159 lines
9.0 KiB
TeX
159 lines
9.0 KiB
TeX
\subsection{Digital Signature Scheme}
|
|
|
|
A digital signature scheme is a method to ensure the authenticity of data. The signer, which is in the possession of a private key, generates a signature for specific message. The verifier then is able to verify the authenticity of this data using the public key and the generated signature.
|
|
|
|
\begin{definition}
|
|
A digital signature scheme SIG = (\keygen,\sign,\verify) is a tuple of algorithms.
|
|
|
|
\begin{itemize}[label={}]
|
|
\item \textbf{\keygen}: The key generation algorithm, which upon receiving the schema parameter as input outputs a matching tuple of public and private key.
|
|
\item \textbf{\sign}: The signature algorithm, which upon receiving the secret key and the message outputs a signature for that message.
|
|
\item \textbf{\verify}: The verification algorithm, which upon receiving the public key, the message and the signature decides whether the signature is valid for the specific set of input parameters.
|
|
\end{itemize}
|
|
|
|
For the digital signature scheme to be correct it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$
|
|
\end{definition}
|
|
|
|
A common security notion for digital signature schemes is the existential unforgeability under chosen message attack security (EUF-CMA). It requires that no adversary is able to forge a signature, for a given key, on a message for which they have not been provided with a valid signature. A stronger notion that is often used is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and had to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions with $N=1$.
|
|
|
|
\subsubsection{MU-EUF-CMA}
|
|
|
|
\begin{definition}[MU-EUF-CMA]
|
|
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
|
|
|
|
\[ \advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \assign \prone{\text{MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter) \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\normalsize
|
|
\vspace{1mm}
|
|
\begin{algorithmic}
|
|
\Statex \underline{\game $\text{MU-EUF-CMA}$}
|
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
|
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
|
|
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*) \notin M$
|
|
\end{algorithmic}
|
|
\vspace{2mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
|
|
\State $\signature \randomassign \sign(\privkey_i, \m)$
|
|
\State $M \assign M \cup \{(\pubkey_i, \m)\}$
|
|
\State \Return $\signature$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{MU-EUF-CMA Security Game}
|
|
\label{game:mu-euf-cma}
|
|
\end{figure}
|
|
|
|
\subsubsection{MU-SUF-CMA}
|
|
|
|
\begin{definition}[MU-SUF-CMA]
|
|
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-SUF-CMA game be defined in figure \ref{game:mu-suf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
|
|
|
|
\[ \advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \assign \prone{\text{MU-SUF-CMA}^{\adversary{A}}} \leq negl(\secparamter) \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\normalsize
|
|
\vspace{1mm}
|
|
\begin{algorithmic}
|
|
\Statex \underline{\game $\text{MU-SUF-CMA}$}
|
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
|
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
|
|
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$
|
|
\end{algorithmic}
|
|
\vspace{2mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
|
|
\State $\signature \randomassign \sign(\privkey_i, \m)$
|
|
\State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
|
|
\State \Return $\signature$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{MU-SUF-CMA Security Game}
|
|
\label{game:mu-suf-cma}
|
|
\end{figure}
|
|
|
|
\subsubsection{MU-UF-NMA}
|
|
|
|
The MU-UF-NMA security game is similar to the MU-EUF-CMA game. The only difference is that the adversary does not has access to an oracle to obtain valid signatures for arbitrary messages. Again the UF-NMA security notation is a special case of the MU-UF-NMA security notation with $N=1$.
|
|
|
|
\begin{definition}[MU-UF-NMA]
|
|
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-UF-NMA game be defined in figure \ref{game:mu-uf-nma}. $SIG$ is MU-UF-NMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
|
|
|
|
\[ \advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq negl(\secparamter) \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\begin{algorithmic}[1]
|
|
\State \underline{\game $\text{MU-UF-NMA}$}
|
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
|
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey_1, \pubkey_2, \pubkey_n)$
|
|
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{MU-UF-NMA Security Game}
|
|
\label{game:mu-uf-nma}
|
|
\end{figure}
|
|
|
|
\subsection{Security Assumptions}
|
|
|
|
This thesis proves the security of the EdDSA signature scheme under two assumptions. The single-user security of EdDSA can be proved under the discrete logarithm assumption, while the multi-user security of EdDSA requires the stronger one-more discrete logarithm assumption. Both security assumptions are presented in this section.
|
|
|
|
\subsubsection{Discrete Logarithm Problem}
|
|
|
|
\begin{definition}[Discrete Logarithm Problem]
|
|
Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. Let the discrete logarithm game be defined in figure \ref{game:dlog}. The advantage of an adversary $\adversary{A}$ is defined by its ability to win the discrete logarithm game.
|
|
|
|
\[ \advantage{\group{G}, \adversary{A}}{Dlog} \assign \prone{\text{Dlog}^{\adversary{A}}} \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game Dlog}
|
|
\State $a \randomsample \field{L}$
|
|
\State $\groupelement{A} \assign a \groupelement{B}$
|
|
\State $a' \randomassign \adversary{A}(\groupelement{A})$
|
|
\State \Return $a \test a'$
|
|
\end{algorithmic}
|
|
\vspace{1mm}
|
|
\hrule
|
|
\caption{Dlog}
|
|
\label{game:dlog}
|
|
\end{figure}
|
|
|
|
\subsubsection{One-More Discrete Logarithm}
|
|
|
|
The one-more discrete logarithm assumption is stronger than the discrete logarithm assumption. In this assumption the adversary is supplied with $N$ group elements and an oracle to obtain the discrete logarithm of up to $N-1$ group elements. The task of the adversary is to output the discrete logarithm for all supplied group elements.
|
|
|
|
\begin{definition}[One-More Discrete Logarithm Problem]
|
|
Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. Let the one-more discrete logarithm game be defined in figure \ref{game:om-dlog}. The advantage of an adversary $\adversary{A}$ is defined by its ability to win the one-more discrete logarithm game.
|
|
|
|
\[ \advantage{\group{G}, \adversary{A}}{OM-Dlog} \assign \prone{\text{OM-Dlog}^{\adversary{A}}} \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game OM-Dlog}
|
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
|
\State \quad $a_i \randomsample \field{L}$
|
|
\State \quad $\groupelement{A_i} \assign a \groupelement{B}$
|
|
\State $\overset{\rightharpoonup}{a'} \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
|
\State \Return $\forall i \in \{1,2,...,N\}: a_i \test a'_i$
|
|
\end{algorithmic}
|
|
\vspace{1mm}
|
|
\hrule
|
|
\caption{One-More Discrete Logarithm}
|
|
\label{game:om-dlog}
|
|
\end{figure} |