Intro security proofs
This commit is contained in:
parent
09f6772bc0
commit
1c0b51222a
@ -2,12 +2,16 @@
|
|||||||
|
|
||||||
Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model.
|
Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model.
|
||||||
To illustrate this notion, let us take the example of public-key encryption schemes.
|
To illustrate this notion, let us take the example of public-key encryption schemes.
|
||||||
This primitive consists in three algorithms:~key generation, encryption and decryption.
|
This primitive consists in three algorithms:~\textit{key generation}, \textit{encryption} and \textit{decryption}.
|
||||||
These algorithms acts according to their names.
|
These algorithms acts according to their names.
|
||||||
Then, the question of ``how to define the security of this set of algorithms'' rises.
|
Naturally, the question of ``how to define the security of this set of algorithms'' rises.
|
||||||
To answer this question, we have to define the power of the adversary, and its goal.
|
To answer this question, we have to define the power of the adversary, and its goal.
|
||||||
To model those two notions, cryptographers uses security games.
|
In cryptography, many ways have been used to define this (random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots) which give rise to stronger security guarantees.
|
||||||
|
If one may look for the strongest security for its construction, there are known impossibility results in strong models.
|
||||||
|
For instance, in the $\UC$ model, it is impossible to realize two-party computation~\cite{Yao86} without honest set-up~\cite{CKL06}, while it is possible in the standard model~\cite{LP07}.
|
||||||
|
|
||||||
|
In this chapter, we will focus on the computational complexity elements we need to define properly the security models we will use in this thesis.
|
||||||
|
Then we will define these security models.
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
% Security Reductions %
|
% Security Reductions %
|
||||||
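Review bot: the replacement line "In cryptography, many ways have been used to define this (random oracle model, universal composability ($\UC$)...)" removes the only sentence that said how the adversary's power and goal are modelled (security games), so "this" no longer has a clear antecedent and the list of models appears before the reader knows what a security model is; keep a sentence such as "To model those two notions, cryptographers use security games" before listing the stronger models, and say what "stronger" is relative to (for instance the standard model). Smaller fixes in the surrounding lines: "consists in three algorithms" should be "consists of three algorithms", "These algorithms acts" should be "act", "the question ... rises" should be "arises", and "If one may look for the strongest security for its construction" reads better as "While one may look for the strongest security for one's construction".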
@ -15,10 +19,26 @@ To model those two notions, cryptographers uses security games.
|
|||||||
\section{Security Reductions}
|
\section{Security Reductions}
|
||||||
|
|
||||||
Provable security focuses on providing constructions for which the security is guaranteed by a security proof, or security reduction.
|
Provable security focuses on providing constructions for which the security is guaranteed by a security proof, or security reduction.
|
||||||
These proofs consist in polynomial reductions from difficult problems: the hardness assumptions.
|
The name ``reduction'' comes from computational complexity.
|
||||||
The quality of a proof depends on the security of the hardness assumption, and the tightness of the proof.
|
In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them.
|
||||||
|
In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well.
|
||||||
|
This amounts to say that problem $B$ is at least as hard as problem $A$ up to the complexity of the transformation.
|
||||||
|
For instance, Cook shown that satisfiability of boolean formulas is at least as hard as every problem in $\NP$~\cite{Coo71} up to a polynomial-time transformation.
|
||||||
|
Let us now define more formally the notion of reduction, and the notion of computability \textit{via} Turing machines.
|
||||||
|
|
||||||
|
\begin{definition}[Turing Machine] \label{de:turing-machine}
|
||||||
|
\newcommand\espace{\ensuremath{\square}\xspace}
|
||||||
|
A $k$-tape Turing Machine (TM) is described by a triple $M = (\Gamma, Q, \delta)$ containing:
|
||||||
|
\begin{itemize}
|
||||||
|
\item A finite set $\Gamma$, called the \textit{tape alphabet}, that contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``\espace'', and ``$\triangleright$'' that denotes the beginning of a tape.
|
||||||
|
\item A finite set $Q$ called the \textit{states} of the TM. It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
|
||||||
|
\item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and the TM heads.\\
|
||||||
|
\smallskip
|
||||||
|
Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads according to $m_1, \ldots, m_k$.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
A TM $M$ is said to compute a function $f: \Sigma^\star \to \Gamma^\star$, if for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.
|
||||||
|
\end{definition}
|
||||||
|
|
||||||
|
|
||||||
|
\section{Random-Oracle Model, Standard Model and Half-Simulatability}
|
||||||
|
|
||||||
\section{Random-Oracle Model and Standard Model}
|
|
||||||
|
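Review bot: in the closing paragraph of the Turing machine definition, "$f: \Sigma^\star \to \Gamma^\star$" uses an alphabet $\Sigma$ that the definition never introduces (only the tape alphabet $\Gamma$ is defined); either state that $\Sigma \subseteq \Gamma \setminus \{\espace, \triangleright\}$ is the input alphabet or write the domain over $\Gamma$ as well. Also, "\newcommand\espace{\ensuremath{\square}\xspace}" is declared inside the definition environment; it belongs with the other macros next to \UC rather than in the body of one definition. Minor: "Cook shown" should be "Cook showed", "define lower bound" should be "define a lower bound", "$Q \backslash \{q_{halt}\}$" is conventionally written "$Q \setminus \{q_{halt}\}$", and the "\\" before \smallskip inside the itemize can be dropped (end the item with a blank line instead) to avoid an underfull line.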
@ -1,3 +1,5 @@
|
|||||||
|
\usepackage{cryptocode}
|
||||||
|
\usepackage{complexity}
|
||||||
% Abbreviations
|
% Abbreviations
|
||||||
%% Usual
|
%% Usual
|
||||||
\newcommand{\PPT}{\textsf{PPT}\xspace}
|
\newcommand{\PPT}{\textsf{PPT}\xspace}
|
||||||
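Review bot: \usepackage{complexity} is loaded with no options, so the face it uses for class names such as \NP (introduced in the reductions section) should be checked against the \textsf{...} used by the hand-written abbreviations below (\PPT, \SIS, \LWE); otherwise \NP and \PPT will render in different typefaces in the same sentence. Pass the package's matching font option or define \NP alongside the other macros.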
@ -16,6 +18,9 @@
|
|||||||
\newcommand{\SIS}{\textsf{SIS}\xspace}
|
\newcommand{\SIS}{\textsf{SIS}\xspace}
|
||||||
\newcommand{\LWE}{\textsf{LWE}\xspace}
|
\newcommand{\LWE}{\textsf{LWE}\xspace}
|
||||||
\newcommand{\SIVP}{\ensuremath{\textsf{SIVP}_\gamma}\xspace}
|
\newcommand{\SIVP}{\ensuremath{\textsf{SIVP}_\gamma}\xspace}
|
||||||
|
%% Models
|
||||||
|
\newcommand{\UC}{\textrm{UC}\xspace}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
% Operators
|
% Operators
|
||||||
|
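Review bot: the new macro "\newcommand{\UC}{\textrm{UC}\xspace}" uses \textrm while every neighbouring abbreviation (\PPT, \SIS, \LWE, \SIVP) uses \textsf, so UC will be typeset in a different face from the other model and problem names it appears next to; use \textsf{UC} unless the roman face is deliberate, and if so say why in the "%% Models" comment.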
@ -5,6 +5,7 @@
|
|||||||
$\PPT$ & Probabilistic Polynomial Time \\
|
$\PPT$ & Probabilistic Polynomial Time \\
|
||||||
PKE & Public Key Encryption \\
|
PKE & Public Key Encryption \\
|
||||||
ZK & Zero-Knowledge \\
|
ZK & Zero-Knowledge \\
|
||||||
|
$\UC$ & Universal Composability \\
|
||||||
$\SIS$ & Short Integer Solution \\
|
$\SIS$ & Short Integer Solution \\
|
||||||
$\LWE$ & Learning with Errors \\
|
$\LWE$ & Learning with Errors \\
|
||||||
$\SIVP$ & Shortest Independent Vectors Problem \\
|
$\SIVP$ & Shortest Independent Vectors Problem \\
|
||||||
|