masterthesis/thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex
\subsection{MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-SUF-CMA}_{\text{EdDSA sp}}$}
This section shows that the MU-EUF-NMA security of the EdDSA signature scheme implies its MU-SUF-CMA security in the random oracle model. The section starts by providing an intuition of the proof, followed by the detailed security proof.
\begin{theorem}
\label{theorem:adv_mu-uf-nma}
Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference between the two security notions is the absence of the \Osign oracle in MU-EUF-NMA. For this reason, the reduction must simulate the \Osign oracle without knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}.
\paragraph{\underline{Formal Proof}}
\begin{figure}[h]
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
\State \textbf{for} $j \in \{1,2,...,N\}$
\State \quad $(h_{j_0}, h_{j_1}, ..., h_{j_{2b-1}}) \randomsample \{0,1\}^{2b}$
\State \quad $s_j \assign 2^n + \sum_{i=c}^{n-1} 2^i h_{j_i}$
\State \quad $\groupelement{A_j} \assign s_j \groupelement{B}$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2},...,\groupelement{A_N})$
\State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin \pset{Q}$
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\Comment{$G_0 - G_2$}
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_{j_b} | ... | h_{j_{2b-1}} | \m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $\groupelement{R} \assign r \groupelement{B}$
\BeginBox[draw=black]
\State $S \assign (r + s_j H(\encoded{R} | \encoded{A_j} | \m)) \pmod L$
\Comment{$G_0$}
\EndBox
\BeginBox[draw=blue]
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] \neq \bot \textbf{ then}$
\Comment{$G_1 - G_2$}
\State \quad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\Comment{$G_2$}
\EndBox
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] = \bot \textbf{ then}$
\State \quad $\sum[\encoded{R} | \encoded{A_j} | \m] \randomsample \{0,1\}^{2b}$
\State $S \assign (r + s_j \sum[\encoded{R} | \encoded{A_j} | \m]) \pmod L$
\EndBox
\State $\signature \assign (\encoded{R}, S)$
\State $\pset{Q} \assign \pset{Q} \cup \{(\groupelement{A_j}, \m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{multicols}{2}
\begin{algorithmic}
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[\m]$
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\BeginBox[draw=green]
\State \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\Comment{$G_3$}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A_j} | \m] \assign \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $\pset{Q} \assign \pset{Q} \cup \{(\groupelement{A_j}, \m, \signature)\}$
\State \Return $\signature$
\EndBox
\end{algorithmic}
\end{multicols}
\hrule
\caption{Games $G_0 - G_3$}
\label{fig:mu-uf-nma_implies_mu-suf-cma_games}
\end{figure}
\begin{proof}
\item Now the original MU-SUF-CMA game is manipulated in a way that makes it possible to simulate signatures without the knowledge of the secret key. During each of the game-hops the probability for an adversary to detect this change is upper bounded.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one. $G_0$ is the MU-SUF-CMA game for EdDSA. By definition,
\[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{MU-}\cma^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set if the hash table entry for the challenge input is already defined. The bad flag being set represents the cases where the adversary already queried the random oracle for the challenge used in that signature, so that in the later games the random oracle could not be programmed and the challenger would be unable to produce a valid signature. This change is only conceptual, as it does not alter the behavior of the oracle. Therefore,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_2:$}} $G_2$ is defined by additionally introducing the abort instruction in the red box. Again, without loss of generality it is assumed that the adversary queries each public key/message pair only once, since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle repeatedly with the same input. Since the commitment $\groupelement{R}$ is the only input to the hash function that is unknown to the adversary before the query, the probability of the bad flag being set in an individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the union bound over all $\oraclequeries$ oracle queries we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\item \paragraph{\underline{$G_3:$}} In $G_3$ the \Osign oracle is replaced by the \Osign oracle in the green box. Instead of calculating the response using the secret key, the \simalg algorithm is used to generate a tuple of commitment, challenge, and response. Then the random oracle is programmed to output this specific challenge on the input $\encoded{R} | \encoded{A_j} | \m$. This change is only conceptual, since \simalg outputs a correctly distributed tuple and it was ruled out in the earlier games that the random oracle was previously queried on this input. Hence,
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \]
\item Finally, game $G_3$ is set up to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter). \label{eq:adv_mu-uf-nma}
\end{align}
\begin{figure}[h]
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A_j} | m] \assign \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $\pset{Q} \assign \pset{Q} \cup \{(\groupelement{A_j}, \m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \assign H(m)$
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{MU-EUF-NMA}$}
\label{fig:adversaryb_mu-uf-nma}
\end{figure}
To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-EUF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversaryb_mu-uf-nma}, is run in the $\text{MU-EUF-NMA}$ game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider the output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$ of $\adversary{A}$. Every valid signature output by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Again, there is only one valid encoding of $S$ for each tuple $\groupelement{R}$, $m$, $\groupelement{A_i}$ that satisfies the verification equation. For the signature to be a valid forgery, it must not have been output by the \Osign oracle for this specific $m^*$ and $\groupelement{A_i}$. No new valid signature can be generated from a valid one by just changing the $S$ value. This means that either $\groupelement{R}$, $m$, or $\groupelement{A_i}$ has to be changed to obtain a new valid signature from an already valid one. Since all these parameters are part of the hash query that generates the challenge, and $\adversary{B}$ programs $H'$ only at the inputs belonging to signatures it returned, the hash value for the forgery must have been forwarded from the $H$ hash oracle provided to adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Hence,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i} \\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}
\end{align*}
Since the public keys and the results of the hash queries are forwarded from the MU-EUF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-EUF-NMA challenger.
\item In the main procedure the adversary $\adversary{B}$ simply calls adversary $\adversary{A}$ and outputs its forged signature. To simulate the hash function, $\adversary{B}$ simply forwards the queries of adversary $\adversary{A}$ to its own oracle $H$, and to answer a signature query, $\adversary{B}$ obtains the triple of commitment, challenge, and response from the \simalg procedure, which just samples two values and computes the third one using a simple equation, and then programs its random oracle. Therefore, the runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$.
\item This proves theorem \ref{theorem:adv_mu-uf-nma}.
\end{proof}
\subsection{MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-EUF-CMA}_{\text{EdDSA lp}}$}
This section shows that the MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing in the random oracle model. This proof is very similar to the MU-SUF-CMA proof of EdDSA with strict parsing. The modifications to the games are the same as in the proof above; the only difference is the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*, \signature^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason, this proof starts directly with showing the existence of an adversary $\adversary{B}$ breaking MU-EUF-NMA security. As in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. The adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. The output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ for such a signature was programmed by the reduction itself, and therefore the signature is not valid for the EUF-NMA challenger.
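The following added example, which is not part of the thesis, models in Python the two mechanisms these proofs rely on: the simulated \Osign oracle of $G_3$, which samples challenge and response, derives the commitment, and programs the random-oracle table while aborting on the bad event of $G_1$/$G_2$, and the lax-parsing malleability of $S$ discussed above. It assumes a constructed toy group (the order-11 subgroup of $\mathbb{Z}_{23}^*$, not Ed25519, with cofactor $c = 0$), single-byte encodings, and helper names (mul, add, enc, sign, sim_sign, verify, reencode_S) that are the example's own.

```python
import secrets

# Constructed toy group (NOT Ed25519): the order-L subgroup of Z_P^* with
# generator B, written additively to match the thesis. Cofactor c = 0 here.
P, L, B = 23, 11, 2                    # 2 has order 11 modulo 23
S_BYTES = 1                            # toy encoding width of S (the thesis's b bits)

def mul(k, X): return pow(X, k % L, P)          # scalar multiplication k*X
def add(X, Y): return (X * Y) % P               # group addition X + Y
def enc(X): return X.to_bytes(1, "little")      # fixed-width encoding <X>

class RandomOracle:
    """Lazily sampled table Sigma[x]; program() is the 'Sigma[x] <- ch' step."""
    def __init__(self):
        self.table = {}
    def query(self, x):
        if x not in self.table:        # Sigma[x] = bot: sample a fresh 2b-bit value
            self.table[x] = secrets.randbelow(2 ** (16 * S_BYTES))
        return self.table[x]
    def program(self, x, ch):
        if x in self.table:            # the 'bad' event of G_1/G_2: input already queried
            raise RuntimeError("bad: random oracle already queried at this input")
        self.table[x] = ch

def keygen():                          # toy key (no clamping): s in [1, L-1], A = s*B
    s = secrets.randbelow(L - 1) + 1
    return s, mul(s, B)

def sign(ro, s, A, m):                 # honest signer of G_0: needs the secret s
    r = ro.query(b"nonce" + bytes([s]) + m) % L   # deterministic nonce, as in EdDSA
    R = mul(r, B)
    S = (r + s * ro.query(enc(R) + enc(A) + m)) % L
    return enc(R) + S.to_bytes(S_BYTES, "little")

def sim_sign(ro, A, m):                # G_3 / adversary B: simalg, then program the oracle
    ch, S = secrets.randbelow(L), secrets.randbelow(L)
    R = add(mul(S, B), mul(-ch, A))    # R = S*B - ch*A makes the verification equation hold
    ro.program(enc(R) + enc(A) + m, ch)
    return enc(R) + S.to_bytes(S_BYTES, "little")

def verify(ro, A, m, sig, strict=True):
    R, S = int.from_bytes(sig[:1], "little"), int.from_bytes(sig[1:], "little")
    if strict and S >= L:              # strict parsing rejects non-canonical S
        return False
    return mul(S, B) == add(R, mul(ro.query(enc(R) + enc(A) + m), A))

def reencode_S(sig):                   # same S mod L, different bitstring (lax-parsing forgery)
    S = int.from_bytes(sig[1:], "little") + L
    return sig[:1] + S.to_bytes(S_BYTES, "little")
```

A simulated signature verifies without the secret key exactly because the oracle entry was programmed; its re-encoded copy passes lax verification but is rejected by strict parsing, which is the difference between the SUF-CMA and EUF-CMA results above.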
\begin{theorem}
\label{theorem:adv2_mu-uf-nma}
Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Formal Proof}}
\begin{proof}
\item The games $G_0$ to $G_3$ and the bounds on their distinguishing probabilities carry over unchanged from the proof above, so it remains to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter). \label{eq:adv2_mu-uf-nma}
\end{align}
\begin{figure}[h]
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A_j} | m] \assign \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $\pset{Q} \assign \pset{Q} \cup \{(\groupelement{A_j}, \m)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \assign H(m)$
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{MU-EUF-NMA}$}
\label{fig:adversary_b_mu-uf-nma}
\end{figure}
To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking MU-EUF-NMA that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the MU-EUF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider the output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$ of $\adversary{A}$. Every valid signature output by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. As in the single-user setting, the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting, the adversary has to forge a signature for a message $m^*$ and public key $\groupelement{A_i}$ for which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the MU-EUF-NMA challenger. Hence $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}\\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}.
\end{align*}
This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the MU-EUF-NMA challenger.
\item Since the adversary $\adversary{B}$ is the same as in the proof above, its runtime is roughly the same as the runtime of adversary $\adversary{A}$, for the same reason.
\item This proves theorem \ref{theorem:adv2_mu-uf-nma}.
\end{proof}