Added Proofs for lax parsing

2023-05-02 17:36:07 +02:00
parent 419018dec3
commit 8a7b0d4d75
9 changed files with 210 additions and 30 deletions


@@ -18,6 +18,7 @@ listof=totoc,
\usepackage[parfill]{parskip} \usepackage[parfill]{parskip}
\usepackage[urlcolor=blue,hidelinks]{hyperref} \usepackage[urlcolor=blue,hidelinks]{hyperref}
\usepackage[,hhmmss]{datetime} \usepackage[,hhmmss]{datetime}
\usepackage{float}
\newtheorem{lemma}{Lemma}[section] \newtheorem{lemma}{Lemma}[section]
\newtheorem{theorem}{Theorem}[section] \newtheorem{theorem}{Theorem}[section]
@@ -116,18 +117,17 @@ TODO
This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:sdlog} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA. This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:sdlog} provides a concrete bound on the security of this version of the DLog problem, which is a result of the special key generation algorithm used by EdDSA.
The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next an intermediate game is introduced onto which the UF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of DLog. The proof starts by showing that the UF-NMA security of EdDSA implies \cma / EUF-CMA security of EdDSA in the Random Oracle Model. Whether EdDSA is \cma or EUF-CMA secure is decided by how the integer $S$ is decoded during the verification of the Signature. The use of strict parsing ensures \cma security while the use of lax parsing only guaranties EUF-CMA security. This will be further analyzed in the security proof. Next an intermediate game is introduced onto which the UF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of the discrete logarithm problem.
The chain of reductions can be depicted as: The chain of reductions can be depicted as:
\[ \sdlog \Rightarrow \igame \Rightarrow \text{UF-NMA} \Rightarrow \cma \] \[ \sdlog \Rightarrow \igame \Rightarrow \text{UF-NMA} \Rightarrow \cma_{\text{EdDSA with strict parsing}} / \text{EUF-CMA}_{\text{EdDSA with lax parsing}} \]
\input{sections/security_of_eddsa/uf-nma_implies_suf-cma} \input{sections/security_of_eddsa/uf-nma_implies_suf-cma}
\input{sections/security_of_eddsa/gamez_implies_uf-nma} \input{sections/security_of_eddsa/gamez_implies_uf-nma}
\input{sections/security_of_eddsa/dlog'_implies_gamez} \input{sections/security_of_eddsa/dlog'_implies_gamez}
\newpage
\section{The Security of EdDSA in a Multi-User Setting} \section{The Security of EdDSA in a Multi-User Setting}
% TODO: citation: as introduced in ... (paper name or not?) % TODO: citation: as introduced in ... (paper name or not?)
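Review bot: "lax parsing only guaranties EUF-CMA security" on the new intro line should read "guarantees", and "verification of the Signature" should be lower-case "signature"; "reduced onto the security of" reads better as "reduced to the security of". In the reduction-chain display the two parsing variants are squeezed into one slash-separated target; two lines (strict parsing: ... ⇒ SUF-CMA; lax parsing: ... ⇒ EUF-CMA) would be clearer, and note that \cma expands with a trailing space, so \cma_{...} subscripts the space rather than the text.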


@@ -41,7 +41,7 @@
\newcommand{\cma}{\text{SUF-CMA} } \newcommand{\cma}{\text{SUF-CMA} }
\newcommand{\adversary}[1]{\mathcal{#1}} \newcommand{\adversary}[1]{\mathcal{#1}}
\newcommand{\advantage}[2]{\text{Adv}_{#1}^{#2}} \newcommand{\advantage}[2]{\text{Adv}_{#1}^{#2}}
\newcommand{\prone}[1]{Pr[#1 \Rightarrow 1]} \newcommand{\prone}[1]{\Pr[#1 \Rightarrow 1]}
% Oracle % Oracle
\newcommand{\Osign}{\textit{Sign} } \newcommand{\Osign}{\textit{Sign} }


@@ -1,4 +1,5 @@
\section{EdDSA Signatures} \section{EdDSA Signatures}
\label{sec:eddsa}
% TODO: Referenz zum ersten Paper 2011 oder lieber zum journal paper 2012? % TODO: Referenz zum ersten Paper 2011 oder lieber zum journal paper 2012?
@@ -17,7 +18,7 @@ The generic version of EdDSA from the "EdDSA for more Curves" paper, the RFC 803
The list of the parameters can be found in table \ref{tab:parameter}. The list of the parameters can be found in table \ref{tab:parameter}.
\subsection{Encoding Function} \subsection{Encoding of Group Elements}
The encoding function encodes points on the twisted Edwards cuve into b-bit bitstring and vice versa. It is assumed to be unambiguous, with each point on the twisted Edwards curve having exactly one bitstring representing that point and invalid bitstring being rejected during decoding of the point. This way by decoding a b-bit bitstring into an cuve point implicitly ensures that the decoded point is a valid point on the specified twisted Edwards curve. The requirement for this property comes from the specified encoding function in \cite{EPRINT:BJLSY15}. The encoding function encodes points on the twisted Edwards cuve into b-bit bitstring and vice versa. It is assumed to be unambiguous, with each point on the twisted Edwards curve having exactly one bitstring representing that point and invalid bitstring being rejected during decoding of the point. This way by decoding a b-bit bitstring into an cuve point implicitly ensures that the decoded point is a valid point on the specified twisted Edwards curve. The requirement for this property comes from the specified encoding function in \cite{EPRINT:BJLSY15}.
@@ -27,6 +28,16 @@ The message space $\messagespace$ is defined as a bitstring of arbitrary length.
Looking at the RFC and the FIPS standard the context is passed into a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during the generation and verification of the signature. Since the proofs are conducted in the random oracle model the position of the data in the hash function call and the actual content of the message and the context are not relevant for the output of the random oracle call. Unless the reduction explicitly uses the content of message, which they do not in this case. Therefore, the context can be modeled as being part of the message. Looking at the RFC and the FIPS standard the context is passed into a "dom" function which concatenates the context with some additional data. The resulting data is then passed as additional data to each hash function call during the generation and verification of the signature. Since the proofs are conducted in the random oracle model the position of the data in the hash function call and the actual content of the message and the context are not relevant for the output of the random oracle call. Unless the reduction explicitly uses the content of message, which they do not in this case. Therefore, the context can be modeled as being part of the message.
\subsection{Signature}
The signature is a defined as a $2b$ bitstrig of the encoded curve points $\groupelement{R}$ concatenated with the $b$-bit little endian encoding of the scalar $S$.
$S$ being defined as the $b$-bit little endian encoding poses a problem. It might be possible that the decoded $S$ is larger than the order $L$ of the generator. The original paper \cite{EPRINT:BJLSY15} proposes two variants to handle decoded $S$ values, which are larger than $L$. The first approach is to replace $S$ with $S \pmod L$ and continue the verification of the signature. This will be called the lax parsing. The other approach is to reject all $S$ values larger than $L$ and fail the verification of the signature in that case. Parsing the integer like this will be called strict parsing.
The later proofs show that those two approaches lead to different security properties of the signature. Using strict parsing results in the SUF-CMA security while using lax parsing "only" ensures EUF-CMA security.
The RFC as well as the FIPS standard both require strict parsing.
\subsection{Differences from Schnorr Signatures} \subsection{Differences from Schnorr Signatures}
As already pointed out in \cite{SP:BCJZ21} there are some minor differences from traditional Schnorr signature which prevent already existing proofs of the Schnorr signature scheme to be applied to EdDSA. This section points out the differences of the EdDSA signature scheme from traditional Schnorr signature scheme. As already pointed out in \cite{SP:BCJZ21} there are some minor differences from traditional Schnorr signature which prevent already existing proofs of the Schnorr signature scheme to be applied to EdDSA. This section points out the differences of the EdDSA signature scheme from traditional Schnorr signature scheme.
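Review bot: the strict-parsing rule in the new Signature subsection, "reject all $S$ values larger than $L$", leaves out $S = L$; RFC 8032 requires the decoded integer to satisfy $0 \le S < L$, so the rejection condition should be $S \geq L$ (and lax parsing correspondingly reduces every $S \geq L$ modulo $L$). Typos on the same lines: "a defined as" -> "defined as", "$2b$ bitstrig" -> "$2b$-bit bitstring", "The later proofs" -> "The proofs below".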
@@ -59,7 +70,7 @@ The commitment is chosen as the result of a hash function instead of uniformly a
% TODO: Ist das ok hier einfach zu kopieren? % TODO: Ist das ok hier einfach zu kopieren?
\begin{center} \begin{center}
\begin{table}[t] \begin{table}[!ht]
\centering \centering
\begin{tabularx}{\textwidth}{@{}lX@{}} \begin{tabularx}{\textwidth}{@{}lX@{}}
\textbf{Parameter} & \textbf{Description} \\ \textbf{Parameter} & \textbf{Description} \\
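Review bot: the table float is wrapped in \begin{center}; since the float already carries \centering, the outer center environment does nothing for the placement of the table and only inserts vertical space around the point where the float is called out, so it can be dropped.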
@@ -82,7 +93,7 @@ The commitment is chosen as the result of a hash function instead of uniformly a
\begin{figure} \begin{figure}[H]
\hrule \hrule
\begin{multicols}{3} \begin{multicols}{3}
\scriptsize \scriptsize
@@ -161,7 +172,7 @@ The EdDSA' signature scheme is depicted in figure \ref{fig:eddsa'}. The differen
Let $\adversary{A}$ be and adversary against SUF-CMA security of the EdDSA signature scheme. Then Let $\adversary{A}$ be and adversary against SUF-CMA security of the EdDSA signature scheme. Then
%TODO: richtigre Richtung? %TODO: richtigre Richtung?
\[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2\hashqueries}{2^b}. \] \[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) - \frac{2 (\hashqueries + 1)}{2^b}. \]
\end{theorem} \end{theorem}
\paragraph{\underline{Proof Overview}} \paragraph{\underline{Proof Overview}}
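Review bot: the sign in the updated bound looks reversed, which is what the TODO "richtigre Richtung?" above it asks. The game hops that follow bound absolute differences $|\Pr[G_i^{\adversary{A}} \Rightarrow 1] - \Pr[G_{i+1}^{\adversary{A}} \Rightarrow 1]|$, and summing those gives $\advantage{\text{EdDSA},\adversary{A}}{\cma} \leq \advantage{\text{EdDSA'},\adversary{A}}{\cma} + \frac{2(\hashqueries+1)}{2^b}$, i.e. the loss is added on the EdDSA' side, not subtracted from the EdDSA advantage. Also "be and adversary" in the theorem statement should be "be an adversary".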
@@ -254,13 +265,13 @@ The different games used in the proof are depicted in figure \ref{fig:eddsa'game
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \] \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]
\item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_1] \leq \frac{\hashqueries}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have \item \paragraph{\underline{$G_2:$}} $G_2$ now introduces the abort condition in the red box. The game aborts if the flag $bad_1$ is set. For each individual query the $bad_1$ flag is set with a probability at most $\frac{1}{2^b}$. The flag is set if the message equals $k$. $k$ is a value chosen uniformly at random from $\{0,1\}^b$ and is hidden from the adversary. Therefor the adversary can can only guess this value. By the union bound over all hash queries $\hashqueries$ plus the one hash, which is performed by the challenger during signature verification, we obtain $\Pr[bad_1] \leq \frac{\hashqueries + 1}{2^b}$. Since $G_1$ and $G_2$ are identical-until-bad games regarding the $bad_1$ flag, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\hashqueries}{2^b}. \] \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_1] \leq \frac{\hashqueries + 1}{2^b}. \]
\item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all hash queries $\hashqueries$ we obtain $\Pr[bad_2] \leq \frac{\hashqueries}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have \item \paragraph{\underline{$G_3:$}} $G_3$ now also introduces the abort condition in the green box. This game also aborts if a message is queried which starts with $h_b | ... | h_{2b-1}$. For each individual query the $bad_2$ flag is set with a probability at most $\frac{1}{2^b}$. The value $h$ is the result of a random oracle call with $k$ as input. Since the adversary is not able to query the random oracle with input $k$, due to the abort condition introduced ion $G_2$, the adversary has no information on $h$. Therefor the adversary can only guess the value of $h$. By the union bound over all hash queries $\hashqueries$ plus the one hash, which is performed by the challenger during signature verification, we obtain $\Pr[bad_2] \leq \frac{\hashqueries + 1}{2^b}$. Since $G_2$ and $G_3$ are identical-until-bad games regarding the $bad_2$ flag, we have
\[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries}{2^b}. \] \[ |\Pr[G_2^{\adversary{A}} \Rightarrow 1] - \Pr[G_3^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad_2] \leq \frac{\hashqueries + 1}{2^b}. \]
%TODO: Signatur von RF genauer beschreiben? %TODO: Signatur von RF genauer beschreiben?
\item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue boxes in the main game and the \Osign oracle with the orange boxes. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefore, an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence, \item \paragraph{\underline{$G_4:$}} $G_4$ replaces the blue boxes in the main game and the \Osign oracle with the orange boxes. This change is only conceptual since the adversary is not able to query the random oracle with the inputs used for those calls and due to the nature of the random oracle model the adversary has no information on those values. Therefore, an adversary can not differentiate between the values being the result of the hash function or chosen uniformly at random. Hence,
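Review bot: both rewritten union-bound sentences still carry "Therefor" (-> "Therefore") and "can can only guess" (-> "can only guess"), the $G_3$ one has "introduced ion $G_2$" (-> "in $G_2$"), and the inserted clause "plus the one hash, which is performed by the challenger" should drop the comma. It would also help to say explicitly that the extra $+1$ accounts for the verification hash on the adversary's final output, which need not be among its $\hashqueries$ oracle queries; as written the reader has to infer why the count is $\hashqueries + 1$ rather than $\hashqueries$.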


@@ -1,4 +1,4 @@
\subsection{MU-UF-NMA $\Rightarrow$ MU-SUF-CMA (ROM)} \subsection{MU-UF-NMA $\Rightarrow$ $\text{MU-SUF-CMA}_{\text{EdDSA with strict parsing}}$ (ROM)}
This section shows that the MU-UF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts with providing an intuition of the proof followed by the detailed security proof. This section shows that the MU-UF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts with providing an intuition of the proof followed by the detailed security proof.
@@ -143,14 +143,81 @@ Again the programmability of the random oracle together with the \simalg algorit
To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. For the signature to be valid in the MU-\cma game the signature for this message and public key must not been queried via the \Osign oracle. Therefore the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by adversary $\adversary{B}$ but was forwarded from the MU-UF-NMA challenger. Meaning $H'(\encoded{R}|\encoded{A_i}|m) = H(\encoded{R}|\encoded{A_i}|m)$. Hence, Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Again there is only one valid encoded $S$ for each $\groupelement{R}$, $m$, $\groupelement{A_i}$ tuple that satisfies the verification equation. For the signature to be a valid forgery it must not be outputted by the \Osign oracle for this specific $m^*$ and $\groupelement{A_i}$. No new valid signature can be generated from a valid one by just changing the $S$ value. This means that at either $\groupelement{R}$, $m$ or $\groupelement{A_i}$ have to be changed to generate a new valid signature from an already valid signature. Since all these parameters are part of the hash query to generate the challenge the resulting hash value has to be forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Hence,
\begin{align*} \begin{align*}
2^c S \groupelement{B} &= 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i} \\ 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i} \\
\Leftrightarrow 2^c S \groupelement{B} &= 2^c R + 2^c H(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i} \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}
\end{align*} \end{align*}
Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-UF-NMA challenger. Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also a valid forgery for the MU-UF-NMA challenger.
\item This proves theorem \ref{theorem:adv_mu-uf-nma}. \item This proves theorem \ref{theorem:adv_mu-uf-nma}.
\end{proof}
\subsection{MU-UF-NMA $\Rightarrow$ $\text{MU-EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)}
This section shows that MU-UF-NMA security of EdDSA implies the MU-EUF-CMA security of EdDSA with lax parsing using in the random oracle model. This proof is very similar to the proof MU-SUF-CMA proof of EdDSA with strict parsing. The modification to the games are the same as in the proof above with the only modifications being in the win condition, which is $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*) \wedge (\groupelement{A_j}, \m^*) \notin Q$. For this reason this proof starts at showing the existence of an adversary $\adversary{B}$ breaking MU-UF-NMA security.
\begin{theorem}
\label{theorem:adv2_mu-uf-nma}
Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Formal Proof}}
\begin{proof}
\item
\begin{align}
\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter). \label{eq:adv2_mu-uf-nma}
\end{align}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A_j} | m] = \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{(\groupelement{A_j}, \m)\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \assign H(m)$
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{MU-UF-NMA}$}
\label{fig:adversary_b_mu-uf-nma}
\end{figure}
To prove (\ref{eq:adv2_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking MU-UF-NMA that simulates $\adversary{A}$'s view on $G_3$. Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_b_mu-uf-nma}, is run in the MU-UF-NMA game and simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. Like in the single-user setting the adversary can create a new valid signature from an already valid one by choosing a different bitstring representation of the $S$ value that maps to the same $S \pmod L$. Since we are in the MU-EUF-CMA setting the adversary has to forge a signature for a message $m^*$ and public key $A_i$ to which it has not queried a signature before. For this reason the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by the adversary $\adversary{B}$ but was forwarded from the $H$ hash oracle provided by the MU-UF-NMA challenger. For this reason $H'(\encoded{R^*}|\encoded{A_i}|m^*) = H(\encoded{R^*}|\encoded{A_i}|m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}\\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A_i}|m^*) \groupelement{A_i}.
\end{align*}
This shows that the forged signature from adversary $\adversary{A}$ is also a valid forged signature for the MU-UF-NMA challenger.
\item This proofs theorem \ref{theorem:adv2_mu-uf-nma}.
\end{proof} \end{proof}
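Review bot: the bound in theorem \label{theorem:adv2_mu-uf-nma} needs reworking. The denominator $2^{-\log_2(x)}$ with $x = \lceil \frac{2^{2b}-1}{L} \rceil 2^{-2b}$ is simply $1/x$, so the loss term is $\oraclequeries \hashqueries \lceil \frac{2^{2b}-1}{L} \rceil 2^{-2b}$ and should be written that way; since $S$ is encoded in $b$ bits (Signature subsection), the exponent is presumably $b$ rather than $2b$, giving $\lceil 2^b / L \rceil$ encodings per residue; and the relation should be an inequality, since the games differ by bad events that are only bounded by the loss, not an equality. The formal proof states only $\Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-UF-NMA}}$ and delegates $G_1$ to $G_3$ to "the proof above"; at least the one-line chain from $\advantage{\adversary{A}}{\text{MU-EUF-CMA}}$ to $\Pr[G_3^{\adversary{A}} \Rightarrow 1]$ should be restated here so the theorem's loss term is actually derived. Minor: "\item" directly after "\begin{proof}" compiles only if proof is a list environment; "positive integer" -> "positive integers"; "using in the random oracle model" -> "in the random oracle model"; "the proof MU-SUF-CMA proof" duplicates "proof"; "This proofs theorem" -> "This proves theorem"; in the strict-parsing paragraph "This means that at either" -> "This means that either"; and the new label fig:adversary_b_mu-uf-nma differs from the existing fig:adversaryb_mu-uf-nma only by an underscore, which is easy to mix up.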


@@ -136,7 +136,7 @@ This section shows that \somdl implies MU-\igame using the Algebraic Group Model
\label{fig:adversary_omdl'} \label{fig:adversary_omdl'}
\end{figure} \end{figure}
To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly. To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \somdl that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_omdl'} is run in the \somdl game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly.
Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one for which $s^*$ is a valid solution in the MU-\igame game. This way the \textit{DL} oracle gets called exactly $N-1$ times which is smaller than $N$ which is required by the \somdl game. Together with the representation of $R^*$ provided during the \ioracle oracle call and the discrete logarithms of the public keys we are able to generate a representation of $R^*$ looking like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get: Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys and one tuple $(R^*, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we can get the discrete logarithms of all public keys but the one for which $s^*$ is a valid solution in the MU-\igame game. This way the \textit{DL} oracle gets called exactly $N-1$ times which is smaller than $N$ which is required by the \somdl game. Together with the representation of $R^*$ provided during the \ioracle oracle call and the discrete logarithms of the public keys we are able to generate a representation of $R^*$ looking like $\groupelement{R^*} = r_b \groupelement{B} + r_i \groupelement{A_i}$. By equating both equations we get:


@@ -2,10 +2,9 @@
\subsubsection{General Notation} \subsubsection{General Notation}
For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from an non-empty set $A$ uniformly at random. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if there exists a $N \in \mathbb{N}$ for all polynomials $p$ so that $\forall n \geq N: f(n) < \frac{1}{p(n)}$. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ and uniformly random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. The main procedure runs and adversary $\adversary{A}$ given some inputs and access to the oracle procedures and getting some output from the adversary $\adversary{A}$. Based on the output of the adversary $\adversary{A}$ and its oracle calls the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game. % TODO: Notation mit residual ring und finite field abklären.
For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from an non-empty set $A$ uniformly at random. $\assign$ denotes a deterministic assignment of a variable. $\{0,1\}^n$ is a bitstring of length n, while $\{0,1\}^*$ denotes a finite bitstring of arbitrary length. $(x,y)$ is a tuple of the two elements $x$ and $y$. $\{x,y\}$ is a set of the elements $x$ and $y$. At the beginning of a game a set is initialized to be the empty set $\{\}$. $\sum$ denotes a table and $\sum[x]$ denotes the value of the table at position $x$. Each position of the table is uninitialized at the beginning of the game. An uninitialized position in the table is denote with the bottom symbol $\bot$. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if there exists a $N \in \mathbb{N}$ for all polynomials $p$ so that $\forall n \geq N: f(n) < \frac{1}{p(n)}$. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ and uniformly random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. The main procedure runs and adversary $\adversary{A}$ given some inputs and access to the oracle procedures and getting some output from the adversary $\adversary{A}$. Based on the output of the adversary $\adversary{A}$ and its oracle calls the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game.
\subsubsection{Algebraic Notation} \subsubsection{Algebraic Notation}
A group description is denoted as a tuple $\mathbf{G} = (L, \mathbb{G}, \groupelement{B})$ with $\mathbb{G}$ being a cyclic group of prime order $L$ generated by group element $\groupelement{B}$. The group uses additive notation for its group law and group elements are denoted by uppercase letters. It is assumed that there exists a group generation algorithm that, upon inputting $1^\secparamter$, outputs a group description $\mathbf{G}$ with $L$ being $\secparamter$ bits in length. A group description is denoted as a tuple $\mathbf{G} = (L, \mathbb{G}, \groupelement{B})$ with $\mathbb{G}$ being a cyclic group of prime order $L$ generated by group element $\groupelement{B}$. The group uses additive notation for its group law and group elements are denoted by uppercase letters $\groupelement{A}$. Encoded group elements are denoted by underlining $\encoded{A}$. Further information on the encoding of group elements can be found in section \ref{sec:eddsa}. It is assumed that there exists a group generation algorithm that, upon inputting $1^\secparamter$, outputs a group description $\mathbf{G}$ with $L$ being $\secparamter$ bits in length.
\subsubsection{Game Notation}
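Review bot: the negligible-function definition on the rewritten notation line has its quantifiers in the wrong order: "there exists a $N \in \mathbb{N}$ for all polynomials $p$" lets one $N$ serve every $p$; it should read "for every polynomial $p$ there exists $N \in \mathbb{N}$ such that $\forall n \geq N: f(n) < \frac{1}{p(n)}$". Also "$\sum$" is the summation operator and renders as a large $\Sigma$ with operator spacing; "$\Sigma$" or a dedicated table macro would be clearer for the hash table used throughout the adversary figures. Wording: "$\{0,1\}^n$ is a bitstring of length n" -> "denotes the set of bitstrings of length $n$", "is denote with" -> "is denoted by", "an non-empty" -> "a non-empty".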


@@ -34,7 +34,7 @@ The Fiat-Schamir transformation replaces the verifier by a pseudorandom function
If the canonical identification scheme is IMP-PA secure then the digital signature scheme, resulting from the Fiat-Schamir transformation of that canonical identification scheme, is UF-CMA secure in the random oracle model (the meaning of the random oracle model will be explained in section \ref{sec:rom}) \cite{EC:PoiSte96}. %TODO: Ist das das richtige Paper? If the canonical identification scheme is IMP-PA secure then the digital signature scheme, resulting from the Fiat-Schamir transformation of that canonical identification scheme, is UF-CMA secure in the random oracle model (the meaning of the random oracle model will be explained in section \ref{sec:rom}) \cite{EC:PoiSte96}. %TODO: Ist das das richtige Paper?
\begin{figure} \begin{figure}[H]
\hrule \hrule
\vspace{1mm} \vspace{1mm}
\begin{multicols}{3} \begin{multicols}{3}
@@ -68,7 +68,7 @@ If the canonical identification scheme is IMP-PA secure then the digital signatu
The Schnorr signature scheme is a signature scheme which was introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. The Schnorr signature scheme proved to be a robust and efficient signature scheme. For two prime numbers $p$ and $q$ with $q|p-1$ and and element $g \in \field{p}$ with order $q$ the Schnorr signature scheme is depicted in figure \ref{fig:schorr}. Since the scheme is defined on $\field{p}$ multiplicative notation is used for this scheme as an exception. The Schnorr signature scheme is a signature scheme which was introduced by Claus Peter Schnorr in 1991 \cite{JC:Schnorr91}. The Schnorr signature scheme proved to be a robust and efficient signature scheme. For two prime numbers $p$ and $q$ with $q|p-1$ and and element $g \in \field{p}$ with order $q$ the Schnorr signature scheme is depicted in figure \ref{fig:schorr}. Since the scheme is defined on $\field{p}$ multiplicative notation is used for this scheme as an exception.
\begin{figure}[h] \begin{figure}[H]
\hrule \hrule
\vspace{1mm} \vspace{1mm}
\begin{multicols}{3} \begin{multicols}{3}
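Review bot: the context line has "and and element $g \in \field{p}$", which should read "and an element $g \in \field{p}$", and "Since the scheme is defined on $\field{p}$ multiplicative notation is used" needs a comma after `$\field{p}$`; `q|p-1` is better typeset as `q \mid p-1`. Switching `[h]` to `[H]` pins the figure exactly where it appears in the source, which is fine as long as `float` is loaded, but it can produce large blank areas at page breaks; `[htbp]` is the safer default unless the figure must follow its paragraph immediately.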
@@ -99,7 +99,7 @@ The Schnorr signature scheme is a signature scheme which was introduced by Claus
\label{fig:schorr} \label{fig:schorr}
\end{figure} \end{figure}
\subsection{Edwards Curves} \subsection{Elliptic Curves}
\subsection{Random Oracle Model (ROM)} \subsection{Random Oracle Model (ROM)}
\label{sec:rom} \label{sec:rom}
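Review bot: renaming the heading from "Edwards Curves" to "Elliptic Curves" leaves an empty section: `\subsection{Elliptic Curves}` is immediately followed by `\subsection{Random Oracle Model (ROM)}` with no body. Either add the content (or a `%TODO` placeholder) or leave the heading out of this commit, since an empty subsection still shows up in the PDF and the table of contents. Visible in the context: the figure label `fig:schorr` misspells Schnorr; it is used consistently with the `\ref` in the preceding hunk, so if you rename it, change both.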

View File

@@ -105,6 +105,39 @@ Strong Existential Unforgeability against Chosen Message Attack (\cma) is a secu
\label{game:cma} \label{game:cma}
\end{figure} \end{figure}
\subsubsection{EUF-CMA}
Existential Unforgability against Chosen Message Attack (EUF-CMA) is similar to the SUF-CMA security notion. The adversary also gets access to an \Osign oracle which generates arbitrary signatures. Unlike in the SUF-CMA game the adversary wins the EUF-CMA game only if he forges a valid signature for a message that was not queries by the \Osign oracle. The security game is depicted in figure \ref{game:euf-cma}.
\begin{definition}[\cma]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is EUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{EUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
\[ \advantage{SIG,\adversary{A}}{\text{EUF-CMA}}(\secparamter) \assign \prone{\text{EUF-CMA}^{\adversary{A}}} \leq \epsilon \]
\end{definition}
\begin{figure}[h]
\hrule
\begin{multicols}{2}
\normalsize
\begin{algorithmic}[1]
\Statex \underline{\game $\text{\cma}$}
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1 \wedge \m^* \notin M$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \Osign($\m \in \messagespace$)}
\State $\signature \randomassign \sign(\privkey, \m)$
\State $M \assign M \cup \{\m\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\hrule
\caption{EUF-CMA Security Game}
\label{game:euf-cma}
\end{figure}
\subsubsection{UF-NMA} \subsubsection{UF-NMA}
Unforgeability against No Message Attack (UF-NMA) is a security notion for digital signature schemes. The difference to the \cma game is that the adversary does not get access to an \Osign oracle, which provides it with valid signatures for arbitrary messages. Like in the \cma setting the adversary is tasked to provide a valid signature for an arbitrary message. The game is depicted in figure \ref{game:uf-nma}. Unforgeability against No Message Attack (UF-NMA) is a security notion for digital signature schemes. The difference to the \cma game is that the adversary does not get access to an \Osign oracle, which provides it with valid signatures for arbitrary messages. Like in the \cma setting the adversary is tasked to provide a valid signature for an arbitrary message. The game is depicted in figure \ref{game:uf-nma}.
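Review bot: the new definition and game are labelled with the wrong notion: `\begin{definition}[\cma]` and `\Statex \underline{\game $\text{\cma}$}` both print the SUF-CMA name although the block defines EUF-CMA; both should say EUF-CMA. Two further points in the same hunk: the definition text says the advantage "is negligible in $\secparamter$" while the displayed formula ends in `\leq \epsilon` with $\epsilon$ never introduced, so keep one formulation; and the win condition `\m^* \notin M` relies on a set $M$ that is never initialised (there is no `M \assign \emptyset` before $\adversary{A}$ is run), while the adversary is given `\sign(\inp)` as its oracle although the oracle is named \Osign. Prose: "Unforgability" should be "Unforgeability", and "was not queries by the \Osign oracle" should be "was not queried to the \Osign oracle".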
@@ -162,6 +195,8 @@ MU-SUF-CMA is the multi-user variant of the SUF-CMA security notion. Instead of
\label{game:mu-suf-cma} \label{game:mu-suf-cma}
\end{figure} \end{figure}
\subsubsection{MU-EUF-CMA}
\subsubsection{MU-UF-NMA} \subsubsection{MU-UF-NMA}
MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of one public key the adversary gets access to $n$ public keys and has to forge a signature for any of the public keys. Unlike the MU-SUF-CMA the adversary does not get access to a signing oracle. The game is depicted in figure \ref{game:mu-uf-nma}. MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of one public key the adversary gets access to $n$ public keys and has to forge a signature for any of the public keys. Unlike the MU-SUF-CMA the adversary does not get access to a signing oracle. The game is depicted in figure \ref{game:mu-uf-nma}.
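Review bot: `\subsubsection{MU-EUF-CMA}` is added with no text, game figure or label, directly before `\subsubsection{MU-UF-NMA}`; the bare heading will appear in the PDF and the table of contents. Either add at least the one-paragraph description plus a game figure mirroring the MU-SUF-CMA one (the single-user EUF-CMA game introduced in this commit with the $n$-key setup), or keep the heading out of this commit until the content exists.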
@@ -185,4 +220,6 @@ MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of o
\hrule \hrule
\caption{MU-UF-NMA Security Game} \caption{MU-UF-NMA Security Game}
\label{game:mu-uf-nma} \label{game:mu-uf-nma}
\end{figure} \end{figure}
\subsection{Security Assumptions}
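Review bot: `\subsection{Security Assumptions}` is appended as an empty heading at the end of the file. If this is where the special discrete logarithm assumption used by the EdDSA proof is meant to go, add a `%TODO` or a placeholder paragraph so the build does not ship a bare heading; otherwise drop it until the section is written.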

View File

@@ -1,7 +1,7 @@
\subsection{UF-NMA $\Rightarrow$ \cma (ROM)} \label{proof:uf-nma_implies_suf-cma} \subsection{UF-NMA $\Rightarrow$ $\text{\cma}_{\text{EdDSA with strict parsing}}$ (ROM)} \label{proof:uf-nma_implies_suf-cma}
% TODO: "intuition for the proof" vs. "intuition of the proof"? % TODO: "intuition for the proof" vs. "intuition of the proof"?
This section shows that the UF-NMA security of EdDSA signature scheme implies the \cma security of EdDSA signature scheme using the Random Oracle Model. The section starts by first providing an intuition for the proof followed by the detailed security proof. This section shows that the UF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section starts by first providing an intuition for the proof followed by the detailed security proof.
\begin{theorem} \begin{theorem}
\label{theorem:adv_uf-nma} \label{theorem:adv_uf-nma}
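Review bot: the new heading `\subsection{UF-NMA $\Rightarrow$ $\text{\cma}_{\text{EdDSA with strict parsing}}$ (ROM)}` puts a macro and a long subscript inside math in a sectioning command, which tends to break in the table of contents and in hyperref's PDF bookmarks; give it a plain short title, e.g. `\subsection[UF-NMA implies SUF-CMA for EdDSA with strict parsing (ROM)]{...}`. In the rewritten first sentence, "using the random oracle model" reads better as "in the random oracle model". Keeping the label `proof:uf-nma_implies_suf-cma` is fine as long as the lax-parsing section added later in this commit gets its own distinct label, which it currently does not have.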
@@ -164,14 +164,80 @@ The proof starts by providing an algorithm which generates correctly distributed
To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. To prove (\ref{eq:adv_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybuf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that $2^c S \groupelement{B} = 2^c \groupelement{R} + 2^c H'(\encoded{R}|\encoded{A}|m) \groupelement{A}$. Since the signature for the message $\m^*$ has not been queried in the \Osign oracle the output of $H'(\encoded{R}|\encoded{A}|m)$ has not been set by the adversary $\adversary{B}$ but was forwarded from the $H$ hash oracle. For this reason $H'(\encoded{R}|\encoded{A}|m) = H(\encoded{R}|\encoded{A}|m)$. Therefore, Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. When using strict parsing any the decoded $S$ from the signature it is known that $0 \leq S < L$. Therefore there is only one valid encoded $S$ for each $R$, $\m$ pair that satisfies the equation. This means that from no new and valid signature can be generated by only changing the $S$ value of an already valid signature. Hence, also $R$ or $m$ has to be altered to generate a new valid signature from another one. Since $R$ and $m$ are inputs to the hash query, which is used to generate the challenge, the result for this hash query are forwarded from the $H$ hash oracle provided to the adversary $\adversary{B}$. For this reason $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
\begin{align*} \begin{align*}
2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H'(\encoded{R}|\encoded{A}|m) \groupelement{A}\\ 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\
\Leftrightarrow 2^c S \groupelement{B} &= 2^c \groupelement{R} + 2^c H(\encoded{R}|\encoded{A}|m) \groupelement{A}. \Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}.
\end{align*} \end{align*}
Meaning that the forged signature from adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. Meaning that the forged signature from adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
\item This proves theorem \ref{theorem:adv_uf-nma}. \item This proves theorem \ref{theorem:adv_uf-nma}.
\end{proof}
\subsection{UF-NMA $\Rightarrow$ $\text{EUF-CMA}_{\text{EdDSA with lax parsing}}$ (ROM)}
This section shows that the UF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games are the same as in the proof above with the only difference being the win condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin Q$. For this reason this proofs starts at showing the existence of an adversary $\adversary{B}$ breaking UF-NMA security.
\begin{theorem}
\label{theorem:adv2_uf-nma}
Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
\[ \advantage{\adversary{A}}{\text{EUF-CMA}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}
\paragraph{\underline{Formal Proof}}
\begin{proof}
\item
\begin{align}
\prone{G_3^{\adversary{A}}} = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv2_uf-nma}
\end{align}
\begin{figure}
\hrule
\begin{multicols}{2}
\large
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A})$}
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp)}(\groupelement{A})$
\State \Return $(\m^*, \signature^*)$
\end{algorithmic}
\columnbreak
\begin{algorithmic}[1]
\Statex \underline{\oracle \sign($m \in \messagespace$)}
\State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A})$
\State $\textbf{if } \sum[\encoded{R} | \encoded{A} | m] \neq \bot \textbf{ then}$
\State \quad $bad \assign true$
\State \quad $abort$
\State $\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}$
\State $\signature \assign (\encoded{R}, S)$
\State $Q \assign Q \cup \{\m\}$
\State \Return $\signature$
\end{algorithmic}
\end{multicols}
\begin{algorithmic}[1]
\Statex \underline{\oracle $H'(m \in \{0,1\}^*)$}
\State $\textbf{if } \sum[m] = \bot \textbf{ then}$
\State \quad $\sum[m] \assign H(m)$
\State \Return $\sum[m]$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking $\text{UF-NMA}$}
\label{fig:adversary_b_suf-nma}
\end{figure}
To prove (\ref{eq:adv2_uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{UF-NMA}$ that simulates $\adversary{A}$'s view in $G_3$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_b_suf-nma} is run in the $\text{UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly.
Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R^*}, S^*))$. It is known that $2^c S^* \groupelement{B} = 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}$. The same argument as in the proof above cannot be used since the lax parser could map multiple $2b$-bit bitstrings onto the same $S^* \pmod L$. Therefore the adversary $\adversary{A}$ could generate a new valid signature from a by \Osign generated one by simply choosing a different bitstring representation of the same $S^* \pmod L$. Since in this case $\sum[\encoded{R^*}|\encoded{A}|m^*]$ was set by the adversary $\adversary{B}$ this signature is not valid for the UF-NMA challenger. But since we are in the EUF-CMA setting we require the adversary $\adversary{A}$ to output a signature for a message $m^*$ for that it has not requested a signature via the \Osign oracle. Since the signature for the message $m^*$ has not been queried in the Sign oracle the output of $H'(\encoded{R^*}|\encoded{A}|m^*)$ has not been set by the adversary B but was forwarded from the $H$ hash oracle. For this reason $H'(\encoded{R^*}|\encoded{A}|m^*) = H(\encoded{R^*}|\encoded{A}|m^*)$. Therefore,
\begin{align*}
2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H'(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}\\
\Leftrightarrow 2^c S^* \groupelement{B} &= 2^c \groupelement{R^*} + 2^c H(\encoded{R^*}|\encoded{A}|m^*) \groupelement{A}.
\end{align*}
Meaning that the forged signature from adversary $\adversary{A}$ is also a valid signature in the UF-NMA game.
\item This proves theorem \ref{theorem:adv2_uf-nma}.
\end{proof} \end{proof}
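Review bot: the theorem statement `\advantage{\adversary{A}}{\text{EUF-CMA}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\ldots)}}` claims an equality, but the proof only establishes `\prone{G_3^{\adversary{A}}} = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter)` and inherits the game hops with their bad-event loss from the strict-parsing proof, which give an inequality; state it as $\leq$ (or as $\advantage{\adversary{B}}{\text{UF-NMA}} \geq \advantage{\adversary{A}}{\text{EUF-CMA}} - \ldots$) and quantify $\adversary{B}$ ("there exists an adversary $\adversary{B}$ such that"). The loss term is written as `\frac{\oraclequeries \hashqueries}{2^{-\log_2(x)}}` with $x = \lceil \frac{2^{2b}-1}{L} \rceil 2^{-2b}$, which is just $\oraclequeries \hashqueries \cdot x$; write it in that form. Second, the bookkeeping sets are inconsistent across this commit: the EUF-CMA game records signed messages in $M$, while the win condition quoted in the introduction of the lax section and the \Osign simulation in the figure use $Q$, and neither $Q$ nor the table $\sum$ is initialised in $\adversary{B}$; also `\sum[\encoded{R} | \encoded{A} | m] = \textbf{ch}` uses `=` where the surrounding lines use `\assign`, and `\sum` is the summation sign, `\Sigma` is presumably intended. Third, the figure uses `\large` where the other adversary figure uses `\normalsize`, and its label `fig:adversary_b_suf-nma` names the strict/SUF proof although this is the lax-parsing EUF-CMA adversary (suggest `fig:adversary_b_euf-cma`). The `\item` directly after `\begin{proof}` mirrors the strict proof, so presumably the proof environment is a list; if not, it is a "Lonely \item" error. Finally, the prose needs editing: in the strict-parsing paragraph "When using strict parsing any the decoded $S$ from the signature it is known that" and "This means that from no new and valid signature can be generated" are garbled, and "the result for this hash query are forwarded" should be "is forwarded"; in the lax-parsing paragraph "from a by \Osign generated one" should be "from one generated by \Osign", "for a message $m^*$ for that it has not requested" should be "for which", "the Sign oracle" should be "the \Osign oracle", "adversary B" should be `$\adversary{B}$`; and in the section introduction "The modification of the games are the same" and "this proofs starts at showing" should be "The modifications of the games are the same" and "this proof starts by showing".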