Notations

This commit is contained in:
Fabrice Mouhartem 2018-02-08 22:14:12 +01:00
parent 47a1d3fd95
commit 4289c4331c

View File

@ -218,7 +218,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo \pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo
;\\ ;\\
(m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\ (m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\
\pcreturn (vk, \ensemble{sign} m^\star, \sigma^\star) \pcreturn (vk, \ensemble{sign}, m^\star, \sigma^\star)
}} }}
} }
\caption{Some security games examples} \label{fig:sec-game-examples} \caption{Some security games examples} \label{fig:sec-game-examples}
@ -227,7 +227,11 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\index{Reduction!Advantage} \index{Reduction!Advantage}
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions. The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions.
To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as
\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|.\] \[
\advantage{\indcpa}{\adv}(\lambda)
\triangleq
\left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|.
\]
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$. We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$.
@ -242,7 +246,11 @@ The goal of the adversary is not to distinguish between two distributions, but t
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability. Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
For EU-CMA, the advantage of an adversary $\adv$ is defined as For EU-CMA, the advantage of an adversary $\adv$ is defined as
\[ \advantage{\textrm{EU-CMA}}{\adv}(\lambda) = \Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right]. \] \[
\advantage{\textrm{EU-CMA}}{\adv}(\lambda)
\triangleq
\Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right].
\]
And a signature scheme is considered unforgeable under chosen message attacks if for any $\ppt$ adversary $\adv$, the advantage of $\adv$ is negligible with respect to $\lambda$. And a signature scheme is considered unforgeable under chosen message attacks if for any $\ppt$ adversary $\adv$, the advantage of $\adv$ is negligible with respect to $\lambda$.