\subsection{MU-\igame $\overset{\text{ROM}}{\Rightarrow}$ MU-UF-NMA}
|
|
|
|
This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signature scheme in the random oracle model. It first gives an intuition for the proof and then the detailed security proof.
|
|
|
|
\paragraph{\underline{Introducing MU-\igame}} This game follows closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary receives $N$ public keys instead of one. The adversary again has to output a value $s^*$ that is valid for some commitment--challenge pair generated by the \ioracle oracle, under any of the $N$ public keys. The MU-\igame game is depicted in Figure~\ref{game:mu-igame}.
|
|
|
|
\begin{definition}[MU-\igame]
|
|
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$ receiving $N$ public keys as input, we define its advantage in the MU-\igame game as follows:
|
|
|
|
\[ \advantage{\adversary{A}}{\text{MU-\igame}}(\secparamter) \assign | \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] |. \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\large
|
|
\begin{algorithmic}
|
|
\Statex \underline{\game MU-\igame}
|
|
\State $\pset{Q} \assign \emptyset$
\State \textbf{for} $i \in \{1,2,\dots,N\}$
|
|
\State \quad $a_i \randomsample \{2^n, 2^n + 2^c, \dots, 2^{n+1} - 2^c\}$
|
|
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
|
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, \dots, \groupelement{A_N})$
|
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q},\ i \in \{1,2,\dots,N\} : \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
|
|
\end{algorithmic}
|
|
\vspace{2mm}
|
|
\begin{algorithmic}
|
|
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
|
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
|
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
|
\State \Return $\ch_i$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{MU-\igame}
|
|
\label{game:mu-igame}
|
|
\end{figure}
|
|
|
|
\begin{theorem}
|
|
\label{theorem:adv_mu-igame}
|
|
Let $\adversary{A}$ be an adversary against the MU-UF-NMA security of EdDSA in the random oracle model. Then there exists an adversary $\adversary{B}$ against MU-\igame, running in essentially the time of $\adversary{A}$ and making at most $N$ more \ioracle queries than $\adversary{A}$ makes random-oracle queries, such that
|
|
|
|
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \le \advantage{\group{G}, \adversary{B}}{\text{MU-\igame}}(\secparamter). \]
|
|
\end{theorem}
|
|
|
|
\paragraph{\underline{Proof Overview}} As in the single-user setting, a forger has to query the random oracle on $H(\encoded{R}|\encoded{A_i}|m)$ to produce a valid signature; without that query the verification equation holds only by chance over the fresh hash value. Again the programmability of the random oracle is used to embed the challenge of the \ioracle oracle into the answer of the random oracle. With the challenge embedded this way, a valid forgery under any of the $N$ public keys is also a valid solution for the MU-\igame game.
|
|
|
|
\paragraph{\underline{Formal Proof}}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\begin{multicols}{2}
|
|
\large
|
|
\begin{algorithmic}
|
|
\State \underline{\game $G_0$}
|
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
|
\State \quad $(h_{i_0}, h_{i_1}, ..., h_{i_{2b-1}}) \randomsample \{0,1\}^{2b}$
|
|
\State \quad $s_i \leftarrow 2^n + \sum_{j=c}^{n-1} 2^j h_{i_j}$
|
|
\State \quad $\groupelement{A_i} \assign s_i \groupelement{B}$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
|
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\groupelement{A_i}, \m^*,\signature^*)$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}
|
|
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
|
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
|
|
\State \Return $\sum[m]$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\hrule
|
|
\caption{$G_0$}
|
|
\label{fig:mu-igame_implies_mu-uf-nma}
|
|
\end{figure}
|
|
|
|
\begin{proof}
|
|
\item We now argue that the \ioracle oracle can be used to simulate the random oracle $H$ in such a way that the output of the MU-UF-NMA adversary can be turned into a valid solution for the MU-\igame challenger.
