Some corrections

This commit is contained in:
Fabrice Mouhartem 2018-02-10 17:29:14 +01:00
parent 51e3a4a7f8
commit 19440fa656


@ -268,15 +268,17 @@ The security definition of $\indcpa$ is defined as an indistinguishability game.
The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}.
In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments.
In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments.
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --- in the \emph{Real world} --- that interacts with a challenger $\cdv$
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --- in the \emph{Ideal world} --- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ in the \emph{Ideal word} is replaced by a trusted third party.
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ ---\,in the \emph{Real world}\,--- that interacts with a challenger $\cdv$
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ ---\,in the \emph{Ideal world}\,--- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}.
In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality.
In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$.
Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$.
For $\PKE$, it appears that this definition is equivalent to the indistinguishability definition~\cite[Se. 5.2.3]{Gol04}.
For $\PKE$, the simulation-based definition for chosen plaintext security is the same as the indistinguishability security~\cite[Se. 5.2.3]{Gol04}.
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}.
Therefore, it is preferable to have security proofs of stronger definitions if possible.
Therefore, it is preferable to have security proofs of the strongest possible definitions in theoretical cryptography.
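Review bot: the typo "Ideal word" that appears in the removed line is carried over unchanged into its replacement (the new line ends with "is replaced by a trusted third party in the \emph{Ideal word}."); it should read \emph{Ideal world}, matching the "Real world" / "Ideal world" pairing introduced two lines earlier. The same paragraph has a notation mismatch that this commit leaves in place: the sentence "Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$." names the simulator $\widehat{\adv}$ although the preceding sentence calls the simulator $\widehat{\adv}'$ and the adversary $\widehat{\adv}$, and $\mathcal A$ is not used anywhere else in the hunk; suggest "the existence of a simulator $\widehat{\adv}'$ that does not use $pk$ shows that $\widehat{\adv}$ does not learn anything from $pk$". Smaller wording issues in the unchanged context lines: "was although a simulation-based definition" reads as if "although" were meant to be "actually" or "originally"; "to do more things that what it can do" should be "than what it can do"; and "As indistinguishability based model are easier to manipulate, that's why this is the most common definition" is a run-on that would read better as "Since indistinguishability-based models are easier to manipulate, this is the most common definition". Finally, replacing "equivalent to" with "the same as" in the new line about~\cite[Se. 5.2.3]{Gol04} weakens the precision of the statement; the cited result is an equivalence of two definitions, so "equivalent to" is the more accurate phrasing.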