Continuation
This commit is contained in:
parent
4bd9fddadb
commit
5751ba4032
@ -18,7 +18,7 @@ Then we will define these security models.
|
|||||||
%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
\section{Security Reductions}
|
\section{Security Reductions}
|
||||||
|
|
||||||
Provable security focuses on providing constructions for which the security is guaranteed by a security proof, or security reduction.
|
Provable security providing constructions for which the security is guaranteed by a security proof, or \emph{security reduction}.
|
||||||
The name ``reduction'' comes from computational complexity.
|
The name ``reduction'' comes from computational complexity.
|
||||||
In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them.
|
In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them.
|
||||||
In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well.
|
In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well.
|
||||||
@ -88,10 +88,10 @@ That's why we'll now define the principle of polynomial time reduction.
|
|||||||
\begin{figure}
|
\begin{figure}
|
||||||
\centering
|
\centering
|
||||||
\input fig-poly-red
|
\input fig-poly-red
|
||||||
\caption{Illustration of a polynomial-time reduction~{\cite[Fig. 2.1]{AB09}}} \label{fig:poly-reduction}
|
\caption{Illustration of a polynomial-time reduction~{\cite[Fig. 2.1]{AB09}}.} \label{fig:poly-reduction}
|
||||||
\end{figure}
|
\end{figure}
|
||||||
|
|
||||||
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ to solve $A$.
|
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
|
||||||
This is illustrated in Figure~\ref{fig:poly-reduction}.
|
This is illustrated in Figure~\ref{fig:poly-reduction}.
|
||||||
|
|
||||||
We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction.
|
We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction.
|
||||||
@ -102,9 +102,9 @@ In cryptology, it is also important to consider the success probability of algor
|
|||||||
an attack is successful if the probability that it succeed is noticeable.
|
an attack is successful if the probability that it succeed is noticeable.
|
||||||
|
|
||||||
\index{Negligible function}
|
\index{Negligible function}
|
||||||
\scbf{Notation.} Let $f : \NN \to [0,1]$ be a function. The function $f$ is called \emph{negligible} if $f(n) = n^{-\omega(1)}_{}$, and this is written $f(n) = \negl[n]$.
|
\scbf{Notation.} Let $f : \NN \to [0,1]$ be a function. The function $f$ is said to be \emph{negligible} if $f(n) = n^{-\omega(1)}_{}$, and this is written $f(n) = \negl[n]$.
|
||||||
Non-negligible functions are called \emph{noticeable} functions.
|
Non-negligible functions are also called \emph{noticeable} functions.
|
||||||
And if $f = 1- \negl[n]$, $f$ is called \emph{overwhelming}.
|
And if $f = 1- \negl[n]$, $f$ is said to be \emph{overwhelming}.
|
||||||
|
|
||||||
Once that we define the notions related to the core of the proof, we have to define the objects on what we work on.
|
Once that we define the notions related to the core of the proof, we have to define the objects on what we work on.
|
||||||
Namely, defining what we want to prove, and the hypotheses on which we rely, also called ``hardness assumption''.
|
Namely, defining what we want to prove, and the hypotheses on which we rely, also called ``hardness assumption''.
|
||||||
@ -112,7 +112,7 @@ Namely, defining what we want to prove, and the hypotheses on which we rely, als
|
|||||||
The details of the hardness assumptions we use are given in Chapter~\ref{chap:structures}.
|
The details of the hardness assumptions we use are given in Chapter~\ref{chap:structures}.
|
||||||
Nevertheless, some notions are common to these and are evoked here.
|
Nevertheless, some notions are common to these and are evoked here.
|
||||||
|
|
||||||
The amount of confidence one can put in a hardness assumption is given by many criteria.
|
The confidence one can put in a hardness assumption depends on many criteria.
|
||||||
|
|
||||||
First of all, a weaker assumption is preferred to a stronger one if it is possible.
|
First of all, a weaker assumption is preferred to a stronger one if it is possible.
