\documentclass{beamer}
%Information to be included in the title page:
\title{A formal Security Analysis of the EdDSA Signature Scheme} \author{Aaron Kaiser} \institute{Fakultät für Informatik} \date{2023} \usetheme[alternativetitlepage=bild]{Rub} \titlegraphic{curve.png} \usepackage[noend]{algpseudocodex} \usepackage{xcolor} \usepackage{tikz} \usepackage{multicol} \usepackage{tabularx} \usepackage[parfill]{parskip} \usepackage{float} \usepackage{xspace} \usepackage{mathtools} \usepackage[normalem]{ulem} \input{../thesis/macros} \begin{document} \frame{\titlepage} \begin{frame} \frametitle{Outline} \begin{enumerate} \item Overview \item Motivation \item Related work \item Preliminaries \item The EdDSA signature scheme \item Single- and multi-user proofs for EdDSA \item GGM proofs of the underlying assumptions \item Concrete security \end{enumerate} \end{frame} \begin{frame} \frametitle{Overview} \framesubtitle{What is this thesis about?} \begin{enumerate} \item Providing a tight security proof for the EdDSA signature scheme \item Showing the security level of concrete instantiations of EdDSA \end{enumerate} \end{frame} \begin{frame} \frametitle{Overview} \framesubtitle{Results} Results of this thesis: \begin{enumerate} \item EdDSA is tightly secure under the Ed-DLog assumption in the single-user setting \item EdDSA is tightly secure under the N-Ed-DLog-Reveal assumption in the multi-user setting \item \textcolor{gray}{Ed25519 provides 125/124 bits of security in the single/multi-user setting} \item \textcolor{gray}{Ed448 provides 221/220 bits of security in the single/multi-user setting} \end{enumerate} \end{frame} \begin{frame} \frametitle{Overview} \framesubtitle{Results} Results of this thesis: \begin{enumerate} \item EdDSA is tightly secure under the Ed-DLog assumption in the single-user setting \item EdDSA is tightly secure under the N-Ed-DLog-Reveal assumption in the multi-user setting \item Ed25519 provides 125/124 bits of security in the single/multi-user setting 
\item Ed448 provides 221/220 bits of security in the single/multi-user setting \end{enumerate} \end{frame} \begin{frame} \frametitle{Motivation} EdDSA is everywhere\dots \includegraphics[scale=0.9]{images/signal.png} \includegraphics[scale=0.1]{images/whatsapp.png} \includegraphics[scale=0.1]{images/wireguard.png} \includegraphics[scale=0.05]{images/SSH.png} \includegraphics[scale=0.1]{images/FIDO_logo_black_RGB.png} \end{frame} \begin{frame} \frametitle{Motivation} No tight security proof has existed since its publication in 2015 \end{frame} \begin{frame} \frametitle{Related Work} \begin{itemize} \item Brendel et al.\ 2021~\cite{SP:BCJZ21}: First security proof for Ed25519 \item Chalkias et al.\ 2020~\cite{EPRINT:ChaGarNik20}: Analysis of different EdDSA implementations \item Fuchsbauer et al.\ 2020~\cite{EC:FucPloSeu20}: Tight security proof for Schnorr signatures using the AGM \end{itemize} \end{frame} \begin{frame} \frametitle{Security Notions} \framesubtitle{Digital Signature Scheme} \begin{definition} A digital signature scheme SIG = (\keygen,\sign,\verify) is a tuple of algorithms. \begin{itemize} \item \textbf{\keygen}: The key generation algorithm, which upon receiving the security parameter as input outputs a matching pair of public and private keys. \item \textbf{\sign}: The signing algorithm, which upon receiving a secret key and a message, outputs a signature for that message. \item \textbf{\verify}: The verification algorithm, which upon receiving a public key, a message and a signature, outputs $1$ if the signature is accepted and $0$ otherwise. 
\end{itemize} For the digital signature scheme to be correct, it is required that $\forall (\pubkey, \privkey) \in \keygen(\mathit{par}), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$. \end{definition} \end{frame} \begin{frame} \frametitle{Security Notions} \framesubtitle{$N\text{-MU-EUF-CMA}$} \begin{figure}[h] \hrule \normalsize \vspace{1mm} \begin{algorithmic} \Statex \underline{\game $N\text{-MU-EUF-CMA}$} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$ \State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_N)$ \State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*) \notin M$ \end{algorithmic} \vspace{2mm} \begin{algorithmic} \Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)} \State $\signature \randomassign \sign(\privkey_i, \m)$ \State $M \assign M \cup \{(\pubkey_i, \m)\}$ \State \Return $\signature$ \end{algorithmic} \hrule \caption{$N$-MU-EUF-CMA Security Game} \label{game:mu-euf-cma} \end{figure} \end{frame} \begin{frame} \frametitle{Security Notions} \framesubtitle{$N\text{-MU-SUF-CMA}$} \begin{figure}[h] \hrule \normalsize \vspace{1mm} \begin{algorithmic} \Statex \underline{\game $N\text{-MU-SUF-CMA}$} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$ \State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, ..., \pubkey_N)$ \State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$ \end{algorithmic} \vspace{2mm} \begin{algorithmic} \Statex \underline{\oracle \Osign($i \in \{1,2,...,N\}$, $\m \in \messagespace$)} \State $\signature \randomassign \sign(\privkey_i, \m)$ \State $M \assign M \cup \{(\pubkey_i, \m, 
\signature)\}$ \State \Return $\signature$ \end{algorithmic} \hrule \caption{$N$-MU-SUF-CMA Security Game} \end{figure} \end{frame} \begin{frame} \frametitle{Security Notions} \framesubtitle{$N\text{-MU-EUF-NMA}$} \begin{figure}[h] \hrule \vspace{1mm} \begin{algorithmic} \Statex \underline{\game $N\text{-MU-EUF-NMA}$} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$ \State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey_1, \pubkey_2, ..., \pubkey_N)$ \State \Return $\exists i \in \{1,2,...,N\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$ \end{algorithmic} \hrule \caption{$N$-MU-EUF-NMA Security Game} \label{game:mu-uf-nma} \end{figure} \end{frame} \begin{frame} \frametitle{Random Oracle Model (ROM)} \begin{itemize} \item Hash functions are modeled as a public oracle \item The oracle behaves like a truly random function \item The challenger can observe all oracle queries \item The challenger can program the random oracle \end{itemize} \end{frame} \begin{frame} \frametitle{Algebraic Group Model (AGM)} \begin{itemize} \item The adversary has to provide a representation of all group elements it outputs \end{itemize} \end{frame} \begin{frame} \frametitle{Generic Group Model (GGM)} \begin{itemize} \item The GGM hides the concrete representation of group elements \item The adversary works with random labels instead of actual group elements \end{itemize} \end{frame} \begin{frame} \frametitle{Standards} \begin{itemize} \item Paper by Bernstein et al.~\cite{CHES:BDLSY11,EPRINT:BJLSY15} \item RFC 8032~\cite{josefsson_edwards-curve_2017} \item FIPS 186-5~\cite{moody_digital_2023} \end{itemize} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \begin{table} \small \begin{tabularx}{\textwidth}{@{}lX@{}} \textbf{Parameter} & \textbf{Description} \\ \hline $q$ & An odd prime power $q$. EdDSA uses an elliptic curve over the finite field $\mathbb{F}_{q}$. \\ $b$ & An integer $b$ with $2^{b-1} > q$. 
The bit size of encoded points on the twisted Edwards curve. \\ $Enc(\inp)$ & A $(b-1)$-bit encoding of elements in the underlying finite field. \\ $H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\ $c$ & The base-2 logarithm of the cofactor $2^c$ of the twisted Edwards curve. \\ $n$ & The number of bits used for the secret scalar of the public key. \\ $a, d$ & The curve parameters of the twisted Edwards curve. \\ $\groupelement{B}$ & A generator point of the prime order subgroup of $E$. \\ $L$ & The order of the prime order subgroup. \\ $H'(\inp)$ & A prehash function applied to the message prior to applying the \sign or \verify procedure. \end{tabularx} \caption{Parameters of the EdDSA signature scheme} \end{table} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \begin{table} \small \begin{tabularx}{\textwidth}{@{}lX@{}} \textbf{Parameter} & \textbf{Description} \\ \hline $b$ & An integer $b$ with $2^{b-1} > q$. The bit size of encoded points on the twisted Edwards curve. \\ $H(\inp)$ & A cryptographic hash function producing $2b$-bit output. \\ $c$ & The base-2 logarithm of the cofactor $2^c$ of the twisted Edwards curve. \\ $n$ & The number of bits used for the secret scalar of the public key. \\ $\groupelement{B}$ & A generator point of the prime order subgroup of $E$. \\ $L$ & The order of the prime order subgroup. 
\\ \end{tabularx} \caption{Parameter of the EdDSA signature scheme} \end{table} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \begin{algorithmic} \State \underline{\textbf{\keygen}} \State $k \randomsample \{0,1\}^b$ \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ \State $A \assign sB$ \State \Return (\encoded{$A$}, $k$) \end{algorithmic} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \begin{algorithmic} \Statex \underline{\textbf{\sign}($k$, $m$)} \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$ \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ \State $R \assign rB$ \State $\ch \assign H(\encoded{R} | \encoded{A} | m)$ \State $S \assign (r + \ch \cdot s) \pmod L$ \State \Return $\sigma \assign (\encoded{R}, S)$ \end{algorithmic} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \begin{algorithmic} \Statex \underline{\textbf{\sign}($k$, $m$)} \BeginBox[draw=red] \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ \Comment{Recover secret scalar} \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ \EndBox \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$ \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ \State $R \assign rB$ \State $\ch \assign H(\encoded{R} | \encoded{A} | m)$ \State $S \assign (r + \ch \cdot s) \pmod L$ \State \Return $\sigma \assign (\encoded{R}, S)$ \end{algorithmic} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \begin{algorithmic} \Statex \underline{\textbf{\sign}($k$, $m$)} \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ \BeginBox[draw=red] \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... 
| h_{2b-1} | m)$ \Comment{Calculate commitment} \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ \State $R \assign rB$ \EndBox \State $\ch \assign H(\encoded{R} | \encoded{A} | m)$ \State $S \assign (r + \ch \cdot s) \pmod L$ \State \Return $\sigma \assign (\encoded{R}, S)$ \end{algorithmic} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \begin{algorithmic} \Statex \underline{\textbf{\sign}($k$, $m$)} \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... | h_{2b-1} | m)$ \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ \State $R \assign rB$ \BeginBox[draw=red] \State $\ch \assign H(\encoded{R} | \encoded{A} | m)$ \Comment{Calculate challenge} \EndBox \State $S \assign (r + \ch \cdot s) \pmod L$ \State \Return $\sigma \assign (\encoded{R}, S)$ \end{algorithmic} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \begin{algorithmic} \Statex \underline{\textbf{\sign}($k$, $m$)} \State $(h_0, h_1, ..., h_{2b-1}) \assign H(k)$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign H(h_b | ... 
| h_{2b-1} | m)$ \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ \State $R \assign rB$ \State $\ch \assign H(\encoded{R} | \encoded{A} | m)$ \BeginBox[draw=red] \State $S \assign (r + \ch \cdot s) \pmod L$ \Comment{Calculate response} \EndBox \State \Return $\sigma \assign (\encoded{R}, S)$ \end{algorithmic} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \begin{algorithmic} \Statex \underline{\textbf{\verify}($\encoded{A}, \sigma \assign (\encoded{R}, S), m$)} \State \Return $2^c SB \test 2^c R + 2^c H(\encoded{R} | \encoded{A} | m)A$ \end{algorithmic} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \framesubtitle{Signature Parsing} \begin{itemize} \item Strict parsing: Reject all bitstring representations of $S > L$ \item Lax parsing: Allow all bitstring representations of $S$ and work with $S \pmod L$ \end{itemize} \end{frame} \begin{frame} \frametitle{The EdDSA Signature Scheme} \framesubtitle{Encoding of Group Elements} \begin{itemize} \item The decoding function ensures that the point lies on the curve \item Several bitstrings may decode to the same point on the curve \end{itemize} \end{frame} \begin{frame} \frametitle{The EdDSA' Signature Scheme} \begin{figure} \hrule \begin{multicols}{2} \scriptsize \begin{algorithmic} \Statex \underline{\textbf{\keygen}} \State $(h_0, h_1, ..., h_{2b-1}) \randomsample \{0,1\}^{2b}$ \State $s \leftarrow 2^n + \sum_{i=c}^{n-1} 2^i h_i$ \State $A \assign sB$ \State \Return (\encoded{$A$}, $k \assign (s, h_b | ... | h_{2b-1})$) \end{algorithmic} \columnbreak \begin{algorithmic} \Statex \underline{\textbf{\sign}($k \assign (s, h_b | ... | h_{2b-1})$, $m$)} \State $(r'_0, r'_1, ..., r'_{2b-1}) \assign RF(h_b | ... 
| h_{2b-1} | m)$ \State $r \assign \sum_{i=0}^{2b-1} 2^i r'_i$ \State $R \assign rB$ \State $S \assign (r + sH(\encoded{R} | \encoded{A} | m)) \pmod L$ \State \Return $\sigma \assign (\encoded{R}, S)$ \end{algorithmic} \end{multicols} \hrule \caption{Generic description of the algorithms \keygen, \sign and \verify used by the EdDSA' signature scheme} \end{figure} \end{frame} \begin{frame} \frametitle{The EdDSA' Signature Scheme} \begin{theorem} \label{theorem:adveddsa'} Let $\adversary{A}$ be an adversary against SUF-CMA security of the EdDSA signature scheme. Then \[ \advantage{\text{EdDSA'},\adversary{A}}{\cma}(\secparamter) \leq \advantage{\text{EdDSA},\adversary{A}}{\cma}(\secparamter) + \frac{2 (\hashqueries + 1)}{2^b}. \] \end{theorem} \end{frame} \begin{frame} \frametitle{Single-User Security} \begin{theorem}[Security of EdDSA with strict parsing in the single-user setting] \label{theorem:eddsa_sp_su} Let $\adversary{A}$ be an adversary against the SUF-CMA security of EdDSA with strict parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \end{theorem} \end{frame} \begin{frame} \frametitle{Single-User Security} \begin{theorem}[Security of EdDSA with lax parsing in the single-user setting] \label{theorem:eddsa_lp_su} Let $\adversary{A}$ be an adversary against the EUF-CMA security of EdDSA with lax parsing, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. 
Then, \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \end{theorem} \end{frame} \begin{frame} \frametitle{Single-User Security} \[ \sdlog \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} \] \[ \sdlog \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{EUF-CMA}_{\text{EdDSA lp}} \] \end{frame} \begin{frame} \frametitle{Single-User Security} \framesubtitle{$\text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}} / \text{EUF-CMA}_{\text{EdDSA lp}}$} \begin{theorem}[\cite{SP:BCJZ21}] Let $\adversary{A}$ be an adversary against $\cma$, making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and let $\group{G}$ be a group of prime order $L$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{\cma}}(\secparamter) \leq \advantage{\group{G}, \adversary{B}}{\text{EUF-NMA}}(\secparamter) + \frac{\oraclequeries \hashqueries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. 
\] \end{theorem} \end{frame} \begin{frame} \frametitle{Single-User Security} \framesubtitle{$\text{EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \cma_{\text{EdDSA sp}}$} Proof Idea: \begin{itemize} \item Simulate signatures without the private key \begin{enumerate} \item Choose commitment and response uniformly at random \item Calculate the corresponding challenge \item Program the random oracle to output that challenge for the signature \end{enumerate} \item Forward random oracle queries to the challenger \item A valid signature forgery in the SUF-CMA game is also a valid forgery in the EUF-NMA game \end{itemize} \end{frame} \begin{frame} \frametitle{Single-User Security} \framesubtitle{$\igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA}$} \begin{figure}[h] \hrule \begin{multicols}{2} \normalsize \begin{algorithmic} \Statex \underline{\game \igame} \State $a \randomsample \{2^{n-1}, 2^{n-1} + 2^c, ..., 2^n - 2^c\}$ \State $\groupelement{A} \assign a \groupelement{B}$ \State $s^* \randomassign \adversary{A}^{\ioracle(\inp)}(\groupelement{A})$ \State \Return $\exists (\groupelement{R}^*, \ch^*) \in \pset{Q}: \groupelement{R}^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$ \end{algorithmic} \columnbreak \begin{algorithmic} \Statex \underline{\oracle \ioracle($\groupelement{R_i} \in \group{G}$)} \State $\ch_i \randomsample \{0,1\}^{2b}$ \State $\pset{Q} \assign \pset{Q} \cup \{ (\groupelement{R}_i, \ch_i) \}$ \State \Return $\ch_i$ \end{algorithmic} \end{multicols} \hrule \caption{\igame} \end{figure} \end{frame} \begin{frame} \frametitle{Single-User Security} \framesubtitle{$\igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA}$} \begin{theorem} Let $\adversary{A}$ be an adversary against $\text{EUF-NMA}$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{EUF-NMA}}(\secparamter) = \advantage{\group{G}, \adversary{B}}{\text{\igame}}(\secparamter). 
\] \end{theorem} \end{frame} \begin{frame} \frametitle{Single-User Security} \framesubtitle{$\igame \overset{\text{ROM}}{\Rightarrow} \text{EUF-NMA}$} Proof Idea: \begin{itemize} \item Forward random oracle queries to the \ioracle oracle \item A valid signature forgery provides a valid solution for \igame \end{itemize} \end{frame} \begin{frame} \frametitle{Single-User Security} \framesubtitle{$\sdlog \overset{\text{AGM}}{\Rightarrow} \igame$} \begin{figure}[h] \hrule \vspace{1mm} \begin{algorithmic} \Statex \underline{\game \sdlog} \State $a \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \State $\groupelement{A} \assign a \groupelement{B}$ \State $a' \randomassign \adversary{A}(\groupelement{A})$ \State \Return $a \test a'$ \end{algorithmic} \vspace{1mm} \hrule \caption{\sdlog} \end{figure} \end{frame} \begin{frame} \frametitle{Single-User Security} \framesubtitle{$\sdlog \overset{\text{AGM}}{\Rightarrow} \igame$} \begin{theorem} \label{theorem:advgamez} Let $\adversary{A}$ be an adversary against \igame, where $\group{G}$ is a cyclic group of prime order $L$, making at most $\oraclequeries$ oracle queries. Then \[ \advantage{\group{G},\adversary{A}}{\igame}(\secparamter) \leq \advantage{\group{G},\adversary{B}}{\sdlog}(\secparamter) + \frac{\oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}. 
\] \end{theorem} \end{frame} \begin{frame} \frametitle{Single-User Security} \framesubtitle{$\sdlog \overset{\text{AGM}}{\Rightarrow} \igame$} Proof Idea: \begin{itemize} \item Adversary provides a valid solution: $R^* = 2^c s^* \groupelement{B} - 2^c \ch^* \groupelement{A}$ \item Adversary also provides: $\groupelement{R^*} = r_1 \groupelement{B} + r_2 \groupelement{A}$ \item Rewrite equations: $A = (2^c s^* - r_1)(r_2 + 2^c \ch^*)^{-1} B$ \end{itemize} \end{frame} \begin{frame} \frametitle{Multi-User Security} \begin{theorem}[Security of EdDSA with strict parsing in the multi-user setting] Let $\adversary{A}$ be an adversary against the $N$-MU-SUF-CMA security of EdDSA with strict parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. Then, \[ \advantage{\group{G}, \adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \end{theorem} \end{frame} \begin{frame} \frametitle{Multi-User Security} \begin{theorem}[Security of EdDSA with lax parsing in the multi-user setting] \label{theorem:eddsa_lp_mu} Let $\adversary{A}$ be an adversary against the MU-EUF-CMA security of EdDSA with lax parsing, receiving $N$ public keys and making at most $\hashqueries$ hash queries and $\oraclequeries$ oracle queries, and $\group{G}$ be a group of prime order $L$. 
Then, \[ \advantage{\group{G}, \adversary{A}}{\text{MU-EUF-CMA}}(\secparamter) \leq \advantage{\curve, n, c, L, \adversary{B}}{\somdl} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries N}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}} \] \end{theorem} \end{frame} \begin{frame} \frametitle{Multi-User Security} \[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-\cma}_{\text{EdDSA sp}} \] \[ \somdl \overset{\text{AGM}}{\Rightarrow} \igame \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-NMA} \overset{\text{ROM}}{\Rightarrow} \text{MU-EUF-CMA}_{\text{EdDSA lp}} \] \end{frame} \begin{frame} \frametitle{Multi-User Security} \framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \igame$} \begin{figure}[h] \hrule \vspace{1mm} \large \begin{algorithmic} \Statex \underline{\game \somdl} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$ \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{DL(\inp)}(\groupelement{A_1}, \groupelement{A_2}, ..., \groupelement{A_N})$ \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$ \end{algorithmic} \vspace{2mm} \begin{algorithmic} \Statex \underline{\oracle $DL(j \in \{1,2,...,N\})$} \Comment{max. 
one query} \vspace{1mm} \State \Return $\{a_i|i \in \{1,2,...,N\}\backslash \{j\}\}$ \end{algorithmic} \vspace{1mm} \hrule \caption{\somdl} \label{fig:somdl} \end{figure} \end{frame} \begin{frame} \frametitle{Multi-User Security} \framesubtitle{$\somdl \overset{\text{AGM}}{\Rightarrow} \igame$} Proof Idea: \begin{itemize} \item Similar to single-user proof \item Query discrete logarithms of all but one challenge group element $A_i$ \item Construct a representation $\groupelement{R^*} = r_1 \groupelement{B} + r_2 \groupelement{A_i}$ \item Calculate discrete logarithm of $\groupelement{A_i}$ \end{itemize} \end{frame} \begin{frame} \frametitle{\sdlog} \begin{theorem} \label{theorem:sdlog_ggm} Let $n$ and $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary making at most $\groupqueries$ group operations. Then, \[ \advantage{\curve, n, c, L, \adversary{A}}{\sdlog} \leq \frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}}. \] \end{theorem} \end{frame} \begin{frame} \frametitle{\somdl} \begin{theorem} \label{theorem:somdl_ggm} Let $n$, $N$, $c$ be positive integers. Consider a twisted Edwards curve $\curve$ with a cofactor of $2^c$ and a generating set consisting of $(\groupelement{B}, \groupelement{E_2}, ..., \groupelement{E_m})$. Among these, let $\groupelement{B}$ be the generator of the largest prime order subgroup with an order of $L$. Let $\adversary{A}$ be a generic adversary against \somdl receiving $N$ group elements as challenge and making at most $\groupqueries$ group operations queries. Then, \[ \advantage{\curve, n, c, L, \adversary{A}}{\somdl} \leq \frac{2(\groupqueries + N + 2)^2 + 1}{2^{n-1-c}}. 
\] \end{theorem} \end{frame} \begin{frame} \begin{lemma}[Schwartz--Zippel lemma~\cite{schwartz_fast_1980}] Let $L$ be a prime number and $P \in \mathbb{F}_{L}[X_1, ..., X_n]$ be a non-zero polynomial of total degree $d \geq 0$ over the field $\mathbb{F}_{L}$. Let $S$ be a finite subset of $\mathbb{F}_{L}$ and let $x_1, ..., x_n$ be selected independently and uniformly at random from $S$. Then \[ \Pr[P(x_1, ..., x_n) = 0] \leq \frac{d}{|S|}. \] \end{lemma} \end{frame} \begin{frame} \begin{figure}[H] \hrule \tiny \vspace{2mm} \begin{algorithmic} \Statex \underline{\game \textcolor{black}{$G_0$} / \textcolor{blue}{$G_1$} /\textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \State \quad $\groupelement{A_i} \assign a_i \groupelement{B}$ \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$ \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} \Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)} \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} \Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)} \State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} \State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \curve$)} \State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then} \State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(|\curve|) \rceil} \backslash \pset{S}$ \State \quad $\mathbf{S} \assign \pset{S} \cup \{\sum[X]\}$ \State \Return $\sum[\groupelement{X}]$ \end{algorithmic} \hrule \caption{$G_0$} \end{figure} \end{frame} \begin{frame} \begin{figure}[H] 
\hrule \tiny \vspace{2mm} \begin{algorithmic} \Statex \underline{\game \textcolor{black}{$G_0$} / \textcolor{blue}{$G_1$} /\textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \BeginBox[draw=blue] \State \quad $\groupelement{A_i} \assign (a_i, 0, ..., 0)$ \EndBox \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$ \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} \Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)} \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} \Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)} \State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} \BeginBox[draw=blue] \State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L} \times \field{ord(E_2)} \times ... 
\times \field{ord(E_n)}$)} \EndBox \State \textbf{If } $\sum[\groupelement{X}] = \bot$ \textbf{ then} \State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil log_2(|\curve|) \rceil} \backslash \pset{S}$ \State \quad $\mathbf{S} \assign \pset{S} \cup \{\sum[X]\}$ \State \Return $\sum[\groupelement{X}]$ \end{algorithmic} \hrule \caption{$G_1$} \end{figure} \end{frame} \begin{frame} \begin{figure}[H] \hrule \tiny \vspace{2mm} \begin{algorithmic} \Statex \underline{\game \textcolor{black}{$G_0$} / \textcolor{blue}{$G_1$} /\textcolor{red}{$G_2$} / \textcolor{green}{$G_3$} / \textcolor{orange}{$G_4$}} \State \textbf{for} $i \in \{1,2,...,N\}$ \State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, ..., 2^{n} - 2^c \}$ \BeginBox[draw=red] \State \quad $P_i \assign Z_i$ \State \quad $\groupelement{A_i} \assign (P_i, 0, ..., 0)$ \EndBox \State $(a'_1, a'_2, ..., a'_N) \randomassign \adversary{A}^{GOp(\inp, \inp, \inp), DL(\inp)}(Enc(\groupelement{B}), Enc(\groupelement{E_2}), ..., Enc(\groupelement{E_m}), Enc(\groupelement{A_1}), ..., Enc(\groupelement{A_N}))$ \State \Return $(a_1, a_2, ..., a_N) \test (a'_1, a'_2, ..., a'_N)$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} \Statex \underline{\oracle DL($j \in \{1,2,...,N\}$)} \State \Return $\{a_i | i \in \{1,2,...,N\} \backslash \{j\}\}$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} \Statex \underline{\oracle GOp($x, y \in \mathbf{S}, b \in \{0,1\}$)} \State \quad \Return $Enc(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$ \end{algorithmic} \vspace{1mm} \begin{algorithmic} \BeginBox[draw=red] \State \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,...,Z_N] \times \field{ord(E_2)} \times ... 
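\times \field{ord(E_n)}$)}
% NOTE(review): this Enc procedure and its enclosing G_2 frame begin above this chunk;
% only the tail is visible here.
\State Let $X = (P, x_2, \dots, x_n)$
\State $\pset{P} \assign \pset{P} \cup \{P\}$
\State $X \assign (P(\overset{\rightharpoonup}{a}), x_2, \dots, x_n)$
\EndBox
% \sum is used throughout as the name of the encoding map; a dedicated macro (e.g. \Sigma)
% would avoid operator spacing, but it is kept here to stay consistent with earlier frames.
\State \textbf{if} $\sum[\groupelement{X}] = \bot$
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(\lvert\curve\rvert) \rceil} \setminus \pset{S}$
\State \quad $\pset{S} \assign \pset{S} \cup \{\sum[\groupelement{X}]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_2$}
\end{figure}
\end{frame}

% --- Games G_3 / G_4: DL(j) splits every queried polynomial P_i into R_i (free of Z_j)
% and S_i (in Z_j), sets bad_1 when two distinct R_i collide at the secret vector a
% (G_4 additionally aborts), and re-keys the encoding table with R_i(a) + S_i.
\begin{frame}
\begin{figure}[H]
\hrule
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,\dots,N\}$)}
\BeginBox[draw=green]
\State \textbf{for} $P_i \in \pset{P}$ \Comment{$G_3$}
\State \quad Let $P_i = R_i + S_i$, $R_i \in \field{L}[Z_1,\dots,Z_{j-1},Z_{j+1},\dots,Z_N]$, $S_i \in \field{L}[Z_j]$
\State \quad $\pset{R} \assign \pset{R} \cup \{R_i\}$
% The second index is k, not j: j is already bound as the oracle argument.
\State \textbf{if} $\exists R_i, R_k \in \pset{R}: R_i(\overset{\rightharpoonup}{a}) = R_k(\overset{\rightharpoonup}{a}) \wedge R_i \neq R_k$
\State \quad $\mathit{bad}_1 \assign \mathit{true}$
\BeginBox[draw=orange,dashed]
\State \quad \textbf{abort} \Comment{$G_4$}
\EndBox
\State \textbf{for} $P_i \in \pset{P}$
\State \quad $\sum[R_i(\overset{\rightharpoonup}{a}) + S_i] \assign \sum[P_i]$
\State \quad $P_i \assign R_i(\overset{\rightharpoonup}{a}) + S_i$
\EndBox
\State \Return $\{a_i \mid i \in \{1,2,\dots,N\} \setminus \{j\}\}$
\end{algorithmic}
\vspace{2mm}
\hrule
\caption{$G_3$--$G_4$}
\end{figure}
\end{frame}

% --- Games G_5 / G_6: after the adversary returns, G_5 sets bad_2 when two distinct
% polynomials in P evaluate to the same value at a; G_6 additionally aborts.
\begin{frame}
\begin{figure}[H]
\hrule
\tiny
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_4$} / \textcolor{blue}{$G_5$} / \textcolor{red}{$G_6$} / \textcolor{green}{$G_7$} / \textcolor{orange}{$G_8$}}
\State \textbf{for} $i \in \{1,2,\dots,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, \dots, 2^{n} - 2^c \}$
\State \quad $P_i \assign Z_i$
\State \quad $\groupelement{A_i} \assign (P_i, 0, \dots, 0)$
\State $(a'_1, a'_2, \dots, a'_N) \randomassign \adversary{A}^{\mathrm{GOp}(\inp, \inp, \inp), \mathrm{DL}(\inp)}(\mathrm{Enc}(\groupelement{B}), \mathrm{Enc}(\groupelement{E_2}), \dots, \mathrm{Enc}(\groupelement{E_m}), \mathrm{Enc}(\groupelement{A_1}), \dots, \mathrm{Enc}(\groupelement{A_N}))$
\BeginBox[draw=blue]
\State \textbf{if} $\exists P_i, P_j \in \pset{P}: P_i(\overset{\rightharpoonup}{a}) = P_j(\overset{\rightharpoonup}{a}) \wedge P_i \neq P_j$ \Comment{$G_5$}
\State \quad $\mathit{bad}_2 \assign \mathit{true}$
\BeginBox[draw=red,dashed]
\State \quad \textbf{abort} \Comment{$G_6$}
\EndBox
\EndBox
\State \Return $(a_1, a_2, \dots, a_N) \test (a'_1, a'_2, \dots, a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,\dots,N\}$)}
\State \dots
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \pset{S}, b \in \{0,1\}$)}
\State \Return $\mathrm{Enc}(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,\dots,Z_N] \times \field{ord(E_2)} \times \dots \times \field{ord(E_n)}$)}
\State Let $X = (P, x_2, \dots, x_n)$
\State $\pset{P} \assign \pset{P} \cup \{P\}$
\State $X \assign (P(\overset{\rightharpoonup}{a}), x_2, \dots, x_n)$
\State \textbf{if} $\sum[\groupelement{X}] = \bot$
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(\lvert\curve\rvert) \rceil} \setminus \pset{S}$
\State \quad $\pset{S} \assign \pset{S} \cup \{\sum[\groupelement{X}]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_5$--$G_6$}
\end{figure}
\end{frame}

% --- Game G_7: Enc no longer evaluates the polynomial P at the secret vector a
% (struck-out line); the bad_2 check and abort from G_6 remain unboxed.
\begin{frame}
\begin{figure}[H]
\hrule
\tiny
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_4$} / \textcolor{blue}{$G_5$} / \textcolor{red}{$G_6$} / \textcolor{green}{$G_7$} / \textcolor{orange}{$G_8$}}
\State \textbf{for} $i \in \{1,2,\dots,N\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, \dots, 2^{n} - 2^c \}$
\State \quad $P_i \assign Z_i$
\State \quad $\groupelement{A_i} \assign (P_i, 0, \dots, 0)$
\State $(a'_1, a'_2, \dots, a'_N) \randomassign \adversary{A}^{\mathrm{GOp}(\inp, \inp, \inp), \mathrm{DL}(\inp)}(\mathrm{Enc}(\groupelement{B}), \mathrm{Enc}(\groupelement{E_2}), \dots, \mathrm{Enc}(\groupelement{E_m}), \mathrm{Enc}(\groupelement{A_1}), \dots, \mathrm{Enc}(\groupelement{A_N}))$
\State \textbf{if} $\exists P_i, P_j \in \pset{P}: P_i(\overset{\rightharpoonup}{a}) = P_j(\overset{\rightharpoonup}{a}) \wedge P_i \neq P_j$
\State \quad $\mathit{bad}_2 \assign \mathit{true}$
\State \quad \textbf{abort}
\State \Return $(a_1, a_2, \dots, a_N) \test (a'_1, a'_2, \dots, a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,\dots,N\}$)}
\State \dots
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \pset{S}, b \in \{0,1\}$)}
\State \Return $\mathrm{Enc}(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,\dots,Z_N] \times \field{ord(E_2)} \times \dots \times \field{ord(E_n)}$)}
\State Let $X = (P, x_2, \dots, x_n)$
\State $\pset{P} \assign \pset{P} \cup \{P\}$
\State \sout{$X \assign (P(\overset{\rightharpoonup}{a}), x_2, \dots, x_n)$}
\State \textbf{if} $\sum[\groupelement{X}] = \bot$
\State \quad $\sum[\groupelement{X}] \randomsample \{0,1\}^{\lceil \log_2(\lvert\curve\rvert) \rceil} \setminus \pset{S}$
\State \quad $\pset{S} \assign \pset{S} \cup \{\sum[\groupelement{X}]\}$
\State \Return $\sum[\groupelement{X}]$
\end{algorithmic}
\hrule
\caption{$G_7$}
\end{figure}
\end{frame}

% --- Game G_8: the a_i are no longer sampled up front (struck-out line). DL(j) samples
% a_i for every i != j on demand, and any a_i still equal to \bot is sampled after the
% adversary has returned, before the bad_2 check.
\begin{frame}
\begin{figure}[H]
\hrule
\tiny
\vspace{2mm}
\begin{algorithmic}
\Statex \underline{\game \textcolor{black}{$G_4$} / \textcolor{blue}{$G_5$} / \textcolor{red}{$G_6$} / \textcolor{green}{$G_7$} / \textcolor{orange}{$G_8$}}
\State \textbf{for} $i \in \{1,2,\dots,N\}$
\State \quad \sout{$a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, \dots, 2^{n} - 2^c \}$}
\State \quad $P_i \assign Z_i$
\State \quad $\groupelement{A_i} \assign (P_i, 0, \dots, 0)$
\State $(a'_1, a'_2, \dots, a'_N) \randomassign \adversary{A}^{\mathrm{GOp}(\inp, \inp, \inp), \mathrm{DL}(\inp)}(\mathrm{Enc}(\groupelement{B}), \mathrm{Enc}(\groupelement{E_2}), \dots, \mathrm{Enc}(\groupelement{E_m}), \mathrm{Enc}(\groupelement{A_1}), \dots, \mathrm{Enc}(\groupelement{A_N}))$
\BeginBox[draw=orange]
\State \textbf{for} $i \in \{1,2,\dots,N\}$
\State \quad \textbf{if} $a_i = \bot$
\State \qquad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, \dots, 2^{n} - 2^c \}$
\EndBox
\State \textbf{if} $\exists P_i, P_j \in \pset{P}: P_i(\overset{\rightharpoonup}{a}) = P_j(\overset{\rightharpoonup}{a}) \wedge P_i \neq P_j$
\State \quad $\mathit{bad}_2 \assign \mathit{true}$
\State \quad \textbf{abort}
\State \Return $(a_1, a_2, \dots, a_N) \test (a'_1, a'_2, \dots, a'_N)$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle DL($j \in \{1,2,\dots,N\}$)}
\BeginBox[draw=orange]
\State \textbf{for} $i \in \{1,2,\dots,N\} \setminus \{j\}$
\State \quad $a_i \randomsample \{ 2^{n-1}, 2^{n-1} + 2^c, \dots, 2^{n} - 2^c \}$
\EndBox
\State \dots
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\oracle GOp($x, y \in \pset{S}, b \in \{0,1\}$)}
\State \Return $\mathrm{Enc}(\sum^{-1}[x] + (-1)^b \sum^{-1}[y])$
\end{algorithmic}
\vspace{1mm}
\begin{algorithmic}
\Statex \underline{\textbf{Procedure} Enc($\groupelement{X} \in \field{L}[Z_1,\dots,Z_N] \times \field{ord(E_2)} \times \dots \times \field{ord(E_n)}$)}
\State \dots
\end{algorithmic}
\hrule
\caption{$G_8$}
\end{figure}
\end{frame}

% --- Concrete security: success ratio and bit security as used in the Ed25519 estimate.
\begin{frame}
\frametitle{Concrete Security}
\begin{definition}[Success Ratio \cite{AC:HofJagKil11}]
Let $\adversary{A}$ be an adversary with runtime $\mathrm{Time}(\adversary{A})$ and advantage $\advantage{\adversary{A}}{}$.
Its success ratio is defined as follows:
\[
\mathrm{SR}(\adversary{A}) = \frac{\advantage{\adversary{A}}{}}{\mathrm{Time}(\adversary{A})}.
\]
\end{definition}
\begin{definition}[Bit Security \cite{AC:HofJagKil11}]
A cryptographic scheme has $\kappa$-bit security if the success ratio of every adversary with runtime $\mathrm{Time}(\adversary{A}) \leq 2^\kappa$ is upper bounded by $2^{-\kappa}$.
\end{definition}
\end{frame}

\begin{frame}
\frametitle{Concrete Security}
\framesubtitle{Ed25519}
% Reading line 4 against line 3: Time(A) = 2^{125}, q_H = 2^{125}, q_O = 2^{64}, b = 256,
% 2^{n-1-c} = 2^{250} and 2^{-log_2(...)} = 2^{252}.  The two small terms then evaluate to
% 2(2^{125}+1) / (2^{256} 2^{125}) ~ 2^{-255} and (2^{64} 2^{125} + 2^{64}) / (2^{252} 2^{125}) ~ 2^{-188};
% both are negligible next to the first term, so the bound stays ~ 2^{-125}.
\begin{align*}
\mathrm{SR}(\adversary{A}) &\leq \frac{\advantage{\group{G}, \adversary{A}}{\text{SUF-CMA}}(\secparamter)}{\mathrm{Time}(\adversary{A})} \\
&\leq \frac{\advantage{\curve, n, c, L, \adversary{B}}{\sdlog} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{\mathrm{Time}(\adversary{A})} \\
&\leq \frac{\frac{(\groupqueries + 3)^2 + 1}{2^{n-1-c}} + \frac{2(\hashqueries + 1)}{2^b} + \frac{\oraclequeries \hashqueries + \oraclequeries}{2^{-\log_2(\lceil \frac{2^{2b} - 1}{L} \rceil 2^{-2b})}}}{\mathrm{Time}(\adversary{A})} \\
&\leq \frac{(2^{125} + 3)^2 + 1}{2^{250} 2^{125}} + \frac{2(2^{125} + 1)}{2^{256} 2^{125}} + \frac{2^{64} 2^{125} + 2^{64}}{2^{252} 2^{125}} \\
&\approx 2^{-125} + 2^{-255} + 2^{-188} \\
&\approx 2^{-125}
\end{align*}
\end{frame}

\begin{frame}
\huge
\centering
\textbf{Thank you!}\\
Questions?
\end{frame}

\begin{frame}
\bibliographystyle{ieeetr}
\bibliography{../thesis/cryptobib/abbrev0,../thesis/cryptobib/crypto,../thesis/citation}
\end{frame}
\end{document}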