did a lot

2023-04-04 16:07:24 +02:00
parent a9f00cb311
commit 2c92ebf8bd
5 changed files with 291 additions and 32 deletions


@@ -47,6 +47,34 @@
file = {eddsa-20150704.pdf:/home/rixxc/Zotero/storage/JK693Q38/eddsa-20150704.pdf:application/pdf},
}
@article{matt_algpseudocodex_nodate,
title = {Algpseudocodex {Package} {Documentation}},
abstract = {This package allows typesetting pseudocode in LATEX. It is based on algpseudocode from the algorithmicx package and uses the same syntax, but adds several new features and improvements. Notable features include customizable indent guide lines and the ability to draw boxes around parts of the code for highlighting differences. This package also has better support for long code lines spanning several lines and improved comments.},
language = {en},
author = {Matt, Christian},
file = {Matt - Algpseudocodex Package Documentation.pdf:/home/rixxc/Zotero/storage/G3AZ8PFR/Matt - Algpseudocodex Package Documentation.pdf:application/pdf},
}
@incollection{shacham_algebraic_2018,
address = {Cham},
title = {The {Algebraic} {Group} {Model} and its {Applications}},
volume = {10992},
isbn = {978-3-319-96880-3 978-3-319-96881-0},
url = {https://link.springer.com/10.1007/978-3-319-96881-0_2},
abstract = {One of the most important and successful tools for assessing hardness assumptions in cryptography is the Generic Group Model (GGM). Over the past two decades, numerous assumptions and protocols have been analyzed within this model. While a proof in the GGM can certainly provide some measure of confidence in an assumption, its scope is rather limited since it does not capture group-specific algorithms that make use of the representation of the group.},
language = {en},
urldate = {2023-02-17},
booktitle = {Advances in {Cryptology} {CRYPTO} 2018},
publisher = {Springer International Publishing},
author = {Fuchsbauer, Georg and Kiltz, Eike and Loss, Julian},
editor = {Shacham, Hovav and Boldyreva, Alexandra},
year = {2018},
doi = {10.1007/978-3-319-96881-0_2},
note = {Series Title: Lecture Notes in Computer Science},
pages = {33--62},
file = {Fuchsbauer et al. - 2018 - The Algebraic Group Model and its Applications.pdf:/home/rixxc/Zotero/storage/K3GHQMRK/Fuchsbauer et al. - 2018 - The Algebraic Group Model and its Applications.pdf:application/pdf},
}
@techreport{josefsson_edwards-curve_2017,
type = {Request for {Comments}},
title = {Edwards-{Curve} {Digital} {Signature} {Algorithm} ({EdDSA})},
@@ -62,3 +90,101 @@
note = {Num Pages: 60},
file = {Full Text PDF:/home/rixxc/Zotero/storage/U24MZYBY/Josefsson and Liusvaara - 2017 - Edwards-Curve Digital Signature Algorithm (EdDSA).pdf:application/pdf},
}
@article{bernstein_multi-user_nodate,
title = {Multi-user {Schnorr} security, revisited},
abstract = {Three recent proposals for standardization of next-generation ECC signatures have included “key prefixing” modifications to Schnorrs signature system. Bernstein, Duif, Lange, Schwabe, and Yang stated in 2011 that key prefixing is “an inexpensive way to alleviate concerns that several public keys could be attacked simultaneously”.},
language = {en},
author = {Bernstein, Daniel J},
file = {Bernstein - Multi-user Schnorr security, revisited.pdf:/home/rixxc/Zotero/storage/KYQWEQIV/Bernstein - Multi-user Schnorr security, revisited.pdf:application/pdf},
}
@incollection{tibouchi_one-more_2021,
address = {Cham},
title = {The {One}-{More} {Discrete} {Logarithm} {Assumption} in the {Generic} {Group} {Model}},
volume = {13093},
isbn = {978-3-030-92067-8 978-3-030-92068-5},
url = {https://link.springer.com/10.1007/978-3-030-92068-5_20},
abstract = {The one more-discrete logarithm assumption (OMDL) underlies the security analysis of identification protocols, blind signature and multi-signature schemes, such as blind Schnorr signatures and the recent MuSig2 multi-signatures. As these schemes produce standard Schnorr signatures, they are compatible with existing systems, e.g. in the context of blockchains. OMDL is moreover assumed for many results on the impossibility of certain security reductions.},
language = {en},
urldate = {2023-02-24},
booktitle = {Advances in {Cryptology} {ASIACRYPT} 2021},
publisher = {Springer International Publishing},
author = {Bauer, Balthazar and Fuchsbauer, Georg and Plouviez, Antoine},
editor = {Tibouchi, Mehdi and Wang, Huaxiong},
year = {2021},
doi = {10.1007/978-3-030-92068-5_20},
note = {Series Title: Lecture Notes in Computer Science},
pages = {587--617},
file = {Bauer et al. - 2021 - The One-More Discrete Logarithm Assumption in the .pdf:/home/rixxc/Zotero/storage/FQDR3E7V/Bauer et al. - 2021 - The One-More Discrete Logarithm Assumption in the .pdf:application/pdf},
}
@book{karpfinger_algebra_2021,
address = {Berlin, Heidelberg},
title = {Algebra: {Gruppen} - {Ringe} - {Körper}},
isbn = {978-3-662-61951-3 978-3-662-61952-0},
shorttitle = {Algebra},
url = {http://link.springer.com/10.1007/978-3-662-61952-0},
language = {de},
urldate = {2023-04-04},
publisher = {Springer},
author = {Karpfinger, Christian and Meyberg, Kurt},
year = {2021},
doi = {10.1007/978-3-662-61952-0},
keywords = {Galois-Theorie, Gruppentheorie, Körpertheorie, Lehrbuch, Lösung algebraischer Gleichungen, Prüfungsvorbereitung, Reziprozitätsgesetz, Ringtheorie, Zahlentheorie},
file = {Full Text PDF:/home/rixxc/Zotero/storage/HVWL6D9I/Karpfinger and Meyberg - 2021 - Algebra Gruppen - Ringe - Körper.pdf:application/pdf},
}
@incollection{karpfinger_hauptsatz_2021,
address = {Berlin, Heidelberg},
title = {Der {Hauptsatz} über endliche abelsche {Gruppen}},
isbn = {978-3-662-61952-0},
url = {https://doi.org/10.1007/978-3-662-61952-0_10},
abstract = {Das Ziel dieses Kapitels ist es, die endlichen abelschen Gruppen zu klassifizieren. Wir zeigen, dass jede endliche abelsche Gruppe inneres direktes Produkt zyklischer Gruppen ist, genauer: Ist G eine endliche abelsche Gruppe, so gibt es nicht notwendig verschiedene Primzahlen \$\$p\_1 ,{\textbackslash}ldots ,{\textbackslash},p\_r\$\$p1,…,prund natürliche Zahlen \$\${\textbackslash}nu \_1 ,{\textbackslash}ldots ,{\textbackslash},{\textbackslash}nu \_r\$\$ν1,…,νr, so dass \$\$G {\textbackslash}cong \{{\textbackslash}mathbb \{Z\}\}/\{p\_1{\textasciicircum}\{{\textbackslash}nu \_1\}\} {\textbackslash}times {\textbackslash}cdots {\textbackslash}times \{{\textbackslash}mathbb \{Z\}\}/\{p\_r{\textasciicircum}\{{\textbackslash}nu \_r\}\}\$\$G≅Z/p1ν1××Z/prνr. Wir erreichen eine vollständige Übersicht über alle endlichen abelschen Gruppen.},
language = {de},
urldate = {2023-04-04},
booktitle = {Algebra: {Gruppen} - {Ringe} - {Körper}},
publisher = {Springer},
author = {Karpfinger, Christian and Meyberg, Kurt},
editor = {Karpfinger, Christian and Meyberg, Kurt},
year = {2021},
doi = {10.1007/978-3-662-61952-0_10},
pages = {143--149},
file = {Full Text PDF:/home/rixxc/Zotero/storage/WXIHFNNT/Karpfinger and Meyberg - 2021 - Der Hauptsatz über endliche abelsche Gruppen.pdf:application/pdf},
}
@incollection{karpfinger_direkte_2021,
address = {Berlin, Heidelberg},
title = {Direkte und semidirekte {Produkte}},
isbn = {978-3-662-61952-0},
url = {https://doi.org/10.1007/978-3-662-61952-0_6},
abstract = {In Kap. 5wurden sämtliche zyklische Gruppen bestimmt. Um nun weitere Klassen von Gruppen klassifizieren können, versuchen wir, die im Allgemeinen sehr komplexen Gruppen in Produkte von kleineren oder einfacheren Gruppen zu zerlegen.},
language = {de},
urldate = {2023-04-04},
booktitle = {Algebra: {Gruppen} - {Ringe} - {Körper}},
publisher = {Springer},
author = {Karpfinger, Christian and Meyberg, Kurt},
editor = {Karpfinger, Christian and Meyberg, Kurt},
year = {2021},
doi = {10.1007/978-3-662-61952-0_6},
pages = {83--102},
file = {Full Text PDF:/home/rixxc/Zotero/storage/A3Y23M69/Karpfinger and Meyberg - 2021 - Direkte und semidirekte Produkte.pdf:application/pdf},
}
@incollection{karpfinger_satze_2021,
address = {Berlin, Heidelberg},
title = {Die {Sätze} von {Sylow}},
isbn = {978-3-662-61952-0},
url = {https://doi.org/10.1007/978-3-662-61952-0_8},
abstract = {Die Sylowschen Sätzen enthalten Aussagen über die Existenz und Anzahl von p-Untergruppen einer endlichen Gruppe. Diese Sätze sind Grundstein für die gesamte Strukturtheorie endlicher Gruppen.},
language = {de},
urldate = {2023-04-04},
booktitle = {Algebra: {Gruppen} - {Ringe} - {Körper}},
publisher = {Springer},
author = {Karpfinger, Christian and Meyberg, Kurt},
editor = {Karpfinger, Christian and Meyberg, Kurt},
year = {2021},
doi = {10.1007/978-3-662-61952-0_8},
pages = {115--129},
file = {Full Text PDF:/home/rixxc/Zotero/storage/WKJLTLKJ/Karpfinger and Meyberg - 2021 - Die Sätze von Sylow.pdf:application/pdf},
}
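Review bot: Every added entry carries a Zotero `file` field that points at an absolute path under `/home/rixxc/Zotero/storage/...` (e.g. in `shacham_algebraic_2018`, `bernstein_multi-user_nodate`, `karpfinger_satze_2021`); BibTeX ignores unknown fields, but these values are machine-specific, never resolve for anyone else, and publish the author's local user name and directory layout with the repository — drop the `file` fields on export before committing. `note = {Series Title: Lecture Notes in Computer Science}` in the two Springer `@incollection` entries is the `series` field in disguise; with the LNCS number already in `volume`, `series = {Lecture Notes in Computer Science}` lets the style typeset it and the `note` can go. The `isbn` values pack two ISBNs into one field (e.g. `978-3-319-96880-3 978-3-319-96881-0`) and the `url` fields only repeat the `doi` (`https://link.springer.com/10.1007/...`, `https://doi.org/10.1007/...`), so styles that print both emit the link twice; keep one ISBN and prefer the bare `doi`. `matt_algpseudocodex_nodate` and `bernstein_multi-user_nodate` are `@article` entries with neither `journal` nor `year`, which standard styles report as missing required fields — `@misc` with `howpublished`/`url` (or biblatex `@online`) plus a `year` fits these documents better. The keys `shacham_algebraic_2018` and `tibouchi_one-more_2021` are built from the proceedings editors rather than the authors (Fuchsbauer et al., Bauer et al.), unlike the `karpfinger_*` keys; since `\cite` keys are read in the source, `fuchsbauer_algebraic_2018` and `bauer_one-more_2021` avoid misattribution.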


@@ -43,4 +43,7 @@
\newcommand{\prone}[1]{Pr[#1 \Rightarrow 1]}
% Oracle
\newcommand{\Osign}{\textit{Sign} }
\newcommand{\Osign}{\textit{Sign} }
% Structrues
\newcommand{\curve}{E}
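Review bot: `\newcommand{\Osign}{\textit{Sign} }` ends its replacement text with a hard space, so `\Osign,` or `\Osign.` in running text typesets a space before the punctuation, while `\Osign` followed by a word needs the space that TeX would otherwise swallow; if the preamble loads the `xspace` package, `\newcommand{\Osign}{\textit{Sign}\xspace}` gives the intended spacing in both cases. The two identical `\Osign` lines are presumably the old and new side of one changed line; if both were on the new side the second `\newcommand` would abort the build with "Command \Osign already defined", so it is worth confirming only one survives. The neighbouring comment reads `% Structrues`; `% Structures`.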


@@ -2,7 +2,7 @@
%TODO check if all c_i's are replaced by chall_i
This section shows that \sdlog implies \igame using the Algebraic Group Model. The section starts by introducing a special variant of the discret logarithm problem followed by an intuition of the proof and at last giving a detailed security proof.
This section shows that \sdlog implies \igame using the Algebraic Group Model. The section starts by introducing a special variant of the discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof.
\paragraph{\underline{Introducing \sdlog}}
@@ -11,7 +11,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
\begin{definition}[\sdlog]
For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as following:
\[ \advantage{\adversary{A}}{\sdlog}(k) \assign | \Pr[\sdlog \Rightarrow 1] | \]
\[ \advantage{\adversary{A}}{\sdlog}(k) \assign | \Pr[\sdlog^{\adversary{A}} \Rightarrow 1] | \].
\end{definition}
@@ -77,7 +77,25 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\paragraph{\underline{Formal Proof}}
\begin{proof}
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be \igame. By definition,
\item \paragraph{\underline{AGM}} This proof takes place in the algebraic group model. Meaning that the adversary has to provide a representation along each group element it provides to the reduction. The adversary has to provide an element $\groupelement{R}$, which is an element in the prime order subgroup of the Twisted Edwards curve. Leaving the question whether the representation should be defined relative to the prime order subgroup or the Twisted Edwards curve. The answer to this question is that it is enough to provide the representation relative to the prime order subgroup. The reason for that is shown in the following paragraph.
The Twisted Edwards curve $\curve$ over the finite field $\field{q}$ is an finite abelian group. Even though the group $\curve$ might not be cyclic the fundamental theorem of finitely generated abelian groups tells us that each finite abelian groups can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. Meaning that $\curve$ can be represented as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Lets recall a well known theorem of algebra:
\item \begin{theorem}
Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$, following statements are equivalent:
\begin{enumerate}[label=(\arabic*)]
\item $N_1, ..., N_n \trianglelefteq \group{G}$ and $\group{G} = N_1 \bigotimes ... \bigotimes N_n$.
\item Each $x \in \group{G}$ can uniquely be represented in the following way:
\[ x = a_i \cdot ... \cdot a_n, a_i \in N_i \]
\end{enumerate}
\end{theorem}.\cite{karpfinger_direkte_2021}
Due to Sylow theorems the decomposition has to include the large prime order subgroup $\group{G}$ used for EdDSA \cite{karpfinger_satze_2021} and since Twisted Edwards curve (like all Elliptic curves) are abelian each subgroup is also a normal subgroup. Together this means that the representation of each element $\groupelement{X} \in \curve$ is unique relative to the generating set. Since each element $\groupelement{Y} \in \group{G}$ can be represented as $\groupelement{Y} \assign y \groupelement{B}$, with $\groupelement{B}$ being the generator of the prime order subgroup, this has to be the only representation regarding the generation set. Meaning that an adversary in the algebraic group model has to provide a representation in the prime order subgroup $\group{G}$.
The only two group elements in $\group{G}$ provided to the adversary are the public key $\groupelement{A}$ and the generator $\groupelement{B}$. Therefore the representation of the element $\groupelement{R}$, provided to the \ioracle oracle, looks like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$.
\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:igamewithabort} by excluding all boxes and $G_0$ be \igame. By definition,
\[ \advantage{\group{G},\adversary{A}}{\igame}(k) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
@@ -85,7 +103,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \].
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefore the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
% TODO: Müsste das nicht floor statt ceil sein?
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
@@ -94,7 +112,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(k) \label{eq:advbsdlog}
\end{align}
\end{align}.
\begin{figure}
\hrule
@@ -127,7 +145,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
Finally, consider $\adversary{A}$ output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get following equation:
Finally, consider $\adversary{A}$'s output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get following equation:
\begin{align*}
r_1 \groupelement{B} + r_2 \groupelement{A} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \\
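Review bot: In the AGM paragraph (hunk @@ -77,7 +77,25 @@) the decomposition `\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle` and the theorem statement use `\bigotimes`, which is the tensor-product symbol; the (inner) direct product of subgroups that the cited Karpfinger chapter treats is written `\times` (or `\oplus` for abelian groups in additive notation), so `\langle a_1 \rangle \times \langle a_2 \rangle \times \dots \times \langle a_n \rangle` and `N_1 \times \dots \times N_n` is what the text means. In the same theorem the unique representation should read `x = a_1 \cdot \ldots \cdot a_n, \; a_i \in N_i` (the product starts at index 1), and `\end{theorem}.\cite{karpfinger_direkte_2021}` reads better with the citation placed in the sentence that applies the theorem. The paragraph concludes that the adversary only has to supply a representation in the prime-order subgroup; that presumably relies on the \ioracle input being restricted to $\group{G}$, which the paragraph asserts but the hunk does not show — worth stating where that restriction is enforced (a membership check, or the $2^c$ multiplication used in the other proof). Minor wording in the added lines: `is an finite abelian group` → `is a finite abelian group`, `each finite abelian groups` → `each finite abelian group`, `Lets recall` → `Let us recall`, `subgroups of an group` → `subgroups of a group`. The trailing-period pattern `\[ ... \].` introduced here (the \sdlog definition and the $G_0$ equation) and as `\end{align}.` in the two other proof files puts the full stop at the start of the next text line; the usual form keeps the punctuation inside the display, e.g. `\[ ... \Rightarrow 1] . \]`.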


@@ -2,6 +2,14 @@
This section shows that \igame implies the UF-NMA security if the EdDSA signature scheme using the Algebraic Group Model. The section starts by first providing an intuition if the proof followed by the detailed security proof.
\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle by the \ioracle oracle, which takes a commitment and outputs a challenge. This also strips away the message and focuses on the forgery of an arbitrary message. The \igame game is depicted in figure \ref{game:igame}.
\begin{definition}[\igame]
For an adversary $\adversary{A}$ we define its advantage in the \igame game as following:
\[ \advantage{\adversary{A}}{\igame}(k) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] | \].
\end{definition}
\begin{figure}
\hrule
\begin{multicols}{2}
@@ -11,7 +19,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
\State $a \randomsample \{2^{n-1}, 2^{n-1} + 8, ..., 2^n - 8\}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $s^* \randomsample \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$
\State \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c (s^* \groupelement{B} - \ch^* \groupelement{A}) \wedge (\groupelement{R}^*, \ch^*) \in Q$
\State \Return $\exists \groupelement{R}^*, \ch^*: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A} \wedge (\groupelement{R}^*, \ch^*) \in Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
@@ -24,4 +32,89 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
\hrule
\caption{\igame}
\label{game:igame}
\end{figure}
\end{figure}
\begin{theorem}
\label{theorem:adv_igame}
Let $\adversary{A}$ be an adversary against $\text{UF-NMA}_{\text{EdDSA}}$. Then,
\[ \advantage{\adversary{A}}{UF-NMA}(k) = \advantage{\adversary{B}}{\igame}(k) \].
\end{theorem}
\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
\paragraph{\underline{Formal Proof}}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\State \underline{\game $G_0$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\end{multicols}
\hrule
\caption{$G_0$}
\label{fig:igame_implies_uf-nma}
\end{figure}
\begin{proof}
\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}_{\text{EdDSA}}$. By definition,
\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}} = \Pr[\text{UF-NMA}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
\item $G_0$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\igame}(k) \label{eq:adv_igame}
\end{align}.
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\ioracle(\inp)}(\groupelement{A})$}
\State $(\m^*, \signature^* \assign (\encoded{R}, S)) \randomassign \adversary{A}^{H(\inp)}(\groupelement{A})$
\State \Return $S$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\textbf{if } \encoded{R} | \encoded{A} | m' \assign m \wedge \groupelement{R} \in \curve \textbf{ then}$
\State \qquad $\sum[m] \randomsample \ioracle(2^c \groupelement{R})$
\State \quad \textbf{else}
\State \qquad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\end{multicols}
\hrule
\caption{Adversary $\adversary{B}$ breaking \igame}
\label{fig:adversary_igame}
\end{figure}
\item To proof (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulates perfectly.
Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that:
\begin{align*}
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c H(\encoded{R} | \encoded{A} | m) \groupelement{A} \\
2^c \groupelement{R} &= 2^c S \groupelement{B} - 2^c \ioracle(2^c \groupelement{R}) \groupelement{A} \\
\groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A}
\end{align*}
Therefore $S$ is a valid solution for the \igame game.
\item This proves theorem \ref{theorem:adv_igame}.
\end{proof}
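Review bot: The step from `H(\encoded{R} | \encoded{A} | m)` to `\ioracle(2^c \groupelement{R})` in the final derivation (hunk @@ -24,4 +32,89 @@) only holds if $\adversary{A}$ actually queried $H$ on $\encoded{R} | \encoded{A} | \m^*$ before halting; an adversary that outputs $(\m^*, (\encoded{R}, S))$ without that query never makes $\adversary{B}$ call \ioracle, so $(2^c \groupelement{R}, \ch^*)$ is not in $Q$ and the \igame check fails even though the UF-NMA verification (which evaluates $H$ lazily) may succeed, which leaves equation (\ref{eq:adv_igame}) unjustified as written. The cheap repair is to let $\adversary{B}$ make the missing query itself before answering: insert `\State $H(\encoded{R} | \encoded{A} | \m^*)$` before `\State \Return $S$` in figure \ref{fig:adversary_igame} and say so in the proof text (a forgery whose $\encoded{R}$ does not decode to a curve point is presumably rejected by verification in both games anyway). Theorem \ref{theorem:adv_igame} uses $\adversary{B}$ without introducing it; state it as `Then there exists an adversary $\adversary{B}$ against \igame, running in about the time of $\adversary{A}$, with` followed by the displayed equality. Wording in the added proof: `To proof (\ref{eq:adv_igame})` → `To prove`, `$H$ is simulates perfectly` → `$H$ is simulated perfectly`, and the $G_0$ paragraph defines $G_0$ twice (`Let $G_0$ be defined in figure ... and let $G_0$ be ...`) — one definition suffices, e.g. `Let $G_0$ be $\text{UF-NMA}_{\text{EdDSA}}$ as depicted in figure \ref{fig:igame_implies_uf-nma}`.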


@@ -5,7 +5,7 @@ This section shows that the \cma security of EdDSA signature scheme implies the
\begin{theorem}
\label{theorem:adv_uf-nma}
Let $\adversary{A}$ be an adversary against \cma, making at most $\hashqueries$ hash queries. Then,
Let $\adversary{A}$ be an adversary against $\cma_{\text{EdDSA}}$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{\cma}}(k) = \advantage{\adversary{B}}{\text{UF-NMA}}(k) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\end{theorem}
@@ -41,45 +41,62 @@ The proof starts by providing an algorithm which generates correctly distributed
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}}
\State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$
\State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$
\State $A \assign sB$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
\State \Return $\verify(A, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
\State $A \assign s \groupelement{B}$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $\verify(\groupelement{A}, \m^*,\signature^*) \wedge (\m^*, \signature^*) \notin Q$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($m \in \messagespace$)}
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | m)$
\Statex \underline{\oracle \sign($\m \in \messagespace$)}
\State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_b | ... | h_{2b-1} | \m)$
\State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$
\State $R \assign rB$
\BeginBox[fill=lightgray]
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$
\State $S \assign (r + sH(\encoded{R} | \encoded{A} | \m)) \pmod L$
\EndBox
\BeginBox[draw=blue]
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$
\EndBox
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] = \bot \textbf{ then}$
\State \quad $\sum[\encoded{R} | \encoded{A} | m] \randomsample \{0,1\}^{2b}$
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | m]) \pmod L$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] = \bot \textbf{ then}$
\State \quad $\sum[\encoded{R} | \encoded{A} | \m] \randomsample \{0,1\}^{2b}$
\State $S \assign (r + s\sum[\encoded{R} | \encoded{A} | \m]) \pmod L$
\EndBox
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[m]$
\end{algorithmic}
\begin{multicols}{2}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H(\m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[\m] = \bot \textbf{ then}$
\State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$
\State \Return $\sum[\m]$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
%TODO: Nummer vor Oracle
\BeginBox[draw=green]
\State \underline{\oracle \sign($\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | \m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A} | \m] = \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\m, \signature)\}$
\State \Return $\signature$
\EndBox
\end{algorithmic}
\end{multicols}
\hrule
\caption{Games $G_0 - G_2$}
\caption{Games $G_0 - G_3$}
\label{fig:uf-nma_implies_suf-cma_games}
\end{figure}
@@ -96,11 +113,13 @@ The proof starts by providing an algorithm which generates correctly distributed
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\item \paragraph{\underline{$G_3:$}} $G_3$ replaces the \sign oracle by the \sign oracle in the green box. This change is only conceptual. \simalg outputs a correctly distributed tuple $(R, \textbf{ch}, S)$ with $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c \textbf{ch} \groupelement{A}$ and it was ruled out that $H(\encoded{R} | \encoded{A} | \m)$ is set prior to calling the \sign oracle the random oracle can be programmed to output $\textbf{ch}$ upon calling $H(\encoded{R} | \encoded{A} | m)$. Therefore, it is ensured that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | \m) \groupelement{A}$, which means that $\signature \assign (\encoded{R}, S)$ is a valid signature for the message $\m$ and was generated without the usage of the private key $s$.
\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(k) \label{eq:adv_uf-nma}
\end{align}
\end{align}.
\begin{figure}
\hrule
@@ -108,7 +127,7 @@ The proof starts by providing an algorithm which generates correctly distributed
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}(\groupelement{A})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(A)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
@@ -135,7 +154,7 @@ The proof starts by providing an algorithm which generates correctly distributed
\label{fig:adversarybuf-nma}
\end{figure}
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}_{\text{EdDSA}}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}_{\text{EdDSA}}$ game and adversary $\adversary{B}$ simulates \sign for adversary $\adversary{A}$. \sign is simulated perfectly. \simalg outputs a tuple $(\groupelement{R}, \textbf{ch}, S)$ satisfying $S\groupelement{B} = \groupelement{R} + \textbf{ch}\groupelement{A}$ for a given public key $\groupelement{A}$ and the random oracle is programmed to output $\textbf{ch}$ for the input $\encoded{R} | \encoded{A} | m$. Therefor the signature $\signature \assign (\encoded{R}, S)$ satisfies the verification equation $2^c S\groupelement{B} = 2^c \groupelement{R} + 2^c H(\encoded{R} | \encoded{A} | m)\groupelement{A}$ and is a valid signature for the message $\m$.
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}_{\text{EdDSA}}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}_{\text{EdDSA}}$ game and adversary $\adversary{B}$ simulates \sign for adversary $\adversary{A}$. \sign is simulated perfectly.
% TODO: Ist die Begründung ausreichend?
Finally, consider $\adversary{A}$ output $(\m^*, \signature^*)$. Every valid signature outputted by adversary $\adversary{A}$ in the $\text{\cma}_{\text{EdDSA}}$ setting is also a valid signature in the $\text{UF-NMA}_{\text{EdDSA}}$ setting.
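Review bot: The new text introduces $G_3$ as the last game (the `$G_3:$` paragraph and `Game $G_3$ is well prepared`), but the rewritten reduction sentence in hunk @@ -135,7 +154,7 @@ still says $\adversary{B}$ simulates $\adversary{A}$'s view in `$G_2$`, and the displayed equation (\ref{eq:adv_uf-nma}) right after the $G_3$ paragraph still bounds `\Pr[G_2^{\adversary{A}} \Rightarrow 1]`; both should read $G_3$, since $G_3$ is the game whose \sign oracle no longer uses $s$ and is therefore the one $\adversary{B}$ can simulate. In the green \sign box of figure \ref{fig:uf-nma_implies_suf-cma_games}, `\State $\sum[\encoded{R} | \encoded{A} | \m] = \textbf{ch}$` uses `=` for an assignment while every other assignment in the figure uses `\assign`; write `\State $\sum[\encoded{R} | \encoded{A} | \m] \assign \textbf{ch}$`. The $G_3$ paragraph calls the hop "only conceptual", which is true only if the tuple from \simalg has exactly the distribution of $(\groupelement{R}, H(\encoded{R} | \encoded{A} | \m), S)$ that the $G_2$ oracle produces for a fresh message; the sentence arguing this is a run-on (`\simalg outputs ... and it was ruled out that ... the random oracle can be programmed ...`), so split it into the two premises and the conclusion and state the distribution claim explicitly so it can be checked against \simalg. The theorem's bound on the context line below the changed hypothesis reads `= \advantage{\adversary{B}}{\text{UF-NMA}}(k) - \frac{...}{...}`, whereas the hops in the proof give $\Pr[G_0] \le \Pr[G_3] + \Pr[bad]$, i.e. `\leq \advantage{\adversary{B}}{\text{UF-NMA}}(k) + \frac{\oraclequeries \hashqueries}{...}`; the new hypothesis that counts $\oraclequeries$ makes this the moment to fix the direction.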