In cryptography, many ways have been used to define this (random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots) which give rise to stronger security guarantees.
If one may look for the strongest security for its construction, there are known impossibility results in strong models.
For instance, in the $\UC$ model, it is impossible to realize two-party computation~\cite{Yao86} without honest set-up~\cite{CKL06}, while it is possible in the standard model~\cite{LP07}.
The name ``reduction'' comes from computational complexity.
In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them.
In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well.
This amounts to say that problem $B$ is at least as hard as problem $A$ up to the complexity of the transformation.
For instance, Cook shown that satisfiability of Boolean formulas is at least as hard as every problem in $\NP$~\cite{Coo71} up to a polynomial-time transformation.
\item A finite set $\Gamma$, called the \textit{tape alphabet}, that contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``$\square$'', and ``$\triangleright$'' that denotes the beginning of a tape.
\item A finite set $Q$ called the \textit{states} of the TM. It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
\item A function $\delta: (Q \backslash\{q_{halt}\})\times\Gamma^{k-1}\to Q \times\Gamma^{k-1}\times\{\leftarrow, \downarrow, \rightarrow\}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and the TM heads.\\
\smallskip
Namely, $\delta(q, a_1, \ldots, a_{k-1})=(r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads according to $m_1, \ldots, m_k$.
A TM $M$ is said to \emph{compute} a function $f: \Sigma^\star\to\Gamma^\star$, if for any finite input $x \in\Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.
A TM $M$ is said to \emph{recognize} a language $L \subseteq\Sigma^\star$ if on a finite input $x \in\Sigma^\star$ written on its input tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, the machine $M$ eventually ends on the state $q_{halt}$ with $1$ written on its output tape if and only if $x \in L$.
A TM $M$ is said to run in $T(n)$-time if, on any input $x$, it eventually stops within $T(|x|)$ steps.
A TM $M$ is said to run in $S(n)$-space if, on any input $x$, it eventually stops and had write at most $S(|x|)$ memory cells in its working tapes.
\end{definition}
Turing machines are a computational model that proved useful in complexity theory as it is convenient to evaluate the running time of a Turing machine, which amounts to bound the number of steps the machine can make.
Similarly, the working tapes works analogously to the memory of a program, and then counting the number of cells the machine uses is equivalent to evaluate the amount of memory the program requires.
From these considerations, it is possible to describe the time and space complexity of a program from the definition of Turing machines.
In our context, we will work with Turing machine that runs in polynomial-time and space, as polynomials benefit from good stability properties (sum, product, composition, \ldots{}).
The class \textsf{P} describes the set of languages that can be recognized by a Turing machine running in time $T(n)=\bigO(\poly)$.
\end{definition}
In theoretical computer science, the class \textsf{P} is often considered as the set of ``easy'' problems.
These problems are considered easy in the sense that the growth of the cost to solve them is asymptotically negligible in front of other functions such as exponential.
In this context, it is reasonable to consider the computational power of an adversary as polynomial (or quasi-polynomial) in time and space.
As cryptographic algorithms are not deterministic, we also have to consider the probabilistic version of the computation model.
A \emph{probabilistic Turing machine} is a Turing machine with two different transition functions $\delta_0$ and $\delta_1$, where at each step, a random coin is tossed to pick $\delta_0$ or $\delta_1$ with probability $1/2$ independently of all the previous choices.
The machine only outputs \texttt{accept} and \texttt{reject} depending on the content of the output tape at the end of the execution.
We denote by $M(x)$ the random variable corresponding to the value $M$ writes on its output tape at the end of its execution.
The class \textsf{PP} describes the set of languages $L \subseteq\Sigma^\star$ that a Turing machine $M$ recognizes such that the TM $M$ stops in time $\poly[|x|]$ on every input $x$ and
\[\begin{cases}
\Pr\left[ M(x) = 1 \mid x \in L \right] > \frac12\\
\Pr\left[ M(x) = 0 \mid x \notin L \right] > \frac12
\end{cases}. \]
In the following $\ppt$ stands for ``probabilistic polynomial time''.
