223} + 3)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} 2^{223} + 2^{64}}{2^{446} 2^{223}} \\
&\approx 2^{-221} + 2^{-455} + 2^{-382} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + 1) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{223} + 3)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} (2^{223} + 1) 2^{466}}{2^{912} 2^{223}} \\
&\approx 2^{-221} + 2^{-455} + 2^{-372} \\
&\approx 2^{-221}
\end{align*}
@@ -117,11 +117,11 @@ Another popular instantiation of the EdDSA signature scheme is Ed448. It uses th
Now the same is done for the multi-user security of Ed448. This yields following upper bound for the success ratio:
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{223} + 2^{35} + 2)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} 2^{223} + 2^{64} 2^{35}}{2^{446} 2^{223}} \\
&\approx 2^{-220} + 2^{-445} + 2^{-382} \\
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{$N$-MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{A}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries (\hashqueries + N) \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}}{Time(\adversary{A})} \\
&\leq \frac{2 (2^{223} + 2^{35} + 2)^2 + 1}{2^{444} 2^{223}} + \frac{2(2^{223} + 1)}{2^{456} 2^{223}} + \frac{2^{64} (2^{223} + 2^{35}) 2^{466}}{2^{912} 2^{223}} \\
&\approx 2^{-220} + 2^{-445} + 2^{-372} \\
&\approx 2^{-220}
\end{align*}

