2023-04-16
Cait-Sith Security (4): Signing
For the sake of simplicity, we use a simpler key generation
and triple protocol as ideal functionalities,
to isolate the analysis of our presignature and signature protocols.
Presigning
Definition (Presignatures):
P [ Presign ] P i ( 1 ) Presign i τ ( ) : ‾ ( a i , b i , c i , A , B , C ) ← Triple i ( τ , 0 ) ( ) ( k i , d i , kd i , K , D , KD ) ← Triple i ( τ , 1 ) ( ) ↱ i τ ( ⋆ , λ ( P ) ⋅ kd i , 1 ) ↱ i τ ( ⋆ , λ ( P ) ⋅ ( k i + a i ) , 2 ) ↱ i τ ( ⋆ , λ ( P ) ⋅ ( x i + b i ) , 3 ) kd _ ∙ ↰ i τ ( ⋆ , 1 ) ka _ ∙ ↰ i τ ( ⋆ , 2 ) xb _ ∙ ↰ i τ ( ⋆ , 3 ) kd ← ∑ j kd j if kd ⋅ G ≠ KD : stop ( ⋆ , 1 ) ka ← ∑ j ka j if ka ⋅ G ≠ K + A : stop ( ⋆ , 2 ) xb ← ∑ j xb j if xb ⋅ G ≠ X + B : stop ( ⋆ , 3 ) R ← 1 kd ⋅ D σ i ← ka ⋅ x i − xb ⋅ a i + c i return ( X , x i , R , k i , σ i ) F [ Setup ] f ← $ F q [ X ] _ ≤ t − 1 Key i ( ) : ‾ return ( f ( 0 ) ⋅ G , f ( i ) ) ⊗ F [ Triple ] f A , τ , f B , τ ← $ F q [ X ] _ ≤ t − 1 f C , τ ← $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = f A , τ ( 0 ) ⋅ f B , τ } Triple i τ ( ) : ‾ ( a i , b i , c i ) ← ( f A , τ ( i ) , f B , τ ( i ) , f C , τ ( i ) ) ( A , B , C ) ← ( f A , τ ( 0 ) ⋅ G , f B , τ ( 0 ) ⋅ G , f C , τ ( 0 ) ⋅ G ) return ( a i , b i , c i , A , B , C ) ⊗ F [ Triple ] ⊗ F [ SyncComm ] N ⊚ F [ Stop ] Leakage : = { stop } \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{Presign}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Presign}_i^\tau():
}\cr
&\enspace
(a_i, b_i, c_i, A, B, C) \gets \text{Triple}_i^{(\tau, 0)}()
\cr
&\enspace
(k_i, d_i, \text{kd}_i, K, D, \text{KD}) \gets \text{Triple}_i^{(\tau, 1)}()
\cr
&\enspace
\Rsh^\tau_i(\star, \lambda(\mathcal{P}) \cdot \text{kd}_i, 1)
\cr
&\enspace
\Rsh^\tau_i(\star, \lambda(\mathcal{P}) \cdot (k_i + a_i), 2)
\cr
&\enspace
\Rsh^\tau_i(\star, \lambda(\mathcal{P}) \cdot (x_i + b_i), 3)
\cr
&\enspace\cr
&\enspace
\text{kd}\_\bullet \Lsh^\tau_i(\star, 1)
\cr
&\enspace
\text{ka}\_\bullet \Lsh^\tau_i(\star, 2)
\cr
&\enspace
\text{xb}\_\bullet \Lsh^\tau_i(\star, 3)
\cr
&\enspace
\text{kd} \gets \sum_j \text{kd}_j
\cr
&\enspace
\texttt{if } \text{kd} \cdot G \neq \text{KD}:\enspace\texttt{stop}(\star, 1)
\cr
&\enspace
\text{ka} \gets \sum_j \text{ka}_j
\cr
&\enspace
\texttt{if } \text{ka} \cdot G \neq K + A:\enspace\texttt{stop}(\star, 2)
\cr
&\enspace
\text{xb} \gets \sum_j \text{xb}_j
\cr
&\enspace
\texttt{if } \text{xb} \cdot G \neq X + B:\enspace\texttt{stop}(\star, 3)
\cr
&\enspace\cr
&\enspace
R \gets \frac{1}{\text{kd}} \cdot D
\cr
&\enspace
\sigma_i \gets \text{ka} \cdot x_i - \text{xb} \cdot a_i + c_i
\cr
&\enspace
\texttt{return } (X, x_i, R, k_i, \sigma_i)
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{Setup}]$
}\cr
\cr
&f \xleftarrow{\$} \mathbb{F}_q[X]\_{\leq t - 1}\cr
\cr
&\underline{
\text{Key}_i():
}\cr
&\enspace
\texttt{return } (f(0) \cdot G, f(i))
\cr
\end{aligned}
}
}\cr
\otimes\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{Triple}]$
}\cr
\cr
&f^{A, \tau}, f^{B, \tau} \xleftarrow{\$} \mathbb{F}_q[X]\_{\leq t - 1}\cr
&f^{C, \tau} \xleftarrow{\$} \{ f \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f(0) = f^{A, \tau}(0) \cdot f^{B, \tau} \}
\cr
\cr
&\underline{
\text{Triple}_i^\tau():
}\cr
&\enspace
(a_i, b_i, c_i) \gets
(f^{A, \tau}(i), f^{B, \tau}(i), f^{C, \tau}(i))
\cr
&\enspace
(A, B, C) \gets (f^{A, \tau}(0) \cdot G, f^{B, \tau}(0) \cdot G, f^{C, \tau}(0) \cdot G)
\cr
&\enspace
\texttt{return } (a_i, b_i, c_i, A, B, C)
\cr
\end{aligned}
}
}\cr
\otimes\cr
F[\text{Triple}]\cr
\otimes\cr
F[\text{SyncComm}]^{\mathbb{N}}\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}\}
\end{matrix}
