Uniformize math
This commit is contained in:
parent
9d478c72fc
commit
779f186db1
|
|
@ -224,15 +224,16 @@ following oracles:
|
|||
the prospective user in the join protocol. If this protocol successfully
|
||||
ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user
|
||||
$n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets
|
||||
$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n, \transcript_n \rangle$.
|
||||
$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$.
|
||||
%
|
||||
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
|
||||
to introduce new honest group members of its choice. The interface
|
||||
triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in
|
||||
triggers an execution of $\langle \join_{\user},\join_{\GM} \rangle$ and runs $\join_{\user}$ in
|
||||
interaction with the adversary who runs $\join_{\GM}$. If the protocol
|
||||
successfully completes, the interface increments $n$, adds user $n$ to
|
||||
$\mathsf{st}_{users}$ and $U^b$ and sets $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n,
|
||||
\transcript_n \rangle$. It stores the membership certificate $\crt_{n }$
|
||||
$\mathsf{st}_{users}$ and $U^b$ and sets
|
||||
$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$.
|
||||
It stores the membership certificate $\crt_{n }$
|
||||
and the membership secret $\scr_{n }$ in a \textit{private} part of
|
||||
$\mathsf{state}_{\interface}$.
|
||||
%
|
||||
|
|
|
|||
14
chap-ZK.tex
14
chap-ZK.tex
|
|
@ -16,13 +16,13 @@ In this section, we first present the general principles and basic tools to hand
|
|||
|
||||
\begin{definition}[Zero-knowledge proofs and arguments]
|
||||
\label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument}
|
||||
Let $R = \{ (x, w) \in \mathcal L \times \mathcal R \}$ be a binary relation.
|
||||
Let $R = \{ (x, w) \in \mathcal{L} \times \mathcal{R} \}$ be a binary relation.
|
||||
A \textit{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$ where $V$ outputs a bit $b$ at the end of the interaction.
|
||||
This is written as $\langle P(x,w) , V(x) \rangle = b$.
|
||||
The aforementioned protocol should also verify the following properties.
|
||||
\begin{description}
|
||||
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$.
|
||||
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
|
||||
\item[Soundness.] For all $x \in \mathcal{L}$, for any $\bar w \in \mathcal{R}$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
|
||||
$\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
|
||||
where $s$ is called the \textit{soundness error}.
|
||||
\item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
|
||||
|
|
@ -167,10 +167,10 @@ Another useful primitives are the non-interactive version of zero-knowledge proo
|
|||
\begin{definition}[Non Interactive Zero Knowledge]
|
||||
\index{Zero Knowledge!NIZK}
|
||||
\label{de:nizk-proofs}
|
||||
A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties.
|
||||
A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal{L} \times \mathcal{R}\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal{L}$ and $w \in \mathcal{R}$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties.
|
||||
\begin{description}
|
||||
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$.
|
||||
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
|
||||
\item[Soundness.] For all $x \in \mathcal{L}$, for any $\bar w \in \mathcal{R}$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
|
||||
$\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$
|
||||
\item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable.
|
||||
\end{description}
|
||||
|
|
@ -180,12 +180,12 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
|
|||
|
||||
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
|
||||
\index{Zero Knowledge!Fiat-Shamir Transform}
|
||||
Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.
|
||||
Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal{H}$ be a cryptographic hash function.
|
||||
|
||||
Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
|
||||
\begin{enumerate}
|
||||
\item First run $P_1(x,w)$ to get a random commitment $\cmt$ and a state information $\mathsf{st}_P$;
|
||||
\item Generate the challenge as $\chall \gets \mathcal H(x,\cmt)$;
|
||||
\item Generate the challenge as $\chall \gets \mathcal{H}(x,\cmt)$;
|
||||
\item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$;
|
||||
\item Return the proof $\pi = (\cmt, \rsp)$.
|
||||
\end{enumerate}
|
||||
|
|
@ -193,7 +193,7 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
|
|||
And let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$:
|
||||
\begin{enumerate}
|
||||
\item Parse $\pi$ as $(\cmt, \rsp)$;
|
||||
\item Generate the challenge $\chall = \mathcal H(x, \cmt)$;
|
||||
\item Generate the challenge $\chall = \mathcal{H}(x, \cmt)$;
|
||||
\item Return $V_2(x, \chall, \rsp, \emptyset)$.
|
||||
\end{enumerate}
|
||||
|
||||
|
|
|
|||
|
|
@ -215,9 +215,9 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
|
|||
\centering
|
||||
\subfloat[\indcpa{} game for \PKE]{
|
||||
\fbox{\procedure{$\Exp{\indcpa}{\adv, b}(\lambda)$}{%
|
||||
(pk,sk) \gets \mathcal E.\mathsf{keygen}(1^\lambda)\\
|
||||
(pk,sk) \gets \mathcal{E}.\mathsf{keygen}(1^\lambda)\\
|
||||
(m_0, m_1) \gets \adv(pk, 1^\lambda)\\
|
||||
\mathsf{ct} \gets \mathcal E.\mathsf{enc}(m_b)\\
|
||||
\mathsf{ct} \gets \mathcal{E}.\mathsf{enc}(m_b)\\
|
||||
b' \gets \adv(pk, 1^\lambda, \mathsf{ct})\\
|
||||
\pcreturn b'
|
||||
}}
|
||||
|
|
@ -237,7 +237,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
|
|||
\end{figure}
|
||||
|
||||
\index{Reduction!Advantage} \index{Encryption!IND-CPA}
|
||||
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions.
|
||||
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal{A}$ against this game is to distinguish between two messages from different distributions.
|
||||
To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as
|
||||
\[
|
||||
\advantage{\indcpa}{\adv}(\lambda)
|
||||
|
|
@ -245,7 +245,7 @@ To model this, for any adversary $\adv$, we define a notion of \emph{advantage}
|
|||
\left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|.
|
||||
\]
|
||||
|
||||
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$.
|
||||
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal{A}$ in the $\indcpa$ game is negligible with respect to $\lambda$.
|
||||
|
||||
This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$.
|
||||
Which means that the adversary cannot get a single bit of information about the ciphertext.
|
||||
|
|
@ -288,7 +288,7 @@ there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --\,in the \emph{Ideal
|
|||
In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality.
|
||||
|
||||
In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$.
|
||||
Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$.
|
||||
Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal{A}$ does not learn anything from $pk$.
|
||||
|
||||
For $\PKE$, the simulation-based definition for chosen plaintext security is the same as the indistinguishability security~\cite[Se. 5.2.3]{Gol04}.
|
||||
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user