Chapter status: in progress

TODO:

modify advantage notation to display the scheme

Games, Models, and Assumptions

This section presents how security assumptions and security properties of cryptographic schemes are formalized. It also gives a list of cryptographic assumptions relevant for this book (see also the ECRYPT II MAYA report).

Big-O Notation and Negligible Functions
Cryptographic Games
Idealized Models
Assumptions

Big-O Notation and Negligible Functions

In all the following, we consider functions from $N$ to $R^{+} = {x \in R ∣ x \geq 0}$ and we let $λ$ denote the variable.

A function $f$ is said to be negligible if $f \in λ^{- ω (1)}$ or equivalently if $\forall k \in N, \exists n \in N, \forall λ \geq n, f (λ) \leq λ^{- c} .$

In words, $f$ is negligible if it approaches zero faster than the inverse of any polynomial.

The set of all negligible functions is denoted $negl .$ We often write $f (λ) = negl (λ)$ in place of $f \in negl .$

Cryptographic Games

Game: Tentative Definition

A game consists of a main algorithm $GAME$ and a (potentially empty) finite tuple of oracle algorithms $O_{1}, \dots, O_{n} .$ Then main algorithm (to which we simply refer as the game from here) takes as input $1^{λ}$ where $λ \in N$ is an integer called security parameter and runs in three phases:

initialization: the game initializes variables and generates some input $in p;$
attack: the game invokes an algorithm $A$ called adversary on input $in p;$ the adversary has oracle access to $O_{1}, \dots, O_{n};$
finalization: when the adversary halts and returns some output $o u t,$ the game evaluates a predicate of $o u t$ and all variables and returns the truth value of this predicate.

To make this definition rigorous, the programming language used to write the game should be completely specified. Here, we will content ourselves with specifying games in pseudocode.

A very simple game called ADD drawing two random $λ$ -bit integers and returning $true$ if the adversary successfully adds them would look like this:

$\underline{Game ADD (1^{λ}) :} a, b \leftarrow_{$} {2^{λ - 1}, \dots, 2^{λ} - 1} c \leftarrow A (a, b) return (c = a + b)$

Notation and Conventions for Writing Games

Given a predicate $A,$ we use $assert A$ as a shorthand for $if \neg A then return false$
Games return $true$ by default, meaning if the end of the game code is reached and the game has not returned yet, then it returns $true .$ Finalization often consists in returning the truth vale of $A \land B \land C \land \dots .$ Under this convention, the following finalization code $return A \land B \land C$ is equivalent to $assert A assert B assert C$

Advantage

For each security parameter $λ,$ a game together with an adversary define a finite probability space specified by all random choices made by the game and the random coins of the adversary. This allows to define the probability of various events related to the execution of the game with a specific adversary.

In particular, given a game $GAME$ and an adversary $A,$ we write $GAME^{A} (1^{λ}) \Rightarrow b,$ or simply $GAME \Rightarrow b$ when the context is clear, for the event that an execution of $GAME$ with adversary $A$ for security parameter $λ$ returns $b .$ When the game returns $true$ we also say that the adversary "wins".

A game can be computational or decisional depending on how a quantity called advantage, measuring how well an adversary performs at winning the game, is defined.

The advantage of an adversary $A$ against a game $GAME$ is a function of the security parameter $λ \in N^{*}$ into $[0, 1]$ defined as $Adv_{A}^{game} (λ) : = Pr [GAME \Rightarrow true]$ if the game is computational and $Adv_{A}^{game} (λ) : = ∣ 2 Pr [GAME \Rightarrow true] - 1 ∣$ if the game is decisional. (We write the name of the game in small caps in the advantage superscript to lighten notation.)

We say that a game $GAME$ is computationally hard if for every probabilistic polynomial-time (ppt) algorithm $A,$ $Adv_{A}^{game} (λ) = negl (λ) .$ We say that a game $GAME$ is statistically hard (or information-theoretically hard or unconditionally hard) if for every algorithm $A$ (not necessarily polynomial-time), $Adv_{A}^{game} (λ) = negl (λ) .$ In the special case where the advantage of any algorithm is zero, one says that the game is perfectly hard (for example, a commitment scheme that can be perfectly hiding or perfectly binding).

