Added Proofs for lax parsing

thesis/sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma.tex

@@ -1,4 +1,4 @@
-\subsection{MU-UF-NMA $\Rightarrow$ MU-SUF-CMA (ROM)}
+\subsection{MU-UF-NMA $\Rightarrow$ $\text{MU-SUF-CMA}_{\text{EdDSA with strict parsing}}$ (ROM)}
 
 This section shows that the MU-UF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts with providing an intuition of the proof followed by the detailed security proof.
 
@@ -143,14 +143,81 @@ Again the programmability of the random oracle together with the \simalg algorit
 	
 	To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
 	
-	Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. For the signature to be valid in the MU-\cma game the signature for this message and public key must not been queried via the \Osign oracle. Therefore the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by adversary $\adversary{B}$ but was forwarded from the MU-UF-NMA challenger. Meaning $H'(\encoded{R}|\encoded{A_i}|m) = H(\encoded{R}|\encoded{A_i}|m)$. Hence,
+	Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Again there is only one valid encoded $S$ for each $\groupelement{R}$, $m$, $\groupelement{A_i}$ tuple that satisfies the verification equation. For the signature to be a valid forgery it must not be outputted by the \Osign oracle for this specific $m^*$ and $\groupelement{A_i}$. No new valid signature can be generated from a valid one by just changing the $S$ value. This means that at either $\groupelement{R}$, $m$ or $\groupelement{A_i}$ have to be changed to generate a new valid signature from an already valid signature. Since all these parameters are part of the hash query to generate the challenge the resulting hash value has to be forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Hence,
 	
 	\begin{align*}
-		2^c S \groupelement{B} &= 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i} \\
-		\Leftrightarrow 2^c S \groupelement{B} &= 2^c R + 2^c H(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}
+		2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i} \\
+		\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}
 	\end{align*}
 
 	Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-UF-NMA challenger.
 	
 	\item This proves theorem \ref{theorem:adv_mu-uf-nma}.
+\end{proof}
+
+\subsection{MU-UF-NMA $\Rightarrow$ $\text{MU-EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)}
+
+This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing using in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin Q$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-UF-NMA security.
+
+\begin{theorem}
+	\label{theorem:adv2_mu-uf-nma}
+	Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
+	
+	\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
+\end{theorem}
+
+\paragraph{\underline{Formal Proof}}
+
+\begin{proof}
+	\item 
+	\begin{align}
+		\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter). \label{eq:adv2_mu-uf-nma}
+	\end{align}
+	
+	\begin{figure}
+		\hrule
+		\begin{multicols}{2}
+			\large
+			\begin{algorithmic}[1]
+				\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
+				\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
+				\State \Return $(\m^*, \signature^*)$
+			\end{algorithmic}
+			\columnbreak
+			\begin{algorithmic}[1] 
+				\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
+				\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
+				\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
+				\State \quad $bad \assign true$
+				\State \quad $abort$
+				\State $\sum[\encoded{R} | \encoded{A_j} | m] = \textbf{ch}$
+				\State $\signature \assign (\encoded{R}, S)$
+				\State $Q \assign Q \cup \{(\groupelement{A_j}, \m)\}$
+				\State \Return $\signature$
+			\end{algorithmic}
+		\end{multicols}
+		\begin{algorithmic}[1] 
+			\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
+			\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
+			\State \quad $\sum[m] \assign H(m)$
+			\State \Return $\sum[m]$
+		\end{algorithmic}
+		\hrule
+		\caption{Adversary $\adversary{B}$ breaking $\text{MU-UF-NMA}$}
+		\label{fig:adversary_b_mu-uf-nma}
+	\end{figure}
+
+	To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking MU-UF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the MU-UF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
+	
+	Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by the adversary $\adversary{B}$ but was forwarded from the $H$ hash oracle provided by the MU-UF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore,
+	
+	\begin{align*}
+		2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}\\
+		\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}.
+	\end{align*}
+
+	This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the MU-UF-NMA challenger.
+	
+	\item This proofs theorem \ref{theorem:adv2_mu-uf-nma}.
+
 \end{proof}

thesis/sections/mu_security_of_eddsa/omdl'_implies_mu-gamez.tex

@@ -136,7 +136,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
 		\label{fig:adversary_omdl'}
 	\end{figure}
 	
-	To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
+	To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \somdl that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \somdl game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
 	
 	Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one for which $s^*$ is a valid solution in the MU-\igame game. This way the \textit{DL} oracle gets called exactly $N-1$ times which is smaller than $N$ which is required by the \somdl game. Together with the representation of $R^*$ provided during the \ioracle oracle call and the discrete logarithms of the public keys we are able to generate a representation of $R^*$ looking like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get: