From 184bb30f27e9eeb7ff1c1aaa3804f9d5083d5920 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Fri, 6 Apr 2018 15:46:29 +0200 Subject: [PATCH] Indistinguishability --- chap-proofs.tex | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/chap-proofs.tex b/chap-proofs.tex index f6d90bb..b95723a 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex @@ -202,7 +202,7 @@ The following section explains how to define the security of a cryptographic pri Up to now, we defined the structure on which security proofs works. Let us now define what we are proving. An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions. -In order to define security properties, a common manner is to define security \emph{games} (or \emph{experiments})~\cite{GM84}. +In order to define security properties, a common manner is to define security \emph{games} (or \emph{experiments})~\cite{GM84,Sho06}. Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: the \emph{indistinguishability under chosen-plaintext attacks} (\indcpa) for public-key encryption (\PKE) schemes and the \emph{existential unforgeability under chosen message attacks} (EU-CMA) for signature schemes. 
@@ -245,9 +245,10 @@ We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$. Which means that the adversary cannot get a single bit of information about the ciphertext. -This kind of definition are also useful to model anonymity. For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion. +This kind of definition are also useful to model anonymity. +For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion. -On the other hand, the security definition for signature scheme is no more an indistinguishable game, but an unforgeability game. +On the other hand, the security definition for signature scheme is no more an indistinguishability game, but an unforgeability game. The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries. Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
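Review bot: The new citation key `Sho06` in the first hunk (`~\cite{GM84,Sho06}`) must have a matching entry in the thesis bibliography, otherwise BibTeX will emit an undefined-citation warning and the reference renders as `[?]`; please confirm the entry exists (or add it in this commit) and mention the added citation in the commit message, which currently only says "Indistinguishability".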
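Review bot: The second hunk fixes "indistinguishable game" to "indistinguishability game" but leaves the surrounding grammar problems on the lines it already rewrites: "This kind of definition are also useful" needs subject-verb agreement ("This kind of definition is also useful" or "These kinds of definitions are also useful"), and "is no more an indistinguishability game" reads better as "is no longer an indistinguishability game". Since the hunk's unchanged context also contains "returns the signature ... and add $\sigma$ to $\ensemble{sign}$", consider fixing "add" to "adds" in the same pass.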