When we simply say that a game is hard, it usually means computationally hard (but this should always be clear from the context).

Hence, for a computationally, resp. statistically hard game, every ppt, resp. unbounded adversary "wins" with probability negligible close to 0 for a computational game and with probability negligibly close to $1/2$ for a decisional game.

Reductions

Given two games $X$ and $Y,$ we say that $X$ reduces to $Y,$ denoted $X ≦ Y,$ if there exists a probabilistic polynomial-time algorithm $B$ (called reduction) with access to an oracle such that for every algorithm $A$ solving $Y$ with non-negligible advantage, $B^{A}$ solves $X$ with non-negligible advantage.

If $X$ reduces to $Y$ and $Y$ reduces to $X,$ we say that $X$ and $Y$ are equivalent, denoted $X \equiv Y .$

Proposition 13.1. Assume that $X$ reduces to $Y .$ Then $X$ being hard implies $Y$ being hard.

Proof

Contraposing, assume that $Y$ is not hard, which by definition means that there exists a ppt algorithm $A$ such that $Adv_{A}^{Y} (λ) \neq = negl (λ) .$ Consider the reduction $B$ from $X$ to $Y .$ Since $A$ and $B$ both run in polynomial time, $B^{A}$ runs in polynomial time as well. Moreover, by definition of a reduction, $Adv_{B^{A}}^{X} (λ) \neq = negl (λ) .$ Hence, $X$ is not hard.

Thus, $X ≦ Y$ can be read as " $X$ is not harder than $Y$ " or $Y$ is at least as hard as $X$ ".

In cryptography, we are constantly making assumptions of the form "X is hard". Proposition 13.1 can be used to compare the strength of various assumptions. Indeed, assuming we proved that $X ≦ Y,$ then the assumption that $X$ is hard implies that $Y$ is hard too. If, in addition, there are some indications that $Y ≦ X$ does not hold, then the assumption that $X$ is hard is stronger than the assumption that $Y$ is hard. Indeed, if $X ≦ Y$ but $Y ≦ X$ is not known to hold, then it might be that $Y$ is hard yet $X$ is easy.

For example, consider the discrete logarithm (DL) problem on one hand (given a group $G$ and group elements $G$ and $X = x G,$ compute $x)$ and the Computational Diffie-Hellman (CDH) problem on the other hand (given a group $G$ and group elements $G,$ $X = x G,$ and $Y,$ compute $x Y) .$ One can easily prove that CDH $≦$ DL (CDH reduces to DL) by constructing a reduction from CDH to DL: given an algorithm solving DL, one can solve CDH by first computing the discrete logarithm $x$ of $X$ and then computing $x Y .$ However, there is no proof that DL $≦$ CDH (except in very specific situations). Hence, the assumption that CDH is hard is (for most groups) stronger than the assumption that DL is hard.

Another way Proposition 13.1 is often used in cryptography is for security proofs. Here, $X$ is some hardness assumption such as DL and $Y$ is a security game, say unforgeability (in the precise sense of EUF-CMA security in the random oracle model) of Schnorr signatures. Then, a security proof for Schnorr signatures consists in proving that $X$ reduces to $Y,$ i.e., the DL problem reduces to the EUF-CMA security of Schnorr signatures in the ROM. By Proposition 13.1, if DL is hard, then Schnorr signatures are EUF-CMA secure in the ROM.

Idealized Models

The Random Oracle Model

The Generic Group Model

The Algebraic Group Model

Assumptions

Group Setup Algorithms

A standard group setup algorithm is an algorithm $GroupSetup$ which on input the security parameter $1^{λ}$ returns a pair $(G, p)$ where $p$ is a $2 λ$ -bit prime and $G$ is a cyclic group of order $p .$

A pairing group setup algorithm is an algorithm $PairingSetup$ which on input the security parameter $1^{λ}$ returns a tuple $(G_{1}, G_{2}, G_{t}, r, e)$ where $r$ is a $2 λ$ -bit prime, $G_{1},$ $G_{2},$ and $G_{t}$ are cyclic groups of order $r,$ and $e : G_{1} \times G_{2} \to G_{t}$ is an efficiently computable pairing.

