provable security · – x xe mod n easy (cubic) – y=xe mod n x difficult (without p or q) x = yd...
TRANSCRIPT
David PointchevalLIENS-CNRSEcole normale supérieure
Provable SecurityIntroduction
UCL - Louvain-la-Neuve
Monday, July 8th, 2002
Provable Security - Introduction - 2David Pointcheval
SummarySummary
• Introduction• Asymmetric Cryptography• Computational Assumptions• Security Proofs• Encryption and Signature• New Assumptions• New Formalism
Provable Security - Introduction - 3David Pointcheval
SummarySummary
• Introduction• Asymmetric Cryptography• Computational Assumptions• Security Proofs• Encryption and Signature• New Assumptions• New Formalism
Provable Security - Introduction - 4David Pointcheval
Cryptography: 3 GoalsCryptography: 3 Goals
• Integrity:Messages have not been altered
• Authenticity:Message - sender relation
• Secrecy:Message unknown to anybody else
Provable Security - Introduction - 5David Pointcheval
IntegrityIntegrity
To be sure that a messagehas not been modified(accidentally but intentionally too!)
Provable Security - Introduction - 6David Pointcheval
Authentication (1)Authentication (1)
Interactively prove his identity
Provable Security - Introduction - 7David Pointcheval
Authentication (2)Authentication (2)
• Non-interactively prove his identityas the sender of a message
• If this proof can even convincea third party: signature
Provable Security - Introduction - 8David Pointcheval
SecrecySecrecy
• Store a document
• Send a message
so that nobody else can learnany information about it
Provable Security - Introduction - 9David Pointcheval
Cryptography: 3 PeriodsCryptography: 3 Periods
• Ancient period: until 1918• Technical period: from 1919 until 1975• Paradoxical period : from 1976 until
Provable Security - Introduction - 10David Pointcheval
Ancient PeriodAncient Period
Substitutions and permutations
Security =Secrecy of the Mechanisms
Alberti’scipher disk
Jefferson’s wheel cipher
Provable Security - Introduction - 11David Pointcheval
Technical PeriodTechnical Period
Cipher Machines
Automatismof permutationsand substitutions
EnigmaBut no proof
of better security!
Provable Security - Introduction - 12David Pointcheval
Paradoxical PeriodParadoxical Period
• Symmetric Cryptography• Asymmetric Cryptography
One-way Functions
⇒ Security Proofs
Provable Security - Introduction - 13David Pointcheval
Kerckhoffs’Kerckhoffs’ Principles Principles
In 1883, in “La Cryptographie Militaire”Kerckhoffs wrote:
• the system should be, if not theoreticallyunbreakable, unbreakable in practice
• compromise of the system should notinconvenience the correspondents
• the key should be rememberable withoutnotes and should be easily changeable
• etc …
Provable Security - Introduction - 14David Pointcheval
Symmetric EncryptionSymmetric Encryption
kk
� �m c m
Encryption Algorithm, �Decryption Algorithm, �
Security = secrecy: impossible to recover m from c only (without k)
Security : heuristic
Provable Security - Introduction - 15David Pointcheval
SummarySummary
• Introduction• Asymmetric Cryptography• Computational Assumptions• Security Proofs• Encryption and Signature• New Assumptions• New Formalism
Provable Security - Introduction - 16David Pointcheval
Two Keys…Two Keys…
AsymmetricCryptography
Diffie-Hellman 1976
– A private key (decryption kd)to help him to decrypt
Alice Bobsecrecy
authenticity
Asymmetric Encryption:Bob owns two “keys”
– A public key (encryption ke)so that anybody can encrypt
a message for him⇒ known by everybody
(included Alice)
⇒ known by Bob only
Provable Security - Introduction - 17David Pointcheval
Encryption / decryptionEncryption / decryptionattackattackGranted Bob’s public key,
Alice can lock the safe,with the message inside
(encrypt the message)
Alice sends the safe to Bobno one can unlock it(impossible to break)
Excepted Bob,granted his private key(Bob can decrypt)
Provable Security - Introduction - 18David Pointcheval
Encryption SchemeEncryption Scheme
3 algorithms :• - key generation• - encryption• - decryption
(ke,kd)ω
kdke
rc mm
Provable Security - Introduction - 19David Pointcheval
Conditional SecrecyConditional Secrecy
The ciphertext comes from c = �ke(m;r)
• The encryption key ke is public
• A unique m satisfies the relation(with possibly several r)
Algorithmic assumptions
At least exhaustive search on m and rcan lead to m, maybe a better attack!
