Continue writing

This commit is contained in:
Fabrice Mouhartem 2018-02-05 18:27:07 +01:00
parent 0cfc230237
commit b7cbdeb662
2 changed files with 31 additions and 8 deletions

View File

@ -102,10 +102,34 @@ In cryptology, it is also important to consider the success probability of algor
an attack is successful if the probability that it succeed is noticeable. an attack is successful if the probability that it succeed is noticeable.
\index{Negligible function} \index{Negligible function}
\textsc{Notation.} Let $f : \NN \to [0,1]$ be a function. The function $f$ is called \emph{negligible} if $f(n) = n^{-\omega(1)}$, and this is written $f(n) = \negl[n]$. Non-negligible functions are called \emph{noticeable} functions. And if $f = 1- \negl[n]$, $f$ is called \emph{overwhelming}. \scbf{Notation.} Let $f : \NN \to [0,1]$ be a function. The function $f$ is called \emph{negligible} if $f(n) = n^{-\omega(1)}$, and this is written $f(n) = \negl[n]$. Non-negligible functions are called \emph{noticeable} functions. And if $f = 1- \negl[n]$, $f$ is called \emph{overwhelming}.
Once that we define the notions related to the core of the proof, we have to define the objects on what we work on. Once that we define the notions related to the core of the proof, we have to define the objects on what we work on.
Namely, defining what we want to prove, and the hypotheses on which we rely. Namely, defining what we want to prove, and the hypotheses on which we rely, also called ``hardness assumption''.
The details of the hardness assumptions we use are given in Chapter~\ref{chap:structures}. Nevertheless, some notions are common to these and are evoked here.
The amount of confidence one can put in a hardness assumption is given by many criteria.
First of all, a weaker assumption is preferred to a stronger one if it is possible.
To illustrate this, let us consider the two following assumptions:
\begin{definition}[Discrete logarithm] \label{de:DLP}
\index{Discrete Logarithm!Assumption}
\index{Discrete Logarithm!Problem}
The \emph{discrete algorithm problem} is defined as follows. Let $(\GG, \cdot)$ be a cyclic group of order $p$.
Given $g,h \in \GG$, the goal is to find an integer $a \in \Zp$ such that: $g^a = h$.
The \textit{discrete logarithm assumption} is the intractability of this problem.
\end{definition}
\begin{definition}[Decisional Diffie Hellman] \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman}
Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
Given $(g, g_1, g_2, g_3) = (g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
The \textit{\DDH assumption} is the intractability of the problem for any $\ppt$ algorithm.
\end{definition}
The discrete logarithm assumption is implied by the decisional Diffie-Hellman assumption for instance. Indeed, if we can solve the discrete logarithm problem, then it suffices to compute the discrete logarithm of $g_1$, let say $a$, and then check whether $g_2^a = g_3$. Thus it is preferable to work with the discrete logarithm problem if it is possible.
\section{Random-Oracle Model, Standard Model and Half-Simulatability} \section{Random-Oracle Model, Standard Model and Half-Simulatability}

View File

@ -23,18 +23,17 @@ In the following, we rely on the black-box definition of cryptographic pairings
For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field. For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups, Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups,
%defined in Definition~\ref{de:DDH}. defined in Definition~\ref{de:DDH} and recalled here.
defined as follows.
\begin{definition}[$\DDH$] \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman} \begin{definition}[$\DDH$ (recall)] \index{Discrete Logarithm!Decisional Diffie-Hellman}
Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following. Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$. Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
The DDH assumption is the intractability of the problem for any $\ppt$ algorithm. The DDH assumption is the intractability of the problem for any $\ppt$ algorithm.
Let us now define the $\DDH$ language as % Let us now define the $\DDH$ language as
$L_\DDH = \bigl\{ (g, g^a, g^b, g^{c}) \in \GG^4 \mid c = a \cdot b \bigr\}.$ % $L_\DDH = \bigl\{ (g, g^a, g^b, g^{c}) \in \GG^4 \mid c = a \cdot b \bigr\}.$
Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not. % Thus the $\DDH$ problem is equivalently the question of whether $L_\DDH \in \mathsf{PP}$ or not.
\end{definition} \end{definition}
This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption. This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.