|
|
|
1 | (4) |
|
2 Notions, Definitions, and Models |
|
|
5 | (8) |
|
|
|
5 | (2) |
|
2.2 Public-Key Encryption |
|
|
7 | (2) |
|
2.3 Identity-Based Encryption |
|
|
9 | (2) |
|
|
|
11 | (2) |
|
3 Foundations of Group-Based Cryptography |
|
|
13 | (16) |
|
|
|
13 | (3) |
|
|
|
13 | (1) |
|
|
|
14 | (1) |
|
|
|
14 | (1) |
|
3.1.4 Computations over a Prime Field |
|
|
15 | (1) |
|
|
|
16 | (6) |
|
|
|
16 | (1) |
|
3.2.2 Cyclic Groups of Prime Order |
|
|
17 | (1) |
|
3.2.3 Group Exponentiations |
|
|
17 | (1) |
|
3.2.4 Discrete Logarithms |
|
|
18 | (1) |
|
3.2.5 Cyclic Groups from Finite Fields |
|
|
19 | (1) |
|
3.2.6 Group Choice 1: Multiplicative Groups |
|
|
19 | (1) |
|
3.2.7 Group Choice 2: Elliptic Curve Groups |
|
|
20 | (2) |
|
3.2.8 Computations over a Group |
|
|
22 | (1) |
|
|
|
22 | (3) |
|
|
|
23 | (1) |
|
|
|
24 | (1) |
|
3.3.3 Computations over a Pairing Group |
|
|
25 | (1) |
|
|
|
25 | (1) |
|
|
|
26 | (3) |
|
4 Foundations of Security Reduction |
|
|
29 | (118) |
|
4.1 Introduction to Basic Concepts |
|
|
29 | (8) |
|
4.1.1 Mathematical Primitives and Superstructures |
|
|
29 | (1) |
|
4.1.2 Mathematical Problems and Problem Instances |
|
|
30 | (1) |
|
4.1.3 Cryptography, Cryptosystems, and Schemes |
|
|
31 | (1) |
|
4.1.4 Algorithm Classification 1 |
|
|
31 | (1) |
|
4.1.5 Polynomial Time and Exponential Time |
|
|
32 | (1) |
|
4.1.6 Negligible and Non-negligible |
|
|
32 | (1) |
|
4.1.7 Insecure and Secure |
|
|
33 | (1) |
|
|
|
33 | (1) |
|
4.1.9 Algorithm Classification 2 |
|
|
34 | (1) |
|
4.1.10 Algorithms in Cryptography |
|
|
34 | (1) |
|
4.1.11 Hard Problems in Cryptography |
|
|
35 | (1) |
|
|
|
35 | (1) |
|
4.1.13 Hard Problems and Hardness Assumptions |
|
|
36 | (1) |
|
4.1.14 Security Reductions and Security Proofs |
|
|
36 | (1) |
|
4.2 An Overview of Easy/Hard Problems |
|
|
37 | (10) |
|
4.2.1 Computational Easy Problems |
|
|
37 | (5) |
|
4.2.2 Computational Hard Problems |
|
|
42 | (1) |
|
4.2.3 Decisional Easy Problems |
|
|
43 | (1) |
|
4.2.4 Decisional Hard Problems |
|
|
44 | (1) |
|
4.2.5 How to Prove New Hard Problems |
|
|
45 | (2) |
|
4.2.6 Weak Assumptions and Strong Assumptions |
|
|
47 | (1) |
|
4.3 An Overview of Security Reduction |
|
|
47 | (9) |
|
|
|
47 | (2) |
|
4.3.2 Weak Security Models and Strong Security Models |
|
|
49 | (1) |
|
|
|
49 | (1) |
|
4.3.4 Proof by Contradiction |
|
|
50 | (1) |
|
4.3.5 What Is Security Reduction? |
|
|
50 | (1) |
|
4.3.6 Real Scheme and Simulated Scheme |
|
|
51 | (1) |
|
4.3.7 Challenger and Simulator |
|
|
51 | (1) |
|
4.3.8 Real Attack and Simulation |
|
|
52 | (1) |
|
4.3.9 Attacks and Hard Problems |
|
|
52 | (1) |
|
4.3.10 Reduction Cost and Reduction Loss |
|
|
53 | (1) |
|
4.3.11 Loose Reduction and Tight Reduction |
|
|
53 | (1) |
|
4.3.12 Security Level Revisited |
|
|
54 | (1) |
|
4.3.13 Ideal Security Reduction |
|
|
55 | (1) |
|
4.4 An Overview of Correct Security Reduction |
|
|
56 | (5) |
|
4.4.1 What Should Bob Do? |
|
|
56 | (1) |
|
4.4.2 Understanding Security Reduction |
|
|
57 | (1) |
|
4.4.3 Successful Simulation and Indistinguishable Simulation |
|
|
57 | (1) |
|
4.4.4 Failed Attack and Successful Attack |
|
|
58 | (1) |
|
4.4.5 Useless Attack and Useful Attack |
|
|
59 | (1) |
|
4.4.6 Attack in Simulation |
|
|
59 | (1) |
|
