Add definitions for QA-NIZK
@ -294,3 +294,10 @@ For $\PKE$, the simulation-based definition for chosen plaintext security is the
|
||||
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
|
||||
For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}.
|
||||
Therefore, it is preferable to have security proofs of the strongest \emph{possible} definitions in theoretical cryptography.
|
||||
|
||||
Even though, the question of which security model is the strongest remains a complex one, as it depends on many parameters. If some security models implies others, it's not necessary always the case. For instance, we know from the work of Canetti and Fischlin~\cite{CF01} that it is impossible to construct a $\UC$-secure bit commitment scheme\footnote{The definition of a commitment scheme is given in~\cref{de:commitment}. To put it short, it is the digital equivalent of a safe.} in the plain model, while the design of such a primitive is possible assuming a \textit{trusted setup}.
|
||||
Hence, the question of quantifying if a standard-model commitment scheme has a stronger security than an UC commitment scheme in the trusted setup setting under similar assumptions is not a trivial question. The answer mainly depends on the manner the scheme will be used as well as the adversarial model.
|
||||
|
||||
\begin{definition}[The CRS model] \label{de:trusted-setup} \index{Universal Composability!Common Reference String}
|
||||
In the \textit{trusted setup} model or \textit{common reference string} (\textsf{CRS}) model, all the participants are assumed to have access to a common string $\crs \in \{0,1\}^\star$ that is drawn from some specific distribution $D_\crs$.
|
||||
\end{definition}
|
||||
|
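Review bot: the new CRS-model definition only says that $\crs$ is "drawn from some specific distribution $D_\crs$"; it does not say who samples the string or what the participants may know about the sampling randomness. That trust assumption is exactly what separates this model from the plain model discussed in the paragraph above, so I would state it explicitly: a trusted party samples $\crs$ and no participant learns the randomness used, and $D_\crs$ depends on the security parameter. Two smaller points on the same lines: the definition is titled "The CRS model" but labelled de:trusted-setup and indexed under Universal Composability, so one name should be chosen and used consistently, and the preceding paragraph needs a grammar pass ("If some security models implies others, it's not necessary always the case", "an UC commitment scheme"). The commit subject mentions QA-NIZK, but nothing in this hunk defines it; if that definition is not in another part of the change, the subject should be reworded.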