52 Things: Number 31: Game Hopping Proof
52件事:数字31:游戏跳跃证明
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. In this post we give an example of a proof that uses the 'game hopping' technique.这是一系列博客文章中的最新一篇,旨在解决“每个博士生在做密码学时应该知道的52件事”:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。在这篇文章中,我们给出了一个使用“游戏跳跃”技术的证明例子。
Note, this blog post is based on Section 3.3 of 'An Introduction to Provable Security' by Douglas Stebila, downloadable via this link.
请注意,这篇博客文章基于Douglas Stebila的“可验证安全简介”第3.3节,可通过此链接下载。
Recall the definition of IND-CCA security for a public key encryption scheme, described by Ana here. If one removes the decryption oracle from the adversary, we obtain the IND-CPA (indistinguishability under chosen-plaintext attacks) security notion. Note that removing the encryption oracle does not change the adversary's view since it holds the public key and can therefore produce its own encryptions.
回想一下Ana在这里描述的公钥加密方案的IND-CCA安全性的定义。如果从对手那里移除解密预言符,我们就获得了IND-CPA(在选择的明文攻击下的不可区分性)安全概念。请注意,删除加密预言机不会改变对手的观点,因为它持有公钥,因此可以产生自己的加密。 In an earlier blog post, we described the Decisional Diffie-Hellman (DDH) problem. In this post, we are going to use a technique called 'game hopping' to show that the ElGamal encryption scheme is IND-CPA secure if DDH is hard. Loosely speaking, we will transform the IND-CPA game against ElGamal into a game against DDH and show that an adversary's advantage in the first game cannot be more than their advantage in the second. So if their advantage in the second game is negligible (which is the assumption that DDH is hard), the advantage in the first game must also be negligible (showing that the encryption scheme is IND-CPA secure).
在之前的一篇博客文章中,我们描述了决策Diffie-Hellman(DDH)问题。在这篇文章中,我们将使用一种名为“游戏跳跃”的技术来表明,如果DDH很难,ElGamal加密方案是IND-CPA安全的。不严格地说,我们将把IND-CPA与ElGamal的比赛转变为与DDH的比赛,并表明对手在第一场比赛中的优势不能超过他们在第二场比赛的优势。因此,如果他们在第二场比赛中的优势可以忽略不计(这是假设DDH是硬的),那么第一场比赛的优势也必须是可以忽略不计的(表明加密方案是IND-CPA安全的)。 Firstly, let's describe the ElGamal scheme. We work in a cyclic group G of prime order q with generator g. (Implicitly the selection of the group depends on a security parameter λ and when we say that a quantity is negligible, we mean a negligible function of λ, but we'll omit those details here.) Plaintexts and ciphertexts are group elements. The private key is a secret exponent x∈Zq and the public key is X=gx. To encrypt a message M∈G, one selects an exponent y∈Zq uniformly at random, computes c1=gy, c2=MXy and the ciphertext is the pair (c1,c2). To decrypt, notice that c2=MXy=M(gx)y=M(gy)x=Mcx1 so, with the private key x we just compute M=c2c−x1.
首先,让我们来描述ElGamal方案。我们在素数阶为 q 的循环群 G 中与生成器 g 一起工作。(隐含地说,组的选择取决于安全参数 λ ,当我们说一个量可以忽略不计时,我们指的是#4的一个可以忽略不计的函数,但我们在这里省略这些细节。)明文和密文是组元素。私钥是秘密指数 x∈Zq ,公钥是 X=gx 。为了加密消息 M∈G ,随机均匀地选择指数 y∈Zq ,计算 c1=gy 、 c2=MXy ,并且密文是对 (c1,c2) 。要解密,请注意 c2=MXy=M(gx)y=M(gy)x=Mcx1 ,因此,使用私钥 x ,我们只计算 M=c2c−x1 。 Now consider the following game Game0 played by a PPT adversary A.
现在考虑下面由PPT对手 A 玩的游戏 Game0 。
- x←$Zq,X←gx (generate the public, private key pair)
x←$Zq,X←gx (生成公钥、私钥对) - (M0,M1)←$A(X) (the adversary, in possession of the public key, produces a pair of challenge messages, possibly using a randomised process)
(M0,M1)←$A(X) (拥有公钥的对手可能使用随机过程生成一对挑战消息) - b←${0,1} (a random bit is chosen)
b←${0,1} (随机选择一位) - y←$Zq,c1←gy,Z←Xy,c2←MbZ (an encryption of message b is produced)
y←$Zq,c1←gy,Z←Xy,c2←MbZ (生成对消息 b 的加密) - b′←$A(c1,c2) (the adversary, in possession of the ciphertext, produces a bit, possibly using a randomised process)
b′←$A(c1,c2) (拥有密文的对手可能使用随机过程产生一个比特) - if b=b′ then return 1, else return 0.
