thesis/chap-proofs.tex

45 lines
4.1 KiB
TeX

\chapter{Security Proofs in Cryptography}
Provable security is a subfield of cryptography where constructions are proven secure with regards to a security model.
To illustrate this notion, let us take the example of public-key encryption schemes.
This primitive consists in three algorithms:~\textit{key generation}, \textit{encryption} and \textit{decryption}.
These algorithms acts according to their names.
Naturally, the question of ``how to define the security of this set of algorithms'' rises.
To answer this question, we have to define the power of the adversary, and its goal.
In cryptography, many ways have been used to define this (random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots) which give rise to stronger security guarantees.
If one may look for the strongest security for its construction, there are known impossibility results in strong models.
For instance, in the $\UC$ model, it is impossible to realize two-party computation~\cite{Yao86} without honest set-up~\cite{CKL06}, while it is possible in the standard model~\cite{LP07}.
In this chapter, we will focus on the computational complexity elements we need to define properly the security models we will use in this thesis.
Then we will define these security models.
%%%%%%%%%%%%%%%%%%%%%%%
% Security Reductions %
%%%%%%%%%%%%%%%%%%%%%%%
\section{Security Reductions}
Provable security focuses on providing constructions for which the security is guaranteed by a security proof, or security reduction.
The name ``reduction'' comes from computational complexity.
In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them.
In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well.
This amounts to say that problem $B$ is at least as hard as problem $A$ up to the complexity of the transformation.
For instance, Cook shown that satisfiability of boolean formulas is at least as hard as every problem in $\NP$~\cite{Coo71} up to a polynomial-time transformation.
Let us now define more formally the notion of reduction, and the notion of computability \textit{via} Turing machines.
\begin{definition}[Turing Machine] \label{de:turing-machine}
\newcommand\espace{\ensuremath{\square}\xspace}
A $k$-tape Turing Machine (TM) is described by a triple $M = (\Gamma, Q, \delta)$ containing:
\begin{itemize}
\item A finite set $\Gamma$, called the \textit{tape alphabet}, that contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``\espace'', and ``$\triangleright$'' that denotes the beginning of a tape.
\item A finite set $Q$ called the \textit{states} of the TM. It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
\item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and the TM heads.\\
\smallskip
Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads according to $m_1, \ldots, m_k$.
\end{itemize}
A TM $M$ is said to compute a function $f: \Sigma^\star \to \Gamma^\star$, if for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.
\end{definition}
\section{Random-Oracle Model, Standard Model and Half-Simulatability}