fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security games

Browse Source
This commit is contained in:
Fabrice Mouhartem
2018-02-08 19:42:15 +01:00
parent 5751ba4032
commit 47a1d3fd95
1 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
chap-proofs.tex
View File

@@ -214,11 +214,11 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\fbox{
\procedure{$\Exp{\mathrm{EU-CMA}}{\adv}(\lambda)$}{
(vk,sk) \gets \Sigma.\mathsf{keygen}(1^\lambda)\\
\mathsf{st} \gets \emptyset\\
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \mathcal O^{\mathsf{sign}}) \pcdo
\mathsf{st} \gets \emptyset; \ensemble{sign} = \emptyset\\
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo
;\\
(m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\
\pcreturn (m^\star, \sigma^\star)
\pcreturn (vk, \ensemble{sign} m^\star, \sigma^\star)
}}
}
\caption{Some security games examples} \label{fig:sec-game-examples}
@@ -227,7 +227,23 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\index{Reduction!Advantage}
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions.
To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as
\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 ] - \Pr[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1] \right|.\]
\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|.\]
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$.
This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$.
Which means that the adversary cannot get a single bit of information about the ciphertext.
This kind of definition are also useful to mode anonymity. For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion.
On the other hand, the security definition for signature scheme is no more an indistinguishable game, but an unforgeability game.
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
For EU-CMA, the advantage of an adversary $\adv$ is defined as
\[ \advantage{\textrm{EU-CMA}}{\adv}(\lambda) = \Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right]. \]
And a signature scheme is considered unforgeable under chosen message attacks if for any $\ppt$ adversary $\adv$, the advantage of $\adv$ is negligible with respect to $\lambda$.
Meaning that no one can create a new valid signature for any messages within reasonable time and reasonable luck.