} P [ P r e s i g n ] P i ( 1 ) P r e s i g n i τ ( ) : ( a i , b i , c i , A , B , C ) ← T r i p l e i ( τ , 0 ) ( ) ( k i , d i , k d i , K , D , K D ) ← T r i p l e i ( τ , 1 ) ( ) ↱ i τ ( ⋆ , λ ( P ) ⋅ k d i , 1 ) ↱ i τ ( ⋆ , λ ( P ) ⋅ ( k i + a i ) , 2 ) ↱ i τ ( ⋆ , λ ( P ) ⋅ ( x i + b i ) , 3 ) k d _ ∙ ↰ i τ ( ⋆ , 1 ) k a _ ∙ ↰ i τ ( ⋆ , 2 ) x b _ ∙ ↰ i τ ( ⋆ , 3 ) k d ← j ∑ k d j if k d ⋅ G = K D : stop ( ⋆ , 1 ) k a ← j ∑ k a j if k a ⋅ G = K + A : stop ( ⋆ , 2 ) x b ← j ∑ x b j if x b ⋅ G = X + B : stop ( ⋆ , 3 ) R ← k d 1 ⋅ D σ i ← k a ⋅ x i − x b ⋅ a i + c i return ( X , x i , R , k i , σ i ) F [ S e t u p ] f $ F q [ X ] _ ≤ t − 1 K e y i ( ) : return ( f ( 0 ) ⋅ G , f ( i )) ⊗ F [ T r i p l e ] f A , τ , f B , τ $ F q [ X ] _ ≤ t − 1 f C , τ $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = f A , τ ( 0 ) ⋅ f B , τ } T r i p l e i τ ( ) : ( a i , b i , c i ) ← ( f A , τ ( i ) , f B , τ ( i ) , f C , τ ( i )) ( A , B , C ) ← ( f A , τ ( 0 ) ⋅ G , f B , τ ( 0 ) ⋅ G , f C , τ ( 0 ) ⋅ G ) return ( a i , b i , c i , A , B , C ) ⊗ F [ T r i p l e ] ⊗ F [ S y n c C o m m ] N ⊚ F [ S t o p ] L e a k a g e := { stop } □ \square □
The functionalities we use here are perfect, in essence.
The idea behind the presignature functionality
is relatively simple.
One triple is used to help multiply k k k x x x k k k k k k
For convenience, we make it so that the presignature gives us X X X x x x
Another convention is that the same key x x x N \mathbb{N} N τ \tau τ
Definition (Ideal Presignatures):
P [ IdealPresign ] P i ( 1 ) Presign i τ ( ) : ‾ Sync i τ ( ⋆ , 0 ) WaitSync i τ ( ⋆ , 0 ) return Presign i τ ( ) F [ Presign ] f X , f K , τ , ← $ F q [ X ] _ ≤ t − 1 f Σ , τ , ← $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = 0 } Presign i τ ( ) : ‾ X ← f X ( 0 ) ⋅ G x i ← f X ( i ) R ← 1 f K , τ ( 0 ) ⋅ G k i ← f K , τ ( i ) σ i ← f X ( 0 ) ⋅ f K , τ ( 0 ) + f Σ , τ ( i ) return ( X , x i , R , k i , σ i ) K τ ( ) : ‾ return f K , τ ( 0 ) ⋅ G XK τ ( ) : ‾ return f X ( 0 ) ⋅ f K , τ ( 0 ) ⋅ G ⊗ F [ Sync ] N ⊚ F [ Stop ] Leakage : = { stop } \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{IdealPresign}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Presign}_i^\tau():
}\cr
&\enspace
\text{Sync}^{\tau}_i(\star, 0)
\cr
&\enspace
\text{WaitSync}^\tau_i(\star, 0)
\cr
&\enspace
\texttt{return } \text{Presign}_i^\tau()
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{Presign}]$
}\cr
\cr
&f^X, f^{K, \tau}, \xleftarrow{\$} \mathbb{F}_q[X]\_{\leq t - 1}\cr
&f^{\Sigma, \tau}, \xleftarrow{\$} \{ f \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f(0) = 0 \}\cr
\cr
&\underline{
\text{Presign}_i^\tau():
}\cr
&\enspace
X \gets f^X(0) \cdot G
\cr
&\enspace
x_i \gets f^X(i)
\cr
&\enspace
R \gets \frac{1}{f^{K, \tau}(0)} \cdot G
\cr
&\enspace
k_i \gets f^{K, \tau}(i)
\cr
&\enspace
\sigma_i \gets f^X(0) \cdot f^{K, \tau}(0) + f^{\Sigma, \tau}(i)
\cr
&\enspace
\texttt{return } (X, x_i, R, k_i, \sigma_i)
\cr
\cr
&\underline{
\text{K}^\tau():
}\cr
&\enspace
\texttt{return } f^{K, \tau}(0) \cdot G
\cr
&\underline{
\text{XK}^\tau():
}\cr
&\enspace
\texttt{return } f^{X}(0) \cdot f^{K, \tau}(0) \cdot G
\cr
\end{aligned}
}
}\cr
\otimes\cr
F[\text{Sync}]^{\mathbb{N}}\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}\}
\end{matrix}
} P [ I d e a l P r e s i g n ] P i ( 1 ) P r e s i g n i τ ( ) : S y n c i τ ( ⋆ , 0 ) W a i t S y n c i τ ( ⋆ , 0 ) return P r e s i g n i τ ( ) F [ P r e s i g n ] f X , f K , τ , $ F q [ X ] _ ≤ t − 1 f Σ , τ , $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = 0 } P r e s i g n i τ ( ) : X ← f X ( 0 ) ⋅ G x i ← f X ( i ) R ← f K , τ ( 0 ) 1 ⋅ G k i ← f K , τ ( i ) σ i ← f X ( 0 ) ⋅ f K , τ ( 0 ) + f Σ , τ ( i ) return ( X , x i , R , k i , σ i ) K τ ( ) : return f K , τ ( 0 ) ⋅ G X K τ ( ) : return f X ( 0 ) ⋅ f K , τ ( 0 ) ⋅ G ⊗ F [ S y n c ] N ⊚ F [ S t o p ] L e a k a g e := { stop } □ \square □
The ideal functionality basically spits out presignatures at will,
all under the same key.