⇒ unconditional secrecy impossible
Provable Security - Introduction - 20David Pointcheval
SummarySummary
• Introduction• Asymmetric Cryptography• Computational Assumptions• Security Proofs• Encryption and Signature• New Assumptions• New Formalism
Provable Security - Introduction - 21David Pointcheval
encryptiondifficult
to break decryption
Integer Factoring and RSAInteger Factoring and RSA
• Multiplication/Factorization :– p, q � n = p.q easy (quadratic)– n = p.q � p, q difficult (super-polynomial)
One-WayFunction
trapdoorkey
���������
• RSA Function, from n in n (with n=pq)for a fixed exponent e Rivest-Shamir-Adleman 1978
– x � xe mod n easy (cubic)
– y=xe mod n � x difficult (without p or q)x = yd mod n where d = e-1 mod ϕ(n)
Provable Security - Introduction - 22David Pointcheval
The RSA ProblemsThe RSA Problems
• Let n=pq where p and q are large primes• The RSA problem: for a fixed exponent e
[ ]xynxy e
yen
n
===∈
)(modPr)(Succ rsa, ��
��
• The Flexible RSA problem:
[ ]),()(modPr)(Succ rsa-fl exynxy e
yn
n
===∈
����
with the restriction for e to be prime
Provable Security - Introduction - 23David Pointcheval
The Discrete LogarithmThe Discrete Logarithm
• Let � = (<g>, ×) be any finite cyclic group• For any y∈�, one defines
Logg(y) = min{ x ≥ 0 | y = gx}• One-way function
– x → y = gx easy (cubic)– y = gx → x difficult (super-polynomial)
[ ]x
xg gyxy
q
===∈
)(Pr)(Succdl��
�
Provable Security - Introduction - 24David Pointcheval
Any Trapdoor …?Any Trapdoor …?
• The Discrete Logarithm is difficultand no information could help!
• The Diffie-Hellman Problem (1976):
• Given A=ga and B=gb
• Compute DH(A,B) = C=gab
Clearly CDH ≤ DL: with a=LoggA, C=Ba
[ ]abba
bag gCgBgACBA
q
=====∈
,,),(Pr)(Succ,
cdh��
�
Provable Security - Introduction - 25David Pointcheval
Another DL-based ProblemAnother DL-based Problem
The Decisional Diffie-Hellman Problem:
• Given A, B and C in <g>
• Decide whether C = DH(A,B)
Clearly DDH ≤ CDH ≤ DL
[ ][ ] ,,1),,(Pr
,,1),,(Pr)(Adv
,
,,ddhabba
ba
cba
cba
ggCgBgACBA
gCgBgACBA
q
q
====−
=====
∈
∈
�
�
��
�
Provable Security - Introduction - 26David Pointcheval
RecordAug 1999
20115681921491044096111662048803510245813512
Operations(en log2)
Mips-Year(log2)
Modulus(bits)
Complexity EstimatesComplexity Estimates
Estimates for integer factoring Lenstra-Verheul 2000
Can be used for RSA tooLower-bounds for DL in *
p�
Mile-stone
Provable Security - Introduction - 27David Pointcheval
SummarySummary
• Introduction• Asymmetric Cryptography• Computational Assumptions• Security Proofs• Encryption and Signature• New Assumptions• New Formalism
Provable Security - Introduction - 28David Pointcheval
Algorithmic AssumptionsAlgorithmic Assumptionsnecessarynecessary
• n=pq : public moduluse : public exponent
• d=e-1 mod ϕ(n) : private
RSA Encryption(m) = me mod n
(c) = cd mod n
If the RSA problem is easy,secrecy is not satisfied:anybody may recover m from c
Provable Security - Introduction - 29David Pointcheval
Algorithmic AssumptionsAlgorithmic Assumptionssufficient?sufficient?
