Rewritings due to feedback

2023-06-21 18:45:32 +02:00
parent 3db0912f79
commit 0d3218440b
19 changed files with 167 additions and 163 deletions

View File

@@ -20,6 +20,7 @@ listof=totoc,
\usepackage[,hhmmss]{datetime} \usepackage[,hhmmss]{datetime}
\usepackage{float} \usepackage{float}
\usepackage{xspace} \usepackage{xspace}
\usepackage{mathtools}
\newtheorem{lemma}{Lemma}[section] \newtheorem{lemma}{Lemma}[section]
\newtheorem{theorem}{Theorem}[section] \newtheorem{theorem}{Theorem}[section]
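Review bot: `\usepackage{mathtools}` is the dependency for the `\coloneqq` that the macro file in this same commit now uses for `\assign`, so the order matters: the macro file must be input after this line, otherwise `\coloneqq` is undefined at definition time. Since mathtools loads amsmath itself, also check that no later `\usepackage{amsmath}` with options follows it, as that would raise an option clash.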
@@ -122,11 +123,11 @@ The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
\end{theorem} \end{theorem}
The proof begins by showing that the UF-NMA security of EdDSA implies the SUF-CMA/EUF-CMA security of EdDSA with different types of parsing, in the random oracle model. With this step, subsequent proofs can be performed without worrying about signature generation, and a unified chain of reduction can be used to prove the security of EdDSA with both parsing variants. Next, an algebraic intermediate game \igame is introduced. This intermediate game serves as a separation for proofs in the random oracle model and those in the algebraic group model. Finally, the intermediate game \igame is reduced to the special discrete logarithm variant \sdlog. The proof begins by showing that the EUF-NMA security of EdDSA implies the SUF-CMA/EUF-CMA security of EdDSA with different types of parsing, in the random oracle model. With this step, subsequent proofs can be performed without worrying about signature generation, and a unified chain of reduction can be used to prove the security of EdDSA with both parsing variants. Next, an algebraic intermediate game \igame is introduced. This intermediate game serves as a separation for proofs in the random oracle model and those in the algebraic group model. Finally, the intermediate game \igame is reduced to the special discrete logarithm variant \sdlog.
The chain of reductions can be depicted as: The chain of reductions can be depicted as:
\[ \sdlog \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{UF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} / \text{EUF-CMA}_{\text{EdDSA lp}} \] \[ \sdlog \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} / \text{EUF-CMA}_{\text{EdDSA lp}} \]
\input{sections/security_of_eddsa/uf-nma_implies_suf-cma} \input{sections/security_of_eddsa/uf-nma_implies_suf-cma}
\input{sections/security_of_eddsa/gamez_implies_uf-nma} \input{sections/security_of_eddsa/gamez_implies_uf-nma}
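Review bot: the rename from UF-NMA to EUF-NMA in the prose and in the reduction chain is not carried into the `\input` paths `sections/security_of_eddsa/uf-nma_implies_suf-cma` and `sections/security_of_eddsa/gamez_implies_uf-nma`, which still use the old notion name; either rename the files in the same commit or leave a comment so that section titles and file names stay in sync. Please also confirm the renaming was applied inside those input files, since only the overview is visible in this hunk.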
@@ -140,7 +141,7 @@ Now that the single-user security of EdDSA got analyzed, we can take a look at i
Therefore, a similar approach to the proof in the single-user setting is used. It is not possible to reduce onto the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$, which was needed for the discrete logarithm of the public key to be calculated. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used, as introduced in \cite{JC:BNPS03}. Therefore, a similar approach to the proof in the single-user setting is used. It is not possible to reduce onto the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$, which was needed for the discrete logarithm of the public key to be calculated. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used, as introduced in \cite{JC:BNPS03}.
The proof starts by showing that the MU-UF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the MU-UF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption. The proof starts by showing that the MU-EUF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the random oracle model. Next an intermediate game is introduced onto which the MU-EUF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption.
The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are: The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
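Review bot: minor grammar in the rewritten paragraph: `Next an intermediate game` needs a comma after `Next`, `At last` should be `Finally` to match the single-user overview, and `reduced onto the security of the variant of the one-more discrete logarithm assumption` reads better as `reduced to the hardness of the one-more discrete logarithm variant`, since an assumption has hardness rather than security.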
@@ -160,7 +161,7 @@ The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$
The chain of reductions can be depicted as: The chain of reductions can be depicted as:
\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-UF-NMA} \overset{\text{ROM}}{\Rightarrow} MU-\cma_{\text{EdDSA sp}} / \text{MU-EUF-CMA}_{\text{EdDSA lp}} \] \[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} MU-\cma_{\text{EdDSA sp}} / \text{MU-EUF-CMA}_{\text{EdDSA lp}} \]
\input{sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma} \input{sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma}
\input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma} \input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma}
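Review bot: in the displayed chain, `MU-\cma_{\text{EdDSA sp}}` leaves `MU-` in math mode, so it typesets as the product M·U followed by a minus sign; wrap it as `\text{MU-}\cma_{\text{EdDSA sp}}` (or define a `\mucma` macro beside `\cma`) so it matches `\text{MU-EUF-CMA}_{\text{EdDSA lp}}` on the same line. The `\input` paths `mu-uf-nma_implies_mu-suf-cma` and `mu-gamez_implies_mu-uf-nma` also still carry the pre-rename notion name.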

View File

@@ -224,3 +224,22 @@
pages = {701--717}, pages = {701--717},
file = {Full Text PDF:/home/rixxc/Zotero/storage/9XIETZ49/Schwartz - 1980 - Fast Probabilistic Algorithms for Verification of .pdf:application/pdf}, file = {Full Text PDF:/home/rixxc/Zotero/storage/9XIETZ49/Schwartz - 1980 - Fast Probabilistic Algorithms for Verification of .pdf:application/pdf},
} }
@article{galbraith_public_2002,
title = {Public key signatures in the multi-user setting},
volume = {83},
issn = {0020-0190},
url = {https://www.sciencedirect.com/science/article/pii/S0020019001003386},
doi = {10.1016/S0020-0190(01)00338-6},
abstract = {This paper addresses the security of public key signature schemes in a “multi-user” setting. We bound the advantage of an adversary in producing an existential forgery on any one of a set of target public keys by the advantage of an adversary in producing an existential forgery on a single public key for any public key signature algorithm. We then improve the concrete security of this general reduction for certain specific discrete logarithm based signature algorithms such as that of Schnorr.},
language = {en},
number = {5},
urldate = {2023-06-21},
journal = {Information Processing Letters},
author = {Galbraith, S. and Malone-Lee, J. and Smart, N. P.},
month = sep,
year = {2002},
keywords = {Cryptography, Digital signatures, Provable security},
pages = {263--266},
file = {ScienceDirect Full Text PDF:/home/rixxc/Zotero/storage/Y9TGWX5X/Galbraith et al. - 2002 - Public key signatures in the multi-user setting.pdf:application/pdf;ScienceDirect Snapshot:/home/rixxc/Zotero/storage/G84HRF8K/S0020019001003386.html:text/html},
}
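Review bot: the new `galbraith_public_2002` entry includes a `file` field pointing at a local Zotero store under `/home/rixxc/`, as the preceding Schwartz entry does; that field is machine-specific, unused by the bibliography style, and leaks a local username into the repository, so strip `file` (and the `urldate`, `keywords` and `abstract` fields Zotero adds) from exports before committing. The key also follows the Zotero `author_title_year` pattern while the rest of the thesis cites cryptobib-style keys such as `JC:BNPS03`, `EC:BelRis09` and `C:KilMasPan16`; if this paper has a cryptobib entry, use that key for consistency.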

View File

@@ -6,7 +6,7 @@
\newcommand{\secparamter}{\lambda} \newcommand{\secparamter}{\lambda}
\newcommand{\randomsample}{\leftarrow} \newcommand{\randomsample}{\leftarrow}
\newcommand{\randomassign}{\leftarrow} \newcommand{\randomassign}{\leftarrow}
\newcommand{\assign}{:=} % TODO: \coloneqq \newcommand{\assign}{\coloneqq}
\newcommand{\encoded}[1]{\underline{#1}} \newcommand{\encoded}[1]{\underline{#1}}
\newcommand{\m}{m} \newcommand{\m}{m}
\newcommand{\signature}{\sigma} \newcommand{\signature}{\sigma}
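Review bot: `\coloneqq` closes the TODO correctly given the `mathtools` line added to the preamble in this commit. While here: the context lines define both `\randomsample` and `\randomassign` as plain `\leftarrow`, so the distinction between random sampling and assignment is invisible in the typeset output; if it is meant to be visible, `\randomsample` could be `\xleftarrow{\$}` (amsmath, which mathtools loads) or `\leftarrow_{\$}`.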
@@ -22,6 +22,7 @@
\newcommand{\ch}{\textbf{ch}} \newcommand{\ch}{\textbf{ch}}
\newcommand{\messagespace}{\mathcal{M}} \newcommand{\messagespace}{\mathcal{M}}
\newcommand{\pset}[1]{\mathbf{#1}} \newcommand{\pset}[1]{\mathbf{#1}}
\newcommand{\context}{\textit{context}}
% Special Dlog % Special Dlog
\newcommand{\sdlog}{\text{Ed-DLog}\xspace} \newcommand{\sdlog}{\text{Ed-DLog}\xspace}
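Review bot: the new `\context` macro has no trailing `\xspace`, unlike `\sdlog` and the other text macros in this file, so `\context is` in running prose will typeset as `contextis`; add `\xspace` or consistently write `\context{}`.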
@@ -35,9 +36,9 @@
\newcommand{\ioracle}{\textit{Chall}\xspace} \newcommand{\ioracle}{\textit{Chall}\xspace}
% EdDSA procedures % EdDSA procedures
\newcommand{\keygen}{\textit{KeyGen}\xspace} \newcommand{\keygen}{\textsf{KeyGen}\xspace}
\newcommand{\sign}{\textit{Sign}\xspace} \newcommand{\sign}{\textsf{Sign}\xspace}
\newcommand{\verify}{\textit{Verify}\xspace} \newcommand{\verify}{\textsf{Verify}\xspace}
% Security Notions % Security Notions
\newcommand{\cma}{\text{SUF-CMA}\xspace} \newcommand{\cma}{\text{SUF-CMA}\xspace}
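Review bot: switching `\keygen`, `\sign` and `\verify` to `\textsf` is fine, but `\ioracle` (`Chall`) two lines above keeps `\textit`; if oracle names and procedure names are meant to share a font, change it in the same commit so the figures stay consistent.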

View File

@@ -6,7 +6,7 @@ It has also been proven that the most common instantiations Ed25519 and Ed448 pr
Moreover, it has been proven that the signature scheme does not lose much of its security considering a multi-user setting. More specific, with a generous assumption of the existence of $2^{35} (\approx 32 \text{ billion})$ public keys the scheme loses only one bit of security. Moreover, it has been proven that the signature scheme does not lose much of its security considering a multi-user setting. More specific, with a generous assumption of the existence of $2^{35} (\approx 32 \text{ billion})$ public keys the scheme loses only one bit of security.
According to the results of this thesis, the EdDSA proved to be a secure signature scheme and that the modifications done to the original Schnorr signature scheme have very little affect on the security of the signature scheme. In fact, the only noticeable loss in security was introduced by the clamping of the private key. According to the results of this thesis, EdDSA has been proven to be a secure signature scheme and that the modifications done to the original Schnorr signature scheme have very little affect on the security of the signature scheme. In fact, the only noticeable loss in security was introduced by the clamping of the private key.
\paragraph{Acknowledgments} \paragraph{Acknowledgments}
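Review bot: the rewritten sentence still does not parse: `EdDSA has been proven to be a secure signature scheme and that the modifications ... have very little affect` joins an infinitive clause to a `that` clause, and `affect` should be `effect`; suggest `According to the results of this thesis, EdDSA is a secure signature scheme, and the modifications made to the original Schnorr signature scheme have very little effect on its security.` In the preceding sentence, `More specific` should be `More specifically`, and the figure in `$2^{35} (\approx 32 \text{ billion})$` is off: $2^{35} = 32 \cdot 2^{30} \approx 34.4$ billion, so either write $\approx 34$ billion or state that `billion` here means $2^{30}$, as the `$2^{30} (\approx 1 \text{ billion})$` in the concrete-security section suggests.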

View File

@@ -1,17 +1,17 @@
\section{Concrete Security of EdDSA} \section{Concrete Security of EdDSA}
Now that a security bound on the complexity of an adversary breaking EdDSA has been established the concrete security of the signature scheme can be analyzed. The security level of a cryptographic scheme can be determined by analysing the success ration of an adversary. The success ration of an attacker can be determined by analyzing its success probability and its runtime. The success ration is simply the advantage of an adversary devided by its runtime. Now that a security bound on the complexity of an adversary breaking EdDSA has been established the concrete security of the signature scheme can be analyzed. The security level of a cryptographic scheme can be determined by analysing the success ratio of an adversary. The success ratio of an attacker can be determined by analyzing its success probability and its runtime. The success ratio is simply the advantage of an adversary devided by its runtime. This follows the approach for concrete security of Bellare and Ristenpart \cite{EC:BelRis09} but the definition of success ratio and bit security is taken from \cite{AC:HofJagKil11}.
\begin{definition}[Success Ration] \begin{definition}[Success Ratio \cite{AC:HofJagKil11}]
Let adversary $\adversary{A}$ be an adversary with runtime Time($\adversary{A}$) and advantage $\advantage{\adversary{A}}{}$. Its success ration is defined as following: Let adversary $\adversary{A}$ be an adversary with runtime Time($\adversary{A}$) and advantage $\advantage{\adversary{A}}{}$. Its success ratio is defined as following:
\[ SR(\adversary{A}) = \frac{\advantage{\adversary{A}}{}}{Time(\adversary{A})}. \] \[ SR(\adversary{A}) = \frac{\advantage{\adversary{A}}{}}{Time(\adversary{A})}. \]
\end{definition} \end{definition}
With this definition of the success ration the bit security of a cryptographic scheme can be defined. With this definition of the success ratio the bit security of a cryptographic scheme can be defined.
\begin{definition}[Bit Security] \begin{definition}[Bit Security \cite{AC:HofJagKil11}]
A cryptographic scheme has $\kappa$ bit security if the success ration of all adversaries with a runtime $Time(\adversary{A}) \leq 2^\kappa$ is upper bounded by $2^{-\kappa}$. A cryptographic scheme has $\kappa$ bit security if the success ratio of all adversaries with a runtime $Time(\adversary{A}) \leq 2^\kappa$ is upper bounded by $2^{-\kappa}$.
\end{definition} \end{definition}
This definition can be used to calculate the bit security of concrete instantiations of EdDSA. The most popular instantations of EdDSA are Ed25519 and Ed443, as they are also specified in the RFC and the NIST standard. This definition can be used to calculate the bit security of concrete instantiations of EdDSA. The most popular instantations of EdDSA are Ed25519 and Ed443, as they are also specified in the RFC and the NIST standard.
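Review bot: the `ration` to `ratio` pass leaves other errors in this hunk: `devided` (`divided`), `instantations` (`instantiations`), `Ed443` should be `Ed448` (the instantiation the later proof in this file is about), `analysing`/`analyzing` mix British and American spelling, and `defined as following` should be `defined as follows`. In the definitions, `Time(\adversary{A})` and `SR(\adversary{A})` are set in math italics, which reads as an implicit product; `\mathrm{Time}` and `\mathrm{SR}` (or dedicated macros) would be cleaner and are easy to change globally.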
@@ -42,9 +42,9 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
\end{center} \end{center}
\begin{proof} \begin{proof}
\item At first the runtime of the adversaries against Ed25519 in the single user setting is analyzed. The success probability of an adversary $\adversary{B}$ in the \sdlog game is $\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} \leq \frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}}$. When instantiated with the values for Ed25519, an adversary $\adversary{B}$ is able to solve the \sdlog game with constant probability after about $2^{125}$ group operations. Therefore, the runtime of the adversary $\adversary{B}$ in the \sdlog game can be upper bounded by $2^{125}$. The runtime of an adversary $\adversary{A}$ against Ed25519 is roughly the same as the adversary $\adversary{B}$ against \sdlog and can therefore also be upper bounded by $2^{125}$. This, together with the advantage of adversary $\adversary{A}$, can be used to upper bound its success ration. \item At first the runtime of the adversaries against Ed25519 in the single user setting is analyzed. This can be done by analyzing the runtime of an adversary $\adversary{B}$ against \sdlog, since the runtime of both adversaries is roughly the same. The success probability of an adversary $\adversary{B}$ in the \sdlog game is $\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} \leq \frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}}$. When instantiated with the values for Ed25519, an adversary $\adversary{B}$ is able to solve the \sdlog game with constant probability after about $2^{125}$ group operations. Therefore, the runtime of the adversary $\adversary{B}$ in the \sdlog game can be upper bounded by $2^{125}$. The runtime of an adversary $\adversary{A}$ against Ed25519 is roughly the same as the adversary $\adversary{B}$ against \sdlog and can therefore also be upper bounded by $2^{125}$. This, together with the advantage of adversary $\adversary{A}$, can be used to upper bound its success ratio.
Since the runtime of the adversary is upper bounded by $2^{125}$ the amount of hash quries $\hashqueries$ and group operations $\groupqueries$ can also be upper bounded by $2^{125}$. A reasonable upper bound for the signing quries $\oraclequeries$ is $2^{64}$, as they are online and can not be computed by the adversary in secret. This provides following equation for the success ration: Since the runtime of the adversary is upper bounded by $2^{125}$ the amount of hash quries $\hashqueries$ and group operations $\groupqueries$ can also be upper bounded by $2^{125}$. A reasonable upper bound for the signing quries $\oraclequeries$ is $2^{64}$, as they are online and can not be computed by the adversary in secret. This provides following equation for the success ratio:
\begin{align*} \begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\ SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
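Review bot: `\item` directly after `\begin{proof}` is not inside a list environment and produces a `Lonely \item--perhaps a missing list environment` error, so this file cannot compile as shown; either wrap the proof steps in `\begin{enumerate} ... \end{enumerate}` or drop the `\item`. The hunk also keeps `quries` twice (`queries`), `can not` (`cannot`), and `the amount of hash quries` should be `the number of hash queries`. The added sentence `This can be done by analyzing the runtime of an adversary B against \sdlog, since the runtime of both adversaries is roughly the same` now duplicates the later `The runtime of an adversary A against Ed25519 is roughly the same as the adversary B against \sdlog`; keep one of the two.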
@@ -57,9 +57,9 @@ Ed25519 is one of the most widely used instantiations of EdDSA. According to the
This shows that Ed25519 provides $125$-bit security in the single-user setting. This shows that Ed25519 provides $125$-bit security in the single-user setting.
To get a security level in the multi-user setting an upper bound on the number of instances $N$ is needed. In \cite{C:KilMasPan16} Kiltz et al. mentioned that the existance of at lease $N = 2^{30} (\approx 1 \text{ billion})$ public keys can be assumed. For the following calculations the number of instances is assumed to be $N \leq 2^{35}$. An adversary $\adversary{B}$ against \somdl has a constant probability of winning the game after about $2^{125}$ group operations. Hence, its runtime is upper bounded by $2^{125}$. The success ration can then be calculated in the same way as it has been done in the single-user setting. To get a security level in the multi-user setting an upper bound on the number of instances $N$ is needed. In \cite{C:KilMasPan16} Kiltz et al. mentioned that the existance of at lease $N = 2^{30} (\approx 1 \text{ billion})$ public keys can be assumed. For the following calculations the number of instances is assumed to be $N \leq 2^{35}$. An adversary $\adversary{B}$ against \somdl has a constant probability of winning the game after about $2^{125}$ group operations. Hence, its runtime is upper bounded by $2^{125}$. The success ratio can then be calculated in the same way as it has been done in the single-user setting.
This provides a success ration of: This provides a success ratio of:
\begin{align*} \begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\ SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
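Review bot: `existance` should be `existence` and `at lease` should be `at least`; `Kiltz et al. mentioned that` reads better as `Kiltz et al. note that`. The `$N \leq 2^{35}$` bound used here is the one the conclusion quotes, so if the approximation in the conclusion is corrected, keep the two in sync.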
@@ -101,7 +101,7 @@ Another popular instantiation of the EdDSA signature scheme is Ed448. It uses th
\end{center} \end{center}
\begin{proof} \begin{proof}
\item This can be used to upper bound the success ration of an adversary $\adversary{A}$ against Ed448. To begin, the runtime of an adversary $\adversary{B}$ against \sdlog is upper bounded, using the values from the Ed448 signature scheme. The adversary $\adversary{B}$ achieves a constant probability of winning the \sdlog game after $2^{223}$ group operations. This also upper bounds its runtime. Now the success ration of adversary $\adversary{A}$ against Ed448 can be calculated as following: \item This can be used to upper bound the success ratio of an adversary $\adversary{A}$ against Ed448. To begin, the runtime of an adversary $\adversary{B}$ against \sdlog is upper bounded, using the values from the Ed448 signature scheme. The adversary $\adversary{B}$ achieves a constant probability of winning the \sdlog game after $2^{223}$ group operations. This also upper bounds its runtime. Now the success ratio of adversary $\adversary{A}$ against Ed448 can be calculated as following:
\begin{align*} \begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\ SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
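Review bot: same issue as in the Ed25519 proof: `\item` immediately after `\begin{proof}` with no enclosing list environment will not compile; fix both proofs the same way. Also `calculated as following` should be `calculated as follows`.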
@@ -114,7 +114,7 @@ Another popular instantiation of the EdDSA signature scheme is Ed448. It uses th
This shows that Ed448 provides $221$-bit security in the single-user setting. This shows that Ed448 provides $221$-bit security in the single-user setting.
Now the same is done for the multi-user security of Ed448. This yields following upper bound for the success ration: Now the same is done for the multi-user security of Ed448. This yields following upper bound for the success ratio:
\begin{align*} \begin{align*}
SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\ SR(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)}{Time(\adversary{A})} \\
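Review bot: `This yields following upper bound` is missing the article: `This yields the following upper bound for the success ratio`.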

View File

@@ -3,13 +3,13 @@
This section takes a closer look at the differences between the existing EdDSA specifications and the original Schnorr signature scheme. This section is partly inspired by \cite{SP:BCJZ21}. This section takes a closer look at the differences between the existing EdDSA specifications and the original Schnorr signature scheme. This section is partly inspired by \cite{SP:BCJZ21}.
As mentioned above, there are two papers by Bernstein et al., that define the EdDSA signature scheme \cite{CHES:BDLSY11,EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. Both variants can be described by the definition of the EdDSA signature scheme, by using a different perhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme. As mentioned above, there are two papers by Bernstein et al., that define the EdDSA signature scheme \cite{CHES:BDLSY11,EPRINT:BJLSY15}. The 2015 paper \cite{EPRINT:BJLSY15} describes a more generic version of the EdDSA signature scheme than the original publication \cite{CHES:BDLSY11}. According to \cite{EPRINT:BJLSY15}, the EdDSA signature scheme is defined by 11 parameters, as shown in table \ref{tab:parameter}. The paper also describes two variants of EdDSA. One is called PureEdDSA and the other is called HashEdDSA. HashEdDSA is a prehashing variant of the PureEdDSA signature scheme. This means that, in HashEdDSA, the message is being hashed by a hash function before it is signed or verified. 
Both variants can be described by the definition of the EdDSA signature scheme, by using a different preqhash function. In PureEdDSA the prehash function is simply the identity function. Another important variation in the EdDSA standard is the decoding of the signature. \cite{EPRINT:BJLSY15} describes two variations on how signatures can be decoded during verification. Both variations are described further in this section, as they have a major impact on the security of the EdDSA signature scheme.
There also exist two major standards for the EdDSA signature scheme. The first one is the RFC 8032, which was introduced by the IETF in 2017 \cite{josefsson_edwards-curve_2017}. In addition to publishing concrete parameterizations for the Ed25519 and Ed448 signature schemes, it also includes a variant of the EdDSA signature scheme that includes a context. The context is a separate string that can be used to separate the use of EdDSA between different protocols. As argued below, the inclusion of this context does not affect the security of the signature scheme and can be modeled as being part of the message. There also exist two major standards for the EdDSA signature scheme. The first one is the RFC 8032, which was introduced by the IETF in 2017 \cite{josefsson_edwards-curve_2017}. In addition to publishing concrete parameterizations for the Ed25519 and Ed448 signature schemes, it also includes a variant of the EdDSA signature scheme that includes a context. The context is a separate string that can be used to separate the use of EdDSA between different protocols. As argued below, the inclusion of this context does not affect the security of the signature scheme and can be modeled as being part of the message.
The 2023 FIPS 186-5 standard \cite{moody_digital_2023} also includes the EdDSA signature scheme as specified in RFC 8032. The 2023 FIPS 186-5 standard \cite{moody_digital_2023} also includes the EdDSA signature scheme as specified in RFC 8032.
The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}. A version of the EdDSA signature scheme, representing all mentioned standards, is depicted in figure \ref{fig:eddsa}.
\begin{center} \begin{center}
\begin{table}[!ht] \begin{table}[!ht]
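Review bot: the paragraph split replaces the old typo `perhash` with a new one, `preqhash`, rather than `prehash`, the spelling used in the very next sentence. Also `two papers by Bernstein et al., that define` has a stray comma before the restrictive `that`, and the first of the two new paragraphs ends in trailing whitespace after `signed or verified.`, which should be trimmed.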
@@ -24,7 +24,7 @@ The EdDSA signature scheme is depicted in figure \ref{fig:eddsa}.
$c$ & The cofactor of the twisted Edwards curve. \\ $c$ & The cofactor of the twisted Edwards curve. \\
$n$ & The number of bits used for the secret scalar of the public key. \\ $n$ & The number of bits used for the secret scalar of the public key. \\
$a, d$ & The curve parameter of the twisted Edwards curve. \\ $a, d$ & The curve parameter of the twisted Edwards curve. \\
$B$ & A generator point of the prime order subgroup of $E$. \\ $\groupelement{B}$ & A generator point of the prime order subgroup of $E$. \\
$L$ & The order of the prime order subgroup. \\ $L$ & The order of the prime order subgroup. \\
$H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure. $H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure.
\end{tabularx} \end{tabularx}
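Review bot: `$\groupelement{B}$` is the right fix for consistency with the proofs, but `$a, d$ & The curve parameter` should be plural (`parameters`), and `The number of bits used for the secret scalar of the public key` is misleading since the scalar is secret; `The number of bits of the secret scalar from which the public key is derived` says what is meant.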
@@ -75,7 +75,7 @@ The encoding function encodes points on the twisted Edwards curve into a b-bit b
The message space $\messagespace$ is defined as a bitstring of arbitrary length. To make the proof applicable to the EdDSA variant with context, the context can be modeled as part of the message. The message space $\messagespace$ is defined as a bitstring of arbitrary length. To make the proof applicable to the EdDSA variant with context, the context can be modeled as part of the message.
Looking at the RFC and FIPS standards, the context is passed to a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during signature generation and verification. Since the proofs are performed in the random oracle model, the position of the data in the hash function call, the actual content of the message, and the context are not relevant to the output of the random oracle call, unless the reduction explicitly uses the content of the message, which it does not in this case. Therefore, the context can be modeled as being part of the message. Looking at the RFC and FIPS standards, the context is passed to a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during signature generation and verification. Since the proofs are performed in the random oracle model, the position of the data in the hash function call, the actual content of the message, and the context are not relevant to the distribution of the random oracle. The context can be modeled as being part of the message, since the random oracle has the same uniform random distribution with or without the context.
\subsection{Signature} \subsection{Signature}
The signature is defined as a $2b$ bitstring of the encoded curve points $\groupelement{R}$ concatenated with the $b$-bit little endian encoding of the scalar $S$. The signature is defined as a $2b$ bitstring of the encoded curve points $\groupelement{R}$ concatenated with the $b$-bit little endian encoding of the scalar $S$.
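Review bot: the new justification for folding the context into the message is better than the old one, but it still skips the step that makes it valid: the random oracle is uniform on every input, so what the reduction needs is that distinct (context, message) pairs always produce distinct oracle inputs. State explicitly that `dom` encodes the context unambiguously (fixed-length or length-prefixed), because if two different pairs could collide as oracle queries, the reduction's bookkeeping of the adversary's hash queries would no longer be correct. Also, in the Signature subsection, `the encoded curve points $\groupelement{R}$` should be singular (`point`).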

View File

@@ -2,7 +2,7 @@
The following section gives specific bounds on the difficulty of certain variations of the discrete logarithm and one-more discrete logarithm problems introduced in the previous proofs. These proofs are given in the generic group model. In the generic group model, group elements are represented as random bitstrings, and the adversary can only perform group operations by invoking an oracle. The following section gives specific bounds on the difficulty of certain variations of the discrete logarithm and one-more discrete logarithm problems introduced in the previous proofs. These proofs are given in the generic group model. In the generic group model, group elements are represented as random bitstrings, and the adversary can only perform group operations by invoking an oracle.
In order to build a generic group model for twisted Edwards curves, it is essential to examine the group structure. As shown in section \ref{sec:sdlog_imlies_igame}, a twisted Edwards curve can be uniquely decomposed into a collection of cyclic subgroups. The generating set for this twisted Edwards curve is defined as a set of generators for these cyclic subgroups. With a fixed generating set, any point on the twisted Edwards curve can be uniquely expressed as a linear combination of the generators in that set. Consequently, the adversary is given the entire generator set as a description of the twisted Edwards curve. In addition, the adversary has access to a group operation oracle, GOp, which, given two labels and a bit indicating whether the group elements should be added or subtracted, returns the label of the resulting group element. In order to build a generic group model for twisted Edwards curves, it is essential to examine the group structure. As shown in section \ref{sec:sdlog_imlies_igame}, a twisted Edwards curve can be uniquely decomposed into a collection of cyclic subgroups. The generating set for this twisted Edwards curve is defined as a set of generators for these cyclic subgroups. With a fixed generating set, any point on the twisted Edwards curve can be uniquely expressed as a linear combination of the generators in that set. Consequently, the adversary is given labels of the entire generator set as a description of the twisted Edwards curve. In addition, the adversary has access to a group operation oracle, GOp, which, given two labels and a bit indicating whether the group elements should be added or subtracted, returns the label of the resulting group element.
The labels are bitstrings of length $\lceil \log_2(L) \rceil$, with $L$ being the order of the group. The labels are bitstrings of length $\lceil \log_2(L) \rceil$, with $L$ being the order of the group.
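Review bot: the label length `\lceil \log_2(L) \rceil` with `L` the prime-order subgroup order cannot injectively label the whole group the adversary is given: the preceding sentence hands out labels for the entire generating set, and the \somdl theorem below describes a curve with cofactor `2^c` whose largest prime-order subgroup has order `L`, so the full group has `2^c L` elements and needs `\lceil \log_2(2^c L) \rceil`-bit labels. Either adjust the length or state that `L` here denotes the order of the full group. Also `sec:sdlog_imlies_igame` has `imlies` for `implies`; if you rename the label, change both the `\label` and every `\ref`.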

View File

@@ -1,15 +1,15 @@
\subsection{Bounds on \somdl} \label{sec:somdl} \subsection{Bounds on \somdl} \label{sec:somdl}
This section provides a lower bound on the hardness of the modified version of the one-more discrete logarithm problem in the generic group model. The variant of the one-more discrete logarithm problem was introduced in the definition \ref{def:somdl}. \somdl differs from the original one-more discrete logarithm problem by only allowing the adversary to query the discrete logarithm of all challenges but one. Also the discrete logarithms are chosen from a predefined set that is the result of the special key generation algorithm used in EdDSA. The following proof uses the generic group model for twisted Edwards curves. There already exists a proof for the one-more discrete logarithm problem in the generic group model \cite{EPRINT:BauFucPlo21}. This proof provides a lower bound on the original definition of the one-more discrete logarithm problem. This proof is not directly applicable to this definition of \sdlog, since the secret scalars are not chosen uniformly at random from $\field{L}$ and the group structure is not just a prime order group. Also since a more restricted version of the one-more discrete logarithm problem is used a simpler proof, than that in \cite{EPRINT:BauFucPlo21} can be used, providing a better bound on \somdl. This section provides a lower bound on the hardness of the modified version of the one-more discrete logarithm problem in the generic group model. The variant of the one-more discrete logarithm problem was introduced in the definition \ref{def:somdl}. \somdl differs from the original one-more discrete logarithm problem by only allowing the adversary to query the discrete logarithm of all challenges but one. Also the discrete logarithms of the group elements in the challenge to the adversary are chosen from a predefined set that is the result of the special key generation algorithm used in EdDSA. The following proof uses the generic group model for twisted Edwards curves. 
There already exists a proof for the one-more discrete logarithm problem in the generic group model \cite{EPRINT:BauFucPlo21}. This proof provides a lower bound on the original definition of the one-more discrete logarithm problem. This proof is not directly applicable to this definition of \somdl, since the secret scalars are not chosen uniformly at random from $\field{L}$ and the group structure is not just a prime order group. Since a more restricted version of the one-more discrete logarithm problem is used a simpler proof than that in \cite{EPRINT:BauFucPlo21} can be used, providing a better bound on \somdl.
\begin{theorem} \begin{theorem}
\label{theorem:somdl_ggm} \label{theorem:somdl_ggm}
Let $n$, $N$, $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary receiving $N$ group elements as challenge and making at most $\groupqueries$ group operations queries. Then, Let $n$, $N$, $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary against \somdl receiving $N$ group elements as challenge and making at most $\groupqueries$ group operations queries. Then,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}}. \] \[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}}. \]
\end{theorem} \end{theorem}
\paragraph{\underline{Proof Overview}} This proof uses the same approach as the discrete logarithm proof in the generic group model by replacing the group elements with polynomials and choosing the challenge after the adversary provided its solution. The tricky part is that the adversary is able to query the discrete logarithms of the $N - 1$ group elements, provided to it as a challenge. The proof starts by replacing all group elements with multivariate polynomials representing their discrete logarithms. The indeterminants of those polynomials are the discrete logarithms of each group element, provided to the adversary as challenges. Once the adversary requests the discrete logarithms for all but one group element of the challenge those discrete logarithms are chosen uniformly at random and all polynomials are partially evaluated. This leaves polynomials with just one indeterminate, representing the discrete logarithm of the last challenge. This challenge is then chosen after the adversary provided its solution, leaving the adversay no option but to guess the remaining discrete logarithm. The \somdl game in the generic group model is depicted in figure \ref{fig:somdl_ggm}. \paragraph{\underline{Proof Overview}} This proof uses the same approach as the discrete logarithm proof in the generic group model by replacing the group elements with polynomials and choosing the challenge after the adversary provided its solution. The tricky part is that the adversary is able to query the discrete logarithms of all but one of the $N$ group elements, provided to it as a challenge. The proof starts by replacing all group elements with multivariate polynomials representing their discrete logarithms. The indeterminants of those polynomials are the discrete logarithms of each group element, provided to the adversary as challenges. 
Once the adversary requests the discrete logarithms for all but one group element of the challenge those discrete logarithms are chosen uniformly at random and all polynomials are partially evaluated. This leaves polynomials with just one indeterminate, representing the discrete logarithm of the last challenge. This challenge is then chosen after the adversary provided its solution, leaving the adversay no option but to guess the remaining discrete logarithm. The \somdl game in the generic group model is depicted in figure \ref{fig:somdl_ggm}.
\begin{figure}[h] \begin{figure}[h]
\hrule \hrule
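Review bot: the typo "adversay" in the Proof Overview paragraph survives this rewrite (it is now on the second of the two split lines, "leaving the adversay no option but to guess"); it should read "adversary". In the same hunk, "indeterminants" should be "indeterminates", the sentence "Since a more restricted version of the one-more discrete logarithm problem is used a simpler proof than that in \cite{EPRINT:BauFucPlo21} can be used" needs a comma after "is used", and "in the definition \ref{def:somdl}" and "in figure \ref{fig:somdl_ggm}" would be better as "Definition~\ref{def:somdl}" and "Figure~\ref{fig:somdl_ggm}" with non-breaking spaces. In the theorem statement the generating set $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$ introduces $m$, which is not among the integers declared in "Let $n$, $N$, $c$ be positive integers", and the ellipsis should be `\dots` rather than three periods in math mode.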
@@ -201,7 +201,7 @@ This section provides a lower bound on the hardness of the modified version of t
\end{figure} \end{figure}
\begin{proof} \begin{proof}
\item The proof starts by replacing group elements with polynomials. This happens in games $G_1$ and $G_2$. After that it is argued that the challenger makes a mistake in its simulation, by comparing polynomials instead of evaluating them, with only negligible probability. This is shown in $G_3 - G_6$. At last, since the polynomials are not evaluated during the simulation, one discrete logarithm is not used before the adversary provided its solution. Therefore, it can be chosen after the adversary provided its solution, which is shown in $G_7$ and $G_8$. \item The proof starts by replacing group elements with polynomials. This happens in games $G_1$ and $G_2$. After that it is argued that the challenger makes a mistake in its simulation with only negligible probability by comparing polynomials directly instead of evaluating them. This is shown in $G_3 - G_6$. At last, since the polynomials are not evaluated during the simulation, one discrete logarithm is not used before the adversary provides its solution. Therefore, it can be chosen after the adversary provided its solution, which is shown in $G_7$ and $G_8$.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be depicted in figure \ref{fig:somdl_games_ggm_1} by excluding all boxes but the black ones. Clearly, this is equivalent to the \somdl game in the generic group model. Therefore, \item \paragraph{\underline{$G_0:$}} Let $G_0$ be depicted in figure \ref{fig:somdl_games_ggm_1} by excluding all boxes but the black ones. Clearly, this is equivalent to the \somdl game in the generic group model. Therefore,
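Review bot: tense is now inconsistent inside the rewritten overview paragraph: the new text says "before the adversary provides its solution" but the very next sentence still says "after the adversary provided its solution"; use one tense throughout (present is the usual choice in game-hopping proofs). "$G_3 - G_6$" typesets a binary minus; write "$G_3$ to $G_6$" or "$G_3$--$G_6$". A style point: the `\item` placed directly inside `\begin{proof}` before each `\paragraph` (e.g. "\item \paragraph{\underline{$G_0:$}}") is not inside any list environment; if `proof` is amsthm's, this only works because that environment is built on trivlist, and each `\item` produces an empty item. Dropping the `\item` and keeping only the `\paragraph` is cleaner.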
@@ -211,15 +211,15 @@ This section provides a lower bound on the hardness of the modified version of t
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \] \[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_2:$}} $G_2$ replaces the blue boxes with the red ones. This change affects the discrete logarithm of the group elements in the prime order subgroup. The discrete logarithm is now represented as a multivariate polynomial. Each indeterminate of the polynomial represents the discrete logarithm of one of the group elements in the challenge to the adversary. The discrete logarithm of the group element in the challenge to the adversary is then instantiated with the indeterminate representing the discrete logarithm of that challenge, instead of the discrete logarithm itself. This change is only conceptual, since the polynomials are evaluated, with the discrete logarithm vector of the group elements in the challenge, before being compared in the Enc procedure. Hence, \item \paragraph{\underline{$G_2:$}} $G_2$ replaces the blue boxes with the red ones. This change affects the discrete logarithm of the group elements in the prime order subgroup. The discrete logarithm is now represented as a multivariate polynomial. Each indeterminate of the polynomial represents the discrete logarithm of one of the group elements in the challenge to the adversary. The discrete logarithm of the group element in the challenge to the adversary is then instantiated with the indeterminate representing the discrete logarithm of that challenge, instead of the discrete logarithm itself. This change is only conceptual, since the polynomials are evaluated with the discrete logarithm vector of the group elements in the challenge before being compared in the Enc procedure. Hence,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \] \[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ also introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore, \item \paragraph{\underline{$G_3:$}} $G_3$ introduces the $bad_1$ flag in the DL query. Without loss of generality the following explanation assumes that the adversary queries the DL oracle with input $j = N$. 
Each polynomial, generated by the challenger, is a linear multivariate polynomial of degree one. This is due to the fact that the challenger starts with linear multivariate polynomials of degree one in $\field{L}[Z_1, ..., Z_N]$ and only adds them to generate new polynomials. This means that each polynomial $P_i \in \field{L}[Z_1,...,Z_N]$, generated by the challenger, can be split into two polynomials $R_i \in \field{L}[Z_1,...,Z_{N-1}], S_i \in \field{L}[Z_N]$ so that $P_i = R_i + S_i$, simply by distributing the monials between the polynomials $R_i$ and $S_i$. Now the polynomial $P_i$ can be partially evaluated by setting $P_i = R_i(\overset{\rightharpoonup}{a}) + S_i$. For the simulation to be correct, when replacing the polynomial $P_i$ with $R_i(\overset{\rightharpoonup}{a}) + S_i$, it has to be ensured that distinct polynomials stay distinct after being partially evaluated. To ensure this, it is necessary to check that no two distinct polynomials $R_i, R_j$ result in the same value when evaluated with $\overset{\rightharpoonup}{a}$. In the case of this happening the $bad_1$ flag is set to true. Afterward, each generated polynomial is partially evaluated as described and the table $\sum$, which stores the association between group elements and labels, is updated to reflect this partial evaluation as well. From now on, each polynomial used by the challenger is in $\field{L}[Z_N]$. This change is purely conceptual, since the polynomials still get fully evaluated before being compared in the Enc procedure. Therefore,
\[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \] \[ \prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\groupqueries + N + 2$ many polynomials, one per DL query and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\groupqueries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games, \item \paragraph{\underline{$G_4:$}} In $G_4$ the abort instruction in the orange box is introduced, which is executed after the $bad_1$ flag is set. The $bad_1$ flag is set if distinct polynomials result in the same polynomial, after being partially evaluated. To calculate the probability of this happening the Schwart-Zippel lemma can be utilized. For every $R_i, R_j \in \pset{R} \wedge R_i \neq R_j$ a polynomial $R^* \assign R_i - R_j$ can be constructed. If and only if $R_i(\overset{\rightharpoonup}{a}) = R_j(\overset{\rightharpoonup}{a})$ then $R^*(\overset{\rightharpoonup}{a}) = 0$. 
Since $R^* \neq 0$, the degree of $R^*$ being $1$ and $\overset{\rightharpoonup}{a}$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwartz-Zippel lemma can be used to calculate the probability of $R^*(\overset{\rightharpoonup}{a}) = 0$, which is $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq \frac{1}{2^{n - 1 - c}}$. The challenger can generate at most $\groupqueries + N + 2$ many polynomials, one per group operation query GOp and $N + 2$ for encoding the input to the adversary. By the Union bound over all $(\groupqueries + N + 2)^2$ possible pairs of polynomials an upper bound on the $bad_1$ flag being set can be calculated as $\Pr[bad_1] \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$. Since $G_3$ and $G_4$ are identical-until-bad games,
\[ |\prone{G_3^{\adversary{A}}} - \prone{G_4^{\adversary{A}}}| \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}. \] \[ |\prone{G_3^{\adversary{A}}} - \prone{G_4^{\adversary{A}}}| \leq \frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}. \]
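Review bot: several notation slips in the $G_3$ and $G_4$ paragraphs are left untouched by the line split: "monials" should be "monomials"; "Schwart-Zippel" in the first $G_4$ line is inconsistent with "Schwartz-Zippel" on the following line; the table is written as $\sum$ (the summation operator) where the letter $\Sigma$ is meant; "Union bound" should be lowercase "union bound"; and "$\groupqueries + N + 2$ many polynomials" reads better as "at most $\groupqueries + N + 2$ polynomials". The repeated $\overset{\rightharpoonup}{a}$ would be easier to maintain as a macro such as `\vec{a}`. One precision point in the Schwartz-Zippel step: since the $R_i$ are linear, $R^* = R_i - R_j$ may be a non-zero constant, so "the degree of $R^*$ being $1$" should be "at most $1$" (the lemma still gives $\Pr[R^*(\overset{\rightharpoonup}{a}) = 0] \leq 1/2^{n-1-c}$ over a set of size $2^{n-1-c}$). The counting is sound; the union bound could be tightened to $\binom{\groupqueries + N + 2}{2}$ pairs, but $(\groupqueries + N + 2)^2$ is a valid upper bound.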
@@ -249,7 +249,7 @@ This section provides a lower bound on the hardness of the modified version of t
\item Since at least one discrete logarithm is chosen after the adversary provided its solution, its only chance is to guess it. Therefore, the probability of the adversary of winning $G_7$ is upper bounded by the probability of it guessing that discrete logarithm. Hence, \item Since at least one discrete logarithm is chosen after the adversary provided its solution, its only chance is to guess it. Therefore, the probability of the adversary of winning $G_7$ is upper bounded by the probability of it guessing that discrete logarithm. Hence,
\[ \prone{G_7^{\adversary{A}}} \leq \frac{1}{2^{n - 1 - c}}. \] \[ \prone{G_8^{\adversary{A}}} \leq \frac{1}{2^{n - 1 - c}}. \]
\item This proves theorem \ref{theorem:somdl_ggm}. \item This proves theorem \ref{theorem:somdl_ggm}.
\end{proof} \end{proof}
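Review bot: the corrected display now bounds $\prone{G_8^{\adversary{A}}}$, but the sentence just before it still says "the probability of the adversary of winning $G_7$", so prose and formula refer to different games; update the sentence to $G_8$ (or revert the display), and while there "the probability of the adversary of winning" should be "the probability of the adversary winning". The closing step "This proves theorem \ref{theorem:somdl_ggm}" should write "Theorem~\ref{theorem:somdl_ggm}" and, more importantly, should spell out the telescoping sum of the game hops that yields the theorem's $\frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}}$: the hops visible in this diff contribute $\frac{(\groupqueries + N + 2)^2}{2^{n - 1 - c}}$ and $\frac{1}{2^{n - 1 - c}}$, and the reader has to reconstruct the remaining $(\groupqueries + N + 2)^2$ term from hops not shown here.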

View File

@@ -179,25 +179,25 @@ The following proof utilizes the Schwartz-Zippel lemma \cite{schwartz_fast_1980}
\end{figure} \end{figure}
\begin{proof} \begin{proof}
\item Let $G_0$ represent the \sdlog game in the generic group model. In this proof, the discrete logarithm within the prime order subgroup of the group element $\groupelement{A}$ will be substituted with an indeterminate. Following that, it will be demonstrated that the challenger, by working with polynomials rather than actual discrete logarithms, makes errors in the simulation with negligible probability. Finally, it will be established that the discrete logarithm of the group element $\groupelement{A}$ can be selected after the adversary has submitted its solution for the game. \item Let $G_0$ be the \sdlog game in the generic group model. In this proof, the discrete logarithm within the prime order subgroup of the group element $\groupelement{A}$ will be substituted with an indeterminate. Following that, it will be demonstrated that the challenger, by working with polynomials rather than actual discrete logarithms, makes errors in the simulation with negligible probability. Finally, it will be established that the discrete logarithm of the group element $\groupelement{A}$ can be selected after the adversary has submitted its solution for the game.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:sdlog_games_ggm_1} by excluding all boxes except the black ones. This is identical to the \sdlog in the generic group model. By definition, \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:sdlog_games_ggm_1} by excluding all boxes except the black ones. This is identical to the \sdlog in the generic group model. By definition,
\[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} = \prone{G_0^{\adversary{A}}}. \] \[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} = \prone{G_0^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_1:$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification remains undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group elements. Each group element still gets the same label assigned. Therefore, \item \paragraph{\underline{$G_1:$}} $G_1$ is defined by substituting some black boxes with blue ones, causing the challenger to work with discrete logarithms rather than group elements. This modification is undetectable to the adversary, as it only deals with labels representing group elements, and each group element can be uniquely represented by its discrete logarithms. These discrete logarithms are denoted by an integer vector, where each element corresponds to the discrete logarithm concerning the generator in the generating set. The addition of these vectors is carried out component-wise. This change remains conceptual, since it only changes how the challenger internally represents group elements. Each group element is still assigned the same label. Therefore,
\[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \] \[ \prone{G_0^{\adversary{A}}} = \prone{G_1^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_2:$}} In $G_2$, the blue boxes are replaced with the red ones, which involves replacing the discrete logarithm of the prime order subgroup with a polynomial. The polynomial has one indeterminant, denoted by $Z$, which represents the discrete logarithm, in the prime order subgroup, of the challenge. The polynomial that serves as the discrete logarithm of the prime order subgroup is simply $P = Z$. It is important to note that this change is only conceptual since the polynomial is ultimately evaluated at the secret scalar $a$ in the Enc procedure. Hence, \item \paragraph{\underline{$G_2:$}} In $G_2$, the blue boxes are replaced with the red ones, which involves replacing the discrete logarithm of group elements in the prime order subgroup with a polynomial. The polynomial has one indeterminant, denoted by $Z$, which represents the discrete logarithm of group element in the prime order subgroup, provided to the adversary as a challenge. Therefore, the polynomial that serves as the discrete logarithm of the challenge in the prime order subgroup is simply $P = Z$. It is important to note that this change is only conceptual since the polynomial is ultimately evaluated at the secret scalar $a$ in the Enc procedure. Hence,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \] \[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ introduces the if condition within the green box. This condition checks if the challenger generated two distinct polynomials that would produce the same value when evaluated at $a$. This verification ensures that polynomials can be directly compared later on, rather than needing to evaluate them. If the if condition evaluates to true, a bad flag is set to true, indicating that the challenger might incorrectly assume that two discrete logarithms, represented by the polynomials, are different by only comparing the polynomials. This modification is purely conceptual, as it only affects internal variables and does not influence the game's behavior. Therefore, \item \paragraph{\underline{$G_3:$}} $G_3$ introduces the if condition within the green box. This condition checks if the challenger generated two distinct polynomials that would produce the same value when evaluated at $a$. This condition ensures that polynomials can be directly compared later on, rather than needing to evaluate them. If the if condition evaluates to true, a bad flag is set to true, indicating that the challenger might incorrectly assume that two discrete logarithms, represented by the polynomials, are different by only comparing the polynomials. This modification is purely conceptual, as it only affects internal variables and does not influence the game's behavior. Therefore,
\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \] \[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]
\item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag is activated. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being activated can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P} \neq P$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\groupqueries + 3$ many polynomials (one per DL call, and three by encoding the input to the adversary) by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\groupqueries + 3}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}$. For this reason, \item \paragraph{\underline{$G_4:$}} $G_4$ terminates if the bad flag defined in the previous game is set. This bad flag signifies situations where collisions of discrete logarithms would not be identified by merely comparing polynomials without evaluating them. The likelihood of the bad flag being set can be determined using the Schwartz-Zippel lemma. The set $\pset{P}$ is a set of all polynomials generated by the challenger and the polynomial $P$ represents the newly generated one. 
During the encoding of a newly generated group element the challenger checks that no two distinct polynomials evaluate to the same value at $a$. For a fixed $P_i \in \pset{P} \neq P$ we define $P^* = P_i - P$. If and only if $P_i(a) = P(a)$ then $P^*(a) = 0$. Since $P^* \neq 0$, the degree of $P^*$ being $1$ and $a$ being chosen uniformly at random from $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ the Schwarz-Zippel lemma can be used to calculate the probability that $P^*(a) = 0$, which is $\Pr[P^*(a) = 0] \leq \frac{1}{2^{n-1-c}}$. Since the set $\pset{P}$ can hold at most $\groupqueries + 3$ many polynomials (one per call to the group operation oracle GOp, and three by encoding the input to the adversary) by the Union bound over all polynomials in $\pset{P}$ the probability of bad being set, for each individual oracle query, is less or equal to $\frac{\groupqueries + 3}{2^{n-1-c}}$. By the Union bound over all oracle queries the probability of bad being set to true is $\Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}$. For this reason,
\[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}. \] \[ |\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad] \leq \frac{(\groupqueries + 3)^2}{2^{n-1-c}}. \]
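Review bot: the game indices in the displayed bounds of this hunk are off by one on both sides of the diff, and the rewrite does not fix them: the $G_3$ paragraph ends with "\[ \prone{G_1^{\adversary{A}}} = \prone{G_2^{\adversary{A}}}. \]", which should be $\prone{G_2^{\adversary{A}}} = \prone{G_3^{\adversary{A}}}$, and the $G_4$ paragraph ends with "$|\prone{G_2^{\adversary{A}}} - \prone{G_3^{\adversary{A}}}| \leq \Pr[bad]$", where the identical-until-bad pair is $G_3$ and $G_4$. Smaller points: "$P_i \in \pset{P} \neq P$" is not well-formed, write "$P_i \in \pset{P}$ with $P_i \neq P$"; "Schwarz-Zippel" here versus "Schwartz-Zippel" one sentence earlier; "indeterminant" should be "indeterminate"; the new wording "the discrete logarithm of group element in the prime order subgroup" is missing "the"; and the flag is typeset as plain "bad" in this file but as $bad_1$ in the \somdl proof, so pick one form (e.g. $\mathit{bad}$) for both files.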

View File

@@ -12,13 +12,13 @@ In a 2020 paper, Brendel et al. showed that Ed25519 satisfies EUF-CMA and SUF-CM
Tightness is a property of a security proof. A security proof is said to be tight if the probability of success of an adversary $\adversary{B}$ attacking problem B, constructed from adversary $\adversary{A}$ attacking problem A, is at most smaller than the probability of success of $\adversary{A}$ by a small constant factor. Tightness is a property of a security proof. A security proof is said to be tight if the probability of success of an adversary $\adversary{B}$ attacking problem B, constructed from adversary $\adversary{A}$ attacking problem A, is at most smaller than the probability of success of $\adversary{A}$ by a small constant factor.
Tight security proofs are desirable because they prove the security of multiple instantiations of a cryptographic scheme. In practice, cryptographic schemes are instantiated with primitives that are efficient in order to obtain an overall efficient scheme. If a security proof is not tight, it may not provide meaningful bounds on the security of the scheme, since it may be instantiated with efficient primitives that have parameters too small for the security proof to provide a meaningful bound. The use of less efficient primitives, to which the security proof provides meaningful bounds, may be undesirable for performance reasons. Tight security proofs are desirable because they tightly bind the hardness of the underlying assumption to the security of a cryptographic scheme. Without a tight security proof, it is not ruled out that an adversary may be discovered who needs considerably less effort to break the security of a cryptographic scheme compared to adversaries against its underlying assumption \cite{SAC:ChaMenSar11}. For that reason, much larger parameters must be used to securely instantiate the cryptographic scheme compared to the parameters needed to achieve the same level of security in the underlying assumption. This is undesired in practice, as usually a scheme becomes less efficient the larger its parameters are chosen.
For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security using the discrete logarithm assumption, as shown by Fuchsbauer et al. \cite{EC:FucPloSeu20}. For the Schnorr signature scheme, a tight security reduction can be achieved by using the algebraic group model and the random oracle model to directly show the EUF-CMA security using the discrete logarithm assumption, as shown by Fuchsbauer et al. \cite{EC:FucPloSeu20}, instead of analyzing it as a canonical identification scheme onto which the Fiat-Schamir transformation is applied.
This is also the approach used in this thesis. A tight security proof for the EdDSA signature scheme can be achieved by utilizing the algebraic group model and random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduced by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. By allowing only one bitstring representation of a scalar, strict parsing ensures SUF-CMA security. Allowing multiple bitstring representations of the same scalar, lax parsing, results only in EUF-CMA security. This thesis uses a similar approach to the one in the paper by Fuchsbauer et al. \cite{EC:FucPloSeu20} to achieve a tight security proof for EdDSA. The tight security proof is achieved by utilizing the algebraic group model and the random oracle model. However, some details of the EdDSA signature scheme have to be taken into account, which mainly is the different group structure and the key clamping, introduced by the key generation algorithm. Also, the way the signature is parsed has a major impact on the security guarantees of the EdDSA signature scheme. There are two variations how to parse the signature. One is called strict parsing and the other one is called lax parsing. Strict parsing allows only one bitstring representation of a scalar value, while lax parsing allows multiple bitstring representations of the same scalar value. Strict parsing ensures SUF-CMA security, while lax parsing only ensures EUF-CMA security.
Another important property of a signature scheme, also briefly mentioned in the paper \cite{SP:BCJZ21}, is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. In most cases, an adversary is satisfied with compromising one of the users. This leaves the question of whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the provided public keys. The multi-user security of Schnorr-like signature schemes has been analyzed in several papers \cite{EPRINT:Bernstein15,C:KilMasPan16}, but none of them apply to EdDSA or give a tight reduction. Another important property of a signature scheme, also briefly mentioned in \cite{SP:BCJZ21}, is its multi-security. When looking at practical applications of a signature scheme, not only one user is using the signature scheme, but many users are involved, all of whom have their own key pair. In most cases, an adversary is satisfied with compromising one of the users. This leaves the question whether an adversary gains an advantage in compromising a single user if he is provided with many public keys and can request signatures for any of the provided public keys. The multi-user security of Schnorr-like signature schemes has been analyzed in several papers \cite{EPRINT:Bernstein15,C:KilMasPan16}, but none of them apply to EdDSA or give a tight reduction.
This thesis uses the same method of providing a tight security proof in the algebraic group model and the random oracle model to prove the security of EdDSA in the multi-user setting using a variant of the one more discrete logarithm assumption, which also takes the key clamping of EdDSA into account. This thesis uses the same method of providing a tight security proof in the algebraic group model and the random oracle model to prove the security of EdDSA in the multi-user setting using a variant of the one more discrete logarithm assumption, which also takes the key clamping of EdDSA into account.
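Review bot: "Fiat-Schamir" in the newly added clause about Schnorr signatures should be "Fiat-Shamir". Elsewhere in the hunk: "multi-security" should be "multi-user security", the term the following sentences use; "one more discrete logarithm assumption" should be hyphenated "one-more"; "There are two variations how to parse the signature" reads better as "There are two ways to parse a signature"; and "which mainly is the different group structure and the key clamping" should be "mainly the different group structure and the key clamping". The unchanged definition of tightness ("at most smaller than the probability of success of $\adversary{A}$ by a small constant factor") mentions only success probability; the standard notion also requires the reduction's running time to be within a small constant factor of the adversary's, which is worth stating since the rest of the paragraph argues about the effort an adversary needs.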


@@ -1,6 +1,6 @@
\subsection{MU-\igame $\overset{\text{ROM}}{\Rightarrow}$ MU-UF-NMA} \subsection{MU-\igame $\overset{\text{ROM}}{\Rightarrow}$ MU-EUF-NMA}
This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition of the proof followed by the detailed security proof. This section shows that MU-\igame implies MU-EUF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition of the proof followed by the detailed security proof.
\paragraph{\underline{Introducing MU-\igame}} This game follows closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $N$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The MU-\igame game is depicted in figure \ref{game:mu-igame}. \paragraph{\underline{Introducing MU-\igame}} This game follows closely the definition of the \igame game. It again replaces the random oracle with the \ioracle oracle. The only difference to the \igame game is that the adversary gets access to $N$ public keys. The adversary again has to output a valid result for any commitment challenge pair generated by the \ioracle oracle for any of the public keys. The MU-\igame game is depicted in figure \ref{game:mu-igame}.
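Review bot: "Random Oracle Model" in the section's first sentence is capitalised, while the next file's hunk writes "random oracle model"; pick one form. In the MU-\igame introduction, "commitment challenge pair" should be "commitment-challenge pair", and "follows closely the definition" reads better as "closely follows the definition".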
@@ -38,7 +38,7 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\label{theorem:adv_mu-igame} \label{theorem:adv_mu-igame}
Let $\adversary{A}$ be an adversary against MU-\igame. Then, Let $\adversary{A}$ be an adversary against MU-\igame. Then,
\[ \advantage{\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter). \] \[ \advantage{\adversary{A}}{\text{MU-EUF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-\igame}}(\secparamter). \]
\end{theorem} \end{theorem}
\paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle, a valid forgery of the signature also becomes a valid solution for the MU-\igame game. \paragraph{\underline{Proof Overview}} Like the single-user setting the adversary has to query the random oracle to get the hash value $H(\encoded{R}|\encoded{A_i}|m)$. Again the programmability of the random oracle can be used to embed the challenge from \ioracle oracle into the answer of the random oracle. By embedding the challenge from the \ioracle oracle answer into the answer of the random oracle, a valid forgery of the signature also becomes a valid solution for the MU-\igame game.
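Review bot: the roles in the theorem statement do not match the proof. The statement introduces $\adversary{A}$ as an adversary against MU-\igame, but the equation bounds $\advantage{\adversary{A}}{\text{MU-EUF-NMA}}$ by $\advantage{\adversary{B}}{\text{MU-\igame}}$, and the proof that follows starts from an MU-EUF-NMA adversary $\adversary{A}$ and constructs $\adversary{B}$ against MU-\igame. Suggest "Let $\adversary{A}$ be an adversary against MU-EUF-NMA. Then there exists an adversary $\adversary{B}$ against MU-\igame such that ...". In the proof overview, "the challenge from \ioracle oracle" is missing "the", and "Like the single-user setting" should be "As in the single-user setting".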
@@ -72,11 +72,11 @@ This section shows that MU-\igame implies MU-UF-NMA security of the EdDSA signat
\end{figure} \end{figure}
\begin{proof} \begin{proof}
\item Now it is argued that the \ioracle oracle can be used to simulate the hash function in a way that the answer of the MU-UF-NMA adversary can be used as an valid solution for the MU-\igame challenger. \item Now it is argued that the \ioracle oracle can be used to simulate the hash function in a way that the answer of the MU-EUF-NMA adversary can be used as an valid solution for the MU-\igame challenger.
\item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as MU-UF-NMA with EdDSA. By definition, \item Let $G_0$ be defined in figure \ref{fig:mu-igame_implies_mu-uf-nma}. Then $G_0$ is the same as MU-EUF-NMA with EdDSA. By definition,
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-UF-NMA}}(\secparamter) = \Pr[\text{MU-UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \[ \advantage{\text{EdDSA}, \adversary{A}}{\text{MU-EUF-NMA}}(\secparamter) = \Pr[\text{MU-EUF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying \item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
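Review bot: "as an valid solution" in the first \item should read "as a valid solution". The \item lines sit directly inside \begin{proof}; make sure the proof environment is defined to open a list, otherwise LaTeX reports a lonely \item. The figure label fig:mu-igame_implies_mu-uf-nma keeps the old uf-nma name after the rename, which is sensible to avoid breaking cross-references, but a short comment at the label saying the name is historical would help.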


@@ -1,15 +1,15 @@
\subsection{MU-UF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-SUF-CMA}_{\text{EdDSA sp}}$} \subsection{MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-SUF-CMA}_{\text{EdDSA sp}}$}
This section shows that the MU-UF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the random oracle model. The section starts with providing an intuition of the proof, followed by the detailed security proof. This section shows that the MU-EUF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the random oracle model. The section starts with providing an intuition of the proof, followed by the detailed security proof.
\begin{theorem} \begin{theorem}
\label{theorem:adv_mu-uf-nma} \label{theorem:adv_mu-uf-nma}
Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem} \end{theorem}
\paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the absence of the \Osign oracle in MU-UF-NMA. For this reason, the reduction must simulate the \Osign oracle without the knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure, introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}. \paragraph{\underline{Proof Overview}} This proof closely follows the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the absence of the \Osign oracle in MU-EUF-NMA. For this reason, the reduction must simulate the \Osign oracle without the knowledge of the private keys. This is achieved by generating a valid and well-distributed tuple of commitment, challenge, and response using the \simalg procedure, introduced in section \ref{proof:uf-nma_implies_suf-cma}, and then programming the random oracle to output that challenge for the corresponding input. The different games are shown in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}.
\paragraph{\underline{Formal Proof}} \paragraph{\underline{Formal Proof}}
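Review bot: "positive integer" in the theorem statement should be "positive integers", matching the otherwise identical theorem for lax parsing later in this file; also $n$ is introduced there but never used in the bound, so either drop it or say what it denotes. The last term is written as a fraction over $2^{-\log_2(\cdot)}$; since $1/2^{-\log_2 x} = x$, it equals $\oraclequeries \hashqueries \lceil \frac{2^{2b}-1}{L} \rceil 2^{-2b}$, which is easier to read and to compare with the single-user bound. In the proof overview, "The only difference of both security notions" should be "The only difference between the two security notions".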
@@ -104,7 +104,7 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying \item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align} \begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter). \label{eq:adv_mu-uf-nma} \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter). \label{eq:adv_mu-uf-nma}
\end{align} \end{align}
\begin{figure}[h] \begin{figure}[h]
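Review bot: style: "well prepared" here versus "well-prepared" in the MU-\igame proof; use one spelling. The figure opened right after the align block uses the placement specifier [h] alone, which LaTeX usually promotes to [ht] with a warning; [htbp] (or [H] with the float package) gives predictable placement.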
@@ -136,11 +136,11 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp
\State \Return $\sum[m]$ \State \Return $\sum[m]$
\end{algorithmic} \end{algorithmic}
\hrule \hrule
\caption{Adversary $\adversary{B}$ breaking $\text{MU-UF-NMA}$} \caption{Adversary $\adversary{B}$ breaking $\text{MU-EUF-NMA}$}
\label{fig:adversaryb_mu-uf-nma} \label{fig:adversaryb_mu-uf-nma}
\end{figure} \end{figure}
To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-EUF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-EUF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Again there is only one valid encoded $S$ for each $\groupelement{R}$, $m$, $\groupelement{A_i}$ tuple that satisfies the verification equation. For the signature to be a valid forgery it must not be outputted by the \Osign oracle for this specific $m^*$ and $\groupelement{A_i}$. No new valid signature can be generated from a valid one by just changing the $S$ value. This means that either $\groupelement{R}$, $m$ or $\groupelement{A_i}$ have to be changed to generate a new valid signature from an already valid signature. Since all these parameters are part of the hash query to generate the challenge the resulting hash value has to be forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Hence, Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Again there is only one valid encoded $S$ for each $\groupelement{R}$, $m$, $\groupelement{A_i}$ tuple that satisfies the verification equation. For the signature to be a valid forgery it must not be outputted by the \Osign oracle for this specific $m^*$ and $\groupelement{A_i}$. No new valid signature can be generated from a valid one by just changing the $S$ value. This means that either $\groupelement{R}$, $m$ or $\groupelement{A_i}$ have to be changed to generate a new valid signature from an already valid signature. 
Since all these parameters are part of the hash query to generate the challenge the resulting hash value has to be forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Hence,
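Review bot: "simulates $\adversary{A}$'s view in $G_2$" conflicts with equation (\ref{eq:adv_mu-uf-nma}), which is stated for $G_3$ and which $\adversary{B}$ is supposed to realise; the lax-parsing proof later in this file says "view on $G_3$". Check which game is meant. The verification equation is written with unstarred $S$, $R$, $m$ and with $R$ outside \groupelement, although the output just introduced is $(\m^*, (\encoded{R^*}, S^*))$; writing it as $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}$ matches the align block that follows. "consider $\adversary{A}$ output" should be "consider $\adversary{A}$'s output", and "outputted" should be "output".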
@@ -149,22 +149,22 @@ This section shows that the MU-UF-NMA security of the EdDSA signature scheme imp
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i} \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}
\end{align*} \end{align*}
Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-UF-NMA challenger. Since the public keys and the results of the hash queries are forwarded from the MU-EUF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-EUF-NMA challenger.
\item In the main procedure the adversary $\adversary{B}$ simply calls adversary $\adversary{A}$ and outputs its forged signature. To simulate the hash function $\adversary{B}$ simply forwards the queries to adversary $\adversary{A}$ and to a signature $\adversary{B}$ obtains the pair of commitment, challenge, and solution from the \simalg procedure, which is just samples two values and calculates the last one using a simple equation, and then programs its random oracle. Therefore, the runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. \item In the main procedure the adversary $\adversary{B}$ simply calls adversary $\adversary{A}$ and outputs its forged signature. To simulate the hash function $\adversary{B}$ simply forwards the queries to adversary $\adversary{A}$ and to a signature $\adversary{B}$ obtains the pair of commitment, challenge, and solution from the \simalg procedure, which is just samples two values and calculates the last one using a simple equation, and then programs its random oracle. Therefore, the runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$.
\item This proves theorem \ref{theorem:adv_mu-uf-nma}. \item This proves theorem \ref{theorem:adv_mu-uf-nma}.
\end{proof} \end{proof}
\subsection{MU-UF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-EUF-CMA}_{\text{EdDSA lp}}$} \subsection{MU-EUF-NMA $\overset{\text{ROM}}{\Rightarrow}$ $\text{MU-EUF-CMA}_{\text{EdDSA lp}}$}
This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing used in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-UF-NMA security. Similar to the proof in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. This way the adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. This would result in the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ being programmed by the reduction itself and therefore the signature not being valid for the UF-NMA challenger. This section shows that MU-EUF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing used in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin \pset{Q}$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-EUF-NMA security. Similar to the proof in the single-user setting, the SUF-CMA security of EdDSA with lax parsing cannot be shown, as there are multiple valid encodings of $S$ for one signature. 
This way the adversary would be able to generate a new valid signature from an obtained one by simply choosing a different encoding of $S$. This would result in the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ being programmed by the reduction itself and therefore the signature not being valid for the EUF-NMA challenger.
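Review bot: the runtime item says $\adversary{B}$ "forwards the queries to adversary $\adversary{A}$" to simulate the hash function, but $\adversary{B}$ answers $\adversary{A}$'s hash queries by forwarding them to its own $H$ oracle from the MU-EUF-NMA challenger, as the preceding item states; also "to a signature" should be "to simulate a signature", "pair of commitment, challenge, and solution" is a triple, and "which is just samples" should be "which just samples". In the new lax-parsing subsection: "the proof MU-SUF-CMA proof" duplicates "proof"; "The modification to the games are the same ... with the only modifications being" is ungrammatical; "starts at showing" should be "starts by showing"; the win condition $\verify(\groupelement{A_j}, \m^*)$ omits the signature argument $\signature^*$; and the final sentence still says "EUF-NMA challenger" where this section's challenger is MU-EUF-NMA, the very rename this commit applies everywhere else.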
\begin{theorem} \begin{theorem}
\label{theorem:adv2_mu-uf-nma} \label{theorem:adv2_mu-uf-nma}
Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, Let $n$ and $N$ be positive integers and $\adversary{A}$ an adversary against MU-EUF-CMA, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem} \end{theorem}
\paragraph{\underline{Formal Proof}} \paragraph{\underline{Formal Proof}}
@@ -172,7 +172,7 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur
\begin{proof} \begin{proof}
\item \item
\begin{align} \begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter). \label{eq:adv2_mu-uf-nma} \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-EUF-NMA}}(\secparamter). \label{eq:adv2_mu-uf-nma}
\end{align} \end{align}
\begin{figure}[h] \begin{figure}[h]
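Review bot: the first \item in the proof is empty and is immediately followed by the align block; either put the item's text on that line (as in the strict-parsing proof, "Finally, game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying") or drop the empty \item.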
@@ -204,20 +204,20 @@ This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA secur
\State \Return $\sum[m]$ \State \Return $\sum[m]$
\end{algorithmic} \end{algorithmic}
\hrule \hrule
\caption{Adversary $\adversary{B}$ breaking $\text{MU-UF-NMA}$} \caption{Adversary $\adversary{B}$ breaking $\text{MU-EUF-NMA}$}
\label{fig:adversary_b_mu-uf-nma} \label{fig:adversary_b_mu-uf-nma}
\end{figure} \end{figure}
To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking MU-UF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the MU-UF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking MU-EUF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the MU-EUF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the MU-UF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore, Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill the following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason, the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$, but was forwarded from the $H$ hash oracle provided by the MU-EUF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. 
Therefore,
\begin{align*} \begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}\\ 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}\\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}. \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}.
\end{align*} \end{align*}
This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the MU-UF-NMA challenger. This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the MU-EUF-NMA challenger.
\item Since the adversary $\adversary{B}$ is the same as in the proof above, its runtime is roughly the same as the runtime of adversary $\adversary{A}$, for the same reason. \item Since the adversary $\adversary{B}$ is the same as in the proof above, its runtime is roughly the same as the runtime of adversary $\adversary{A}$, for the same reason.
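Review bot: "public key $A_i$" should be $\groupelement{A_i}$ as everywhere else, "Like in the single-user setting" should be "As in the single-user setting", and the verification equation again uses unstarred $S$, $R$, $m$ with $R$ outside \groupelement right after introducing the starred output. The step "the output of $H'(\encoded{R^*}|\encoded{A_i}|m^*)$ has not been set by the adversary $\adversary{B}$" relies on $\adversary{B}$ programming $H'$ only at inputs whose $(\groupelement{A_i}, m)$ was queried to \Osign; stating that explicitly would close the argument. Splitting "Therefore," onto its own line is harmless in LaTeX, just check it was intended rather than an editor artefact.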


@@ -1 +1 @@
\section{MU-\igame $\Rightarrow$ MU-UF-NMA} \section{MU-\igame $\Rightarrow$ MU-EUF-NMA}


@@ -2,8 +2,7 @@
\subsubsection{General Notation} \subsubsection{General Notation}
% TODO: Notation mit residual ring und finite field abklären. For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from a non-empty finite set $A$ uniformly at random. $\assign$ denotes a deterministic assignment of a variable. $\{0,1\}^n$ is the set of all bitstrings of length n, while $\{0,1\}^*$ denotes the set of finite bitstring of arbitrary length. $(x,y)$ is a tuple of the two elements $x$ and $y$. $\{x,y\}$ is a set of the elements $x$ and $y$. At the beginning of a game a set is initialized to be the empty set $\{\}$. $\sum$ denotes a table and $\sum[x]$ denotes the value of the table at position $x$. Each position of the table is uninitialized at the beginning of a game. An uninitialized position in the table is denoted with the bottom symbol $\bot$. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if for all polynomials $p$ there exists a $N \in \mathbb{N}$ so that $\forall n \geq N: f(n) < \frac{1}{p(n)}$ is true. $\pset{S} \in f(x)$ denotes the set $\pset{S}$ of outputs of $f$ given $x$ as input. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ with uniform random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. When a game is played, the main procedure is run and adversary $\adversary{A}$ is given some inputs and access to the oracle procedures. Based on the output of the adversary $\adversary{A}$ and its oracle calls, the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game. The message space of the signature scheme is defined as $\messagespace$.
For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from a non-empty set $A$ uniformly at random. $\assign$ denotes a deterministic assignment of a variable. $\{0,1\}^n$ is a bitstring of length n, while $\{0,1\}^*$ denotes a finite bitstring of arbitrary length. $(x,y)$ is a tuple of the two elements $x$ and $y$. $\{x,y\}$ is a set of the elements $x$ and $y$. At the beginning of a game a set is initialized to be the empty set $\{\}$. $\sum$ denotes a table and $\sum[x]$ denotes the value of the table at position $x$. Each position of the table is uninitialized at the beginning of the game. An uninitialized position in the table is denoted with the bottom symbol $\bot$. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if there exists a $N \in \mathbb{N}$ so that for all polynomials $p$: $\forall n \geq N: f(n) < \frac{1}{p(n)}$ is true. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ with uniform random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. When the game is played, the main procedure is run and adversary $\adversary{A}$ is given some inputs and access to the oracle procedures. Based on the output of the adversary $\adversary{A}$ and its oracle calls, the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game.
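Review bot: three of the rewrites in the notation paragraph change the meaning for the worse. (1) "non-empty finite set" became "non-empty set"; uniform sampling needs a finite set. (2) "$\{0,1\}^n$ is the set of all bitstrings of length n" became "is a bitstring of length n"; $\{0,1\}^n$ denotes the set, and likewise $\{0,1\}^*$. (3) The definition of negligible swapped the quantifiers: "there exists $N$ so that for all polynomials $p$" is not the standard definition and is not even satisfied by $f(n) = 2^{-n}$ (for a fixed $N$ the constant polynomial $p = 2^N$ defeats it); the old order "for all polynomials $p$ there exists $N$" was correct. The sentences defining $\pset{S} \in f(x)$ and the message space $\messagespace$ were dropped; check that no later section still uses them. The TODO about residual ring versus finite field was removed without resolving it; $\mathbb{Z}/n\mathbb{Z}$ is usually called the residue (class) ring, and "For an integer n" should be "For a positive integer $n$" with $n$ in math mode, as should "length n".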
\subsubsection{Algebraic Notation} \subsubsection{Algebraic Notation}


@@ -1,36 +1,36 @@
\section{Preliminaries} \section{Preliminaries}
\input{sections/notation}
\subsection{Code-based reduction proofs} \subsection{Code-based reduction proofs}
To perform the security proof of the EdDSA signature scheme, code-based game playing proofs are used. as introduced in \cite{EC:BelRog06}. In these proofs, an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output back from it. The game then decides, depending on the output of the adversary, whether it has won or not. In addition the adversary might get oracle access to one or more procedures, meaning that the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The adversaries's advantage in a game is the adversaries's ability to win the game more reliably than through the use of generic attacks, such as guessing the answer to the game. To perform the security proof of the EdDSA signature scheme, code-based game playing proofs are used. as introduced in \cite{EC:BelRog06}. In these proofs, an adversary is tasked to play (and win) against a predefined game. The game is defined by a set of instructions which are executed consecutively. At one point the game calls the adversary with some input and gets some output back from it. The game then decides, depending on the output of the adversary, whether it has won or not. In addition the adversary might get access to one or more procedures, of which the adversary is only able to observe the output of the procedure call given a specific input. Those procedures are called oracles. The adversary's advantage in a game is the adversary's ability to win the game more reliably than through the use of trivial attacks, such as guessing the answer to the game.
During the proof, these games are being modified until an adversary against the modified game can also be used as an adversary against another game. This method is called a reduction proof. It shows that one problem (described by one game) can be reduced to another problem. In other words, it says that if problem A can be reduced onto problem B, any algorithm solving problem A can be transformed into an algorithm solving problem B. During the proof, these games are being modified until an adversary $\adversary{B}$ against another problem can be constructed, that simulates the view of an adversary against the modified game. For each modification, it must be argued that there is only a negligible probability that this modification can be detected by an adversary. The adversary $\adversary{B}$ is called a reduction. By constructing an adversary $\adversary{B}$ against another problem it can be shown that any adversary attacking the modified game, simulated by adversary $\adversary{B}$, can also be used to break another game, attacked by adversary $\adversary{B}$. In other words, it says that if problem A can be reduced onto problem B, any algorithm solving problem A can be transformed into an algorithm solving problem B. This can be used to show the security of cryptographic schemes by transforming all adversaries $\adversary{A}$ against the security of the cryptographic scheme into an adversary $\adversary{B}$ attacking a hard mathematic assumption, to which it is believed that no efficient adversary exists.
\subsubsection{Identical-Until-Bad Games} \subsubsection{Identical-Until-Bad Games}
While modifying the games it has to be ensured that the advantage for an attacker to distinguish between the original and modified game is negligible. This can be achieved by constructing so called identical-until-bad games. While modifying the games it has to be ensured that the advantage for an attacker to distinguish between the original and modified game is negligible. This can be achieved by constructing so called identical-until-bad games.
\begin{definition}[identical-until-bad games \cite{EC:BelRog06}] \begin{definition}[Identical-until-bad games \cite{EC:BelRog06}]
Two games are called identical-until-bad games if they are syntactically equivalent except for instructions following the setting of a bad flag to true. Two games are called identical-until-bad games if they are syntactically equivalent except for instructions following the setting of a bad flag to true.
\end{definition} \end{definition}
\begin{lemma}[Fundamental lemma of game-playing \cite{EC:BelRog06}] \begin{lemma}[Fundamental lemma of game-playing \cite{EC:BelRog06}]
Let G and H be identical-until-bad games and let $\adversary{A}$ be an adversary. Then, Let G and H be identical-until-bad games and let $\adversary{A}$ be an adversary. Then,
\[ Adv(G^{\adversary{A}}, H^{\adversary{A}}) = |\prone{G^{\adversary{A}}} - \prone{H^{\adversary{A}}}| \leq \Pr[bad] \] \[ |\prone{G^{\adversary{A}}} - \prone{H^{\adversary{A}}}| \leq \Pr[bad] \]
\end{lemma} \end{lemma}
This means that the advantage to distinguish between two identical-until-bad games is bound by the probability of the bad flag being set. This means that the advantage to distinguish between two identical-until-bad games is bound by the probability of the bad flag being set.
\input{sections/notation}
\input{sections/security_notions} \input{sections/security_notions}
\subsection{Elliptic Curves} \subsection{Elliptic Curves}
The EdDSA signature scheme has been defined using twisted Edwards curves as the underlying group structure. Twisted Edwards curves are a special form of elliptic curves. For the proofs performed in this thesis, no specific properties of twisted Edwards curves are used. Therefore, they will not be introduced in great detail. For more details on twisted Edwards curves, see the paper by Bernstein et al. \cite{EPRINT:BBJLP08}. The use of twisted Edwards curves in EdDSA is mainly for performance reasons \cite{CHES:BDLSY11}. The EdDSA signature scheme has been defined using twisted Edwards curves as the underlying group structure. Twisted Edwards curves are a special form of elliptic curves. For the proofs performed in this thesis, no specific properties of twisted Edwards curves are used. Therefore, they will not be introduced in great detail. For more details on twisted Edwards curves, see the paper by Bernstein et al. \cite{EPRINT:BBJLP08}. The use of twisted Edwards curves in EdDSA is mainly for performance reasons \cite{CHES:BDLSY11}.
The proofs assume two properties of the underlying group structure, which are true for every elliptic curve. The first is that the underlying group is a generic group, which means that it is only possible to perform the well-defined group operation on the group elements, which is widely assumed to be true for elliptic curves. The second assumption is, that the underlying group is an abelian group. Every elliptic curve is an abelian group. Elliptic curves often use additive group notation, which means that the group operation is called addition. The proofs only assume that the underlying group is albian, which is true for every elliptic curve. Later, the hardness of a special variant of the discrete logarithm assumption is analyzed in the generic group model, to calculate the concrete security level of EdDSA. For proofs in the generic group model to apply the underlying group must be generic, which is widely assumed to be true for elliptic curves. A group is generic if just the well-defined group operations can be performed on the group elements. For elliptic curves the additive group notation is used.
Elliptic curves also have a property called the cofactor. The cofactor of an elliptic curve refers to the number of points on the elliptic curve divided by the number of points in a particular subgroup. The EdDSA signature scheme is not defined to use the entire twisted Edwards curve but instead uses the largest prime order subgroup of that twisted Edwards curve. Therefore, if the number of points on the twisted Edwards curve is $N$ and the order of the prime order subgroup is $L$, the cofactor with respect to this subgroup is $\frac{N}{L}$. Elliptic curves also have a property called the cofactor. The cofactor of an elliptic curve refers to the number of points on the elliptic curve divided by the number of points in a particular subgroup. The EdDSA signature scheme is not defined to use the entire twisted Edwards curve but instead uses the largest prime order subgroup of that twisted Edwards curve. Therefore, if the number of points on the twisted Edwards curve is $N$ and the order of the prime order subgroup is $L$, the cofactor with respect to this subgroup is $\frac{N}{L}$.
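Review bot: the rewritten Elliptic Curves paragraph introduces a typo, "the underlying group is albian" should read "abelian", and "For proofs in the generic group model to apply the underlying group must be generic" needs a comma after "apply". Two smaller points in the same hunk: "bound by the probability of the bad flag" after the lemma should be "bounded by", and the lemma statement names the games as plain text "G and H" while the display uses their math forms `G^{\adversary{A}}`, so `$G$` and `$H$` would be consistent. The hunk also drops `\input{sections/notation}` without anything visible replacing it; confirm the notation section is still included from elsewhere, since nothing in this diff re-adds it.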
@@ -49,8 +49,8 @@ The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:Fu
\subsection{Generic Group Model (GGM)} \subsection{Generic Group Model (GGM)}
Unlike the random oracle model or the algebraic group model the generic group model is not used to construct reductions from one problem to another. Rather, it is used to obtain an information-theoretic lower bound on the complexity of generic adversaries against a given problem. Generic algorithms are algorithms that perform only the defined group actions on group elements and do not exploit group-specific representations of the element. Unlike the random oracle model or the algebraic group model the generic group model is not used to construct reductions from one problem to another. Rather, it is used to obtain information-theoretic lower bounds on the complexity of generic adversaries against a given problem. Generic algorithms are algorithms that perform only the defined group operations on group elements and do not exploit group-specific representations of the element.
The generic group model was first introduced by Shoup in 1997 \cite{EC:Shoup97}. In this paper, Shoup proved an information-theoretic lower bound for the discrete logarithm problem. He did that by replacing group elements with labels that are random bit strings. In this way he hid all group-specific representations of the elements. Group actions are only possible via oracles, which are provided to the adversary by the challenger. The only action the adversary can perform on its own is to compare elements for equality by comparing labels. The generic group model was first introduced by Shoup in 1997 \cite{EC:Shoup97}. In the generic group model the adversary does not work directly with the group elements directly. Instead the challenger provides the adversary with random bitstrings, called labels, instead of group elements. Each unique label represents an unique group element. The adversary can then use oracles to perform the defined group operations on the group elements, represented by labels. The challenger then responds with the label of the resulting group element. In this way, every structure of the group is hidden from the adversary, as it works only with random labels. The only operation the adversary can perform on its own is to compare group elements for equality by comparing labels.
In 2005, Maurer proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup. In 2005, Maurer proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup.
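Review bot: the rewritten generic group model paragraph reads "does not work directly with the group elements directly"; drop one "directly". In the same paragraph "Each unique label represents an unique group element" should be "a unique group element", "In the generic group model the adversary" wants a comma after "model", and "every structure of the group is hidden" reads better as "all structure of the group is hidden". The content change itself (describing labels, oracles and equality comparison instead of summarizing Shoup's lower bound) is fine.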

View File

@@ -1,20 +1,14 @@
\section{Related Work} \section{Related Work}
\paragraph{Standards for EdDSA} The EdDSA signature scheme was introduced in 2011 by Bernstein et al. as the specific instance Ed25519, which is the EdDSA signature scheme instantiated with the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. Later in 2015, with a paper by Bernstein et al., a more general version of EdDSA was introduced, which mainly lifted some restrictions on the underlying finite field of the elliptic curve \cite{EPRINT:BJLSY15}. It also introduced a prehashing variant of EdDSA called HashEdDSA, while the original version is called PureEdDSA. In HashEdDSA, the message is hashed before the signature algorithm is invoked. This has advantages on memory-constrained devices because it does not have to store the entire message. In 2017, the IETF published a standard for EdDSA in its RFC 8032 \cite{josefsson_edwards-curve_2017}. This standard removes some ambiguity regarding the decoding of integers and points of the elliptic curve during signature verification. It also introduces a new variant of the signature scheme that includes an additional parameter named "context". In addition to standardizing a general version of EdDSA, the RFC included parameters for specific instantiations Ed25519 and Ed448. In 2023, this standard was adopted by the NIST in its "Digital Signature Standard (DSS)" FIPS 186-5 \cite{moody_digital_2023}. \paragraph{Standards for EdDSA} The EdDSA signature scheme was introduced in 2011 by Bernstein et al. as the specific instance Ed25519, which is the EdDSA signature scheme instantiated with the twisted Edwards curve Edwards25519 \cite{CHES:BDLSY11}. Later in 2015, with a paper by Bernstein et al., a more general version of EdDSA was introduced, which mainly lifted some restrictions on the underlying finite field of the elliptic curve \cite{EPRINT:BJLSY15}. It also introduced a prehashing variant of EdDSA called HashEdDSA, while the original version is called PureEdDSA. 
In HashEdDSA, the message is hashed before the signature algorithm is invoked. This has advantages on memory-constrained devices because it does not have to store the entire message. In 2017, the IETF published a standard for EdDSA in its RFC 8032 \cite{josefsson_edwards-curve_2017}. This standard removes some ambiguity regarding the decoding of integers and points of the elliptic curve during signature verification. It also introduces a new variant of the signature scheme that includes an additional parameter named \context. In addition to standardizing a general version of EdDSA, the RFC included parameters for specific instantiations Ed25519 and Ed448. In 2023, this standard was adopted by the NIST in its "Digital Signature Standard (DSS)" FIPS 186-5 \cite{moody_digital_2023}.
\paragraph{Schnorr Signatures and Fiat-Schamir Transformation} The EdDSA and Schnorr signature schemes have a similar structure. The Schnorr signature scheme has been introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. It has proven to be a robust and efficient signature scheme and has undergone several security analyses. The foundation of the Schnorr signature scheme is the canonical identification scheme. \paragraph{Schnorr Signatures and Fiat-Schamir Transformation} The EdDSA and Schnorr signature schemes have a similar structure. The Schnorr signature scheme has been introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. It has proven to be a robust and efficient signature scheme and has undergone several security analyses \cite{EPRINT:Bernstein15,C:KilMasPan16,EC:FucPloSeu20,EC:PoiSte96,AC:PaiVer05,C:GarBhaLok08,EC:Seurin12}. The foundation of the Schnorr signature scheme is the canonical identification scheme \cite{EC:AABN02} to which the Fiat-Schamir transformation \cite{C:FiaSha86} is applied. There are many proofs showing that the Fiat-Schamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98,JC:PoiSte00,EC:AABN02}).
A canonical identification scheme (CID), as defined in \cite{EC:AABN02}, is a three-way protocol between two parties. The prover attempts to prove the knowledge of a secret key to the verifier, who only knows the public key. This is done by exchanging three messages between the two parties. First, the prover initiates the protocol by sending a commitment $R$ to the verifier. The verifier respondes with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, the challenge, and its secret key to compute a response $s$. The verifier then can use the commitment, challenge, and response together with the public key of the prover to verify the response and thereby verify that the prover is actually in the possession of the private key.
To obtain a signature scheme from the canonical identification scheme, it must be made non-interactive. This can be achieved using the Fiat-Schamir transformation. The transformation was introduced by Fiat and Schamir in 1986 \cite{C:FiaSha86}. The role of the verifier in the canonical identification scheme (besides verifying the solution) is to provide a challenge to the prover. This is a crucial part of the scheme's security, since otherwise the prover might be able to choose a commitment and a challenge in a way that allows him generate a valid solution without being in the possession of the secret key.
The Fiat-Schamir transformation replaces the verifier with a pseudorandom function. This pseudorandom function takes the commitment and an arbitrary message as input and outputs the challenge. Now the challenge is computable by the prover without the need to interact with another party. This allows the prover to compute the solution. The commitment together with the solution can now be considered a signature for the message used to generate the challenge. To verify the signature, a verifier can use the same pseudorandom function to compute the challenge based on the commitment and the message, and apply the verification algorithm from the canonical identification scheme to verify the solution and thus the validity of the signature. In practice, a hash function is often used as the pseudorandom function. There are many proofs showing that the Fiat-Schamir transformation yields a secure signature scheme, using canonical identification schemes with different properties (e.g. \cite{C:OhtOka98,JC:PoiSte00,EC:AABN02}).
\paragraph{Related Proofs} As mentioned above, there exists a paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to guess the position of the hash query in which they had to embed a challenge, further losing tightness. \paragraph{Related Proofs} As mentioned above, there exists a paper proving the security of the Ed25519 signature scheme \cite{SP:BCJZ21}. In this paper, the authors extracted the underlying canonical identification scheme from EdDSA and used the reset lemma from \cite{C:BelPal02} to prove the impersonation security of the canonical identification scheme under the discrete logarithm assumption. This reduction turned out to be non-tight. They then reduced the EUF-CMA security of the Ed25519 signature scheme to the impersonation security of the underlying canonical identification scheme. To do this, they had to guess the position of the hash query in which they had to embed a challenge, further losing tightness.
A paper by Chalkias, Garillot and Nikolaenko analyzes the security of Ed25519 with respect to different signature decoding methods and the implementation of additional checks during the signature verification \cite{EPRINT:ChaGarNik20}. This paper also analyzes lesser known security properties such as strongly binding signatures, but already assumes SUF-CMA security of Ed25519. They also analyzed the impact of cofactorless vs. cofactored verification with respect to batch verification of Ed25519 signatures. A paper by Chalkias, Garillot and Nikolaenko analyzes the security of Ed25519 with respect to different signature decoding methods and the implementation of additional checks during the signature verification \cite{EPRINT:ChaGarNik20}. This paper also analyzes lesser known security properties such as strongly binding signatures, but already assumes SUF-CMA security of Ed25519. They also analyzed the impact of cofactorless vs. cofactored verification with respect to batch verification of Ed25519 signatures.
The multi-user security of EdDSA was briefly analyzed in a paper by Bernstein after he exposed a flaw in a tight multi-user security proof for the Schnorr signature scheme by Galbraith, Malone-Lee, and Smart \cite{EPRINT:Bernstein15}. In this paper, Bernstein provided a tight security proof for the multi-user security of key-prefixed Schnorr signatures. The EdDSA signature scheme is also a key-prefixed version of a Schnorr signature. However, due to the clamping introduced in the key generation algorithm of EdDSA, these results do not apply directly to EdDSA. Attempting to use the same method as in Bersteins paper would again result in a non-tight security proof, as already mentioned in the same paper. The multi-user security of EdDSA was briefly analyzed in a paper by Bernstein \cite{EPRINT:Bernstein15} after he exposed a flaw in a tight multi-user security proof for the Schnorr signature scheme by Galbraith, Malone-Lee, and Smart \cite{galbraith_public_2002}. In this paper, Bernstein provided a tight security proof for the multi-user security of key-prefixed Schnorr signatures. The EdDSA signature scheme is also a key-prefixed version of a Schnorr signature. However, due to the clamping introduced in the key generation algorithm of EdDSA, these results do not apply directly to EdDSA. Attempting to use the same method as in Bersteins paper would again result in a non-tight security proof, as already mentioned in the same paper.
In 2016, Kiltz et al. provided a tight bound on the multi-user security of Schorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by EdDSA due to the clamping introduced by the key generation algorithm. In 2016, Kiltz et al. provided a tight bound on the multi-user security of Schorr signatures without the need for key-prefixing \cite{C:KilMasPan16}. The tightness was a result of the random self-reducibility property of the underlying canonical identification scheme. Again, this property cannot be achieved by EdDSA due to the clamping introduced by the key generation algorithm.
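Review bot: "Fiat-Schamir" is misspelled in the paragraph title and twice in its body; the transformation is due to Fiat and Shamir, so it should be "Fiat-Shamir" throughout (the citation key `C:FiaSha86` is already correct). Same hunk: "Bersteins paper" should be "Bernstein's paper" and "Schorr signatures" should be "Schnorr signatures". The hunk also removes the three paragraphs that introduced the canonical identification scheme with its commitment $R$, challenge $\ch$ and response $s$; the later \igame section still speaks of an oracle that "takes a commitment and issues a challenge", so if that terminology is used later without another introduction, keep a one-sentence version of the removed description here.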

View File

@@ -6,22 +6,20 @@ A digital signature scheme is a method to ensure the authenticity of data. The s
A digital signature scheme SIG = (\keygen,\sign,\verify) is a tuple of algorithms. A digital signature scheme SIG = (\keygen,\sign,\verify) is a tuple of algorithms.
\begin{itemize}[label={}] \begin{itemize}[label={}]
\item \textbf{\keygen}: The key generation algorithm, which upon receiving the schemas parameter as input outputs a matching tuple of public and private key. \item \textbf{\keygen}: The key generation algorithm, which upon receiving the security parameter as input outputs a matching tuple of public and private key.
\item \textbf{\sign}: The signature algorithm, which upon receiving the secret key and the message, outputs a signature for that message. \item \textbf{\sign}: The signature algorithm, which upon receiving a secret key and a message, outputs a signature for that message.
\item \textbf{\verify}: The verification algorithm, which upon receiving the public key, the message and the signature decides whether the signature is valid for the specific set of input parameters. \item \textbf{\verify}: The verification algorithm, which upon receiving a public key, a message and a signature, outputs $1$ if the signature gets accepted and $0$ otherwise.
\end{itemize} \end{itemize}
For the digital signature scheme to be correct, it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$ For the digital signature scheme to be correct, it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$
\end{definition} \end{definition}
A common security notion for digital signature schemes is the existential unforgeability under chosen message attack (EUF-CMA) security. It requires that no adversary is able to forge a signature, for a given public key, for a message to which they have not been provided with a valid signature. A stronger notion, that is often used, is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature for one of those public keys. In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and MU-SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions with $N=1$. A common security notion for digital signature schemes is the existential unforgeability under chosen message attack (EUF-CMA) security. It requires that no adversary is able to forge a signature for a message to which they have not observed a valid signature, given a public key. A stronger notion, that is often used, is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to provide a message signature pair that has not been provided to the adversary. With this security notion, the adversary also wins if it is able to forge a new valid signature from an already valid one. Both of these notions are in the single-user setting. In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature for one of those public keys. 
In the following, the multi-user definitions of the EUF-CMA and SUF-CMA security notions are defined, respectively MU-EUF-CMA and MU-SUF-CMA. The single-user variant of these security notions can be seen as a special case of the multi-user definitions in which the adversary is only provided with one public key.
\subsubsection{MU-EUF-CMA}
\begin{definition}[MU-EUF-CMA] \begin{definition}[MU-EUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is MU-EUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter)$ is negligible in $\secparamter$. Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the N-MU-EUF-CMA game be defined in figure \ref{game:mu-euf-cma}. $SIG$ is N-MU-EUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have
\[ \advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \assign \prone{\text{MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter) \] \[ \advantage{SIG,\adversary{A}}{\textsf{N-MU-EUF-CMA}}(\secparamter) \assign \prone{\textsf{N-MU-EUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\end{definition} \end{definition}
\begin{figure}[h] \begin{figure}[h]
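Review bot: the correctness condition at the end of the definition still writes `\keygen(par)` while the item list above was just changed to say \keygen takes the security parameter and the game figures call `\keygen(1^\secparamter)`; use the same argument in all three places and end the displayed condition with a period. The definition text and display now say N-MU-EUF-CMA, but `\begin{definition}[MU-EUF-CMA]` keeps the old title; rename it too. Minor wording in the same hunk: "a message to which they have not observed a valid signature" reads better as "a message for which they have not observed a valid signature", "message signature pair" should be hyphenated, and "A stronger notion, that is often used," should lose the commas.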
@@ -29,7 +27,7 @@ A common security notion for digital signature schemes is the existential unforg
\normalsize \normalsize
\vspace{1mm} \vspace{1mm}
\begin{algorithmic} \begin{algorithmic}
\Statex \underline{\game $\text{MU-EUF-CMA}$} \Statex \underline{\game $\text{N-MU-EUF-CMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$ \State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$ \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$ \State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
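Review bot: the adversary's input list `(\pubkey_1, \pubkey_2, ..., \pubkey_n)` uses a lowercase index $n$ while the loop two lines above generates keys for $i \in \{1,2,...,N\}$; this should be `\pubkey_N`. The hunk only renames the game, so this is pre-existing, but the rename is a good moment to fix it.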
@@ -43,16 +41,14 @@ A common security notion for digital signature schemes is the existential unforg
\State \Return $\signature$ \State \Return $\signature$
\end{algorithmic} \end{algorithmic}
\hrule \hrule
\caption{MU-EUF-CMA Security Game} \caption{N-MU-EUF-CMA Security Game}
\label{game:mu-euf-cma} \label{game:mu-euf-cma}
\end{figure} \end{figure}
\subsubsection{MU-SUF-CMA}
\begin{definition}[MU-SUF-CMA] \begin{definition}[MU-SUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-SUF-CMA game be defined in figure \ref{game:mu-suf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)$ is negligible in $\secparamter$. Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-SUF-CMA game be defined in figure \ref{game:mu-suf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$, we have
\[ \advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \assign \prone{\text{MU-SUF-CMA}^{\adversary{A}}} \leq negl(\secparamter) \] \[ \advantage{SIG,\adversary{A}}{\textsf{N-MU-SUF-CMA}}(\secparamter) \assign \prone{\textsf{N-MU-SUF-CMA}^{\adversary{A}}} \leq negl(\secparamter). \]
\end{definition} \end{definition}
\begin{figure}[h] \begin{figure}[h]
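Review bot: the renaming is incomplete in the MU-SUF-CMA definition: the prose still says "Let the MU-SUF-CMA game be defined in figure" and "$SIG$ is MU-SUF-CMA secure", while the displayed advantage and the figure caption now use N-MU-SUF-CMA; align the prose and the `\begin{definition}[MU-SUF-CMA]` title with the N-prefixed name, as the text of the N-MU-EUF-CMA definition already does.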
@@ -60,7 +56,7 @@ A common security notion for digital signature schemes is the existential unforg
\normalsize \normalsize
\vspace{1mm} \vspace{1mm}
\begin{algorithmic} \begin{algorithmic}
\Statex \underline{\game $\text{MU-SUF-CMA}$} \Statex \underline{\game $\text{N-MU-SUF-CMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$ \State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$ \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$ \State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
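Review bot: same index mismatch as in the EUF-CMA figure: `\pubkey_n` in the adversary's input list should be `\pubkey_N` to match the loop bound $N$ used two lines above.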
@@ -74,86 +70,80 @@ A common security notion for digital signature schemes is the existential unforg
\State \Return $\signature$ \State \Return $\signature$
\end{algorithmic} \end{algorithmic}
\hrule \hrule
\caption{MU-SUF-CMA Security Game} \caption{N-MU-SUF-CMA Security Game}
\label{game:mu-suf-cma} \label{game:mu-suf-cma}
\end{figure} \end{figure}
\subsubsection{MU-UF-NMA} The MU-EUF-NMA security game is similar to the MU-EUF-CMA game. The only difference is that the adversary does not has access to an oracle to obtain valid signatures for arbitrary messages. Again the EUF-NMA security notation is a special case of the MU-EUF-NMA security notation with $N=1$.
The MU-UF-NMA security game is similar to the MU-EUF-CMA game. The only difference is that the adversary does not has access to an oracle to obtain valid signatures for arbitrary messages. Again the UF-NMA security notation is a special case of the MU-UF-NMA security notation with $N=1$. \begin{definition}[MU-EUF-NMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the N-MU-EUF-NMA game be defined in figure \ref{game:mu-uf-nma}. $SIG$ is N-MU-EUF-NMA secure if for all ppt adversaries $\adversary{A}$, we have
\begin{definition}[MU-UF-NMA] \[ \advantage{SIG,\adversary{A}}{\textsf{N-MU-EUF-NMA}}(\secparamter) \assign \prone{\textsf{N-MU-EUF-NMA}^{\adversary{A}}} \leq negl(\secparamter). \]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-UF-NMA game be defined in figure \ref{game:mu-uf-nma}. $SIG$ is MU-UF-NMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
\[ \advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq negl(\secparamter) \]
\end{definition} \end{definition}
\begin{figure}[h] \begin{figure}[h]
\hrule \hrule
\vspace{1mm} \vspace{1mm}
\begin{algorithmic} \begin{algorithmic}
\State \underline{\game $\text{MU-UF-NMA}$} \State \underline{\game $\text{N-MU-EUF-NMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$ \State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$ \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey_1, \pubkey_2, \pubkey_n)$ \State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey_1, \pubkey_2, \pubkey_n)$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$ \State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
\end{algorithmic} \end{algorithmic}
\hrule \hrule
\caption{MU-UF-NMA Security Game} \caption{N-MU-EUF-NMA Security Game}
\label{game:mu-uf-nma} \label{game:mu-uf-nma}
\end{figure} \end{figure}
\subsection{Security Assumptions} \subsection{Security Assumptions}
This thesis proves the security of the EdDSA signature scheme using two assumptions. The single-user security of EdDSA can be proved using the discrete logarithm assumption, while the multi-user security of EdDSA requires the stronger one-more discrete logarithm assumption. Both security assumptions are presented in this section. This thesis proves the security of the EdDSA signature scheme using two assumptions. The single-user security of EdDSA can be proven using the discrete logarithm assumption, while the multi-user security of EdDSA requires the stronger one-more discrete logarithm assumption. Both security assumptions are presented in this section.
\subsubsection{Discrete Logarithm Problem} \subsubsection{Discrete Logarithm Problem}
\begin{definition}[Discrete Logarithm Problem] \begin{definition}[Discrete Logarithm Problem]
Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. Let the discrete logarithm game be defined in figure \ref{game:dlog}. The advantage of an adversary $\adversary{A}$ is defined by its ability to win the discrete logarithm game. Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. The advantage of an adversary $\adversary{A}$ is defined as following:
\[ \advantage{\group{G}, \adversary{A}}{Dlog} \assign \prone{\text{Dlog}^{\adversary{A}}} \] \[ \advantage{\group{G}, \adversary{A}}{\textsf{DLog}} \assign \Pr[a \test a' | a \randomsample \field{L}; a' \randomassign \adversary{A}(a\groupelement{B})]. \]
\end{definition} \end{definition}
\begin{figure}[h]
\hrule
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game Dlog}
\State $a \randomsample \field{L}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $a' \randomassign \adversary{A}(\groupelement{A})$
\State \Return $a \test a'$
\end{algorithmic}
\vspace{1mm}
\hrule
\caption{Dlog}
\label{game:dlog}
\end{figure}
\subsubsection{One-More Discrete Logarithm} \subsubsection{One-More Discrete Logarithm}
The one-more discrete logarithm assumption is stronger than the discrete logarithm assumption. In this assumption the adversary is supplied with $N$ group elements and an oracle to obtain the discrete logarithm of up to $N-1$ group elements. The task of the adversary is to output the discrete logarithm for all supplied group elements. The one-more discrete logarithm assumption is stronger than the discrete logarithm assumption. In this assumption the adversary is supplied with $N$ group elements and an oracle to obtain the discrete logarithm of up to $N-1$ group elements. The task of the adversary is to output the discrete logarithm for all supplied group elements.
\begin{definition}[One-More Discrete Logarithm Problem \cite{JC:BNPS03}] \begin{definition}[One-More Discrete Logarithm Problem \cite{JC:BNPS03}]
Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. Let the one-more discrete logarithm game be defined in figure \ref{game:om-dlog}. The advantage of an adversary $\adversary{A}$ is defined by its ability to win the one-more discrete logarithm game. Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. Let the one-more discrete logarithm game be defined in figure \ref{game:om-dlog}. The advantage of an adversary $\adversary{A}$ is defined as following:
\[ \advantage{\group{G}, \adversary{A}}{OM-Dlog} \assign \prone{\text{OM-Dlog}^{\adversary{A}}} \] \[ \advantage{\group{G}, \adversary{A}}{\textsf{OM-DLog}} \assign \prone{\textsf{OM-DLog}^{\adversary{A}}}. \]
\end{definition} \end{definition}
\begin{figure}[h] \begin{figure}[h]
\hrule \hrule
\vspace{1mm} \vspace{1mm}
\begin{algorithmic} \begin{multicols}{2}
\Statex \underline{\game OM-Dlog} \begin{algorithmic}
\State \textbf{for} $i \in \{1,2,...,N\}$ \Statex \underline{\game OM-DLog}
\State \quad $a_i \randomsample \field{L}$ \State $\pset{L} \assign \{\}$
\State \quad $\groupelement{A_i} \assign a \groupelement{B}$ \State $N \assign 0$
\State $\overset{\rightharpoonup}{a'} \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State $(a'_1, ..., a'_N) \randomassign \adversary{A}^{DL(\inp), CH()}()$
\State \Return $\forall i \in \{1,2,...,N\}: a_i \test a'_i$ \State \Return $\forall i \in \{1,2,...,N\}: a_i \test a'_i$
\end{algorithmic} \end{algorithmic}
\columnbreak
\begin{algorithmic}
\Statex \underline{\oracle CH()}
\State $N \assign N + 1$
\State $a_i \randomsample \field{L}$
\State $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $\pset{L} \assign \pset{L} \cup \{a_i\}$
\State \Return $\groupelement{A_i}$
\end{algorithmic}
\end{multicols}
\vspace{1mm} \vspace{1mm}
\hrule \hrule
\caption{One-More Discrete Logarithm} \caption{One-More Discrete Logarithm}
\label{game:om-dlog} \label{game:om-dlog}
\end{figure} \end{figure}
The DL oracle outputs the discrete logarithm of the input element in respect to the generator $\groupelement{B}$ and is allowed to be called $N - 1$ times.
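Review bot: the rewritten one-more discrete logarithm game no longer matches its surrounding prose. The introductory sentence still says the adversary "is supplied with $N$ group elements", but in the new figure $N$ starts at $0$ and the adversary obtains challenges on demand through CH(), so the text should describe $N$ as the number of CH() queries; likewise the DL oracle that the closing sentence limits to "$N - 1$ times" is not defined in the figure, and with $N$ now dynamic the bound has to be stated relative to the number of CH() calls. Inside CH(), `$a_i \randomsample \field{L}$` and `$\groupelement{A_i} \assign a_i \groupelement{B}$` use an unbound index $i$; after `$N \assign N + 1$` these should be $a_N$ and $\groupelement{A_N}$. The set $\pset{L}$ is initialized and extended but never read; either use it for the DL oracle's bookkeeping or drop it. In the MU-EUF-NMA part of this hunk: "does not has access" should be "does not have access", "security notation" should be "security notion" (twice), the adversary's input `(\pubkey_1, \pubkey_2, \pubkey_n)` is missing the ellipsis and uses lowercase $n$, `\begin{definition}[MU-EUF-NMA]` keeps the un-prefixed name while its text says N-MU-EUF-NMA, and the game header uses `\State` where the other figures use `\Statex`. Finally, `multicols` needs the multicol package, so confirm it is loaded, and "in respect to the generator" should be "with respect to".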


@@ -1,6 +1,6 @@
\subsection{\igame $\overset{\text{ROM}}{\Rightarrow}$ UF-NMA} \subsection{\igame $\overset{\text{ROM}}{\Rightarrow}$ EUF-NMA}
This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof. This section shows that \igame implies the EUF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is achieved by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in figure \ref{game:igame}. The game has been inspired by the IDLOG game from \cite{C:KilMasPan16}. \paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is achieved by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in figure \ref{game:igame}. The game has been inspired by the IDLOG game from \cite{C:KilMasPan16}.
@@ -36,9 +36,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\begin{theorem} \begin{theorem}
\label{theorem:adv_igame} \label{theorem:adv_igame}
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then, Let $\adversary{A}$ be an adversary against $\text{EUF-NMA}$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \] \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \]
\end{theorem} \end{theorem}
\paragraph{\underline{Proof Overview}} The adversary must query the random oracle to obtain the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle into the answer from the random oracle. In this way, a valid signature forgery also provides a valid solution to the \igame game. \paragraph{\underline{Proof Overview}} The adversary must query the random oracle to obtain the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle into the answer from the random oracle. In this way, a valid signature forgery also provides a valid solution to the \igame game.
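Review bot: the theorem introduces $\adversary{B}$ only inside the equation; state it as "there exists an adversary $\adversary{B}$ against \igame, running in about the time of $\adversary{A}$, such that". The equality also rests on the proof overview's assumption that $\adversary{A}$ queries $H$ on $\encoded{R^*}|\encoded{A}|m^*$ before outputting its forgery; either say this is without loss of generality (the reduction can issue that query itself) or the bound needs an additive term for a forgery whose hash was never queried.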
@@ -73,9 +73,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur
\begin{proof} \begin{proof}
\item This proof does not require any game hop, since the random oracle can be simulated using the \ioracle oracle. \item This proof does not require any game hop, since the random oracle can be simulated using the \ioracle oracle.
\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma}. Clearly, $G_0$ is $\text{UF-NMA}$. By definition, \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma}. Clearly, $G_0$ is $\text{EUF-NMA}$. By definition,
\[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-NMA}}(\secparamter) = \Pr[\text{EUF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]
\item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying \item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
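Review bot: "Clearly, $G_0$ is $\text{EUF-NMA}$" equates a game with a security notion; write "$G_0$ is exactly the EUF-NMA game". The label fig:igame_implies_uf-nma keeps the old "uf-nma" name after the rename; keeping labels stable is fine, but then keep it consistent across the file (theorem:adv_uf-nma and proof:uf-nma_implies_suf-cma below are in the same situation) rather than renaming only some of them.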


@@ -1,15 +1,15 @@
\subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA sp}}$} \label{proof:uf-nma_implies_suf-cma} \subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA sp}}$} \label{proof:uf-nma_implies_suf-cma}
This section shows that the UF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section begins with an intuition for the proof, followed by the detailed security proof. This section shows that the EUF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section begins with an intuition for the proof, followed by the detailed security proof.
\begin{theorem} \begin{theorem}
\label{theorem:adv_uf-nma} \label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then, Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem} \end{theorem}
\paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the \cma security definition, but lacks the \Osign oracle. To show that UF-NMA security implies \cma security, the reduction must simulate the \Osign oracle without knowledge of the private key. \paragraph{\underline{Proof Overview}} The EUF-NMA security definition is close to the \cma security definition, but lacks the \Osign oracle. To show that EUF-NMA security implies \cma security, the reduction must simulate the \Osign oracle without knowledge of the private key.
The EdDSA signature scheme is based on the Schnorr signature scheme, which is a canonical identification scheme to which the Fiat-Shamir transformation is applied. This means that EdDSA roughly follows the structure of a canonical identification scheme by first computing a commitment $R$, computing a challenge $\ch$ using the hash function, and then computing the response $S$ based on the commitment, challenge, and private key. The signature is the commitment and response tuple. The EdDSA signature scheme is based on the Schnorr signature scheme, which is a canonical identification scheme to which the Fiat-Shamir transformation is applied. This means that EdDSA roughly follows the structure of a canonical identification scheme by first computing a commitment $R$, computing a challenge $\ch$ using the hash function, and then computing the response $S$ based on the commitment, challenge, and private key. The signature is the commitment and response tuple.
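Review bot: "the Schnorr signature scheme, which is a canonical identification scheme to which the Fiat-Shamir transformation is applied" conflates the two objects: the signature scheme is the result of applying Fiat-Shamir to the Schnorr identification scheme, so rephrase as "which is obtained by applying the Fiat-Shamir transformation to the Schnorr canonical identification scheme". In the theorem, $\adversary{B}$ again appears only inside the inequality; say "there exists an adversary $\adversary{B}$ against EUF-NMA, with about the same running time, such that". The loss term $\frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$ equals $\oraclequeries \hashqueries \cdot \lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b}$ (since $2^{-\log_2 x} = 1/x$); written that way the reading $\approx \oraclequeries \hashqueries / L$ is immediate.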
@@ -127,7 +127,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\item Finally, Game $G_3$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying \item Finally, Game $G_3$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align} \begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv_uf-nma} \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter). \label{eq:adv_uf-nma}
\end{align} \end{align}
\begin{figure} \begin{figure}
@@ -159,35 +159,35 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
\State \Return $\sum[m]$ \State \Return $\sum[m]$
\end{algorithmic} \end{algorithmic}
\hrule \hrule
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}$} \caption{Adversary $\adversary{B}$ breaking $\text{EUF-NMA}$}
\label{fig:adversarybuf-nma} \label{fig:adversarybuf-nma}
\end{figure} \end{figure}
To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{UF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure \ref{fig:adversarybuf-nma}, is run in the $\text{UF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger, when not set by the reduction itself. To prove (\ref{eq:adv_uf-nma}), an adversary $\adversary{B}$ is defined that attacks $\text{EUF-NMA}$ simulating the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$, formally defined in figure \ref{fig:adversarybuf-nma}, is run in the $\text{EUF-NMA}$ game, and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the EUF-NMA challenger, when not set by the reduction itself.
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value for the corresponding challenge has not been set by $\adversary{B}$ and therefore must have been passed from the UF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore, Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. If strict parsing is used to decode $S$ from the signature, it is known that $0 \leq S < L$. Therefore, for every $R$, $\m$ pair, there is only one valid encoded $S$ that satisfies the equation. This means that a new and valid signature cannot be generated by simply changing the $S$ value of an already valid signature. Therefore, $R$ or $m$ must also be changed in order to create a new valid signature from another. 
Since $R$ and $m$ are inputs to the hash query used to generate the challenge, the result of this hash query is passed from the $H$ hash oracle provided to the adversary $\adversary{B}$ instead of being set by $\adversary{B}$ itself. Also, the existence of multiple encodings of the commitment $\groupelement{R}$ does not pose a problem, since if another representation of the same $\groupelement{R}$ is chosen, its hash value for the corresponding challenge has not been set by $\adversary{B}$ and therefore must have been passed from the EUF-NMA challenger. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
\begin{align*} \begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\ 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}. \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}.
\end{align*} \end{align*}
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the EUF-NMA game.
\item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature. \item The runtime of adversary $\adversary{B}$ is roughly the same as the runtime of adversary $\adversary{A}$. Simulating a \Osign query simply executes the ppt procedure \simalg and sets the hash function output, the hash function $H'$ simply forwards the query to the $H$ hash function, and the adversary $\adversary{B}$ simply calls $\adversary{A}$ and outputs its forged signature.
\item This proves theorem \ref{theorem:adv_uf-nma}. \item This proves theorem \ref{theorem:adv_uf-nma}.
\end{proof} \end{proof}
\subsection{UF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$} \subsection{EUF-NMA $\overset{\text{ROM}}{\Rightarrow} \text{SUF-CMA}_{\text{EdDSA lp}}$}
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks UF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the UF-NMA challenger. This section shows that the EUF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks EUF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the EUF-NMA challenger.
\begin{theorem} \begin{theorem}
\label{theorem:adv2_uf-nma} \label{theorem:adv2_uf-nma}
Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem} \end{theorem}
\paragraph{\underline{Formal Proof}} \paragraph{\underline{Formal Proof}}
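Review bot: the step "for every $R$, $\m$ pair, there is only one valid encoded $S$" at the paragraph split should say why: $\groupelement{B}$ has prime order $L$ and $\gcd(2^c, L) = 1$, so $2^c S^* \groupelement{B}$ fixes $S^* \bmod L$, and strict parsing ($0 \leq S < L$) leaves a single encoding of that residue. Notation is mixed inside one sentence ($\m^*$ next to $m^*$, $R$ next to $\groupelement{R^*}$ and $\encoded{R^*}$); use the macro form throughout. Also the new line break after "from another." leaves trailing whitespace and, without a blank line, does not produce a paragraph break in LaTeX.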
@@ -195,7 +195,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
\begin{proof} \begin{proof}
\item \item
\begin{align} \begin{align}
\prone{G_3^{\adversary{A}}} = \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv2_uf-nma} \prone{G_3^{\adversary{A}}} = \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter). \label{eq:adv2_uf-nma}
\end{align} \end{align}
\begin{figure} \begin{figure}
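Review bot: the empty `\item` directly before `\begin{align}` produces a bare list marker with no text; give it a lead-in mirroring the strict-parsing proof, e.g. "\item Finally, game $G_3$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying", or attach the equation to the preceding item.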
@@ -227,11 +227,11 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
\State \Return $\sum[m]$ \State \Return $\sum[m]$
\end{algorithmic} \end{algorithmic}
\hrule \hrule
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}$} \caption{Adversary $\adversary{B}$ breaking $\text{EUF-NMA}$}
\label{fig:adversary_b_suf-nma} \label{fig:adversary_b_suf-nma}
\end{figure} \end{figure}
To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{UF-NMA}$ game and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the UF-NMA challenger, when not set by the reduction itself. To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{EUF-NMA}$ that simulates the view of $\adversary{A}$ in $G_3$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{EUF-NMA}$ game and the adversary $\adversary{B}$ simulates \Osign for the adversary $\adversary{A}$. \Osign is simulated perfectly. The hash queries of $\adversary{A}$ are forwarded to the EUF-NMA challenger, when not set by the reduction itself.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. Because we are in the EUF-CMA setting, the adversary $\adversary{A}$ is required to provide a signature for a message $m^*$ for which it has not requested a signature from the \Osign oracle. Since the signature for the message $m^*$ was not requested in the Sign oracle, the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ was not set by the adversary B, but must have been forwarded from the $H$ hash oracle. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore, Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. Because we are in the EUF-CMA setting, the adversary $\adversary{A}$ is required to provide a signature for a message $m^*$ for which it has not requested a signature from the \Osign oracle. Since the signature for the message $m^*$ was not requested in the Sign oracle, the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ was not set by the adversary B, but must have been forwarded from the $H$ hash oracle. For this reason, $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
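Review bot: "consider $\adversary{A}$ output" is missing the possessive ("$\adversary{A}$'s output", as in the strict-parsing proof), "the adversary B" should use $\adversary{B}$, and "the Sign oracle" should be \Osign; this proof also switches to "we define" where the strict-parsing proof uses the passive "is defined". The label fig:adversary_b_suf-nma is misleading for the lax-parsing EUF-CMA proof and differs in style from fig:adversarybuf-nma above; a name such as fig:adversary_b_euf-cma_lp would be clearer.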
@@ -240,7 +240,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}. \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}.
\end{align*} \end{align*}
This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the EUF-NMA game.
\item Since the adversary $\adversary{B}$ is the same as in the proof above, the runtime is roughly the same as the runtime of $\adversary{A}$, for the same reasons. \item Since the adversary $\adversary{B}$ is the same as in the proof above, the runtime is roughly the same as the runtime of $\adversary{A}$, for the same reasons.