\subsection{Security Notions}

\subsubsection{Identical-Until-Bad Games}

\subsubsection{Digital Signature Scheme}

\subsubsection{\cma}
Strong Existential Unforgeability against Chosen Message Attack (\cma) is a security notion for digital signature schemes. In this game the adversary is given access to a \Osign oracle, which generates valid signatures for arbitrary messages. The adversary wins the game if it is able to provide a message-signature pair that is valid and was not generated by the \Osign oracle. The security game is depicted in Figure~\ref{game:cma}.

\begin{definition}[\cma]
    Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \cma secure if for all ppt adversaries $\adversary{A}$ the advantage $\advantage{SIG,\adversary{A}}{\text{\cma}}(\secparamter)$ is negligible in $\secparamter$.
    \[
        \advantage{SIG,\adversary{A}}{\text{\cma}}(\secparamter) \assign \prone{\text{\cma}^{\adversary{A}}} \leq \epsilon
    \]
\end{definition}

\begin{figure}
    \hrule
    \begin{multicols}{2}
        \normalsize
        \begin{algorithmic}[1]
            \Statex \underline{\game $\text{\cma}$}
            \State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
            \State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
            \State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1 \wedge (\m^*, \signature^*) \notin M$
        \end{algorithmic}
        \columnbreak
        \begin{algorithmic}[1]
            \Statex \underline{\oracle \Osign($\m \in \messagespace$)}
            \State $\signature \randomassign \sign(\privkey, \m)$
            \State $M \assign M \cup \{(\m, \signature)\}$
            \State \Return $\signature$
        \end{algorithmic}
    \end{multicols}
    \hrule
    \caption{\cma Security Game}
    \label{game:cma}
\end{figure}

\subsubsection{UF-NMA}
Unforgeability against No Message Attack (UF-NMA) is a security notion for digital signature schemes. The difference from the \cma game is that the adversary does not get access to an \Osign oracle, which provides it with valid signatures for arbitrary messages.
As in the \cma setting, the adversary is tasked with providing a valid signature for an arbitrary message. The game is depicted in Figure~\ref{game:uf-nma}.

\begin{definition}[UF-NMA]
    Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is UF-NMA secure if for all ppt adversaries $\adversary{A}$ the advantage $\advantage{SIG,\adversary{A}}{\text{UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
    \[
        \advantage{SIG,\adversary{A}}{\text{UF-NMA}}(\secparamter) \assign \prone{\text{UF-NMA}^{\adversary{A}}} \leq \epsilon
    \]
\end{definition}

\begin{figure}
    \hrule
    \vspace{1mm}
    \begin{algorithmic}[1]
        \Statex \underline{\game $\text{UF-NMA}$}
        \State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
        \State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey)$
        \State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1$
    \end{algorithmic}
    \hrule
    \caption{UF-NMA Security Game}
    \label{game:uf-nma}
\end{figure}

\subsubsection{MU-SUF-CMA}
MU-SUF-CMA is the multi-user variant of the SUF-CMA security notion. Instead of one public key, the attacker gets $n$ public keys and is able to query signatures for arbitrary messages under any of the public keys. The goal of the adversary is to forge a signature for any of the public keys. The game is depicted in Figure~\ref{game:mu-suf-cma}.

%TODO: Parameter in definition (e.g. n-MU_SUF-CMA)
\begin{definition}[MU-SUF-CMA]
    Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $n$ be an integer. $SIG$ is $n$-MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the advantage $\advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
    \[
        \advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \assign \prone{\text{MU-SUF-CMA}^{\adversary{A}}} \leq \epsilon
    \]
\end{definition}

\begin{figure}
    \hrule
    \begin{multicols}{2}
        \normalsize
        \begin{algorithmic}[1]
            \Statex \underline{\game $\text{MU-SUF-CMA}$}
            \State \textbf{for} $i \in \{1,2,...,n\}$
            \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
            \State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
            \State \Return $\exists i \in \{1,2,...,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$ % TODO: Fix formatting
        \end{algorithmic}
        \columnbreak
        \begin{algorithmic}[1]
            \Statex \underline{\oracle \Osign($i \in \{1,2,...,n\}$, $\m \in \messagespace$)}
            \State $\signature \randomassign \sign(\privkey_i, \m)$
            \State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
            \State \Return $\signature$
        \end{algorithmic}
    \end{multicols}
    \hrule
    \caption{MU-SUF-CMA Security Game}
    \label{game:mu-suf-cma}
\end{figure}

\subsubsection{MU-UF-NMA}
MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of one public key, the adversary gets access to $n$ public keys and has to forge a signature for any of the public keys. Unlike in the MU-SUF-CMA game, the adversary does not get access to a signing oracle. The game is depicted in Figure~\ref{game:mu-uf-nma}.

\begin{definition}[MU-UF-NMA]
    Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $n$ be an integer. $SIG$ is $n$-MU-UF-NMA secure if for all ppt adversaries $\adversary{A}$ the advantage $\advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
    \[
        \advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq \epsilon
    \]
\end{definition}

\begin{figure}
    \hrule
    \vspace{1mm}
    \begin{algorithmic}[1]
        \Statex \underline{\game $\text{MU-UF-NMA}$}
        \State \textbf{for} $i \in \{1,2,...,n\}$
        \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
        \State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey_1, \pubkey_2, ..., \pubkey_n)$
        \State \Return $\exists i \in \{1,2,...,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
    \end{algorithmic}
    \hrule
    \caption{MU-UF-NMA Security Game}
    \label{game:mu-uf-nma}
\end{figure}
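
The following is an added example, not part of the original text: the MU-SUF-CMA game as executable Python, where $n = 1$ gives the single-key game. As assumptions, a Lamport one-time signature stands in for $SIG$ (the text fixes no scheme), users are indexed from 0, and the index $i$ is stored in $M$ in place of $\pubkey_i$. It goes beyond the figures by running three constructed adversaries against a strict verifier and a deliberately lax one that ignores trailing bytes.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def bits(m):                        # 256 digest bits of the message, MSB first
    d = int.from_bytes(H(m), "big")
    return [(d >> (255 - j)) & 1 for j in range(256)]

def keygen():                       # Lamport one-time key pair (stand-in for KeyGen)
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[H(x) for x in pair] for pair in sk]
    return pk, sk

def sign(sk, m):                    # reveal one preimage per digest bit
    return b"".join(sk[j][b] for j, b in enumerate(bits(m)))

def verify_strict(pk, m, sig):      # exact length and every chunk must match
    return len(sig) == 256 * 32 and all(
        H(sig[32 * j:32 * j + 32]) == pk[j][b] for j, b in enumerate(bits(m)))

def verify_lax(pk, m, sig):         # constructed flaw: trailing bytes are ignored
    return verify_strict(pk, m, sig[:256 * 32])

def mu_suf_cma(n, verify, adversary):
    """Run the game once; True means the adversary produced a fresh valid pair."""
    keys = [keygen() for _ in range(n)]
    M = set()                       # oracle transcript: (i, m, sigma)
    def osign(i, m):                # one-time scheme: query each key at most once
        sig = sign(keys[i][1], m)
        M.add((i, m, sig))
        return sig
    m_star, sig_star = adversary([pk for pk, _ in keys], osign)
    return any(verify(keys[i][0], m_star, sig_star)
               and (i, m_star, sig_star) not in M for i in range(n))

def replay_adversary(pks, osign):   # hands back an oracle answer unchanged
    return b"msg", osign(0, b"msg")

def mauling_adversary(pks, osign):  # same message, re-encoded signature
    return b"msg", osign(0, b"msg") + b"\x00"

def guessing_adversary(pks, osign): # never queries the oracle, as in (MU-)UF-NMA
    return b"msg", secrets.token_bytes(256 * 32)
```

The lax verifier loses the game although no new message was signed, which is exactly the case the $(\m^*, \signature^*) \notin M$ condition on pairs is meant to capture.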