From ead86c9fb7cf4a198a337d145703c4ca51f868f2 Mon Sep 17 00:00:00 2001
From: Aaron Kaiser
Date: Thu, 13 Jul 2023 11:26:15 +0200
Subject: [PATCH] Add reference to theorem
---
 thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex
index 15b01ed..ddaf426 100644
--- a/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex
+++ b/thesis/sections/security_of_eddsa/uf-nma_implies_suf-cma.tex
@@ -2,7 +2,7 @@
 This section shows that the EUF-NMA security of EdDSA implies the \cma security of EdDSA with strict parsing using the random oracle model. The section begins with an intuition for the proof, followed by the detailed security proof.
-\begin{theorem}
+\begin{theorem}[\cite{SP:BCJZ21}]
 \label{theorem:adv_uf-nma} Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then,
@@ -183,7 +183,7 @@ This method of simulating the \Osign oracle and the resulting loss of advantage
 This section shows that the EUF-NMA security of EdDSA implies the EUF-CMA security of EdDSA with lax parsing using the random oracle model. This proof is very similar to the proof of the SUF-CMA security of EdDSA with strict parsing. The modification of the games is the same as in the proof above, with the only difference being the winning condition, which is $\verify(\groupelement{A}, \m^*,\signature^*) \wedge \m^* \notin \pset{Q}$. For this reason, this proof begins by showing the existence of an adversary $\adversary{B}$ who breaks EUF-NMA security. The SUF-CMA security cannot be proved because there may be multiple encodings of $S$ that map to the same $S \pmod L$, and therefore a new valid signature could be forged from an old one by simply choosing a different encoding of $S$, which would cause the output $H'(\encoded{R^*}|\encoded{A}|m^*)$ to be set by the reduction itself, and therefore the forged signature would not be a valid signature for the EUF-NMA challenger.
-\begin{theorem}
+\begin{theorem}[\cite{SP:BCJZ21}]
 \label{theorem:adv2_uf-nma} Let $\adversary{A}$ be an adversary against EUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then,