\subsection{\somdl $\overset{\text{AGM}}{\Rightarrow}$ MU-\igame}
This section shows that \somdl implies MU-\igame in the Algebraic Group Model. It first introduces a special variant of the one-more discrete logarithm problem, then gives an intuition for the proof and finally a detailed security proof.

\paragraph{\underline{Introducing \somdl}}
Just as \sdlog is a variant of the discrete logarithm problem, \somdl is a variant of the one-more discrete logarithm problem that captures the special distribution of secret keys produced by the key generation algorithm of the EdDSA signature scheme. The only difference to the original one-more discrete logarithm game as introduced in \cite{JC:BNPS03} is that the secret scalars are chosen from the set $\{2^{n-1}, 2^{n-1} + 8, ..., 2^{n} - 8\}$ (the set $\{2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c\}$ of figure \ref{fig:somdl} with $2^c = 8$), which is exactly the set of valid secret scalars produced by the key generation algorithm. A lower bound on the hardness of the \somdl problem is analyzed in section \ref{sec:somdl}. The \somdl game is depicted in figure \ref{fig:somdl}.

\begin{definition}[\somdl]
Let $n$ and $N$ be positive integers. For an adversary $\adversary{A}$ we define its advantage in the \somdl game as follows:
\[ \advantage{\adversary{A}}{\text{\somdl}}(\secparamter) \assign | \Pr[\text{\somdl}^{\adversary{A}} \Rightarrow 1] |. \]
\end{definition}

\begin{figure}
\hrule \vspace{1mm} \large
\begin{algorithmic}[1]
\Statex \underline{\game \somdl}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $I \assign 0$
\State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N) \wedge I < N$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle $DL(i \in \{1,2,...,N\})$} \vspace{1mm}
\State $I \assign I + 1$
\State \Return $a_i$
\end{algorithmic}
\vspace{1mm} \hrule
\caption{\somdl}
\label{fig:somdl}
\end{figure}

\begin{theorem}
\label{theorem:adv_omdl'}
Let $\adversary{A}$ be an adversary against MU-\igame with $\group{G}$ being a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then there exists an adversary $\adversary{B}$ against \somdl such that
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter) + \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]
\end{theorem}

\paragraph{\underline{Proof Overview}}
In the multi-user setting the adversary gets access not only to the generator $\groupelement{B}$ and one public key $\groupelement{A}$ but to a set of public keys $\groupelement{A_1}$ to $\groupelement{A_N}$. Therefore the representation of a group element that the adversary has to provide looks as follows: $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$. Since there are multiple group elements with unknown discrete logarithms, a valid forgery cannot directly be turned into the discrete logarithm of one of the public keys.
Upon receiving a valid solution, the \textit{DL} oracle can be used to obtain the discrete logarithms of all public keys except the one for which the solution is valid. This way it is again possible to rewrite the representation as $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$, from which the discrete logarithm of $\groupelement{A_i}$ can be computed to win the \somdl game.

\paragraph{\underline{Formal Proof}}
% TODO: clarify encoding of c
\begin{figure}
\hrule \large \vspace{1mm}
\begin{algorithmic}[1]
\Statex \underline{\game $G_0$ / \textcolor{blue}{$G_1$} / \textcolor{red}{$G_2$}}
\State \textbf{for} $i \in \{1,2,...,N\}$
\State \quad $a_i \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$
\State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)}
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State $\ch \randomsample \{0,1\}^{2b}$
\BeginBox[draw=blue]
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch \equiv -r_i \pmod L$ \textbf{then} \Comment{$G_1 - G_2$}
\State \quad $bad \assign true$
\BeginBox[draw=red,dashed]
\State \quad $abort$ \Comment{$G_2$}
\EndBox
\EndBox
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}, \ch) \}$
\State \Return $\ch$
\end{algorithmic}
\hrule
\caption{Games $G_0 - G_2$}
\label{fig:omdl'_implies_mu-igame}
\end{figure}

\begin{proof}
\paragraph{\underline{$G_0$:}} Let $G_0$ be the game defined in figure \ref{fig:omdl'_implies_mu-igame} with all boxes excluded; $G_0$ is exactly MU-\igame.
By definition,
\[ \advantage{\group{G},\adversary{A}}{\text{MU-\igame}}(\secparamter) = \Pr[\text{MU-\igame}^{\adversary{A}} \Rightarrow 1] = \Pr[G_0^{\adversary{A}} \Rightarrow 1]. \]

\paragraph{\underline{$G_1$:}} $G_1$ is defined by including the if condition in the blue box, which sets a bad flag if the randomly chosen value $\ch$ fulfills $2^c \ch \equiv - r_i \pmod L$ for any $i \in \{2,3,...,N+1\}$. This captures the challenges $\ch$ for which a solution might not be usable to extract the discrete logarithm of one of the public keys, because $(r_i + 2^c \ch)$ is then not invertible in $\field{L}$. Since only a bad flag is introduced, this change does not influence the behavior of the game and is therefore purely conceptual:
\[ \Pr[G_0^{\adversary{A}} \Rightarrow 1] = \Pr[G_1^{\adversary{A}} \Rightarrow 1]. \]

\paragraph{\underline{$G_2:$}} $G_2$ additionally includes the abort instruction in the red box. The abort is triggered whenever the bad flag is set to true. For each individual \ioracle query the bad flag is set with probability at most $\frac{N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Here $2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}$ equals $2^{H_\infty}$ for the min-entropy $H_\infty$ of $\ch \bmod L$, i.e. it is the inverse of the maximal probability that $2^c \ch \bmod L$ takes any fixed value (multiplication by $2^c$ is a permutation of $\field{L}$), and $N$ is the number of coefficients $r_i$ for which the equation $2^c \ch \equiv - r_i \pmod L$ could hold. By the union bound over all $\oraclequeries$ oracle queries we obtain $\Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}$. Since $G_1$ and $G_2$ are identical-until-bad games, we have
\[ |\Pr[G_1^{\adversary{A}} \Rightarrow 1] - \Pr[G_2^{\adversary{A}} \Rightarrow 1]| \leq \Pr[bad] \leq \frac{\oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. \]

Finally, game $G_2$ is set up so that we can show that there exists an adversary $\adversary{B}$ satisfying
\begin{align}
\Pr[G_2^{\adversary{A}} \Rightarrow 1] = \advantage{\group{G},\adversary{B}}{\somdl}(\secparamter).
\label{eq:adv_omdl'}
\end{align}

\begin{figure}
\hrule \large \vspace{1mm}
\begin{algorithmic}[1]
\Statex \underline{\textbf{Adversary} $\adversary{B}^{\textit{DL}(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$}
\State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$
\State \textbf{If} $\nexists (\agmgroupelement{R^*}{r^*}, \ch^*) \in \pset{Q}, i \in \{1,2,...,N\}: \groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ \textbf{then}
\State \quad $abort$
\State Let $\groupelement{R^*} = r^*_1 \groupelement{B} + r^*_2 \groupelement{A_1} + ... + r^*_{N+1} \groupelement{A_N}$
\State $r_b \assign r^*_1$
\State \textbf{for} $j \in \{1,2,...,N\} \backslash \{i\}$
\State \quad $a_j \assign \textit{DL}(j)$ \Comment{$\groupelement{A_j} = a_j \groupelement{B}$}
\State \quad $r_b \assign r_b + r^*_{j+1} a_j$
\State $a_i \assign (2^c s^* - r_b)(r^*_{i+1} + 2^c \ch^*)^{-1}$ \Comment{$\groupelement{R^*} = r_b \groupelement{B} + r^*_{i+1} \groupelement{A_i}$}
\State \Return $(a_1, a_2, ..., a_N)$
\end{algorithmic}
\vspace{2mm}
\begin{algorithmic}[1]
\Statex \underline{\oracle \ioracle($\agmgroupelement{R}{r} \in \group{G}$)} \vspace{1mm}
\State Let $\groupelement{R} = r_1 \groupelement{B} + r_2 \groupelement{A_1} + ... + r_{N+1} \groupelement{A_N}$
\State $\ch \randomsample \{0,1\}^{2b}$
\State \textbf{If} $\exists i \in \{2,3,...,N+1\}: 2^c \ch \equiv -r_i \pmod L$ \textbf{then}
\State \quad $bad \assign true$
\State \quad $abort$
\State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}, \ch) \}$
\State \Return $\ch$
\end{algorithmic}
\hrule
\caption{Adversary $\adversary{B}$ breaking \somdl}
\label{fig:adversary_omdl'}
\end{figure}

To prove (\ref{eq:adv_omdl'}), we define an adversary $\adversary{B}$ attacking \somdl that simulates $\adversary{A}$'s view in $G_2$.
Adversary $\adversary{B}$, formally defined in figure \ref{fig:adversary_omdl'}, is run in the \somdl game and simulates \ioracle for adversary $\adversary{A}$; the simulation of \ioracle is perfect. Finally, consider $\adversary{A}$'s output $s^*$. It is known that $\groupelement{R^*} = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i}$ for one of the public keys $\groupelement{A_i}$ and one tuple $(\groupelement{R^*}, \ch^*)$ generated by the \ioracle oracle. Using the \textit{DL} oracle we obtain the discrete logarithms of all public keys except the one for which $s^*$ is a valid solution in the MU-\igame game. This way the \textit{DL} oracle is called exactly $N-1$ times, which is strictly less than $N$, as required by the \somdl game. Together with the representation of $\groupelement{R^*}$ provided during the \ioracle call and the discrete logarithms of the other public keys we are able to rewrite $\groupelement{R^*}$ as $\groupelement{R^*} = r_b \groupelement{B} + r^*_{i+1} \groupelement{A_i}$. Equating both expressions for $\groupelement{R^*}$ we get:
\begin{align*}
r_b \groupelement{B} + r^*_{i+1} \groupelement{A_i} &= 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A_i} \\
\Leftrightarrow (r^*_{i+1} + 2^c \ch^*) \groupelement{A_i} &= (2^c s^* - r_b) \groupelement{B} \\
\Leftrightarrow \groupelement{A_i} &= (2^c s^* - r_b)(r^*_{i+1} + 2^c \ch^*)^{-1} \groupelement{B}
\end{align*}
Since $r^*_{i+1} + 2^c \ch^*$ is invertible in $\field{L}$ (i.e., not equal to $0$), which is ensured by the abort in $G_2$ for all $i$, the last equation yields the discrete logarithm of $\groupelement{A_i}$. Together with the discrete logarithms of the other public keys, which were obtained from the \textit{DL} oracle, the adversary $\adversary{B}$ is able to craft a valid solution for the \somdl challenger. This proves theorem \ref{theorem:adv_omdl'}.
\end{proof}
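As an added illustration that is not part of the thesis, the following Python script simulates the extraction step of adversary $\adversary{B}$ from figure \ref{fig:adversary_omdl'} over a constructed toy group: the order-$1019$ subgroup of $\mathbb{Z}_{2039}^*$, written multiplicatively, with toy parameters $n = 10$, $c = 3$ and $2b = 12$. The public keys, the forging adversary for key $i$ (which here uses non-zero coefficients on all keys in its representation), the counting \textit{DL} oracle and all function names are the example's own constructions.

```python
import random

# Constructed toy group (not the thesis's parameters): order-L subgroup of Z_P^*, written
# multiplicatively, so the proof's a*B becomes pow(B, a, P). 2039 = 2*1019 + 1, both prime.
P, L, B = 2039, 1019, 4
N_BITS, C, CH_BITS = 10, 3, 12   # toy n, c and 2b

def keygen(rng):
    """Secret scalar from {2^(n-1), 2^(n-1) + 2^c, ..., 2^n - 2^c}, public key A = a*B."""
    a = rng.randrange(2 ** (N_BITS - 1), 2 ** N_BITS, 2 ** C)
    return a, pow(B, a, P)

def combine(reps, pubkeys):
    """Group element r_1*B + r_2*A_1 + ... + r_{N+1}*A_N from its algebraic representation."""
    R = pow(B, reps[0], P)
    for r, A in zip(reps[1:], pubkeys):
        R = R * pow(A, r, P) % P
    return R

def adversary_b(reps, ch, s, i, dl_oracle):
    """Extraction step of B: query DL for every key except A_i, then solve for a_i.
    Returns None in the bad event (r_{i+1} + 2^c ch = 0 mod L) that G_2 aborts on."""
    n = len(reps) - 1
    sol = [None] * n
    r_b = reps[0]
    for j in range(n):
        if j != i:
            sol[j] = dl_oracle(j)                       # N-1 oracle queries in total
            r_b = (r_b + reps[j + 1] * sol[j]) % L
    denom = (reps[i + 1] + 2 ** C * ch) % L
    if denom == 0:
        return None
    sol[i] = (2 ** C * s - r_b) * pow(denom, -1, L) % L  # R* = r_b*B + r_{i+1}*A_i
    return sol

def run(seed=7, n=3, i=1):
    rng = random.Random(seed)
    secrets, pubkeys = zip(*(keygen(rng) for _ in range(n)))
    queries = []
    def dl_oracle(j):                                   # the DL oracle of the game, counting calls
        queries.append(j)
        return secrets[j]
    # Constructed forger for key i: representation with coefficients on all keys, random
    # challenge (shifted off the bad event), and the s* that satisfies the game's check.
    reps = [rng.randrange(L) for _ in range(n + 1)]
    ch = rng.randrange(2 ** CH_BITS)
    ch += (reps[i + 1] + 2 ** C * ch) % L == 0
    d = (reps[0] + sum(r * a for r, a in zip(reps[1:], secrets))) % L   # log_B of R*
    s = (d + 2 ** C * ch * secrets[i]) * pow(2 ** C, -1, L) % L
    R_star = combine(reps, pubkeys)
    valid = R_star == pow(B, 2 ** C * s, P) * pow(pubkeys[i], -2 ** C * ch, P) % P
    sol = adversary_b(reps, ch, s, i, dl_oracle)
    return valid, sol == list(secrets), len(queries)
```

`run()` returns whether the forgery passed the game's check, whether $\adversary{B}$ recovered every secret scalar, and how many \textit{DL} queries it needed (always $N-1$).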