Security proofs give the guarantee thatthe assumption is enough for secrecy:
• if an adversary can break the secrecy• one can break the assumption
⇒ “reductionist” proof
Provable Security - Introduction - 30David Pointcheval
Proof by ReductionProof by Reduction
Reduction of a problem ��to an attack Atk:
• Let be an adversary that breaks the scheme
Instance� of �
� intractable ⇒ scheme unbreakable
Solutionof �
then can be used to solve �
Provable Security - Introduction - 31David Pointcheval
Provably Secure SchemeProvably Secure Scheme
To prove the security of a cryptographicscheme, one has to make precise
• the algorithmic assumptions• the security notions to be guaranteed• a reduction:
an adversary can helpto break the assumption
Provable Security - Introduction - 32David Pointcheval
Practical SecurityPractical Security
• Complexity theory: T polynomial• Exact Security: T explicit• Practical Security: T small (linear)Eg : t’ = 4t
intractable within less than 280 operations⇒ scheme unbreakable
within less than 278 operations
Adversarywithin t
Algorithmagainst
within t’ = T (t)
Provable Security - Introduction - 33David Pointcheval
Security NotionsSecurity Notions
According to the needs, one defines• the goals of an adversary• the means of an adversary,
i.e. the available information
Provable Security - Introduction - 34David Pointcheval
SummarySummary
• Introduction• Asymmetric Cryptography• Computational Assumptions• Security Proofs• Encryption and Signature• New Assumptions• New Formalism
Provable Security - Introduction - 35David Pointcheval
Asymmetric EncryptionAsymmetric Encryption
• Formal Security Model• Examples• Provable Security
Provable Security - Introduction - 36David Pointcheval
Asymmetric EncryptionAsymmetric Encryption
• Formal Security Model• Examples• Provable Security
Provable Security - Introduction - 37David Pointcheval
Asymmetric EncryptionAsymmetric Encryption
kdke
� �m c m
Security = secrecy: impossibleto recover m from public information(i.e from c, but without kd)
• Encryption Algorithm, �• Decryption Algorithm, �
Provable Security - Introduction - 38David Pointcheval
Basic SecrecyBasic Secrecy
• One-Wayness (OW) :without the private key, it is computationally
impossible to recover the plaintext
[ ])(),(Pr)(Succ,
m;rcmcrm
ow === ek
Not enough if one already has someinformation about m :
• “Subject: XXXXX”
• “My answer is XXX” (XXX = Yes/No)
Provable Security - Introduction - 39David Pointcheval
Strong SecrecyStrong Secrecy
• Semantic Security (IND - Indistinguishability) :GM 1984
the ciphertext reveals no more informationabout the plaintext to a polynomial adversary
1Pr2 ),(
)(),,(),,,( 110
102,
−
←←
=rmc
smmbscmm
bbr
ek
=)(Advind
Provable Security - Introduction - 40David Pointcheval
Non-MalleabilityNon-Malleability
• Non-Malleability (NM):DDN 1991
No polynomial adversary can derive, from aciphertext c= (m;r), a second one c’= (m’ ;r’ )so that the plaintexts m and m’ are meaningfullyrelated
non-malleability⇓
semantic security⇓
one-wayness
Provable Security - Introduction - 41David Pointcheval
Basic AttacksBasic Attacks
• Chosen-Plaintext Attacks (CPA)In public-key cryptography setting,
the adversary can encrypt any messageof his choice, granted the public key
⇒ the basic attack
Provable Security - Introduction - 42David Pointcheval
Improved AttacksImproved Attacks
• More information: oracle access– reaction attacks
oracle which answers, on c,whether the ciphertext c is valid or not
– plaintext-checking attacksoracle which answers, on a pair (m,c),whether the plaintext m is reallyencrypted in c or not (whether m = (c))
Provable Security - Introduction - 43David Pointcheval
StrongStrong Attacks Attacks
• Chosen-Ciphertext Attacks (CCA)The adversary has access to the strongest oracle:
the decryption oracle (with the natural restrictionnot to use it on the challenge ciphertext)
The adversary can obtain the plaintext of anyciphertext of his choice (excepted the challenge)
– non-adaptive (CCA1) NY 1990
only before receiving the challenge– adaptive (CCA2) RS 1991
unlimited oracle access
Provable Security - Introduction - 44David Pointcheval
RelationsRelations BDPR C-1998BDPR C-1998
Implications and separations
NM-CPA ⇐ NM-CCA1 ⇐ NM-CCA2⇓ ⇓
IND-CPA ⇐ IND-CCA1⇐ IND-CCA2
strong security: CCA
minimalsecurity
weak security
⇓OW-CPA
Provable Security - Introduction - 45David Pointcheval
Asymmetric EncryptionAsymmetric Encryption
