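\documentclass{beamer}
% --- Title-page metadata -------------------------------------------------
\title{A formal Security Analysis of the EdDSA Signature Scheme}
\author{Aaron Kaiser}
\institute{Fakultät für Informatik}
\date{2023}
\usetheme[alternativetitlepage=bild]{Rub}
\titlegraphic{curve.png}
% --- Packages ------------------------------------------------------------
% Pseudocode for the security games (\State, \Statex, \Return, \BeginBox/\EndBox).
\usepackage[noend]{algpseudocodex}
\usepackage{xcolor}      % \textcolor for game-hop highlighting
\usepackage{tikz}
\usepackage{multicol}    % side-by-side game / oracle listings
\usepackage{tabularx}    % parameter tables
\usepackage[parfill]{parskip}
\usepackage{float}
\usepackage{xspace}
\usepackage{mathtools}   % loads amsmath: \text, \operatorname, display environments
\usepackage[normalem]{ulem}
% --- Shared notation -----------------------------------------------------
% The notation macros (\keygen, \sign, \verify, \advantage, ...) are shared
% with the thesis.  Use \input here: \include is meant for chapter-level
% files (it issues \clearpage and writes a separate .aux file) and is not
% intended for pulling a macro file into the preamble.
\input{../thesis/macros}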
\begin{document}
\frame{\titlepage}
\begin{frame}
\frametitle{Outline}
\begin{enumerate}
\item Overview
\item Motivation
\item Related work
\item Preliminaries
\item The EdDSA signature scheme
\item Single- and multi-user proofs for EdDSA
\item GGM proofs of the underlying assumptions
\item Concrete security
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{Overview}
\framesubtitle{What is this thesis about?}
\begin{enumerate}
\item Providing a tight security proof for the EdDSA signature scheme
\item Showing the security level of concrete instantiations of EdDSA
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{Overview}
\framesubtitle{Results}
Results of this thesis:
\begin{enumerate}
\item EdDSA is tightly secure under the Ed-DLog assumption in the single-user setting
\item EdDSA is tightly secure under the N-Ed-DLog-Reveal assumption in the multi-user setting
\item \textcolor{gray}{Ed25519 provides 125/124 bits of security in the single/multi-user setting}
\item \textcolor{gray}{Ed448 provides 221/220 bits of security in the single/multi-user setting}
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{Overview}
\framesubtitle{Results}
Results of this thesis:
\begin{enumerate}
\item EdDSA is tightly secure under the Ed-DLog assumption in the single-user setting
\item EdDSA is tightly secure under the N-Ed-DLog-Reveal assumption in the multi-user setting
\item Ed25519 provides 125/124 bits of security in the single/multi-user setting
\item Ed448 provides 221/220 bits of security in the single/multi-user setting
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{Motivation}
EdDSA is everywhere...
\includegraphics[scale=0.9]{images/signal.png}
\includegraphics[scale=0.1]{images/whatsapp.png}
\includegraphics[scale=0.1]{images/wireguard.png}
\includegraphics[scale=0.05]{images/SSH.png}
\includegraphics[scale=0.1]{images/FIDO_logo_black_RGB.png}
\end{frame}
\begin{frame}
\frametitle{Motivation}
No existing tight security proof since publication in 2015
\end{frame}
\begin{frame}
\frametitle{Related Work}
\begin{itemize}
\item Brendel et al. 2021 \cite{SP:BCJZ21}: First security proof for Ed25519
\item Chalkias et al. 2020 \cite{EPRINT:ChaGarNik20}: Analysis of different EdDSA implementations
\item Fuchsbauer et al. 2020 \cite{EC:FucPloSeu20}: Tight security proof for Schnorr Signatures using AGM
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Security Notions}
\framesubtitle{Digital Signature Scheme}
\begin{definition}
A digital signature scheme SIG = (\keygen,\sign,\verify) is a tuple of algorithms.
\begin{itemize}
\item \textbf{\keygen}: The key generation algorithm, which upon receiving the security parameter as input outputs a matching pair of public and private keys.
\item \textbf{\sign}: The signature algorithm, which upon receiving a secret key and a message, outputs a signature for that message.
\item \textbf{\verify}: The verification algorithm, which upon receiving a public key, a message and a signature, outputs $1$ if the signature gets accepted and $0$ otherwise.
\end{itemize}
For the digital signature scheme to be correct, it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$
\end{definition}
\end{frame}
\begin{frame}
\frametitle{Security Notions}
\framesubtitle{$N\text{-MU-EUF-CMA}$}
\begin{figure}[h]
\hrule
\normalsize
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game $N\text{-MU-EUF-CMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, \dots, \pubkey_N)$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*) \notin M$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\oracle \Osign($i \in \{1,2,\dots,N\}$, $\m \in \messagespace$)}
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $M \assign M \cup \{(\pubkey_i, \m)\}$
\State \Return $\signature$
\end{algorithmic}
\hrule
\caption{$N$-MU-EUF-CMA Security Game}
\label{game:mu-euf-cma}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Security Notions}
\framesubtitle{$N\text{-MU-SUF-CMA}$}
\begin{figure}[h]
\hrule
\normalsize
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game $N\text{-MU-SUF-CMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, \dots, \pubkey_N)$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\oracle \Osign($i \in \{1,2,\dots,N\}$, $\m \in \messagespace$)}
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\hrule
\caption{$N$-MU-SUF-CMA Security Game}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Security Notions}
\framesubtitle{$N\text{-MU-EUF-NMA}$}
\begin{figure}[h]
\hrule
\vspace{1mm}
\begin{algorithmic}
\State \underline{\game $N\text{-MU-EUF-NMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey_1, \pubkey_2, \dots, \pubkey_N)$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
\end{algorithmic}
\hrule
\caption{$N$-MU-EUF-NMA Security Game}
\label{game:mu-uf-nma}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Random Oracle Model (ROM)}
\begin{itemize}
\item Hash functions are modeled as public oracle
\item Oracle behaves like a true random function
\item Challenger can observe all inputs
\item Challenger can program the random oracle
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Algebraic Group Model (AGM)}
\begin{itemize}
\item The adversary has to provide, for every group element it outputs, a representation in terms of the group elements it has received
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Generic Group Model (GGM)}
\begin{itemize}
\item GGM hides all group-specific representation of group elements
\item Adversary works with random labels instead of actual group elements
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Standards}
\begin{itemize}
\item Paper by Bernstein et al. \cite{CHES:BDLSY11,EPRINT:BJLSY15}
\item RFC 8032 \cite{josefsson_edwards-curve_2017}
\item FIPS 186-5 \cite{moody_digital_2023}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\begin{table}
\small
\begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Description} \\
\hline
$q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\mathbb{F}_{q}$. \\
$b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\
$Enc(\inp)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\
$H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\
$c$ & The cofactor of the twisted Edwards curve. \\
$n$ & The number of bits used for the secret scalar of the public key. \\
$a, d$ & The curve parameters of the twisted Edwards curve. \\
$\groupelement{B}$ & A generator point of the prime order subgroup of $E$. \\
$L$ & The order of the prime order subgroup. \\
$H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure.
\end{tabularx}
\caption{Parameters of the EdDSA signature scheme}
\end{table}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\begin{table}
\small
\begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Description} \\
\hline
$b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\
$H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\
$c$ & The cofactor of the twisted Edwards curve. \\
$n$ & The number of bits used for the secret scalar of the public key. \\
$\groupelement{B}$ & A generator point of the prime order subgroup of $E$. \\
$L$ & The order of the prime order subgroup. \\
\end{tabularx}
\caption{Parameters of the EdDSA signature scheme}
\end{table}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\begin{algorithmic}
\State \underline{\textbf{\keygen}}
\State $k \randomsample \{0,1\}^b$
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State \Return (\encoded{$A$}, $k$)
\end{algorithmic}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\begin{algorithmic}
\Statex \underline{\textbf{\sign}($k$, $m$)}
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $\ch \assign H(\encoded{R} | \encoded{A} | m)$
\State $S \assign (r + \ch \cdot s) \pmod L$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\begin{algorithmic}
\Statex \underline{\textbf{\sign}($k$, $m$)}
\BeginBox[draw=red]
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\Comment{Recover secret scalar}
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\EndBox
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $\ch \assign H(\encoded{R} | \encoded{A} | m)$
\State $S \assign (r + \ch \cdot s) \pmod L$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\begin{algorithmic}
\Statex \underline{\textbf{\sign}($k$, $m$)}
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\BeginBox[draw=red]
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\Comment{Calculate commitment}
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\EndBox
\State $\ch \assign H(\encoded{R} | \encoded{A} | m)$
\State $S \assign (r + \ch \cdot s) \pmod L$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\begin{algorithmic}
\Statex \underline{\textbf{\sign}($k$, $m$)}
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\BeginBox[draw=red]
\State $\ch \assign H(\encoded{R} | \encoded{A} | m)$
\Comment{Calculate challenge}
\EndBox
\State $S \assign (r + \ch \cdot s) \pmod L$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\begin{algorithmic}
\Statex \underline{\textbf{\sign}($k$, $m$)}
\State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $\ch \assign H(\encoded{R} | \encoded{A} | m)$
\BeginBox[draw=red]
\State $S \assign (r + \ch \cdot s) \pmod L$
\Comment{Calculate response}
\EndBox
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\begin{algorithmic}
\Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)}
\State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$
\end{algorithmic}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\framesubtitle{Signature Parsing}
\begin{itemize}
\item Strict parsing: Reject all bitstring representations of $S \geq L$
\item Lax parsing: Allow all bitstring representations of $S$ and work with $S \pmod L$
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The EdDSA Signature Scheme}
\framesubtitle{Encoding of Group Elements}
\begin{itemize}
\item The decoding function ensures that the point is on the curve
\item Multiple bitstrings might map to the same point on the curve
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The EdDSA' Signature Scheme}
\begin{figure}
\hrule
\begin{multicols}{2}
\scriptsize
\begin{algorithmic}
\Statex \underline{\textbf{\keygen}}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State \Return (\encoded{$A$}, $k \assign (s, h_b | ... | h_{2b-1})$)
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\Statex \underline{\textbf{\sign}($k \assign (s, h_b | ... | h_{2b-1})$, $m$)}
\State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... | h_{2b-1} | m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\State \Return $\sigma \assign (\encoded{R}, S)$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Generic description of the algorithms \keygen and \sign used by the EdDSA' signature scheme}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{The EdDSA' Signature Scheme}
\begin{theorem}
\label{theorem:adveddsa'}
Let $\adversary{A}$ be an adversary against SUF-CMA security of the EdDSA signature scheme. Then
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) + \frac{2 (\hashqueries + 1)}{2^b}. \]
\end{theorem}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\begin{theorem}[Security of EdDSA with strict parsing in the single-user setting]
\label{theorem:eddsa_sp_su}
Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\begin{theorem}[Security of EdDSA with lax parsing in the single-user setting]
\label{theorem:eddsa_lp_su}
Let $\adversary{A}$ be an adversary against the EUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\[ \sdlog \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} \]
\[ \sdlog \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{EUF-CMA}_{\text{EdDSA lp}} \]
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\framesubtitle{$\text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} / \text{EUF-CMA}_{\text{EdDSA lp}}$}
\begin{theorem}[\cite{SP:BCJZ21}]
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\framesubtitle{$\text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}}$}
Proof Idea:
\begin{itemize}
\item Simulate signatures without private key
\begin{enumerate}
\item Choose commitment and solution uniformly at random
\item Calculate corresponding challenge
\item Program random oracle to output that challenge for the signature
\end{enumerate}
\item Forward random oracle queries to the challenger
\item A valid signature forgery in the SUF-CMA game is also a valid forgery in the EUF-NMA game
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\framesubtitle{$\igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA}$}
\begin{figure}[h]
\hrule
\begin{multicols}{2}
\normalsize
\begin{algorithmic}
\Statex \underline{\game \igame}
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
\end{algorithmic}
\columnbreak
\begin{algorithmic}
\Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)}
\State $\ch_i \randomsample \{0,1\}^{2b}$
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$
\State \Return $\ch_i$
\end{algorithmic}
\end{multicols}
\hrule
\caption{\igame}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\framesubtitle{$\igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA}$}
\begin{theorem}
Let $\adversary{A}$ be an adversary against $\text{EUF-NMA}$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \]
\end{theorem}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\framesubtitle{$\igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA}$}
Proof Idea:
\begin{itemize}
\item Forward random oracle queries to the \ioracle oracle
\item A valid signature forgery provides a valid solution for \igame
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\framesubtitle{$\sdlog \overset{\text{AGM}}{\Rightarrow} \igame$}
\begin{figure}[h]
\hrule
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game \sdlog}
\State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $a' \randomassign \adversary{A}(\groupelement{A})$
\State \Return $a \test a'$
\end{algorithmic}
\vspace{1mm}
\hrule
\caption{\sdlog}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\framesubtitle{$\sdlog \overset{\text{AGM}}{\Rightarrow} \igame$}
\begin{theorem}
\label{theorem:advgamez}
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) + \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\end{frame}
\begin{frame}
\frametitle{Single-User Security}
\framesubtitle{$\sdlog \overset{\text{AGM}}{\Rightarrow} \igame$}
Proof Idea:
\begin{itemize}
\item The adversary provides a valid solution: $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$
\item The adversary also provides a representation: $\groupelement{R^*} = r_1 \groupelement{B} + r_2 \groupelement{A}$
\item Equating both and solving for $\groupelement{A}$ (when $r_2 + 2^c \ch^* \not\equiv 0 \pmod L$): $\groupelement{A} = (2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1} \groupelement{B}$
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Multi-User Security}
\begin{theorem}[Security of EdDSA with strict parsing in the multi-user setting]
Let $\adversary{A}$ be an adversary against the $N$-MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
\end{frame}
\begin{frame}
\frametitle{Multi-User Security}
\begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting]
\label{theorem:eddsa_lp_mu}
Let $\adversary{A}$ be an adversary against the MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem}
\end{frame}
\begin{frame}
\frametitle{Multi-User Security}
\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-\cma}_{\text{EdDSA sp}} \]
\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-CMA}_{\text{EdDSA lp}} \]
\end{frame}
\begin{frame}
\frametitle{Multi-User Security}
\framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \igame$}
\begin{figure}[h]
\hrule
\vspace{1mm}
\large
\begin{algorithmic}
\Statex \underline{\game \somdl}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\oracle $DL(j \in \{1,2,\dots,N\})$}
\Comment{at most one query}
\vspace{1mm}
\State \Return $\{a_i \mid i \in \{1,2,\dots,N\} \setminus \{j\}\}$
\end{algorithmic}
\vspace{1mm}
\hrule
\caption{\somdl}
\label{fig:somdl}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Multi-User Security}
\framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \igame$}
Proof Idea:
\begin{itemize}
\item Similar to single-user proof
\item Query the discrete logarithms of all challenge group elements except one, $\groupelement{A_i}$
\item Construct a representation $\groupelement{R^*} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$
\item Calculate discrete logarithm of $\groupelement{A_i}$
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{\sdlog}
\begin{theorem}
\label{theorem:sdlog_ggm}
Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, \dots, \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup, of order $L$. Let $\adversary{A}$ be a generic adversary making at most $\groupqueries$ group operation queries. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}}. \]
\end{theorem}
\end{frame}
\begin{frame}
\frametitle{\somdl}
\begin{theorem}
\label{theorem:somdl_ggm}
Let $n$, $N$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, \dots, \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup, of order $L$. Let $\adversary{A}$ be a generic adversary against \somdl receiving $N$ group elements as challenge and making at most $\groupqueries$ group operation queries. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}}. \]
\end{theorem}
\end{frame}
\begin{frame}
\begin{lemma}[Schwartz--Zippel lemma \cite{schwartz_fast_1980}]
Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X_1, \dots, X_n]$ be a non-zero polynomial of total degree $d \geq 0$ over the field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x_1, \dots, x_n$ be selected independently and uniformly at random from $S$. Then
\[ \Pr[P(x_1, \dots, x_n) = 0] \leq \frac{d}{|S|}. \]
\end{lemma}
\end{frame}
\begin{frame}
\begin{figure}[H]
\hrule
\tiny
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_0$} / \textcolor{blue}{$G_1$} /\textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\State \Return $\{a_i \mid i \in \{1,2,\dots,N\} \setminus \{j\}\}$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \pset{S}, b \in \{0,1\}$)}
\State \Return $Enc(\Sigma^{-1}[x] + (-1)^b \Sigma^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\textbf{Procedure} Enc($\groupelement{X} \in \curve$)}
\State \textbf{If } $\Sigma[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\Sigma[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(|\curve|) \rceil} \setminus \pset{S}$
\State \quad $\pset{S} \assign \pset{S} \cup \{\Sigma[\groupelement{X}]\}$
\State \Return $\Sigma[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_0$}
\end{figure}
\end{frame}
\begin{frame}
\begin{figure}[H]
\hrule
\tiny
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_0$} / \textcolor{blue}{$G_1$} /\textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\BeginBox[draw=blue]
\State \quad $\groupelement{A_i} \assign (a_i, 0, ..., 0)$
\EndBox
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\State \Return $\{a_i \mid i \in \{1,2,\dots,N\} \setminus \{j\}\}$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \pset{S}, b \in \{0,1\}$)}
\State \Return $Enc(\Sigma^{-1}[x] + (-1)^b \Sigma^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\BeginBox[draw=blue]
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L} \times \field{\operatorname{ord}(E_2)} \times \dots \times \field{\operatorname{ord}(E_m)}$)}
\EndBox
\State \textbf{If } $\Sigma[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\Sigma[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(|\curve|) \rceil} \setminus \pset{S}$
\State \quad $\pset{S} \assign \pset{S} \cup \{\Sigma[\groupelement{X}]\}$
\State \Return $\Sigma[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_1$}
\end{figure}
\end{frame}
\begin{frame}
\begin{figure}[H]
\hrule
\tiny
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_0$} / \textcolor{blue}{$G_1$} /\textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\BeginBox[draw=red]
\State \quad $P_i \assign Z_i$
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
\EndBox
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\State \Return $\{a_i \mid i \in \{1,2,\dots,N\} \setminus \{j\}\}$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \pset{S}, b \in \{0,1\}$)}
\State \Return $Enc(\Sigma^{-1}[x] + (-1)^b \Sigma^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\BeginBox[draw=red]
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,\dots,Z_N] \times \field{\operatorname{ord}(E_2)} \times \dots \times \field{\operatorname{ord}(E_m)}$)}
\State Let $\groupelement{X} = (P, x_2, \dots, x_m)$
\State $\pset{P} \assign \pset{P} \cup \{P\}$
\State $\groupelement{X} \assign (P(\overset{\rightharpoonup}{a}), x_2, \dots, x_m)$
\EndBox
\State \textbf{If } $\Sigma[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\Sigma[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(|\curve|) \rceil} \setminus \pset{S}$
\State \quad $\pset{S} \assign \pset{S} \cup \{\Sigma[\groupelement{X}]\}$
\State \Return $\Sigma[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_2$}
\end{figure}
\end{frame}
\begin{frame}
\begin{figure}[H]
\hrule
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\BeginBox[draw=green]
\State \textbf{for } $P_i \in \pset{P}$
\Comment{$G_3$}
\State \quad Let $P_i = R_i + S_i, R_i \in \field{L}[Z_1,\dots,Z_{j-1},Z_{j+1},\dots,Z_N], S_i \in \field{L}[Z_j]$
\State \quad $\pset{R} \assign \pset{R} \cup \{R_i\}$
\State \textbf{if } $\exists R_k, R_l \in \pset{R}: R_k(\overset{\rightharpoonup}{a}) = R_l(\overset{\rightharpoonup}{a}) \wedge R_k \neq R_l$
\State \quad $\mathit{bad}_1 \assign \mathit{true}$
\BeginBox[draw=orange,dashed]
\State \quad abort
\Comment{$G_4$}
\EndBox
\State \textbf{for } $P_i \in \pset{P}$
\State \quad $\Sigma[R_i(\overset{\rightharpoonup}{a}) + S_i] \assign \Sigma[P_i]$
\State \quad $P_i \assign R_i(\overset{\rightharpoonup}{a}) + S_i$
\EndBox
\State \Return $\{a_i \mid i \in \{1,2,\dots,N\} \setminus \{j\}\}$
\end{algorithmic}
\vspace{2mm}
\hrule
\caption{$G_3$--$G_4$}
\end{figure}
\end{frame}
\begin{frame}
\begin{figure}[H]
\hrule
\tiny
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_4$} / \textcolor{blue}{$G_5$} /\textcolor{red}{$G_6$} / \textcolor{green}{$G_7$} / \textcolor{orange}{$G_8$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State \quad $P_i \assign Z_i$
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\BeginBox[draw=blue]
\State \textbf{if } $\exists P_i, P_j \in \pset{P}: P_i(\overset{\rightharpoonup}{a}) = P_j(\overset{\rightharpoonup}{a}) \wedge P_i \neq P_j$
\Comment{$G_5$}
\State \quad $bad_2 \assign true$
\BeginBox[draw=red,dashed]
\State \quad abort
\Comment{$G_6$}
\EndBox
\EndBox
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\State ...
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,...,Z_N] \times \field{ord(E_2)} \times ... \times \field{ord(E_n)}$)}
\State Let $X = (P, x_2, ..., x_n)$
\State $\pset{P} = \pset{P} \cup \{P\}$
\State $X \assign (P(\overset{\rightharpoonup}{a}), x_2, ..., x_n)$
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(|\curve|) \rceil} \backslash \pset{S}$
\State \quad $\mathbf{S} \assign \pset{S} \cup \{\sum[X]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_5 - G_6$}
\end{figure}
\end{frame}
\begin{frame}
\begin{figure}[H]
\hrule
\tiny
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_4$} / \textcolor{blue}{$G_5$} / \textcolor{red}{$G_6$} / \textcolor{green}{$G_7$} / \textcolor{orange}{$G_8$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State \quad $P_i \assign Z_i$
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\State \textbf{if } $\exists P_i, P_j \in \pset{P}: P_i(\overset{\rightharpoonup}{a}) = P_j(\overset{\rightharpoonup}{a}) \wedge P_i \neq P_j$
\State \quad $bad_2 \assign true$
\State \quad abort
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\State ...
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,...,Z_N] \times \field{ord(E_2)} \times ... \times \field{ord(E_n)}$)}
\State Let $X = (P, x_2, ..., x_n)$
\State $\pset{P} = \pset{P} \cup \{P\}$
\State \sout{$X \assign (P(\overset{\rightharpoonup}{a}), x_2, ..., x_n)$}
\State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then}
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(|\curve|) \rceil} \backslash \pset{S}$
\State \quad $\mathbf{S} \assign \pset{S} \cup \{\sum[X]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_7$}
\end{figure}
\end{frame}
\begin{frame}
\begin{figure}[H]
\hrule
\tiny
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_4$} / \textcolor{blue}{$G_5$} / \textcolor{red}{$G_6$} / \textcolor{green}{$G_7$} / \textcolor{orange}{$G_8$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad \sout{$a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$}
\State \quad $P_i \assign Z_i$
\State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$
\BeginBox[draw=orange]
\State \textbf{for } $i \in \{1,2,...,N\}$
\State \quad \textbf{if } $a_i = \bot$
\State \qquad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\EndBox
\State \textbf{if } $\exists P_i, P_j \in \pset{P}: P_i(\overset{\rightharpoonup}{a}) = P_j(\overset{\rightharpoonup}{a}) \wedge P_i \neq P_j$
\State \quad $bad_2 \assign true$
\State \quad abort
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
\BeginBox[draw=orange]
\State \textbf{for } $i \in \{1,2,...,N\} \backslash \{j\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\EndBox
\State ...
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)}
\State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,...,Z_N] \times \field{ord(E_2)} \times ... \times \field{ord(E_n)}$)}
\State ...
\end{algorithmic}
\hrule
\caption{$G_8$}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Concrete Security}
\begin{definition}[Success Ratio \cite{AC:HofJagKil11}]
Let $\adversary{A}$ be an adversary with runtime $Time(\adversary{A})$ and advantage $\advantage{\adversary{A}}{}$. Its success ratio is defined as follows:
\[ SR(\adversary{A}) = \frac{\advantage{\adversary{A}}{}}{Time(\adversary{A})}. \]
\end{definition}
\begin{definition}[Bit Security \cite{AC:HofJagKil11}]
A cryptographic scheme has $\kappa$-bit security if the success ratio of every adversary $\adversary{A}$ with runtime $Time(\adversary{A}) \leq 2^\kappa$ is upper bounded by $2^{-\kappa}$.
\end{definition}
\end{frame}
\begin{frame}
\frametitle{Concrete Security}
\framesubtitle{Ed25519}
\begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{Time(\adversary{A})} \\
&\leq \frac{(2^{125} + 3)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64}}{2^{252} 2^{125}} \\
&\approx 2^{-125} + 2^{-316} + 2^{-189} \\
&\approx 2^{-125}
\end{align*}
\end{frame}
\begin{frame}
\huge
\centering
\textbf{Thank you!}\\
Questions?
\end{frame}
\begin{frame}
\bibliographystyle{ieeetr}
\bibliography{../thesis/cryptobib/abbrev0,../thesis/cryptobib/crypto,../thesis/citation}
\end{frame}
\end{document}