24
thesis/sections/edggm/omdl.tex
View File

@@ -19,12 +19,12 @@ This section provides a lower bound on the hardness of the modified version of t
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), \textit{Reveal}(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\Statex \underline{\oracle \textit{Reveal}($j \in \{1,2,...,N\}$)}
\Comment{max. one query}
\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$
\end{algorithmic}
@@ -72,12 +72,12 @@ This section provides a lower bound on the hardness of the modified version of t
\Comment{$G_2 - G_4$}
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
\EndBox
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), \textit{Reveal}(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\Statex \underline{\oracle \textit{Reveal}($j \in \{1,2,...,N\}$)}
\BeginBox[draw=green]
\State \textbf{for } $P_i \in \pset{P}$
\Comment{$G_3 - G_4$}
@@ -139,7 +139,7 @@ This section provides a lower bound on the hardness of the modified version of t
\EndBox
\State \quad $P_i \assign Z_i$
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), \textit{Reveal}(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\BeginBox[draw=orange]
\State \textbf{for } $i \in \{1,2,...,N\}$
\Comment{$G_8$}
@@ -159,7 +159,7 @@ This section provides a lower bound on the hardness of the modified version of t
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\Statex \underline{\oracle \textit{Reveal}($j \in \{1,2,...,N\}$)}
\BeginBox[draw=orange]
\State \textbf{for } $i \in \{1,2,...,N\} \backslash \{j\}$
\Comment{$G_8$}
@@ -215,7 +215,7 @@ This section provides a lower bound on the hardness of the modified version of t
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the \textit{Reveal} query. Without loss of generality the following explanation assumes that the adversary queries the \textit{Reveal} oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. The polynom $S_i$ only contains the monial $Z_n$, while the polynom $R_i$ contains the remaining monials and the constant. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \]
@@ -229,21 +229,21 @@ This section provides a lower bound on the hardness of the modified version of t
\[ \prone{G_4^{\adversary{A}}} = \prone{G_5^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_6:$}} $G_6$ aborts if the $bad_2$ flag is set. The $bad_2$ flag is set if any two distinct polynomials evaluate to the same value, when evaluated with the vector of discrete logarithms. There are two cases. The first case is that the adversary has queried the DL oracle. The second case is that the adversary did not queried the DL oracle.
\item \paragraph{\underline{$G_6:$}} $G_6$ aborts if the $bad_2$ flag is set. The $bad_2$ flag is set if any two distinct polynomials evaluate to the same value, when evaluated with the vector of discrete logarithms. There are two cases. The first case is that the adversary has queried the \textit{Reveal} oracle. The second case is that the adversary did not queried the \textit{Reveal} oracle.
In the first case the adversary got the discrete logarithms of all but one challenge. Without loss of generality it is assumed that the adversary queried the discrete logarithm of all but the $N$th group element. In this case all polynomials in $\pset{P}$ are in $\field{L}[Z_N]$, since at the time of the DL query all polynomials, generated up to this point, are partially evaluated and are in $\field{Z}[Z_N]$. All polynomials that are generated after this point are generated by the addition of the existing polynomials and are therefore also in $\field{L}[Z_N]$. In this case the Schwartz-Zippel lemma can be applied since the adversary has no information on the remaining discrete logarithm. This is the same scenario as in the \sdlog proof.
In the first case the adversary got the discrete logarithms of all but one challenge. Without loss of generality it is assumed that the adversary queried the discrete logarithm of all but the $N$th group element. In this case all polynomials in $\pset{P}$ are in $\field{L}[Z_N]$, since at the time of the \textit{Reveal} query all polynomials, generated up to this point, are partially evaluated and are in $\field{Z}[Z_N]$. All polynomials that are generated after this point are generated by the addition of the existing polynomials and are therefore also in $\field{L}[Z_N]$. In this case the Schwartz-Zippel lemma can be applied since the adversary has no information on the remaining discrete logarithm. This is the same scenario as in the \sdlog proof.
In the case where the adversary did not queried the DL oracle the adversary has no information on any of the discrete logarithms. All polynomials in $\pset{P}$ are in $\field{Z}[N_1, ..., Z_N]$. In this case the Schwartz-Zippel lemma can be applied, since the all discrete logarithms are chosen uniformly at random and the adversary has no information on them, prior to them being chosen.
