\subsection{MU-UF-NMA $\Rightarrow$ MU-SUF-CMA (ROM)} This section shows that the MU-UF-NMA security of the EdDSA signature scheme implies the MU-SUF-CMA security of the EdDSA signature scheme using the Random Oracle Model. The section starts with providing an intuition of the proof followed by the detailed security proof. \begin{theorem} \label{theorem:adv_mu-uf-nma} Let $n$ and $N$ be positive integer and $\adversary{A}$ an adversary against MU-SUF-CMA, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries. Then, \[ \advantage{\adversary{A}}{\text{MU-\cma}}(\secparamter) = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter) - \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \end{theorem} \paragraph{\underline{Proof Overview}} This proof follows closely the proof in section \ref{proof:uf-nma_implies_suf-cma}. The only difference of both security notions is the missing \Osign oracle in MU-UF-NMA. For this reason the reduction has to simulate the \Osign oracle without the knowledge of the private keys. Again the programmability of the random oracle together with the \simalg algorithm is used to generate valid signatures. The different games are depicted in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games}. \paragraph{\underline{Formal Proof}} \begin{figure} \hrule \begin{multicols}{2} \large \begin{algorithmic}[1] \Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$} / \textcolor{green}{$G_3$}} \State \textbf{for} $j \in \{1,2,...,N\}$ \State \quad $(h_{j_0}, h_{j_1}, ..., h_{j_{2b-1}}) \randomsample \{0,1\}^{2b}$ \State \quad $s_j \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_{j_i}$ \State \quad $\groupelement{A_j} \assign s_j \groupelement{B}$ \State $(\m^*, \signature^*) \randomassign \adversary{A}^{H(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2},...,\groupelement{A_N})$ \State \Return $\exists j \in \{1,2,...,N\}: \verify(\groupelement{A_j}, \m^*,\signature^*) \wedge (\groupelement{A_j}, \m^*, \signature^*) \notin Q$ \end{algorithmic} \columnbreak \begin{algorithmic}[1] \Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)} \Comment{$G_0 - G_2$} \State $(r'_0, r'_1, ..., r'_{2b-1}) = RF(h_{j_b} | ... | h_{j_{2b-1}} | \m)$ \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ \State $R \assign rB$ \BeginBox[draw=black] \State $S \assign (r + sH(\encoded{R} | \encoded{A_j} | \m)) \pmod L$ \Comment{$G_0$} \EndBox \BeginBox[draw=blue] \State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] \neq \bot \textbf{ then}$ \Comment{$G_1 - G_2$} \State \quad $bad \assign true$ \BeginBox[draw=red,dashed] \State \quad $abort$ \Comment{$G_2$} \EndBox \State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] = \bot \textbf{ then}$ \State \quad $\sum[\encoded{R} | \encoded{A_j} | \m] \randomsample \{0,1\}^{2b}$ \State $S \assign (r + s\sum[\encoded{R} | \encoded{A_j} | \m]) \pmod L$ \EndBox \State $\signature \assign (\encoded{R}, S)$ \State $Q \assign Q \cup \{(\groupelement{A_j}, \m, \signature)\}$ \State \Return $\signature$ \end{algorithmic} \end{multicols} \begin{multicols}{2} \begin{algorithmic}[1] \Statex \underline{\oracle $H(\m \in \{0,1\}^*)$} \State $\textbf{if } \sum[\m] = \bot \textbf{ then}$ \State \quad $\sum[\m] \randomsample \{0,1\}^{2b}$ \State \Return $\sum[\m]$ \end{algorithmic} \columnbreak \begin{algorithmic}[1] %TODO: Nummer vor Oracle \BeginBox[draw=green] \State \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)} \Comment{$G_3$} \State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$ \State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | \m] \neq \bot \textbf{ then}$ \State \quad $bad \assign true$ \State \quad $abort$ \State $\sum[\encoded{R} | \encoded{A_j} | \m] = \textbf{ch}$ \State $\signature \assign (\encoded{R}, S)$ \State $Q \assign Q \cup \{(\groupelement{A_j}, \m, \signature)\}$ \State \Return $\signature$ \EndBox \end{algorithmic} \end{multicols} \hrule \caption{Games $G_0 - G_3$} \label{fig:mu-uf-nma_implies_mu-suf-cma_games} \end{figure} \begin{proof} \item \paragraph{\underline{$G_0:$}} Let $G_0$ be defined in figure \ref{fig:mu-uf-nma_implies_mu-suf-cma_games} by excluding all boxes except the black one and $G_0$ be MU-SUF-CMA. By definition, \[ \advantage{\text{EdDSA},\adversary{A}}{\text{MU-}\cma}(\secparamter) = \Pr[\text{\text{MU-}\cma}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \] \item \paragraph{\underline{$G_1:$}} $G_1$ now is defined by replacing the black box with the blue one. This change inlines the call to the hash function and introduces a bad flag, which is set if the hash value is already set. This change is only conceptual, since it does not alter the