\subsection{\igame $\Rightarrow$ UF-NMA (ROM)}
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the Algebraic Group Model. The section first provides an intuition for the proof, followed by the detailed security proof.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is achieved by replacing the random oracle by the \ioracle oracle, which takes a commitment and outputs a challenge. This also strips away the message and focuses on the forgery of an arbitrary message. The \igame game is depicted in Figure~\ref{game:igame}.
\begin{definition}[\igame]
For an adversary $\adversary{A}$ we define its advantage in the \igame game as follows:
\[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign \lvert \Pr[\igame^{\adversary{A}} \Rightarrow 1] \rvert. \]
\end{definition}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game \igame}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, \dots, 2^n - 8\}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \wedge (\groupelement{R}^*, \ch^*) \in Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\groupelement{R}_i \in \group{G}$)}
\State $\ch_i \randomsample \{0,1\}^{2b}$
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
\State \Return $\ch_i$
\end{algorithmic}
\end{multicols}
\hrule
\caption{\igame}
\label{game:igame}
\end{figure}
\begin{theorem}
\label{theorem:adv_igame}
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}_{\text{EdDSA}}$. Then there exists an adversary $\adversary{B}$ against \igame such that
\[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\igame}(\secparamter). \]
\end{theorem}
\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
\paragraph{\underline{Formal Proof}}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \Sigma[m] = \bot \textbf{ then}$
\State \quad $\Sigma[m] \randomsample \{0,1\}^{2b}$
\State \Return $\Sigma[m]$
\end{algorithmic}
\end{multicols}
\hrule
\caption{$G_0$}
\label{fig:igame_implies_uf-nma}
\end{figure}
\begin{proof}
\paragraph{\underline{$G_0$}} Let $G_0$ be the game defined in Figure~\ref{fig:igame_implies_uf-nma}, which is exactly the game $\text{UF-NMA}_{\text{EdDSA}}$. By definition,
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
We now show that there exists an adversary $\adversary{B}$ satisfying
\begin{equation}
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\igame}(\secparamter). \label{eq:adv_igame}
\end{equation}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A})$}
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
\State \Return $S$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \Sigma[m] = \bot \textbf{ then}$
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R} \in \curve \textbf{ then}$
\State \qquad $\Sigma[m] \randomsample \ioracle(2^c \groupelement{R})$
\State \quad \textbf{else}
\State \qquad $\Sigma[m] \randomsample \{0,1\}^{2b}$
\State \Return $\Sigma[m]$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Adversary $\adversary{B}$ breaking \igame}
\label{fig:adversary_igame}
\end{figure}
To prove \eqref{eq:adv_igame}, we define an adversary $\adversary{B}$ attacking \igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$, formally defined in Figure~\ref{fig:adversary_igame}, is run in the \igame game and simulates the random oracle $H$ for adversary $\adversary{A}$. The simulation of $H$ is perfect: every fresh query is answered with a uniformly random string from $\{0,1\}^{2b}$, either sampled directly or obtained from \ioracle.
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. If $\signature^*$ is a valid signature on $\m^*$, the following holds:
\begin{align*}
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A} \\
\groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}.
\end{align*}
Therefore, with $\groupelement{R}' \assign 2^c \groupelement{R}$, the pair $(\groupelement{R}', \ioracle(\groupelement{R}'))$ was recorded in $Q$ when $\adversary{B}$ answered the query $H(\encoded{R} | \encoded{A} | m)$, and $S$ is a valid solution for the \igame game.
This proves Theorem~\ref{theorem:adv_igame}.
\end{proof}