• Formal Security Model• Examples• Provable Security
Provable Security - Introduction - 46David Pointcheval
RSA EncryptionRSA Encryption
• n = pq, product of large primes
• e, relatively prime to ϕ(n) = (p-1)(q-1)
• n, e : public key• d = e-1 mod ϕ(n) : private key
nmm e mod)( = ncc d mod)( =
OW-CPA = RSA problem
Nothing to prove = definition
Provable Security - Introduction - 47David Pointcheval
• = (<g>, ×) group of order q• x : private key• y=gx : public key
),(),();( dcmygam aa →= xcddc /),( =
OW-CPA = CDH AssumptionIND-CPA = DDH Assumption
To be proven to see the restrictions
ElEl Gamal Gamal Encryption Encryption
Provable Security - Introduction - 48David Pointcheval
Asymmetric EncryptionAsymmetric Encryption
• Formal Security Model• Examples• Provable Security
Provable Security - Introduction - 49David Pointcheval
� is given as input � = (<g>, ×) and (A,B)• y ← A and c ← B• choose a random value d : � (y,(c,d)) → m• output d/m If m is correct, DH(A,B)=d/m
Succcdh (�) = Succow(� )
),(),();( dcmygam aa →=�xcddc /),( =�
[ ])(),()),(,(Pr)(Succ,
m;adcmdcyrm
ow�=== ��
ElEl Gamal Gamal: OW-CPA: OW-CPA
Provable Security - Introduction - 50David Pointcheval
� is given as input�� = (<g>, ×) and (A, B, C)• y ← A and c ← B: � � (y) → (m0, m1)• b ∈{0,1} and d ← C mb: � 2(c,d) → b’• output β = (b=b’ )
Let us assume that m0, m1 ∈ �:– If C=DH(A,B), Pr[b=b’ ] = Pr[ � (c,d) = b]– If C≠DH(A,B), Pr[b=b’ ] = 1/2
ElEl Gamal Gamal: IND-CPA: IND-CPA
1Pr2)(Adv );(),(
)(),,( )),,(,,( 110
102,
−=
←←
=amdc
ysmmbsdcmmind
bba �
���
Provable Security - Introduction - 51David Pointcheval
If the messages are encoded into :– If C=DH(A,B), Pr[b=b’ ] = Pr[�(c,d) = b]– If C≠DH(A,B), Pr[b=b’ ] = 1/2
ElEl Gamal Gamal: IND-CPA (: IND-CPA (Cnt’dCnt’d))
[ ][ ] [ ][ ] [ ][ ] [ ]0 1'Pr1 1'Pr
0 'Pr1 'Pr
10 'Pr1 'Pr
1'Pr2)(Adv
==−====≠−===
−==+===−==
bbbb
bbbbbb
bbbbbb
bb�
[ ] [ ][ ] )(Adv
2
1
2
1 'Pr
),(CDH 1Pr),(CDH 1Pr)(Advddh
�
�
indbb
BACBAC
=−==
≠=−===
Thus,Advind(t) ≤ 2 Advddh (t’ )
Provable Security - Introduction - 52David Pointcheval
Signature SchemesSignature Schemes
• Formal Security Model• Examples
Provable Security - Introduction - 53David Pointcheval
Signature SchemesSignature Schemes
• Formal Security Model• Examples
Provable Security - Introduction - 54David Pointcheval
AuthenticationAuthentication
• Signature Algorithm, �• Verification Algorithm, �
kvks
��
m σ0/1
m
Security: impossible to forgea valid σ without ks
Provable Security - Introduction - 55David Pointcheval
Basic GoalBasic Goal
• Existential Forgery:without the private key,
it is computationally impossible to forgea valid message-signature pair
[ ]),()(1),(Pr)(Succ mmef === vk
Provable Security - Introduction - 56David Pointcheval
Basic AttacksBasic Attacks
• No-Message AttacksIn the public-key cryptography setting,
the adversary knows the verification key,and can thus verify any signature
• Known-Message Attacks (KMA)Message-signature pairs are aimed
to be published: the adversary has thusaccess to a list of message-signature pairs
⇒ the basic attack
Provable Security - Introduction - 57David Pointcheval
Chosen-Message AttacksChosen-Message Attacks
• Chosen-Message Attacks (CMA)In the list of message-signature pairs,
the messages are adaptively chosenby the adversary
⇒ the strongest attack
Provable Security - Introduction - 58David Pointcheval
Probabilistic SignaturesProbabilistic Signatures
• With probabilistic schemes,several signatures may be associatedto a given message
• Existential Forgery: produce a signature σfor a new message m (not in the list Λ)
• Malleability: produce a new pair (m,σ)∉Λ maybe for an already signed message
((m,σ’) is in Λ for some σ’ ≠ σ)Non-malleability
⇒ resistance to existential forgeries
Provable Security - Introduction - 59David Pointcheval
Probabilistic Signatures (Probabilistic Signatures (Cnt’dCnt’d))
• Chosen-Message Attacks (CMA)the adversary can ask any message of his
choice, maybe the same several times(this may give more information
with probabilistic schemes)
• Single-OccurrenceChosen-Message Attacks (SO-CMA)
each message can be asked at most once
Provable Security - Introduction - 60David Pointcheval
Signature SchemesSignature Schemes
• Formal Security Model• Examples
Provable Security - Introduction - 61David Pointcheval
RSA SignatureRSA Signature
• n = pq, product of large primes
• e, relatively prime to ϕ(n) = (p-1)(q-1)
• n, e : public key• d = e-1 mod ϕ(n) : private key
)mod(),(?
