rixxc/masterthesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
048dd04b863efbfbec79320ee6abc3e5ea2955a3
masterthesis/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex

124 lines
5.9 KiB
TeX
Raw Blame History

\subsection{\igame $\Rightarrow$ UF-NMA (ROM)}
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing introducing an intermediate game \igame followed by an intuition of the proof and the detailed security proof.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle by the \ioracle oracle, which takes a commitment and outputs a challenge. This also strips away the message and focuses on the forgery of an arbitrary message. The \igame game is depicted in figure \ref{game:igame}.
\begin{definition}[\igame]
For an adversary $\adversary{A}$ we define its advantage in the \igame game as following:
\[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] |. \]
\end{definition}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game \igame}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
\State $\ch_i \randomsample \{0,1\}^{2b}$
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
\State \Return $\ch_i$
\end{algorithmic}
\end{multicols}
\hrule
\caption{\igame}
\label{game:igame}
\end{figure}
\begin{theorem}
\label{theorem:adv_igame}
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,
\[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{\igame}}(\secparamter). \]
\end{theorem}
\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
\paragraph{\underline{Formal Proof}}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\State \underline{\game $G_0$}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $\groupelement{A} \assign s \groupelement{B}$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\end{multicols}
\hrule
\caption{$G_0$}
\label{fig:igame_implies_uf-nma}
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}$. By definition,
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \label{eq:adv_igame}
\end{align}
\begin{figure}
\hrule
\vspace{1mm}
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A})$}
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
\State \Return $S$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R} \in \curve \textbf{ then}$
\State \qquad $\sum[m] \randomsample \ioracle(2^c \groupelement{R})$
\State \quad \textbf{else}
\State \qquad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Adversary $\adversary{B}$ breaking \igame}
\label{fig:adversary_igame}
\end{figure}
\item To proof (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulated perfectly.
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that:
\begin{align*}
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A} \\
\Leftrightarrow \groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}
\end{align*}
Therefore $S$ is a valid solution for the \igame game.
\item This proves theorem \ref{theorem:adv_igame}.
\end{proof}
Reference in New Issue View Git Blame Copy Permalink