52 Things: Number 28: What is the IND-CCA security definition for public key encryption?
52件事:第28件:公钥加密的IND-CCA安全定义是什么?
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know' to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. We discuss IND-CCA security for public key encryption.这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的52件事”做密码学:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。我们讨论了公钥加密的IND-CCA安全性。
IND-CCA security stands for Indistinguishable Chosen Ciphertext Attack. The idea behind it is that in a secure encryption scheme, given a ciphertext, an adversary should not be able to tell what message the given ciphertext encrypts. In this model, the adversary is allowed to call the encryption and decryption oracles both before and after steps 3 and 4 below. The find-then-guess security game for public key IND-CCA is the following.
IND-CCA安全性代表不可区分的选择密码文本攻击。其背后的想法是,在一个安全的加密方案中,给定一个密文,对手不应该知道给定的密文加密了什么消息。在该模型中,允许对手在以下步骤3和4之前和之后调用加密和解密预言机。公钥IND-CCA的发现然后猜测安全游戏如下。
1. Generate the public and secret keys (pk,sk). The adversary A has access to the public key pk
1.生成公钥和私钥 (pk,sk) 。对手A有权访问公钥 pk
2. Assign b←{0,1} privately
2.私配 b←{0,1}
3. A is allowed to query the decryption oracle Decsk and the encryption oracle Encpk
3.允许A查询解密预言机 Decsk 和加密预言机 Encpk
4. A then outputs a pair of messages (m0,m1)
4.A然后输出一对消息 (m0,m1)
5. We output the encryption c=Encpk(mb)
5.我们输出加密 c=Encpk(mb)
6. The adversary is allowed to enquire for more encryptions or decryptions, as in step 3, but he is not allowed to ask for the decryption of c
6.允许对手询问更多的加密或解密,如步骤3所示,但不允许他要求#0的解密#
7. A outputs b′∈{0,1}. A wins if b=b′
7.A输出 b′∈{0,1} 。如果#1,A获胜#
We say the advantage of A is Adv(A)=2∣Pr[A wins]−1/2∣. A scheme is said to be IND-CCA secure if the said advantage is negligible.
我们说A的优势是 Adv(A)=2∣Pr[A 赢得 ]−1/2∣ 。如果所述优点可忽略不计,则称方案是IND-CCA安全的。
There is a different version of IND-CCA, real-or-random, mentioned by Gareth in last week's post. The difference is at step 5 above, where instead of outputting the encryption of the message m A asks for every time, we output an encryption of a random m′ of length ∣m∣ if b=0, and an encryption of m otherwise. A must then distinguish if he is in the "real" or "random" world. Advantage and security are defined similarly.
加雷斯在上周的帖子中提到了IND-CCA的另一个版本,无论是真实的还是随机的。不同之处在于,在上面的步骤5中,不是每次输出消息 m A请求的加密,而是如果#3,则输出长度为#2的随机 m′ 的加密,否则输出#4的加密。然后,A必须区分他是在“真实”还是“随机”的世界中。优势和安全的定义相似。
The two definitions are equivalent in the sense that if a scheme is IND-CCA secure in the real-or-random sense against an adversary A, we can construct an adversary B for the find-and-guess such that both advantages are equal. Similarly, if a scheme is find-and-guess secure against an adversary A, we can construct an adversary B such that Advfind−and−guess(A)=2⋅Advreal−or−random(B).
这两个定义是等价的,因为如果一个方案在真实或随机意义上对对手a是IND-CCA安全的,我们可以为查找和猜测构建对手B,从而使两个优势相等。类似地,如果一个方案对对手a是发现和猜测安全的,我们可以构造对手B,使得 Advfind−and−guess(A)=2⋅Advreal−or−random(B) 。 标签:definition,What,加密,encryption,Things,IND,security,adversary,CCA From: https://www.cnblogs.com/3cH0-Nu1L/p/18107478