nmm e ==�nmm d mod)( =�
Existential Forgery = easy!
Provable Security - Introduction - 62David Pointcheval
GHR SignatureGHR Signature
• n = pq, product of large primes• y ∈ n
*
• n, y : public key• p,q or ϕ(n) : private key
)mod()(?
nyxm,e,x e ==)mod,()( nyem d=
If p function from into primes
Existential Forgery = Flexible RSA Problem
p, functione=p(m)d=e-1 mod ϕ(n)
Provable Security - Introduction - 63David Pointcheval
SummarySummary
• Introduction• Asymmetric Cryptography• Computational Assumptions• Security Proofs• Encryption and Signature• New Assumptions• New Formalism
Provable Security - Introduction - 64David Pointcheval
Strong Security NotionsStrong Security Notions
Signature: difficult to obtain securityagainst existential forgeries
Encryption: difficult to reach CCA securityMaybe possible, but with inefficient schemesInefficient schemes are unuseful in practice:
Everybody wants security,but only if it is transparent
Provable Security - Introduction - 65David Pointcheval
Ideal ModelsIdeal Models
⇒ one makes some ideal assumptions:– ideal random hash function:
random oracle model
– ideal symmetric encryption:ideal cipher model
– ideal group:generic model (generic adversaries)
Provable Security - Introduction - 66David Pointcheval
The Random Oracle ModelThe Random Oracle Model
• Introduced by Bellare-Rogaway ACM-CCS ‘93
• The most admitted model• It consists in considering some functions
as perfectly random functions,or replacing them by random oracles:
– each new query is returned a random answer– a same query asked twice receives twice
the same answer
Provable Security - Introduction - 67David Pointcheval
Modeling a Random OracleModeling a Random Oracle
A usual way to model a random oracle His to maintain a list ΛH which containsall the query-answers (x,ρ):
• ΛH is initially set to an empty list• A query x to H is answered the following way
– if for some ρ, (x,ρ) ∈ ΛH, ρ is returned– otherwise,
sa random ρ is drawn from the appropriate ranges(x,ρ) is appended to ΛH
sρ is returned
Provable Security - Introduction - 68David Pointcheval
The Generic ModelThe Generic Model
• It consists in considering the underlyinggroup as a generic one: (�,+) ≈ (� q,+)
• But the adversary has accessto the encoding of elements: �(Q)
• If one assumes that � = <P>,we define σ(x) = �(x.P)
σ(x ± y) = �((x ± y).P) = �(x.P ± y.P)
• Generic group: the encoding is random
Provable Security - Introduction - 69David Pointcheval
Modeling a Generic GroupModeling a Generic GroupA usual way to model a generic group is to
maintain a list Λ which contains all (x, σ(x)):• Λ is initially set to ((1, σ(1)), (x, σ(x))): P and Y• A query σ1 ± σ2 to the group law is answered:
– First, because of the randomness of the encoding,there exist x1, x2, such that (x1, σ1), (x2, σ2) ∈ Λ
– If (x1 ± x2, σ) ∈ Λ for some σ, σ is returned– otherwise,
sa new random σ is drawns(x1 ± x2, σ) is appended to Λsσ is returned
Provable Security - Introduction - 70David Pointcheval
Proofs in the Generic ModelProofs in the Generic Model
• Λ ← ((P1, σ1), (P2, σ2)):– (P1, σ1) = (1, σ1) encodes P, the generator– (P2, σ2) = (X, σ2) encodes Y, a random point