We adopt the convention that group/pairing setup algorithms do not return generators of the groups. They will be explicitly sampled in the games.

One usually distinguishes three types of pairing group setup algorithms [GPS08]:

a type-1 pairing group setup algorithm (also called symmetric pairing setup algorithm) is such that $G_{1} = G_{2};$
a type-2 pairing group setup algorithm is such that $G_{1} \neq = G_{2}$ and there exists an efficiently computable isomorphism $ψ : G_{2} \to G_{1};$
a type-3 pairing group setup algorithm is such that $G_{1} \neq = G_{2}$ an no efficiently computable isomorphism $ψ : G_{2} \to G_{1}$ is known.

Type-2 and type-3 pairing group setup algorithms are called asymmetric.

In all the following, we simply talk about "type-1/2/3 pairings" rather than "type-1/2/3 pairing group setup algorithms".

Assumptions in Standard Groups

Discrete Logarithm (DL)

type: computational
interactive: no
falsifiable: yes
references:
notes:

$\underline{Game DL:} p a r \leftarrow GroupSetup (1^{λ}) (G, p) ↞ p a r G \leftarrow_{$} G ∖ {0} X \leftarrow_{$} G x \leftarrow A (p a r, G, X) assert (X = x G)$

Computational Diffie-Hellman (CDH)

type: computational
interactive: no
falsifiable: yes
references:
notes: CDH $≦$ DL

$\underline{Game CDH:} p a r \leftarrow GroupSetup (1^{λ}) (G, p) ↞ p a r G \leftarrow_{$} G ∖ {0} x \leftarrow_{$} Z_{p}; X : = x G Y \leftarrow_{$} G Z \leftarrow A (p a r, G, X, Y) assert (Z = x Y)$

Decisional Diffie-Hellman (DDH)

type: decisional
interactive: no
falsifiable: yes
references:
notes: DDH $≦$ CDH

$\underline{Game DDH:} p a r \leftarrow GroupSetup (1^{λ}) (G, p) ↞ p a r b \leftarrow_{$} {0, 1} G \leftarrow_{$} G ∖ {0} x \leftarrow_{$} Z_{p}; X : = x G Y \leftarrow_{$} G Z_{0} : = x Y; Z_{1} \leftarrow_{$} G b^{'} \leftarrow A (p a r, G, X, Y, Z_{b}) assert (b = b^{'})$

$q$ -Discrete Logarithm ( $q$ -DL)

type: computational
interactive: no
falsifiable: yes
references: [Che10, Lip10, FKL18, Rot22]
notes:
- sometimes called $q$ -strong DL or DL with $q$ auxiliary inputs
- 1-Dl = DL
- $(q + 1)$ -DL $≦$ $q$ -DL

$\underline{Game q -DL:} p a r \leftarrow GroupSetup (1^{λ}) (G, p) ↞ p a r G \leftarrow_{$} G ∖ {0} x \leftarrow_{$} Z_{p} x^{'} \leftarrow A (p a r, G, x G, x^{2} G, \dots, x^{q} G) assert (x = x^{'})$

Assumptions in Product Groups

The assumptions listed in this section are defined for a pair of groups $(G_{1}, G_{2})$ of equal order $r .$ They are usually applied to groups returned by a pairing group setup algorithm $PairingSetup$ but don't make use of the group $G_{t}$ nor the pairing $e .$ For this reason, we simply write $(G_{1}, G_{2}, r) ↞ p a r$ when parsing the parameters $p a r$ returned by $PairingSetup .$

$(q_{1}, q_{2})$ -co-Discrete Logarithm ( $(q_{1}, q_{2})$ -co-DL)

type: computational
interactive: no
falsifiable: yes
references: [Che10, Lip10, FKL18, Rot22]
notes:

