126 lines
10 KiB
TeX
126 lines
10 KiB
TeX
\section{Preliminaries}
|
|
|
|
\subsection{Code-based reduction proofs}
|
|
|
|
To perform the security proof of the EdDSA signature scheme code based game playing proofs are used as introduced in \cite{EC:BelRog06}. For this proofs an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output from the adversary. The game then decides, depending on the output of the adversary, whether the adversary won or not. In addition the adversary might get oracle access to one or more procedures, meaning that the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The advantage of the adversary in a game describes its ability to win the game more reliably than using generic attacks (e.g. guessing the answer to the game).
|
|
|
|
During the proof these games are being modified until an adversary against the modified game can also be used as an adversary against another game. This method is called a reduction proof. It shows that one problem (described by one game) can be reduced to another problem. In other words it says that if problem A can be reduced onto problem B any algorithm solving problem A can be transformed into an algorithm solving problem B.
|
|
|
|
\subsubsection{Identical-Until-Bad Games}
|
|
|
|
While modifying the games it has to be ensured that the advantage for an attacker to distinguish between the original and modified game is negligible. This can be achieved by constructing so called identical-until-bad games.
|
|
|
|
\begin{definition}[identical-until-bad games \cite{EC:BelRog06}]
|
|
Two games are called identical-until-bad games if they are syntactically equivalent except for instructions following the setting of a bad flag to true.
|
|
\end{definition}
|
|
|
|
\begin{lemma}[Fundamental lemma of game-playing \cite{EC:BelRog06}]
|
|
Let G and H be identical-until-bad games and let $\adversary{A}$ be an adversary. Then,
|
|
|
|
\[ Adv(G^{\adversary{A}}, H^{\adversary{A}}) = |\prone{G^{\adversary{A}}} - \prone{H^{\adversary{A}}}| \leq \Pr[bad] \]
|
|
\end{lemma}
|
|
|
|
This means that the advantage to distinguish between two identical-until-bad games is bound by the probability of the bad flag being set.
|
|
|
|
\input{sections/notation}
|
|
|
|
\input{sections/security_notions}
|
|
|
|
\subsection{Fiat-Shamir Transformation}
|
|
|
|
The Fiat-Schamir transformation is a transformation which creates a digital signature scheme from a canonical identification scheme. The transformation was introduces by Fiat-Schmir in 1986 \cite{C:FiaSha86}. To transform a canonical identification scheme into a signature scheme it has to be become non-interactive. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the proofer. This is a crucial part for the security of the scheme since otherwise the proofer might be able to choose a commitment and solution in a way that lets him generate a valid transcript without being in the possession of the secret key.
|
|
|
|
The Fiat-Schamir transformation replaces the verifier by a pseudorandom function. This pseudorandom function takes the commitment and a a message as input and outputs the challenge. Now the challenge is computable by the proofer without the need to interact with another party. With this the proofer is able to calculate the response. The commitment together with the solution can now be considered a signature for that message. To verify the signature a verifier can use the same pseudorandom function to calculate the challenge based on the commitment and the message and apply the verification algorithm from the canonical identification scheme to verify the solution and thereby the validity of the signature. In practice a hash function is often used as the pseudorandom function. The Fiat-Schamir transformation is depicted in figure \ref{fig:fs-transformation}.
|
|
|
|
If the canonical identification scheme is IMP-PA secure then the digital signature scheme, resulting from the Fiat-Schamir transformation of that canonical identification scheme, is UF-CMA secure in the random oracle model (the meaning of the random oracle model will be explained in section \ref{sec:rom}) \cite{EC:PoiSte96}. %TODO: Ist das das richtige Paper?
