debut relecture
This commit is contained in:
parent
28a7ff32bd
commit
fffce87917
111
chap-proofs.tex
111
chap-proofs.tex
@ -1,12 +1,12 @@
|
|||||||
Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model.
|
Provable security is a subfield of cryptography where constructions are proven secure with respect to a security model.
|
||||||
To illustrate this notion, let us take the example of public-key encryption schemes.
|
To illustrate this notion, let us take the example of public-key encryption schemes.
|
||||||
This primitive consists in three algorithms:~\textit{key generation}, \textit{encryption} and \textit{decryption}.
|
This primitive consists in three algorithms:~\textit{key generation}, \textit{encryption} and \textit{decryption}.
|
||||||
These algorithms acts according to their names.
|
These algorithms acts according to their names.
|
||||||
Naturally, the question of ``how to define the security of this set of algorithms'' rises.
|
Naturally, the question of ``how to define the security of this set of algorithms'' arises.
|
||||||
To answer this question, we have to define the power of the adversary, and its goal.
|
To answer this question, we have to define the power of the adversary, and its goal.
|
||||||
In cryptography, many ways have been used to define this (random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots) which give rise to stronger security guarantees.
|
In cryptography, many approaches have been used to define this (random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots) which give rise to stronger security guarantees.
|
||||||
If one may look for the strongest security for its construction, there are known impossibility results in strong models.
|
If one aims at the strongest security for its construction, there are known impossibility results in strong models.
|
||||||
For instance, in the $\UC$ model, it is impossible to realize two-party computation~\cite{Yao86} without honest set-up~\cite{CKL06}, while it is possible in the standard model~\cite{LP07}.
|
For instance, in the $\UC$ model, it is impossible to realize two-party computation~\cite{Yao86} without trusted setup~\cite{CKL06}, while it is possible in the plain model~\cite{LP07}.
|
||||||
|
|
||||||
In this chapter, we will focus on the computational complexity elements we need to define properly the security models we will use in this thesis.
|
In this chapter, we will focus on the computational complexity elements we need to define properly the security models we will use in this thesis.
|
||||||
Then we will define these security models.
|
Then we will define these security models.
|
||||||
@ -17,39 +17,39 @@ Then we will define these security models.
|
|||||||
\section{Security Reductions}
|
\section{Security Reductions}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Réductions de sécurité}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Réductions de sécurité}
|
||||||
|
|
||||||
Provable security providing constructions for which the security is guaranteed by a security proof, or \emph{security reduction}.
|
Provable security provides constructions for which security is guaranteed by a security proof, or \emph{security reduction}.
|
||||||
The name ``reduction'' comes from computational complexity.
|
The name ``reduction'' comes from computational complexity.
|
||||||
In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them.
|
In this field of computer science, research focuses on defining equivalence classes for problems or hierarchical relations between them, based on the necessary amount of resources to solve them.
|
||||||
In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well.
|
In order to define lower bounds for the complexity of some problems, a classical approach is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that, if a solution of $B$ is found, then so is a solution of $A$.
|
||||||
This amounts to say that problem $B$ is at least as hard as problem $A$ up to the complexity of the transformation.
|
This amounts to saying that problem $B$ is at least as hard as problem $A$ up to the complexity of the transformation.
|
||||||
For instance, Cook shown that satisfiability of Boolean formulas is at least as hard as every problem in $\NP$~\cite{Coo71} up to a polynomial-time transformation.
|
For instance, Cook has shown that satisfiability of Boolean formulas is at least as hard as every problem in $\NP$~\cite{Coo71} up to a polynomial-time transformation.
|
||||||
|
|
||||||
Let us now define more formally the notions of reduction and computability using the computational model of Turing machines.
|
Let us now define more formally the notions of reduction and computability using the computational model of Turing machines.
|
||||||
|
|
||||||
\begin{definition}[Turing Machine] \label{de:turing-machine} \index{Turing machine}
|
\begin{definition}[Turing Machine] \label{de:turing-machine} \index{Turing machine}
|
||||||
A $k$-tape Turing Machine (TM) is described by a triple $M = (\Gamma, Q, \delta)$ containing:
|
A $k$-tape Turing Machine (TM) is described by a triple $M = (\Gamma, Q, \delta)$ containing:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item A finite set $\Gamma$, called the \textit{tape alphabet}, that contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``$\square$'', and ``$\triangleright$'' that denotes the beginning of a tape.
