Continuation

This commit is contained in:
Fabrice Mouhartem 2018-02-08 19:12:22 +01:00
parent 4bd9fddadb
commit 5751ba4032

View File

@ -18,7 +18,7 @@ Then we will define these security models.
%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%
\section{Security Reductions} \section{Security Reductions}
Provable security focuses on providing constructions for which the security is guaranteed by a security proof, or security reduction. Provable security providing constructions for which the security is guaranteed by a security proof, or \emph{security reduction}.
The name ``reduction'' comes from computational complexity. The name ``reduction'' comes from computational complexity.
In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them. In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them.
In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well. In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well.
@ -88,10 +88,10 @@ That's why we'll now define the principle of polynomial time reduction.
\begin{figure} \begin{figure}
\centering \centering
\input fig-poly-red \input fig-poly-red
\caption{Illustration of a polynomial-time reduction~{\cite[Fig. 2.1]{AB09}}} \label{fig:poly-reduction} \caption{Illustration of a polynomial-time reduction~{\cite[Fig. 2.1]{AB09}}.} \label{fig:poly-reduction}
\end{figure} \end{figure}
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ to solve $A$. In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
This is illustrated in Figure~\ref{fig:poly-reduction}. This is illustrated in Figure~\ref{fig:poly-reduction}.
We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction. We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction.
@ -102,9 +102,9 @@ In cryptology, it is also important to consider the success probability of algor
an attack is successful if the probability that it succeed is noticeable. an attack is successful if the probability that it succeed is noticeable.
\index{Negligible function} \index{Negligible function}
\scbf{Notation.} Let $f : \NN \to [0,1]$ be a function. The function $f$ is called \emph{negligible} if $f(n) = n^{-\omega(1)}_{}$, and this is written $f(n) = \negl[n]$. \scbf{Notation.} Let $f : \NN \to [0,1]$ be a function. The function $f$ is said to be \emph{negligible} if $f(n) = n^{-\omega(1)}_{}$, and this is written $f(n) = \negl[n]$.
Non-negligible functions are called \emph{noticeable} functions. Non-negligible functions are also called \emph{noticeable} functions.
And if $f = 1- \negl[n]$, $f$ is called \emph{overwhelming}. And if $f = 1- \negl[n]$, $f$ is said to be \emph{overwhelming}.
Once that we define the notions related to the core of the proof, we have to define the objects on what we work on. Once that we define the notions related to the core of the proof, we have to define the objects on what we work on.
Namely, defining what we want to prove, and the hypotheses on which we rely, also called ``hardness assumption''. Namely, defining what we want to prove, and the hypotheses on which we rely, also called ``hardness assumption''.
@ -112,7 +112,7 @@ Namely, defining what we want to prove, and the hypotheses on which we rely, als
The details of the hardness assumptions we use are given in Chapter~\ref{chap:structures}. The details of the hardness assumptions we use are given in Chapter~\ref{chap:structures}.
Nevertheless, some notions are common to these and are evoked here. Nevertheless, some notions are common to these and are evoked here.
The amount of confidence one can put in a hardness assumption is given by many criteria. The confidence one can put in a hardness assumption depends on many criteria.
First of all, a weaker assumption is preferred to a stronger one if it is possible. First of all, a weaker assumption is preferred to a stronger one if it is possible.
To illustrate this, let us consider the two following assumptions: To illustrate this, let us consider the two following assumptions:
@ -147,13 +147,15 @@ There are also other kind of non-static assumptions, such as interactive assumpt
An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption. An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption.
Given oracle access to $n$ discrete logarithm queries ($n$ is not known in advance), the $1$-more-\textsf{DL} problem is to solve a $n+1$-th discrete logarithm. Given oracle access to $n$ discrete logarithm queries ($n$ is not known in advance), the $1$-more-\textsf{DL} problem is to solve a $n+1$-th discrete logarithm.
Non-interactive and constant-size assumptions are sometimes called ``\textit{standard}''.
The next step to study in a security proof is the \emph{security model}. The next step to study in a security proof is the \emph{security model}.
In other words, the context in which the proofs are made. In other words, the context in which the proofs are made.
This is the topic of the next section. This is the topic of the next section.
\section{Random-Oracle Model and Standard Model} \label{se:models} \section{Random-Oracle Model and Standard Model} \label{se:models}
The most general model to do security proofs is the standard model. The most general model to do security proofs is the \textit{standard model}.