$\underline{Game (q_{1}, q_{2}) -co-DL:} p a r \leftarrow PairingSetup (1^{λ}) (G_{1}, G_{2}, r) ↞ p a r G_{1} \leftarrow_{$} G_{1} ∖ {0} G_{2} \leftarrow_{$} G_{2} ∖ {0} x \leftarrow_{$} Z_{r} x^{'} \leftarrow A (p a r, G_{1}, x G_{1}, \dots, x^{q_{1}} G_{1}, G_{2}, x G_{2}, \dots, x^{q_{2}} G_{2}) assert (x = x^{'})$

Computational co-Diffie-Hellman (co-CDH)

type: computational
interactive: no
falsifiable: yes
references: [BLS04]
notes:
- co-CDH $≦$ DL in $G_{2}$
- co-CDH $\equiv$ CDH in $G_{1} = G_{2}$ for type-1 pairings
- co-CDH $≦$ CDH in $G_{1}$ for type-2 pairings (see Proposition 17.3)

$\underline{Game co-CDH:} p a r \leftarrow PairingSetup (1^{λ}) (G_{1}, G_{2}, r) ↞ p a r G_{2} \leftarrow_{$} G_{2} ∖ {0} x \leftarrow_{$} Z_{r}; X : = x G_{2} Y \leftarrow_{$} G_{1} Z \leftarrow A (p a r, G_{2}, X, Y) assert (Z = x Y)$

Computational co-Diffie-Hellman* (co-CDH*)

type: computational
interactive: no
falsifiable: yes
references: [CHKM10]
notes:
- sometimes simply called (confusingly) co-CDH (e.g. [BDN18])
- co-CDH $^{*}$ $≦$ CDH in $G_{1}$
- co-CDH $^{*}$ $≦$ DL in $G_{2}$
- co-CDH $^{*}$ $≦$ co-CDH
- co-CDH $^{*}$ $\equiv$ CDH in $G_{1} = G_{2}$ for type-1 pairings (see Proposition 17.1)
- co-CDH $^{*}$ $\equiv$ co-CDH for type-2 pairings (see Proposition 17.2)

$\underline{Game co-CDH^{*} :} p a r \leftarrow PairingSetup (1^{λ}) (G_{1}, G_{2}, r) ↞ p a r G_{1} \leftarrow_{$} G_{1} ∖ {0} G_{2} \leftarrow_{$} G_{2} ∖ {0} x \leftarrow_{$} Z_{r}; X_{1} : = x G_{1}; X_{2} : = x G_{2} Y \leftarrow_{$} G_{1} Z \leftarrow A (p a r, G_{1}, X_{1}, G_{2}, X_{2}, Y) assert (Z = x Y)$

Computational $ψ$ -co-Diffie-Hellman ( $ψ$ -co-CDH)

type: computational
interactive: yes
falsifiable: no (for type-3 pairings)
references: [SV07, BDN18]
notes:
- $ψ$ -co-CDH $≦$ CDH in $G_{1}$
- $ψ$ -co-CDH $≦$ DL in $G_{2}$
- $ψ$ -co-CDH $≦$ co-CDH $^{*}$ $≦$ co-CDH
- $ψ$ -co-CDH $\equiv$ co-CDH for type-2 pairings (the isomorphism $ψ$ enables to compute $SolveCoCDH (U)$ efficiently as $ψ (U),$ assuming $ψ (G_{2}) = G_{1})$

$\underline{Game ψ -co-CDH:} p a r \leftarrow PairingSetup (1^{λ}) (G_{1}, G_{2}, r) ↞ p a r G_{1} \leftarrow_{$} G_{1} ∖ {0} G_{2} \leftarrow_{$} G_{2} ∖ {0} x \leftarrow_{$} Z_{r}; X_{1} : = x G_{1}; X_{2} : = x G_{2} Y \leftarrow_{$} G_{1} Z \leftarrow A^{SolveCoCDH} (p a r, G_{1}, X_{1}, G_{2}, X_{2}, Y) assert (Z = x Y) \underline{Oracle SolveCoCDH (U) :} / / solves co-CDH for (G_{2}, U, G_{1}) assert U \in G_{2} for u \in Z_{r} do if u G_{2} = U then return u G_{1}$