|
\item A finite set $\Gamma$, called the \textit{tape alphabet}, which contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``$\square$'', and ``$\triangleright$'' that denotes the beginning of a tape.
|
||||||
\item A finite set $Q$ called the \textit{states} of the TM. It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
|
\item A finite set $Q$ called the \textit{states} of the TM. It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
|
||||||
\item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and the TM heads.\\
|
\item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and the TM heads.\\
|
||||||
\smallskip
|
\smallskip
|
||||||
Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads according to $m_1, \ldots, m_k$.
|
Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads as dictated by $m_1, \ldots, m_k$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
A TM $M$ is said to \emph{compute} a function $f: \Sigma^\star \to \Gamma^\star$, if for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.
|
A TM $M$ is said to \emph{compute} a function $f: \Sigma^\star \to \Gamma^\star$ if, for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.
|
||||||
|
|
||||||
A TM $M$ is said to \emph{recognize} a language $L \subseteq \Sigma^\star$ if on a finite input $x \in \Sigma^\star$ written on its input tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, the machine $M$ eventually ends on the state $q_{halt}$ with $1$ written on its output tape if and only if $x \in L$.
|
A TM $M$ is said to \emph{recognize} a language $L \subseteq \Sigma^\star$ if, on a finite input $x \in \Sigma^\star$ written on its input tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, the machine $M$ eventually ends on the state $q_{halt}$ with $1$ written on its output tape if and only if $x \in L$.
|
||||||
|
|
||||||
A TM $M$ is said to run in $T(n)$-time if, on any input $x$, it eventually stops within $T(|x|)$ steps.
|
A TM $M$ is said to run in $T(n)$-time if, on any input $x$, it eventually stops within $T(|x|)$ steps.
|
||||||
|
|
||||||
A TM $M$ is said to run in $S(n)$-space if, on any input $x$, it eventually stops and had write at most $S(|x|)$ memory cells in its working tapes.
|
A TM $M$ is said to run in $S(n)$-space if, on any input $x$, it eventually stops after having written at most $S(|x|)$ memory cells in its working tapes.
|
||||||
\end{definition}
|
\end{definition}
|
||||||
|
|
||||||
Turing machines are a computational model that proved useful in complexity theory as it is convenient to evaluate the running time of a Turing machine, which amounts to bound the number of steps the machine can make.
|
Turing machines are a computational model that proved useful in complexity theory as it is convenient to evaluate the running time of a Turing machine, which amounts to bounding the number of steps the machine can take.
|
||||||
Similarly, the working tapes works analogously to the memory of a program, and then counting the number of cells the machine uses is equivalent to evaluate the amount of memory the program requires.
|
Similarly, the working tapes works analogously to the memory of a program, and then counting the number of cells the machine uses is equivalent to evaluating the amount of memory the program requires.
|
||||||
|
|
||||||
From these considerations, it is possible to describe the time and space complexity of a program from the definition of Turing machines.
|
From these considerations, it is possible to describe the time and space complexity of a program from the definition of Turing machines.
|
||||||
In our context, we will work with Turing machine that runs in polynomial-time and space, as polynomials benefit from good stability properties (sum, product, composition, \ldots{}).
|
In our context, we will work with Turing machines that run in polynomial-time and space, as polynomials benefit from good stability properties (sum, product, composition, \ldots{}).
|
||||||
|
|
||||||
\begin{definition}[\textsf{P}~\cite{Rab60}] \index{Complexity classes!P@\textsf{P}}
|
\begin{definition}[\textsf{P}~\cite{Rab60}] \index{Complexity classes!P@\textsf{P}}
|
||||||
The class \textsf{P} describes the set of languages that can be recognized by a Turing machine running in time $T(n) = \bigO(\poly)$.
|
The class \textsf{P} describes the set of languages that can be recognized by a Turing machine running in time $T(n) = \bigO(\poly)$.
