% masterthesis/thesis/sections/edggm/sdlog.tex
\subsection{Bounds on \sdlog} \label{sec:sdlog}
This section establishes a lower bound on the hardness of a modified version of the discrete logarithm problem in the generic group model. The variant is introduced in Definition~\ref{def:sdlog} and works like the original discrete logarithm problem, except that the secret scalar is generated as in the key generation algorithm of the EdDSA signature scheme. The following proof is given in the generic group model for twisted Edwards curves.
\begin{theorem}
\label{theorem:sdlog_ggm}
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\oraclequeries$ group operations. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{(\oraclequeries + 3)^2 + 1}{2^{n-1-c}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}} This proof closely resembles the original proof of the lower bound for the discrete logarithm problem by Shoup \cite{EC:Shoup97}. The first step is to work with the discrete logarithms of group elements rather than with the group elements themselves. In the generic group model this is equivalent, since each group element is uniquely represented by its discrete logarithms with respect to a generating set. For consistency, the generating set is denoted by $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$, with $\groupelement{B}$ the generator of the prime order subgroup and $\groupelement{E_2}$ to $\groupelement{E_m}$ the generators of the other subgroups. Next, the discrete logarithm in the prime order subgroup is replaced by an indeterminate. This allows the discrete logarithm in the prime order subgroup to be chosen after the adversary has provided its solution. As a result, the generic adversary can only guess that discrete logarithm, since it is generated only after the adversary has already submitted its solution. Figure \ref{fig:sdlog_ggm} shows the \sdlog game in the generic group model.
\begin{figure}[h]
\hrule
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \sdlog}
\vspace{1mm}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A}))$
\State \Return $a^* \test a$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
\State \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\textbf{Procedure} Enc($\groupelement{X} \in \curve$)}
\vspace{1mm}
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(|\curve|) \rceil} \setminus \mathbf{S}$
\State \quad $\mathbf{S} \assign \mathbf{S} \cup \{\sum[\groupelement{X}]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{\sdlog in the generic group model}
\label{fig:sdlog_ggm}
\end{figure}
\paragraph{\underline{Formal Proof}}
\begin{figure}[h]
\hrule
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_0$} / \textcolor{blue}{$G_1$} /\textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
\vspace{1mm}
\BeginBox[draw=black]
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$
\Comment{$G_0 - G_4$}
\EndBox
\BeginBox[draw=black]
\State $\groupelement{A} \assign a \groupelement{B}$
\Comment{$G_0$}
\EndBox
\BeginBox[draw=blue]
\State $\groupelement{A} \assign (a, 0, ..., 0)$
\Comment{$G_1$}
\EndBox
\BeginBox[draw=red]
\State $P \assign Z$
\Comment{$G_2 - G_4$}
\State $\groupelement{A} \assign (P, 0, ..., 0)$
\EndBox
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A}))$
\State \Return $a^* \test a$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
\State \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\BeginBox[draw=black]
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \curve$)}
\Comment{$G_0$}
\EndBox
\BeginBox[draw=blue]
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L} \times \field{ord(E_2)} \times ... \times \field{ord(E_m)}$)}
\Comment{$G_1$}
\EndBox
\BeginBox[draw=red]
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z] \times \field{ord(E_2)} \times ... \times \field{ord(E_m)}$)}
\Comment{$G_2 - G_4$}
\vspace{1mm}
\State Let $X = (P, x_2, ..., x_m)$
\State $\pset{P} = \pset{P} \cup \{P\}$
\EndBox
\BeginBox[draw=green]
\State \textbf{if } $\exists P_i \in \pset{P}: P_i(a) = P(a) \wedge P_i \neq P$
\Comment{$G_3 - G_4$}
\State \quad $bad \assign true$
\BeginBox[draw=orange,dashed]
\State \quad abort
\Comment{$G_4$}
\EndBox
\EndBox
\BeginBox[draw=red]
\State $X \assign (P(a), x_2, ..., x_m)$
\Comment{$G_2 - G_4$}
\EndBox
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(|\curve|) \rceil} \setminus \mathbf{S}$
\State \quad $\mathbf{S} \assign \mathbf{S} \cup \{\sum[\groupelement{X}]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_0 - G_4$}
\label{fig:sdlog_games_ggm_1}
\end{figure}
\begin{figure}[h]
\hrule
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_4$} / \textcolor{blue}{$G_5$} /\textcolor{red}{$G_6$} / \textcolor{green}{$G_7$}}
\vspace{1mm}
\BeginBox[draw=black]
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$
\Comment{$G_4 - G_6$}
\EndBox
\State $P \assign Z$
\State $\groupelement{A} \assign (P, 0, ..., 0)$
\State $a^* \randomassign \adversary{A}^{GOp(\inp, \inp, \inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A}))$
\BeginBox[draw=green]
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$
\Comment{$G_7$}
\EndBox
\BeginBox[draw=red]
\State \textbf{if } $\exists P_i, P_j \in \pset{P}: P_i(a) = P_j(a) \wedge P_i \neq P_j$
\Comment{$G_6 - G_7$}
\State \quad $bad \assign true$
\State \quad abort
\EndBox
\State \Return $a^* \test a$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
\State \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z] \times \field{ord(E_2)} \times ... \times \field{ord(E_m)}$)}
\vspace{1mm}
\State Let $X = (P, x_2, ..., x_m)$
\State $\pset{P} = \pset{P} \cup \{P\}$
\BeginBox[draw=black]
\State \textbf{if } $\exists P_i \in \pset{P}: P_i(a) = P(a) \wedge P_i \neq P$
\Comment{$G_4 - G_5$}
\State \quad $bad \assign true$
\State \quad abort
\EndBox
\BeginBox[draw=black]
\State $X \assign (P(a), x_2, ..., x_m)$
\Comment{$G_4$}
\EndBox
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(|\curve|) \rceil} \setminus \mathbf{S}$
\State \quad $\mathbf{S} \assign \mathbf{S} \cup \{\sum[\groupelement{X}]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_4 - G_7$}
\label{fig:sdlog_games_ggm_2}
\end{figure}
\begin{proof}
Let $G_0$ be the \sdlog game in the generic group model. In this proof, the discrete logarithm of the group element $\groupelement{A}$ in the prime order subgroup is replaced by an indeterminate. It is then shown that the challenger, by working with polynomials rather than actual discrete logarithms, makes errors in the simulation only with negligible probability. Finally, it is established that the discrete logarithm of $\groupelement{A}$ can be selected after the adversary has submitted its solution to the game.

This proof uses the Schwartz-Zippel lemma \cite{schwartz_fast_1980}, stated as follows:
\begin{definition}[Schwartz-Zippel lemma]
Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X_1, ..., X_n]$ be a non-zero polynomial of total degree $d \geq 0$ over a field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x$ be selected uniformly at random from $S$. Then
\[ \Pr[P(x) = 0] \leq \frac{d}{|S|}. \]
\end{definition}
\paragraph{\underline{$G_0:$}} Let $G_0$ be defined by Figure \ref{fig:sdlog_games_ggm_1}, excluding all boxes except the black ones. This is identical to the \sdlog game in the generic group model. By definition,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} = \prone{G_0^{\adversary{A}}}. \]
\paragraph{\underline{$G_1:$}} $G_1$ is obtained by replacing some black boxes with blue ones, so that the challenger works with discrete logarithms rather than group elements. The adversary cannot detect this, as it only sees labels of group elements, and each group element is uniquely represented by its discrete logarithms. These discrete logarithms are written as an integer vector whose components are the discrete logarithms with respect to the corresponding generators of the generating set; vectors are added component-wise. The change is purely conceptual, since it only alters how the challenger internally represents group elements, and each group element still receives the same label. Therefore,
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
\paragraph{\underline{$G_2:$}} In $G_2$, the blue boxes are replaced by the red ones: the discrete logarithm in the prime order subgroup is replaced by a polynomial in one indeterminate, denoted by $Z$, which stands for the discrete logarithm of the challenge in the prime order subgroup. The polynomial serving as the discrete logarithm of the challenge is simply $P = Z$. This change is only conceptual, since the polynomial is ultimately evaluated at the secret scalar $a$ in the Enc procedure. Hence,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\paragraph{\underline{$G_3:$}} $G_3$ introduces the ``if'' condition within the green box. This condition checks whether the challenger has generated two distinct polynomials that produce the same value when evaluated at $a$. The check is what later allows polynomials to be compared directly rather than evaluated. If the ``if'' condition holds, a bad flag is set to true, indicating that the challenger might wrongly conclude that two discrete logarithms, represented by the polynomials, are different when comparing only the polynomials. This modification is purely conceptual, as it only affects internal variables and does not influence the game's behaviour. Therefore,
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \]
\paragraph{\underline{$G_4:$}} $G_4$ aborts if the bad flag is set. The bad flag marks situations in which a collision of discrete logarithms would not be detected by comparing polynomials without evaluating them. The probability of the bad flag being set can be bounded with the Schwartz-Zippel lemma. The set $\pset{P}$ contains all polynomials generated by the challenger so far, and $P$ denotes the newly generated one. When encoding a newly generated group element, the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P}$ with $P_i \neq P$, define $P^* = P_i - P$. Then $P_i(a) = P(a)$ if and only if $P^*(a) = 0$. Since $P^* \neq 0$ has degree $1$ and $a$ is chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$, the Schwartz-Zippel lemma bounds the probability that $P^*(a) = 0$ by $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since $\pset{P}$ holds at most $\oraclequeries + 3$ polynomials (one per oracle query, and three from encoding the input to the adversary), the union bound over all polynomials in $\pset{P}$ gives, for each individual oracle query, a probability of bad being set of at most $\frac{\oraclequeries + 3}{2^{n-1-c}}$. By the union bound over all oracle queries, the probability of bad being set to true is $\Pr[bad] \leq \frac{(\oraclequeries + 3)^2}{2^{n-1-c}}$. For this reason,
\[ |\prone{G_3^{\adversary{A}}} - \prone{G_4^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\oraclequeries + 3)^2}{2^{n-1-c}}. \]
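As an added worked step that is not spelled out in the original proof, the size of the sampling set entering the Schwartz-Zippel bound is counted explicitly. The set runs from $2^{n-1}$ to $2^{n} - 2^{c}$ in steps of $2^{c}$, so
\[ |S| = \frac{(2^{n} - 2^{c}) - 2^{n-1}}{2^{c}} + 1 = \frac{2^{n-1} - 2^{c}}{2^{c}} + 1 = 2^{n-1-c}, \]
and with $\deg P^* = 1$ the lemma yields $\Pr[P^*(a) = 0] \leq \frac{1}{|S|} = \frac{1}{2^{n-1-c}}$, which is the denominator appearing in every term of the bound.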
For improved readability, $G_4$ is also depicted in Figure \ref{fig:sdlog_games_ggm_2}, including only the black boxes and excluding all others. The subsequent game hops are illustrated in the same figure.
\paragraph{\underline{$G_5:$}} $G_5$ removes the evaluation of the polynomial in the Enc procedure. This alteration is purely conceptual, as the preceding abort condition ensures that no two distinct polynomials yield the same value upon evaluation. Consequently, the challenger can work directly with the polynomials rather than evaluating them. Hence,
\[ \prone{G_4^{\adversary{A}}} = \prone{G_5^{\adversary{A}}}. \]
\paragraph{\underline{$G_6:$}} In $G_6$ the abort condition is moved into the main game, after the adversary has provided its solution. Because of this change, the secret scalar $a$ is not used before the adversary provides its solution to the challenger. Therefore, $a$ can be chosen after the adversary has answered, which means that the adversary has no better chance than guessing the solution. To show that this alteration is solely conceptual, it is proven that $G_6$ aborts if and only if $G_5$ aborts.
$G_5$ aborts $\Rightarrow G_6$ aborts: If $G_5$ aborts, a polynomial $P_i$ satisfying the abort condition has been added to the set $\pset{P}$ during a call to the Enc procedure. In $G_6$, the polynomials in the set $\pset{P}$ are the same, since the instruction adding polynomials to the set during the Enc procedure is unchanged between the games. After the adversary provides its solution, the challenger checks for any pair of polynomials in the set that meets the abort condition. Thus, $G_6$ aborts whenever $G_5$ would have aborted.
$G_6$ aborts $\Rightarrow G_5$ aborts: If $G_6$ aborts, the set $\pset{P}$ contains a pair of polynomials satisfying the abort condition. The only difference is that $G_5$ checks for the existence of such a pair immediately after inserting a new polynomial. Consequently, if $G_6$ aborts, $G_5$ aborts as well.
This proves that the change is only conceptual. Hence,
\[ \prone{G_5^{\adversary{A}}} = \prone{G_6^{\adversary{A}}}. \]
\paragraph{\underline{$G_7:$}} In $G_7$ the secret scalar $a$ is generated after the adversary has provided its solution. This modification is purely conceptual, as the secret scalar is not used before this point. Thus,
\[ \prone{G_6^{\adversary{A}}} = \prone{G_7^{\adversary{A}}}. \]
As a result, the adversary has no better chance of computing its solution $a^*$ than guessing, given that the challenger does not select $a$ until the adversary has submitted its solution. Since $a$ is chosen uniformly at random from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$, the probability that the adversary wins $G_7$ is
\[ \prone{G_7^{\adversary{A}}} \leq \frac{1}{2^{n-1-c}}. \]
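As an added illustration (not part of the thesis; the toy group, all function and class names, and the sample parameters are chosen here), the following Python code simulates the final game $G_7$ for the toy group $\mathbb{Z}_L \times \mathbb{Z}_m$ with generating set $(B, E_2)$. The challenger keeps the prime-order coordinate of every element as a linear polynomial $\alpha + \beta Z$ in the indeterminate $Z$, answers GOp queries with fresh random labels exactly as the Enc procedure of Figure \ref{fig:sdlog_ggm}, samples the clamped scalar $a$ from $\{2^{n-1}, 2^{n-1}+2^c, \ldots, 2^{n}-2^c\}$ only after the adversary has answered, and then evaluates the abort condition of $G_6$/$G_7$. It also encodes the theorem's bound so that the empirical win rate of a generic adversary can be compared against it.

```python
# Added example: toy simulation of game G_7 of the sdlog proof in the generic group model.
# Not the thesis' own code; the toy group Z_L x Z_m and every name below are chosen here.
import random


def clamped_scalar_set_size(n, c):
    """|{2^(n-1), 2^(n-1)+2^c, ..., 2^n - 2^c}|, the set the secret scalar a is drawn from."""
    return 1 << (n - 1 - c)


def sample_clamped_scalar(n, c, rng):
    """Uniform element of that set (bit n-1 set, bits 0..c-1 clear); rng is a random.Random or an int seed."""
    if not isinstance(rng, random.Random):
        rng = random.Random(rng)
    return (1 << (n - 1)) + (rng.randrange(clamped_scalar_set_size(n, c)) << c)


def is_clamped(v, n, c):
    """Membership test for the same set."""
    return v.bit_length() == n and v % (1 << c) == 0


def theorem_bound(q, n, c):
    """Advantage bound of the theorem for an adversary making q oracle queries."""
    return ((q + 3) ** 2 + 1) / clamped_scalar_set_size(n, c)


def bad_event(polys, a, L):
    """Abort condition of G_6/G_7: two distinct polynomials alpha + beta*Z agree at Z = a (mod L)."""
    evaluations = {}
    for alpha, beta in set(polys):            # repeated copies of one polynomial are not distinct
        value = (alpha + beta * a) % L
        if value in evaluations:
            return True
        evaluations[value] = (alpha, beta)
    return False


class PolynomialChallenger:
    """Challenger of G_5-G_7 for the toy group Z_L x Z_m generated by B=(1,0) and E_2=(0,1).
    An element is stored as (alpha, beta, x2), i.e. the DL vector (alpha + beta*Z mod L, x2 mod m),
    where Z stands for the still-unknown secret scalar. Labels are random bit strings."""

    def __init__(self, L, m, rng):
        self.L, self.m, self.rng = L, m, rng
        self.label_bits = (L * m - 1).bit_length()   # ceil(log2 |E|) for |E| = L*m
        self.sigma, self.sigma_inv = {}, {}          # Sigma and Sigma^{-1} of the figures
        self.polys = []                              # the set P of polynomials seen so far
        self.queries = 0

    def enc(self, X):
        X = (X[0] % self.L, X[1] % self.L, X[2] % self.m)
        self.polys.append((X[0], X[1]))
        if X not in self.sigma:                      # fresh element: draw an unused label
            while True:
                label = self.rng.getrandbits(self.label_bits)
                if label not in self.sigma_inv:
                    break
            self.sigma[X], self.sigma_inv[label] = label, X
        return self.sigma[X]

    def gop(self, x, y, b):
        """GOp(x, y, b) = Enc(Sigma^{-1}[x] + (-1)^b * Sigma^{-1}[y]); unknown labels are rejected."""
        if x not in self.sigma_inv or y not in self.sigma_inv or b not in (0, 1):
            raise ValueError("invalid oracle query")
        self.queries += 1
        X, Y = self.sigma_inv[x], self.sigma_inv[y]
        s = -1 if b else 1
        return self.enc((X[0] + s * Y[0], X[1] + s * Y[1], X[2] + s * Y[2]))


def play_sdlog_g7(adversary, L, m, n, c, seed):
    """One run of G_7. Returns (won, aborted, queries); a is sampled only after the adversary answers."""
    rng = random.Random(seed)
    ch = PolynomialChallenger(L, m, rng)
    labels = (ch.enc((1, 0, 0)), ch.enc((0, 0, 1)), ch.enc((0, 1, 0)))  # Enc(B), Enc(E_2), Enc(A), A = (Z, 0)
    a_star = adversary(labels, ch.gop, n, c, rng)
    a = sample_clamped_scalar(n, c, rng)
    if bad_event(ch.polys, a, L):                    # the polynomial simulation was not faithful
        return False, True, ch.queries
    return a_star == a, False, ch.queries


def random_walk_adversary(q):
    """Generic adversary that makes q random GOp queries and then guesses a clamped scalar.
    Its view consists of labels only and is independent of a, so it cannot beat the uniform guess."""
    def adversary(labels, gop, n, c, rng):
        seen = list(labels)
        for _ in range(q):
            seen.append(gop(rng.choice(seen), rng.choice(seen), rng.randrange(2)))
        return sample_clamped_scalar(n, c, rng)
    return adversary


def empirical_win_rate(q, trials, L, m, n, c, seed=0):
    """Fraction of won runs of G_7 against random_walk_adversary(q); aborted runs count as lost."""
    wins = sum(play_sdlog_g7(random_walk_adversary(q), L, m, n, c, seed + i)[0] for i in range(trials))
    return wins / trials


if __name__ == "__main__":
    q, n, c = 5, 16, 3                               # constructed toy parameters, L = 1000003 is prime
    print("theorem bound:", theorem_bound(q, n, c))
    print("empirical win rate:", empirical_win_rate(q, 200, 1000003, 8, n, c))
```

Running the module with the toy parameters $n = 16$, $c = 3$ and $\oraclequeries = 5$ prints the bound $65/4096$ next to the measured win rate of the random-walk adversary, which stays below it; `bad_event` can also be called on hand-built polynomial lists to see exactly when the abort condition of $G_6$ fires.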
This proves Theorem \ref{theorem:sdlog_ggm}.
\end{proof}