Some grammatical changes to ROM, AGM and GGM
@@ -104,23 +104,23 @@ The Schnorr signature scheme is a signature scheme which was introduced by Claus
|
||||
\subsection{Random Oracle Model (ROM)}
|
||||
\label{sec:rom}
|
||||
|
||||
Some of the following proofs are conducted in the random oracle model. The random oracle model was introduces by Bellare and Rogaway in 1993 \cite{CCS:BelRog93}. In the random oracle model some primitives (in this case hash functions) are modeled as public random oracles. Meaning that instead of calling the hash function the adversary has to call the random oracle supplied by the challenger. This random oracle has to behave like a truly random function.
|
||||
Some of the following proofs are conducted in the random oracle model. The random oracle model was introduced by Bellare and Rogaway in 1993 \cite{CCS:BelRog93}. In the random oracle model some primitives (in this case hash functions) are modeled as public random oracles. This means that instead of calling the hash function, the adversary has to call the random oracle provided by the challenger. This random oracle must behave like a true random function.
|
||||
|
||||
To simulate a truly random function in polynomical time a process called "lazy-sampling" can be used. Lazy-sampling means that the challenger has a table which at the start is empty. When the adversary quries a value from the random oracle the challenger checks if that input is in the table. If the input is in the table the challenger returns the output value according to the table. Otherwise the challenger chooses an output value from a uniform random distribution and inserts it into the table for this specific input value. Then the challenger returns this value.
|
||||
To simulate a truly random function in polynomial time, a process called "lazy-sampling" can be used. Lazy-sampling means that the challenger has a table that starts out empty. When the adversary queries a value from the random oracle, the challenger checks if that input is in the table. If the input is in the table, the challenger returns the output value according to the table. Otherwise, the challenger chooses an output value from a uniform random distribution and inserts it into the table for that particular input value. The challenger then returns that value.
|
||||
|
||||
This method allows observing and influencing the behavior of the adversary. Since the random oracle behaves like a truly random function the adversary has to query the random oracle to know the output value for an specific input value. Therefore the challenger can observe any input value to the random oracle. Also the challenger has the ability to program specific output values of the random oracle as long as it is correctly distributed and is consistent. Consistent meaning that the random oracle should at no time output two different values for the same input value.
|
||||
This method allows the challenger to observe and influence the behavior of the adversary. Since the random oracle behaves like a truly random function, the adversary must query the random oracle to know the output value for a given input value. Therefore, the challenger can observe any input value to the random oracle. Also, the challenger has the ability to program specific output values of the random oracle, as long as it is correctly distributed and is consistent. Consistent means that at no time should the random oracle output two different values for the same input value.
|
||||
|
||||
%TODO: Kann man das so schreiben?
|
||||
Especially the programmability of the random oracle will be used in the following proofs and should be kept in mind.
|
||||
|
||||
\subsection{Algebraic Group Model (AGM)}
|
||||
|
||||
The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an oracle parameter. For example if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs the group element $\groupelement{C}$ and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$.
|
||||
The algebraic group model was introduced in 2018 by Fuchsbauer et al. \cite{C:FucKilLos18}. In the algebraic group model, all adversaries are modeled as being algebraic. This means that the adversary has to know a representation for each group element regarding all group elements the adversary received from the challenger. This representation has to be provided to the challenger for every group element the adversary outputs or inputs as an oracle parameter. For example, if the adversary receives the group elements $\groupelement{A}$ and $\groupelement{B}$ from the challenger and at one point outputs group element $\groupelement{C}$ the adversary also has to output a vector $\overset{\rightharpoonup}{c} = (c_1, c_2)$ which satisfies: $\groupelement{C} = c_1 \groupelement{A} + c_2 \groupelement{B}$. For the game proofs the group element $\groupelement{C}$ and its representation $\overset{\rightharpoonup}{c}$ is denoted as $\agmgroupelement{C}{c}$.
|
||||
|
||||
\subsection{Generic Group Model (GGM)}
|
||||
|
||||
Unlike the random oracle model or the algebraic group model the generic group model is not used to build reductions from one to another problem. It is rather used to get information theoretic lower bound on the complexity of generic adversaries against a certain problem. Generic algorithms are algorithms that only perform the defined group actions on group elements and do not exploit group specific representations of the element.
|
||||
Unlike the random oracle model or the algebraic group model the generic group model is not used to construct reductions from one problem to another. Rather, it is used to obtain an information-theoretic lower bound on the complexity of generic adversaries against a given problem. Generic algorithms are algorithms that perform only the defined group actions on group elements and do not exploit group-specific representations of the element.
|
||||
|
||||
The generic group model was first introduced by Shoup 1997 \cite{EC:Shoup97}. In this paper Shoup proved a information theoretic lower bound on the discrete logarithm problem. He archived that by replacing group elements by labels which are random bitstrings. This way he hid all group specific representations of the elements. Group actions are only able via oracles, which are provided to the adversary by the challenger. The only action the adversary can perform on its own is to compare elements for equality by comparing labels.
|
||||
The generic group model was first introduced by Shoup in 1997 \cite{EC:Shoup97}. In this paper, Shoup proved an information-theoretic lower bound for the discrete logarithm problem. He did that by replacing group elements with labels that are random bit strings. In this way he hid all group-specific representations of the elements. Group actions are only possible via oracles, which are provided to the adversary by the challenger. The only action the adversary can perform on its own is to compare elements for equality by comparing labels.
|
||||
|
||||
In 2005 Maurer proposed an alternative proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup.
|
||||
In 2005, Maurer proposed an alternative proposed an alternative definition of the generic group model \cite{IMA:Maurer05}. The proofs conducted in this thesis will use the generic group model as defined by Shoup.
|
||||
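Review bot: the duplicated phrase in the new version of the last paragraph, "In 2005, Maurer proposed an alternative proposed an alternative definition of the generic group model", survives this grammatical pass; drop the second "proposed an alternative" so the line reads "In 2005, Maurer proposed an alternative definition of the generic group model \cite{IMA:Maurer05}." Two smaller points in the same hunk: the ROM paragraph's new text changes "truly random function" to "true random function" while the next two paragraphs keep "truly random function", so "truly" is the consistent choice; and in the AGM paragraph, "the group element $\groupelement{C}$ and its representation $\overset{\rightharpoonup}{c}$ is denoted" has a plural subject and should read "are denoted". The German "%TODO: Kann man das so schreiben?" comment before the programmability sentence is also still in the source and should either be resolved or translated.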