Indistinguishability
This commit is contained in:
parent
ee1bc8c41d
commit
184bb30f27
@ -202,7 +202,7 @@ The following section explains how to define the security of a cryptographic pri
|
|||||||
Up to now, we defined the structure on which security proofs works. Let us now define what we are proving.
|
Up to now, we defined the structure on which security proofs works. Let us now define what we are proving.
|
||||||
An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions.
|
An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions.
|
||||||
|
|
||||||
In order to define security properties, a common manner is to define security \emph{games} (or \emph{experiments})~\cite{GM84}.
|
In order to define security properties, a common manner is to define security \emph{games} (or \emph{experiments})~\cite{GM84,Sho06}.
|
||||||
|
|
||||||
Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: the \emph{indistinguishability under chosen-plaintext attacks} (\indcpa) for public-key encryption (\PKE) schemes and the \emph{existential unforgeability under chosen message attacks} (EU-CMA) for signature schemes.
|
Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: the \emph{indistinguishability under chosen-plaintext attacks} (\indcpa) for public-key encryption (\PKE) schemes and the \emph{existential unforgeability under chosen message attacks} (EU-CMA) for signature schemes.
|
||||||
|
|
||||||
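Review bot: the context lines this hunk touches still carry two agreement errors: "the structure on which security proofs works" should read "work", and "Two examples of security game" should read "security games"; since the commit already edits this paragraph to extend the citation to `\cite{GM84,Sho06}`, both fixes belong in the same change. Also confirm that the `Sho06` key exists in the bibliography, otherwise the added citation only surfaces as `[?]` at build time.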
@ -245,9 +245,10 @@ We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage
|
|||||||
This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$.
|
This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$.
|
||||||
Which means that the adversary cannot get a single bit of information about the ciphertext.
|
Which means that the adversary cannot get a single bit of information about the ciphertext.
|
||||||
|
|
||||||
This kind of definition are also useful to model anonymity. For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion.
|
This kind of definition are also useful to model anonymity.
|
||||||
|
For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion.
|
||||||
|
|
||||||
On the other hand, the security definition for signature scheme is no more an indistinguishable game, but an unforgeability game.
|
On the other hand, the security definition for signature scheme is no more an indistinguishability game, but an unforgeability game.
|
||||||
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
|
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
|
||||||
|
|
||||||
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
|
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
|
||||||
|
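Review bot: the unchanged line "Which means that the adversary cannot get a single bit of information about the ciphertext." is a sentence fragment and names the wrong object: the adversary is given the ciphertext $\mathsf{ct}$; what the $\indcpa$ advantage bounds is what it learns about the encrypted plaintext (the bit selecting the message). Suggest attaching it to the previous sentence as ", which means that the adversary cannot learn a single bit of information about the plaintext from the ciphertext." Smaller points in the same hunk: "This kind of definition are" should be "is"; "is no more an indistinguishability game" should be "is no longer"; "and add $\sigma$ to $\ensemble{sign}$" should be "adds"; and "The initialization of these sets" is plural while only $\ensemble{sign}$ is introduced here, so either name the other sets or write "of this set".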