In this model, nothing special is assumed, and every assumptions are explicit. In this model, nothing special is assumed, and every assumptions are explicit.
For instance, cryptographic hash functions enjoy several different associated security notions~\cite{KL07}. For instance, cryptographic hash functions enjoy several different associated security notions~\cite{KL07}.
@ -168,10 +170,10 @@ This implies collision resistance (if the codomain of the hash function is large
In this model, hash function access are managed as oracle access (which then can be reprogrammed by the reduction). In this model, hash function access are managed as oracle access (which then can be reprogrammed by the reduction).
We can notice that this security model is unrealistic~\cite{CGH04}. Let us construct a \emph{counter-example}. We can notice that this security model is unrealistic~\cite{CGH04}. Let us construct a \emph{counter-example}.
Let $\pi$ be a secure signature scheme, and let $\pi_y^{}$ be the scheme that returns $\pi(m)$ as a signature if and only if $h(0) \neq y$ and $0$ as a signature otherwise. Let $\Sigma$ be a secure signature scheme, and let $\Sigma_y^{}$ be the scheme that returns $\Sigma(m)$ as a signature if and only if $h(0) \neq y$ and $0$ as a signature otherwise.
In the \ROM $h$ behaves as a random function. In the \ROM $h$ behaves as a random function.
Hence, the probability that $h(0) = y$ is negligible with respect to the security parameter for any fixed $y$. Hence, the probability that $h(0) = y$ is negligible with respect to the security parameter for any fixed $y$.
On the other hand, it appears that when $h$ is instantiated with a real world hash function, then $\pi_{h(0)}$ is completely insecure as a signature scheme. \hfill $\square$ On the other hand, it appears that when $h$ is instantiated with a real world hash function, then $\Sigma_{h(0)}$ is completely insecure as a signature scheme. \hfill $\square$
In this context, one may wonder why is the \ROM still used in cryptographic proofs~\cite{LMPY16,LLM+16}. In this context, one may wonder why is the \ROM still used in cryptographic proofs~\cite{LMPY16,LLM+16}.
One reason is that some constructions are not known to exist yet from the standard model. One reason is that some constructions are not known to exist yet from the standard model.
@ -185,4 +187,47 @@ Thus, for practical purpose, constructions in the \ROM are usually more efficien
For instance, the scheme we present in Chapter~\ref{ch:sigmasig} adapts the construction of dynamic group signature in the standard model from Libert, Peters and Yung~\cite{LPY15} in the \ROM. For instance, the scheme we present in Chapter~\ref{ch:sigmasig} adapts the construction of dynamic group signature in the standard model from Libert, Peters and Yung~\cite{LPY15} in the \ROM.
Doing this transform reduces the signature size from $32$ elements in $\GG$, $14$ elements in $\Gh$ and \textit{one} scalars in the standard model~\cite[App. J]{LPY15} down to $7$ elements in $\GG$ and $3$ scalars in the \ROM. Doing this transform reduces the signature size from $32$ elements in $\GG$, $14$ elements in $\Gh$ and \textit{one} scalars in the standard model~\cite[App. J]{LPY15} down to $7$ elements in $\GG$ and $3$ scalars in the \ROM.
We now have defined the security structure on which we are working on and the basic tools that allows security proofs.
The following section explains how to define the security of a cryptographic primitive.
\section{Security Games and Half-Simulatability}
Up to now, we defined the structure on which security proofs works. Let us now define what we are proving.
An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions.
In order to define security properties, a common manner is to define security \emph{games} (or \emph{experiments})~\cite{GM84}.
Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: the \emph{indistinguishability under chosen-plaintext attacks} (\indcpa) for public-key encryption (\PKE) schemes and the \emph{existential unforgeability under chosen message attacks} (EU-CMA) for signature schemes.
\begin{figure}
\centering
\subfloat[\indcpa{} game for \PKE]{
\fbox{\procedure{$\Exp{\indcpa}{\adv, b}(\lambda)$}{%
(pk,sk) \gets \mathcal E.\mathsf{keygen}(1^\lambda)\\
(m_0, m_1) \gets \adv(pk, 1^\lambda)\\
\mathsf{ct} \gets \mathcal E.\mathsf{enc}(m_b)\\
b' \gets \adv(pk, 1^\lambda, \mathsf{ct})\\
\pcreturn b'
}}
} \hspace{1cm}
\subfloat[EU-CMA game for signatures]{
\fbox{
\procedure{$\Exp{\mathrm{EU-CMA}}{\adv}(\lambda)$}{
(vk,sk) \gets \Sigma.\mathsf{keygen}(1^\lambda)\\
\mathsf{st} \gets \emptyset\\
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \mathcal O^{\mathsf{sign}}) \pcdo
;\\
(m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\
\pcreturn (m^\star, \sigma^\star)
}}
}
\caption{Some security games examples} \label{fig:sec-game-examples}
\end{figure}
\index{Reduction!Advantage}
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions.
To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as
\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 ] - \Pr[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1] \right|.\]
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$.