|
||||||
To illustrate this, let us consider the two following assumptions:
|
To illustrate this, let us consider the two following assumptions:
|
||||||
@ -147,13 +147,15 @@ There are also other kind of non-static assumptions, such as interactive assumpt
|
|||||||
An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption.
|
An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption.
|
||||||
Given oracle access to $n$ discrete logarithm queries ($n$ is not known in advance), the $1$-more-\textsf{DL} problem is to solve a $n+1$-th discrete logarithm.
|
Given oracle access to $n$ discrete logarithm queries ($n$ is not known in advance), the $1$-more-\textsf{DL} problem is to solve a $n+1$-th discrete logarithm.
|
||||||
|
|
||||||
|
Non-interactive and constant-size assumptions are sometimes called ``\textit{standard}''.
|
||||||
|
|
||||||
The next step to study in a security proof is the \emph{security model}.
|
The next step to study in a security proof is the \emph{security model}.
|
||||||
In other words, the context in which the proofs are made.
|
In other words, the context in which the proofs are made.
|
||||||
This is the topic of the next section.
|
This is the topic of the next section.
|
||||||
|
|
||||||
\section{Random-Oracle Model and Standard Model} \label{se:models}
|
\section{Random-Oracle Model and Standard Model} \label{se:models}
|
||||||
|
|
||||||
The most general model to do security proofs is the standard model.
|
The most general model to do security proofs is the \textit{standard model}.
|
||||||
In this model, nothing special is assumed, and every assumptions are explicit.
|
In this model, nothing special is assumed, and every assumptions are explicit.
|
||||||
|
|
||||||
For instance, cryptographic hash functions enjoy several different associated security notions~\cite{KL07}.
|
For instance, cryptographic hash functions enjoy several different associated security notions~\cite{KL07}.
|
||||||
@ -168,10 +170,10 @@ This implies collision resistance (if the codomain of the hash function is large
|
|||||||
In this model, hash function access are managed as oracle access (which then can be reprogrammed by the reduction).
|
In this model, hash function access are managed as oracle access (which then can be reprogrammed by the reduction).
|
||||||
|
|
||||||
We can notice that this security model is unrealistic~\cite{CGH04}. Let us construct a \emph{counter-example}.
|
We can notice that this security model is unrealistic~\cite{CGH04}. Let us construct a \emph{counter-example}.
|
||||||
Let $\pi$ be a secure signature scheme, and let $\pi_y^{}$ be the scheme that returns $\pi(m)$ as a signature if and only if $h(0) \neq y$ and $0$ as a signature otherwise.
|
Let $\Sigma$ be a secure signature scheme, and let $\Sigma_y^{}$ be the scheme that returns $\Sigma(m)$ as a signature if and only if $h(0) \neq y$ and $0$ as a signature otherwise.
|
||||||
In the \ROM $h$ behaves as a random function.
|
In the \ROM $h$ behaves as a random function.
|
||||||
Hence, the probability that $h(0) = y$ is negligible with respect to the security parameter for any fixed $y$.
|
Hence, the probability that $h(0) = y$ is negligible with respect to the security parameter for any fixed $y$.
|
||||||
On the other hand, it appears that when $h$ is instantiated with a real world hash function, then $\pi_{h(0)}$ is completely insecure as a signature scheme. \hfill $\square$
|
On the other hand, it appears that when $h$ is instantiated with a real world hash function, then $\Sigma_{h(0)}$ is completely insecure as a signature scheme. \hfill $\square$
|
||||||
|
|
||||||
In this context, one may wonder why is the \ROM still used in cryptographic proofs~\cite{LMPY16,LLM+16}.
|
In this context, one may wonder why is the \ROM still used in cryptographic proofs~\cite{LMPY16,LLM+16}.
|
||||||
One reason is that some constructions are not known to exist yet from the standard model.
|
One reason is that some constructions are not known to exist yet from the standard model.
