\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA sp}}$} \label{proof:uf-nma_implies_suf-cma}

This section shows that the EUF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing in the random oracle model. The section begins with an intuition for the proof, followed by the detailed security proof.

\begin{theorem}[\cite{SP:BCJZ21}]
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}

\paragraph{\underline{Proof Overview}} The EUF-NMA security definition is close to the \cma security definition, but lacks the \Osign oracle. To show that EUF-NMA security implies \cma security, the reduction must simulate the \Osign oracle without knowledge of the private key.

The EdDSA signature scheme is based on the Schnorr signature scheme, which is a canonical identification scheme to which the Fiat-Shamir transformation is applied. This means that EdDSA roughly follows the structure of a canonical identification scheme: it first computes a commitment $R$, then a challenge $\ch$ using the hash function, and finally a response $S$ from the commitment, the challenge, and the private key. The signature is the tuple of commitment and response.

To generate a signature without knowing the private key, the challenge and the response are chosen at random, and the commitment is computed from the chosen challenge and response. The random oracle is then programmed to output the challenge on the input consisting of the commitment and the message. In this way, the resulting tuple of commitment and response is a valid signature for the given message.

For the reduction to be able to program the random oracle, the adversary must not have queried the hash function on this exact input before asking for the signature. The input to the hash query includes the commitment, which is the output of a random function and therefore unknown to the adversary prior to the \Osign query, so the adversary can only guess it.

This method of simulating the \Osign oracle and the resulting loss of advantage was first introduced in \cite{SP:BCJZ21}.

\paragraph{\underline{Formal Proof}}

\begin{figure}
\hrule
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\simalg(\groupelement{A})}
\State $\textbf{ch} \randomsample \{0,1\}^{2b}$
\State $s \randomsample \{0,1\}^{2b}$
\State $S \assign \sum_{i=0}^{2b-1} 2^i s_i \pmod L$
\State $R \assign S\groupelement{B} - \textbf{ch}\groupelement{A}$
\State \Return $(\encoded{R}, \textbf{ch}, S)$
\end{algorithmic}
\hrule
\caption{\simalg}
\label{fig:sim}
\end{figure}

\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \assign 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $\groupelement{A} \assign s \groupelement{B}$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin \pset{Q}$
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
\Comment{$G_0 - G_2$}
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... | h_{2b-1} | \m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign r\groupelement{B}$
\BeginBox[draw=black]
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | \m)) \pmod L$
\Comment{$G_0$}
\EndBox
\BeginBox[draw=blue]
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
\Comment{$G_1 - G_2$}
\State \quad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\Comment{$G_2$}
\EndBox
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] = \bot \textbf{ then}$
\State \quad $\sum[\encoded{R} | \encoded{A} | \m] \randomsample \{0,1\}^{2b}$
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | \m]) \pmod L$
\EndBox
\State $\signature \assign (\encoded{R}, S)$
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{multicols}{2}
\begin{algorithmic}
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[\m]$
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\BeginBox[draw=green]
\State \underline{\oracle \sign($\m \in \messagespace$)}
\Comment{$G_3$}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A} | \m] \assign \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
\State \Return $\signature$
\EndBox
\end{algorithmic}
\end{multicols}
\hrule
\caption{Games $G_0 - G_3$}
\label{fig:uf-nma_implies_suf-cma_games}
\end{figure}

\begin{proof}
\item The proof begins by providing an algorithm that generates a correctly distributed tuple of commitment, challenge, and response. This algorithm is called \simalg and is shown in figure~\ref{fig:sim}. The procedure is taken from \cite{SP:BCJZ21}, where a proof of its correctness can be found. The formula for the min-entropy of the commitment $\groupelement{R}$ is also taken from that paper.

\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined as in figure~\ref{fig:uf-nma_implies_suf-cma_games} with all boxes removed except the black one. Clearly $G_0$ is the game $\text{\cma}$ for EdDSA. By definition,
\[ \advantage{\group{G},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]

\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a $bad$ flag in the \Osign oracle, which is set if the hash value for the challenge is already defined before the \Osign oracle is called. In this case the adversary has already queried the challenge for that signature, so the challenger cannot program the random oracle on that input. Without being able to program the random oracle, the challenger is not able to generate a valid signature without knowing the private key. This change is purely conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore,
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]

\item \paragraph{\underline{$G_2:$}} $G_2$ additionally contains the abort statement in the red box. The abort is triggered when the $bad$ flag is set. Without loss of generality, it is assumed that the adversary queries the \sign oracle at most once per message, since the generated signature is deterministic and an adversary would not gain more information from repeated queries on the same message. The only input to the hash function that is unknown to the adversary prior to calling the \sign oracle is the commitment $\groupelement{R}$. To trigger the abort condition, the adversary must guess the commitment $\groupelement{R}$ used in one of the \sign queries. The min-entropy of $\groupelement{R}$ is $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$: $r'$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ when multiplied by the generator $\groupelement{B}$. Initially there are $2^{2b}$ possible values for $r'$; after the reduction modulo $L$ there are $\min\{2^{2b}, L\}$ possible values. If $L$ is less than $2^{2b}$ (which is the case in most instances of EdDSA), the reduced values are not uniformly distributed in $\field{L}$. Since an adversary could exploit this bias, the min-entropy of $\groupelement{R}$, which takes it into account, must be used. Hence, for each individual signature query, the probability that the $bad$ flag is set is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$, and by the union bound over all $\oraclequeries$ oracle queries we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]

\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle with the one in the green box. The signature is now generated not with the secret key but with the \simalg procedure, and the result of the hash function call is set manually. This change is conceptual only: \simalg returns a correctly distributed tuple $(R, \ch, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \ch \groupelement{A}$, and it has been excluded that $H'(\encoded{R} | \encoded{A} | \m)$ is already set before the \sign oracle is called, so the random oracle can be programmed to output $\ch$ on the query $H'(\encoded{R} | \encoded{A} | \m)$. This ensures that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H'(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ that was generated without using the private key $s$. Therefore,
\[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \]

\item Finally, game $G_3$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter). \label{eq:adv_uf-nma}
\end{align}

\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A} | \m] \assign \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $\pset{Q} \assign \pset{Q} \cup \{(\m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}
\Statex \underline{\oracle $H'(\m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
\State \quad $\sum[\m] \assign H(\m)$
\State \Return $\sum[\m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{EUF-NMA}$}
\label{fig:adversarybuf-nma}
\end{figure}

To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ attacking $\text{EUF-NMA}$ is defined that simulates the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure~\ref{fig:adversarybuf-nma}, is run in the $\text{EUF-NMA}$ game and simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the EUF-NMA challenger whenever they were not set by the reduction itself.

Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|\m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every pair $(R, \m)$ there is exactly one valid encoded $S$ that satisfies the equation, so a new valid signature cannot be obtained by merely changing the $S$ value of an already valid signature; $R$ or $\m$ must be changed as well. Since $R$ and $\m$ are inputs to the hash query that generates the challenge, the result of this hash query is passed from the hash oracle $H$ provided to the adversary $\adversary{B}$ instead of being set by $\adversary{B}$ itself. The existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem either: if another representation of the same $\groupelement{R}$ is chosen, its hash value for the corresponding challenge has not been set by $\adversary{B}$ and therefore must have been passed from the EUF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|\m^*) = H(\encoded{R^*}|\encoded{A}|\m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|\m^*) \groupelement{A}\\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|\m^*) \groupelement{A}.
\end{align*}

This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the EUF-NMA game.

\item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. Simulating a \Osign query only executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ only forwards the query to the hash function $H$, and the adversary $\adversary{B}$ only runs $\adversary{A}$ and outputs its forged signature.

\item This proves theorem~\ref{theorem:adv_uf-nma}.
\end{proof}

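The min-entropy argument for the commitment $\groupelement{R}$ in game $G_2$, as an added worked computation that is not part of the original text or of \cite{SP:BCJZ21}: for constructed toy parameters small enough to enumerate, it counts how the $2^{2b}$ nonce values fall onto the residues modulo $L$, compares the probability of the most likely residue with the bound $\lceil \frac{2^{2b}-1}{L} \rceil 2^{-2b}$ used in the proof, and evaluates the resulting loss term $\oraclequeries \hashqueries \lceil \frac{2^{2b}-1}{L} \rceil 2^{-2b}$ of the theorem. The Ed25519 constants ($2b = 512$ and the well-known subgroup order $L$) are supplied by the example to show the size of the loss for real parameters; they are not taken from this page.

```python
import math
from collections import Counter
from fractions import Fraction

# Ed25519 constants (well-known values supplied for this example, not from the page):
# 2b = 512-bit nonces and hash outputs, subgroup order L = 2^252 + 27742317777372353535851937790883648493.
ED25519_TWO_B = 512
ED25519_L = 2**252 + 27742317777372353535851937790883648493


def ceil_div(a, b):
    """ceil(a / b) for non-negative integers, without floating point."""
    return -(-a // b)


def residue_counts(two_b, L):
    """How often each residue r' mod L arises when r' is uniform in {0,1}^{2b}.
    Exhaustive enumeration, so only usable for constructed toy parameters."""
    return Counter(r % L for r in range(2**two_b))


def min_entropy_bruteforce(two_b, L):
    """Return (p_max, H_inf): the probability of the most likely residue, i.e. of the
    most likely commitment R = r'B, and its min-entropy -log2(p_max), computed exactly."""
    counts = residue_counts(two_b, L)
    p_max = Fraction(max(counts.values()), 2**two_b)
    return p_max, -math.log2(p_max)


def p_max_formula(two_b, L):
    """The proof's bound on the most likely commitment: ceil((2^{2b}-1)/L) / 2^{2b}."""
    return Fraction(ceil_div(2**two_b - 1, L), 2**two_b)


def bad_event_bound(q_s, q_h, two_b, L):
    """Pr[bad] <= q_S * q_H * ceil((2^{2b}-1)/L) / 2^{2b}: the additive loss in the theorem."""
    return q_s * q_h * p_max_formula(two_b, L)


def log2_bad_event_bound(q_s, q_h, two_b, L):
    """log2 of the same bound, computed on integers so it works for 512-bit parameters."""
    return math.log2(q_s * q_h * ceil_div(2**two_b - 1, L)) - two_b


if __name__ == "__main__":
    for two_b, L in ((10, 1019), (8, 13)):   # constructed toy parameters
        p_max, h_inf = min_entropy_bruteforce(two_b, L)
        print(f"2b={two_b} L={L}: p_max={p_max} (formula {p_max_formula(two_b, L)}), "
              f"min-entropy={h_inf:.3f} bits")
    print("Ed25519, one sign and one hash query: log2(loss) =",
          round(log2_bad_event_bound(1, 1, ED25519_TWO_B, ED25519_L), 3))
```

With $2b = 10$ and $L = 1019$ the residues $0$ to $4$ occur twice and all others once, so the most likely commitment has probability $2/1024$ and the min-entropy is $9$ bits, one bit below the $10$ bits of the nonce. For Ed25519 the loss term is about $\oraclequeries \hashqueries \cdot 2^{-252}$: the bias of the reduced nonce costs essentially nothing beyond the $1/L$ probability of guessing $\groupelement{R}$ outright.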
\subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{EUF-CMA}_{\text{EdDSA lp}}$}

This section shows that the EUF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing in the random oracle model. The proof is very similar to the proof of the \cma security of EdDSA with strict parsing. The games are modified exactly as in the proof above; the only difference is the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins directly by showing the existence of an adversary $\adversary{B}$ that breaks EUF-NMA security. SUF-CMA security cannot be proved with lax parsing, because there may be multiple encodings of $S$ that map to the same $S \pmod L$: a new valid signature could then be forged from an old one simply by choosing a different encoding of $S$. In that case the output $H'(\encoded{R^*}|\encoded{A}|\m^*)$ would have been set by the reduction itself, so the forged signature would not be a valid signature for the EUF-NMA challenger.

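The simulation described in the proof overview of the previous subsection, together with the strict-parsing argument at the end of that proof and the lax-parsing remark in the paragraph above, as an added worked example that is not part of the original text or of \cite{SP:BCJZ21}: it instantiates a Schnorr/EdDSA-style scheme over a constructed toy group (the order-$1019$ subgroup of $\mathbb{Z}_{2039}^*$, written multiplicatively, so the paper's $S\groupelement{B} - \ch\groupelement{A}$ becomes $B^S \cdot A^{-\ch} \bmod p$) with SHA-256 standing in for the $2b$-bit hash, runs \simalg together with a programmable random oracle $H'$ that aborts on the $bad$ event, and checks that a strict verifier rejects the re-encoded response $S + L$ that a lax verifier accepts. All parameters, names and messages are constructed for the example; nothing here is Ed25519.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT Ed25519): the order-L subgroup of Z_p^* with
# p = 2L + 1, written multiplicatively, so the paper's S*B - ch*A is B^S * A^(-ch) mod p.
P = 2039            # prime
L = 1019            # prime order of the subgroup generated by B
B = 4               # a quadratic residue mod P, hence of order L
HASH_BITS = 256     # stands in for the 2b-bit hash output of EdDSA


def hash_to_int(R, A, m):
    """The 'real' hash H: SHA-256 over an encoding of (R, A, m), read as an integer."""
    data = R.to_bytes(2, "big") + A.to_bytes(2, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class ProgrammableRO:
    """H' as used by the reduction: a table that falls back to H when unprogrammed."""
    def __init__(self):
        self.table = {}

    def query(self, R, A, m):
        key = (R, A, m)
        if key not in self.table:          # not set by the reduction: forward to H
            self.table[key] = hash_to_int(R, A, m)
        return self.table[key]

    def program(self, R, A, m, ch):
        key = (R, A, m)
        if key in self.table:              # the 'bad' event of G_1..G_3: abort
            raise RuntimeError("bad: hash input already queried, cannot program")
        self.table[key] = ch


def keygen():
    s = secrets.randbelow(L - 1) + 1       # private scalar
    return s, pow(B, s, P)                 # (s, A = sB)


def sign(s, A, m, ro):
    """Honest signing: R = rB, ch = H(R|A|m), S = r + ch*s mod L."""
    r = secrets.randbelow(L)
    R = pow(B, r, P)
    ch = ro.query(R, A, m)
    return R, (r + ch * s) % L


def simulate_sign(A, m, ro):
    """Sim(A) from the paper plus RO programming: a valid signature without the private key."""
    ch = secrets.randbits(HASH_BITS)                     # random challenge
    S = secrets.randbits(HASH_BITS) % L                  # random response, reduced mod L
    R = pow(B, S, P) * pow(A, -ch, P) % P                # R = S*B - ch*A
    ro.program(R, A, m, ch)                              # H'(R|A|m) := ch
    return R, S


def verify(A, m, R, S, ro, strict=True):
    """Strict parsing rejects S outside [0, L); lax parsing silently reduces it."""
    if strict and not 0 <= S < L:
        return False
    ch = ro.query(R, A, m)
    return pow(B, S % L, P) == R * pow(A, ch, P) % P    # S*B == R + ch*A


def demo():
    """Named checks on one honest and one simulated signature; every value should be True."""
    ro = ProgrammableRO()
    s, A = keygen()
    m = b"constructed message"
    R, S = sign(s, A, m, ro)
    m2 = b"another constructed message"
    R2, S2 = simulate_sign(A, m2, ro)
    return {
        "honest_verifies": verify(A, m, R, S, ro),
        "simulated_verifies": verify(A, m2, R2, S2, ro),
        "lax_accepts_S_plus_L": verify(A, m, R, S + L, ro, strict=False),
        "strict_rejects_S_plus_L": not verify(A, m, R, S + L, ro, strict=True),
    }


def bad_event_aborts():
    """The reduction must abort if the adversary already queried H' on (R|A|m)."""
    ro = ProgrammableRO()
    ro.query(1, 2, b"x")                   # constructed input, queried first
    try:
        ro.program(1, 2, b"x", 5)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("bad event aborts:", bad_event_aborts())
```

The last two checks in `demo` are the page's strict-versus-lax point in executable form: with lax parsing $(R, S + L)$ is a second valid signature on the same message, which breaks strong unforgeability without giving the reduction a hash query it did not program itself; with strict parsing the response is unique for each $(R, \m)$ and the malleable re-encoding is rejected.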
\begin{theorem}[\cite{SP:BCJZ21}]
\label{theorem:adv2_uf-nma}
Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries \lceil \frac{2^{2b} - 1}{L} \rceil}{2^{2b}}. \]
\end{theorem}

\paragraph{\underline{Formal Proof}}

\begin{proof}
\item The games $G_0$ to $G_3$ are modified exactly as in the proof of theorem~\ref{theorem:adv_uf-nma}, with the winning condition $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$, so it remains to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\prone{G_3^{\adversary{A}}} = \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter). \label{eq:adv2_uf-nma}
\end{align}

\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A} | \m] \assign \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $\pset{Q} \assign \pset{Q} \cup \{\m\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}
\Statex \underline{\oracle $H'(\m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
\State \quad $\sum[\m] \assign H(\m)$
\State \Return $\sum[\m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{EUF-NMA}$}
\label{fig:adversary_b_suf-nma}
\end{figure}

To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{EUF-NMA}$ that simulates the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure~\ref{fig:adversary_b_suf-nma}, is run in the $\text{EUF-NMA}$ game and simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the EUF-NMA challenger whenever they were not set by the reduction itself.

Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|\m^*) \groupelement{A}$. Because we are in the EUF-CMA setting, the adversary $\adversary{A}$ is required to provide a signature for a message $\m^*$ for which it has not requested a signature from the \Osign oracle. Since no signature for $\m^*$ was requested from the \Osign oracle, the output of $H'(\encoded{R^*}|\encoded{A}|\m^*)$ was not set by $\adversary{B}$, but must have been forwarded from the hash oracle $H$. For this reason, $H'(\encoded{R^*}|\encoded{A}|\m^*) = H(\encoded{R^*}|\encoded{A}|\m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|\m^*) \groupelement{A}\\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|\m^*) \groupelement{A}.
\end{align*}

This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the EUF-NMA game.

\item Since the adversary $\adversary{B}$ is the same as in the proof above, its runtime is roughly the same as the runtime of $\adversary{A}$, for the same reasons.

\item This proves theorem~\ref{theorem:adv2_uf-nma}.
\end{proof}