Security games
This commit is contained in:
parent
5751ba4032
commit
47a1d3fd95
@ -214,11 +214,11 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
|
||||
\fbox{
|
||||
\procedure{$\Exp{\mathrm{EU-CMA}}{\adv}(\lambda)$}{
|
||||
(vk,sk) \gets \Sigma.\mathsf{keygen}(1^\lambda)\\
|
||||
\mathsf{st} \gets \emptyset\\
|
||||
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \mathcal O^{\mathsf{sign}}) \pcdo
|
||||
\mathsf{st} \gets \emptyset; \ensemble{sign} = \emptyset\\
|
||||
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo
|
||||
;\\
|
||||
(m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\
|
||||
\pcreturn (m^\star, \sigma^\star)
|
||||
\pcreturn (vk, \ensemble{sign} m^\star, \sigma^\star)
|
||||
}}
|
||||
}
|
||||
\caption{Some security games examples} \label{fig:sec-game-examples}
|
||||
@ -227,7 +227,23 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
|
||||
\index{Reduction!Advantage}
|
||||
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions.
|
||||
To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as
|
||||
\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 ] - \Pr[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1] \right|.\]
|
||||
\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|.\]
|
||||
|
||||
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$.
|
||||
|
||||
This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$.
|
||||
Which means that the adversary cannot get a single bit of information about the ciphertext.
|
||||
|
||||
This kind of definition are also useful to mode anonymity. For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion.
|
||||
|
||||
On the other hand, the security definition for signature scheme is no more an indistinguishable game, but an unforgeability game.
|
||||
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
|
||||
|
||||
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
|
||||
|
||||
For EU-CMA, the advantage of an adversary $\adv$ is defined as
|
||||
\[ \advantage{\textrm{EU-CMA}}{\adv}(\lambda) = \Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right]. \]
|
||||
|
||||
And a signature scheme is considered unforgeable under chosen message attacks if for any $\ppt$ adversary $\adv$, the advantage of $\adv$ is negligible with respect to $\lambda$.
|
||||
|
||||
Meaning that no one can create a new valid signature for any messages within reasonable time and reasonable luck.
|
||||
|
Loading…
Reference in New Issue
Block a user