(Y = x.P),thus x is replaced by the unknown X
• For a query σi ± σj, one looks for(Pi, σi), (Pj, σj) ∈ Λ
– If (Pi ± Pj, σ) ∈ Λ for some σ, σ is returned
– Otherwise, Pk = Pi ± Pj, a new σ is drawn
(Pk, σ) is appended to Λ and σ is returned
Provable Security - Introduction - 71David Pointcheval
Bad SimulationBad Simulation
• Λ ← ((P1 = 1, σ1), (P2 = X, σ2)): (P, Y = x.P)• For a query σi ± σj, one looks for
(Pi, σi), (Pj, σj) ∈ Λ– If (Pi ± Pj, σ) ∈ Λ for some σ, it is returned
– Otherwise, Pk = Pi ± Pj, a new σ is drawn
A problem arises if P ≠ P’ while P(x) = P’ (x)
But Q = P - P’ ≠ 0 is affine,then Pr[Q(x) = 0] ≤ 1/q
Provable Security - Introduction - 72David Pointcheval
Bad Simulation (Bad Simulation (Cnt’dCnt’d))
• After n queries to the group law oracle,at most n+2 polynomials have been defined.
• The probability that a problem arisesis less than (n+1)(n+2)/2q
Provable Security - Introduction - 73David Pointcheval
SummarySummary
• Introduction• Asymmetric Cryptography• Computational Assumptions• Security Proofs• Encryption and Signature• New Assumptions• New Formalism
Provable Security - Introduction - 74David Pointcheval
ReductionReduction
Several problems 1, 2, 3, ... may be reducedto a given attack Atk:
• Let be an adversary that breaks the scheme,with probability ε on a probability space,defined by the internal coins, the externalones, the keys and the random oracles.
• We successively modify the probability space
Provable Security - Introduction - 75David Pointcheval
ModificationsModifications
The modifications of the probability space mayimpact the success probability: ε = Pr[S]
• probability space unchanged⇒ the success probability is unchanged
• unchanged unless a bad event E happens– S is independent of E: ε’ ≥ ε × Pr[¬E]
ε’ = Pr[S’ ] = Pr[S’ ∧ E] + Pr[S’ ∧ ¬E]≥ Pr[S’ ∧ ¬E] = Pr[S’ | ¬E] Pr[¬E]≥ Pr[S] Pr[¬E] = ε × Pr[¬E]
Provable Security - Introduction - 76David Pointcheval
Shoup’sShoup’s Lemma Lemma
The modifications of the probability space mayimpact the success probability: ε = Pr[S]
• unchanged unless a bad event E happens– S is not independent of E: | ε’ - ε | ≤ Pr[E]
| ε’ - ε | = | Pr[S’ ] - Pr[S] |= | Pr[S’ ∧E] + Pr[S’ ∧¬E]
- Pr[S’ ∧E] - Pr[S’ ∧¬E] |= | Pr[S’ | E] Pr[E] + Pr[S’ | ¬E] Pr[¬E]
- Pr[S| E] Pr[E] - Pr[S| ¬E] Pr[¬E] |= | Pr[S’ | E] - Pr[S| E] | × Pr[E] ≤ Pr[E]
Provable Security - Introduction - 77David Pointcheval
We thus define a sequence of games:• Game 0 - the original attack - Pr[S0] = ε• Game 1 - relation between Pr[S0] and Pr[S1]
�
• Game i: which differs from Game i-1only if event E happens
Event E happens = problem � is broken⇒ Pr[E] ≤ Succ�(t’ )
where t’ is the running time of Game i⇒ relation between Pr[Si-1], Pr[Si], Succ�(t’ )
GamesGames
Provable Security - Introduction - 78David Pointcheval
• Game n: the success probability is easyto determine
typically: Pr[Sn] = 0 or Pr[Sn] = 1/2or also Pr[Sn] ≤ q/2k
⇒ one gets an upper-bound on ε = Pr[S0]
Final GameFinal Game
Provable Security - Introduction - 79David Pointcheval
• Such a kind of proof clearly points outcrucial points: the bad events to cancel
• The proof is easy to check/follow
ConclusionConclusion