|
||||||
@ -61,7 +61,7 @@ In this context, it is reasonable to consider the computational power of an adve
|
|||||||
As cryptographic algorithms are not deterministic, we also have to consider the probabilistic version of the computation model.
|
As cryptographic algorithms are not deterministic, we also have to consider the probabilistic version of the computation model.
|
||||||
|
|
||||||
\begin{definition}[Probabilistic Turing machine] \label{de:probabilistic-tm} \index{Turing machine!Probabilistic Turing machine}
|
\begin{definition}[Probabilistic Turing machine] \label{de:probabilistic-tm} \index{Turing machine!Probabilistic Turing machine}
|
||||||
A \emph{probabilistic Turing machine} is a Turing machine with two different transition functions $\delta_0$ and $\delta_1$, where at each step, a random coin is tossed to pick $\delta_0$ or $\delta_1$ with probability $1/2$ independently of all the previous choices.
|
A \emph{probabilistic Turing machine} is a Turing machine with two different transition functions $\delta_0$ and $\delta_1$ where, at each step, a random coin is tossed to pick $\delta_0$ or $\delta_1$ with probability $1/2$ independently of all the previous choices.
|
||||||
|
|
||||||
The machine only outputs \texttt{accept} and \texttt{reject} depending on the content of the output tape at the end of the execution.
|
The machine only outputs \texttt{accept} and \texttt{reject} depending on the content of the output tape at the end of the execution.
|
||||||
We denote by $M(x)$ the random variable corresponding to the value $M$ writes on its output tape at the end of its execution.
|
We denote by $M(x)$ the random variable corresponding to the value $M$ writes on its output tape at the end of its execution.
|
||||||
@ -71,14 +71,14 @@ As cryptographic algorithms are not deterministic, we also have to consider the
|
|||||||
The class \textsf{PP} describes the set of languages $L \subseteq \Sigma^\star$ that a Turing machine $M$ recognizes such that the TM $M$ stops in time $\poly[|x|]$ on every input $x$ and
|
The class \textsf{PP} describes the set of languages $L \subseteq \Sigma^\star$ that a Turing machine $M$ recognizes such that the TM $M$ stops in time $\poly[|x|]$ on every input $x$ and
|
||||||
\[ \begin{cases}
|
\[ \begin{cases}
|
||||||
\Pr\left[ M(x) = 1 \mid x \in L \right] > \frac12\\
|
\Pr\left[ M(x) = 1 \mid x \in L \right] > \frac12\\
|
||||||
\Pr\left[ M(x) = 0 \mid x \notin L \right] > \frac12
|
\Pr\left[ M(x) = 0 \mid x \notin L \right] \leq \frac12
|
||||||
\end{cases}. \]
|
\end{cases}. \]
|
||||||
|
|
||||||
In the following $\ppt$ stands for ``probabilistic polynomial time''.
|
In the following $\ppt$ stands for ``probabilistic polynomial time''.
|
||||||
\end{definition}
|
\end{definition}
|
||||||
|
|
||||||
We defined complexity classes that corresponds to natural sets of programs that are of interest for us, but now how to work with it?
|
We defined complexity classes that corresponds to natural sets of programs that are of interest to us.
|
||||||
That's why we'll now define the principle of polynomial time reduction.
|
In order to work with them, we will define the principle of polynomial time reduction.
|
||||||
|
|
||||||
\begin{definition}[Polynomial time reduction] \label{de:pt-reduction} \index{Reduction!Polynomial time}
|
\begin{definition}[Polynomial time reduction] \label{de:pt-reduction} \index{Reduction!Polynomial time}
|
||||||
A language $A \subseteq \bit^\star$ is \emph{polynomial-time reducible to} a language $B \subseteq \bit^\star$, denoted by $A \redto B$, if there is a \emph{polynomial-time computable} function $f: \bit^\star \to \bit^\star$ such that for every $x \in \bit^\star$, $x \in A$ if and only if $f(x) \in B$.
|
A language $A \subseteq \bit^\star$ is \emph{polynomial-time reducible to} a language $B \subseteq \bit^\star$, denoted by $A \redto B$, if there is a \emph{polynomial-time computable} function $f: \bit^\star \to \bit^\star$ such that for every $x \in \bit^\star$, $x \in A$ if and only if $f(x) \in B$.
