\chapter{Security Proofs in Cryptography}

Provable security is a subfield of cryptography in which constructions are proven secure with respect to a security model.
To illustrate this notion, let us take the example of public-key encryption schemes.
This primitive consists of three algorithms:~\textit{key generation}, \textit{encryption} and \textit{decryption}.
These algorithms act according to their names.
Naturally, the question of ``how to define the security of this set of algorithms'' arises.
To answer this question, we have to define the power of the adversary, and its goal.
In cryptography, many ways have been used to define this (random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots), which give rise to stronger security guarantees.
While one may look for the strongest possible security for one's construction, there are known impossibility results in strong models.
For instance, in the $\UC$ model, it is impossible to realize two-party computation~\cite{Yao86} without honest set-up~\cite{CKL06}, while it is possible in the standard model~\cite{LP07}.

In this chapter, we will focus on the computational complexity elements we need in order to properly define the security models used in this thesis.
Then we will define these security models.

%%%%%%%%%%%%%%%%%%%%%%%
% Security Reductions %
%%%%%%%%%%%%%%%%%%%%%%%
\section{Security Reductions}

Provable security focuses on providing constructions for which the security is guaranteed by a security proof, or security reduction.
The name ``reduction'' comes from computational complexity.
In this field of computer science, research focuses on defining equivalence classes for problems, based on the amount of resources necessary to solve them.
In order to define lower bounds for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of a problem $B$ such that if a solution of $B$ is found, then a solution of $A$ is found as well.
This amounts to saying that problem $B$ is at least as hard as problem $A$, up to the complexity of the transformation.
For instance, Cook showed that satisfiability of boolean formulas is at least as hard as every problem in $\NP$~\cite{Coo71}, up to a polynomial-time transformation.
Let us now define more formally the notion of reduction, and the notion of computability \textit{via} Turing machines.

\begin{definition}[Turing Machine] \label{de:turing-machine}
\newcommand\espace{\ensuremath{\square}\xspace}
A $k$-tape Turing Machine (TM) is described by a triple $M = (\Gamma, Q, \delta)$ containing:
\begin{itemize}
\item A finite set $\Gamma$, called the \textit{tape alphabet}, that contains the symbols the TM uses on its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``\espace'', and ``$\triangleright$'', which denotes the beginning of a tape.
\item A finite set $Q$, called the \textit{states} of the TM. It contains two special states $q_{start}$ and $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
\item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and of the TM heads.\\
\smallskip
Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) in state $q$, the TM moves to state $r$, writes $b_2, \ldots, b_k$ on tapes $2$ to $k$ and moves its heads according to $m_1, \ldots, m_k$.
\end{itemize}

A TM $M$ is said to compute a function $f: \Sigma^\star \to \Gamma^\star$ if, for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ (each starting with the beginning symbol $\triangleright$) and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.
\end{definition}
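As an added illustration (not part of this thesis), the following Python simulator implements the $k$-tape machine of Definition~\ref{de:turing-machine} exactly as stated: $\delta$ reads tapes $1$ to $k-1$, writes tapes $2$ to $k$ and moves all $k$ heads, so the input tape is never written. It is run on a 3-tape machine that reverses a binary string; the rendering of $\square$ as \texttt{\_} and $\triangleright$ as \texttt{>}, and the choice that heads start on the first cell after $\triangleright$ and never move left of it, are assumptions of this example.

```python
BLANK, START = "_", ">"          # blank symbol and the tape-start marker (triangleright)
L, S, R = "L", "S", "R"          # head moves: leftarrow, downarrow, rightarrow

def run_tm(delta, x, k, q_start="start", q_halt="halt", max_steps=10_000):
    """Run M = (Gamma, Q, delta) on input x and return the output tape (tape k).

    delta maps (q, (a_1..a_{k-1})) -> (r, (b_2..b_k), (m_1..m_k)) as in the
    definition: tape 1 is read-only input, tape k is the output tape.
    Assumption of this example: heads start on the cell after '>' and never
    move left of '>'.
    """
    tapes = [[START] + list(x)] + [[START] for _ in range(k - 1)]
    heads = [1] * k
    q = q_start
    for _ in range(max_steps):
        if q == q_halt:
            return "".join(tapes[-1][1:]).rstrip(BLANK)
        for t, h in zip(tapes, heads):            # tapes are infinite to the right
            t.extend([BLANK] * (h + 1 - len(t)))
        read = tuple(tapes[i][heads[i]] for i in range(k - 1))   # a_1..a_{k-1}
        q, writes, moves = delta[(q, read)]
        for i, b in enumerate(writes, start=1):                   # b_2..b_k
            tapes[i][heads[i]] = b
        for i, m in enumerate(moves):                             # m_1..m_k
            if m == R:
                heads[i] += 1
            elif m == L and heads[i] > 0:
                heads[i] -= 1
    raise RuntimeError("step bound exceeded; M did not halt")

def reverse_machine():
    """3-tape machine computing f(x) = reverse(x) over {0,1}: state 'start'
    copies x onto the work tape (tape 2); state 'back' walks the work tape
    leftwards and emits each symbol on the output tape (tape 3)."""
    delta = {}
    for a in "01":   # copy phase: the work-tape head always sits on a fresh blank
        delta[("start", (a, BLANK))] = ("start", (a, BLANK), (R, R, S))
    # end of input reached: step the work-tape head back onto the last symbol
    delta[("start", (BLANK, BLANK))] = ("back", (BLANK, BLANK), (S, L, S))
    for w in "01":   # emit the work tape right-to-left onto the output tape
        delta[("back", (BLANK, w))] = ("back", (w, w), (S, L, R))
    # the work-tape head is back on '>': everything has been emitted, halt
    delta[("back", (BLANK, START))] = ("halt", (START, BLANK), (S, S, S))
    return delta

if __name__ == "__main__":
    print(run_tm(reverse_machine(), "1101", 3))   # prints 1011
```
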
\section{Random-Oracle Model, Standard Model and Half-Simulatability}