\subsection{Digital Signature Scheme}

A digital signature scheme is a method to ensure the authenticity of data. The signer, who is in possession of a private key, generates a signature for a specific message. The verifier is then able to check the authenticity of this data using the public key and the generated signature.

\begin{definition}
A digital signature scheme $SIG = (\keygen, \sign, \verify)$ is a tuple of algorithms.
\begin{itemize}[label={}]
  \item \textbf{\keygen}: The key generation algorithm, which upon receiving the scheme parameters as input outputs a matching pair of public and private key.
  \item \textbf{\sign}: The signing algorithm, which upon receiving the private key and a message outputs a signature for that message.
  \item \textbf{\verify}: The verification algorithm, which upon receiving the public key, a message and a signature decides whether the signature is valid for this specific set of input parameters.
\end{itemize}
For the digital signature scheme to be correct it is required that
\[
  \forall (\pubkey, \privkey) \in \keygen(\mathit{par}),\ \m \in \messagespace,\ \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1.
\]
\end{definition}

A common security notion for digital signature schemes is existential unforgeability under chosen message attack (EUF-CMA). It requires that no adversary is able to forge a signature, for a given key, on a message for which it has not been provided with a valid signature. A stronger notion that is often used is strong unforgeability under chosen message attack (SUF-CMA), which only requires the adversary to output a message-signature pair that has not been provided to it. Under this notion the adversary also wins if it is able to derive a new valid signature from a valid signature it has already been given. Both of these notions are in the single-user setting.
In the multi-user setting of these security notions, the adversary is supplied with $N$ public keys and has to forge a signature under one of those public keys. In the following, the multi-user variants of the EUF-CMA and SUF-CMA security notions are defined, namely MU-EUF-CMA and MU-SUF-CMA. The single-user variants of these security notions can be seen as the special case $N=1$ of the multi-user definitions.

\subsubsection{MU-EUF-CMA}

\begin{definition}[MU-EUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-EUF-CMA game be defined as in figure \ref{game:mu-euf-cma}. $SIG$ is MU-EUF-CMA secure if for all ppt adversaries $\adversary{A}$ the advantage $\advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter)$ is negligible in $\secparamter$:
\[
  \advantage{SIG,\adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \assign \prone{\text{MU-EUF-CMA}^{\adversary{A}}} \leq \mathrm{negl}(\secparamter)
\]
\end{definition}

\begin{figure}[h]
\hrule
\normalsize
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game $\text{MU-EUF-CMA}$}
\State $M \assign \emptyset$
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_N)$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*) \notin M$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $M \assign M \cup \{(\pubkey_i, \m)\}$
\State \Return $\signature$
\end{algorithmic}
\hrule
\caption{MU-EUF-CMA Security Game}
\label{game:mu-euf-cma}
\end{figure}

\subsubsection{MU-SUF-CMA}

\begin{definition}[MU-SUF-CMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer.
Let the MU-SUF-CMA game be defined as in figure \ref{game:mu-suf-cma}. $SIG$ is MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the advantage $\advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)$ is negligible in $\secparamter$:
\[
  \advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \assign \prone{\text{MU-SUF-CMA}^{\adversary{A}}} \leq \mathrm{negl}(\secparamter)
\]
\end{definition}

\begin{figure}[h]
\hrule
\normalsize
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\game $\text{MU-SUF-CMA}$}
\State $M \assign \emptyset$
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_N)$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)}
\State $\signature \randomassign \sign(\privkey_i, \m)$
\State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
\State \Return $\signature$
\end{algorithmic}
\hrule
\caption{MU-SUF-CMA Security Game}
\label{game:mu-suf-cma}
\end{figure}

\subsubsection{MU-UF-NMA}

The MU-UF-NMA security game is similar to the MU-EUF-CMA game. The only difference is that the adversary does not have access to an oracle for obtaining valid signatures on arbitrary messages (no-message attack). Again, the UF-NMA security notion is the special case of the MU-UF-NMA security notion with $N=1$.

\begin{definition}[MU-UF-NMA]
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $N$ be an integer. Let the MU-UF-NMA game be defined as in figure \ref{game:mu-uf-nma}. $SIG$ is MU-UF-NMA secure if for all ppt adversaries $\adversary{A}$ the advantage $\advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter)$ is negligible in $\secparamter$:
\[
  \advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq \mathrm{negl}(\secparamter)
\]
\end{definition}

\begin{figure}[h]
\hrule
\vspace{1mm}
\begin{algorithmic}[1]
\Statex \underline{\game $\text{MU-UF-NMA}$}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
\State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey_1, \pubkey_2, ..., \pubkey_N)$
\State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
\end{algorithmic}
\hrule
\caption{MU-UF-NMA Security Game}
\label{game:mu-uf-nma}
\end{figure}

\subsection{Security Assumptions}

This thesis proves the security of the EdDSA signature scheme under two assumptions. The single-user security of EdDSA can be proven under the discrete logarithm assumption, while the multi-user security of EdDSA requires the stronger one-more discrete logarithm assumption. Both assumptions are presented in this section.

\subsubsection{Discrete Logarithm Problem}

\begin{definition}[Discrete Logarithm Problem]
Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. Let the discrete logarithm game be defined as in figure \ref{game:dlog}. The advantage of an adversary $\adversary{A}$ is defined by its ability to win the discrete logarithm game:
\[
  \advantage{\group{G}, \adversary{A}}{Dlog} \assign \prone{\text{Dlog}^{\adversary{A}}}
\]
\end{definition}

\begin{figure}[h]
\hrule
\vspace{1mm}
\begin{algorithmic}[1]
\Statex \underline{\game Dlog}
\State $a \randomsample \field{L}$
\State $\groupelement{A} \assign a \groupelement{B}$
\State $a' \randomassign \adversary{A}(\groupelement{A})$
\State \Return $a \test a'$
\end{algorithmic}
\vspace{1mm}
\hrule
\caption{Discrete Logarithm Game}
\label{game:dlog}
\end{figure}

\subsubsection{One-More Discrete Logarithm}

The one-more discrete logarithm assumption is stronger than the discrete logarithm assumption.
In this assumption the adversary is supplied with $N$ group elements and an oracle that returns the discrete logarithm of up to $N-1$ group elements of its choice. The task of the adversary is to output the discrete logarithms of all $N$ supplied group elements, i.e. one more than the oracle provides.

\begin{definition}[One-More Discrete Logarithm Problem]
Let $\group{G}$ be a cyclic group of order $L$ with a generator $\groupelement{B}$. Let the one-more discrete logarithm game be defined as in figure \ref{game:om-dlog}. The advantage of an adversary $\adversary{A}$ is defined by its ability to win the one-more discrete logarithm game:
\[
  \advantage{\group{G}, \adversary{A}}{OM-Dlog} \assign \prone{\text{OM-Dlog}^{\adversary{A}}}
\]
\end{definition}

\begin{figure}[h]
\hrule
\vspace{1mm}
\begin{algorithmic}[1]
\Statex \underline{\game OM-Dlog}
\State $\mathit{ctr} \assign 0$
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \field{L}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $\forall i \in \{1,2,...,N\}: a_i \test a'_i$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle DL($\groupelement{X} \in \group{G}$)}
\State \textbf{if} $\mathit{ctr} \geq N-1$ \textbf{then return} $\bot$
\State $\mathit{ctr} \assign \mathit{ctr} + 1$
\State \Return the $x \in \field{L}$ with $x \groupelement{B} = \groupelement{X}$
\end{algorithmic}
\vspace{1mm}
\hrule
\caption{One-More Discrete Logarithm Game}
\label{game:om-dlog}
\end{figure}
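The MU-EUF-CMA and MU-SUF-CMA games defined above, run against a toy Schnorr-type scheme whose keys have the same form $\groupelement{A} = a\groupelement{B}$ as the Dlog instance. This is an added example and not code from the thesis; the group parameters, the unchecked tag field in the signature and the mauling adversary are constructed for illustration only. The tag makes signature encodings malleable, so the same adversary loses the EUF-CMA game but wins the SUF-CMA game, which is exactly the gap between the two notions.

```python
import hashlib
import secrets

# Constructed toy group (example only): the multiplicative group mod the Mersenne prime
# p = 2^127 - 1; q is a prime factor of 2^63 + 1 and therefore of p - 1, and B generates
# the subgroup of order q. Far too small for real use.
P = 2**127 - 1
Q = 77158673929
B = next(b for b in (pow(h, (P - 1) // Q, P) for h in range(2, 100)) if b != 1)

def H(R, m):
    """Fiat-Shamir challenge c = H(R, m) reduced into Z_q."""
    return int.from_bytes(hashlib.sha256(f"{R}|{m}".encode()).digest(), "big") % Q

def keygen():
    a = secrets.randbelow(Q - 1) + 1          # private key a
    return pow(B, a, P), a                    # public key A = aB, the Dlog instance

def sign(a, m):
    r = secrets.randbelow(Q - 1) + 1
    R = pow(B, r, P)
    return (R, (r + H(R, m) * a) % Q, 0)      # third field: a tag that verify never checks

def verify(A, m, sig):
    R, s, _tag = sig                          # ignoring _tag is the deliberate malleability
    return pow(B, s, P) == R * pow(A, H(R, m), P) % P

def mu_game(N, adversary, strong):
    """MU-EUF-CMA (strong=False) or MU-SUF-CMA (strong=True); True iff the adversary wins."""
    keys = [keygen() for _ in range(N)]
    M = set()                                 # the set M of the game, filled by Osign

    def osign(i, m):
        sig = sign(keys[i][1], m)
        M.add((keys[i][0], m, sig) if strong else (keys[i][0], m))
        return sig

    m_star, sig_star = adversary([A for A, _ in keys], osign)
    return any(verify(A, m_star, sig_star)
               and ((A, m_star, sig_star) if strong else (A, m_star)) not in M
               for A, _ in keys)

def mauling_adversary(pks, osign):
    """Queries one signature under key 0 and changes only the unchecked tag."""
    R, s, _ = osign(0, "transfer 10")
    return "transfer 10", (R, s, 1)

if __name__ == "__main__":
    print("wins MU-EUF-CMA:", mu_game(3, mauling_adversary, strong=False))   # False
    print("wins MU-SUF-CMA:", mu_game(3, mauling_adversary, strong=True))    # True
```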