Suggestions for pqARKG-H security proof #31
Conversation
pqarkg-h-security/pqarkg-h.tex
Outdated
| @@ -369,7 +369,7 @@ \section{Reduction of \ALGBASE to \ALGNAME in \msks security experiment} | |||
| also defeats \expmsksbase. | |||
| Given such an adversary \bdv, | |||
| we construct an adversary \adv that defeats \expmsksbase | |||
| as defined in \figref{adv-reduction}. | |||
| as defined in \figref{exp-msks-pqarkg}. | |||
There was a problem hiding this comment.
This was not meant to reference the experiment, but the adversary construction. Let's instead clarify the text to remove that confusion.
| @@ -12,7 +12,7 @@ | |||
| \addbibresource{pqarkg-h.bib} | |||
|
|
|||
| \author{Emil Lundberg\\Yubico AB\\[email protected]} | |||
| \title{pqARKG-H: An extension of pqARKG for Hierarchical Deterministic Keys} | |||
| \title{Quantum-safe Hierarchical Deterministic Keys with the pqARKG-H extension} | |||
There was a problem hiding this comment.
Let's move this to a different changeset. I'm not sold on this title, I think it over-emphasizes the quantum part and under-emphasizes the HDK part which is the actual innovation here.
pqarkg-h-security/pqarkg-h.tex
Outdated
| In conclusion, we see that \adv wins its game precisely when \bdv wins its game. Therefore: | ||
|
|
||
| $$ \advantage{\msks}{\ALGNAME,\bdv} \geq \advantage{\msks}{\ALGBASE,\adv} $$ | ||
|
|
||
| On the other hand, given an adversary \adv that defeats \expmsksbase, we can trivially construct an adversary \bdv that defeats \expmsksnew by invoking \adv and additionally returning $b^*=1$. Therefore the advantages are equal: |
There was a problem hiding this comment.
Is this necessary? I reckon that "\adv wins its game precisely when \bdv wins its game" on its own is enough to conclude equality, is it not?
| \begin{proof} | ||
|
|
||
| Given an adversary \bdv that defeats \expmsksnew, | ||
| we construct an adversary \adv that defeats \expmsksbase. |
There was a problem hiding this comment.
I like the general outline of this, but let's move this to a separate changeset apart from the smaller fixes.
| allowing the ARKG delegating party (the party holding the ARKG private seed) to add any number of additional blinding layers | ||
| on top of the one performed by the ARKG subordinate party (the party generating public keys). |
There was a problem hiding this comment.
It is the subordinate party that adds the additional blinding layers - namely reducing them to the single additional blinding factor b passed to the delegating party. I'll keep this as is.
pqarkg-h-security/pqarkg-h.tex
Outdated
| To~prevent choosing $b = -\tau$ so that it cancels the blinding factor~$\tau$ | ||
| computed in step~2 of~\algdsk of~\ALGBASE, this~$b$ is also mixed into the PRF arguments to compute~$\tau$. | ||
| This disrupts any algebraic relationship between $b$ and~$\tau$, | ||
| thus preventing the subordinate party from extracting the private seed~\sk by a malicious choice of~$b$. | ||
| thus preventing the a compromised subordinate party from extracting the private seed~\sk by a malicious choice of~$b$. |
There was a problem hiding this comment.
I don't think this addition is necessary.
pqarkg-h-security/pqarkg-h.tex
Outdated
| This enables the delegating party to share a derived public \ALGNAME seed with a subordinate party without having to disclose~$b$. | ||
| This is desirable if the delegating party does not wish to reveal | ||
| the relationship with other keys in an HDK tree which might be used for unrelated purposes; | ||
| knowing~$b$ would enable the subordinate party to unblind the derived public key~\pkp to reveal the root public seed~\pkbl. | ||
| Instead, the subordinate party may determine $k$ and~\aux and compute steps 3--5 of \algdpk with $\pkbl=\pkbd$ and~$b=1$, |
There was a problem hiding this comment.
I'll cherry-pick parts of this but keep the overall structure the same. Thanks!
Probably easiest to review/cherry-pick commit-by-commit. Context is discussion in: sander/hierarchical-deterministic-keys#94