Definition of QANIZK + statistical equivalence
This commit is contained in:
parent
00ad910d51
commit
961cadd35d
51
chap-ZK.tex
@ -214,28 +214,59 @@ Quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} are \NIZK where the common reference
|
|||||||
\index{Zero Knowledge!\QANIZK}
|
\index{Zero Knowledge!\QANIZK}
|
||||||
\label{de:qa-nizk}
|
\label{de:qa-nizk}
|
||||||
A \textit{Quasi-Adaptive Non-Interactive Zero-Knowledge Argument} argument (or \textbf{\QANIZK}) over a collection of relations $\mathcal{R}=\{ R_\rho \}$ parametrized by a string $\rho$ consists in four $\ppt$ algorithms $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$.
|
A \textit{Quasi-Adaptive Non-Interactive Zero-Knowledge Argument} argument (or \textbf{\QANIZK}) over a collection of relations $\mathcal{R}=\{ R_\rho \}$ parametrized by a string $\rho$ consists in four $\ppt$ algorithms $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$.
|
||||||
There should also be a simulator $S$ for the entire class of languages.
|
|
||||||
|
|
||||||
The algorithms $\mathsf{Gen}_0$ and $\mathsf{Gen}_1$ both generate the $\crs$. $\mathsf{Gen}_0$ inputs $1^\lambda$ and outputs~$\Gamma$ the fixed part of the $\crs$ from which $\rho$ is sampled according to a distribution $\dst_\Gamma$, while $\mathsf{Gen}_1$ inputs $1^\lambda$ and $\Gamma$ to output a language-dependent part~$\psi$.
|
The algorithms $\mathsf{Gen}_0$ and $\mathsf{Gen}_1$ both generate the $\crs$. $\mathsf{Gen}_0$ inputs $1^\lambda$ and outputs~$\Gamma$ the fixed part of the $\crs$ from which $\rho$ is sampled according to a distribution $\dst_\Gamma$, while $\mathsf{Gen}_1$ inputs $\Gamma$ and $\rho$ to output a language-dependent part~$\psi$ (or directly the $\crs = (\Gamma, \psi, \rho)$).
|
||||||
The prover $P$ and the verifier $V$ act as in~\cref{de:nizk-proofs} with the difference that, they also take as input the common reference string $\crs$.
|
The prover $P$ and the verifier $V$ act as in~\cref{de:nizk-proofs} with the difference that, they also take as input the common reference string $\crs$.
|
||||||
|
|
||||||
Formally, a tuple $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$ of $\ppt$ algorithms is a \QANIZK proof system for $\mathcal{R}$ if, there exists a $\ppt$ simulator $S$ such thatthe following properties hold:
|
We consider proof systems where the prover and the verifier both take a label $\tau$ as additional input.
|
||||||
|
Formally, a tuple $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$ of $\ppt$ algorithms is a \QANIZK proof system for $\mathcal{R}$ if, there exists a $\ppt$ simulator $(S_1, S_2)$ such that for any $\ppt$ adversaries $\adv_1, \adv_2$ and $\adv_3$, the following properties hold:
|
||||||
|
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[Quasi-Adaptive Completeness.] For all $\Gamma$ generated by $\mathsf{Gen}_0$, all $\rho$ output by $\dst_\Gamma$, all $(x,w) \in R_\rho$, we have
|
\item[Quasi-Adaptive Completeness.]
|
||||||
\[ \Pr\left[ V(\crs, x, \pi) = 1 \mid \crs \gets \mathsf{Gen}_1(\Gamma, \rho); \pi \gets P(\crs, x, w) \right] = 1. \]
|
\[ \Pr\left[
|
||||||
\item[Quasi-Adaptive Soundness.] For all $\ppt$ adversary $\adv$,
|
\begin{array}{c}
|
||||||
|
V(\crs, x, \pi, \tau) = 1 \\
|
||||||
|
\mbox{if } R_\rho(x, w) = 1
|
||||||
|
\end{array} \left|
|
||||||
|
\begin{array}{c}
|
||||||
|
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma;\\
|
||||||
|
\crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x,w,\tau) \gets \adv_1(\crs, \rho) \\
|
||||||
|
\pi \gets P(\crs, x, w);
|
||||||
|
\end{array}
|
||||||
|
\right.
|
||||||
|
\right] = 1. \]
|
||||||
|
\item[Quasi-Adaptive Soundness.]
|
||||||
\[ \Pr\left[\begin{array}{c}
|
\[ \Pr\left[\begin{array}{c}
|
||||||
(\forall w: (x^\star, w) \notin R_\rho) \\
|
(\forall w: (x, w) \notin R_\rho) \\
|
||||||
\land V(\crs, x^\star, \pi^\star) = 1
|
\land V(\crs, x, \pi, \tau) = 1
|
||||||
\end{array}
|
\end{array}
|
||||||
\left|
|
\left|
|
||||||
\begin{array}{c}
|
\begin{array}{c}
|
||||||
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \\
|
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \\
|
||||||
\crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x^\star, \pi^\star) \gets \adv(\crs)
|
\crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x, \pi, \tau) \gets \adv_2(\crs)
|
||||||
\end{array}
|
\end{array}
|
||||||
\right. \right] \leq \negl[\lambda] . \]
|
\right. \right] \leq \negl[\lambda] . \]
|
||||||
\item[Quasi-Adaptive Zero-Knowledge.] For all $\Gamma$ from $\mathsf{Gen}_0(1^\lambda)$, all $\rho$ sampled from $\dst_\Gamma$, all $\crs$ from $\mathsf{Gen}$, all $(x,w) \in R_\rho$, the probability ensembles $\{(x, P(\crs, x, w))\}$ and $\{S(\crs, x)\}$ are indistinguishable.
|
\item[Quasi-Adaptive Zero-Knowledge.]
|
||||||
|
\begin{multline*}
|
||||||
|
\Pr[\adv_3^{P(\psi, \cdot)}(\Gamma, \psi, \rho) = 1
|
||||||
|
\mid \Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \crs \gets \mathsf{Gen}_1(\Gamma, \rho)
|
||||||
|
] \\
|
||||||
|
\approx_s \Pr\left[
|
||||||
|
\adv_3^{S(\psi, \tau_{sim}, \cdot)}(\Gamma, \psi, \rho) = 1
|
||||||
|
\left|
|
||||||
|
\begin{array}{c}
|
||||||
|
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \\
|
||||||
|
(\psi, \tau_{sim}) \gets S_1(\Gamma, \rho)
|
||||||
|
\end{array}
|
||||||
|
\right.
|
||||||
|
\right]
|
||||||
|
\end{multline*}
|
||||||
|
Where
|
||||||
|
\begin{itemize}
|
||||||
|
\item $P(\psi, \cdot)$ emulates the actual prover. It inputs $(x, w, \tau)$ and outputs a proof $\pi$ if $(x, w) \in R_\rho$. Otherwise, it outputs $\bot$.
|
||||||
|
\item $S(\psi, \tau_{sim}, \cdot)$ is an oracle that takes as input $(x,w,\tau)$ and outputs a simulated proof $S_2(\psi, \tau_{sim}, x, \tau)$ if $(x,w) \in R_\rho$ and $\bot$ otherwise.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
\end{description}
|
\end{description}
|
||||||
\end{definition}
|
\end{definition}
|
||||||
|
|
||||||
|
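Review bot: in the new completeness experiment the adversary $\adv_1$ chooses a label $\tau$ and the verifier is called as `V(\crs, x, \pi, \tau) = 1`, but the prover is called as `\pi \gets P(\crs, x, w);` without $\tau$, while the oracle description at the end of the hunk says $P$ inputs $(x, w, \tau)$; the prover call should be `\pi \gets P(\crs, x, w, \tau)` so that the proof is bound to the same label the verifier checks. The adversaries also do not get the same view: $\adv_1$ receives $(\crs, \rho)$ but $\adv_2$ receives only $\crs$; since the text now allows $\crs = (\Gamma, \psi, \rho)$, pick one convention and use it in both experiments. In the zero-knowledge statement the left side is written `\Pr[\ldots \mid \ldots]` and the right side `\Pr\left[ \ldots \left| \ldots \right. \right]`; use one bracket style, and since $\approx_s$ is placed between two probabilities (real numbers) rather than between the two distributions of $\adv_3$'s output, either state it on the output distributions or write the difference of probabilities as negligible. Minor typesetting: `\mbox{if }` should be `\text{if }`, `\tau_{sim}` should be `\tau_{\mathrm{sim}}` so the subscript is set in roman, and the `Where` after the display should be lowercase because it continues the sentence.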
@ -294,6 +294,8 @@ Two distributions are \textit{statistically close} if their statistical distance
|
|||||||
It is worth noticing that if two distributions are statistically close, then the advantage of an adversary in distinguishing between them is negligible.
|
It is worth noticing that if two distributions are statistically close, then the advantage of an adversary in distinguishing between them is negligible.
|
||||||
%Another property used in the so-called \textit{hybrid argument}\index{Hybrid argument} is the \textit{triangular equality} that follows from the fact that the statistical distance is a distance.
|
%Another property used in the so-called \textit{hybrid argument}\index{Hybrid argument} is the \textit{triangular equality} that follows from the fact that the statistical distance is a distance.
|
||||||
|
|
||||||
|
\scbf{Notation.} $P \approx_s Q$ means that $P$ is \textit{statistically close} to $Q$.
|
||||||
|
|
||||||
Another interesting metric, that will be used in the security proof of %TODO
|
Another interesting metric, that will be used in the security proof of %TODO
|
||||||
is the Rényi Divergence:
|
is the Rényi Divergence:
|
||||||
|
|
||||||
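Review bot: the added `\scbf{Notation.} $P \approx_s Q$` paragraph defines statistical closeness between distributions, which is the right place for it, but the QANIZK definition in the first hunk applies $\approx_s$ to two probabilities instead of two distributions, so the notation as stated does not cover that use; either extend the notation paragraph or rephrase the zero-knowledge statement. The unresolved `%TODO` in the context line `used in the security proof of %TODO` is still present and the missing cross-reference should be filled in before merging.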
@ -313,7 +315,7 @@ is the Rényi Divergence:
|
|||||||
Bai, Langlois, Lepoint, Stehlé and Steinfeld~\cite{BLL+15} observed that the Rényi Divergence has a property similar to the \textit{triangular inequality} with respect to multiplication, and can be useful in the context of unforgeability game as we will explain it in the following paragraph. Prest further presented multiple uses of the Rényi Divergence in~\cite{Pre17}.
|
Bai, Langlois, Lepoint, Stehlé and Steinfeld~\cite{BLL+15} observed that the Rényi Divergence has a property similar to the \textit{triangular inequality} with respect to multiplication, and can be useful in the context of unforgeability game as we will explain it in the following paragraph. Prest further presented multiple uses of the Rényi Divergence in~\cite{Pre17}.
|
||||||
|
|
||||||
We notice that security definitions for signature scheme are not indistinguishability-based experiments, but search experiments (i.e., the adversary has to output a string rather than distinguishing between two experiments by outputting a single bit).
|
We notice that security definitions for signature scheme are not indistinguishability-based experiments, but search experiments (i.e., the adversary has to output a string rather than distinguishing between two experiments by outputting a single bit).
|
||||||
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
|
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns via signature queries.
|
||||||
|
|
||||||
Those signature queries are handled by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the oracle's behavior may be omitted in the rest of this thesis for the sake of readability.
|
Those signature queries are handled by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the oracle's behavior may be omitted in the rest of this thesis for the sake of readability.
|
||||||
|
|
||||||
|
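Review bot: the only change in this hunk drops the `\emph{}` around "via"; check that this matches how the rest of the chapter typesets Latin loanwords (the same paragraph sets "i.e." upright), so the change is a consistent convention rather than a local one. Since the paragraph is being touched, the surrounding context has two grammar slips worth fixing in the same commit: "security definitions for signature scheme" should read "signature schemes", and "returns the signature … and add $\sigma$" should read "adds"; "these sets" also refers to the single set $\ensemble{sign}$.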
@ -15,6 +15,7 @@
|
|||||||
$\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\
|
$\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\
|
||||||
$\Supp(D)$ & If $D$ is a probability distribution, $\Supp(D)$ denotes the support of $D$ \\
|
$\Supp(D)$ & If $D$ is a probability distribution, $\Supp(D)$ denotes the support of $D$ \\
|
||||||
$\Pr[E]$ & Probability that an event $E$ occurs \\
|
$\Pr[E]$ & Probability that an event $E$ occurs \\
|
||||||
|
$D \approx_s D'$ & $D$ is statistically close to $D'$ \\
|
||||||
[1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\
|
[1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\
|
||||||
$\QQ$ & the set of rational numbers \\
|
$\QQ$ & the set of rational numbers \\
|
||||||
$\RR$ & the set of real numbers \\
|
$\RR$ & the set of real numbers \\
|
||||||
|
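Review bot: the added row `$D \approx_s D'$ & $D$ is statistically close to $D'$ \\` uses $D, D'$ while the `\scbf{Notation.}` paragraph added in chap-ZK.tex states the same relation with $P, Q$; use the same letters in both places, and $D, D'$ is the better choice because the table already uses $D$ for a distribution in the `\Supp(D)` row. Note also that this hunk is rendered without a file header, so the file it belongs to is not visible on the page and should be confirmed as the notation table rather than chap-ZK.tex.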