In the case where the adversary did not queried the \textit{Reveal} oracle the adversary has no information on any of the discrete logarithms. All polynomials in $\pset{P}$ are in $\field{Z}[N_1, ..., Z_N]$. In this case the Schwartz-Zippel lemma can be applied, since the all discrete logarithms are chosen uniformly at random and the adversary has no information on them, prior to them being chosen.
The probability of $bad_2$ being true can be calculated using the Schwartz-Zippel lemma, as described in the game-hop to $G_4$. With the Union bound over all polynomial pairs in $\pset{P}$ the probability of $bad_2$ being true is $\Pr[bad_2] \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$. $G_5$ and $G_6$ are identical-until-bad games, therefore:
\[ |\prone{G_5^{\adversary{A}}} - \prone{G_6^{\adversary{A}}}| \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}. \]
\item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of polynomials in the Enc procedure. It is argued that this change is only conceptual. When the evaluation of polynomials is removed, the polynomials are compared directly. Group elements represented by different polynomials are assigned different labels by the challenger. This is equivalent to the original definition as long as different polynomials do not evaluate to the same value, when evaluated with the discrete logarithms. This inconsistency in the simulation can be detected by the adversary when it gets some information on the discrete logarithms. This can either be during the query to the DL oracle or after the adversary provided its solution. In both cases there is an if condition checking for this inconsistency. If such an inconsistency is detected the game aborts. This change is only conceptual, since the different polynomials correspond to different group elements, in the cases where the game does not abort, and since the adversary only sees the labels it cannot detect whether the challenger works with polynomials or concrete discrete logarithms. Hence,
\item \paragraph{\underline{$G_7:$}} $G_7$ removes the evaluation of polynomials in the Enc procedure. It is argued that this change is only conceptual. When the evaluation of polynomials is removed, the polynomials are compared directly. Group elements represented by different polynomials are assigned different labels by the challenger. This is equivalent to the original definition as long as different polynomials do not evaluate to the same value, when evaluated with the discrete logarithms. This inconsistency in the simulation can be detected by the adversary when it gets some information on the discrete logarithms. This can either be during the query to the \textit{Reveal} oracle or after the adversary provided its solution. In both cases there is an if condition checking for this inconsistency. If such an inconsistency is detected the game aborts. This change is only conceptual, since the different polynomials correspond to different group elements, in the cases where the game does not abort, and since the adversary only sees the labels it cannot detect whether the challenger works with polynomials or concrete discrete logarithms. Hence,
\[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. Since the discrete logarithms are not used during the Enc function anymore they the challenger can generate them not at the start of the game but only right before they are used. The discrete logarithms are only used during the inconsistency checks in the DL oracle or after the adversary has provided its solution. $N - 1$ discrete logarithms are used in the DL oracle to check for inconsistencies and to partially evaluate the polynomials. After the adversary provided its solution the remaining discrete logarithms can chosen to fully evaluate all polynomials. This can be either all discrete logarithm, in the case that the adversary did not queried the DL oracle, or the remaining one, in the case that the adversary did queried the DL oracle. This change is only conceptual, since the initialization of variables is only moved right before the variable is used. Therefore,
\item \paragraph{\underline{$G_8:$}} In $G_8$ the discrete logarithms of the challenge are only generated right before they are used. Since the discrete logarithms are not used during the Enc function anymore they the challenger can generate them not at the start of the game but only right before they are used. The discrete logarithms are only used during the inconsistency checks in the \textit{Reveal} oracle or after the adversary has provided its solution. $N - 1$ discrete logarithms are used in the \textit{Reveal} oracle to check for inconsistencies and to partially evaluate the polynomials. After the adversary provided its solution the remaining discrete logarithms can chosen to fully evaluate all polynomials. This can be either all discrete logarithm, in the case that the adversary did not queried the \textit{Reveal} oracle, or the remaining one, in the case that the adversary did queried the \textit{Reveal} oracle. This change is only conceptual, since the initialization of variables is only moved right before the variable is used. Therefore,
\[ \prone{G_7^{\adversary{A}}} = \prone{G_8^{\adversary{A}}}. \]

