-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathDDH.ec
104 lines (65 loc) · 2.45 KB
/
DDH.ec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
(* DDH.h *)
(* Decisional Diffie-Hellman Assumption *)
prover [""]. (* no provers *)
require import AllCore Distr.
(***************************** Exponents and Keys *****************************)
(* group of keys *)
type key.
op (^^) : key -> key -> key. (* binary operation *)
op kid : key. (* identity *)
op kinv : key -> key. (* inverse *)
axiom kmulA (x y z : key) : x ^^ y ^^ z = x ^^ (y ^^ z).
axiom kid_l (x : key) : kid ^^ x = x.
axiom kid_r (x : key) : x ^^ kid = x.
axiom kinv_l (x : key) : kinv x ^^ x = kid.
axiom kinv_r (x : key) : x ^^ kinv x = kid.
(* commutative semigroup of exponents *)
type exp.
op e : exp. (* some exponent *)
op ( * ) : exp -> exp -> exp. (* multiplication *)
axiom mulC (q r : exp) : q * r = r * q.
axiom mulA (q r s : exp) : q * r * s = q * (r * s).
(* full (every element has non-zero weight), uniform (all elements
with non-zero weight have same weight) and lossless (sum of all
weights is 1%r) distribution over exp
consequently exp has only finitely many elements *)
op dexp : exp distr.
axiom dexp_fu : is_full dexp.
axiom dexp_uni : is_uniform dexp.
axiom dexp_ll : is_lossless dexp.
(* connection between key and exp, via generator key and
exponentiation operation *)
op g : key. (* generator *)
op (^) : key -> exp -> key. (* exponentiation *)
axiom double_exp_gen (q1 q2 : exp) : (g ^ q1) ^ q2 = g ^ (q1 * q2).
(* the following axioms say that each key is uniquely generated from g
by exponentiation *)
axiom gen_surj (x : key) : exists (q : exp), x = g ^ q.
axiom gen_inj (q r : exp) : g ^ q = g ^ r => q = r.
(******************** Decisional Diffie-Hellman Assumption ********************)
(* DDH Adversary *)
module type DDH_ADV = {
proc main(k1 k2 k3 : key) : bool
}.
module DDH1 (Adv : DDH_ADV) = {
proc main() : bool = {
var b : bool; var q1, q2 : exp;
q1 <$ dexp; q2 <$ dexp;
b <@ Adv.main(g ^ q1, g ^ q2, g ^ (q1 * q2));
return b;
}
}.
module DDH2 (Adv : DDH_ADV) = {
proc main() : bool = {
var b : bool; var q1, q2, q3 : exp;
q1 <$ dexp; q2 <$ dexp; q3 <$ dexp;
b <@ Adv.main(g ^ q1, g ^ q2 , g ^ q3);
return b;
}
}.
(* the *advantage* of a DDH adversary Adv is
`|Pr[DDH1(Adv).main() @ &m : res] - Pr[DDH2(Adv).main() @ &m : res]|
this will be negligible under certain assumptions about the group
key, the commutative semigroup exp, and the efficiency of Adv
(including that Adv doesn't compute the inverse of fun q => g ^
q *)