rewrote multi-user proofs

thesis/sections/edggm/omdl.tex

@@ -2,7 +2,6 @@
 
 This section provides a lower bound on the hardness of the modified version of the one-more discrete logarithm problem in the generic group model. The variant of the one-more discrete logarithm problem was introduced in the definition \ref{def:somdl}. \somdl differs from the original one-more discrete logarithm problem by only allowing the adversary to query the discrete logarithm of all challenges but one. Also the discrete logarithms are chosen from a predefined set that is the result of the special key generation algorithm used in EdDSA. The following proof uses the generic group model for twisted Edwards curves. There already exists a proof for the one-more discrete logarithm problem in the generic group model \cite{EPRINT:BauFucPlo21}. This proof provides a lower bound on the original definition of the one-more discrete logarithm problem. This proof is not directly applicable to this definition of \sdlog, since the secret scalars are not chosen uniformly at random from $\field{L}$ and the group structure is not just a prime order group. Also since a more restricted version of the one-more discrete logarithm problem is used a simpler proof, than that in \cite{EPRINT:BauFucPlo21} can be used, providing a better bound on \somdl.
 
-% TODO: N in theorem
 \begin{theorem}
 	\label{theorem:somdl_ggm}
 	Let $n$, $N$, $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary receiving $N$ group elements as challenge and making at most $\groupqueries$ group operations queries. Then,
@@ -26,7 +25,8 @@ This section provides a lower bound on the hardness of the modified version of t
 	\vspace{1mm}
 	\begin{algorithmic}
 		\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
-		\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash j\}$
+		\Comment{max. one query}
+		\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$
 	\end{algorithmic}
 	\vspace{1mm}
 	\begin{algorithmic}
@@ -93,7 +93,7 @@ This section provides a lower bound on the hardness of the modified version of t
 		\State \quad $\sum[R_i(\overset{\rightharpoonup}{a}) + S_i] = \sum[P_i]$
 		\State \quad $P_i \assign R_i(\overset{\rightharpoonup}{a}) + S_i$
 		\EndBox
-		\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash j\}$
+		\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$
 	\end{algorithmic}
 	\vspace{1mm}
 	\begin{algorithmic}
@@ -143,7 +143,7 @@ This section provides a lower bound on the hardness of the modified version of t
 		\BeginBox[draw=orange]
 		\State \textbf{for } $i \in \{1,2,...,N\}$
 		\Comment{$G_8$}
-		\State \quad \textbf{if } $a_i \neq \bot$
+		\State \quad \textbf{if } $a_i = \bot$
 		\State \qquad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
 		\EndBox
 		\BeginBox[draw=blue]
@@ -161,7 +161,7 @@ This section provides a lower bound on the hardness of the modified version of t
 	\begin{algorithmic}
 		\Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)}
 		\BeginBox[draw=orange]
-		\State \textbf{for } $i \in \{1,2,...,N\} \backslash j$
+		\State \textbf{for } $i \in \{1,2,...,N\} \backslash \{j\}$
 		\Comment{$G_8$}
 		\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
 		\EndBox 
@@ -174,7 +174,7 @@ This section provides a lower bound on the hardness of the modified version of t
 		\State \textbf{for } $P_i \in \pset{P}$
 		\State \quad $\sum[R_i(\overset{\rightharpoonup}{a}) + S_i] = \sum[P_i]$
 		\State \quad $P_i \assign R_i(\overset{\rightharpoonup}{a}) + S_i$
-		\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash j\}$
+		\State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$
 	\end{algorithmic}
 	\vspace{1mm}
 	\begin{algorithmic}