4.4.7 Successful/Correct Security Reduction |
|
|
60 | (1) |
|
4.4.8 Components of a Security Proof |
|
|
60 | (1) |
|
4.5 An Overview of the Adversary |
|
|
61 | (8) |
|
4.5.1 Black-Box Adversary |
|
|
61 | (1) |
|
4.5.2 What Is an Adaptive Attack? |
|
|
61 | (1) |
|
4.5.3 Malicious Adversary |
|
|
62 | (1) |
|
4.5.4 The Adversary in a Toy Game |
|
|
63 | (1) |
|
4.5.5 Adversary's Successful Attack and Its Probability |
|
|
63 | (1) |
|
4.5.6 Adversary's Computational Ability |
|
|
64 | (1) |
|
4.5.7 The Adversary's Computational Ability in a Reduction |
|
|
64 | (2) |
|
4.5.8 The Adversary in a Reduction |
|
|
66 | (1) |
|
4.5.9 What the Adversary Knows |
|
|
66 | (1) |
|
4.5.10 What the Adversary Never Knows |
|
|
67 | (1) |
|
4.5.11 How to Distinguish the Given Scheme |
|
|
67 | (1) |
|
4.5.12 How to Generate a Useless Attack |
|
|
68 | (1) |
|
4.5.13 Summary of Adversary |
|
|
69 | (1) |
|
4.6 An Overview of Probability and Advantage |
|
|
69 | (6) |
|
4.6.1 Definitions of Probability |
|
|
69 | (2) |
|
4.6.2 Definitions of Advantage |
|
|
71 | (2) |
|
4.6.3 Malicious Adversary Revisited |
|
|
73 | (1) |
|
4.6.4 Adaptive Choice Revisited |
|
|
73 | (1) |
|
4.6.5 Useless, Useful, Loose, and Tight Revisited |
|
|
74 | (1) |
|
4.6.6 Important Probability Formulas |
|
|
74 | (1) |
|
4.7 An Overview of Random and Independent |
|
|
75 | (8) |
|
4.7.1 What Are Random and Independent? |
|
|
76 | (1) |
|
4.7.2 Randomness Simulation with a General Function |
|
|
76 | (3) |
|
4.7.3 Randomness Simulation with a Linear System |
|
|
79 | (2) |
|
4.7.4 Randomness Simulation with a Polynomial |
|
|
81 | (1) |
|
4.7.5 Indistinguishable Simulation and Useful Attack Together |
|
|
82 | (1) |
|
4.7.6 Advantage and Probability in Absolutely Hard Problems |
|
|
83 | (1) |
|
4.8 An Overview of Random Oracles |
|
|
83 | (6) |
|
4.8.1 Security Proof with Random Oracles |
|
|
84 | (1) |
|
4.8.2 Hash Functions vs Random Oracles |
|
|
84 | (1) |
|
|
|
85 | (1) |
|
4.8.4 How to Program Security Reductions with Random Oracles |
|
|
86 | (1) |
|
4.8.5 Oracle Response and Its Probability Analysis |
|
|
86 | (2) |
|
4.8.6 Summary of Using Random Oracles |
|
|
88 | (1) |
|
4.9 Security Proofs for Digital Signatures |
|
|
89 | (5) |
|
|
|
89 | (1) |
|
4.9.2 Advantage Calculation |
|
|
90 | (1) |
|
4.9.3 Simulatable and Reducible |
|
|
91 | (1) |
|
4.9.4 Simulation of Secret Key |
|
|
91 | (1) |
|
|
|
92 | (1) |
|
4.9.6 Tight Reduction and Loose Reduction Revisited |
|
|
92 | (1) |
|
4.9.7 Summary of Correct Security Reduction |
|
|
93 | (1) |
|
4.10 Security Proofs for Encryption Under Decisional Assumptions |
|
|
94 | (15) |
|
|
|
94 | (1) |
|
4.10.2 Classification of Ciphertexts |
|
|
95 | (1) |
|
4.10.3 Classification of the Challenge Ciphertext |
|
|
96 | (1) |
|
4.10.4 Simulation of the Challenge Ciphertext |
|
|
96 | (1) |
|
4.10.5 Advantage Calculation 1 |
|
|
97 | (1) |
|
4.10.6 Probability PT of Breaking the True Challenge Ciphertext |
|
|
98 | (1) |
|
4.10.7 Probability PF of Breaking the False Challenge Ciphertext |
|
|
98 | (1) |
|
4.10.8 Advantage Calculation 2 |
|
|
99 | (1) |
|
4.10.9 Definition of One-Time Pad |
|
|
100 | (1) |
|
4.10.10 Examples of One-Time Pad |
|
|
101 | (2) |
|
4.10.11 Analysis of One-Time Pad |
|
|
103 | (1) |
|
4.10.12 Simulation of Decryption |
|
|
103 | (1) |