|
||||||
@ -93,7 +93,7 @@ That's why we'll now define the principle of polynomial time reduction.
|
|||||||
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
|
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$.
|
||||||
This is illustrated in Figure~\ref{fig:poly-reduction}.
|
This is illustrated in Figure~\ref{fig:poly-reduction}.
|
||||||
|
|
||||||
To write down that a TM has black-box access to a TM $M_O$ that computes function $O$, we sometimes use the \textit{oracle} terminology.
|
To write down that a TM has black-box access to a TM $M^O$ that computes function $O$, we sometimes use the \textit{oracle} terminology.
|
||||||
|
|
||||||
\begin{definition}[Oracle machine] \index{Turing machine!Oracle machine}
|
\begin{definition}[Oracle machine] \index{Turing machine!Oracle machine}
|
||||||
A Turing Machine $M$ is said to have \textit{oracle access} to a function $O(\cdot)$ if it has access to the result of $O(x)$ for any input $x$ of its choice in constant time. We denote the output of $M$ on input $x$ with oracle $O$ by $M^O(x)$.
|
A Turing Machine $M$ is said to have \textit{oracle access} to a function $O(\cdot)$ if it has access to the result of $O(x)$ for any input $x$ of its choice in constant time. We denote the output of $M$ on input $x$ with oracle $O$ by $M^O(x)$.
|
||||||
@ -114,23 +114,24 @@ an attack is successful if the probability that it succeed is noticeable.
|
|||||||
Finally, if $f = 1- \negl[n]$, $f$ is said to be \emph{overwhelming}.
|
Finally, if $f = 1- \negl[n]$, $f$ is said to be \emph{overwhelming}.
|
||||||
\end{definition}
|
\end{definition}
|
||||||
|
|
||||||
Once we defined these notions related to the core of the proof, we have to define the objects on what we work on.
|
Now, we have to define two more notions to be able to work on security proofs.
|
||||||
Namely, defining \textit{what we want to prove}, and the hypotheses on which we rely, also called ``\textit{hardness assumptions}''.
|
Namely, the \textit{security notions} and the \textit{hardness assumptions}.
|
||||||
\index{Hardness assumptions}
|
The former are the statements we need to prove, and the latter are the hypotheses on which we rely.
|
||||||
|
\index{Hardness assumptions} \index{Security notions}
|
||||||
|
|
||||||
The details of the hardness assumptions we use are given in Chapter~\ref{ch:structures}.
|
The details of the hardness assumptions we use are given in Chapter~\ref{ch:structures}.
|
||||||
Nevertheless, some notions are common to these and are evoked here.
|
Nevertheless, some notions are common to these and are evoked here.
|
||||||
|
|
||||||
The confidence one can put in a hardness assumption depends on many criteria.
|
The confidence one can put in a hardness assumption depends on many criteria.
|
||||||
|
|
||||||
First of all, a weaker assumption is preferred to a stronger one if it is possible.
|
First of all, a weaker assumption is preferred to a stronger one.
|
||||||
To illustrate this, let us consider the two following assumptions:
|
To illustrate this, let us consider the two following assumptions:
|
||||||
|
|
||||||
\begin{definition}[Discrete logarithm] \label{de:DLP}
|
\begin{definition}[Discrete logarithm] \label{de:DLP}
|
||||||
\index{Discrete Logarithm!Assumption}
|
\index{Discrete Logarithm!Assumption}
|
||||||
\index{Discrete Logarithm!Problem}
|
\index{Discrete Logarithm!Problem}
|
||||||
The \emph{discrete algorithm problem} is defined as follows. Let $(\GG, \cdot)$ be a cyclic group of order $p$.
|
The \emph{discrete algorithm problem} is defined as follows. Let $(\GG, \cdot)$ be a cyclic group of order $p$.
|
||||||
Given $g,h \in \GG$, the goal is to find an integer $a \in \Zp^{}$ such that: $g^a_{} = h$.
|
Given $g,h \in \GG$, the goal is to find the integer $a \in \Zp^{}$ such that: $g^a_{} = h$.
