243 lines
16 KiB
TeX
243 lines
16 KiB
TeX
\subsection{UF-NMA $\Rightarrow$ $\text{\cma}_{\text{EdDSA with strict parsing}}$ (ROM)} \label{proof:uf-nma_implies_suf-cma}
|
|
|
|
% TODO: "intuition for the proof" vs. "intuition of the proof"?
|
|
This section shows that the UF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
|
|
|
|
\begin{theorem}
|
|
\label{theorem:adv_uf-nma}
|
|
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
|
|
|
|
\[ \advantage{\adversary{A}}{\text{\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
|
\end{theorem}
|
|
|
|
\paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key.
|
|
|
|
The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the structure of a canonical identification scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment, challenge and secret key. The signature is the tuple of commitment and response.
|
|
|
|
To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the chosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message.
|
|
|
|
\paragraph{\underline{Formal Proof}}
|
|
|
|
The proof starts by providing an algorithm which generates correctly distributed tuple of commitment, challenge and response. This algorithm is called \simalg and is depicted in figure \ref{fig:sim}. TODO
|
|
%TODO: Beweis für Sim Algorithmus
|
|
|
|
\begin{figure}
|
|
\hrule
|
|
\vspace{1mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\simalg(\groupelement{A})}
|
|
\State $\textbf{ch} \randomsample \{0,1\}^{2b}$
|
|
\State $s \randomsample \{0,1\}^{2b}$
|
|
\State $S \assign \sum_{i=0}^{2b-1} 2^i s_i \pmod L$
|
|
\State $R \assign S\groupelement{B} - \textbf{ch}\groupelement{A}$
|
|
\State \Return $(\encoded{R}, \textbf{ch}, S)$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{\simalg}
|
|
\label{fig:sim}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\hrule
|
|
\begin{multicols}{2}
|
|
\large
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
|
|
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
|
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
|
\State $\groupelement{A} \assign s \groupelement{B}$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
|
|
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
|
|
\Comment{$G_0 - G_2$}
|
|
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | \m)$
|
|
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
|
|
\State $R \assign rB$
|
|
\BeginBox[draw=black]
|
|
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | \m)) \pmod L$
|
|
\Comment{$G_0$}
|
|
\EndBox
|
|
\BeginBox[draw=blue]
|
|
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
|
|
\Comment{$G_1 - G_2$}
|
|
\State \quad $bad \assign true$
|
|
\BeginBox[draw=red,dashed]
|
|
\State \quad $abort$
|
|
\Comment{$G_2$}
|
|
\EndBox
|
|
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] = \bot \textbf{ then}$
|
|
\State \quad $\sum[\encoded{R} | \encoded{A} | \m] \randomsample \{0,1\}^{2b}$
|
|
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | \m]) \pmod L$
|
|
\EndBox
|
|
\State $\signature \assign (\encoded{R}, S)$
|
|
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
|
\State \Return $\signature$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\begin{multicols}{2}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
|
|
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
|
|
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
|
|
\State \Return $\sum[\m]$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
%TODO: Nummer vor Oracle
|
|
\BeginBox[draw=green]
|
|
\State \underline{\oracle \sign($\m \in \messagespace$)}
|
|
\Comment{$G_3$}
|
|
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
|
|
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
|
|
\State \quad $bad \assign true$
|
|
\State \quad $abort$
|
|
\State $\sum[\encoded{R} | \encoded{A} | \m] = \textbf{ch}$
|
|
\State $\signature \assign (\encoded{R}, S)$
|
|
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
|
\State \Return $\signature$
|
|
\EndBox
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\hrule
|
|
\caption{Games $G_0 - G_3$}
|
|
\label{fig:uf-nma_implies_suf-cma_games}
|
|
\end{figure}
|
|
|
|
\begin{proof}
|
|
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one and let $G_0$ be $\text{\cma}$. By definition,
|
|
|
|
\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
|
|
|
\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence,
|
|
|
|
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
|
|
|
|
\item \paragraph{\underline{$G_2:$}} $G_2$ also includes the abort instruction in the red box. The abort condition is triggered if the $bad$ flag is set. Without loss of generality it is assumed that the adversary queries the \sign oracle only once with each message since the signature generated is deterministic and an adversary would not gain more information by multiple queries with the same message. For each individual sign query the probability for the $bad$ flag to be set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. The only parameter, which is unknown to the adversary prior to calling the \sign oracle is the commitment $R$. For an adversary to trigger the abort condition he has to guess the commitment $\groupelement{R}$ used during on of the \sign queries. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\groupelement{R}$. $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied with the generator $\groupelement{B}$. At first there are $2^{2b}$ possible values for $r'$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $r'$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $r'$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $\groupelement{R}$ has to be considered, which takes this into account. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
|
|
|
|
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
|
|
|