We also get access to k ⋅ G k \cdot G k ⋅ G k x ⋅ G kx \cdot G k x ⋅ G k − 1 ⋅ G k^{-1} \cdot G k − 1 ⋅ G k x ⋅ G kx \cdot G k x ⋅ G
Lemma:
For a negligible ϵ \epsilon ϵ t − 1 t - 1 t − 1
P [ Presign ] ⇝ ϵ P [ IdealPresign ] \mathscr{P}[\text{Presign}] \overset{\epsilon}{\leadsto} \mathscr{P}[\text{IdealPresign}] P [ P r e s i g n ] ⇝ ϵ P [ I d e a l P r e s i g n ] Proof:
First, we note that P [ Presign ] ⇝ P 0 \mathscr{P}[\text{Presign}] \leadsto \mathscr{P}^0 P [ P r e s i g n ] ⇝ P 0 P i P_i P i
P i ( 1 ) Presign i τ ( ) : ‾ ( a i , b i , c i , A , B , C ) ← Triple i ( τ , 0 ) ( ) ( k i , d i , kd i , K , D , KD ) ← Triple i ( τ , 1 ) ( ) ↱ i τ ( ⋆ , ( λ ( P ) ⋅ kd i , λ ( P ) ⋅ ( k i + a i ) , λ ( P ) ⋅ ( x i + b i ) ) , 0 ) ( kd _ ∙ , ka _ ∙ , xb _ ∙ ) ↰ i τ ( ⋆ , 0 ) kd ← ∑ j kd j if kd ⋅ G ≠ KD : stop ( ⋆ , 0 ) ka ← ∑ j ka j if ka ⋅ G ≠ K + A : stop ( ⋆ , 0 ) xb ← ∑ j xb j if xb ⋅ G ≠ X + B : stop ( ⋆ , 0 ) R ← 1 kd ⋅ D σ i ← ka ⋅ x i − xb ⋅ a i + c i return ( X , R , k i , σ i ) \boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Presign}_i^\tau():
}\cr
&\enspace
(a_i, b_i, c_i, A, B, C) \gets \text{Triple}_i^{(\tau, 0)}()
\cr
&\enspace
(k_i, d_i, \text{kd}_i, K, D, \text{KD}) \gets \text{Triple}_i^{(\tau, 1)}()
\cr
&\enspace
\Rsh^\tau_i(\star, (\lambda(\mathcal{P}) \cdot \text{kd}_i, \lambda(\mathcal{P}) \cdot (k_i + a_i), \lambda(\mathcal{P}) \cdot (x_i + b_i)), 0)
\cr
\cr
&\enspace
(\text{kd}\_\bullet, \text{ka}\_\bullet, \text{xb}\_\bullet) \Lsh^\tau_i(\star, 0)
\cr
&\enspace
\text{kd} \gets \sum_j \text{kd}_j
\cr
&\enspace
\texttt{if } \text{kd} \cdot G \neq \text{KD}:\enspace\texttt{stop}(\star, 0)
\cr
&\enspace
\text{ka} \gets \sum_j \text{ka}_j
\cr
&\enspace
\texttt{if } \text{ka} \cdot G \neq K + A:\enspace\texttt{stop}(\star, 0)
\cr
&\enspace
\text{xb} \gets \sum_j \text{xb}_j
\cr
&\enspace
\texttt{if } \text{xb} \cdot G \neq X + B:\enspace\texttt{stop}(\star, 0)
\cr
&\enspace\cr
&\enspace
R \gets \frac{1}{\text{kd}} \cdot D
\cr
&\enspace
\sigma_i \gets \text{ka} \cdot x_i - \text{xb} \cdot a_i + c_i
\cr
&\enspace
\texttt{return } (X, R, k_i, \sigma_i)
\cr
\end{aligned}
}
} P i ( 1 ) P r e s i g n i τ ( ) : ( a i , b i , c i , A , B , C ) ← T r i p l e i ( τ , 0 ) ( ) ( k i , d i , k d i , K , D , K D ) ← T r i p l e i ( τ , 1 ) ( ) ↱ i τ ( ⋆ , ( λ ( P ) ⋅ k d i , λ ( P ) ⋅ ( k i + a i ) , λ ( P ) ⋅ ( x i + b i )) , 0 ) ( k d _ ∙ , k a _ ∙ , x b _ ∙ ) ↰ i τ ( ⋆ , 0 ) k d ← j ∑ k d j if k d ⋅ G = K D : stop ( ⋆ , 0 ) k a ← j ∑ k a j if k a ⋅ G = K + A : stop ( ⋆ , 0 ) x b ← j ∑ x b j if x b ⋅ G = X + B : stop ( ⋆ , 0 ) R ← k d 1 ⋅ D σ i ← k a ⋅ x i − x b ⋅ a i + c i return ( X , R , k i , σ i ) A sketch of the simulator here would be to delay sending messages
from malicious to honest parties until all three bundles have been sent,
and to detect failures early to make all aborts look the same.
