Included Feedback from last session

2023-02-27 17:16:23 +01:00
parent 48bbf09e9e
commit f85f29c221

@@ -101,6 +101,8 @@ TODO
\newpage
\section{Related Work}
\section{Notation}
\section{Preliminaries}
\subsection{Schnorr Signatures}
@@ -135,7 +137,7 @@ Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \c
\begin{algorithmic}[1]
\Procedure{Sign}{$\m$}
\State $\signature \randomassign \sign(\privkey, \m)$
\State $M \assign M \cup {(\m, \signature)}$
\State $M \assign M \cup \{(\m, \signature)\}$
\State \Return $\signature$
\EndProcedure
\end{algorithmic}
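Review bot: On the `M \assign M \cup \{(\m, \signature)\}` line, the set of signed pairs is called $M$ while the message macro is `\m`, which is easy to misread inside the game; consider a distinct symbol for the query set (for example $\mathcal{Q}$) and use it consistently wherever the game refers to previously signed messages. The brace escaping itself is correct, since unescaped `{ }` in math mode only group and are not printed.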
@@ -149,8 +151,6 @@ Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \c
\subsection{Generic Group Model (GGM)}
\section{Notation}
\newpage
\section{EdDSA Signatures}
@@ -162,8 +162,7 @@ This work will take a closer look at the \cma security of the EdDSA signature sc
In the prehashing variant of EdDSA the signature is calculated on the hash value of the message. The message is used twice during the generation of the signature. Thus the message needs to be buffered or transmitted twice during the generation of the signature. Therefore the prehashing variant offers an performance advantage on memory and bandwidth constraint devices. The context is an additional input parameter which has to be equal during generation and verification of the signature and is used to bind the signature to a given context.
Figure \ref{fig:eddsa} defines the EdDSA signature scheme. In this version the prehashing of the message is ommited since the main security proof will focus on the EdDSA version without prehashing. In this case the prehash function $H'(\cdot)$ is the identity function. After proofing the security of the EdDSA signature scheme without prehashing I will show that EdDSA with prehashing is equally as secure assuming collision resistence of the prehash function $H'(\cdot)$.
%TODO: Ichform?
Figure \ref{fig:eddsa} defines the EdDSA signature scheme. In this version the prehashing of the message is ommited since the main security proof will focus on the EdDSA version without prehashing. In this case the prehash function $H'(\cdot)$ is the identity function. After proofing the security of the EdDSA signature scheme without prehashing it will be shown that EdDSA with prehashing is equally as secure assuming collision resistence of the prehash function $H'(\cdot)$.
\subsection{EdDSA Parameter}
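Review bot: The rewritten sentence starting "Figure \ref{fig:eddsa} defines" drops the first person but carries over the spelling errors "ommited", "proofing" and "resistence"; these should read "omitted", "proving" and "resistance", and "equally as secure" can be shortened to "as secure". The unchanged paragraph above it has the same kind of slip ("an performance advantage", "constraint devices" for "constrained devices"), and its sentences about the message being used twice read as if they describe the prehashing variant, so it is worth stating explicitly which variant needs the buffering.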
@@ -251,7 +250,7 @@ The EdDSA signature scheme is defined using a twisted Edwards curve. Twisted Edw
\subsection{Replacing Hash Function Calls}
To make working with the random oracle easier in the following proofs I will replace some calls to the hash function with calls to a pseudo random generator and a pseudo random function. I then show that the advantage winning the \cma game of both versions of the EdDSA signature scheme is roughly the same.
To make working with the random oracle easier in the following proofs some calls to the hash function are being replaced with calls to a pseudo random generator and a pseudo random function. After that it will be shown that the advantage winning the \cma game of both versions of the signature scheme is roughly the same.
\newpage
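Review bot: In the new sentence under "Replacing Hash Function Calls", "roughly the same" is too vague for a statement that the later proofs depend on; say what the two advantages differ by (for example the distinguishing advantages against the pseudorandom generator and the pseudorandom function) or point to the lemma that gives the bound. "are being replaced" reads better as "are replaced", and "both versions of the signature scheme" should name the two versions, since the word EdDSA was dropped in the rewrite.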
@@ -260,10 +259,8 @@ To make working with the random oracle easier in the following proofs I will rep
This section takes a look at the single-user security of EdDSA. This is done by showing the \cma security of EdDSA assuming the security of a special version of the DLog problem. This special version is derived from the key generation procedure. Section \ref{sec:dlog'} provides a concrete bound on the security of this version of the DLog problem.
% TODO: Ichform?
% TODO: richtige Richtung?
% TODO: "onto which I will reduce the UF-NMA security" kann man das so schreiben?
The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next I introduce an intermediate game on which I will reduce the UF-NMA security. At last, I will show that this intermediate game implies security regarding the special version of the DLog problem.
The proof starts by showing that the UF-NMA security of EdDSA implies \cma security of EdDSA in the Random Oracle Model. Next a intermediate game is introduced onto which the UF-NMA securtiy of EdDSA is reduced. At last, the security of the intermediate game is reduced onto the security of a special version of DLog, which is a result of the special key generation algorithm used by EdDSA.
The chain of reductions can be depicted as:
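Review bot: The replacement sentence "Next a intermediate game is introduced onto which the UF-NMA securtiy of EdDSA is reduced" contains "a intermediate" (should be "an intermediate") and "securtiy", and "reduced onto" is normally written "reduced to". The removed comment asking whether the direction is right is deleted without the wording being made unambiguous: state for each step which assumption implies which security notion, in the same order as the chain of reductions that follows. The closing clause about the special DLog version also repeats what the first paragraph of the section already says and could be shortened.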
@@ -277,7 +274,7 @@ In this section I will show that the \cma security of EdDSA signature scheme imp
The EdDSA signature scheme is based on the Schnorr signature scheme which basis is a canonical identification scheme onto which the Fiat-Shamir transformation is applied. This means EdDSA roughly follows the scheme by first calculating a commitment $R$, calculating a challenge $h$ using the hash function and then calculating the response $S$ based on commitment and challenge. The signature is the tuple of commitment and response.
To generate a signature without the knowledge of the private key I choose the challenge and the response randomly, calculate the commitment based on the choosen challenge and response and then program the random oracle to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for this message.
To generate a signature without the knowledge of the private key the challenge and the response are choosen randomly and the commitment is calculated based on the choosen challenge and response. The random oracle is then programmed to output the challenge given the commitment and the message as input. This way the resulting tuple of commitment and response is a valid signature for the given message.
\paragraph{Formal Proof}
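Review bot: The new paragraph beginning "To generate a signature without the knowledge of the private key" spells "choosen" twice where "chosen" is meant, and the section's opening sentence visible in the hunk header still uses "I will show", so the first-person cleanup is incomplete here. On substance, the sentence about programming the random oracle does not say what happens when the oracle has already been defined on the input formed from the commitment and the message; the informal description should mention that this case is handled (typically as an abort event whose probability is bounded) before the formal proof starts.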