fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Uniformize math

Browse Source
This commit is contained in:
Fabrice Mouhartem 2018-04-14 11:06:00 +02:00
parent 9d478c72fc
commit 779f186db1
3 changed files with 17 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
chap-GS-background.tex
View File

@ -224,15 +224,16 @@ following oracles:
the prospective user in the join protocol. If this protocol successfully the prospective user in the join protocol. If this protocol successfully
ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user
$n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets $n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets
$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n, \transcript_n \rangle$. $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$.
% %
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager, \item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
to introduce new honest group members of its choice. The interface to introduce new honest group members of its choice. The interface
triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in triggers an execution of $\langle \join_{\user},\join_{\GM} \rangle$ and runs $\join_{\user}$ in
interaction with the adversary who runs $\join_{\GM}$. If the protocol interaction with the adversary who runs $\join_{\GM}$. If the protocol
successfully completes, the interface increments $n$, adds user $n$ to successfully completes, the interface increments $n$, adds user $n$ to
$\mathsf{st}_{users}$ and $U^b$ and sets $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n, $\mathsf{st}_{users}$ and $U^b$ and sets
\transcript_n \rangle$. It stores the membership certificate $\crt_{n }$ $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( n, \transcript_n )$.
It stores the membership certificate $\crt_{n }$
and the membership secret $\scr_{n }$ in a \textit{private} part of and the membership secret $\scr_{n }$ in a \textit{private} part of
$\mathsf{state}_{\interface}$. $\mathsf{state}_{\interface}$.
% %

14
chap-ZK.tex
View File

@ -16,13 +16,13 @@ In this section, we first present the general principles and basic tools to hand
\begin{definition}[Zero-knowledge proofs and arguments] \begin{definition}[Zero-knowledge proofs and arguments]
\label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument} \label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument}
Let $R = \{ (x, w) \in \mathcal L \times \mathcal R \}$ be a binary relation. Let $R = \{ (x, w) \in \mathcal{L} \times \mathcal{R} \}$ be a binary relation.
A \textit{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$ where $V$ outputs a bit $b$ at the end of the interaction. A \textit{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$ where $V$ outputs a bit $b$ at the end of the interaction.
This is written as $\langle P(x,w) , V(x) \rangle = b$. This is written as $\langle P(x,w) , V(x) \rangle = b$.
The aforementioned protocol should also verify the following properties. The aforementioned protocol should also verify the following properties.
\begin{description} \begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$. \item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$.
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, \item[Soundness.] For all $x \in \mathcal{L}$, for any $\bar w \in \mathcal{R}$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$ $\Pr[\langle P^\star(x), V^\star(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
where $s$ is called the \textit{soundness error}. where $s$ is called the \textit{soundness error}.
\item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof. \item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
@ -167,10 +167,10 @@ Another useful primitives are the non-interactive version of zero-knowledge proo
\begin{definition}[Non Interactive Zero Knowledge] \begin{definition}[Non Interactive Zero Knowledge]
\index{Zero Knowledge!NIZK} \index{Zero Knowledge!NIZK}
\label{de:nizk-proofs} \label{de:nizk-proofs}
A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties. A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal{L} \times \mathcal{R}\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal{L}$ and $w \in \mathcal{R}$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties.
\begin{description} \begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$. \item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$.
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$, \item[Soundness.] For all $x \in \mathcal{L}$, for any $\bar w \in \mathcal{R}$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$ $\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$
\item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable. \item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable.
\end{description} \end{description}
@ -180,12 +180,12 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}] \begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
\index{Zero Knowledge!Fiat-Shamir Transform} \index{Zero Knowledge!Fiat-Shamir Transform}
Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function. Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal{H}$ be a cryptographic hash function.
Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$: Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
\begin{enumerate} \begin{enumerate}
\item First run $P_1(x,w)$ to get a random commitment $\cmt$ and a state information $\mathsf{st}_P$; \item First run $P_1(x,w)$ to get a random commitment $\cmt$ and a state information $\mathsf{st}_P$;
\item Generate the challenge as $\chall \gets \mathcal H(x,\cmt)$; \item Generate the challenge as $\chall \gets \mathcal{H}(x,\cmt)$;
\item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$; \item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$;
\item Return the proof $\pi = (\cmt, \rsp)$. \item Return the proof $\pi = (\cmt, \rsp)$.
\end{enumerate} \end{enumerate}
@ -193,7 +193,7 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
And let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$: And let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$:
\begin{enumerate} \begin{enumerate}
\item Parse $\pi$ as $(\cmt, \rsp)$; \item Parse $\pi$ as $(\cmt, \rsp)$;
\item Generate the challenge $\chall = \mathcal H(x, \cmt)$; \item Generate the challenge $\chall = \mathcal{H}(x, \cmt)$;
\item Return $V_2(x, \chall, \rsp, \emptyset)$. \item Return $V_2(x, \chall, \rsp, \emptyset)$.
\end{enumerate} \end{enumerate}