|
|
|
|
\begin{figure}[H]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\begin{multicols}{3}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{KeyGen}(par)}
|
|
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
|
\State \Return $(\pubkey, \privkey)$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{Sign}(\privkey, \m)}
|
|
\State $(R, st) \randomassign P_1(\privkey)$
|
|
\State $\ch \assign F(R|\m)$
|
|
\State $s \assign P_2(\privkey, R, \ch, st)$
|
|
\State \Return $(R, s)$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{Verify}(\pubkey, \m, $\signature \assign (R,s)$)}
|
|
\State $\ch \assign F(R|\m)$
|
|
\State \Return $V(\pubkey, R, \ch, s)$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
|
|
\hrule
|
|
\caption{Fiat-Schamir transformation of a CID \assign (KeyGen, P, V)}
|
|
\label{fig:fs-transformation}
|
|
\end{figure}
|
|
|
|
\subsection{Schnorr Signatures}
|
|
|
|
The Schnorr signature scheme is a signature scheme which was introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. The Schnorr signature scheme proved to be a robust and efficient signature scheme. For two prime numbers $p$ and $q$ with $q|p-1$ and and element $g \in \field{p}$ with order $q$ the Schnorr signature scheme is depicted in figure \ref{fig:schorr}. Since the scheme is defined on $\field{p}$ multiplicative notation is used for this scheme as an exception.
|
|
|
|
\begin{figure}[H]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\begin{multicols}{3}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{KeyGen}(par)}
|
|
\State $x \randomsample \field{q}$
|
|
\State \Return $(X \assign g^x, x)$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{Sign}($s$, \m)}
|
|
\State $r \randomsample \field{q}$
|
|
\State $R \assign g^r$
|
|
\State $\ch \assign H(R|m)$
|
|
\State $s \assign r + s \ch \pmod q$
|
|
\State \Return $(R, s)$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{Verify}(\pubkey, \m, $\signature \assign (R,s)$)}
|
|
\State $\ch \assign F(R|\m)$
|
|
\State \Return $R \test g^s X^{-H(R|m)}$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
|
|
\hrule
|
|
\caption{Schnorr Signature Scheme}
|
|
\label{fig:schorr}
|
|
\end{figure}
|
|
|
|
\subsection{Elliptic Curves}
|
|
|
|
\subsection{Random Oracle Model (ROM)}
|
|
\label{sec:rom}
|
|
|
|
Some of the following proofs are conducted in the random oracle model. The random oracle model was introduces by Bellare and Rogaway in 1993 \cite{CCS:BelRog93}. In the random oracle model some primitives (in this case hash functions) are modeled as public random oracles. Meaning that instead of calling the hash function the adversary has to call the random oracle supplied by the challenger. This random oracle has to behave like a truly random function.
|
|
|
|
To simulate a truly random function in polynomical time a process called "lazy-sampling" can be used. Lazy-sampling means that the challenger has a table which at the start is empty. When the adversary quries a value from the random oracle the challenger checks if that input is in the table. If the input is in the table the challenger returns the output value according to the table. Otherwise the challenger chooses an output value from a uniform random distribution and inserts it into the table for this specific input value. Then the challenger returns this value.
|
|
|
|
This method allows observing and influencing the behavior of the adversary. Since the random oracle behaves like a truly random function the adversary has to query the random oracle to know the output value for an specific input value. Therefore the challenger can observe any input value to the random oracle. Also the challenger has the ability to program specific output values of the random oracle as long as it is correctly distributed and is consistent. Consistent meaning that the random oracle should at no time output two different values for the same input value.
|
|
|
|
%TODO: Kann man das so schreiben?
|
|
Especially the programmability of the random oracle will be used in the following proofs and should be kept in mind.
|
|
|
|
\subsection{Algebraic Group Model (AGM)}
|
|
|
|
The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an oracle parameter. For example if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs the group element $\groupelement{C}$ and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$.
|
|
|
|
\subsection{Generic Group Model (GGM)}
|
|
|
|
Unlike the random oracle model or the algebraic group model the generic group model is not used to build reductions from one to another problem. It is rather used to get information theoretic lower bound on the complexity of generic adversaries against a certain problem. Generic algorithms are algorithms that only perform the defined group actions on group elements and do not exploit group specific representations of the element.
|
|
|
|
The generic group model was first introduced by Shoup 1997 \cite{EC:Shoup97}. In this paper Shoup proved a information theoretic lower bound on the discrete logarithm problem. He archived that by replacing group elements by labels which are random bitstrings. This way he hid all group specific representations of the elements. Group actions are only able via oracles, which are provided to the adversary by the challenger. The only action the adversary can perform on its own is to compare elements for equality by comparing labels.
|
|
|
|
In 2005 Maurer proposed an alternative proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup. |