From 47a1d3fd95e57435bfcd7fdb5bdc73c1660c5ea0 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Thu, 8 Feb 2018 19:42:15 +0100 Subject: [PATCH] Security games --- chap-proofs.tex | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/chap-proofs.tex b/chap-proofs.tex index 1c47ac7..310477c 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex @@ -214,11 +214,11 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t \fbox{ \procedure{$\Exp{\mathrm{EU-CMA}}{\adv}(\lambda)$}{ (vk,sk) \gets \Sigma.\mathsf{keygen}(1^\lambda)\\ - \mathsf{st} \gets \emptyset\\ - \pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \mathcal O^{\mathsf{sign}}) \pcdo + \mathsf{st} \gets \emptyset; \ensemble{sign} = \emptyset\\ + \pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \oracle{sign}{sk,\cdot} ) \pcdo ;\\ (m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\ - \pcreturn (m^\star, \sigma^\star) + \pcreturn (vk, \ensemble{sign} m^\star, \sigma^\star) }} } \caption{Some security games examples} \label{fig:sec-game-examples} @@ -227,7 +227,23 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t \index{Reduction!Advantage} The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions. To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as -\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 ] - \Pr[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1] \right|.\] +\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|.\] We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$. +This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$. +Which means that the adversary cannot get a single bit of information about the ciphertext. + +This kind of definition are also useful to mode anonymity. For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion. + +On the other hand, the security definition for signature scheme is no more an indistinguishable game, but an unforgeability game. +The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries. + +Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability. + +For EU-CMA, the advantage of an adversary $\adv$ is defined as +\[ \advantage{\textrm{EU-CMA}}{\adv}(\lambda) = \Pr\left[ \Sigma.\mathsf{verif}(vk, m^\star, \sigma^\star) = \top~\land~ \sigma^\star \notin \ensemble{sign} \right]. \] + +And a signature scheme is considered unforgeable under chosen message attacks if for any $\ppt$ adversary $\adv$, the advantage of $\adv$ is negligible with respect to $\lambda$. + +Meaning that no one can create a new valid signature for any messages within reasonable time and reasonable luck.