From d45bcef6c9771e6f2639268459a6a3ed8febb628 Mon Sep 17 00:00:00 2001
From: Aaron Kaiser <a_kaiser@posteo.de>
Date: Wed, 14 Jun 2023 09:52:01 +0200
Subject: [PATCH] =?UTF-8?q?Rewrote=20introduction=20to=20multi-user=20proo?=
 =?UTF-8?q?f=20and=20added=20info=20for=20Ehrenw=C3=B6rtliche=20Erkl=C3=A4?=
 =?UTF-8?q?rung?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 thesis/Abschlussarbeit.tex | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/thesis/Abschlussarbeit.tex b/thesis/Abschlussarbeit.tex
index 67aad0c..3c710c5 100644
--- a/thesis/Abschlussarbeit.tex
+++ b/thesis/Abschlussarbeit.tex
@@ -106,16 +106,16 @@ abstract
 
 This section takes a closer look at the single-user security of the EdDSA signature scheme. This is done by sowing the SUF-CMA and EUF-CMA security of EdDSA with different styles of signature parsing. The security is under the \sdlog assumption. The \sdlog assumption is a variation of the original discrete logarithm problem, which takes the key clamping during the key generation algorithm of EdDSA into account.
 
-The two main theorems for the single user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
+The two main theorems for the single-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
 
 \begin{theorem}[Security of EdDSA with strict parsing in the single-user setting]
-	Let $\adversary{A}$ be an adversary against the  SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ a group of prime order $L$. Then,
+	Let $\adversary{A}$ be an adversary against the  SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
 	
 	\[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
 \end{theorem}
 
 \begin{theorem}[Security of EdDSA with lax parsing in the single-user setting]
-	Let $\adversary{A}$ be an adversary against the  SUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ a group of prime order $L$. Then,
+	Let $\adversary{A}$ be an adversary against the  SUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
 	
 	\[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
 \end{theorem}
@@ -130,16 +130,31 @@ The chain of reductions can be depicted as:
 \input{sections/security_of_eddsa/gamez_implies_uf-nma}
 \input{sections/security_of_eddsa/dlog'_implies_gamez}
 
-
 \section{The Security of EdDSA in a Multi-User Setting}
 
-In this section the multi-user security of the EdDSA signature scheme will be analyzed. A common approach for Schnorr-like signature schemes is to show it via the Random Self-reducibility property of the canonical identification scheme as done in \cite{C:KilMasPan16}. This approach does not work with the EdDSA signature scheme, since the reduction is not able to rerandomize a public key in a way preserving the distribution of the key generation algorithm. This is due to the fact that valid public key always have to have the n-th bit set. Therefore, a similar approach to the single-user setting is used. It is not possible to reduce the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used as introduced in \cite{JC:BNPS03}.
+In this section the multi-user security of the EdDSA signature scheme will be analyzed. A common approach for Schnorr-like signature schemes is to show it via the Random Self-reducibility property of the canonical identification scheme as done in \cite{C:KilMasPan16}. This approach does not work with the EdDSA signature scheme, since the reduction is not able to rerandomize a public key in a way preserving the distribution of the key generation algorithm. This is due to the fact that valid public key always has to have the n-th bit set. 
+
+Therefore, a similar approach to the proof in the single-user setting is used. It is not possible to reduce the \sdlog problem directly since the adversary gets multiple public keys and therefore might not provide a representation of the commitment looking like $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A}$, which was needed for the discrete logarithm of the public key to be calculated. For this reason a variant of the one-more discrete logarithm assumption (OMDL) has to be used, as introduced in \cite{JC:BNPS03}.
 
 The proof starts by showing that the MU-UF-NMA security of EdDSA implies MU-SUF-CMA security of EdDSA in the Random Oracle Model. Next an intermediate game is introduced onto which the MU-UF-NMA security of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of the variant of the one-more discrete logarithm assumption.
 
+The two main theorems for the multi-user security of $\text{EdDSA}_{\text{sp}}$ and $\text{EdDSA}_{\text{lp}}$ are:
+
+\begin{theorem}[Security of EdDSA with strict parsing in the multi-user setting]
+	Let $\adversary{A}$ be an adversary against the  MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
+	
+	\[ \advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
+\end{theorem}
+
+\begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting]
+	Let $\adversary{A}$ be an adversary against the  MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,
+	
+	\[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \]
+\end{theorem}
+
 The chain of reductions can be depicted as:
 
-\[ \somdl \Rightarrow \text{MU-}\igame \Rightarrow \text{MU-UF-NMA} \Rightarrow \text{MU-SUF-CMA} \]
+\[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-UF-NMA} \overset{\text{ROM}}{\Rightarrow} MU-\cma_{\text{EdDSA sp}} / \text{MU-EUF-CMA}_{\text{EdDSA lp}} \]
 
 \input{sections/mu_security_of_eddsa/mu-uf-nma_implies_mu-suf-cma}
 \input{sections/mu_security_of_eddsa/mu-gamez_implies_mu-uf-nma}
@@ -171,9 +186,10 @@ The chain of reductions can be depicted as:
 \noindent
 Hiermit versichere ich, 
 %Name
+Aaron Kaiser
 wohnhaft 
 %Adresse
-dass ich die vorliegende Arbeit selbstständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel benutzt habe,
+Universitätsstr. 110, 44799 Bochum, dass ich die vorliegende Arbeit selbstständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel benutzt habe,
 dass alle Stellen der Arbeit, die wörtlich oder sinngemäß aus anderen Quellen übernommen wurden, als solche kenntlich gemacht sind und dass die Arbeit in gleicher 
 oder ähnlicher Form noch keiner Prüfungsbehörde vorgelegt wurde.
 
@@ -182,9 +198,11 @@ oder ähnlicher Form noch keiner Prüfungsbehörde vorgelegt wurde.
 
 \noindent
 %Ort
+Bochum,
 \today\hspace{5.19625cm}\underline{\hspace{5.9cm}}\\
 \phantom{\hspace{11.5cm}}{\small{
 %Name
+Aaron Kaiser
 }}
 
 \newpage\