fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Notations

Browse Source
This commit is contained in:
Fabrice Mouhartem
2018-02-08 22:14:12 +01:00
parent 47a1d3fd95
commit 4289c4331c
1 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
chap-proofs.tex
View File

@@ -218,7 +218,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo
;\\
(m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\
\pcreturn (vk, \ensemble{sign} m^\star, \sigma^\star)
\pcreturn (vk, \ensemble{sign}, m^\star, \sigma^\star)
}}
}
\caption{Some security games examples} \label{fig:sec-game-examples}
@@ -227,7 +227,11 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\index{Reduction!Advantage}
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions.
To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as
\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|.\]
\[
\advantage{\indcpa}{\adv}(\lambda)
\triangleq
\left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|.
\]
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$.
@@ -242,7 +246,11 @@ The goal of the adversary is not to distinguish between two distributions, but t
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
For EU-CMA, the advantage of an adversary $\adv$ is defined as
\[ \advantage{\textrm{EU-CMA}}{\adv}(\lambda) = \Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right]. \]
\[
\advantage{\textrm{EU-CMA}}{\adv}(\lambda)
\triangleq
\Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right].
\]
And a signature scheme is considered unforgeable under chosen message attacks if for any $\ppt$ adversary $\adv$, the advantage of $\adv$ is negligible with respect to $\lambda$.