144 lines
8.2 KiB
TeX
144 lines
8.2 KiB
TeX
\subsection{\somdl $\Rightarrow$ MU-\igame (AGM)}
|
|
|
|
This section shows that \somdl implies MU-\igame using the Algebraic Group Model. The section starts by introducing a special variant of the one-more discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof.
|
|
|
|
\paragraph{\underline{Introducing \sdlog}} Similar to \sdlog being a variant of the discrete logarithm problem the \somdl is a variant of the one-more discrete logarithm problem which represents the special distribution of secret keys resulting from the key generation algorithm of the EdDSA signature scheme. The only difference to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} is that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ which represents all valid secret scalars regarding the key generation algorithm. A lower bound on the hardness of the \sdlog problem is further analyzed in section \ref{sec:somdl}. The \somdl game is depicted in figure \ref{fig:somdl}.
|
|
|
|
\begin{definition}[\somdl]
|
|
Let $n$ and $N$ be positive integer. For an adversary $\adversary{A}$ we define its advantage in the \somdl game as following:
|
|
|
|
\[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] | \].
|
|
\end{definition}
|
|
|
|
\begin{figure}
|
|
\hrule
|
|
\vspace{1mm}
|
|
\large
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game \somdl}
|
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
|
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8 \}$
|
|
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
|
\State $I \assign 0$
|
|
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
|
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N) \wedge I < N$
|
|
\end{algorithmic}
|
|
\vspace{2mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$}
|
|
\State $I \assign I + 1$
|
|
\State \Return $a_i$
|
|
\end{algorithmic}
|
|
\vspace{1mm}
|
|
\hrule
|
|
\caption{\somdl}
|
|
\label{fig:somdl}
|
|
\end{figure}
|
|
|
|
\begin{theorem}
|
|
\label{theorem:adv_omdl'}
|
|
Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
|
|
|
|
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) - \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
|
\end{theorem}
|
|
|
|
\paragraph{\underline{Proof Overview}} In the multi-user setting the adversary gets access to not only the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but rather a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. For this reason the representation of a group element, the adversary has to provide looks the following: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms it is not possible to directly calculate the discrete logarithm of one of the public keys given a valid forgery of a signature. Upon receiving a valid solution the \textit{DL} oracle can be used to get the discrete logarithm of all the public keys except the one for which the solution is valid. This way it again possible to construct a representation looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$. Then it is again possible to calculate the discrete logarithm of $\groupelement{A_i}$ and win the \somdl game.
|
|
|
|
\paragraph{\underline{Formal Proof}}
|
|
|
|
% TODO: clarify encoding of c
|
|
\begin{figure}
|
|
\hrule
|
|
\large
|
|
\vspace{1mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
|
|
\State \textbf{for} $i \in \{1,2,...,N\}$
|
|
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
|
|
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
|
|
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
|
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A_i})$
|
|
\end{algorithmic}
|
|
\vspace{2mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)}
|
|
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
|
|
\State $\ch \randomsample \{0,1\}^{2b}$
|
|
\BeginBox[draw=blue]
|
|
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch \equiv -r_i \pmod L$ \textbf{then}
|
|
\Comment{$G_1 - G_2$}
|
|
\State \quad $bad \assign true$
|
|
\BeginBox[draw=red,dashed]
|
|
\State \quad $abort$
|
|
\Comment{$G_2$}
|
|
\EndBox
|
|
\EndBox
|
|
\State $Q \assign Q \cup \{ (\groupelement{R}, \ch) \}$
|
|
\State \Return $\ch$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{Games $G_0 - G_2$}
|
|
\label{fig:omdl'_implies_mu-igame}
|
|
\end{figure}
|
|
|
|
\begin{proof}
|
|
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:omdl'_implies_mu-igame} by excluding all boxes and $G_0$ be MU-\igame. By definition,
|
|
|
|
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
|
|
|
|
\item \paragraph{\underline{$G_1$:}} TODO %TODO
|
|
|
|
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
|
|
|
|
\item \paragraph{\underline{$G_2:$}} TODO %TODO
|
|
|
|
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
|
|
|
|
\item Finally, Game $G_2$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
|
|
|
|
\begin{align}
|
|
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) \label{eq:adv_omdl'}
|
|
\end{align}.
|
|
|
|
\begin{figure}
|
|
\hrule
|
|
\large
|
|
\vspace{1mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
|
|
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
|
|
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in Q, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A_i})$ \textbf{then}
|
|
\State \quad $abort$
|
|
\State Let $\groupelement{R^*} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
|
|
\State $r^* \assign r_1$
|
|
\State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$
|
|
\State \quad $a_j \assign \textit{DL}(\groupelement{A_j})$
|
|
\Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
|
|
\State \quad $r^* \assign r^* + a_j$
|
|
\State Let $R^* = r^* \groupelement{B} + r_i \groupelement{A_i}$
|
|
\State $a_i \assign (2^c s^* - r^*)(r_i + 2^c \ch^*)^{-1}$
|
|
\State \Return $(a_1, a_2, ..., a_N)$
|
|
\end{algorithmic}
|
|
\vspace{2mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \ioracle($\agmgroupelement{R_i}{r_i} \in \group{G}$)}
|
|
\State Let $\groupelement{R}_i = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
|
|
\State $\ch_i \randomsample \{0,1\}^{2b}$
|
|
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch_i \equiv -r_i \pmod L$ \textbf{then}
|
|
\State \quad $bad \assign true$
|
|
\State \quad $abort$
|
|
\State $Q \assign Q \cup \{ (\groupelement{R}_i, \ch_i) \}$
|
|
\State \Return $\ch_i$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{Adversary $\adversary{B}$ breaking \somdl}
|
|
\label{fig:adversary_omdl'}
|
|
\end{figure}
|
|
|
|
To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
|
|
|
|
Finally, consider $\adversary{A}$'s output $s^*$. TODO %TODO:
|
|
|
|
|
|
\item This proves theorem \ref{theorem:adv_omdl'}.
|
|
\end{proof} |