|
||||||
|
|
||||||
The \textit{discrete logarithm assumption} is the intractability of this problem for any \ppt{} algorithm with noticeable probability.
|
The \textit{discrete logarithm assumption} is the intractability of this problem for any \ppt{} algorithm with noticeable probability.
|
||||||
\end{definition}
|
\end{definition}
|
||||||
@ -144,61 +145,61 @@ To illustrate this, let us consider the two following assumptions:
|
|||||||
\end{restatable}
|
\end{restatable}
|
||||||
|
|
||||||
The discrete logarithm assumption is implied by the decisional Diffie-Hellman assumption for instance.
|
The discrete logarithm assumption is implied by the decisional Diffie-Hellman assumption for instance.
|
||||||
Indeed, if one is able to solve the discrete logarithm problem, then it suffices to compute the discrete logarithm of $g_1$, let us say $\alpha$, and then check whether $g_2^\alpha = g_3^{}$ or not.
|
|
||||||
This is why it is preferable to work with the discrete logarithm assumption if it is possible.
|
This is why it is preferable to work with the discrete logarithm assumption if it is possible.
|
||||||
For instance, there is no security proofs for the El Gamal encryption scheme from DLP.
|
For instance, there is no security proofs for the El Gamal encryption scheme from DLP.
|
||||||
|
|
||||||
Another criterion to evaluate the security of an assumption is to look if the assumption is ``simple'' or not.
|
Another criterion to evaluate the security of an assumption is to look if the assumption is ``simple to state'' or not.
|
||||||
|
This observation is buttressed by the statement of~\cite[p.25]{KL07}:~``\ldots\textit{there is a general preference for assumptions that are simpler to state, since such assumptions are easier to study and to refute.}''.
|
||||||
|
|
||||||
It is harder to evaluate the security of an assumption as $q$-Strong Diffie-Hellman, which is a variant of $\DDH$ where the adversary is given the tuple $(g, g^a_{}, g^{a^2}_{}, \ldots, g^{a^q}_{})$ and has to devise $g^{a^{q+1}}$.
|
It is harder to evaluate the security of an assumption as $q$-Strong Diffie-Hellman, which is a variant of $\DDH$ where the adversary is given the tuple $(g, g^a_{}, g^{a^2}_{}, \ldots, g^{a^q}_{})$ and has to devise $g^{a^{q+1}}$.
|
||||||
The security of this assumption inherently depends on the parameter $q$ of the assumption.
|
The security of this assumption inherently depends on the parameter $q$ of the assumption.
|
||||||
And Cheon proved that for large values of $q$, this assumption is no more trustworthy~\cite{Che06}.
|
Cheon also proved that for large values of $q$, this assumption is no more trustworthy~\cite{Che06}.
|
||||||
These parameterized assumptions are called \emph{$q$-type assumptions}.
|
These parameterized assumptions are called \emph{$q$-type assumptions}.
|
||||||
There are also other kind of non-static assumptions, such as interactive assumptions.
|
There also exist other kinds of non-static assumptions, such as interactive assumptions.
|
||||||
An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption.
|
An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption.
|
||||||
Given oracle access to $n$ discrete logarithm queries ($n$ is not known in advance), the $1$-more-\textsf{DL} problem is to solve a $n+1$-th discrete logarithm.
|
Given oracle access to $n$ discrete logarithm queries ($n$ is not known in advance), the $1$-more-\textsf{DL} problem is to solve a $n+1$-th discrete logarithm.
|
||||||
|
These non-interactive assumptions are furthermore \textit{non-falsifiable} according to the definition of Naor~\cite{Nao03}.
|
||||||
Non-interactive and constant-size assumptions are sometimes called ``\textit{standard}''.
|
Non-interactive and constant-size assumptions are sometimes called ``\textit{standard}''.
|
||||||
|
|
||||||
The next step to study in a security proof is the \emph{security model}.
|
The next important aspect of a security proof is the model in which it takes place.
|
||||||
In other words, the context in which the proofs are made.
|
This is the purpose of the next section.
|
||||||
This is the topic of the next section.
