Some corrections

Fabrice Mouhartem 2018-02-10 17:29:14 +01:00
parent 51e3a4a7f8
commit 19440fa656


@ -268,15 +268,17 @@ The security definition of $\indcpa$ is defined as an indistinguishability game.
The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}. The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}.
In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments. In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments.
In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments. In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments.
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --- in the \emph{Real world} --- that interacts with a challenger $\cdv$ Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ ---\,in the \emph{Real world}\,--- that interacts with a challenger $\cdv$
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --- in the \emph{Ideal world} --- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ in the \emph{Ideal word} is replaced by a trusted third party. there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ ---\,in the \emph{Ideal world}\,--- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}.
In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality. In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality.
In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$. In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$.
Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$. Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$.
For $\PKE$, it appears that this definition is equivalent to the indistinguishability definition~\cite[Se. 5.2.3]{Gol04}. For $\PKE$, the simulation-based definition for chosen plaintext security is the same as the indistinguishability security~\cite[Se. 5.2.3]{Gol04}.
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$. As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}. For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}.
Therefore, it is preferable to have security proofs of stronger definitions if possible. Therefore, it is preferable to have security proofs of the strongest possible definitions in theoretical cryptography.
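Review bot: the reordered "trusted third party" sentence (the one introducing the simulator $\widehat{\adv}'$) still carries the typo "Ideal word", which should be "Ideal world" as it is spelled everywhere else in this paragraph; since that line was rewritten anyway, fix it here. In the same hunk, the unchanged "Therefore, the existence of a simulator $\widehat{\adv}$ ... shows that $\mathcal A$ does not learn anything from $pk$" line uses different names from the sentence that defines them two lines earlier (simulator $\widehat{\adv}'$, adversary $\widehat{\adv}$); it should read "the existence of a simulator $\widehat{\adv}'$ that does not use $pk$ shows that $\widehat{\adv}$ does not learn anything from $pk$". Two grammar points on context lines the hunk touches: "does not allow $\widehat{\adv}$ to do more things that what it can do" should be "more than what it can do", and "As indistinguishability based model are easier to manipulate, that's why this is the most common definition" doubles the connective; "Indistinguishability-based models are easier to manipulate, which is why this is the most common definition ..." reads cleanly ("was although a simulation-based definition" on the first line likewise wants "was however" or "was originally"). Finally, the rewrite of the [Gol04, Se. 5.2.3] line replaced "equivalent to the indistinguishability definition" with "is the same as the indistinguishability security"; the two are distinct games that the cited section proves equivalent, so the original "equivalent to" was the more precise wording and is worth restoring.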