34
thesis/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex
View File

@@ -1,13 +1,13 @@
\subsection{MU-\igame $\overset{\text{ROM}}{\Rightarrow}$ MU-EUF-NMA}
\subsection{$N$-MU-\igame $\overset{\text{ROM}}{\Rightarrow}$ $N$-MU-EUF-NMA}
This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition of the proof followed by the detailed security proof.
This section shows that $N$-MU-\igame implies $N$-MU-EUF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition of the proof followed by the detailed security proof.
\paragraph{\underline{Introducing MU-\igame}} This game follows closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $N$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The MU-\igame game is depicted in figure \ref{game:mu-igame}.
\paragraph{\underline{Introducing $N$-MU-\igame}} This game follows closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $N$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The $N$-MU-\igame game is depicted in figure \ref{game:mu-igame}.
\begin{definition}[MU-\igame]
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$, receiving $N$ public keys as input, we define its advantage in the MU-\igame as following:
\begin{definition}[$N$-MU-\igame]
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$, receiving $N$ public keys as input, we define its advantage in the $N$-MU-\igame as following:
\[ \advantage{\adversary{A}}{\text{MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \]
\[ \advantage{\adversary{A}}{\text{$N$-MU-\igame}}(\secparamter) \assign | \Pr[\text{$N$-MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \]
\end{definition}
\begin{figure}[h]
@@ -15,7 +15,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\vspace{1mm}
\large
\begin{algorithmic}
\Statex \underline{\game \igame}
\Statex \underline{\game $N$-MU-\igame}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
@@ -30,18 +30,18 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\State \Return $\ch_i$
\end{algorithmic}
\hrule
\caption{MU-\igame}
\caption{$N$-MU-\igame}
\label{game:mu-igame}
\end{figure}
\begin{theorem}
\label{theorem:adv_mu-igame}
Let $\adversary{A}$ be an adversary against MU-\igame. Then,
Let $\adversary{A}$ be an adversary against $N$-MU-\igame. Then,
\[ \advantage{\adversary{A}}{\text{MU-EUF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter). \]
\[ \advantage{\adversary{A}}{\text{$N$-MU-EUF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{$N$-MU-\igame}}(\secparamter). \]
\end{theorem}
\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle, a valid forgery of the signature also becomes a valid solution for the MU-\igame game.
\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle, a valid forgery of the signature also becomes a valid solution for the $N$-MU-\igame game.
\paragraph{\underline{Formal Proof}}
@@ -72,16 +72,16 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\end{figure}
\begin{proof}
\item Now it is argued that the \ioracle oracle can be used to simulate the hash function in a way that the answer of the MU-EUF-NMA adversary can be used as an valid solution for the MU-\igame challenger.
\item Now it is argued that the \ioracle oracle can be used to simulate the hash function in a way that the answer of the $N$-MU-EUF-NMA adversary can be used as an valid solution for the $N$-MU-\igame challenger.
\item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as MU-EUF-NMA with EdDSA. By definition,
\item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as $N$-MU-EUF-NMA with EdDSA. By definition,
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-EUF-NMA}}(\secparamter) = \Pr[\text{MU-EUF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{$N$-MU-EUF-NMA}}(\secparamter) = \Pr[\text{$N$-MU-EUF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{MU-\igame}}(\secparamter). \label{eq:adv_mu-igame}
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{$N$-MU-\igame}}(\secparamter). \label{eq:adv_mu-igame}
\end{align}
\begin{figure}[h]
@@ -108,7 +108,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\label{fig:adversary_mu-igame}
\end{figure}
\item To proof (\ref{eq:adv_mu-igame}), we define an adversary $\adversary{B}$ attacking MU-\igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_mu-igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is perfectly simulated because the \ioracle oracle also outputs a uniformly random 2b-bit bitstring. For this reason, $H$ returns a uniformly random 2b-bit bitstring for all queries, as expected.
\item To proof (\ref{eq:adv_mu-igame}), we define an adversary $\adversary{B}$ attacking $N$-MU-\igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_mu-igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is perfectly simulated because the \ioracle oracle also outputs a uniformly random 2b-bit bitstring. For this reason, $H$ returns a uniformly random 2b-bit bitstring for all queries, as expected.
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that:
@@ -119,7 +119,7 @@ This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signa
\groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A_i}
\end{align*}
Therefore, $S$ is a valid solution for the MU-\igame game.
Therefore, $S$ is a valid solution for the $N$-MU-\igame game.
\item This proves theorem \ref{theorem:adv_mu-igame}.
\end{proof}