|
|
|
|
\item Let $G_0$ be the game defined in Figure~\ref{fig:mu-igame_implies_mu-uf-nma}. $G_0$ is exactly the MU-UF-NMA game for EdDSA in which the random oracle $H$ is implemented by lazy sampling. By definition,
|
|
|
|
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \Pr[\text{MU-UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
|
|
|
\item Starting from $G_0$, we show that there exists an adversary $\adversary{B}$ satisfying
|
|
|
|
\begin{align}
|
|
\Pr[G_0^{\adversary{A}} \Rightarrow 1] \le \advantage{\group{G}, \adversary{B}}{\text{MU-\igame}}(\secparamter). \label{eq:adv_mu-igame}
|
|
\end{align}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\large
|
|
\begin{algorithmic}
|
|
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
|
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
|
\State \textbf{for} $i \in \{1,2,\dots,N\}$ \textbf{do} query $H(\encoded{R} | \encoded{A_i} | \m^*)$
\State \Return $S$
|
|
\end{algorithmic}
|
|
\vspace{2mm}
|
|
\begin{algorithmic}
|
|
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
|
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R}, \groupelement{A} \in \curve \textbf{ then}$
|
|
\State \qquad $\sum[m] \randomsample \ioracle(2^c \groupelement{R})$
|
|
\State \quad \textbf{else}
|
|
\State \qquad $\sum[m] \randomsample \{0,1\}^{2b}$
|
|
\State \Return $\sum[m]$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{Adversary $\adversary{B}$ breaking MU-\igame}
|
|
\label{fig:adversary_mu-igame}
|
|
\end{figure}
|
|
|
|
\item To prove \eqref{eq:adv_mu-igame}, we define an adversary $\adversary{B}$ attacking MU-\igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$, formally defined in Figure~\ref{fig:adversary_mu-igame}, is run in the MU-\igame game and simulates the random oracle $H$ for $\adversary{A}$. $H$ is perfectly simulated: the \ioracle oracle returns a uniformly random $2b$-bit string on every query, so $H$ answers every fresh query with a uniformly random $2b$-bit string and, through the table, answers repeated queries consistently, exactly as in $G_0$. Two further points are needed for the simulation to be faithful. First, the public keys $\groupelement{A_1}, \dots, \groupelement{A_N}$ handed to $\adversary{A}$ must be distributed exactly as EdDSA public keys, i.e.\ the scalars $a_i$ sampled in MU-\igame must range over the same set as the scalars $s_i$ in $G_0$. Second, the verification equation only translates into an entry of $\pset{Q}$ if $H$ was actually queried on $\encoded{R} | \encoded{A_i} | \m^*$ through $\adversary{B}$'s simulation; $\adversary{B}$ therefore queries $H(\encoded{R} | \encoded{A_i} | \m^*)$ for every $i \in \{1,\dots,N\}$ before returning $S$, at the cost of at most $N$ additional \ioracle queries, so that a forgery whose hash value $\adversary{A}$ never requested is still captured.
|
|
|
|
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$ and suppose it verifies under some $\groupelement{A_i}$. Let $\ch^* \assign H(\encoded{R} | \encoded{A_i} | \m^*)$. Provided $H$ was queried on this input (which $\adversary{B}$ can ensure by issuing the query itself before returning $S$), the construction of the simulated $H$ gives $\ch^* = \ioracle(2^c \groupelement{R})$ and hence $(2^c \groupelement{R}, \ch^*) \in \pset{Q}$. The verification equation yields
\begin{align*}
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c \ch^* \groupelement{A_i} \\
\Leftrightarrow\quad 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ch^* \groupelement{A_i} \\
\Leftrightarrow\quad \groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ch^* \groupelement{A_i}
\end{align*}
with $\groupelement{R}' \assign 2^c \groupelement{R}$, which is precisely the winning condition of MU-\igame for the pair $(\groupelement{R}', \ch^*) \in \pset{Q}$ and index $i$. Therefore, whenever $\adversary{A}$ outputs a valid forgery in $G_0$, $\adversary{B}$'s output $S$ is a valid solution for the MU-\igame game, and so $\Pr[G_0^{\adversary{A}} \Rightarrow 1] \le \advantage{\group{G}, \adversary{B}}{\text{MU-\igame}}(\secparamter)$.
|
|
|
|
\item This proves Theorem~\ref{theorem:adv_mu-igame}.
|
|
\end{proof} |