Fixed security parameter

thesis/sections/security_of_eddsa/dlog'_implies_gamez.tex

@@ -11,7 +11,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
 \begin{definition}[\sdlog]
 	For an adversary $\adversary{A}$ we define its advantage in the \sdlog game as following:
 	
-	\[ \advantage{\adversary{A}}{\sdlog}(k) \assign | \Pr[\sdlog^{\adversary{A}} \Rightarrow 1] | \].
+	\[ \advantage{\adversary{A}}{\sdlog}(\secparamter) \assign | \Pr[\sdlog^{\adversary{A}} \Rightarrow 1] | \].
 \end{definition}
 
 
@@ -34,7 +34,7 @@ The \sdlog game is a variant of the discrete logarithm game which represents the
 	\label{theorem:advgamez}
 	Let $\adversary{A}$ be an adversary against \igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then
 	
-	\[ \advantage{\group{G},\adversary{A}}{\igame}(k) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(k) - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
+	\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) - \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
 \end{theorem}
 
 \paragraph{\underline{Proof Overview}}
@@ -97,7 +97,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
 	
 	\item \paragraph{\underline{$G_0$:}} Let $G_0$ be defined in figure \ref{fig:igamewithabort} by excluding all boxes and $G_0$ be \igame. By definition,
 	
-	\[ \advantage{\group{G},\adversary{A}}{\igame}(k) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
+	\[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) = \Pr[\igame^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
 	
 	\item \paragraph{\underline{$G_1$:}} Game $G_1$ is exactly the same as $G_0$ with the only change being the bad flag being set inside an if condition. The bad flag is set if $2^c \ch_i = -r_2$. This represents cases where not all solutions from the adversary $\adversary{A}$ can be used to calculate the discrete logarithm of $\groupelement{A}$. This is just a conceptual change since the behavior of the game does not change whether the flag is set or not. Hence,
 	
@@ -111,7 +111,7 @@ The adversary has to call the \ioracle oracle with a commitment $\groupelement{R
 	\item Finally, Game $G_2$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
 	
 	\begin{align}
-		\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(k) \label{eq:advbsdlog}
+		\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) \label{eq:advbsdlog}
 	\end{align}.
 	
 	\begin{figure}

thesis/sections/security_of_eddsa/gamez_implies_uf-nma.tex

@@ -7,7 +7,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
 \begin{definition}[\igame]
 	For an adversary $\adversary{A}$ we define its advantage in the \igame game as following:
 	
-	\[ \advantage{\adversary{A}}{\igame}(k) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] | \].
+	\[ \advantage{\adversary{A}}{\igame}(\secparamter) \assign | \Pr[\igame^{\adversary{A}} \Rightarrow 1] | \].
 \end{definition}
 
 \begin{figure}
@@ -38,7 +38,7 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
 	\label{theorem:adv_igame}
 	Let $\adversary{A}$ be an adversary against $\text{UF-NMA}_{\text{EdDSA}}$. Then,
 	
-	\[ \advantage{\adversary{A}}{UF-NMA}(k) = \advantage{\adversary{B}}{\igame}(k) \].
+	\[ \advantage{\adversary{A}}{UF-NMA}(\secparamter) = \advantage{\adversary{B}}{\igame}(\secparamter) \].
 \end{theorem}
 
 \paragraph{\underline{Proof Overview}} The adversary has to query the random oracle to get the hash value $H(\encoded{R} | \encoded{A} | m)$. The programmability of the random oracle can be used to embed the challenge from the \ioracle oracle into the answer of the random oracle. This way a valid forgery of a signature also provides a valid solution for the \igame game.
@@ -70,12 +70,12 @@ This section shows that \igame implies the UF-NMA security if the EdDSA signatur
 \begin{proof}
 	\item \paragraph{\underline{$G_0$}} Let $G_0$ be defined in figure \ref{fig:igame_implies_uf-nma} and let $G_0$ be $\text{UF-NMA}_{\text{EdDSA}}$. By definition,
 	
-	\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}} = \Pr[\text{UF-NMA}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
+	\[ \advantage{\text{EdDSA}, \adversary{A}}{\text{UF-NMA}}(\secparamter) = \Pr[\text{UF-NMA}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1 ] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
 	
 	\item $G_0$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
 	
 	\begin{align}
-		\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\igame}(k) \label{eq:adv_igame}
+		\Pr[G_0^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G}, \adversary{B}}{\igame}(\secparamter) \label{eq:adv_igame}
 	\end{align}.
 
 	\begin{figure}

thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex

@@ -7,7 +7,7 @@ This section shows that the \cma security of EdDSA signature scheme implies the
 	\label{theorem:adv_uf-nma}
 	Let $\adversary{A}$ be an adversary against $\cma_{\text{EdDSA}}$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then,
 	
-	\[ \advantage{\adversary{A}}{\text{\cma}}(k) = \advantage{\adversary{B}}{\text{UF-NMA}}(k) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
+	\[ \advantage{\adversary{A}}{\text{\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \].
 \end{theorem}
 
 \paragraph{\underline{Proof Overview}} The UF-NMA security definition is close to the security definition of \cma but is missing the \Osign oracle. To show that UF-NMA security implies \cma security the reduction has to simulate the \Osign oracle without the knowledge of the private key. 
@@ -103,7 +103,7 @@ The proof starts by providing an algorithm which generates correctly distributed
 \begin{proof}
 	\item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:uf-nma_implies_suf-cma_games} by excluding all boxes except the gray filled one and let $G_0$ be $\text{\cma}_{\text{EdDSA}}$. By definition,
 	
-	\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(k) = \Pr[\text{\cma}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
+	\[ \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) = \Pr[\text{\cma}_{\text{EdDSA}}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1] \].
 	
 	\item \paragraph{\underline{$G_1:$}} $G_1$ is now defined by replacing the gray filled box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set in the case that the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Hence,
 	
@@ -118,7 +118,7 @@ The proof starts by providing an algorithm which generates correctly distributed
 	\item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying
 	
 	\begin{align}
-		\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(k) \label{eq:adv_uf-nma}
+		\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{UF-NMA}}(\secparamter) \label{eq:adv_uf-nma}
 	\end{align}.
 
 	\begin{figure}