44
thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex
View File

@@ -1,15 +1,15 @@
\subsection{MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-SUF-CMA}_{\text{EdDSA sp}}$}
\subsection{$N$-MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{$N$-MU-SUF-CMA}_{\text{EdDSA sp}}$}
This section shows that the MU-EUF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the random oracle model. The section starts with providing an intuition of the proof, followed by the detailed security proof.
This section shows that the $N$-MU-EUF-NMA security of the EdDSA signature scheme implies the $N$-MU-SUF-CMA security of the EdDSA signature scheme using the random oracle model. The section starts with providing an intuition of the proof, followed by the detailed security proof.
\begin{theorem}
\label{theorem:adv_mu-uf-nma}
Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against $N$-MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\adversary{A}}{\text{$N$-MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{$N$-MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the absence of the \Osign oracle in MU-EUF-NMA. For this reason, the reduction must simulate the \Osign oracle without the knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure, introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}.
\paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the absence of the \Osign oracle in $N$-MU-EUF-NMA. For this reason, the reduction must simulate the \Osign oracle without the knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure, introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}.
\paragraph{\underline{Formal Proof}}
@@ -83,11 +83,11 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im
\end{figure}
\begin{proof}
\item Now the original MU-SUF-CMA game is manipulated in a way that makes it possible to simulate signatures without the knowledge of the secret key. During each of the game-hops the probability for an adversary to detect this change is upper bounded.
\item Now the original $N$-MU-SUF-CMA game is manipulated in a way that makes it possible to simulate signatures without the knowledge of the secret key. During each of the game-hops the probability for an adversary to detect this change is upper bounded.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one. $G_0$ is the MU-SUF-CMA for EdDSA. By definition,
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one. $G_0$ is the $N$-MU-SUF-CMA for EdDSA. By definition,
\[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\[ \advantage{\text{EdDSA},\adversary{A}}{\text{$N$-MU-}\cma}(\secparamter) = \Pr[\text{\text{$N$-MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1:$}} $G_1$ now is defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set if the hash value is already set. The bad flag being set represents cases where the adversary already queried the random oracle for the challenge used for that signature and therefore the random oracle cannot be programmed. This results in the challenger not being able to produce a valid signature. This change is only conceptual, as it does not alter the behavior of the oracle. Therefore,
@@ -95,7 +95,7 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im
\item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. Again, without loss of generality it is assumed that the adversary only queried each public key/message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function, the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item \paragraph{\underline{$G_3:$}} In $G_3$ the \Osign oracle is replaced by the \Osign oracle in the green box. Instead of calculating the response using the secret key, the \simalg algorithm is used to generate a tuple of commitment, challenge, and response. Then the random oracle is programmed to output the specific challenge given $\encoded{R} | \encoded{A_j} | \m$ as an input. This change is only conceptual, since \simalg outputs a correctly distributed set and it was ruled out in earlier games that the random oracle was previously queries with this input. Hence,
@@ -104,7 +104,7 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter). \label{eq:adv_mu-uf-nma}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{$N$-MU-EUF-NMA}}(\secparamter). \label{eq:adv_mu-uf-nma}
\end{align}
\begin{figure}[h]
@@ -136,11 +136,11 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{MU-EUF-NMA}$}
\caption{Adversary $\adversary{B}$ breaking $\text{$N$-MU-EUF-NMA}$}
\label{fig:adversaryb_mu-uf-nma}
\end{figure}
To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-EUF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-EUF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{$N$-MU-EUF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{$N$-MU-EUF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Again there is only one valid encoded $S$ for each $\groupelement{R}$, $m$, $\groupelement{A_i}$ tuple that satisfies the verification equation. For the signature to be a valid forgery it must not be outputted by the \Osign oracle for this specific $m^*$ and $\groupelement{A_i}$. No new valid signature can be generated from a valid one by just changing the $S$ value. This means that either $\groupelement{R}$, $m$ or $\groupelement{A_i}$ have to be changed to generate a new valid signature from an already valid signature. Since all these parameters are part of the hash query to generate the challenge the resulting hash value has to be forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Hence,
@@ -149,22 +149,22 @@ This section shows that the MU-EUF-NMA security of the EdDSA signature scheme im
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}
\end{align*}
Since the public keys and the results of the hash queries are forwarded from the MU-EUF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-EUF-NMA challenger.
Since the public keys and the results of the hash queries are forwarded from the $N$-MU-EUF-NMA challenger the forged signature from $\adversary{A}$ in the $N$-MU-\cma game is also a valid forgery for the $N$-MU-EUF-NMA challenger.
\item In the main procedure the adversary $\adversary{B}$ simply calls adversary $\adversary{A}$ and outputs its forged signature. To simulate the hash function $\adversary{B}$ simply forwards the queries to adversary $\adversary{A}$ and to a signature $\adversary{B}$ obtains the pair of commitment, challenge, and solution from the \simalg procedure, which is just samples two values and calculates the last one using a simple equation, and then programs its random oracle. Therefore, the runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$.
\item This proves theorem \ref{theorem:adv_mu-uf-nma}.
\end{proof}
\subsection{MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-EUF-CMA}_{\text{EdDSA lp}}$}
\subsection{$N$-MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{$N$-MU-EUF-CMA}_{\text{EdDSA lp}}$}
This section shows that MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing used in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-EUF-NMA security. Similar to the proof in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. This way the adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. This would result in the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ being programmed by the reduction itself and therefore the signature not being valid for the EUF-NMA challenger.
This section shows that $N$-MU-EUF-NMA security of EdDSA implies the $N$-MU-EUF-CMA security of EdDSA with lax parsing used in the random oracle model. This proof is very similar to the proof $N$-MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking $N$-MU-EUF-NMA security. Similar to the proof in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. This way the adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. This would result in the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ being programmed by the reduction itself and therefore the signature not being valid for the EUF-NMA challenger.
\begin{theorem}
\label{theorem:adv2_mu-uf-nma}
Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against $N$-MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\adversary{A}}{\text{$N$-MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{$N$-MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Formal Proof}}
@@ -172,7 +172,7 @@ This section shows that MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA secu
\begin{proof}
\item
\begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter). \label{eq:adv2_mu-uf-nma}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{$N$-MU-EUF-NMA}}(\secparamter). \label{eq:adv2_mu-uf-nma}
\end{align}
\begin{figure}[h]
@@ -204,20 +204,20 @@ This section shows that MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA secu
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{MU-EUF-NMA}$}
\caption{Adversary $\adversary{B}$ breaking $\text{$N$-MU-EUF-NMA}$}
\label{fig:adversary_b_mu-uf-nma}
\end{figure}
To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking MU-EUF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the MU-EUF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $N$-MU-EUF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the $N$-MU-EUF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the MU-EUF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore,
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the $N$-MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the $N$-MU-EUF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}\\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}.
\end{align*}
This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the MU-EUF-NMA challenger.
This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the $N$-MU-EUF-NMA challenger.
\item Since the adversary $\adversary{B}$ is the same as in the proof above, its runtime is roughly the same as the runtime of adversary $\adversary{A}$, for the same reason.

