From 19440fa6562246a5aa486932aba1258587bed764 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Sat, 10 Feb 2018 17:29:14 +0100 Subject: [PATCH] Some corrects --- chap-proofs.tex | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/chap-proofs.tex b/chap-proofs.tex index 897c7ec..3d8de13 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex 
@@ -268,15 +268,17 @@ The security definition of $\indcpa$ is defined as an indistinguishability game. The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}. In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments. In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments. -Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --- in the \emph{Real world} --- that interacts with a challenger $\cdv$ -there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --- in the \emph{Ideal world} --- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ in the \emph{Ideal word} is replaced by a trusted third party. +Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ ---\,in the \emph{Real world}\,--- that interacts with a challenger $\cdv$ +there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ ---\,in the \emph{Ideal world}\,--- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}. In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality. In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$. Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$. -For $\PKE$, it appears that this definition is equivalent to the indistinguishability definition~\cite[Se. 5.2.3]{Gol04}. 
+For $\PKE$, the simulation-based definition for chosen plaintext security is the same as the indistinguishability security~\cite[Se. 5.2.3]{Gol04}. As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$. For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}. -Therefore, it is preferable to have security proofs of stronger definitions if possible. +Therefore, it is preferable to have security proofs of the strongest possible definitions in theoretical cryptography. + +
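Review bot: The rewritten simulator line still carries the typo "\emph{Ideal word}" (it should read "\emph{Ideal world}"), and it still says "the same challenger $\cdv'$" although the real-world challenger is named $\cdv$. Either drop "same" or use one symbol for both. In the unchanged context just below, the simulator appears as $\widehat{\adv}$ without the prime and the adversary as $\mathcal A$, so the sentence "the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$" no longer matches the notation introduced two lines earlier. Consider $\widehat{\adv}'$ for the simulator and $\widehat{\adv}$ for the adversary. In the second group of added lines, "is the same as the indistinguishability security" is less precise than the "equivalent to" it replaces, and "As indistinguishability based model are easier to manipulate, that's why this is the most common definition" is ungrammatical. One possible wording is "Since indistinguishability-based models are easier to manipulate, this is the most common definition". The citation "\cite[Se. 5.2.3]{Gol04}" should probably read "Sec. 5.2.3".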