diff --git a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex index 943f21f..0e9c49d 100644 --- a/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex +++ b/thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex 
@@ -1,23 +1,21 @@ \subsection{\sdlog $\overset{\text{AGM}}{\Rightarrow}$ \igame} \label{sec:sdlog_imlies_igame} -%TODO check if all c_i's are replaced by chall_i - -This section shows that \sdlog implies \igame using the Algebraic Group Model. The section starts by introducing a special variant of the discrete logarithm problem followed by an intuition of the proof and at last giving a detailed security proof. +This section shows that \sdlog implies \igame using the algebraic group model. The section begins with an introduction to a special variant of the discrete logarithm problem, followed by an intuition of the proof, and finally a detailed security proof. \paragraph{\underline{Introducing \sdlog}} -The \sdlog game is a variant of the discrete logarithm game which represents the clearing and setting of bits in the secret scalar during the EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not chosen uniformly random from $\field{L}$ with $L$ being the order of the generator but rather from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. The \sdlog game is depicted in figure \ref{fig:sdlog}. +The \sdlog game is a variant of the discrete logarithm game that represents the clearing and setting of bits in the secret scalar during EdDSA key generation. The only difference to the normal discrete logarithm game is that the secret scalars are not randomly chosen from $\field{L}$, where $L$ is the order of the generator, but from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$. This set represents all valid private keys according to the key generation algorithm. The hardness of this version of the discrete logarithm problem is further analyzed in section \ref{sec:sdlog}. 
The \sdlog game is illustrated in figure \ref{fig:sdlog}. \begin{definition}[\sdlog] \label{def:sdlog} For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as following: - \[ \advantage{\adversary{A}}{\text{\sdlog}}(\secparamter) \assign | \Pr[\text{\sdlog}^{\adversary{A}} \Rightarrow 1] |. \] + \[ \advantage{\group{G}, \adversary{A}}{\text{\sdlog}}(\secparamter) \assign | \Pr[\text{\sdlog}^{\adversary{A}} \Rightarrow 1] |. \] \end{definition} -\begin{figure} +\begin{figure}[h] \hrule \vspace{1mm} \begin{algorithmic}[1] @@ -42,9 +40,8 @@ The \sdlog game is a variant of the discrete logarithm game which represents the \paragraph{\underline{Proof Overview}} -The adversary has to call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of Algebraic Group Model the adversary also has to provide a representation of the group element $\groupelement{R}$, as the linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary the representation looks like this: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Together with a valid to the \igame game this can be used to calculate the discrete logarithm of the public key. +The adversary must call the \ioracle oracle with a commitment $\groupelement{R}$ to get a challenge from the challenger. Due to the nature of the algebraic group model, the adversary must also provide a representation of the group element $\groupelement{R}$ as a linear combination of all known group elements. Since only the generator of the group and the public key are known to the adversary, the representation looks like this: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. Together with a valid solution to the \igame game, this can be used to compute the discrete logarithm of the public key. -% TODO: clarify encoding of c \begin{figure} \hrule \begin{multicols}{2} 
@@ -82,9 +79,11 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R \paragraph{\underline{Formal Proof}} \begin{proof} - \item \paragraph{\underline{AGM}} This proof takes place in the algebraic group model. Meaning that the adversary has to provide a representation along each group element it provides to the reduction. The adversary has to provide an element $\groupelement{R}$, which is an element in the prime order subgroup of the Twisted Edwards curve. Leaving the question whether the representation should be defined relative to the prime order subgroup or the Twisted Edwards curve. The answer to this question is that it is enough to provide the representation relative to the prime order subgroup. The reason for that is shown in the following paragraph. + \item The proofs begin by showing that the only valid representation of a group element in the prime order subgroup is the one relative to all known elements in the subgroup and cannot include elements from outside the subgroup. This is followed by a discussion of the individual games-hops. - The Twisted Edwards curve $\curve$ over the finite field $\field{q}$ is an finite abelian group. Even though the group $\curve$ might not be cyclic the fundamental theorem of finitely generated abelian groups tells us that each finite abelian groups can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. Meaning that $\curve$ can be represented as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Lets recall a well known theorem of algebra: + \item \paragraph{\underline{AGM}} This proof is done in the algebraic group model. This means that the adversary has to provide a representation along each group element he provides to the reduction. 
The adversary must provide an element $\groupelement{R}$ which is an element in the prime order subgroup of the twisted Edwards curve. The question remains whether the representation should be defined relative to the prime order subgroup or the twisted Edwards curve. The answer to this question is that it is sufficient to define the representation relative to the prime order subgroup. The reason for this is given in the following paragraph. + + The twisted Edwards curve $\curve$ over the finite field $\mathbb{F}_{q}$ is a finite abelian group. Even though the group $\curve$ may not be cyclic, the Fundamental Theorem of Finitely Generated Abelian Groups tells us that every finite abelian group can be uniquely decomposed into the direct product of cyclic subgroups \cite{karpfinger_hauptsatz_2021}. This means that $\curve$ can be written as $\curve = \langle a_1 \rangle \bigotimes \langle a_2 \rangle \bigotimes ... \bigotimes \langle a_n \rangle$. The set of generators for each of the cyclic groups is called the generating set of $\curve$. Let us recall a well-known theorem of algebra: \item \begin{theorem}[Characterization of Inner Direct Products \cite{karpfinger_direkte_2021}] Let $N_1, ..., N_n$ be subgroups of an group $\group{G}$. Following statements are equivalent: 
@@ -96,20 +95,19 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R \end{enumerate} \end{theorem} - Due to Sylow's theorems the decomposition has to include the large prime order subgroup $\group{G}$ used for EdDSA \cite{karpfinger_satze_2021} and since Twisted Edwards curve (like all Elliptic curves) are abelian each subgroup is also a normal subgroup. Together this means that the representation of each element $\groupelement{X} \in \curve$ is unique relative to the generating set. Since each element $\groupelement{Y} \in \group{G}$ can be represented as $\groupelement{Y} \assign y \groupelement{B}$, with $\groupelement{B}$ being the generator of the prime order subgroup, this has to be the only representation regarding the generation set. Meaning that an adversary in the algebraic group model has to provide a representation in the prime order subgroup $\group{G}$. + Due to Sylow's theorems, the decomposition must include the large prime order subgroup $\group{G}$ used for EdDSA \cite{karpfinger_satze_2021}, and since twisted Edwards curves (like all elliptic curves) are abelian, each subgroup is also a normal subgroup. Together this means that the representation of each element $\groupelement{X} \in \curve$ is unique relative to the generating set. Since each element $\groupelement{Y} \in \group{G}$ can be represented as $\groupelement{Y} \assign y \groupelement{B}$, where $\groupelement{B}$ is the generator of the prime order subgroup, this must be the only representation with respect to the generating set. This means that an adversary, in the algebraic group model, must provide a representation in the prime order subgroup $\group{G}$. - The only two group elements in $\group{G}$ provided to the adversary are the public key $\groupelement{A}$ and the generator $\groupelement{B}$. 
Therefore the representation of the element $\groupelement{R}$, provided to the \ioracle oracle, looks like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. + The only two group elements in $\group{G}$ provided to the adversary are the public key $\groupelement{A}$ and the generator $\groupelement{B}$. Therefore, the representation of the element $\groupelement{R}$, provided to the \ioracle oracle, looks like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. - \item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:igamewithabort} by excluding all boxes and $G_0$ be \igame. By definition, + \item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:igamewithabort} by excluding all boxes. $G_0$ is the same as \igame. By definition, \[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] - \item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c \ch_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence, + \item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being that the bad flag is set inside an if condition. The bad flag is set when $2^c \ch_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is only a conceptual change, since the behavior of the game does not change whether the flag is set or not. Hence, \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. 
\] - \item \paragraph{\underline{$G_2:$}} Game $G_2$ aborts if the flag bad is set. For each individual \ioracle query the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $c_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and therefore the value of $r_2$. This way the adversary has no way of choosing $\ch_i$ after $r_2$ and can not influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the check in the if condition. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have - % TODO: Müsste das nicht floor statt ceil sein? + \item \paragraph{\underline{$G_2:$}} The game $G_2$ is aborted if the bad flag is set. For each individual \ioracle query, the $bad$ flag is set with probability at most $\frac{1}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. $\ch_i$ is chosen by the game after the adversary has provided the representation of $\groupelement{R_i}$ and thus the value of $r_2$. This way the adversary has no way to choose $\ch_i$ after $r_2$ and therefore cannot influence the probability of the abort being triggered. $-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})$ is the min entropy of $\ch_i \pmod L$. $\ch_i$ is chosen uniformly at random from $\{0,1\}^{2b}$ and then reduced modulo $L$ during the if condition check. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. 
Since $G_1$ and $G_2$ are identical-until-bad games, we have \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] @@ -119,7 +117,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter). \label{eq:advbsdlog} \end{align} - \begin{figure} + \begin{figure}[h] \hrule \begin{multicols}{2} \large @@ -148,7 +146,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R \label{fig:adversarybsdlog} \end{figure} - To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. \ioracle is simulated perfectly. + To prove (\ref{eq:advbsdlog}), we define an adversary $\adversary{B}$ attacking \sdlog, which simulates the view of $\adversary{A}$ in $G_2$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversarybsdlog} is run in the \sdlog game and adversary $\adversary{B}$ simulates \ioracle for adversary $\adversary{A}$. The \ioracle oracle is simulated perfectly. Finally, consider $\adversary{A}$'s output $s^*$. We know that one $R^* = 2^c s^*B - 2^c \ch^*A$. We can use this together with the representation of $R^*$ to get following equation: 
@@ -160,5 +158,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R Assuming that $r_2 + 2^c \ch^*$ is invertible in $\field{L}$ (i.e. not equal to $0$), which is ensured due to the abort in $G_2$, both equations can be used to calculate the discrete logarithm of $\groupelement{A}$. + \item Obviously, the runtime of $\adversary{B}$ is ppt. The \ioracle just samples the challenge uniformly at random and returns it after checking the abort condition, which is ppt. After $\adversary{A}$ has provided its solution, adversary $\adversary{B}$ just does some additions, multiplications, and an inversion, which is all ppt. + \item This proves theorem \ref{theorem:advgamez}. \end{proof} \ No newline at end of file diff --git a/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex index 65f0b21..516d2ba 100644 --- a/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex +++ b/thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex 
@@ -1,16 +1,16 @@ \subsection{\igame $\overset{\text{ROM}}{\Rightarrow}$ UF-NMA} -This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts by first providing introducing an intermediate game \igame followed by an intuition of the proof and the detailed security proof. +This section shows that \igame implies the UF-NMA security of the EdDSA signature scheme using the random oracle model. The section begins with the introduction of an intermediate game \igame, followed by an intuition of the proof and the detailed security proof. -\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle by the \ioracle oracle, which takes a commitment and outputs a challenge. This also strips away the message and focuses on the forgery of an arbitrary message. The \igame game is depicted in figure \ref{game:igame}. +\paragraph{\underline{Introducing \igame}} The intermediate game \igame is introduced to create a separation between proofs in the random oracle model and the algebraic group model. This is archived by replacing the random oracle with the \ioracle oracle, which takes a commitment and issues a challenge. This also removes the message and focuses on forging an arbitrary signature. The \igame game is shown in the figure \ref{game:igame}. \begin{definition}[\igame] - For an adversary $\adversary{A}$ we define its advantage in the \igame game as following: + For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ in the \igame game is defined as following: - \[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] |. \] + \[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] |. 
\] \end{definition} -\begin{figure} +\begin{figure}[h] \hrule \begin{multicols}{2} \large @@ -38,14 +38,14 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \label{theorem:adv_igame} Let $\adversary{A}$ be an adversary against $\text{UF-NMA}$. Then, - \[ \advantage{\adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\adversary{B}}{\text{\igame}}(\secparamter). \] + \[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \] \end{theorem} -\paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game. +\paragraph{\underline{Proof Overview}} The adversary must query the random oracle to obtain the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle into the answer from the random oracle. In this way, a valid signature forgery also provides a valid solution to the \igame game. \paragraph{\underline{Formal Proof}} -\begin{figure} +\begin{figure}[h] \hrule \begin{multicols}{2} \large 
@@ -71,9 +71,11 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \end{figure} \begin{proof} - \item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}$. By definition, + \item This proof does not require any game hop, since the random oracle can be simulated using the \ioracle oracle. - \[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] + \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma}. Clearly, $G_0$ is $\text{UF-NMA}$. By definition, + + \[ \advantage{\group{G}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \item $G_0$ is well-prepared to show that there exists an adversary $\adversary{B}$ satisfying @@ -81,7 +83,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). \label{eq:adv_igame} \end{align} - \begin{figure} + \begin{figure}[h] \hrule \vspace{1mm} \begin{multicols}{2} 
@@ -107,7 +109,7 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \label{fig:adversary_igame} \end{figure} - \item To proof (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates $\adversary{A}$'s view in $G_0$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game and adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is simulated perfectly. + \item To prove (\ref{eq:adv_igame}), we define an adversary $\adversary{B}$ attacking \igame that simulates the view of $\adversary{A}$ in $G_0$. The adversary $\adversary{B}$ formally defined in figure \ref{fig:adversary_igame} is run in the \igame game, and the adversary $\adversary{B}$ simulates the random oracle $H$ for the adversary $\adversary{A}$. $H$ is perfectly simulated because the \ioracle oracle also outputs a uniformly random 2b-bit bitstring. For this reason, $H$ returns a uniformly random 2b-bit bitstring for all queries, as expected. Finally, consider $\adversary{A}$'s output $(\m^*, \signature^* \assign (\encoded{R}, S))$. It is known that: @@ -118,7 +120,9 @@ This section shows that \igame implies the UF-NMA security of the EdDSA signatur \Leftrightarrow \groupelement{R}' &= 2^c S \groupelement{B} - 2^c \ioracle(\groupelement{R}') \groupelement{A} \end{align*} - Therefore $S$ is a valid solution for the \igame game. + Therefore, $S$ is a valid solution for the \igame game. + + \item The runtime of adversary $\adversary{B}$ is clearly ppt, since it just outputs the solution of adversary $\adversary{A}$, and in the random oracle it either calls the \ioracle oracle or samples a value uniformly at random. \item This proves theorem \ref{theorem:adv_igame}. \end{proof} \ No newline at end of file 
diff --git a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex index 64d5581..04bd2ce 100644 --- a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex +++ b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex @@ -4,7 +4,7 @@ This section shows that the UF-NMA security of EdDSA implies the \cma security o \begin{theorem} \label{theorem:adv_uf-nma} - Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, + Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \end{theorem} 
@@ -111,7 +111,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the black one. Clearly $G_0$ is the game $\text{\cma}$ for EdDSA. By definition, - \[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] + \[ \advantage{\group{G},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag in the \Osign oracle, which is set in case the hash value for the challenge is already set before the \Osign oracle is called. This change is only conceptual, since it does not change the behavior of the oracle and only changes internal variables of the game. Therefore, @@ -196,7 +196,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit \begin{proof} \item \begin{align} - \prone{G_3^{\adversary{A}}} = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv2_uf-nma} + \prone{G_3^{\adversary{A}}} = \advantage{\group{G}, \adversary{B}}{\text{UF-NMA}}(\secparamter). \label{eq:adv2_uf-nma} \end{align} \begin{figure} @@ -243,7 +243,7 @@ This section shows that the UF-NMA security of EdDSA implies the EUF-CMA securit This means that the forged signature of the adversary $\adversary{A}$ is also a valid signature in the UF-NMA game. - \item Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also the ppt. + \item Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also ppt. \item This proves theorem \ref{theorem:adv2_uf-nma}. \end{proof} \ No newline at end of file
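Review bot: in `dlog'_implies_gamez.tex`, hunk `@@ -1,23 +1,21 @@`, the rewritten \sdlog paragraph loses the word "uniformly": the removed line said the scalars are "chosen uniformly random from $\field{L}$", the added line only says they are "not randomly chosen from $\field{L}$ ... but from the set". The distribution of the secret scalar is exactly what separates \sdlog from the plain discrete logarithm game and what section \ref{sec:sdlog} analyzes, so say it: "are not chosen uniformly at random from $\field{L}$ ... but uniformly at random from the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$". Three nits in the same hunk: the absolute value in $| \Pr[\text{\sdlog}^{\adversary{A}} \Rightarrow 1] |$ is redundant around a probability; `\begin{figure}[h]` is usually promoted to `[ht]` by LaTeX with a warning, so `[htbp]` (or `[H]` with the float package) is the more predictable choice, and the same applies to every `[h]` introduced by this patch; and the macro is spelled `\secparamter` everywhere, which is fine if that is its defined name but worth a global rename otherwise.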
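Review bot: in `dlog'_implies_gamez.tex`, hunk `@@ -42,9 +40,8 @@`, the comment `% TODO: clarify encoding of c` is deleted but nothing in the proof overview clarifies it; the only description of how the challenge is formed ($\ch_i$ uniform in $\{0,1\}^{2b}$, reduced modulo $L$ where it enters the equation) appears much later in the $G_2$ paragraph. Either add that sentence here or keep the TODO until the figure states it. The overview should also say that $\adversary{A}$ may make several \ioracle queries, since the $G_2$ union bound over $\oraclequeries$ queries assumes it; then the representation is per query, $\groupelement{R_i} = r_{1,i} \groupelement{B} + r_{2,i} \groupelement{A}$, which avoids the index on $r_2$ silently disappearing in the bad-flag condition further down.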
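Review bot: in `dlog'_implies_gamez.tex`, hunk `@@ -82,9 +79,11 @@`, the new sentence "every finite abelian group can be uniquely decomposed into the direct product of cyclic subgroups" claims more than the cited theorem gives (the orders of the cyclic factors are unique up to isomorphism, the subgroups themselves are not) and more than the argument needs. What the AGM paragraph actually uses is that $\curve$ is an inner direct product of cyclic subgroups one of which is $\group{G} = \langle \groupelement{B} \rangle$, after which the Characterization theorem quoted right below yields the unique component representation of every element; phrase it that way and state explicitly that $\groupelement{B}$ is taken as the generator of the $\group{G}$ factor of the generating set, otherwise "this must be the only representation with respect to the generating set" does not follow. Smaller points in the same hunk: "The proofs begin" should be "The proof begins" and "games-hops" should be "game hops"; the adversary is "he" here but "it" everywhere else; and `\bigotimes` is the big tensor-product operator, so use `\times` (or `\oplus`, matching the additive notation $r_1 \groupelement{B} + r_2 \groupelement{A}$) for the direct product.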
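Review bot: in `dlog'_implies_gamez.tex`, hunk `@@ -96,20 +95,19 @@`, the German TODO `% TODO: Müsste das nicht floor statt ceil sein?` ("shouldn't this be floor instead of ceil?") is deleted without being answered, and the per-query abort bound deserves the one line that answers it: a uniform $2b$-bit integer lands in any fixed residue class modulo $L$ with probability at most $\lceil 2^{2b}/L \rceil \cdot 2^{-2b}$, because a class has at most $\lceil 2^{2b}/L \rceil$ preimages in $[0, 2^{2b}-1]$, so ceiling is right and floor would undercount. The written $\lceil \frac{2^{2b}-1}{L} \rceil$ equals $\lceil 2^{2b}/L \rceil$ except when $L$ divides $2^{2b}-1$, where it is one too small; writing $\lceil 2^{2b}/L \rceil$ removes the corner case. Independently, $\frac{1}{2^{-\log_2(x)}}$ is just $x$, so the bound reads far more easily as $\Pr[bad] \leq \oraclequeries \cdot \lceil 2^{2b}/L \rceil \cdot 2^{-2b}$, or as $\oraclequeries \cdot 2^{-H_\infty(\ch_i \bmod L)}$ after defining the min-entropy once. Two wording fixes in the same hunk: "the bad flag is set when $2^c \ch_i = -r_2$" should say modulo $L$ and name the query, i.e. $2^c \ch_i \equiv -r_{2,i} \pmod L$ (the later invertibility argument is in $\field{L}$); and "the adversary has no way to choose $\ch_i$ after $r_2$" is backwards, since $\adversary{A}$ never chooses $\ch_i$ at all; the point is that $r_{2,i}$ is committed in the representation before $\ch_i$ is sampled, so $\adversary{A}$ cannot adapt $r_{2,i}$ to the challenge. The identical-until-bad step should also cite the lemma it relies on.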
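Review bot: in `dlog'_implies_gamez.tex`, hunk `@@ -148,7 +146,7 @@`, "The \ioracle oracle is simulated perfectly" is still asserted without argument, while the parallel hunk in `gamez_implies_uf-nma.tex` adds a justification for its random oracle; add the corresponding sentence here: $\adversary{B}$ samples every $\ch_i$ uniformly from $\{0,1\}^{2b}$ exactly as $G_2$ does and aborts on the same condition, so $\adversary{A}$'s view under $\adversary{B}$ is identical to its view in $G_2$. The unchanged context line "We know that one $R^* = 2^c s^*B - 2^c \ch^*A$" has a stray "one" and drops the `\groupelement{}` macro on $R^*$, $B$ and $A$ that the surrounding lines use.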
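Review bot: in `gamez_implies_uf-nma.tex`, hunk `@@ -1,16 +1,16 @@`, "This is archived by replacing" survives the rewrite in the added line; it should be "achieved". The definition now opens with a fragment, "For an adversary $\adversary{A}$. The advantage of $\adversary{A}$ ...", where the removed line was a complete sentence; restore "For an adversary $\adversary{A}$ we define its advantage in the \igame game as follows:" (and "as following" should be "as follows" in the \sdlog definition too). Also "shown in the figure \ref{game:igame}" should be "shown in figure \ref{game:igame}", and the label prefix `game:` differs from the `fig:` prefix used for every other figure in this patch (`fig:sdlog`, `fig:igamewithabort`, `fig:adversary_igame`).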
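Review bot: in `gamez_implies_uf-nma.tex`, hunk `@@ -38,14 +38,14 @@`, theorem \ref{theorem:adv_igame} equates $\adversary{A}$'s UF-NMA advantage with the advantage of an adversary $\adversary{B}$ that the statement never introduces; write it as "there exists an adversary $\adversary{B}$ against \igame, running in about the same time as $\adversary{A}$ and making one \ioracle query per hash query of $\adversary{A}$, such that ...". The query count is not cosmetic: the \sdlog bound in `dlog'_implies_gamez.tex` is stated per \ioracle query under the name $\oraclequeries$, while `uf-nma_implies_suf-cma.tex` counts hash queries as $\hashqueries$ and uses $\oraclequeries$ for a different oracle, so chaining the three theorems needs the translation $q_{\ioracle} = \hashqueries$ made explicit or distinct macros. The switch of the advantage subscript from `\text{EdDSA}` to `\group{G}` (here and in `uf-nma_implies_suf-cma.tex`) also means the notation no longer names the scheme although the prose keeps saying "UF-NMA security of EdDSA"; if uniform notation is the goal, say once that all advantages refer to EdDSA over $\group{G}$.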
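Review bot: in `gamez_implies_uf-nma.tex`, hunk `@@ -107,7 +109,7 @@`, the added justification "$H$ is perfectly simulated because the \ioracle oracle also outputs a uniformly random 2b-bit bitstring" only covers the marginal distribution of a single answer, which is not what makes $H$ a random oracle. Two further properties must hold and the text should say which one \igame (figure \ref{game:igame}) guarantees: repeated queries on the same $\encoded{R} | \encoded{A} | m$ must return the same value, so either \ioracle is deterministic in $\groupelement{R}$ or $\adversary{B}$ keeps a table; and queries that differ only in $m$ but share $\groupelement{R}$ must receive independent answers, so $\adversary{B}$ cannot reuse one challenge for two messages unless \ioracle returns a fresh challenge on every query and \igame accepts a solution against any of them. The union bound over $\oraclequeries$ queries in the $G_2$ analysis of `dlog'_implies_gamez.tex` suggests the fresh-challenge reading; if so, the proof should note that the forgery's $\ch^*$ is the challenge of the query matching $(\encoded{R}, \encoded{A}, \m^*)$. Typography: "2b-bit" should be "$2b$-bit" in both places.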
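Review bot: in `gamez_implies_uf-nma.tex`, hunk `@@ -118,7 +120,9 @@`, the runtime sentence says the simulated random oracle "either calls the \ioracle oracle or samples a value uniformly at random" without stating the condition that selects the branch; repeat the condition from figure \ref{fig:adversary_igame} in the prose, because it is what bounds the number of \ioracle queries $\adversary{B}$ makes by $\hashqueries$, and that number feeds the \sdlog loss term of the previous section. "clearly ppt" should likewise be replaced by the concrete cost: the time of $\adversary{A}$ plus one table lookup or one \ioracle call per hash query.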
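Review bot: in `uf-nma_implies_suf-cma.tex`, hunk `@@ -4,7 +4,7 @@`, theorem \ref{theorem:adv_uf-nma} has the same missing quantifier as the other theorems ($\adversary{B}$ appears in the bound without being introduced), and its loss term $\frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$ is the same $\frac{1}{2^{-\log_2 x}} = x$ construction as in `dlog'_implies_gamez.tex`; write it as $\oraclequeries \hashqueries \cdot \lceil 2^{2b}/L \rceil \cdot 2^{-2b}$ and state in one clause where the product comes from (each of the $\oraclequeries$ signing queries can collide with each of the $\hashqueries$ hash queries with at most that probability). Here $\oraclequeries$ counts "oracle queries" of a CMA adversary, whereas the same macro counts \ioracle queries in `dlog'_implies_gamez.tex`; separate macros ($q_S$, $q_H$, $q_{\ioracle}$) would make the composed bound readable. The clause "let $\group{G}$ be a group of prime order $L$" is good and should be added to the two other theorem statements for consistency.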
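Review bot: in `uf-nma_implies_suf-cma.tex`, hunk `@@ -196,7 +196,7 @@`, equation (\ref{eq:adv2_uf-nma}) writes the success probability as `\prone{G_3^{\adversary{A}}}` while both other files and the earlier part of this file spell it out as `\Pr[G^{\adversary{A}} \Rightarrow 1]`; pick one form for the whole chapter (the macro is fine if it is defined as that expression, but then use it everywhere).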
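Review bot: in `uf-nma_implies_suf-cma.tex`, hunk `@@ -243,7 +243,7 @@`, "Since the adversary $\adversary{B}$ is the same as in the proof above the runtime is also ppt." needs a comma after "above" and should name the proof it refers to (theorem \ref{theorem:adv_uf-nma}) rather than "above", since the EUF-CMA section is a separate subsection; stating the runtime as that of $\adversary{A}$ plus the simulation overhead, as suggested for the other two files, keeps the three proofs parallel. All three files still end with `\ No newline at end of file`; add the trailing newline while touching them.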