30
thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex
View File

@@ -1,8 +1,8 @@
\subsection{\somdl $\overset{\text{AGM}}{\Rightarrow}$ MU-\igame}
\subsection{\somdl $\overset{\text{AGM}}{\Rightarrow}$ $N$-MU-\igame}
This section shows that \somdl implies MU-\igame using the algebraic group model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof. The reduction cannot be directly performed using the \sdlog assumption, since the representation of the commitment contains more than one group element with unknown discrete logarithm, because the adversary against MU-\igame receives multiple public keys as input. Therefore, a new assumption, based on the one-more discrete logarithm assumption, has to be introduced.
This section shows that \somdl implies $N$-MU-\igame using the algebraic group model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof. The reduction cannot be directly performed using the \sdlog assumption, since the representation of the commitment contains more than one group element with unknown discrete logarithm, because the adversary against $N$-MU-\igame receives multiple public keys as input. Therefore, a new assumption, based on the one-more discrete logarithm assumption, has to be introduced.
\paragraph{\underline{Introducing \somdl}} Similar to \sdlog, which is a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem, which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only differences to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} are that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ which represents all valid secret scalars regarding the key generation algorithm and that the adversary is only able to query $N-1$ discrete logarithms of the challenge group elements at once. This modification makes the assumption weaker than the original one-more discrete logarithm assumption. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is illustrated in figure \ref{fig:somdl}.
\paragraph{\underline{Introducing \somdl}} Similar to \sdlog, which is a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem, which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only differences to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} are that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ which represents all valid secret scalars regarding the key generation algorithm and that the adversary is only able to query $N-1$ discrete logarithms of the challenge group elements at once. This modification makes the assumption weaker than the original one-more discrete logarithm assumption. Since the resulting game is similar to the $N$-discrete logarithm problem with an additinal \textit{Reveal} query, it is called \somdl. A lower bound on the hardness of the \somdl problem is further analyzed in section \ref{sec:somdl}. The \somdl game is illustrated in figure \ref{fig:somdl}.
\begin{definition}[\somdl]
\label{def:somdl}
@@ -20,12 +20,12 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{Reveal(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\oracle $DL(j \in \{1,2,...,N\})$}
\Statex \underline{\oracle $Reveal(j \in \{1,2,...,N\})$}
\Comment{max. one query}
\vspace{1mm}
\State \Return $\{a_i|i \in \{1,2,...,N\}\backslash \{j\}\}$
@@ -40,10 +40,10 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\label{theorem:adv_omdl'}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, receiving $N$ public keys and making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G},\adversary{A}}{\text{$N$-MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason, the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it is again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason, the representation of a group element, the adversary has to provide, looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{Reveal} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it is again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
\paragraph{\underline{Formal Proof}}
@@ -84,9 +84,9 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\begin{proof}
\item Now the individual game-hops are analyzed and the probability, that an adversary can distinguish between two games, is upper bounded.
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes. Clearly, $G_0$ is the MU-\igame. By definition,
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes. Clearly, $G_0$ is the $N$-MU-\igame. By definition,
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\[ \advantage{\group{G},\adversary{A}}{\text{$N$-MU-\igame}}(\secparamter) = \Pr[\text{$N$-MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box, which sets a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This represents challenges $\ch$ to which the solution might not be usable to break the discrete logarithm of one of the public keys, due to $(r_i + 2^c \ch)$ not being invertible in $\field{L}$. Since only the bad flag is introduced this change does not influence the behavior of the game and is therefore only conceptual.
@@ -94,7 +94,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort is triggered if the bad flag is set to true. For each individual \ioracle oracle query the bad flag is set with a probability of $\frac{N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. With $2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}$ being the min-entropy of $\ch$ and $N$ being the number of $r_i$ with which the equation $2^c \ch \equiv - r_i \pmod L$ could evaluate to true. By the Union bound over all $\oraclequeries$ oracle quries we obtain $\Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
@@ -107,13 +107,13 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\large
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{Reveal}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then}
\State \quad $abort$
\State Let $\groupelement{R^*} = r^*_1 \groupelement{B} + r^*_2 \groupelement{A_1} + ... + r^*_{N+1} \groupelement{A_N}$
\State $r_b \assign r_1$
\State $(a_1, ..., a_{i-1}, a_{i+1}, ..., a_N) \randomassign DL(i)$
\State $(a_1, ..., a_{i-1}, a_{i+1}, ..., a_N) \randomassign \textit{Reveal}(i)$
\State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$
\State \quad $r_b \assign r_b + r_{j+1} a_j$
\Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
@@ -140,7 +140,7 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \somdl that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \somdl game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one, for which $s^*$ is a valid solution in the MU-\igame game. Together with the representation of $R^*$, provided during the \ioracle oracle call, and the discrete logarithms of the public keys we are able to generate a representation of $R^*$, which looks like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get:
Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{Reveal} oracle we can get the discrete logarithms of all public keys but the one, for which $s^*$ is a valid solution in the $N$-MU-\igame game. Together with the representation of $R^*$, provided during the \ioracle oracle call, and the discrete logarithms of the public keys we are able to generate a representation of $R^*$, which looks like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get:
\begin{align*}
r_b \groupelement{B} + r_i \groupelement{A_i} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i} \\
@@ -148,9 +148,9 @@ This section shows that \somdl implies MU-\igame using the algebraic group model
\Leftrightarrow \groupelement{A} &= (2^c s^* - r_b)(r_i + 2^c \ch^*)^{-1} \groupelement{B}
\end{align*}
Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e., not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm of $A_i$. Together with the discrete logarithms of the other public keys, which were obtained by the \textit{DL} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger.
Assuming that $r_i + 2^c \ch^*$ is invertible in $\field{L}$ (i.e., not equal to 0), which is ensured by the abort in $G_2$ for all $i$, both equations can be used to calculate the discrete logarithm of $A_i$. Together with the discrete logarithms of the other public keys, which were obtained by the \textit{Reveal} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger.
\item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. In the main procedure the adversary $\adversary{B}$ calls adversary $\adversary{A}$, queries the DL oracle and performs some simple calculations to obtain the discrete logarithm of all public keys. In the \ioracle the adversary simply samples a 2b bitstring uniformly at random.
\item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. In the main procedure the adversary $\adversary{B}$ calls adversary $\adversary{A}$, queries the \textit{Reveal} oracle and performs some simple calculations to obtain the discrete logarithm of all public keys. In the \ioracle the adversary simply samples a 2b bitstring uniformly at random.
\item This proves theorem \ref{theorem:adv_omdl'}.
\end{proof}

