\subsection{\sdlog $\Rightarrow$ \igame (AGM)}
%TODO check if all c_i's are replaced by chall_i
This section shows that \sdlog implies \igame using the Algebraic Group Model. The section first introduces a special variant of the discrete logarithm problem, then gives an intuition for the proof, and finally presents a detailed security proof.
\paragraph{\underline{Introducing \sdlog}}
The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the standard discrete logarithm game is that the secret scalar is not chosen uniformly at random from $\field{L}$, with $L$ being the order of the generator, but rather from the set $\{2^{n-1}, 2^{n-1} + 8, \dots, 2^{n} - 8\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in Section~\ref{sec:sdlog}. The \sdlog game is depicted in Figure~\ref{fig:sdlog}.
\begin{definition}[\sdlog]
For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as follows:
\[ \advantage{\adversary{A}}{\sdlog}(k) \assign | \Pr[\sdlog \Rightarrow 1] | \]
\end{definition}
\begin{figure}
\hrule
\begin{algorithmic}[1]
\Statex \underline{\game \sdlog}
\State \quad $a \randomsample \{ 2^{n-1}, 2^{n-1} + 8, \dots, 2^{n} - 8 \}$
\State \quad $\groupelement{A} \assign a \groupelement{B}$
\State \quad $a' \randomassign \adversary{A}(\groupelement{A})$
\State \quad \Return $a \test a'$
\end{algorithmic}
\hrule
\caption{\sdlog}
\label{fig:sdlog}
\end{figure}
\begin{theorem}
\label{theorem:advgamez}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\igame}(k) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(k) + \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Proof Overview}}
The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of the Algebraic Group Model, the adversary also has to provide a representation of the group element $\groupelement{R}$ as a linear combination of all group elements known to it. Since only the generator of the group and the public key are known to the adversary, the representation has the form $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Together with a valid solution to the \igame game, this representation can be used to calculate the discrete logarithm of the public key.
% TODO: clarify encoding of c
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State \quad $a \randomsample \{2^{n-1}, 2^{n-1} + 8, \dots, 2^n - 8\}$
\State \quad $\groupelement{A} \assign a \groupelement{B}$
\State \quad $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \quad \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\groupelement{R}^*, \ch^*) \in Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
\State \quad Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State \quad $\ch_i \randomsample \{0,1\}^{2b}$
\BeginBox[draw=blue]
\State \quad \textbf{If} $2^c \ch_i \equiv -r_2 \pmod L$ \textbf{then}
\State \qquad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \qquad $abort$
\EndBox
\EndBox
\State \quad $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
\State \quad \Return $\ch_i$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Games $G_0$--$G_2$}
\label{fig:igamewithabort}
\end{figure}
\paragraph{\underline{Formal Proof}}
\begin{proof}
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be \igame. By definition,
% TODO: Hier Sicherheitsparameter?
\[ \advantage{\group{G},\adversary{A}}{\igame}(k) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_1$:}} Game $G_1$ is identical to $G_0$, the only change being that the flag $bad$ is set inside an additional if condition. The flag is set if $2^c \ch_i \equiv -r_2 \pmod L$. This captures the cases in which a solution of the adversary $\adversary{A}$ cannot be used to calculate the discrete logarithm of $\groupelement{A}$. This is a purely conceptual change, since the behavior of the game does not depend on whether the flag is set. Hence,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag $bad$ is set. For each individual \ioracle query, the flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$: $\ch_i$ is chosen by the game only after the adversary has provided the representation of $\groupelement{R_i}$ and therefore the value of $r_2$, so the adversary cannot choose $r_2$ depending on $\ch_i$ and cannot influence the probability of the abort being triggered. Here $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min-entropy of $\ch_i \bmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ in the check of the if condition. Before the reduction there are $2^{2b}$ possible values for $\ch_i$; after the reduction modulo $L$ there are $\min\{2^{2b}, L\}$ possible values left. If $L$ is smaller than $2^{2b}$ (which is the case in most instantiations of EdDSA), the reduced $\ch_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could exploit this non-uniformity, the bound has to use the min-entropy of $\ch_i \bmod L$, which takes it into account. By the union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
% TODO: Müsste das nicht floor statt ceil sein?
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\item Finally, game $G_2$ is set up to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(k) \label{eq:advbsdlog}
\end{align}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
\State \quad $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \quad \textbf{If} $\nexists \agmgroupelement{R^*}{r^*}, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q$ \textbf{then}
\State \qquad $abort$
\State \quad Let $\groupelement{R}^* = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State \quad \Return $(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
\State \quad Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A}$
\State \quad $\ch_i \randomsample \{0,1\}^{2b}$
\State \quad \textbf{If} $2^c \ch_i \equiv -r_2 \pmod L$ \textbf{then}
\State \qquad $bad \assign true$
\State \qquad $abort$
\State \quad $Q \assign Q \cup \{ (\agmgroupelement{R_i}{r_i}, \ch_i) \}$
\State \quad \Return $\ch_i$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Adversary $\adversary{B}$ breaking \sdlog}
\label{fig:adversarybsdlog}
\end{figure}
To prove \eqref{eq:advbsdlog}, we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$, formally defined in Figure~\ref{fig:adversarybsdlog}, is run in the \sdlog game and simulates the oracle \ioracle for adversary $\adversary{A}$. The public key $\groupelement{A}$ that $\adversary{B}$ receives from the \sdlog game has the same distribution as in $G_2$, and $\adversary{B}$ answers queries and aborts exactly as the oracle in $G_2$ does, so \ioracle is simulated perfectly.
Finally, consider the output $s^*$ of $\adversary{A}$. If $\adversary{A}$ wins, there is a pair $(\groupelement{R}^*, \ch^*) \in Q$ with $\groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$. Combining this with the representation $\groupelement{R}^* = r_1 \groupelement{B} + r_2 \groupelement{A}$ yields the following equations:
\begin{align*}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \\
(r_2 + 2^c \ch^*) \groupelement{A} &= (2^c s^* - r_1) \groupelement{B} \\
\groupelement{A} &= (2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1} \groupelement{B}.
\end{align*}
Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e., not equal to $0$), which is ensured by the abort in $G_2$ (the oracle aborts whenever $2^c \ch_i \equiv -r_2 \pmod L$), the last equation yields the discrete logarithm of $\groupelement{A}$, namely $(2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1}$, which is exactly the value returned by $\adversary{B}$.
\item This proves Theorem~\ref{theorem:advgamez}.
\end{proof}