|
|
||||||
|
|
||||||
\section{Random-Oracle Model and Standard Model} \label{se:models}
|
\section{Random-Oracle Model and Standard Model} \label{se:models}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Modèle de l'oracle aléatoire et modèle standard}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Modèle de l'oracle aléatoire et modèle standard}
|
||||||
|
|
||||||
The most general model to do security proofs is the \textit{standard model}.
|
Security proofs should preferably stand in the \textit{standard model} of computation, where no idealization is assumed on behalf of the building blocks.
|
||||||
In this model, nothing special is assumed, and every assumptions are explicit.
|
In this model, no implicit assumptions are assumed.
|
||||||
|
|
||||||
For instance, cryptographic hash functions enjoy several different associated security notions~\cite{KL07}.
|
For instance, cryptographic hash functions enjoy several different associated security notions~\cite{KL07}.
|
||||||
The weakest is the collision resistance, that states that it is intractable to find two strings that maps to the same digest.
|
On of the weakest is the collision resistance, that states that it is intractable to find two strings that map to the same digest.
|
||||||
A stronger notion is the second pre-image resistance, that states that given $x \in \bit^\star_{}$, it is not possible for a $\ppt$ algorithm to find $\tilde{x} \in \bit^\star_{}$ such that $h(x) = h(\tilde{x})$.
|
A stronger notion is the second pre-image resistance, that states that given $x \in \bit^\star_{}$, it is not possible for a $\ppt$ algorithm to find an $\tilde{x} \in \bit^\star_{}$ such that $h(x) = h(\tilde{x})$.
|
||||||
Similarly to what we saw in the previous section about $\DDH$ and $\DLP$, we can see that collision resistance implies second pre-image resistance.
|
Similarly to what we saw in the previous section about $\DDH$ and $\DLP$, we can see that collision resistance implies second pre-image resistance.
|
||||||
Indeed, if there is an attacker against second pre-image, then one can choose a string $x \in \bit^\star_{}$ and obtains from this attacker another string $\tilde{x} \neq x \in \bit^\star_{}$ such that $h(x) = h(\tilde{x})$. So a hash function that is collision resistant is also second pre-image resistant.
|
Indeed, if there is an attacker against second pre-image, then one can choose a string $x \in \bit^\star_{}$ and obtains from this attacker another string $\tilde{x} \neq x \in \bit^\star_{}$ such that $h(x) = h(\tilde{x})$. Hence, a hash function that is collision resistant is also second pre-image resistant.
|
||||||
|
|
||||||
\index{Random Oracle Model}
|
\index{Random Oracle Model}
|
||||||
The \textit{random oracle model}~\cite{FS86,BR93}, or \ROM, is an idealized security model where hash functions are assumed to behave as a truly random function.
|
The \textit{random oracle model}~\cite{FS86,BR93}, or \ROM, is an idealized security model where hash functions are assumed to behave as a truly random function.
|
||||||
This implies collision resistance (if the codomain of the hash function is large enough, which should be the case for a cryptographic hash function) and other security notions related to hash functions.
|
This implies collision resistance (if the codomain of the hash function is large enough) and other security notions related to hash functions.
|
||||||
In this model, hash function access are managed as oracle access (which then can be reprogrammed by the reduction).
|
In this model, hash functions are modeled as oracles in the view of the adversary.
|
||||||
|
These oracles are controlled by the reduction, meaning that the reduction can program the hash function as it likes as long as the responses look random and independent.
|
||||||
|
Moreover, the reduction has access to the conversation between the adversary and the random oracle. It thus eventually knows all inputs for which the adversary chose to evaluate the function.
|
||||||
|
|
||||||
We can notice that this security model is unrealistic~\cite{CGH04}. Let us construct a \emph{counter-example}.
|
We can notice that this computation model is unrealistic~\cite{CGH98}. Let us construct a \emph{counter-example}.
|
||||||
Let $\Sigma$ be a secure signature scheme, and let $\Sigma_y^{}$ be the scheme that returns $\Sigma(m)$ as a signature if and only if $h(0) \neq y$ and $0$ as a signature otherwise.
|
Let $\Sigma$ be a secure signature scheme, and let $\Sigma_y^{}$ be the scheme that returns $\Sigma(m)$ as a signature if and only if $h(0) \neq y$ and $0$ as a signature otherwise.