From P 0 \mathcal{P}^0 P 0 P [ IdealPresign ] \mathcal{P}[\text{IdealPresign}] P [ I d e a l P r e s i g n ]
Γ H 0 … ⊗ S α j τ , β j τ , d j τ , δ j τ ← $ F q α τ ← ∑ j α j τ , β τ ← ∑ j β j τ , δ τ ← ∑ j δ j τ γ j τ ← $ { ( γ 1 , … , γ n ) ∣ ∑ j γ j = α ⋅ β } ( X , x k τ , R τ , k k τ , σ k τ ) ← Presign k τ ( ) K τ ← K τ ( ) , XK τ ← XK τ ( ) A τ ← α τ ⋅ G − K τ B τ ← β τ ⋅ G − X C τ ← α τ β τ − α τ ⋅ X − β τ ⋅ K τ + XK τ D τ ← δ τ ⋅ R τ , KD τ ← δ τ ⋅ G Triple k τ , 0 ( ) : ‾ a k ← α k τ − k k τ b k ← β k τ − k k τ c k ← γ k τ − α ⋅ x − β ⋅ k + σ k τ return ( a k , b k , c k , A τ , B τ , C τ ) Triple k τ , 1 ( ) : ‾ return ( k k τ , d k τ , δ k τ , K τ , D τ , KD τ ) m τ _ i j ← ⊥ ↱ k τ ( S , m ^ _ ∙ = ( kd _ ∙ , ka _ ∙ , xb _ ∙ ) , 0 ) : ‾ m τ _ k j ← m ^ _ k j ( ∀ j ∈ S ) Sync k ( S ∩ H , 0 ) for j ∈ H . ∀ k ∈ M . m τ _ k j ≠ ⊥ : ( kd k , ka k , xb k ) ← m _ k j kd ^ = ∑ _ j ∈ H δ j τ + ∑ _ k ∈ M kd k ka ^ = ∑ _ j ∈ H α j τ + ∑ _ k ∈ M ka k xb ^ = ∑ _ j ∈ H β j τ + ∑ _ k ∈ M xb k if kd ^ ⋅ G ≠ KD τ ∨ ka ^ ⋅ G ≠ K τ + A τ ∨ xb ^ ⋅ G ≠ X + B τ : stop ( { j } , 0 ) ↰ k τ ( S , 0 ) : ‾ WaitSync k ( S ∩ H , 0 ) wait _ ( k , 0 ) ∀ j ∈ S . m τ _ j k ≠ ⊥ r j ← m τ _ j k ( j ∈ S ∩ M ) r j ← ( δ j τ , α j τ , β j τ ) ( j ∈ S ∩ H ) return r _ ∙ … ∘ F [ Presign ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^0_H$
}\cr
&\ldots
\end{aligned}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$S$
}\cr
&\alpha^\tau_j, \beta^\tau_j, d^\tau_j, \delta^\tau_j \xleftarrow{\$} \mathbb{F}_q\cr
&\alpha^\tau \gets \sum_j \alpha^\tau_j, \beta^\tau \gets \sum_j \beta^\tau_j, \delta^\tau \gets \sum_j \delta^\tau_j\cr
&\gamma^\tau_j \xleftarrow{\$} \{(\gamma_1, \ldots, \gamma_n) \mid \sum_j \gamma_j = \alpha \cdot \beta \}\cr
&(X, x^\tau_k, R^\tau, k^\tau_k, \sigma^\tau_k) \gets \text{Presign}^\tau_k()\cr
&K^\tau \gets \text{K}^\tau(), \text{XK}^\tau \gets \text{XK}^\tau()\cr
\cr
&A^\tau \gets \alpha^\tau \cdot G - K^\tau\cr
&B^\tau \gets \beta^\tau \cdot G - X\cr
&C^\tau \gets \alpha^\tau \beta^\tau - \alpha^\tau \cdot X - \beta^\tau \cdot K^\tau + \text{XK}^\tau\cr
&D^\tau \gets \delta^\tau \cdot R^\tau, \text{KD}^\tau \gets \delta^\tau \cdot G\cr
\cr
&\underline{
\text{Triple}^{\tau, 0}_k():
}\cr
&\enspace
a_k \gets \alpha^\tau_k - k^\tau_k
\cr
&\enspace
b_k \gets \beta^\tau_k - k^\tau_k
\cr
&\enspace
c_k \gets \gamma^\tau_k - \alpha \cdot x - \beta \cdot k + \sigma^\tau_k
\cr
&\enspace
\texttt{return } (a_k, b_k, c_k, A^\tau, B^\tau, C^\tau)
\cr
\cr
&\underline{
\text{Triple}^{\tau, 1}_k():
}\cr
&\enspace
\texttt{return } (k^\tau_k, d^\tau_k, \delta^\tau_k, K^\tau, D^\tau, \text{KD}^\tau)
\cr
\cr
\cr
&m^\tau\_{ij} \gets \bot\cr
\cr
&\underline{
\Rsh^{\tau}_k(S, \hat{m}\_\bullet = (\text{kd}\_\bullet, \text{ka}\_\bullet, \text{xb}\_\bullet), 0):
}\cr
&\enspace
m^\tau\_{kj} \gets \hat{m}\_{kj}\ (\forall j \in S)
