Continue writing
This commit is contained in:
parent
3054c4681c
commit
9ad53d419b
@ -134,7 +134,7 @@ To illustrate this, let us consider the two following assumptions:
|
||||
\end{definition}
|
||||
|
||||
The discrete logarithm assumption is implied by the decisional Diffie-Hellman assumption for instance.
|
||||
Indeed, if one is able to solve the discrete logarithm problem, then it suffices to compute the discrete logarithm of $g_1$, let say $\alpha$, and then check whether $g_2^\alpha = g_3^{}$.
|
||||
Indeed, if one is able to solve the discrete logarithm problem, then it suffices to compute the discrete logarithm of $g_1$, let us say $\alpha$, and then check whether $g_2^\alpha = g_3^{}$ or not.
|
||||
This is why it is preferable to work with the discrete logarithm assumption if it is possible.
|
||||
For instance, there is no security proofs for the El Gamal encryption scheme from DLP.
|
||||
|
||||
@ -173,7 +173,7 @@ We can notice that this security model is unrealistic~\cite{CGH04}. Let us const
|
||||
Let $\Sigma$ be a secure signature scheme, and let $\Sigma_y^{}$ be the scheme that returns $\Sigma(m)$ as a signature if and only if $h(0) \neq y$ and $0$ as a signature otherwise.
|
||||
In the \ROM $h$ behaves as a random function.
|
||||
Hence, the probability that $h(0) = y$ is negligible with respect to the security parameter for any fixed $y$.
|
||||
On the other hand, it appears that when $h$ is instantiated with a real world hash function, then $\Sigma_{h(0)}$ is completely insecure as a signature scheme. \hfill $\square$
|
||||
On the other hand, it appears that when $h$ is instantiated with a real world hash function, then $\Sigma_{h(0)}$ is the null function, and therefore completely insecure as a signature scheme. \hfill $\square$
|
||||
|
||||
In this context, one may wonder why is the \ROM still used in cryptographic proofs~\cite{LMPY16,LLM+16}.
|
||||
One reason is that some constructions are not known to exist yet from the standard model.
|
||||
@ -190,7 +190,7 @@ Doing this transform reduces the signature size from $32$ elements in $\GG$, $14
|
||||
We now have defined the security structure on which we are working on and the basic tools that allows security proofs.
|
||||
The following section explains how to define the security of a cryptographic primitive.
|
||||
|
||||
\section{Security Games and Half-Simulatability}
|
||||
\section{Security Games and Simulation-Based Security} \label{se:games-sim}
|
||||
|
||||
Up to now, we defined the structure on which security proofs works. Let us now define what we are proving.
|
||||
An example of what we are proving has been shown in Section~\ref{se:models} with cryptographic hash functions.
|
||||
@ -238,7 +238,7 @@ We say that a $\PKE$ scheme is $\indcpa$ if for any $\ppt$ $\adv$, the advantage
|
||||
This definition of advantages models the fact that the adversary is unable to distinguish whether the ciphertext $\mathsf{ct}$ comes from the experiment $\Exp{\indcpa}{\adv, 0}$ or the experiment $\Exp{\indcpa}{\adv, 1}$.
|
||||
Which means that the adversary cannot get a single bit of information about the ciphertext.
|
||||
|
||||
This kind of definition are also useful to mode anonymity. For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion.
|
||||
This kind of definition are also useful to model anonymity. For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion.
|
||||
|
||||
On the other hand, the security definition for signature scheme is no more an indistinguishable game, but an unforgeability game.
|
||||
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
|
||||
@ -254,4 +254,29 @@ For EU-CMA, the advantage of an adversary $\adv$ is defined as
|
||||
|
||||
And a signature scheme is considered unforgeable under chosen message attacks if for any $\ppt$ adversary $\adv$, the advantage of $\adv$ is negligible with respect to $\lambda$.
|
||||
|
||||
Meaning that no one can create a new valid signature for any messages within reasonable time and reasonable luck.
|
||||
This means that within reasonable expected time, no one can create a new valid signature without the signing key ($sk$). This kind of definitions are mostly used in the case of authentication primitives.
|
||||
To follow the example of group signatures in Part~\ref{pa:gs-ac}, the \emph{security against misidentification attacks} (or \emph{traceability}) experiment follow the same structure.
|
||||
This security notion illustrates that no malicious collusions of users and the authority that delivers the secret keys can provide valid signatures that opens on an honest user, or does not open to a valid registered user.
|
||||
|
||||
\begin{figure}
|
||||
\centering
|
||||
\input fig-uc
|
||||
\caption{Simulation-based cryptography.} \label{fig:sim-crypto}
|
||||
\end{figure}
|
||||
|
||||
The security definition of $\indcpa$ is defined as an indistinguishability game.
|
||||
The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}.
|
||||
In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments.
|
||||
In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments.
|
||||
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --- in the \emph{Real world} --- that interacts with a challenger $\cdv$
|
||||
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --- in the \emph{Ideal world} --- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ in the \emph{Ideal word} is replaced by a trusted third party.
|
||||
|
||||
In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality.
|
||||
|
||||
In the context of $\PKE$, the functionality is the access to the public key $pk$ as described in Line 2 of $\Exp{\indcpa}{\adv, b}(\lambda)$.
|
||||
Therefore, the existence of a simulator $\widehat{\adv}$ that does not use $pk$ shows that $\mathcal A$ does not learn anything from $pk$.
|
||||
|
||||
For $\PKE$, it appears that this definition is equivalent to the indistinguishability definition~\cite[Se. 5.2.3]{Gol04}.
|
||||
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
|
||||
For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}.
|
||||
Therefore, it is preferable to have security proofs of stronger definitions if possible.
|
||||
|
Loading…
Reference in New Issue
Block a user