|
||||||
In the \ROM $h$ behaves as a random function.
|
In the \ROM $h$ behaves as a random function.
|
||||||
Hence, the probability that $h(0) = y$ is negligible with respect to the security parameter for any fixed $y$.
|
Hence, the probability that $h(0) = y$ is negligible with respect to the security parameter for any fixed $y$.
|
||||||
On the other hand, it appears that when $h$ is instantiated with a real world hash function, then $\Sigma_{h(0)}$ is the null function, and therefore completely insecure as a signature scheme. \hfill $\square$
|
On the other hand, it appears that when $h$ is instantiated with a real-world hash function, then $\Sigma_{h(0)}$ is the null function, and therefore completely insecure as a signature scheme. \hfill $\square$
|
||||||
|
|
||||||
In this context, one may wonder why is the \ROM still used in cryptographic proofs~\cite{LMPY16,LLM+16}.
|
In this context, one may wonder why is the \ROM still used in cryptographic proofs~\cite{LMPY16,LLM+16}.
|
||||||
One reason is that some constructions are not known to exist yet from the standard model.
|
One reason is that some constructions are not known to exist yet from the standard model.
|
||||||
One example is non-interactive zero-knowledge (\NIZK) proofs from lattice assumptions~\cite{Ste96,Lyu08}.
|
For instance, non-interactive zero-knowledge (\NIZK) proofs for all $\NP$ languages is not known to follow solely from lattice assumptions~\cite{Ste96,Lyu08}.
|
||||||
\NIZK proofs form an elementary building block for privacy-based cryptography, and forbid the use of the \ROM may slow down research in this direction~\cite{LLM+16}.
|
\NIZK proofs form an elementary building block for privacy-based cryptography. In the lattice setting, we do not have much better options that using random oracles~\cite{LLM+16}.
|
||||||
Another reason to use the \ROM in cryptography, is that it is a sufficient guarantee in real-world cryptography~\cite{BR93}.
|
Another reason to use the \ROM in cryptography, is because it enables much more efficient constructions and we have no example of a failure in the random oracle methodology for a natural cryptographic construction~\cite{BR93}.
|
||||||
The example we built earlier is artificial, and in practice there is no known attacks against the \ROM.
|
The example we built earlier is artificial, and in practice there is no known attacks against the \ROM for a natural scheme used in real-life applications.
|
||||||
This consequence comes also from the fact that the \ROM is implied by the standard model.
|
Thus, for practical purposes, constructions in the \ROM are usually more efficient.
|
||||||
As a consequence, constructions in the \ROM are at least as efficient as in the standard model.
|
For instance, the scheme we present in Chapter~\ref{ch:sigmasig} adapts the construction of dynamic group signature in the standard model from Libert, Peters and Yung~\cite{LPY15} to the \ROM.
|
||||||
Thus, for practical purpose, constructions in the \ROM are usually more efficient.
|
Doing this transform reduces the signature size from $32$ elements in $\GG$, $14$ elements in $\Gh$ and \textit{one} scalar in the standard model~\cite[App. J]{LPY15} down to $7$ elements in $\GG$ and $3$ scalars in the \ROM.
|
||||||
For instance, the scheme we present in Chapter~\ref{ch:sigmasig} adapts the construction of dynamic group signature in the standard model from Libert, Peters and Yung~\cite{LPY15} in the \ROM.
|
|
||||||
Doing this transform reduces the signature size from $32$ elements in $\GG$, $14$ elements in $\Gh$ and \textit{one} scalars in the standard model~\cite[App. J]{LPY15} down to $7$ elements in $\GG$ and $3$ scalars in the \ROM.
|
|
||||||
|
|
||||||
We now have defined the security structure on which we are working on and the basic tools that allows security proofs.
|
We now have defined the context we are working on and the base tools that allows security proofs.
|
||||||
The following section explains how to define the security of a cryptographic primitive.
|
The following section explains how to define the security of a cryptographic primitive.
|
||||||
|
|
||||||
\section{Security Games and Simulation-Based Security} \label{se:games-sim}
|
\section{Security Games and Simulation-Based Security} \label{se:games-sim}
|
||||||
|
Loading…
Reference in New Issue
Block a user