$(q_{1}, q_{2})$ -Strong Diffie-Hellman ( $(q_{1}, q_{2})$ -SDH)

type: computational
interactive: no
falsifiable: yes
references: [BB08]
notes:
- $(q, 1)$ -SDH usually called $q$ -SDH
- not to be confused with another assumption named SDH introduced in [ABR01]
- $(q_{1} + 1, q_{2})$ -SDH $≦$ $(q_{1}, q_{2})$ -SDH
- $(q_{1}, q_{2} + 1)$ -SDH $≦$ $(q_{1}, q_{2})$ -SDH

$\underline{Game (q_{1}, q_{2}) -SDH:} p a r \leftarrow PairingSetup (1^{λ}) (G_{1}, G_{2}, r) ↞ p a r G_{1} \leftarrow_{$} G_{1} ∖ {0} G_{2} \leftarrow_{$} G_{2} ∖ {0} x \leftarrow_{$} Z_{r} (a, Y) \leftarrow A (p a r, G_{1}, x G_{1}, \dots, x^{q_{1}} G_{1}, G_{2}, x G_{2}, \dots, x^{q_{2}} G_{2}) assert (Y = \frac{1}{x + a} G_{1})$

Assumptions in Pairing Groups

$(q_{1}, q_{2})$ -Bilinear Diffie-Hellman Inversion ( $(q_{1}, q_{2})$ -BDHI)

type: computational
interactive: no
falsifiable: yes
references: [BB04]
notes:
- $(q_{1} + 1, q_{2})$ -BDHI $≦$ $(q_{1}, q_{2})$ -BDHI
- $(q_{1}, q_{2} + 1)$ -BDHI $≦$ $(q_{1}, q_{2})$ -BDHI

$\underline{Game (q_{1}, q_{2}) -BSDH:} p a r \leftarrow PairingSetup (1^{λ}) (G_{1}, G_{2}, G_{t}, r, e) ↞ p a r G_{1} \leftarrow_{$} G_{1} ∖ {0} G_{2} \leftarrow_{$} G_{2} ∖ {0} x \leftarrow_{$} Z_{r} Y \leftarrow A (p a r, G_{1}, x G_{1}, \dots, x^{q_{1}} G_{1}, G_{2}, x G_{2}, \dots, x^{q_{2}} G_{2}) assert (Y = e (G_{1}, G_{2})^{\frac{1}{x}})$

$(q_{1}, q_{2})$ -Bilinear Strong Diffie-Hellman ( $(q_{1}, q_{2})$ -BSDH)

type: computational
interactive: no
falsifiable: yes
references: [KZG10a]
notes:
- $(q, 1)$ -BSDH is usually simply called $q$ -BSDH
- $(q_{1} + 1, q_{2})$ -BSDH $≦$ $(q_{1}, q_{2})$ -BSDH
- $(q_{1}, q_{2} + 1)$ -BSDH $≦$ $(q_{1}, q_{2})$ -BSDH
- $(q_{1}, q_{2})$ -BSDH $≦$ $(q_{1}, q_{2})$ -SDH
- $(q_{1}, q_{2})$ -BSDH $≦$ $(q_{1}, q_{2})$ -BDHI

$\underline{Game (q_{1}, q_{2}) -BSDH:} p a r \leftarrow PairingSetup (1^{λ}) (G_{1}, G_{2}, G_{t}, r, e) ↞ p a r G_{1} \leftarrow_{$} G_{1} ∖ {0} G_{2} \leftarrow_{$} G_{2} ∖ {0} x \leftarrow_{$} Z_{r} (a, Y) \leftarrow A (p a r, G_{1}, x G_{1}, \dots, x^{q_{1}} G_{1}, G_{2}, x G_{2}, \dots, x^{q_{2}} G_{2}) assert (Y = e (G_{1}, G_{2})^{\frac{1}{x + a}})$

Crypto Book (Work in Progress)