split file into multiple files

thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex

@@ -85,6 +85,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
 	\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1] \]
 	
 	\item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the bad flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefor the value of $r_2$. This way the adversary has no way of choosing $chall_i$ after $r_2$ and can not influence the probability of the abort being triggert. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $chall_i \pmod L$. $chall_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. At first there are $2^{2b}$ possible values for $chall_i$. After the reduction module $L$ there are $min\{2^{2b}, L\}$ possible values left for $chall_i$. In the case that the values $L$ is smaller than $2^{2b}$ (this is the case in most instantiations of EdDSA) then the $chall_i$'s are not uniformly distributed in $\field{L}$. Since an adversary could use this information the min entropy of $chall_i$ has to be concidert, which takes this into account. By the Union bound over all $\oraclequeries$ queries we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
+	% TODO: Müsste das nicht floor statt ceil sein?
 	
 	\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]