10
chap-proofs.tex
View File

@ -215,9 +215,9 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\centering \centering
\subfloat[\indcpa{} game for \PKE]{ \subfloat[\indcpa{} game for \PKE]{
\fbox{\procedure{$\Exp{\indcpa}{\adv, b}(\lambda)$}{% \fbox{\procedure{$\Exp{\indcpa}{\adv, b}(\lambda)$}{%
(pk,sk) \gets \mathcal E.\mathsf{keygen}(1^\lambda)\\ (pk,sk) \gets \mathcal{E}.\mathsf{keygen}(1^\lambda)\\
(m_0, m_1) \gets \adv(pk, 1^\lambda)\\ (m_0, m_1) \gets \adv(pk, 1^\lambda)\\
\mathsf{ct} \gets \mathcal E.\mathsf{enc}(m_b)\\ \mathsf{ct} \gets \mathcal{E}.\mathsf{enc}(m_b)\\
b' \gets \adv(pk, 1^\lambda, \mathsf{ct})\\ b' \gets \adv(pk, 1^\lambda, \mathsf{ct})\\
\pcreturn b' \pcreturn b'
}} }}
@ -237,7 +237,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\end{figure} \end{figure}
\index{Reduction!Advantage} \index{Encryption!IND-CPA} \index{Reduction!Advantage} \index{Encryption!IND-CPA}
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions. The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal{A}$ against this game is to distinguish between two messages from different distributions.
To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as
\[ \[
\advantage{\indcpa}{\adv}(\lambda) \advantage{\indcpa}{\adv}(\lambda)
@ -245,7 +245,7 @@ To model this, for any adversary $\adv$, we define a notion of \emph{advantage}
\left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|. \left| \Pr\left[ \Exp{\indcpa}{\adv,1}(\lambda) = 1 \right] - \Pr\left[ \Exp{\indcpa}{\adv, 0}(\lambda) = 1\right] \right|.
\] \]
We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal A$ in the $\indcpa$ game is negligible with respect to $\lambda$. We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage of $\mathcal{A}$ in the $\indcpa$ game is negligible with respect to $\lambda$.
This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$. This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$.
Which means that the adversary cannot get a single bit of information about the ciphertext. Which means that the adversary cannot get a single bit of information about the ciphertext.
@ -288,7 +288,7 @@ there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --\,in the \emph{Ideal
In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality. In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality.
In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$. In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$.
Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$. Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal{A}$ does not learn anything from $pk$.
For $\PKE$, the simulation-based definition for chosen plaintext security is the same as the indistinguishability security~\cite[Se. 5.2.3]{Gol04}. For $\PKE$, the simulation-based definition for chosen plaintext security is the same as the indistinguishability security~\cite[Se. 5.2.3]{Gol04}.
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$. As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.