\cr
&\enspace
\text{Sync}_k(S \cap \mathcal{H}, 0)
\cr
&\enspace
\texttt{for } j \in \mathcal{H}.\ \forall k \in \mathcal{M}.\ m^\tau\_{kj} \neq \bot:
\cr
&\enspace\enspace
(\text{kd}_k, \text{ka}_k, \text{xb}_k) \gets m\_{k j}
\cr
&\enspace
\hat{\text{kd}} = \sum\_{j \in \mathcal{H}} \delta^\tau_j + \sum\_{k \in \mathcal{M}} \text{kd}_k
\cr
&\enspace\enspace
\hat{\text{ka}} = \sum\_{j \in \mathcal{H}} \alpha^\tau_j + \sum\_{k \in \mathcal{M}} \text{ka}_k
\cr
&\enspace\enspace
\hat{\text{xb}} = \sum\_{j \in \mathcal{H}} \beta^\tau_j + \sum\_{k \in \mathcal{M}} \text{xb}_k
\cr
&\enspace\enspace
\texttt{if } \hat{\text{kd}} \cdot G \neq \text{KD}^\tau \lor \hat{\text{ka}} \cdot G \neq K^\tau + A^\tau \lor \hat{\text{xb}} \cdot G \neq X + B^\tau:
\cr
&\enspace\enspace\enspace
\texttt{stop}(\{j\}, 0)
\cr
\cr
&\underline{
\Lsh^{\tau}_k(S, 0):
}\cr
&\enspace
\text{WaitSync}_k(S \cap \mathcal{H}, 0)
\cr
&\enspace
\texttt{wait}\_{(k, 0)} \forall j \in S.\ m^\tau\_{jk} \neq \bot
\cr
&\enspace
r_j \gets m^\tau\_{jk}\ (j \in S \cap \mathcal{M})
\cr
&\enspace
r_j \gets (\delta^\tau_j, \alpha^\tau_j, \beta^\tau_j)\ (j \in S \cap \mathcal{H})
\cr
&\enspace
\texttt{return } r\_\bullet
\cr
\cr
&\ldots\cr
\end{aligned}
}
}
\cr
\circ\cr
F[\text{Presign}] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 0 … ⊗ S α j τ , β j τ , d j τ , δ j τ $ F q α τ ← j ∑ α j τ , β τ ← j ∑ β j τ , δ τ ← j ∑ δ j τ γ j τ $ {( γ 1 , … , γ n ) ∣ j ∑ γ j = α ⋅ β } ( X , x k τ , R τ , k k τ , σ k τ ) ← P r e s i g n k τ ( ) K τ ← K τ ( ) , X K τ ← X K τ ( ) A τ ← α τ ⋅ G − K τ B τ ← β τ ⋅ G − X C τ ← α τ β τ − α τ ⋅ X − β τ ⋅ K τ + X K τ D τ ← δ τ ⋅ R τ , K D τ ← δ τ ⋅ G T r i p l e k τ , 0 ( ) : a k ← α k τ − k k τ b k ← β k τ − k k τ c k ← γ k τ − α ⋅ x − β ⋅ k + σ k τ return ( a k , b k , c k , A τ , B τ , C τ ) T r i p l e k τ , 1 ( ) : return ( k k τ , d k τ , δ k τ , K τ , D τ , K D τ ) m τ _ ij ← ⊥ ↱ k τ ( S , m ^ _ ∙ = ( k d _ ∙ , k a _ ∙ , x b _ ∙ ) , 0 ) : m τ _ kj ← m ^ _ kj ( ∀ j ∈ S ) S y n c k ( S ∩ H , 0 ) for j ∈ H . ∀ k ∈ M . m τ _ kj = ⊥ : ( k d k , k a k , x b k ) ← m _ kj k d ^ = ∑ _ j ∈ H δ j τ + ∑ _ k ∈ M k d k k a ^ = ∑ _ j ∈ H α j τ + ∑ _ k ∈ M k a k x b ^ = ∑ _ j ∈ H β j τ + ∑ _ k ∈ M x b k if k d ^ ⋅ G = K D τ ∨ k a ^ ⋅ G = K τ + A τ ∨ x b ^ ⋅ G = X + B τ : stop ({ j } , 0 ) ↰ k τ ( S , 0 ) : W a i t S y n c k ( S ∩ H , 0 ) wait _ ( k , 0 ) ∀ j ∈ S . m τ _ jk = ⊥ r j ← m τ _ jk ( j ∈ S ∩ M ) r j ← ( δ j τ , α j τ , β j τ ) ( j ∈ S ∩ H ) return r _ ∙ … ∘ F [ P r e s i g n ] ⊚ F [ S t o p ] The idea behind the simulator is that you generate random values
for the messages you're going to receive,
and then use those to reverse engineer what the large values
like A , B A, B A , B
■ \blacksquare ■
Signing
Signatures are pretty straightforward once you have presignatures.