如果 b=b′ ,则返回1,否则返回0。
如果游戏返回1,我们说 A 赢得 Game0 。根据Ana博客中的定义,应该清楚的是,#2相对于ElGamal的IND-CPA安全性(参数为#3、#4和 g )的优势是 2|Pr[AwinsGame0]−1/2| (1)。 Next, consider a new game Game1. This game is exactly as above, except that in Step 4, we replace the command
接下来,考虑一个新游戏 Game1 。这个游戏和上面完全一样,只是在步骤4中,我们替换了命令 Z←Xy by z←$Zq,Z←gz. So the new ciphertext is (c1,c2)=(gy,Mbgz) instead of (c1,c2)=(gy,Mbgxy).
所以新的密文是 (c1,c2)=(gy,Mbgz) 而不是 (c1,c2)=(gy,Mbgxy) 。 Again we say A wins this game if it returns 1. What is the probability that this happens? Note that Z is now a totally random group element by the randomness of z∈Zq. So c2 is also a random group element, independent of X, c1 and b. So the adversary gains no information about b from (c1,c2), meaning it outputs the correct bit and wins the game with probability exactly 1/2 (2).
我们再说一次,如果它返回1, A 将赢得这场比赛。发生这种情况的可能性有多大?注意, Z 现在是一个完全随机的组元素,其随机性为 z∈Zq 。所以#3也是一个随机群元素,独立于#4、 c1 和 b 。因此,对手没有从 (c1,c2) 中获得关于 b 的信息,这意味着它输出了正确的比特,并以恰好1/2(2)的概率赢得了游戏。 Now we bound the difference in probability for an adversary to win each of the games. Since the only difference in the two games is that the group element gxy is replaced by a random group element gz, it is easy to see how this relates to the DDH problem, where an adversary must distinguish between the triples (gx,gy,gxy) and (gx,gy,gz) for a random exponent z∈Zq. To make the link between the games precise, we use the adversary A to build an adversary B against DDH as follows:
现在我们确定了对手赢得每一场比赛的概率差异。由于这两个游戏中唯一的区别是组元素 gxy 被随机组元素 gz 取代,因此很容易看出这与DDH问题有何关系,其中对手必须区分随机指数#4的三元组#2和#3。为了使游戏之间的联系更加精确,我们使用对手 A 来构建一个对抗DDH的对手 B ,如下所示:
- On input (X,Y,Z), run A on input X to receive a challenge pair (M0,M1)
在输入 (X,Y,Z) 上,在输入#2上运行 A 以接收挑战对 (M0,M1) - Select a bit b uniformly at random and compute mbZ
随机均匀选择一个比特 b 并计算 mbZ - Give the 'ciphertext' (Y,mbZ) to the A and receive a bit b′
将“密文” (Y,mbZ) 提供给 A ,并接收比特 b′ - If b=b′, guess that Z=gxy and return 1, else guess Z is random so return 0.
如果 b=b′ ,则猜测 Z=gxy 并返回1,否则猜测 Z 是随机的,则返回0。
如果 B 被给予真实的Diffie-Hellman三元组 (gx,gy,gxy) ,则上述是#2玩#3的完美模拟,并且如果#4被给予伪三元组 (gx,gy,gz) ,则其是 A 玩 Game1 的完美模拟。因此, A 赢得 Game0 和 A 赢得 Game1 的概率之间的差正是 B 在输入 (gx,gy,gxy) 上输出1和在输入 (gx,gy,gz) 上输出1的概率之间之差,这正是 B 对抗DDH的优势。 Combining the above with facts (1) and (2) (and using the triangle inequality to take care of the modulus signs), we can easily obtain that the advantage of A against the IND-CPA security of ElGamal is no greater than the advantage of B against DDH. So if DDH is hard for all polynomial time adversaries (meaning their advantage is negligible), ElGamal must be IND-CPA secure.
将以上内容与事实(1)和(2)相结合(并使用三角不等式来处理模符号),我们可以很容易地获得 A 对抗ElGamal的IND-CPA安全性的优势不大于 B 对抗DDH的优势。因此,如果DDH对所有多项式时间的对手都很难(意味着他们的优势可以忽略不计),那么ElGamal必须是IND-CPA安全的。 标签:Hopping,Things,31,gy,gx,DDH,IND,c2,c1 From: https://www.cnblogs.com/3cH0-Nu1L/p/18107493