\end{definition}
We defined complexity classes that corresponds to natural sets of programs that are of interest for us, but now how to work with it?
That's why we'll now define the principle of polynomial time reduction.
\begin{definition}[Polynomial time reduction] \label{de:pt-reduction}\index{Reduction!Polynomial time}
A language $A \subseteq\bit^\star$ is \emph{polynomial-time reducible to} a language $B \subseteq\bit^\star$, denoted by $A \redto B$, if there is a \emph{polynomial-time computable} function $f: \bit^\star\to\bit^\star$ such that for every $x \in\bit^\star$, $x \in A$ if and only if $f(x)\in B$.
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
A Turing Machine $M$ is said to have \textit{oracle access} to a function $O(\cdot)$ if it has access to the result of $O(x)$ for any input $x$ of its choice in constant time. We denote the output of $M$ on input $x$ with oracle $O$ by $M^O(x)$.
Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf{PP}), then the former problem is also in \textsf{P} (resp. \textsf{PP}).
Let $f : \NN\to[0,1]$ be a function. The function $f$ is said to be \emph{negligible} if $f(n)= n^{-\omega(1)}_{}$, and this is written $f(n)=\negl[n]$.\\
Non-negligible functions are also called \emph{noticeable} functions.\\
Finally, if $f =1-\negl[n]$, $f$ is said to be \emph{overwhelming}.
Given the tuple $\bigl(g, g_1^{}, g_2^{}, g_3^{}\bigr)=\bigl(g, g^a_{}, g^b{}, g^c_{}\bigr)\in\GG^4_{}$, the goal is to decide whether $c = ab$ or $c$ is sampled uniformly in $\GG$.
Indeed, if one is able to solve the discrete logarithm problem, then it suffices to compute the discrete logarithm of $g_1$, let us say $\alpha$, and then check whether $g_2^\alpha= g_3^{}$ or not.
Another criterion to evaluate the security of an assumption is to look if the assumption is ``simple'' or not.
It is harder to evaluate the security of an assumption as $q$-Strong Diffie-Hellman, which is a variant of $\DDH$ where the adversary is given the tuple $(g, g^a_{}, g^{a^2}_{}, \ldots, g^{a^q}_{})$ and has to devise $g^{a^{q+1}}$.
The security of this assumption inherently depends on the parameter $q$ of the assumption.
And Cheon proved that for large values of $q$, this assumption is no more trustworthy~\cite{Che06}.
These parameterized assumptions are called \emph{$q$-type assumptions}.
There are also other kind of non-static assumptions, such as interactive assumptions.
An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption.
Given oracle access to $n$ discrete logarithm queries ($n$ is not known in advance), the $1$-more-\textsf{DL} problem is to solve a $n+1$-th discrete logarithm.
In this model, nothing special is assumed, and every assumptions are explicit.
For instance, cryptographic hash functions enjoy several different associated security notions~\cite{KL07}.
The weakest is the collision resistance, that states that it is intractable to find two strings that maps to the same digest.
A stronger notion is the second pre-image resistance, that states that given $x \in\bit^\star_{}$, it is not possible for a $\ppt$ algorithm to find $\tilde{x}\in\bit^\star_{}$ such that $h(x)= h(\tilde{x})$.
Similarly to what we saw in the previous section about $\DDH$ and $\DLP$, we can see that collision resistance implies second pre-image resistance.
Indeed, if there is an attacker against second pre-image, then one can choose a string $x \in\bit^\star_{}$ and obtains from this attacker another string $\tilde{x}\neq x \in\bit^\star_{}$ such that $h(x)= h(\tilde{x})$. So a hash function that is collision resistant is also second pre-image resistant.
The \textit{random oracle model}~\cite{FS86,BR93}, or \ROM, is an idealized security model where hash functions are assumed to behave as a truly random function.
This implies collision resistance (if the codomain of the hash function is large enough, which should be the case for a cryptographic hash function) and other security notions related to hash functions.
In this model, hash function access are managed as oracle access (which then can be reprogrammed by the reduction).
We can notice that this security model is unrealistic~\cite{CGH04}. Let us construct a \emph{counter-example}.
