Definition of QANIZK + statistical equivalence

This commit is contained in:
Fabrice Mouhartem 2018-06-16 19:06:09 +02:00
parent 00ad910d51
commit 961cadd35d
3 changed files with 45 additions and 11 deletions


@ -214,28 +214,59 @@ Quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} are \NIZK where the common reference
\index{Zero Knowledge!\QANIZK}
\label{de:qa-nizk}
A \textit{Quasi-Adaptive Non-Interactive Zero-Knowledge Argument} argument (or \textbf{\QANIZK}) over a collection of relations $\mathcal{R}=\{ R_\rho \}$ parametrized by a string $\rho$ consists in four $\ppt$ algorithms $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$.
There should also be a simulator $S$ for the entire class of languages.
The algorithms $\mathsf{Gen}_0$ and $\mathsf{Gen}_1$ both generate the $\crs$. $\mathsf{Gen}_0$ inputs $1^\lambda$ and outputs~$\Gamma$ the fixed part of the $\crs$ from which $\rho$ is sampled according to a distribution $\dst_\Gamma$, while $\mathsf{Gen}_1$ inputs $1^\lambda$ and $\Gamma$ to output a language-dependent part~$\psi$.
The algorithms $\mathsf{Gen}_0$ and $\mathsf{Gen}_1$ both generate the $\crs$. $\mathsf{Gen}_0$ inputs $1^\lambda$ and outputs~$\Gamma$ the fixed part of the $\crs$ from which $\rho$ is sampled according to a distribution $\dst_\Gamma$, while $\mathsf{Gen}_1$ inputs $\Gamma$ and $\rho$ to output a language-dependent part~$\psi$ (or directly the $\crs = (\Gamma, \psi, \rho)$).
The prover $P$ and the verifier $V$ act as in~\cref{de:nizk-proofs} with the difference that, they also take as input the common reference string $\crs$.
Formally, a tuple $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$ of $\ppt$ algorithms is a \QANIZK proof system for $\mathcal{R}$ if, there exists a $\ppt$ simulator $S$ such thatthe following properties hold:
We consider proof systems where the prover and the verifier both take a label $\tau$ as additional input.
Formally, a tuple $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$ of $\ppt$ algorithms is a \QANIZK proof system for $\mathcal{R}$ if, there exists a $\ppt$ simulator $(S_1, S_2)$ such that for any $\ppt$ adversaries $\adv_1, \adv_2$ and $\adv_3$, the following properties hold:
\begin{description}
\item[Quasi-Adaptive Completeness.] For all $\Gamma$ generated by $\mathsf{Gen}_0$, all $\rho$ output by $\dst_\Gamma$, all $(x,w) \in R_\rho$, we have
\[ \Pr\left[ V(\crs, x, \pi) = 1 \mid \crs \gets \mathsf{Gen}_1(\Gamma, \rho); \pi \gets P(\crs, x, w) \right] = 1. \]
\item[Quasi-Adaptive Soundness.] For all $\ppt$ adversary $\adv$,
\item[Quasi-Adaptive Completeness.]
\[ \Pr\left[
\begin{array}{c}
V(\crs, x, \pi, \tau) = 1 \\
\mbox{if } R_\rho(x, w) = 1
\end{array} \left|
\begin{array}{c}
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma;\\
\crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x,w,\tau) \gets \adv_1(\crs, \rho) \\
\pi \gets P(\crs, x, w);
\end{array}
\right.
\right] = 1. \]
\item[Quasi-Adaptive Soundness.]
\[ \Pr\left[\begin{array}{c}
(\forall w: (x^\star, w) \notin R_\rho) \\
\land V(\crs, x^\star, \pi^\star) = 1
(\forall w: (x, w) \notin R_\rho) \\
\land V(\crs, x, \pi, \tau) = 1
\end{array}
\left|
\begin{array}{c}
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \\
\crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x^\star, \pi^\star) \gets \adv(\crs)
\crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x, \pi, \tau) \gets \adv_2(\crs)
\end{array}
\right. \right] \leq \negl[\lambda] . \]
\item[Quasi-Adaptive Zero-Knowledge.] For all $\Gamma$ from $\mathsf{Gen}_0(1^\lambda)$, all $\rho$ sampled from $\dst_\Gamma$, all $\crs$ from $\mathsf{Gen}$, all $(x,w) \in R_\rho$, the probability ensembles $\{(x, P(\crs, x, w))\}$ and $\{S(\crs, x)\}$ are indistinguishable.
\item[Quasi-Adaptive Zero-Knowledge.]
\begin{multline*}
\Pr[\adv_3^{P(\psi, \cdot)}(\Gamma, \psi, \rho) = 1
\mid \Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \crs \gets \mathsf{Gen}_1(\Gamma, \rho)
] \\
\approx_s \Pr\left[
\adv_3^{S(\psi, \tau_{sim}, \cdot)}(\Gamma, \psi, \rho) = 1
\left|
\begin{array}{c}
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \\
(\psi, \tau_{sim}) \gets S_1(\Gamma, \rho)
\end{array}
\right.
\right]
\end{multline*}
Where
\begin{itemize}
\item $P(\psi, \cdot)$ emulates the actual prover. It inputs $(x, w, \tau)$ and outputs a proof $\pi$ if $(x, w) \in R_\rho$. Otherwise, it outputs $\bot$.
\item $S(\psi, \tau_{sim}, \cdot)$ is an oracle that takes as input $(x,w,\tau)$ and outputs a simulated proof $S_2(\psi, \tau_{sim}, x, \tau)$ if $(x,w) \in R_\rho$ and $\bot$ otherwise.
\end{itemize}
\end{description}
\end{definition}
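Review bot: In the rewritten completeness condition the prover is invoked as `\pi \gets P(\crs, x, w);` while the verifier is called as `V(\crs, x, \pi, \tau)` and the sentence just above the definition states that both prover and verifier take the label $\tau$ as additional input; pass $\tau$ to $P$ as well (`\pi \gets P(\crs, x, w, \tau)`) and drop the stray `;` before `\end{array}`. The same hunk introduces the two-part simulator $(S_1, S_2)$ and the oracle description at the end, but the unchanged sentence `There should also be a simulator $S$ for the entire class of languages.` still names a single $S$; update it to $(S_1, S_2)$ so the definition is consistent. In the untouched first sentence, `Zero-Knowledge Argument} argument` repeats the word `argument`, and `consists in four` should read `consists of four`.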


@ -294,6 +294,8 @@ Two distributions are \textit{statistically close} if their statistical distance
It is worth noticing that if two distributions are statistically close, then the advantage of an adversary in distinguishing between them is negligible.
%Another property used in the so-called \textit{hybrid argument}\index{Hybrid argument} is the \textit{triangular equality} that follows from the fact that the statistical distance is a distance.
\scbf{Notation.} $P \approx_s Q$ means that $P$ is \textit{statistically close} to $Q$.
Another interesting metric, that will be used in the security proof of %TODO
is the Rényi Divergence:
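Review bot: The added `\scbf{Notation.} $P \approx_s Q$ ...` line sits right after a commented-out sentence (`%Another property used in the so-called ...`), so in the rendered text the paragraph jumps from the remark about distinguishing advantage straight into the notation; placing the notation line directly after the sentence defining statistical closeness that opens this hunk, before the advantage remark, would read more naturally. The `%TODO` on the next line leaves `in the security proof of` without an object in the rendered output; resolve that cross-reference (a `\cref`) before this section is relied on, since the new `\approx_s` symbol is already used in the zero-knowledge condition of the QANIZK definition modified in the same commit.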
@ -313,7 +315,7 @@ is the Rényi Divergence:
Bai, Langlois, Lepoint, Stehlé and Steinfeld~\cite{BLL+15} observed that the Rényi Divergence has a property similar to the \textit{triangular inequality} with respect to multiplication, and can be useful in the context of unforgeability game as we will explain it in the following paragraph. Prest further presented multiple uses of the Rényi Divergence in~\cite{Pre17}.
We notice that security definitions for signature scheme are not indistinguishability-based experiments, but search experiments (i.e., the adversary has to output a string rather than distinguishing between two experiments by outputting a single bit).
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns via signature queries.
Those signature queries are handled by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the oracle's behavior may be omitted in the rest of this thesis for the sake of readability.
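Review bot: Replacing `\emph{via}` with plain `via` is a style choice; check that the other occurrences of the word in the thesis follow the same convention so the two forms do not coexist. Two grammar points in the surrounding unchanged lines: `security definitions for signature scheme` should be `signature schemes`, and `returns the signature ... and add $\sigma$ to $\ensemble{sign}$` should be `adds`. The sentence `in the context of unforgeability game as we will explain it in the following paragraph` reads better as `in the context of unforgeability games, as explained in the following paragraph`.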


@ -15,6 +15,7 @@
$\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\
$\Supp(D)$ & If $D$ is a probability distribution, $\Supp(D)$ denotes the support of $D$ \\
$\Pr[E]$ & Probability that an event $E$ occurs \\
$D \approx_s D'$ & $D$ is statistically close to $D'$ \\
[1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\
$\QQ$ & the set of rational numbers \\
$\RR$ & the set of real numbers \\
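Review bot: The new table row writes the relation as `$D \approx_s D'$ & $D$ is statistically close to $D'$`, while the notation paragraph added to the preliminaries in this same commit introduces it as `$P \approx_s Q$`; use one pair of symbols in both places (the neighbouring rows of this table already use $D$ for a distribution, so the `$P \approx_s Q$` wording in the text is the odd one out). The row is otherwise consistent with the surrounding entries, and the `\\` followed by `[1ex]` at the start of the next line still parses as `\\[1ex]`, so the extra spacing before the `Usual sets` heading is preserved.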