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle by the \sign oracle in the green box. This change is only conceptual. \simalg outputs a correctly distributed tuple $(R, \textbf{ch}, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \textbf{ch} \groupelement{A}$ and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed to output $\textbf{ch}$ upon calling $H(\encoded{R} | \encoded{A} | m)$. Therefore, it is ensured that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without the usage of the private key $s$. Therefore,
|
|
|
|
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \]
|
|
|
|
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
|
|
|
\begin{align}
|
|
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv_uf-nma}
|
|
\end{align}
|
|
|
|
\begin{figure}
|
|
\hrule
|
|
\begin{multicols}{2}
|
|
\large
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
|
|
\State \Return $(\m^*, \signature^*)$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \sign($m \in \messagespace$)}
|
|
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
|
|
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$
|
|
\State \quad $bad \assign true$
|
|
\State \quad $abort$
|
|
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
|
|
\State $\signature \assign (\encoded{R}, S)$
|
|
\State $Q \assign Q \cup \{(\m, \signature)\}$
|
|
\State \Return $\signature$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
|
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
|
\State \quad $\sum[m] \assign H(m)$
|
|
\State \Return $\sum[m]$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}$}
|
|
\label{fig:adversarybuf-nma}
|
|
\end{figure}
|
|
|
|
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
|
|
|
|
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. When using strict parsing any the decoded $S$ from the signature it is known that $0 \leq S < L$. Therefore there is only one valid encoded $S$ for each $R$, $\m$ pair that satisfies the equation. This means that from no new and valid signature can be generated by only changing the $S$ value of an already valid signature. Hence, also $R$ or $m$ has to be altered to generate a new valid signature from another one. Since $R$ and $m$ are inputs to the hash query, which is used to generate the challenge, the result for this hash query are forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
|
|
|
|
\begin{align*}
|
|
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\
|
|
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}.
|
|
\end{align*}
|
|
|
|
Meaning that the forged signature from adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
|
|
|
|
\item This proves theorem \ref{theorem:adv_uf-nma}.
|
|
\end{proof}
|
|
|
|
\subsection{UF-NMA $\Rightarrow$ $\text{EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)}
|
|
|
|
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games are the same as in the proof above with the only difference being the win condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin Q$. For this reason this proofs starts at showing the existence of an adversary $\adversary{B}$ breaking UF-NMA security.
|
|
|
|
\begin{theorem}
|
|
\label{theorem:adv2_uf-nma}
|
|
Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
|
|
|
|
\[ \advantage{\adversary{A}}{\text{EUF-CMA}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
|
|
\end{theorem}
|
|
|
|
\paragraph{\underline{Formal Proof}}
|
|
|
|
\begin{proof}
|
|
\item
|
|
\begin{align}
|
|
\prone{G_3^{\adversary{A}}} = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv2_uf-nma}
|
|
\end{align}
|
|
|
|
\begin{figure}
|
|
\hrule
|
|
\begin{multicols}{2}
|
|
\large
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
|
|
\State \Return $(\m^*, \signature^*)$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \sign($m \in \messagespace$)}
|
|
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
|
|
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$
|
|
\State \quad $bad \assign true$
|
|
\State \quad $abort$
|
|
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
|
|
\State $\signature \assign (\encoded{R}, S)$
|
|
\State $Q \assign Q \cup \{\m\}$
|
|
\State \Return $\signature$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
|
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
|
\State \quad $\sum[m] \assign H(m)$
|
|
\State \Return $\sum[m]$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}$}
|
|
\label{fig:adversary_b_suf-nma}
|
|
\end{figure}
|
|
|
|
To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
|
|
|
|
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. The same argument as in the proof above cannot be used since the lax parser could map multiple $2b$-bit bitstrings onto the same $S^* \pmod L$. Therefore the adversary $\adversary{A}$ could generate a new valid signature from a by \Osign generated one by simply choosing a different bitstring representation of the same $S^* \pmod L$. Since in this case $\sum[\encoded{R^*}|\encoded{A}|m^*]$ was set by the adversary $\adversary{B}$ this signature is not valid for the UF-NMA challenger. But since we are in the EUF-CMA setting we require the adversary $\adversary{A}$ to output a signature for a message $m^*$ for that it has not requested a signature via the \Osign oracle. Since the signature for the message $m^*$ has not been queried in the Sign oracle the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ has not been set by the adversary B but was forwarded from the $H$ hash oracle. For this reason $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
|
|
|
|
\begin{align*}
|
|
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\
|
|
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}.
|
|
\end{align*}
|
|
|
|
Meaning that the forged signature from adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
|
|
|
|
\item This proves theorem \ref{theorem:adv2_uf-nma}.
|
|
\end{proof} |