1
thesis/sections/mu_security_of_eddsa/sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma.tex
View File

@@ -1 +0,0 @@
\section{MU-\igame $\Rightarrow$ MU-EUF-NMA}

38
thesis/sections/security_notions.tex
View File

@@ -14,12 +14,12 @@ A digital signature scheme is a method to ensure the authenticity of data. The s
For the digital signature scheme to be correct, it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$
\end{definition}
A common security notion for digital signature schemes is the existential unforgeability under chosen message attack (EUF-CMA) security. It requires that no adversary is able to forge a signature for a message to which they have not observed a valid signature, given a public key. A stronger notion, that is often used, is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and MU-SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions in which the adversary is only provided with one public key.
A common security notion for digital signature schemes is the existential unforgeability under chosen message attack (EUF-CMA) security. It requires that no adversary is able to forge a signature for a message to which they have not observed a valid signature, given a public key. A stronger notion, that is often used, is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively $N$-MU-EUF-CMA and $N$-MU-SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions in which the adversary is only provided with one public key.
\begin{definition}[MU-EUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the N-MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is N-MU-EUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have
\begin{definition}[$N$-MU-EUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the $N$-MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is $N$-MU-EUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have
\[ \advantage{SIG,\adversary{A}}{\textsf{N-MU-EUF-CMA}}(\secparamter) \assign \prone{\textsf{N-MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\[ \advantage{SIG,\adversary{A}}{\textsf{$N$-MU-EUF-CMA}}(\secparamter) \assign \prone{\textsf{$N$-MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\end{definition}
\begin{figure}[h]
@@ -27,7 +27,7 @@ A common security notion for digital signature schemes is the existential unforg
\normalsize
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game $\text{N-MU-EUF-CMA}$}
\Statex \underline{\game $\text{$N$-MU-EUF-CMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
@@ -35,20 +35,20 @@ A common security notion for digital signature schemes is the existential unforg
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
\Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $M \assign M \cup \{(\pubkey_i, \m)\}$
\State \Return $\signature$
\end{algorithmic}
\hrule
\caption{N-MU-EUF-CMA Security Game}
\caption{$N$-MU-EUF-CMA Security Game}
\label{game:mu-euf-cma}
\end{figure}
\begin{definition}[MU-SUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-SUF-CMA game be defined in figure \ref{game:mu-suf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have
\begin{definition}[$N$-MU-SUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the $N$-MU-SUF-CMA game be defined in figure \ref{game:mu-suf-cma}. $SIG$ is $N$-MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have
\[ \advantage{SIG,\adversary{A}}{\textsf{N-MU-SUF-CMA}}(\secparamter) \assign \prone{\textsf{N-MU-SUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\[ \advantage{SIG,\adversary{A}}{\textsf{$N$-MU-SUF-CMA}}(\secparamter) \assign \prone{\textsf{$N$-MU-SUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\end{definition}
\begin{figure}[h]
@@ -56,7 +56,7 @@ A common security notion for digital signature schemes is the existential unforg
\normalsize
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game $\text{N-MU-SUF-CMA}$}
\Statex \underline{\game $\text{$N$-MU-SUF-CMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
@@ -64,36 +64,36 @@ A common security notion for digital signature schemes is the existential unforg
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
\Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\hrule
\caption{N-MU-SUF-CMA Security Game}
\caption{$N$-MU-SUF-CMA Security Game}
\label{game:mu-suf-cma}
\end{figure}
The MU-EUF-NMA security game is similar to the MU-EUF-CMA game. The only difference is that the adversary does not has access to an oracle to obtain valid signatures for arbitrary messages. Again the EUF-NMA security notation is a special case of the MU-EUF-NMA security notation with $N=1$.
The $N$-MU-EUF-NMA security game is similar to the $N$-MU-EUF-CMA game. The only difference is that the adversary does not has access to an oracle to obtain valid signatures for arbitrary messages. Again the EUF-NMA security notation is a special case of the $N$-MU-EUF-NMA security notation with $N=1$.
\begin{definition}[MU-EUF-NMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the N-MU-EUF-NMA game be defined in figure \ref{game:mu-uf-nma}. $SIG$ is N-MU-EUF-NMA secure if for all ppt adversaries $\adversary{A}$, we have
\begin{definition}[$N$-MU-EUF-NMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the $N$-MU-EUF-NMA game be defined in figure \ref{game:mu-uf-nma}. $SIG$ is $N$-MU-EUF-NMA secure if for all ppt adversaries $\adversary{A}$, we have
\[ \advantage{SIG,\adversary{A}}{\textsf{N-MU-EUF-NMA}}(\secparamter) \assign \prone{\textsf{N-MU-EUF-NMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\[ \advantage{SIG,\adversary{A}}{\textsf{$N$-MU-EUF-NMA}}(\secparamter) \assign \prone{\textsf{$N$-MU-EUF-NMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\end{definition}
\begin{figure}[h]
\hrule
\vspace{1mm}
\begin{algorithmic}
\State \underline{\game $\text{N-MU-EUF-NMA}$}
\State \underline{\game $\text{$N$-MU-EUF-NMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey_1, \pubkey_2, \pubkey_n)$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
\end{algorithmic}
\hrule
\caption{N-MU-EUF-NMA Security Game}
\caption{$N$-MU-EUF-NMA Security Game}
\label{game:mu-uf-nma}
\end{figure}

