56 lines
8.6 KiB
TeX
56 lines
8.6 KiB
TeX
\section{Preliminaries}
|
|
|
|
\input{sections/notation}
|
|
|
|
\subsection{Code-based reduction proofs}
|
|
|
|
To perform the security proof of the EdDSA signature scheme, code-based game playing proofs are used. as introduced in \cite{EC:BelRog06}. In these proofs, an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output back from it. The game then decides, depending on the output of the adversary, whether it has won or not. In addition the adversary might get access to one or more procedures, of which the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The adversary's advantage in a game is the adversary's ability to win the game more reliably than through the use of trivial attacks, such as guessing the answer to the game.
|
|
|
|
During the proof, these games are being modified until an adversary $\adversary{B}$ against another problem can be constructed, that simulates the view of an adversary against the modified game. For each modification, it must be argued that there is only a negligible probability that this modification can be detected by an adversary. The adversary $\adversary{B}$ is called a reduction. By constructing an adversary $\adversary{B}$ against another problem it can be shown that any adversary attacking the modified game, simulated by adversary $\adversary{B}$, can also be used to break another game, attacked by adversary $\adversary{B}$. In other words, it says that if problem A can be reduced onto problem B, any algorithm solving problem A can be transformed into an algorithm solving problem B. This can be used to show the security of cryptographic schemes by transforming all adversaries $\adversary{A}$ against the security of the cryptographic scheme into an adversary $\adversary{B}$ attacking a hard mathematic assumption, to which it is believed that no efficient adversary exists.
|
|
|
|
\subsubsection{Identical-Until-Bad Games}
|
|
|
|
While modifying the games it has to be ensured that the advantage for an attacker to distinguish between the original and modified game is negligible. This can be achieved by constructing so called identical-until-bad games.
|
|
|
|
\begin{definition}[Identical-until-bad games \cite{EC:BelRog06}]
|
|
Two games are called identical-until-bad games if they are syntactically equivalent except for instructions following the setting of a bad flag to true.
|
|
\end{definition}
|
|
|
|
\begin{lemma}[Fundamental lemma of game-playing \cite{EC:BelRog06}]
|
|
Let G and H be identical-until-bad games and let $\adversary{A}$ be an adversary. Then,
|
|
|
|
\[ |\prone{G^{\adversary{A}}} - \prone{H^{\adversary{A}}}| \leq \Pr[bad] \]
|
|
\end{lemma}
|
|
|
|
This means that the advantage to distinguish between two identical-until-bad games is bound by the probability of the bad flag being set.
|
|
|
|
\input{sections/security_notions}
|
|
|
|
\subsection{Elliptic Curves}
|
|
|
|
The EdDSA signature scheme has been defined using twisted Edwards curves as the underlying group structure. Twisted Edwards curves are a special form of elliptic curves. For the proofs performed in this thesis, no specific properties of twisted Edwards curves are used. Therefore, they will not be introduced in great detail. For more details on twisted Edwards curves, see the paper by Bernstein et al. \cite{EPRINT:BBJLP08}. The use of twisted Edwards curves in EdDSA is mainly for performance reasons \cite{CHES:BDLSY11}.
|
|
|
|
The proofs only assume that the underlying group is albian, which is true for every elliptic curve. Later, the hardness of a special variant of the discrete logarithm assumption is analyzed in the generic group model, to calculate the concrete security level of EdDSA. For proofs in the generic group model to apply the underlying group must be generic, which is widely assumed to be true for elliptic curves. A group is generic if just the well-defined group operations can be performed on the group elements. For elliptic curves the additive group notation is used.
|
|
|
|
Elliptic curves also have a property called the cofactor. The cofactor of an elliptic curve refers to the number of points on the elliptic curve divided by the number of points in a particular subgroup. The EdDSA signature scheme is not defined to use the entire twisted Edwards curve but instead uses the largest prime order subgroup of that twisted Edwards curve. Therefore, if the number of points on the twisted Edwards curve is $N$ and the order of the prime order subgroup is $L$, the cofactor with respect to this subgroup is $\frac{N}{L}$.
|
|
|
|
\subsection{Random Oracle Model (ROM)}
|
|
\label{sec:rom}
|
|
|
|
Some of the following proofs are conducted in the random oracle model. The random oracle model was introduced by Bellare and Rogaway in 1993 \cite{CCS:BelRog93}. In the random oracle model some primitives (in this case hash functions) are modeled as public random oracles. This means that instead of calling the hash function, the adversary has to call the random oracle provided by the challenger. This random oracle must behave like a true random function.
|
|
|
|
To simulate a truly random function in polynomial time, a process called "lazy-sampling" can be used. Lazy-sampling means that the challenger has a table that starts out empty. When the adversary queries a value from the random oracle, the challenger checks if that input is in the table. If the input is in the table, the challenger returns the output value according to the table. Otherwise, the challenger chooses an output value from a uniform random distribution and inserts it into the table for that particular input value. The challenger then returns that value.
|
|
|
|
The random oracle paradigm allows the challenger to observe and influence the behavior of the adversary. Since the random oracle behaves like a truly random function, the adversary must query the random oracle to know the output value for a given input value. Therefore, the challenger can observe any input value the adversary would have used to the hash function. Also, the challenger has the ability to program specific output values of the random oracle, as long as it is correctly distributed and consistent. Consistent means that at no time should the random oracle output two different values for the same input value.
|
|
|
|
\subsection{Algebraic Group Model (AGM)}
|
|
|
|
The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model, all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an parameter to an oracle query. For example, if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs, the group element $\groupelement{C}$, and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$.
|
|
|
|
\subsection{Generic Group Model (GGM)}
|
|
|
|
Unlike the random oracle model or the algebraic group model the generic group model is not used to construct reductions from one problem to another. Rather, it is used to obtain information-theoretic lower bounds on the complexity of generic adversaries against a given problem. Generic algorithms are algorithms that perform only the defined group operations on group elements and do not exploit group-specific representations of the element.
|
|
|
|
The generic group model was first introduced by Shoup in 1997 \cite{EC:Shoup97}. In the generic group model the adversary does not work directly with the group elements directly. Instead the challenger provides the adversary with random bitstrings, called labels, instead of group elements. Each unique label represents an unique group element. The adversary can then use oracles to perform the defined group operations on the group elements, represented by labels. The challenger then responds with the label of the resulting group element. In this way, every structure of the group is hidden from the adversary, as it works only with random labels. The only operation the adversary can perform on its own is to compare group elements for equality by comparing labels.
|
|
|
|
In 2005, Maurer proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup. |