Indistinguishability

This commit is contained in:
Fabrice Mouhartem 2018-04-06 15:46:29 +02:00
parent ee1bc8c41d
commit 184bb30f27

View File

@ -202,7 +202,7 @@ The following section explains how to define the security of a cryptographic pri
Up to now, we defined the structure on which security proofs works. Let us now define what we are proving. Up to now, we defined the structure on which security proofs works. Let us now define what we are proving.
An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions. An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions.
In order to define security properties, a common manner is to define security \emph{games} (or \emph{experiments})~\cite{GM84}. In order to define security properties, a common manner is to define security \emph{games} (or \emph{experiments})~\cite{GM84,Sho06}.
Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: the \emph{indistinguishability under chosen-plaintext attacks} (\indcpa) for public-key encryption (\PKE) schemes and the \emph{existential unforgeability under chosen message attacks} (EU-CMA) for signature schemes. Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: the \emph{indistinguishability under chosen-plaintext attacks} (\indcpa) for public-key encryption (\PKE) schemes and the \emph{existential unforgeability under chosen message attacks} (EU-CMA) for signature schemes.
@ -245,9 +245,10 @@ We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage
This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$. This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$.
Which means that the adversary cannot get a single bit of information about the ciphertext. Which means that the adversary cannot get a single bit of information about the ciphertext.
This kind of definition are also useful to model anonymity. For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion. This kind of definition are also useful to model anonymity.
For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion.
On the other hand, the security definition for signature scheme is no more an indistinguishable game, but an unforgeability game. On the other hand, the security definition for signature scheme is no more an indistinguishability game, but an unforgeability game.
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries. The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability. Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.