Cleaning the code
@ -253,8 +253,40 @@ Which means that the adversary cannot get a single bit of information about the
This kind of definition are also useful to model anonymity.
For instance in \cref{sec:RGSdefsecAnon}, the definition of anonymity for group signatures is defined in a similar fashion (\cref{def:anon}).

On the other hand, the security definition for signature scheme is no more an indistinguishability game, but an unforgeability game.
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
To manipulate indistinguishability between distributions, it is useful to quantify the distance between two distributions.
In this context, we define the statistical distance as follows.

\begin{definition}[Statistical Distance] \index{Probability!Statistical Distance}
Let $P$ and $Q$ be two distributions. The \textit{statistical distance} $\Delta(P, Q)$ between $P$ and $Q$ is defined as
\[ \Delta(P, Q) \triangleq \frac{1}{2} \sum_{x \in \Supp(P) \cup \Supp(Q)} | P(x) - Q(x)|. \]
\end{definition}

Two distributions are \textit{statistically close} if their statistical distance is negligible with respect to the security parameter.

It is worth noticing that if two distributions are statistically close, then the advantage of an adversary in distinguishing between them is negligible.
Another property used in the so-called \textit{hybrid argument}\index{Hybrid argument} is the \textit{triangular equality} that follows from the fact that the statistical distance is a distance.

Another interesting metric, that will be used in the security proof of %TODO
is the Rényi Divergence:

\begin{restatable}[Rényi divergence]{definition}{defRenyi}
\label{def:renyi} \index{Probability!Rényi Divergence}
For any two discrete distributions $P$ and $Q$ such that $\Supp(P) \subseteq
\Supp(Q)$, and $a \in ]1, +\infty[$, we define the \emph{R\'enyi divergence} of order $a$ by:
\[ R_a(P||Q) = \left( \sum_{x \in \Supp(P)} \frac{P(x)^a}{Q(x)^{a-1}} \right)^{\frac{1}{a-1}}. \]

We define the R\'enyi divergences of orders $1$ and $+\infty$ by:

\[ R_1(P||Q) = \exp\left( \sum_{x \in \Supp(P)} P(x) \log \frac{P(x)}{Q(x)} \right) \mbox{ and } R_\infty (P||Q) = \max_{x \in \Supp(P)} \frac{P(x)}{Q(x)}. \]

The divergence $R_1$ is the (exponential) of the Kullback-Leibler divergence.
\end{restatable}

Bai, Langlois, Lepoint, Stehlé and Steinfeld~\cite{BLL+15} noticed that the Rényi Divergence has similar property with respect to multiplication, and can be useful in the context of unforgeability game as we will explain it in the following paragraph. Prest further presented multiple uses of the Rényi Divergence in~\cite{Pre17}.


We can notice that security definitions for signature scheme are no more indistinguishability-based games, but unforgeability games.
The goal of the adversary is no more to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.

Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.

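Review bot: the line "Another interesting metric, that will be used in the security proof of %TODO" is truncated by the `%TODO` comment, so the typeset sentence reads "used in the security proof of is the Rényi Divergence"; replace the comment with the intended `\cref{...}` (or drop the clause) before this lands. Two further points in the same hunk: the paragraph starting "We can notice that security definitions for signature scheme are no more indistinguishability-based games" and the line after it repeat almost verbatim the earlier pair "On the other hand, the security definition for signature scheme is no more an indistinguishability game" / "The goal of the adversary is not to distinguish between two distributions", so one of the two paragraphs should go; and the property of the statistical distance that the hybrid argument relies on is the triangle inequality, $\Delta(P, R) \le \Delta(P, Q) + \Delta(Q, R)$, not a "triangular equality", which is also what "follows from the fact that the statistical distance is a distance". Minor wording: "This kind of definition are" should be "is", "has similar property" should be "has a similar property", "and add $\sigma$ to" should be "and adds $\sigma$ to", and "the (exponential) of" reads better as "the exponential of".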