128 lines
6.4 KiB
TeX
128 lines
6.4 KiB
TeX
\subsection{\igame $\overset{\text{ROM}}{\Rightarrow}$ UF-NMA}
|
|
|
|
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof.
|
|
|
|
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in the figure \ref{game:igame}.
|
|
|
|
\begin{definition}[\igame]
|
|
For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following:
|
|
|
|
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] |. \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\begin{multicols}{2}
|
|
\large
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game \igame}
|
|
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
|
|
\State $\groupelement{A} \assign a \groupelement{B}$
|
|
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
|
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
|
|
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
|
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
|
\State \Return $\ch_i$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\hrule
|
|
\caption{\igame}
|
|
\label{game:igame}
|
|
\end{figure}
|
|
|
|
\begin{theorem}
|
|
\label{theorem:adv_igame}
|
|
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then,
|
|
|
|
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \]
|
|
\end{theorem}
|
|
|
|
\paragraph{\underline{Proof Overview}} The adversary must query the random oracle to obtain the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle into the answer from the random oracle. In this way, a valid signature forgery also provides a valid solution to the \igame game.
|
|
|
|
\paragraph{\underline{Formal Proof}}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\begin{multicols}{2}
|
|
\large
|
|
\begin{algorithmic}[1]
|
|
\State \underline{\game $G_0$}
|
|
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
|
|
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
|
|
\State $\groupelement{A} \assign s \groupelement{B}$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
|
|
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*)$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
|
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
|
|
\State \Return $\sum[m]$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\hrule
|
|
\caption{$G_0$}
|
|
\label{fig:igame_implies_uf-nma}
|
|
\end{figure}
|
|
|
|
\begin{proof}
|
|
\item This proof does not require any game hop, since the random oracle can be simulated using the \ioracle oracle.
|
|
|
|
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma}. Clearly, $G_0$ is $\text{UF-NMA}$. By definition,
|
|
|
|
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
|
|
|
|
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
|
|
|
\begin{align}
|
|
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \label{eq:adv_igame}
|
|
\end{align}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\begin{multicols}{2}
|
|
\large
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A})$}
|
|
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
|
|
\State \Return $S$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
|
|
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
|
|
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R} \in \curve \textbf{ then}$
|
|
\State \qquad $\sum[m] \randomsample \ioracle(2^c \groupelement{R})$
|
|
\State \quad \textbf{else}
|
|
\State \qquad $\sum[m] \randomsample \{0,1\}^{2b}$
|
|
\State \Return $\sum[m]$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\hrule
|
|
\caption{Adversary $\adversary{B}$ breaking \igame}
|
|
\label{fig:adversary_igame}
|
|
\end{figure}
|
|
|
|
\item To prove (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates the view of $\adversary{A}$ in $G_0$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game, and the adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is perfectly simulated because the \ioracle oracle also outputs a uniformly random 2b-bit bitstring. For this reason, $H$ returns a uniformly random 2b-bit bitstring for all queries, as expected.
|
|
|
|
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that:
|
|
|
|
\begin{align*}
|
|
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
|
|
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
|
|
\Leftrightarrow 2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A} \\
|
|
\Leftrightarrow \groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}
|
|
\end{align*}
|
|
|
|
Therefore, $S$ is a valid solution for the \igame game.
|
|
|
|
\item The runtime of adversary $\adversary{B}$ is clearly ppt, since it just outputs the solution of adversary $\adversary{A}$, and in the random oracle it either calls the \ioracle oracle or samples a value uniformly at random.
|
|
|
|
\item This proves theorem \ref{theorem:adv_igame}.
|
|
\end{proof} |