|
||||||
@ -185,4 +187,47 @@ Thus, for practical purpose, constructions in the \ROM are usually more efficien
|
|||||||
For instance, the scheme we present in Chapter~\ref{ch:sigmasig} adapts the construction of dynamic group signature in the standard model from Libert, Peters and Yung~\cite{LPY15} in the \ROM.
|
For instance, the scheme we present in Chapter~\ref{ch:sigmasig} adapts the construction of dynamic group signature in the standard model from Libert, Peters and Yung~\cite{LPY15} in the \ROM.
|
||||||
Doing this transform reduces the signature size from $32$ elements in $\GG$, $14$ elements in $\Gh$ and \textit{one} scalars in the standard model~\cite[App. J]{LPY15} down to $7$ elements in $\GG$ and $3$ scalars in the \ROM.
|
Doing this transform reduces the signature size from $32$ elements in $\GG$, $14$ elements in $\Gh$ and \textit{one} scalars in the standard model~\cite[App. J]{LPY15} down to $7$ elements in $\GG$ and $3$ scalars in the \ROM.
|
||||||
|
|
||||||
|
We now have defined the security structure on which we are working on and the basic tools that allows security proofs.
|
||||||
|
The following section explains how to define the security of a cryptographic primitive.
|
||||||
|
|
||||||
|
\section{Security Games and Half-Simulatability}
|
||||||
|
|
||||||
|
Up to now, we defined the structure on which security proofs works. Let us now define what we are proving.
|
||||||
|
An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions.
|
||||||
|
|
||||||
|
In order to define security properties, a common manner is to define security \emph{games} (or \emph{experiments})~\cite{GM84}.
|
||||||
|
|
||||||
|
Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: the \emph{indistinguishability under chosen-plaintext attacks} (\indcpa) for public-key encryption (\PKE) schemes and the \emph{existential unforgeability under chosen message attacks} (EU-CMA) for signature schemes.
|
||||||
|
|
||||||
|
\begin{figure}
|
||||||
|
\centering
|
||||||
|
\subfloat[\indcpa{} game for \PKE]{
|
||||||
|
\fbox{\procedure{$\Exp{\indcpa}{\adv, b}(\lambda)$}{%
|
||||||
|
(pk,sk) \gets \mathcal E.\mathsf{keygen}(1^\lambda)\\
|
||||||
|
(m_0, m_1) \gets \adv(pk, 1^\lambda)\\
|
||||||
|
\mathsf{ct} \gets \mathcal E.\mathsf{enc}(m_b)\\
|
||||||
|
b' \gets \adv(pk, 1^\lambda, \mathsf{ct})\\
|
||||||
|
\pcreturn b'
|
||||||
|
}}
|
||||||
|
} \hspace{1cm}
|
||||||
|
\subfloat[EU-CMA game for signatures]{
|
||||||
|
\fbox{
|
||||||
|
\procedure{$\Exp{\mathrm{EU-CMA}}{\adv}(\lambda)$}{
|
||||||
|
(vk,sk) \gets \Sigma.\mathsf{keygen}(1^\lambda)\\
|
||||||
|
\mathsf{st} \gets \emptyset\\
|
||||||
|
\pcwhile \adv(\texttt{query}, vk, \mathsf{st}, \mathcal O^{\mathsf{sign}}) \pcdo
|
||||||
|
;\\
|
||||||
|
(m^\star, \sigma^\star) \gets \adv(\texttt{forge}, vk, \mathsf{st}) \\
|
||||||
|
\pcreturn (m^\star, \sigma^\star)
|
||||||
|
}}
|
||||||
|
}
|
||||||
|
\caption{Some security games examples} \label{fig:sec-game-examples}
|
||||||
|
\end{figure}
|
||||||
|
|
||||||
|
\index{Reduction!Advantage}
|
||||||
|
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions.
|
||||||
|
To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as
|
||||||
|
\[ \advantage{\indcpa}{\adv}(\lambda) = \left| \Pr[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 ] - \Pr[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1] \right|.\]
|
||||||
|
|
||||||
|
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$.
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user