|
4.10.13 Simulation of Challenge Decryption Key |
|
|
104 | (1) |
|
4.10.14 Probability Analysis for PF |
|
|
105 | (1) |
|
4.10.15 Examples of Advantage Results for AK/F and AI/F |
|
|
106 | (2) |
|
4.10.16 Advantage Calculation 3 |
|
|
108 | (1) |
|
4.10.17 Summary of Correct Security Reduction |
|
|
109 | (1) |
|
4.11 Security Proofs for Encryption Under Computational Assumptions |
|
|
109 | (10) |
|
4.11.1 Random and Independent Revisited |
|
|
109 | (1) |
|
4.11.2 One-Time Pad Revisited |
|
|
110 | (1) |
|
4.11.3 Solution to Hard Problem Revisited |
|
|
110 | (1) |
|
4.11.4 Simulation of Challenge Ciphertext |
|
|
111 | (1) |
|
|
|
112 | (1) |
|
4.11.6 Challenge Ciphertext and Challenge Hash Query |
|
|
113 | (1) |
|
4.11.7 Advantage Calculation |
|
|
114 | (1) |
|
4.11.8 Analysis of No Advantage |
|
|
115 | (1) |
|
4.11.9 Requirements of Decryption Simulation |
|
|
116 | (1) |
|
4.11.10 An Example of Decryption Simulation |
|
|
116 | (2) |
|
4.11.11 Summary of Correct Security Reduction |
|
|
118 | (1) |
|
4.12 Simulatable and Reducible with Random Oracles |
|
|
119 | (4) |
|
4.12.1 H-Type: Hashing to Group |
|
|
119 | (2) |
|
4.12.2 C-Type: Commutative |
|
|
121 | (1) |
|
4.12.3 I-Type: Inverse of Group Exponent |
|
|
122 | (1) |
|
4.13 Examples of Incorrect Security Reductions |
|
|
123 | (7) |
|
4.13.1 Example 1: Distinguishable |
|
|
124 | (2) |
|
4.13.2 Example 2: Useless Attack by Public Key |
|
|
126 | (2) |
|
4.13.3 Example 3: Useless Attack by Signature |
|
|
128 | (2) |
|
4.14 Examples of Correct Security Reductions |
|
|
130 | (9) |
|
4.14.1 One-Time Signature with Random Oracles |
|
|
130 | (3) |
|
4.14.2 One-Time Signature Without Random Oracles |
|
|
133 | (3) |
|
4.14.3 One-Time Signature with Indistinguishable Partition |
|
|
136 | (3) |
|
|
|
139 | (8) |
|
4.15.1 Concepts Related to Proof |
|
|
139 | (1) |
|
4.15.2 Preliminaries and Proof by Contradiction |
|
|
140 | (1) |
|
4.15.3 Security Reduction and Its Difficulty |
|
|
141 | (1) |
|
4.15.4 Simulation and Its Requirements |
|
|
142 | (2) |
|
4.15.5 Towards a Correct Security Reduction |
|
|
144 | (2) |
|
4.15.6 Other Confusing Concepts |
|
|
146 | (1) |
|
5 Digital Signatures with Random Oracles |
|
|
147 | (26) |
|
|
|
147 | (2) |
|
|
|
149 | (3) |
|
|
|
152 | (3) |
|
|
|
155 | (2) |
|
|
|
157 | (3) |
|
|
|
160 | (2) |
|
|
|
162 | (3) |
|
|
|
165 | (8) |
|
6 Digital Signatures Without Random Oracles |
|
|
173 | (20) |
|
|
|
173 | (4) |
|
|
|
177 | (3) |
|
|
|
180 | (5) |
|
|
|
185 | (4) |
|
6.5 Hohenberger-Waters Scheme |
|
|
189 | (4) |
|
7 Public-Key Encryption with Random Oracles |
|
|
193 | (16) |
|
7.1 Hashed ElGamal Scheme |
|
|
193 | (2) |
|
7.2 Twin Hashed ElGamal Scheme |
|
|
195 | (3) |
|
7.3 Iterated Hashed ElGamal Scheme |
|
|
198 | (4) |
|
7.4 Fujisaki-Okamoto Hashed ElGamal Scheme |
|
|
202 | (7) |
|
8 Public-Key Encryption Without Random Oracles |
|
|
209 | (6) |
|
|
|
209 | (2) |
|
|
|
211 | (4) |
|
9 Identity-Based Encryption with Random Oracles |
|
|
215 | (14) |
|
9.1 Boneh-Franklin Scheme |
|
|
215 | (3) |
|
|
|
218 | (3) |
|
|
|
221 | (3) |
|
9.4 Sakai-Kasahara Scheme |
|
|
224 | (5) |
|
10 Identity-Based Encryption Without Random Oracles |
|
|
229 | (20) |
|
|
|
229 | (4) |
|
|
|
233 | (4) |
|
|
|
237 | (5) |
|
|
|
242 | (7) |
| References |
|
249 | |
