Some corrections
parent 51e3a4a7f8
commit 19440fa656
@ -268,15 +268,17 @@ The security definition of $\indcpa$ is defined as an indistinguishability game.
|
||||
The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}.
|
||||
In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments.
|
||||
In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments.
|
||||
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --- in the \emph{Real world} --- that interacts with a challenger $\cdv$
|
||||
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --- in the \emph{Ideal world} --- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ in the \emph{Ideal word} is replaced by a trusted third party.
|
||||
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ ---\,in the \emph{Real world}\,--- that interacts with a challenger $\cdv$
|
||||
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ ---\,in the \emph{Ideal world}\,--- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}.
|
||||
|
||||
In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality.
|
||||
|
||||
In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$.
|
||||
Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$.
|
||||
|
||||
For $\PKE$, it appears that this definition is equivalent to the indistinguishability definition~\cite[Se. 5.2.3]{Gol04}.
|
||||
For $\PKE$, the simulation-based definition for chosen plaintext security is the same as the indistinguishability security~\cite[Se. 5.2.3]{Gol04}.
|
||||
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
|
||||
For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}.
|
||||
Therefore, it is preferable to have security proofs of stronger definitions if possible.
|
||||
Therefore, it is preferable to have security proofs of the strongest possible definitions in theoretical cryptography.
|
||||
|
||||
|
||||
|
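Review bot: The simulator sentence still reads \emph{Ideal word} where \emph{Ideal world} is meant, in both its versions, and it still calls $\cdv'$ "the same challenger" although the preceding line names the challenger $\cdv$; fix the typo and either drop the prime or drop "same". The unchanged context needs the same pass on notation: the simulator is introduced as $\widehat{\adv}'$, but the later sentence says "a simulator $\widehat{\adv}$ that does not use $pk$" and then switches to $\mathcal A$ for the adversary, so use $\widehat{\adv}'$ for the simulator and $\widehat{\adv}$ for the adversary throughout. In the Goldreich sentence, "is the same as" is less precise than "is equivalent to" for a statement relating two security definitions, and "Se." in the \cite optional argument should be "Sec." or "Section". While this paragraph is being touched, the context lines "was although a simulation-based definition", "more things that what it can do" and "model are easier to manipulate, that's why" also need a grammar fix.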