Security definitions
CPA security
Define the experiment $\text{PubK}^{\text{eav}}_{\mathcal{A},\Pi}(n)$:
- $(pk, sk) \leftarrow \text{Gen}(1^n)$
- The adversary $\mathcal{A}$ is given $pk$ and outputs two plaintexts $m_0, m_1$ of equal length
- Choose a random $b \in \{0,1\}$, compute the ciphertext $c \leftarrow \text{Enc}_{pk}(m_b)$ and give it to $\mathcal{A}$
- $\mathcal{A}$ outputs $b'$. $\text{PubK}^{\text{eav}}_{\mathcal{A},\Pi}(n) = 1$ if and only if $b = b'$
A public-key encryption scheme $\Pi = (\text{Gen}, \text{Enc}, \text{Dec})$ is CPA-secure if and only if for every polynomial-time adversary $\mathcal{A}$,
$$\Pr[\text{PubK}^{\text{eav}}_{\mathcal{A},\Pi}(n) = 1] \le \frac{1}{2} + \text{negl}(n)$$
(In the public-key setting the eavesdropper experiment already captures chosen-plaintext attacks, because the adversary holds $pk$ and can encrypt any message by itself.)
Clearly, no deterministic encryption algorithm can be CPA-secure: the adversary simply computes $\text{Enc}_{pk}(m_0)$ itself and compares it with $c$.
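As an added example (not part of the original notes), the experiment above written out in Python and run against a constructed toy textbook-RSA scheme, to show concretely why a deterministic $\text{Enc}$ fails it; the RSA parameters and the re-encrypting adversary are this example's own assumptions.

```python
import secrets

# Constructed toy textbook-RSA parameters (p, q, e); real keys are thousands
# of bits and textbook RSA is never used directly, but its determinism is
# exactly the property the experiment below exposes.
TOY_P, TOY_Q, TOY_E = 61, 53, 17

def rsa_gen():
    """Gen(1^n): return (pk, sk) = ((n, e), (n, d)) for the toy modulus."""
    n = TOY_P * TOY_Q
    d = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))
    return (n, TOY_E), (n, d)

def rsa_enc(pk, m):
    """Enc_pk(m) = m^e mod n: a deterministic function of (pk, m)."""
    n, e = pk
    return pow(m, e, n)

def reencrypt_adversary(pk, m0, m1, c):
    """The adversary the text has in mind: it holds pk, so it can recompute
    Enc_pk(m0) itself and compare with the challenge ciphertext c."""
    return 0 if rsa_enc(pk, m0) == c else 1

def pubk_eav_experiment(gen, enc, adversary, m0, m1):
    """One run of PubK^eav_{A,Pi}(n) exactly as defined above: (pk, sk) <- Gen,
    random b, c <- Enc_pk(m_b), A outputs b'; the result is 1 iff b' = b."""
    pk, _sk = gen()
    b = secrets.randbelow(2)
    c = enc(pk, (m0, m1)[b])
    return int(adversary(pk, m0, m1, c) == b)

def success_rate(trials=200):
    """Empirical Pr[PubK^eav = 1] for the re-encryption adversary against
    textbook RSA; a CPA-secure scheme would keep this near 1/2."""
    wins = sum(pubk_eav_experiment(rsa_gen, rsa_enc, reencrypt_adversary, 65, 66)
               for _ in range(trials))
    return wins / trials
```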
Multi-message CPA security
Let $\text{LR}_{pk,b}(m_0, m_1) = \text{Enc}_{pk}(m_b)$.
Define the experiment $\text{PubK}^{\text{LR-cpa}}_{\mathcal{A},\Pi}(n)$:
- $(pk, sk) \leftarrow \text{Gen}(1^n)$
- Choose a random $b \in \{0,1\}$
- The adversary $\mathcal{A}$ is given $pk$ and oracle access to $\text{LR}_{pk,b}(\cdot,\cdot)$
- $\mathcal{A}$ outputs $b'$
- $\text{PubK}^{\text{LR-cpa}}_{\mathcal{A},\Pi}(n) = 1$ if and only if $b = b'$
A public-key encryption scheme $\Pi = (\text{Gen}, \text{Enc}, \text{Dec})$ is multi-message CPA-secure if and only if for every polynomial-time adversary $\mathcal{A}$,
$$\Pr[\text{PubK}^{\text{LR-cpa}}_{\mathcal{A},\Pi}(n) = 1] \le \frac{1}{2} + \text{negl}(n)$$
As in the symmetric-key setting, multi-message CPA security of a public-key scheme is equivalent to single-message CPA security.
CCA security
Define the experiment $\text{PubK}^{\text{cca}}_{\mathcal{A},\Pi}(n)$:
- $(pk, sk) \leftarrow \text{Gen}(1^n)$
- The adversary $\mathcal{A}$ is given $pk$ and oracle access to $\text{Dec}_{sk}(\cdot)$, and outputs two plaintexts $m_0, m_1$ of equal length
- Choose a random $b \in \{0,1\}$, compute the ciphertext $c \leftarrow \text{Enc}_{pk}(m_b)$ and give it to $\mathcal{A}$
- $\mathcal{A}$ may keep querying $\text{Dec}_{sk}(\cdot)$, but may not query $\text{Dec}_{sk}(c)$. It outputs $b'$.
- $\text{PubK}^{\text{cca}}_{\mathcal{A},\Pi}(n) = 1$ if and only if $b = b'$
A public-key encryption scheme $\Pi = (\text{Gen}, \text{Enc}, \text{Dec})$ is CCA-secure if and only if for every polynomial-time adversary $\mathcal{A}$,
$$\Pr[\text{PubK}^{\text{cca}}_{\mathcal{A},\Pi}(n) = 1] \le \frac{1}{2} + \text{negl}(n)$$
CPA security is equivalent to multi-message CPA security
Let $\Pi$ be a CPA-secure encryption scheme; we show that it is also multi-message CPA-secure.
Let $\text{LR}^i_{pk}(m_0, m_1)$ denote the oracle that answers the first $i$ queries with $\text{Enc}_{pk}(m_0)$ and every later query with $\text{Enc}_{pk}(m_1)$. The adversary makes at most $t$ queries to $\text{LR}$. Then
$$\Pr[\text{PubK}^{\text{LR-cpa}}_{\mathcal{A},\Pi}(n) = 1] = \frac{1}{2}\Pr[\mathcal{A}^{\text{LR}^t_{pk}}(pk) = 0] + \frac{1}{2}\Pr[\mathcal{A}^{\text{LR}^0_{pk}}(pk) = 1]$$
where $\mathcal{A}^{\text{LR}^i_{pk}}(pk)$ denotes the output of the adversary when it is given $pk$ and oracle access to $\text{LR}^i_{pk}(\cdot,\cdot)$ (it no longer gets the original $\text{LR}_{pk,b}(\cdot,\cdot)$, but it still queries, receives answers and produces an output exactly as before).
Since $\Pr[\mathcal{A}^{\text{LR}^t_{pk}}(pk) = 0] = 1 - \Pr[\mathcal{A}^{\text{LR}^t_{pk}}(pk) = 1]$, the success probability above equals $\frac{1}{2} + \frac{1}{2}\left(\Pr[\mathcal{A}^{\text{LR}^0_{pk}}(pk) = 1] - \Pr[\mathcal{A}^{\text{LR}^t_{pk}}(pk) = 1]\right)$, so it suffices to show
$$\left|\Pr[\mathcal{A}^{\text{LR}^t_{pk}}(pk) = 1] - \Pr[\mathcal{A}^{\text{LR}^0_{pk}}(pk) = 1]\right| \le \text{negl}'(n)$$
Construct the single-message adversary $\mathcal{A}'$:
- $\mathcal{A}'$ is given $pk$ and picks a random $i \in \{1, \ldots, t\}$
- $\mathcal{A}'$ runs $\mathcal{A}$. For the $j$-th query $(m_{j,0}, m_{j,1})$ of $\mathcal{A}$:
  - if $j < i$, return $c_j \leftarrow \text{Enc}_{pk}(m_{j,0})$
  - if $j = i$, $\mathcal{A}'$ outputs $(m_{j,0}, m_{j,1})$ as its own challenge pair and returns the ciphertext it receives
  - if $j > i$, return $c_j \leftarrow \text{Enc}_{pk}(m_{j,1})$
- $\mathcal{A}'$ outputs whatever $\mathcal{A}$ outputs
It is easy to see that for every $j \le t$,
$$\begin{aligned} \Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 0 \wedge i = j] &= \Pr[\mathcal{A}^{\text{LR}^j_{pk}}(pk) = 1] \\ \Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 1 \wedge i = j] &= \Pr[\mathcal{A}^{\text{LR}^{j-1}_{pk}}(pk) = 1] \end{aligned}$$
because when $b = 0$, $\mathcal{A}'$ answers the first $j$ queries with encryptions of $m_0$ and all later ones with encryptions of $m_1$, while when $b = 1$, $\mathcal{A}'$ answers the first $j - 1$ queries with encryptions of $m_0$ and all later ones with encryptions of $m_1$.
Therefore,
$$\begin{aligned} \Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 0] &= \sum_{j=1}^{t} \Pr[i = j]\,\Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 0 \wedge i = j] \\ &= \sum_{j=1}^{t} \frac{1}{t}\Pr[\mathcal{A}^{\text{LR}^j_{pk}}(pk) = 1] \\ \Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 1] &= \sum_{j=1}^{t} \Pr[i = j]\,\Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 1 \wedge i = j] \\ &= \sum_{j=0}^{t-1} \frac{1}{t}\Pr[\mathcal{A}^{\text{LR}^j_{pk}}(pk) = 1] \end{aligned}$$
Since $\Pi$ is CPA-secure,
$$\left|\Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 0] - \Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 1]\right| \le \text{negl}(n)$$
Hence
$$\begin{aligned} \text{negl}(n) &\ge \left|\sum_{j=1}^{t} \frac{1}{t}\Pr[\mathcal{A}^{\text{LR}^j_{pk}}(pk) = 1] - \sum_{j=0}^{t-1} \frac{1}{t}\Pr[\mathcal{A}^{\text{LR}^j_{pk}}(pk) = 1]\right| \\ &= \frac{1}{t}\left|\Pr[\mathcal{A}^{\text{LR}^t_{pk}}(pk) = 1] - \Pr[\mathcal{A}^{\text{LR}^0_{pk}}(pk) = 1]\right| \end{aligned}$$
and so
$$\left|\Pr[\mathcal{A}^{\text{LR}^t_{pk}}(pk) = 1] - \Pr[\mathcal{A}^{\text{LR}^0_{pk}}(pk) = 1]\right| \le t \cdot \text{negl}(n)$$
Since $\mathcal{A}$ runs in polynomial time, $t$ is polynomial in $n$, so $t \cdot \text{negl}(n)$ is still negligible, which completes the proof.
Hybrid encryption
Public-key encryption is used to transport a key; symmetric encryption under that key carries the actual message.
Key encapsulation
Define a key encapsulation mechanism (KEM) $\Pi = (\text{Gen}, \text{Encaps}, \text{Decaps})$:
- Gen: on input $1^n$, outputs a public/private key pair $(pk, sk)$ of length at least $n$.
- Encaps: on input $1^n, pk$, generates a symmetric key $k \in \{0,1\}^{l(n)}$ and outputs the pair $(c, k)$, where $c \leftarrow \text{Enc}_{pk}(k)$ is its ciphertext.
- Decaps: on input $(sk, c)$, outputs $k = \text{Decaps}_{sk}(c)$
Hybrid encryption
Let $\Pi = (\text{Gen}, \text{Encaps}, \text{Decaps})$ be a KEM with key length $n$ and $\Pi' = (\text{Gen}', \text{Enc}', \text{Dec}')$ a symmetric encryption scheme. The following public-key encryption scheme $\Pi^{\text{hy}} = (\text{Gen}^{\text{hy}}, \text{Enc}^{\text{hy}}, \text{Dec}^{\text{hy}})$ can be constructed from them:
- $\text{Gen}^{\text{hy}}$: $(pk, sk) \leftarrow \text{Gen}(1^n)$
- $\text{Enc}^{\text{hy}}$: on input $pk$ and a plaintext $m \in \{0,1\}^*$,
  - $(c, k) \leftarrow \text{Encaps}_{pk}(1^n)$
  - $c' \leftarrow \text{Enc}'_k(m)$
  - output $\langle c, c' \rangle$
- $\text{Dec}^{\text{hy}}$: on input $sk$ and $\langle c, c' \rangle$,
  - $k \leftarrow \text{Decaps}_{sk}(c)$
  - output $m \leftarrow \text{Dec}'_k(c')$
Security
For a KEM $\Pi = (\text{Gen}, \text{Encaps}, \text{Decaps})$ define the experiment $\text{KEM}^{\text{cpa}}_{\mathcal{A},\Pi}(n)$:
- $(pk, sk) \leftarrow \text{Gen}(1^n)$, $(c, k) \leftarrow \text{Encaps}_{pk}(1^n)$
- Choose a random $b \in \{0,1\}$. If $b = 0$, set $\hat{k} := k$; otherwise choose a random $\hat{k} \in \{0,1\}^n$
- Give $\mathcal{A}$ the input $(pk, c, \hat{k})$; it outputs $b'$. $\text{KEM}^{\text{cpa}}_{\mathcal{A},\Pi}(n) = 1$ if and only if $b = b'$
$\Pi$ is a CPA-secure KEM if and only if for every polynomial-time adversary $\mathcal{A}$,
$$\Pr[\text{KEM}^{\text{cpa}}_{\mathcal{A},\Pi}(n) = 1] \le \frac{1}{2} + \text{negl}(n)$$
If $\Pi$ is a CPA-secure KEM and $\Pi'$ is multi-message EAV-secure, then $\Pi^{\text{hy}}$ is CPA-secure.
Proof
Let $\text{Encaps}^{(1)}_{pk}(1^n)$ denote the first output $c$ of Encaps and $\text{Encaps}^{(2)}_{pk}(1^n)$ its second output $k$. Then
$$\begin{aligned} &\Pr[\text{PubK}^{\text{eav}}_{\mathcal{A}^{\text{hy}},\Pi^{\text{hy}}}(n) = 1] \\ =\ &\frac{1}{2}\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_k(m_0)) = 0] \\ +\ &\frac{1}{2}\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_k(m_1)) = 1] \end{aligned}$$
where $k = \text{Encaps}^{(2)}_{pk}(1^n)$ is the encapsulated key.
Construct an adversary $\mathcal{A}_1$ against $\Pi$:
- Input: $(pk, c, \hat{k})$
- Run $\mathcal{A}^{\text{hy}}(pk)$ to obtain $m_0, m_1$. $\mathcal{A}_1$ computes $c' \leftarrow \text{Enc}'_{\hat{k}}(m_0)$ and hands $\langle c, c' \rangle$ to $\mathcal{A}^{\text{hy}}$. It outputs the bit $b'$ that $\mathcal{A}^{\text{hy}}$ outputs.
$$\begin{aligned} \Pr[\mathcal{A}_1 \text{ outputs } 0 \mid b = 0] &= \Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_k(m_0)) = 0] \\ \Pr[\mathcal{A}_1 \text{ outputs } 1 \mid b = 1] &= \Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_0)) = 1] \end{aligned}$$
where $\hat{k}$ is a uniformly random key. Since $\Pi$ is CPA-secure,
$$\begin{aligned} \frac{1}{2} + \text{negl}_1(n) &\ge \Pr[\text{KEM}^{\text{cpa}}_{\mathcal{A}_1,\Pi}(n) = 1] \\ &= \frac{1}{2}\Pr[\mathcal{A}_1 \text{ outputs } 0 \mid b = 0] + \frac{1}{2}\Pr[\mathcal{A}_1 \text{ outputs } 1 \mid b = 1] \\ &= \frac{1}{2}\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_k(m_0)) = 0] \\ &\quad + \frac{1}{2}\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_0)) = 1] \end{aligned}$$
Similarly, replacing the $m_0$ that $\mathcal{A}_1$ encrypts by $m_1$ (and flipping its output bit) gives
$$\begin{aligned} \frac{1}{2} + \text{negl}_2(n) &\ge \frac{1}{2}\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_k(m_1)) = 1] \\ &\quad + \frac{1}{2}\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_1)) = 0] \end{aligned}$$
Construct an adversary $\mathcal{A}'$ against $\Pi'$:
- $(pk, sk) \leftarrow \text{Gen}(1^n)$, $c \leftarrow \text{Encaps}^{(1)}_{pk}(1^n)$
- $\mathcal{A}'$ runs $\mathcal{A}^{\text{hy}}(pk)$ to obtain $m_0, m_1$. It outputs $m_0, m_1$ as its challenge pair and receives the ciphertext $c'$
- It hands $\langle c, c' \rangle$ to $\mathcal{A}^{\text{hy}}$ and outputs the bit $b'$ that $\mathcal{A}^{\text{hy}}$ outputs
In this attack the key $\hat{k}$ used by the challenger is completely random.
$$\begin{aligned} \Pr[\mathcal{A}' \text{ outputs } 0 \mid b = 0] &= \Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_0)) = 0] \\ \Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 1] &= \Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_1)) = 1] \end{aligned}$$
Since $\Pi'$ is EAV-secure,
$$\begin{aligned} \frac{1}{2} + \text{negl}'(n) &\ge \Pr[\text{PrivK}^{\text{eav}}_{\mathcal{A}',\Pi'}(n) = 1] \\ &= \frac{1}{2}\Pr[\mathcal{A}' \text{ outputs } 0 \mid b = 0] + \frac{1}{2}\Pr[\mathcal{A}' \text{ outputs } 1 \mid b = 1] \\ &= \frac{1}{2}\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_0)) = 0] \\ &\quad + \frac{1}{2}\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_1)) = 1] \end{aligned}$$
Adding the three inequalities (with $\text{negl}(n) = \text{negl}_1(n) + \text{negl}_2(n) + \text{negl}'(n)$) gives
$$\begin{aligned} \frac{3}{2} + \text{negl}(n) \ge \frac{1}{2}\cdot\Big( &\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_k(m_0)) = 0] \\ +\ &\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_0)) = 1] \\ +\ &\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_k(m_1)) = 1] \\ +\ &\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_1)) = 0] \\ +\ &\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_0)) = 0] \\ +\ &\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_1)) = 1]\Big) \end{aligned}$$
Since
$$\begin{aligned} \Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_0)) = 0] + \Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_0)) = 1] &= 1 \\ \Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_1)) = 0] + \Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_{\hat{k}}(m_1)) = 1] &= 1 \end{aligned}$$
we obtain
$$\begin{aligned} \frac{1}{2} + \text{negl}(n) &\ge \frac{1}{2}\cdot\Big(\Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_k(m_0)) = 0] \\ &\quad + \Pr[\mathcal{A}^{\text{hy}}(pk, \text{Encaps}^{(1)}_{pk}(1^n), \text{Enc}'_k(m_1)) = 1]\Big) \\ &= \Pr[\text{PubK}^{\text{eav}}_{\mathcal{A}^{\text{hy}},\Pi^{\text{hy}}}(n) = 1] \end{aligned}$$
which is exactly the CPA security of $\Pi^{\text{hy}}$.
ElGamal encryption
The scheme
$\mathcal{G}(1^n)$ is a polynomial-time algorithm that generates a group $\mathbb{G}$ of order $q$ (together with a generator $g$), where $\|q\| = n$.
The encryption scheme $\Pi = (\text{Gen}, \text{Enc}, \text{Dec})$ is defined as follows:
- Gen: $(\mathbb{G}, q, g) \leftarrow \mathcal{G}(1^n)$. Choose a random $x \in \mathbb{Z}_q$ and compute $h = g^x$. The public key is $\langle \mathbb{G}, q, g, h \rangle$ and the private key is $\langle \mathbb{G}, q, g, x \rangle$. The message space is $\mathbb{G}$.
- Enc: on input the public key $pk = \langle \mathbb{G}, q, g, h \rangle$ and a plaintext $m \in \mathbb{G}$, choose a random $y \in \mathbb{Z}_q$ and output the ciphertext $\langle g^y, h^y \cdot m \rangle$
- Dec: on input the private key $sk = \langle \mathbb{G}, q, g, x \rangle$ and a ciphertext $\langle c_1, c_2 \rangle$, output $m = c_2 / c_1^x$
Security proof
It is fairly easy to see that the CPA security of ElGamal encryption reduces to the DDH problem.
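As an added example that is not part of the original notes, the ElGamal scheme just described and the hybrid construction $\Pi^{\text{hy}}$ from the previous section, written in Python over a constructed toy group; the group parameters, SHA-256 as the key-derivation step inside Encaps, and the XOR counter-stream standing in for $\Pi'$ are this example's own assumptions.

```python
import hashlib
import secrets

# Constructed toy group: safe prime P = 2Q + 1, G = 4 generates the order-Q
# subgroup of Z_P^*. Far too small for real use; only the structure matters.
P, Q, G = 1019, 509, 4

def elgamal_gen():
    """Gen: x <- Z_q, h = g^x; pk = <G, q, g, h>, sk = <G, q, g, x>."""
    x = secrets.randbelow(Q)
    return (P, Q, G, pow(G, x, P)), (P, Q, G, x)

def elgamal_enc(pk, m):
    """Enc: y <- Z_q, output <g^y, h^y * m>; the fresh y makes it randomized."""
    p, q, g, h = pk
    y = secrets.randbelow(q)
    return pow(g, y, p), (pow(h, y, p) * m) % p

def elgamal_dec(sk, ct):
    """Dec: m = c2 / c1^x, the division done via the modular inverse of c1^x."""
    (p, _q, _g, x), (c1, c2) = sk, ct
    return (c2 * pow(pow(c1, x, p), -1, p)) % p

def kdf(k):
    """Hypothetical KDF: map the wrapped group element k to a 256-bit key."""
    return hashlib.sha256(k.to_bytes(2, "big")).digest()

def encaps(pk):
    """Encaps_pk(1^n): sample a random k in G, wrap it with ElGamal, return (c, key)."""
    p, q, g, _h = pk
    k = pow(g, secrets.randbelow(q), p)
    return elgamal_enc(pk, k), kdf(k)

def decaps(sk, c):
    """Decaps_sk(c): unwrap k with the private key and derive the same key."""
    return kdf(elgamal_dec(sk, c))

def dem_xor(key, data):
    """Enc'/Dec' of the symmetric scheme Pi': XOR with a SHA-256 counter keystream.
    Unauthenticated on purpose (an EAV-secure Pi'), so the result is CPA-, not CCA-secure."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_enc(pk, m):
    """Enc^hy: (c, k) <- Encaps_pk(1^n), c' <- Enc'_k(m), output <c, c'>."""
    c, key = encaps(pk)
    return c, dem_xor(key, m)

def hybrid_dec(sk, ct):
    """Dec^hy: k <- Decaps_sk(c), output m <- Dec'_k(c')."""
    c, c_prime = ct
    return dem_xor(decaps(sk, c), c_prime)
```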