diff --git a/chap-proofs.tex b/chap-proofs.tex index 61e622b..e8787cb 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex @@ -2,12 +2,16 @@ Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model. To illustrate this notion, let us take the example of public-key encryption schemes. -This primitive consists in three algorithms:~key generation, encryption and decryption. +This primitive consists in three algorithms:~\textit{key generation}, \textit{encryption} and \textit{decryption}. These algorithms acts according to their names. -Then, the question of ``how to define the security of this set of algorithms'' rises. +Naturally, the question of ``how to define the security of this set of algorithms'' rises. To answer this question, we have to define the power of the adversary, and its goal. -To model those two notions, cryptographers uses security games. +In cryptography, many ways have been used to define this (random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots) which give rise to stronger security guarantees. +If one may look for the strongest security for its construction, there are known impossibility results in strong models. +For instance, in the $\UC$ model, it is impossible to realize two-party computation~\cite{Yao86} without honest set-up~\cite{CKL06}, while it is possible in the standard model~\cite{LP07}. +In this chapter, we will focus on the computational complexity elements we need to define properly the security models we will use in this thesis. +Then we will define these security models. %%%%%%%%%%%%%%%%%%%%%%% % Security Reductions % 
@@ -15,10 +19,26 @@ To model those two notions, cryptographers uses security games. \section{Security Reductions} Provable security focuses on providing constructions for which the security is guaranteed by a security proof, or security reduction. -These proofs consist in polynomial reductions from difficult problems: the hardness assumptions. -The quality of a proof depends on the security of the hardness assumption, and the tightness of the proof. +The name ``reduction'' comes from computational complexity. +In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them. +In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well. +This amounts to say that problem $B$ is at least as hard as problem $A$ up to the complexity of the transformation. +For instance, Cook shown that satisfiability of boolean formulas is at least as hard as every problem in $\NP$~\cite{Coo71} up to a polynomial-time transformation. +Let us now define more formally the notion of reduction, and the notion of computability \textit{via} Turing machines. + +\begin{definition}[Turing Machine] \label{de:turing-machine} + \newcommand\espace{\ensuremath{\square}\xspace} + A $k$-tape Turing Machine (TM) is described by a triple $M = (\Gamma, Q, \delta)$ containing: + \begin{itemize} + \item A finite set $\Gamma$, called the \textit{tape alphabet}, that contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``\espace'', and ``$\triangleright$'' that denotes the beginning of a tape. + \item A finite set $Q$ called the \textit{states} of the TM. 
It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}. + \item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and the TM heads.\\ + \smallskip + Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads according to $m_1, \ldots, m_k$. + \end{itemize} + + A TM $M$ is said to compute a function $f: \Sigma^\star \to \Gamma^\star$, if for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$. +\end{definition} - - -\section{Random-Oracle Model and Standard Model} +\section{Random-Oracle Model, Standard Model and Half-Simulatability} diff --git a/macros.tex b/macros.tex index bc49ba4..42ffcdb 100644 --- a/macros.tex +++ b/macros.tex @@ -1,3 +1,5 @@ +\usepackage{cryptocode} +\usepackage{complexity} % Abbreviations %% Usual \newcommand{\PPT}{\textsf{PPT}\xspace} @@ -16,6 +18,9 @@ \newcommand{\SIS}{\textsf{SIS}\xspace} \newcommand{\LWE}{\textsf{LWE}\xspace} \newcommand{\SIVP}{\ensuremath{\textsf{SIVP}_\gamma}\xspace} +%% Models +\newcommand{\UC}{\textrm{UC}\xspace} + % Operators diff --git a/symbols.tex b/symbols.tex index 54a5420..f60a05a 100644 --- a/symbols.tex +++ b/symbols.tex 
@@ -5,6 +5,7 @@ $\PPT$ & Probabilistic Polynomial Time \\ PKE & Public Key Encryption \\ ZK & Zero-Knowledge \\ + $\UC$ & Universal Composability \\ $\SIS$ & Short Integer Solution \\ $\LWE$ & Learning with Errors \\ $\SIVP$ & Shortest Independent Vectors Problem \\
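Review bot: in the first chap-proofs.tex hunk (@@ -2,12 +2,16 @@), the new sentence "In cryptography, many ways have been used to define this (random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots) which give rise to stronger security guarantees." lumps the random oracle model together with UC as a source of stronger guarantees, but the random oracle model is an idealised model that gives weaker guarantees than the standard model; suggest keeping "stronger" for $\UC$ only and presenting the random oracle model separately as an idealisation. The same hunk drops "To model those two notions, cryptographers uses security games." without the replacement paragraph introducing security games anywhere, so make sure the notion is still introduced before it is used. Minor wording: "rises" should be "arises", and "If one may look for the strongest security for its construction" reads more naturally as "While one may look for the strongest security notion for one's construction".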
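Review bot: in the second chap-proofs.tex hunk (@@ -15,10 +19,26 @@), the computability clause "A TM $M$ is said to compute a function $f: \Sigma^\star \to \Gamma^\star$" uses an input alphabet $\Sigma$ that the definition never introduces; either define $\Sigma \subseteq \Gamma \setminus \{\espace, \triangleright\}$ before the transition function or state $f$ over $\Gamma^\star$. In the same definition, "\newcommand\espace{\ensuremath{\square}\xspace}" is declared inside the definition environment, so it is local to that group and the blank symbol cannot be referred to in later text or proofs; move it to macros.tex with the other abbreviations. The transition function reads $k-1$ symbols (tapes $1$ to $k-1$) but writes $b_2, \ldots, b_k$ on tapes $2$ to $k$, which is consistent with a read-only input tape and a write-only output tape; a short explicit sentence saying so would spare the reader reconstructing it from the parenthesis. The renamed heading "\section{Random-Oracle Model, Standard Model and Half-Simulatability}" adds a topic that no added line in this hunk defines; keep the old title until the body covers half-simulatability, or add that text in the same change. Grammar: "Cook shown" should be "Cook showed", "define lower bound" should be "define lower bounds", and "This amounts to say" should be "This amounts to saying".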
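Review bot: in the first macros.tex hunk (@@ -1,3 +1,5 @@), the added "\usepackage{cryptocode}" and "\usepackage{complexity}" only work if macros.tex is \input in the preamble, before \begin{document}; please confirm that is where the file is loaded. The complexity package defines its own class macros (it is what makes the new "$\NP$" in chap-proofs.tex resolve), so check that none of the abbreviations defined further down in this file redefine a name it already provides, which would raise an "already defined" error. cryptocode is not exercised by any line added in this patch; if it is meant for later chapters, it would be clearer to add it with the change that first uses it.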
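Review bot: in the second macros.tex hunk (@@ -16,6 +18,9 @@), "\newcommand{\UC}{\textrm{UC}\xspace}" uses \textrm while every other abbreviation in this file (\PPT, \SIS, \LWE, \SIVP) uses \textsf, so UC will render in a different font from its neighbours in the symbols table and in the chapter text; suggest "\newcommand{\UC}{\textsf{UC}\xspace}" for consistency.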