Let $\Sigma$ be a secure signature scheme, and let $\Sigma_y^{}$ be the scheme that returns $\Sigma(m)$ as a signature if and only if $h(0)\neq y$ and $0$ as a signature otherwise.
On the other hand, it appears that when $h$ is instantiated with a real world hash function, then $\Sigma_{h(0)}$ is the null function, and therefore completely insecure as a signature scheme. \hfill$\square$
In this context, one may wonder why is the \ROM still used in cryptographic proofs~\cite{LMPY16,LLM+16}.
One reason is that some constructions are not known to exist yet from the standard model.
One example is non-interactive zero-knowledge (\NIZK) proofs from lattice assumptions~\cite{Ste96,Lyu08}.
\NIZK proofs form an elementary building block for privacy-based cryptography, and forbid the use of the \ROM may slow down research in this direction~\cite{LLM+16}.
Another reason to use the \ROM in cryptography, is that it is a sufficient guarantee in real-world cryptography~\cite{BR93}.
The example we built earlier is artificial, and in practice there is no known attacks against the \ROM.
This consequence comes also from the fact that the \ROM is implied by the standard model.
As a consequence, constructions in the \ROM are at least as efficient as in the standard model.
Thus, for practical purpose, constructions in the \ROM are usually more efficient.
For instance, the scheme we present in Chapter~\ref{ch:sigmasig} adapts the construction of dynamic group signature in the standard model from Libert, Peters and Yung~\cite{LPY15} in the \ROM.
Doing this transform reduces the signature size from $32$ elements in $\GG$, $14$ elements in $\Gh$ and \textit{one} scalars in the standard model~\cite[App. J]{LPY15} down to $7$ elements in $\GG$ and $3$ scalars in the \ROM.
Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: the \emph{indistinguishability under chosen-plaintext attacks} (\indcpa) for public-key encryption (\PKE) schemes and the \emph{existential unforgeability under chosen message attacks} (EU-CMA) for signature schemes.
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal{A}$ against this game is to distinguish between two messages from different distributions.
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$$\adv$, the advantage of $\mathcal{A}$ in the $\indcpa$ game is negligible with respect to $\lambda$.
This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$.
Which means that the adversary cannot get a single bit of information about the ciphertext.
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma=\Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
And a signature scheme is considered unforgeable under chosen message attacks if for any $\ppt$ adversary $\adv$, the advantage of $\adv$ is negligible with respect to $\lambda$.
This means that within reasonable expected time, no one can create a new valid signature without the signing key ($sk$). This kind of definitions are mostly used in the case of authentication primitives.
To follow the example of group signatures in Part~\ref{pa:gs-ac}, the \emph{security against misidentification attacks} (or \emph{traceability}) experiment follow the same structure.
This security notion illustrates that no malicious collusions of users and the authority that delivers the secret keys can provide valid signatures that opens on an honest user, or does not open to a valid registered user.
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --\,in the \emph{Real world}\,-- that interacts with a challenger $\cdv$
there exists a $\ppt$\emph{simulator}$\widehat{\adv}'$ --\,in the \emph{Ideal world}\,-- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}.
In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality.
In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$.
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}.
Even though, the question of which security model is the strongest remains a complex one, as it depends on many parameters. If some security models implies others, it's not necessary always the case. For instance, we know from the work of Canetti and Fischlin~\cite{CF01} that it is impossible to construct a $\UC$-secure bit commitment scheme\footnote{The definition of a commitment scheme is given in~\cref{de:commitment}. To put it short, it is the digital equivalent of a safe.} in the plain model, while the design of such a primitive is possible assuming a \textit{trusted setup}.
Hence, the question of quantifying if a standard-model commitment scheme has a stronger security than an UC commitment scheme in the trusted setup setting under similar assumptions is not a trivial question. The answer mainly depends on the manner the scheme will be used as well as the adversarial model.
In the \textit{trusted setup} model or \textit{common reference string} (\textsf{CRS}) model, all the participants are assumed to have access to a common string $\crs\in\{0,1\}^\star$ that is drawn from some specific distribution $D_\crs$.