behavior of the oracle. Therefore, \[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \] \item \paragraph{\underline{$G_2:$}} $G_2$ is defined by also introducing the abort instruction in the red box. Again without loss of generality it is assumed that the adversary only quries each public key message pair only once since the signatures are deterministic and the attacker would not gain any additional information by querying the \Osign oracle multiple times with the same input. Since the commitment $\groupelement{R}$ is the only unknown input to the hash function the probability of the bad flag being set for each individual \Osign query is at most $\frac{\hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. By the Union bound over all oracle queries $\oraclequeries$ we obtain $\Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have \[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \] \item \paragraph{\underline{$G_3:$}} In $G_3$ the \Osign oracle is replaced by the \Osign oracle in the green box. Instead of calculating the response using the secret key the \simalg algorithm is used to generate a tuple of commitment, challenge and response. Then the random oracle is programmed to output the specific challenge given $\encoded{R} | \encoded{A_j} | \m$ as an input. This change is only conceptual, since \simalg outputs a correctly distributed set and it was ruled out in earlier games that the random oracle was previously queries with this input. Hence, \[ \Pr[G_2^{\adversary{A}} \Rightarrow 1] = \Pr[G_3^{\adversary{A}} \Rightarrow 1]. \] \item Finally, Game $G_3$ is well prepared to show that there exists an adversary $\adversary{B}$ satisfying \begin{align} \Pr[G_3^{\adversary{A}} \Rightarrow 1] = \advantage{\adversary{B}}{\text{MU-UF-NMA}}(\secparamter). \label{eq:adv_mu-uf-nma} \end{align} \begin{figure} \hrule \begin{multicols}{2} \large \begin{algorithmic}[1] \Statex \underline{\textbf{Adversary} $\adversary{B}^{H(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$} \State $(\m^*, \signature^*) \randomassign \adversary{A}^{H'(\inp), \sign(\inp, \inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State \Return $(\m^*, \signature^*)$ \end{algorithmic} \columnbreak \begin{algorithmic}[1] \Statex \underline{\oracle \sign($j \in \{1,2,...,N\}$, $\m \in \messagespace$)} \State $(R,\textbf{ch},S) \randomassign \simalg(\groupelement{A_j})$ \State $\textbf{if } \sum[\encoded{R} | \encoded{A_j} | m] \neq \bot \textbf{ then}$ \State \quad $bad \assign true$ \State \quad $abort$ \State $\sum[\encoded{R} | \encoded{A_j} | m] = \textbf{ch}$ \State $\signature \assign (\encoded{R}, S)$ \State $Q \assign Q \cup \{(\groupelement{A_j}, \m, \signature)\}$ \State \Return $\signature$ \end{algorithmic} \end{multicols} \begin{algorithmic}[1] \Statex \underline{\oracle $H'(m \in \{0,1\}^*)$} \State $\textbf{if } \sum[m] = \bot \textbf{ then}$ \State \quad $\sum[m] \assign H(m)$ \State \Return $\sum[m]$ \end{algorithmic} \hrule \caption{Adversary $\adversary{B}$ breaking $\text{MU-UF-NMA}$} \label{fig:adversaryb_mu-uf-nma} \end{figure} To prove (\ref{eq:adv_mu-uf-nma}), we define an adversary $\adversary{B}$ attacking $\text{MU-UF-NMA}$ that simulates $\adversary{A}$'s view in $G_2$. Adversary $\adversary{B}$ formally defined in figure \ref{fig:adversaryb_mu-uf-nma} is run in the $\text{MU-UF-NMA}$ game and adversary $\adversary{B}$ simulates \Osign for adversary $\adversary{A}$. \Osign is simulated perfectly. Finally, consider $\adversary{A}$ output $(\m^*, \signature^* \assign (\encoded{R}, S))$. Every valid signature outputted by adversary $\adversary{A}$ has to fulfill following equation for one public key $\groupelement{A_i}$: $2^c S \groupelement{B} = 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i}$. For the signature to be valid in the \cma game the signature for this message and public key must have not been queried via the \Osign oracle. Therefore the output of $H'(\encoded{R}|\encoded{A_i}|m)$ has not been set by adversary $\adversary{B}$ but was forwarded from the MU-UF-NMA challenger. Meaning $H'(\encoded{R}|\encoded{A_i}|m) = H(\encoded{R}|\encoded{A_i}|m)$. Hence, \begin{align*} 2^c S \groupelement{B} &= 2^c R + 2^c H'(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i} \\ \Leftrightarrow 2^c S \groupelement{B} &= 2^c R + 2^c H(\encoded{R}|\encoded{A_i}|m) \groupelement{A_i} \end{align*} Since the public keys and the results of the hash queries are forwarded from the MU-UF-NMA challenger the forged signature from $\adversary{A}$ in the MU-\cma game is also valid for the MU-UF-NMA challenger. \item This proves theorem \ref{theorem:adv_mu-uf-nma}. \end{proof}