Definition (Signing):
P [ Sign ] P i ( 1 ) Sign i τ ( ) : ‾ ( X , ∙ , R , k i , σ i ) ← Presign i τ ( ) m ← GetMessage τ ( ) s i ← Hash ( m ) ⋅ k i + x ( R ) ⋅ σ i ↱ i ( ⋆ , s i , 1 ) s _ ∙ ← ↰ i ( ⋆ , 1 ) s ← ∑ j s j if ¬ ECDSA . Verify ( X , m , ( R , s ) ) : stop ( ⋆ , 1 ) return s F [ Messages ] m τ ← ⊥ SetMessage τ ( m ) : ‾ if m τ = ⊥ : m τ ← m GetMessage τ ( ) : ‾ wait m τ ≠ ⊥ return m τ ⊗ F [ SyncComm ] N ⊚ F [ Stop ] Leakage : = { stop , SetMessage τ } ⊲ P [ Presign ] \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{Sign}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Sign}_i^\tau():
}\cr
&\enspace
(X, \bullet, R, k_i, \sigma_i) \gets \text{Presign}_i^\tau()
\cr
&\enspace
m \gets \text{GetMessage}^\tau()
\cr
&\enspace
s_i \gets \text{Hash}(m) \cdot k_i + x(R) \cdot \sigma_i
\cr
&\enspace
\Rsh_i(\star, s_i, 1)
\cr
&\enspace
s\_\bullet \gets \Lsh_i(\star, 1)
\cr
&\enspace
s \gets \sum_j s_j
\cr
&\enspace
\texttt{if } \neg \text{ECDSA}.\text{Verify}(X, m, (R, s)):
\cr
&\enspace\enspace
\texttt{stop}(\star, 1)
\cr
&\enspace
\texttt{return } s
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{Messages}]$
}\cr
\cr
&m^\tau \gets \bot
\cr
&\underline{
\text{SetMessage}^\tau(m):
}\cr
&\enspace
\texttt{if } m^\tau = \bot: m^\tau \gets m
\cr
\cr
&\underline{
\text{GetMessage}^\tau():
}\cr
&\enspace
\texttt{wait } m^\tau \neq \bot
\cr
&\enspace
\texttt{return } m^\tau
\cr
\end{aligned}
}
}\cr
\otimes\cr
F[\text{SyncComm}]^\mathbb{N}\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}, \text{SetMessage}^\tau\}
\end{matrix}
}
\lhd \mathscr{P}[\text{Presign}] P [ S i g n ] P i ( 1 ) S i g n i τ ( ) : ( X , ∙ , R , k i , σ i ) ← P r e s i g n i τ ( ) m ← G e t M e s s a g e τ ( ) s i ← H a s h ( m ) ⋅ k i + x ( R ) ⋅ σ i ↱ i ( ⋆ , s i , 1 ) s _ ∙ ← ↰ i ( ⋆ , 1 ) s ← j ∑ s j if ¬ E C D S A . V e r i f y ( X , m , ( R , s )) : stop ( ⋆ , 1 ) return s F [ M e s s a g e s ] m τ ← ⊥ S e t M e s s a g e τ ( m ) : if m τ = ⊥ : m τ ← m G e t M e s s a g e τ ( ) : wait m τ = ⊥ return m τ ⊗ F [ S y n c C o m m ] N ⊚ F [ S t o p ] L e a k a g e := { stop , S e t M e s s a g e τ } ⊲ P [ P r e s i g n ] □ \square □
We assume that there's a separate functionality which provides consensus
on the message to sign in each instance.
Definition (Ideal Signing):
P [ IdealSign ] P i ( 1 ) Sign i τ ( ) : ‾ Sync i τ ( ⋆ , 0 ) WaitSync i τ ( ⋆ , 0 ) Ready i τ ( ⋆ ) return Sig i τ ( ) F [ Sign ] ready _ i j τ ← false x , k τ ← $ F q Ready i τ ( S ) : ‾ ready τ _ i j ← true ( ∀ j ∈ S ) WaitReady i τ ( S ) : ‾ wait _ ( i , 1 ) ∀ j ∈ S . ready τ _ j i Sig i τ ( ) : ‾ wait _ ( i , 1 ) ∀ j ∈ P . ∃ i . ready τ _ j i m ← GetMessage τ ( ) R ← 1 k τ ⋅ G s ← k ⋅ ( Hash ( m ) + x ( R ) ⋅ x ) return ( R , s ) Leak τ ( ) : ‾ return ( x ⋅ G , x k τ ⋅ G , k τ ⋅ G , 1 k τ ⋅ G ) ⊚ F [ Messages ] ⊗ F [ Sync ] N ⊚ F [ Stop ] Leakage : = { stop , SetMessage τ , GetMessage τ , Leak τ } ⊲ P [ Presign ] \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{IdealSign}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Sign}_i^\tau():
}\cr
&\enspace
\text{Sync}^\tau_i(\star, 0)
\cr
&\enspace
\text{WaitSync}^\tau_i(\star, 0)
\cr
&\enspace
\text{Ready}^\tau_i(\star)
\cr
&\enspace
\texttt{return } \text{Sig}^\tau_i()
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{Sign}]$
}\cr
\cr
&\text{ready}\_{ij}^\tau \gets \texttt{false}\cr
&x, k^\tau \xleftarrow{\$} \mathbb{F}_q\cr
\cr
&\underline{
\text{Ready}^\tau_i(S):
