9 lines
2.6 KiB
TeX
9 lines
2.6 KiB
TeX
\subsection{Notation}
|
|
|
|
\subsubsection{General Notation}
|
|
|
|
For an integer n, $\field{n}$ is defined as the residual ring $\mathbb{Z}/n\mathbb{Z}$. $a \randomsample A$ denotes sampling the element $a$ from a non-empty finite set $A$ uniformly at random. $\assign$ denotes a deterministic assignment of a variable. $\{0,1\}^n$ is the set of all bitstrings of length n, while $\{0,1\}^*$ denotes the set of finite bitstring of arbitrary length. $(x,y)$ is a tuple of the two elements $x$ and $y$. $\{x,y\}$ is a set of the elements $x$ and $y$. At the beginning of a game a set is initialized to be the empty set $\{\}$. $\sum$ denotes a table and $\sum[x]$ denotes the value of the table at position $x$. Each position of the table is uninitialized at the beginning of a game. An uninitialized position in the table is denoted with the bottom symbol $\bot$. A function $f: \mathbb{N} \rightarrow \mathbb{R}$ is called negligible if for all polynomials $p$ there exists a $N \in \mathbb{N}$ so that $\forall n \geq N: f(n) < \frac{1}{p(n)}$ is true. $\pset{S} \in f(x)$ denotes the set $\pset{S}$ of outputs of $f$ given $x$ as input. All algorithms are probabilistic polynomial time (ppt) unless stated otherwise. $o \randomassign \adversary{A}(I)$ denotes running the algorithm $\adversary{A}$ with input $I$ with uniform random coins and $o$ describing its output. If $\adversary{A}$ has additionally access to an oracle $O$ this is denoted as $o \randomassign \adversary{A}^{O(\inp)}(I)$. A security game consists of a main procedure and optionally some oracle procedures. When a game is played, the main procedure is run and adversary $\adversary{A}$ is given some inputs and access to the oracle procedures. Based on the output of the adversary $\adversary{A}$ and its oracle calls, the main procedure outputs $1$ or $0$ depending on whether the adversary $\adversary{A}$ won the game. The message space of the signature scheme is defined as $\messagespace$.
|
|
|
|
\subsubsection{Algebraic Notation}
|
|
|
|
A group description is denoted as a tuple $\mathbf{G} = (L, \mathbb{G}, \groupelement{B})$ with $\mathbb{G}$ being a cyclic group of prime order $L$ generated by group element $\groupelement{B}$. The group uses additive notation for its group law and group elements are denoted by uppercase letters $\groupelement{A}$. Encoded group elements are denoted by underlining $\encoded{A}$. Further information on the encoding of group elements can be found in section \ref{sec:eddsa}. It is assumed that there exists a group generation algorithm that, upon inputting $1^\secparamter$, outputs a group description $\mathbf{G}$ with $L$ being $\secparamter$ bits in length. |