From b7cbdeb6628f1da4d667d3d1a97e03c14b593b83 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Mon, 5 Feb 2018 18:27:07 +0100 Subject: [PATCH] Continue writing --- chap-proofs.tex | 28 ++++++++++++++++++++++++++-- sec-pairings.tex | 11 +++++------ 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/chap-proofs.tex b/chap-proofs.tex index c7df6cb..13813f4 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex @@ -102,10 +102,34 @@ In cryptology, it is also important to consider the success probability of algor an attack is successful if the probability that it succeed is noticeable. \index{Negligible function} -\textsc{Notation.} Let $f : \NN \to [0,1]$ be a function. The function $f$ is called \emph{negligible} if $f(n) = n^{-\omega(1)}$, and this is written $f(n) = \negl[n]$. Non-negligible functions are called \emph{noticeable} functions. And if $f = 1- \negl[n]$, $f$ is called \emph{overwhelming}. +\scbf{Notation.} Let $f : \NN \to [0,1]$ be a function. The function $f$ is called \emph{negligible} if $f(n) = n^{-\omega(1)}$, and this is written $f(n) = \negl[n]$. Non-negligible functions are called \emph{noticeable} functions. And if $f = 1- \negl[n]$, $f$ is called \emph{overwhelming}. Once that we define the notions related to the core of the proof, we have to define the objects on what we work on. -Namely, defining what we want to prove, and the hypotheses on which we rely. +Namely, defining what we want to prove, and the hypotheses on which we rely, also called ``hardness assumption''. + +The details of the hardness assumptions we use are given in Chapter~\ref{chap:structures}. Nevertheless, some notions are common to these and are evoked here. + +The amount of confidence one can put in a hardness assumption is given by many criteria. + +First of all, a weaker assumption is preferred to a stronger one if it is possible. +To illustrate this, let us consider the two following assumptions: + +\begin{definition}[Discrete logarithm] \label{de:DLP} + \index{Discrete Logarithm!Assumption} + \index{Discrete Logarithm!Problem} + The \emph{discrete algorithm problem} is defined as follows. Let $(\GG, \cdot)$ be a cyclic group of order $p$. + Given $g,h \in \GG$, the goal is to find an integer $a \in \Zp$ such that: $g^a = h$. + + The \textit{discrete logarithm assumption} is the intractability of this problem. +\end{definition} + +\begin{definition}[Decisional Diffie Hellman] \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman} + Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following. + Given $(g, g_1, g_2, g_3) = (g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$. + + The \textit{\DDH assumption} is the intractability of the problem for any $\ppt$ algorithm. +\end{definition} +The discrete logarithm assumption is implied by the decisional Diffie-Hellman assumption for instance. Indeed, if we can solve the discrete logarithm problem, then it suffices to compute the discrete logarithm of $g_1$, let say $a$, and then check whether $g_2^a = g_3$. Thus it is preferable to work with the discrete logarithm problem if it is possible. \section{Random-Oracle Model, Standard Model and Half-Simulatability} diff --git a/sec-pairings.tex b/sec-pairings.tex index 2ab620c..2d26d3f 100644 --- a/sec-pairings.tex +++ b/sec-pairings.tex @@ -23,18 +23,17 @@ In the following, we rely on the black-box definition of cryptographic pairings For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field. Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups, -%defined in Definition~\ref{de:DDH}. -defined as follows. +defined in Definition~\ref{de:DDH} and recalled here. -\begin{definition}[$\DDH$] \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman} +\begin{definition}[$\DDH$ (recall)] \index{Discrete Logarithm!Decisional Diffie-Hellman} Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following. Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$. The DDH assumption is the intractability of the problem for any $\ppt$ algorithm. - Let us now define the $\DDH$ language as - $L_\DDH = \bigl\{ (g, g^a, g^b, g^{c}) \in \GG^4 \mid c = a \cdot b \bigr\}.$ - Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not. +% Let us now define the $\DDH$ language as +% $L_\DDH = \bigl\{ (g, g^a, g^b, g^{c}) \in \GG^4 \mid c = a \cdot b \bigr\}.$ +% Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not. \end{definition} This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.