}\cr
&\enspace
\text{ready}^\tau\_{ij} \gets \texttt{true}\ (\forall j \in S)
\cr
\cr
&\underline{
\text{WaitReady}^\tau_i(S):
}\cr
&\enspace
\texttt{wait}\_{(i, 1)} \forall j \in \mathcal{S}.\ \text{ready}^\tau\_{ji}
\cr
\cr
&\underline{
\text{Sig}^\tau_i():
}\cr
&\enspace
\texttt{wait}\_{(i, 1)} \forall j \in \mathcal{P}. \exists i.\ \text{ready}^\tau\_{ji}
\cr
&\enspace
m \gets \text{GetMessage}^\tau()
\cr
&\enspace
R \gets \frac{1}{k^\tau} \cdot G
\cr
&\enspace
s \gets k \cdot (\text{Hash}(m) + x(R) \cdot x)
\cr
&\enspace
\texttt{return } (R, s)
\cr
\cr
&\underline{
\text{Leak}^\tau():
}\cr
&\enspace
\texttt{return } (x \cdot G, xk^\tau \cdot G, k^\tau \cdot G, \frac{1}{k^\tau} \cdot G)
\cr
\end{aligned}
}
}\cr
\circledcirc\cr
F[\text{Messages}]\cr
\otimes\cr
F[\text{Sync}]^\mathbb{N}\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}, \text{SetMessage}^\tau, \text{GetMessage}^\tau, \text{Leak}^\tau\}
\end{matrix}
}
\lhd \mathscr{P}[\text{Presign}] P [ I d e a l S i g n ] P i ( 1 ) S i g n i τ ( ) : S y n c i τ ( ⋆ , 0 ) W a i t S y n c i τ ( ⋆ , 0 ) R e a d y i τ ( ⋆ ) return S i g i τ ( ) F [ S i g n ] r e a d y _ ij τ ← false x , k τ $ F q R e a d y i τ ( S ) : r e a d y τ _ ij ← true ( ∀ j ∈ S ) W a i t R e a d y i τ ( S ) : wait _ ( i , 1 ) ∀ j ∈ S . r e a d y τ _ ji S i g i τ ( ) : wait _ ( i , 1 ) ∀ j ∈ P . ∃ i . r e a d y τ _ ji m ← G e t M e s s a g e τ ( ) R ← k τ 1 ⋅ G s ← k ⋅ ( H a s h ( m ) + x ( R ) ⋅ x ) return ( R , s ) L e a k τ ( ) : return ( x ⋅ G , x k τ ⋅ G , k τ ⋅ G , k τ 1 ⋅ G ) ⊚ F [ M e s s a g e s ] ⊗ F [ S y n c ] N ⊚ F [ S t o p ] L e a k a g e := { stop , S e t M e s s a g e τ , G e t M e s s a g e τ , L e a k τ } ⊲ P [ P r e s i g n ] The ideal functionality unfortunately has to reflect
the round timing of the protocol itself.
Lemma:
For a negligible ϵ \epsilon ϵ t − 1 t - 1 t − 1
P [ Sign ] ⇝ ϵ P [ IdealSign ] \mathscr{P}[\text{Sign}] \overset{\epsilon}{\leadsto} \mathscr{P}[\text{IdealSign}] P [ S i g n ] ⇝ ϵ P [ I d e a l S i g n ] Proof:
First, we can replace P [ Presign ] \mathscr{P}[\text{Presign}] P [ P r e s i g n ] P [ IdealPresign ] \mathscr{P}[\text{IdealPresign}] P [ I d e a l P r e s i g n ]
From there, we can use a similar simulator as last time:
Γ H 0 … ⊗ S x i , k τ _ i , σ τ _ i ← $ F q ( i ∈ M ) k τ _ i , σ τ _ i ← ⊥ ( i ∈ H ) s _ i j ← ⊥ ( X , XK τ , K τ , R τ ) ← Leak τ ( ) Presign k τ ( ) : ‾ Ready k τ ( M ) return ( X , x i , K τ , R τ , k k τ , σ k τ ) K τ ( ) : ‾ return K τ XK τ ( ) : ‾ return XK τ ↰ k τ ( S , m _ ∙ , 1 ) : ‾ wait _ ( k , 1 ) ∀ j ∈ S ∩ M . s _ j k ≠ ⊥ r _ ∙ ← ⊥ r j ← s _ j k ( j ∈ S ∩ M ) WaitReady k τ ( S ∩ H ) for j ∈ S ∩ H : m ← GetMessage τ ( ) if ∣ { i ∈ H ∣ k i τ = ⊥ } ∣ = 1 : k j τ ← $ F q s ← Sig k τ ( ) σ j τ ← 1 x ( R ) ⋅ ( s − Hash ( m ) ⋅ ∑ i k i τ − x ( R ) ⋅ ∑ _ i ≠ j σ j τ ) else : k j τ , σ j τ ← $ F q r j ← Hash ( m ) ⋅ k j τ + x ( R ) ⋅ σ j τ return r _ ∙ ↱ k τ ( S , m _ ∙ , 1 ) : ‾ Ready k τ ( S ) for j ∈ S . s _ k j = ⊥ : s _ k j ← m j for j ∈ H . ∀ k ∈ M . s _ k j ≠ ⊥ : if ∑ _ k ∈ M s _ k j ≠ Hash ( m τ ) ⋅ ∑ k k k τ + x ( R τ ) ⋅ ∑ k σ k τ : stop ( { j } , 1 ) … ∘ F [ Messages ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^0_H$
}\cr
&\ldots
\end{aligned}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$S$
}\cr
&x_i, k^\tau\_i, \sigma^\tau\_i \xleftarrow{\$} \mathbb{F}_q\ (i \in \mathcal{M})\cr
&k^\tau\_i, \sigma^\tau\_i \gets \bot\ (i \in \mathcal{H})\cr
