From 961cadd35d5eb34b9a27c145d4402b0271406efa Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Sat, 16 Jun 2018 19:06:09 +0200 Subject: [PATCH] Definition of QANIZK + statistical equivalence --- chap-ZK.tex | 51 +++++++++++++++++++++++++++++++++++++++---------- chap-proofs.tex | 4 +++- symbols.tex | 1 + 3 files changed, 45 insertions(+), 11 deletions(-) diff --git a/chap-ZK.tex b/chap-ZK.tex index 01891cf..800936a 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex 
@@ -214,28 +214,59 @@ Quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} are \NIZK where the common reference \index{Zero Knowledge!\QANIZK} \label{de:qa-nizk} A \textit{Quasi-Adaptive Non-Interactive Zero-Knowledge Argument} argument (or \textbf{\QANIZK}) over a collection of relations $\mathcal{R}=\{ R_\rho \}$ parametrized by a string $\rho$ consists in four $\ppt$ algorithms $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$. - There should also be a simulator $S$ for the entire class of languages. - The algorithms $\mathsf{Gen}_0$ and $\mathsf{Gen}_1$ both generate the $\crs$. $\mathsf{Gen}_0$ inputs $1^\lambda$ and outputs~$\Gamma$ the fixed part of the $\crs$ from which $\rho$ is sampled according to a distribution $\dst_\Gamma$, while $\mathsf{Gen}_1$ inputs $1^\lambda$ and $\Gamma$ to output a language-dependent part~$\psi$. + The algorithms $\mathsf{Gen}_0$ and $\mathsf{Gen}_1$ both generate the $\crs$. $\mathsf{Gen}_0$ inputs $1^\lambda$ and outputs~$\Gamma$ the fixed part of the $\crs$ from which $\rho$ is sampled according to a distribution $\dst_\Gamma$, while $\mathsf{Gen}_1$ inputs $\Gamma$ and $\rho$ to output a language-dependent part~$\psi$ (or directly the $\crs = (\Gamma, \psi, \rho)$). The prover $P$ and the verifier $V$ act as in~\cref{de:nizk-proofs} with the difference that, they also take as input the common reference string $\crs$. - Formally, a tuple $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$ of $\ppt$ algorithms is a \QANIZK proof system for $\mathcal{R}$ if, there exists a $\ppt$ simulator $S$ such thatthe following properties hold: + We consider proof systems where the prover and the verifier both take a label $\tau$ as additional input. 
+ Formally, a tuple $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$ of $\ppt$ algorithms is a \QANIZK proof system for $\mathcal{R}$ if, there exists a $\ppt$ simulator $(S_1, S_2)$ such that for any $\ppt$ adversaries $\adv_1, \adv_2$ and $\adv_3$, the following properties hold: \begin{description} - \item[Quasi-Adaptive Completeness.] For all $\Gamma$ generated by $\mathsf{Gen}_0$, all $\rho$ output by $\dst_\Gamma$, all $(x,w) \in R_\rho$, we have - \[ \Pr\left[ V(\crs, x, \pi) = 1 \mid \crs \gets \mathsf{Gen}_1(\Gamma, \rho); \pi \gets P(\crs, x, w) \right] = 1. \] - \item[Quasi-Adaptive Soundness.] For all $\ppt$ adversary $\adv$, + \item[Quasi-Adaptive Completeness.] + \[ \Pr\left[ + \begin{array}{c} + V(\crs, x, \pi, \tau) = 1 \\ + \mbox{if } R_\rho(x, w) = 1 + \end{array} \left| + \begin{array}{c} + \Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma;\\ + \crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x,w,\tau) \gets \adv_1(\crs, \rho) \\ + \pi \gets P(\crs, x, w); + \end{array} + \right. + \right] = 1. \] + \item[Quasi-Adaptive Soundness.] \[ \Pr\left[\begin{array}{c} - (\forall w: (x^\star, w) \notin R_\rho) \\ - \land V(\crs, x^\star, \pi^\star) = 1 + (\forall w: (x, w) \notin R_\rho) \\ + \land V(\crs, x, \pi, \tau) = 1 \end{array} \left| \begin{array}{c} \Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \\ - \crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x^\star, \pi^\star) \gets \adv(\crs) + \crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x, \pi, \tau) \gets \adv_2(\crs) \end{array} \right. \right] \leq \negl[\lambda] . \] -\item[Quasi-Adaptive Zero-Knowledge.] For all $\Gamma$ from $\mathsf{Gen}_0(1^\lambda)$, all $\rho$ sampled from $\dst_\Gamma$, all $\crs$ from $\mathsf{Gen}$, all $(x,w) \in R_\rho$, the probability ensembles $\{(x, P(\crs, x, w))\}$ and $\{S(\crs, x)\}$ are indistinguishable. +\item[Quasi-Adaptive Zero-Knowledge.] 
+ \begin{multline*} + \Pr[\adv_3^{P(\psi, \cdot)}(\Gamma, \psi, \rho) = 1 + \mid \Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \crs \gets \mathsf{Gen}_1(\Gamma, \rho) + ] \\ + \approx_s \Pr\left[ + \adv_3^{S(\psi, \tau_{sim}, \cdot)}(\Gamma, \psi, \rho) = 1 + \left| + \begin{array}{c} + \Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \\ + (\psi, \tau_{sim}) \gets S_1(\Gamma, \rho) + \end{array} + \right. + \right] + \end{multline*} + Where + \begin{itemize} + \item $P(\psi, \cdot)$ emulates the actual prover. It inputs $(x, w, \tau)$ and outputs a proof $\pi$ if $(x, w) \in R_\rho$. Otherwise, it outputs $\bot$. + \item $S(\psi, \tau_{sim}, \cdot)$ is an oracle that takes as input $(x,w,\tau)$ and outputs a simulated proof $S_2(\psi, \tau_{sim}, x, \tau)$ if $(x,w) \in R_\rho$ and $\bot$ otherwise. + \end{itemize} + \end{description} \end{definition} diff --git a/chap-proofs.tex b/chap-proofs.tex index cfc2eb6..3663721 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex @@ -294,6 +294,8 @@ Two distributions are \textit{statistically close} if their statistical distance It is worth noticing that if two distributions are statistically close, then the advantage of an adversary in distinguishing between them is negligible. %Another property used in the so-called \textit{hybrid argument}\index{Hybrid argument} is the \textit{triangular equality} that follows from the fact that the statistical distance is a distance. +\scbf{Notation.} $P \approx_s Q$ means that $P$ is \textit{statistically close} to $Q$. + Another interesting metric, that will be used in the security proof of %TODO is the Rényi Divergence: 
@@ -313,7 +315,7 @@ is the Rényi Divergence: Bai, Langlois, Lepoint, Stehlé and Steinfeld~\cite{BLL+15} observed that the Rényi Divergence has a property similar to the \textit{triangular inequality} with respect to multiplication, and can be useful in the context of unforgeability game as we will explain it in the following paragraph. Prest further presented multiple uses of the Rényi Divergence in~\cite{Pre17}. We notice that security definitions for signature scheme are not indistinguishability-based experiments, but search experiments (i.e., the adversary has to output a string rather than distinguishing between two experiments by outputting a single bit). -The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries. +The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns via signature queries. Those signature queries are handled by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the oracle's behavior may be omitted in the rest of this thesis for the sake of readability. diff --git a/symbols.tex b/symbols.tex index d498b8e..660f63e 100644 --- a/symbols.tex +++ b/symbols.tex @@ -15,6 +15,7 @@ $\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\ $\Supp(D)$ & If $D$ is a probability distribution, $\Supp(D)$ denotes the support of $D$ \\ $\Pr[E]$ & Probability that an event $E$ occurs \\ + $D \approx_s D'$ & $D$ is statistically close to $D'$ \\ [1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\ $\QQ$ & the set of rational numbers \\ $\RR$ & the set of real numbers \\
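Review bot: in the chap-ZK.tex hunk (@@ -214,28 +214,59 @@) the prover and simulator interfaces are inconsistent: the label $\tau$ is declared as an extra input to $P$ and $V$, yet completeness still samples `\pi \gets P(\crs, x, w)` while verifying with `V(\crs, x, \pi, \tau) = 1`; the simulator is introduced as $(S_1, S_2)$ but the zero-knowledge oracle is written $S(\psi, \tau_{sim}, \cdot)$, and the real-prover oracle is $P(\psi, \cdot)$ rather than taking the $\crs$ used everywhere else. Suggest `\pi \gets P(\crs, x, w, \tau)` in completeness and naming the two oracles after what they call ($P(\crs, \cdot)$ and $S_2(\psi, \tau_{sim}, \cdot)$). The two probabilities in zero-knowledge are related by $\approx_s$ (statistical closeness) while $\adv_3$ is quantified as $\ppt$; if statistical zero-knowledge is intended the $\ppt$ restriction on $\adv_3$ is unnecessary, otherwise computational indistinguishability should be used, so state which one. Smaller points: "consists in four" should be "consists of four", "Where" after the display should be lowercase, the parenthetical "(or directly the $\crs = (\Gamma, \psi, \rho)$)" should agree with `\crs \gets \mathsf{Gen}_1(\Gamma, \rho)` as used in the experiments, and the context line "Zero-Knowledge Argument} argument" repeats the word.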
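Review bot: in the chap-proofs.tex hunk (@@ -294,6 +294,8 @@) the new notation line uses $P \approx_s Q$, which collides with $P$ denoting the prover in the \QANIZK definition that relies on this symbol and differs from the $D \approx_s D'$ form added to symbols.tex in the same commit; suggest `\scbf{Notation.} $D \approx_s D'$ means that $D$ is \textit{statistically close} to $D'$.` so both places agree.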
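Review bot: the chap-proofs.tex hunk (@@ -313,7 +315,7 @@) only drops `\emph{via}`, which is unrelated to the QANIZK definition and the $\approx_s$ notation named in the subject and would be easier to trace as its own commit; while touching this paragraph, the context line "and add $\sigma$ to $\ensemble{sign}$" should read "adds", and "security definitions for signature scheme" should be "signature schemes".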
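Review bot: in the symbols.tex hunk (@@ -15,6 +15,7 @@) the new row reads only "$D$ is statistically close to $D'$"; since the symbol table is meant to be self-contained, the entry should say what that means (statistical distance negligible in $\lambda$), matching the definition given just above the notation line in chap-proofs.tex. Note also that the trailing `\\ [1ex]` spacing now follows this row instead of the $\Pr[E]$ row, which looks intended but is worth a glance in the rendered table.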