4
thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex
View File

@@ -35,7 +35,7 @@ The \sdlog game is a variant of the discrete logarithm game that represents the
\label{theorem:advgamez}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) + \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) + \frac{\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
@@ -109,7 +109,7 @@ The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$
\item \paragraph{\underline{$G_2:$}} The game $G_2$ is aborted if the bad flag is set. For each individual \ioracle query, the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $\ch_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and thus the value of $r_2$. This way the adversary has no way to choose $\ch_i$ after $r_2$ and therefore cannot influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the if condition check. By the union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying

12
thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex
View File

@@ -2,11 +2,11 @@
This section shows that the EUF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section begins with an intuition for the proof, followed by the detailed security proof.
\begin{theorem}
\begin{theorem}[\cite{SP:BCJZ21}]
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} The EUF-NMA security definition is close to the \cma security definition, but lacks the \Osign oracle. To show that EUF-NMA security implies \cma security, the reduction must simulate the \Osign oracle without knowledge of the private key.
@@ -118,7 +118,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\item \paragraph{\underline{$G_2:$}} $G_2$ also contains the abort statement in the red box. The abort condition is triggered when the $bad$ flag is set. Without loss of generality, it is assumed that the adversary queries the \sign oracle only once for each message, since the signature generated is deterministic and an adversary would not gain more information by multiple queries on the same message. For each individual signature query, the probability of the $bad$ flag being set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter of the hash function that is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition, he must guess the commitment $\groupelement{R}$ used during one of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min-entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied by the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction modulo $L$ there are $min\{2^{2b}, L\}$ possible values for $r'$. If the values of $L$ are less than $2^{2b}$ (which is the case in most instances of EdDSA), then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information, the min entropy of $\groupelement{R}$ must be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle with the \sign oracle in the green box. Now the signature is not generated by using the secret key, but by using the \simalg procedure and manually setting the result of the hash function call. This change is conceptual only. \simalg returns a correctly distributed tuple $(R, \ch, S)$, with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \ch \groupelement{A}$, and it has been excluded that $H'(\encoded{R} | \encoded{A} | \m)$ is set before calling the \sign oracle, so that the random oracle can be programmed to output $\ch$ when calling $H'(\encoded{R} | \encoded{A} | m)$. This ensures that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H'(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without using the private key $s$. Therefore,
@@ -179,15 +179,15 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\item This proves theorem \ref{theorem:adv_uf-nma}.
\end{proof}
\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$}
\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{EUF-CMA}_{\text{EdDSA lp}}$}
This section shows that the EUF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks EUF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the EUF-NMA challenger.
\begin{theorem}
\begin{theorem}[\cite{SP:BCJZ21}]
\label{theorem:adv2_uf-nma}
Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}
\paragraph{\underline{Formal Proof}}