&s\_{ij} \gets \bot\cr
&(X, \text{XK}^\tau, K^\tau, R^\tau) \gets \text{Leak}^\tau()\cr
\cr
&\underline{
\text{Presign}^\tau_k():
}\cr
&\enspace
\text{Ready}^\tau_k(\mathcal{M})
\cr
&\enspace
\texttt{return } (X, x_i, K^\tau, R^\tau, k^\tau_k, \sigma^\tau_k)
\cr
\cr
&\underline{
\text{K}^\tau():
}\cr
&\enspace
\texttt{return } K^\tau
\cr
\cr
\cr
&\underline{
\text{XK}^\tau():
}\cr
&\enspace
\texttt{return } \text{XK}^\tau
\cr
\cr
&\underline{
\Lsh^\tau_k(S, m\_\bullet, 1):
}\cr
&\enspace
\texttt{wait}\_{(k, 1)} \forall j \in S \cap \mathcal{M}.\ s\_{jk} \neq \bot
\cr
&\enspace
r\_\bullet \gets \bot
\cr
&\enspace
r_j \gets s\_{jk}\ (j \in S \cap \mathcal{M})
\cr
&\enspace
\text{WaitReady}^\tau_k(S \cap \mathcal{H})
\cr
&\enspace
\texttt{for } j \in S \cap \mathcal{H}:
\cr
&\enspace\enspace
m \gets \text{GetMessage}^\tau()
\cr
&\enspace\enspace
\texttt{if } |\{ i \in \mathcal{H} \mid k^\tau_i = \bot \}| = 1:
\cr
&\enspace\enspace\enspace
k^\tau_j \xleftarrow{\$} \mathbb{F}_q
\cr
&\enspace\enspace\enspace
s \gets \text{Sig}^\tau_k()
\cr
&\enspace\enspace\enspace
\sigma^\tau_j \gets \frac{1}{x(R)}\cdot \left(
s - \text{Hash}(m) \cdot \sum_i k^\tau_i - x(R) \cdot \sum\_{i \neq j} \sigma^\tau_j
\right)
\cr
&\enspace\enspace
\texttt{else}:
\cr
&\enspace\enspace\enspace
k^\tau_j, \sigma^\tau_j \xleftarrow{\$} \mathbb{F}_q
\cr
&\enspace\enspace
r_j \gets \text{Hash}(m) \cdot k^\tau_j + x(R) \cdot \sigma^\tau_j
\cr
&\enspace
\texttt{return } r\_\bullet
\cr
\cr
&\underline{
\Rsh^\tau_k(S, m\_\bullet, 1):
}\cr
&\enspace
\text{Ready}^\tau_k(S)
\cr
&\enspace
\texttt{for } j \in S.\ s\_{kj} = \bot:\ s\_{kj} \gets m_j
\cr
&\enspace
\texttt{for } j \in \mathcal{H}. \forall k \in \mathcal{M}. s\_{kj} \neq \bot:
\cr
&\enspace\enspace
\texttt{if } \sum\_{k \in \mathcal{M}} s\_{kj} \neq \text{Hash}(m^\tau) \cdot \sum_k k^\tau_k + x(R^\tau) \cdot \sum_k \sigma^\tau_k:
\cr
&\enspace\enspace\enspace
\texttt{stop}(\{j\}, 1)
\cr
&\ldots\cr
\end{aligned}
}
}
\cr
\circ\cr
F[\text{Messages}] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 0 … ⊗ S x i , k τ _ i , σ τ _ i $ F q ( i ∈ M ) k τ _ i , σ τ _ i ← ⊥ ( i ∈ H ) s _ ij ← ⊥ ( X , X K τ , K τ , R τ ) ← L e a k τ ( ) P r e s i g n k τ ( ) : R e a d y k τ ( M ) return ( X , x i , K τ , R τ , k k τ , σ k τ ) K τ ( ) : return K τ X K τ ( ) : return X K τ ↰ k τ ( S , m _ ∙ , 1 ) : wait _ ( k , 1 ) ∀ j ∈ S ∩ M . s _ jk = ⊥ r _ ∙ ← ⊥ r j ← s _ jk ( j ∈ S ∩ M ) W a i t R e a d y k τ ( S ∩ H ) for j ∈ S ∩ H : m ← G e t M e s s a g e τ ( ) if ∣ { i ∈ H ∣ k i τ = ⊥ } ∣ = 1 : k j τ $ F q s ← S i g k τ ( ) σ j τ ← x ( R ) 1 ⋅ ( s − H a s h ( m ) ⋅ i ∑ k i τ − x ( R ) ⋅ ∑ _ i = j σ j τ ) else : k j τ , σ j τ $ F q r j ← H a s h ( m ) ⋅ k j τ + x ( R ) ⋅ σ j τ return r _ ∙ ↱ k τ ( S , m _ ∙ , 1 ) : R e a d y k τ ( S ) for j ∈ S . s _ kj = ⊥ : s _ kj ← m j for j ∈ H . ∀ k ∈ M . s _ kj = ⊥ : if ∑ _ k ∈ M s _ kj = H a s h ( m τ ) ⋅ k ∑ k k τ + x ( R τ ) ⋅ k ∑ σ k τ : stop ({ j } , 1 ) … ∘ F [ M e s s a g e s ] ⊚ F [ S t o p ] The strategy is the same as other simulators in this section, where
we use the fact that only the sum has to verify
correctly, in order to give junk values up until the last moment.
■ \blacksquare ■
The security of using presignatures
Here, we've limited ourselves to showing that our protocol
implements "ECDSA with presignatures",
as far as the security of "ECDSA with presignatures"
as a threshold signature scheme,
see Groth & Shoup 2021 .
