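Question: we already have a single-bit CPA-secure PKE; can we obtain a multi-bit CPA-secure PKE?
LorR-CPA security. The adversary may make polynomially many CPA queries, but the bit $b$ is sampled only once, and the adversary has to guess $b$.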
$$\text{Pr}\left[\begin{matrix}(pk,sk) \leftarrow \text{Gen}(1^\kappa);b\leftarrow\{0,1\};\\b'\leftarrow\mathcal{A}^{LorR_b(\{m_0^{(i)}\},\{m_1^{(i)}\})}(pk)\end{matrix}:b'=b\right] = \frac{1}{2}\pm\text{negl}(\kappa)$$
LorR-CPA Game.
$$\color{darkblue}\begin{matrix}
\mathcal{C} & & \mathcal{A} \\
(pk,sk)\leftarrow\text{Gen}(1^\kappa) & \stackrel{pk}{\longrightarrow} & \\
b\leftarrow \{0,1\} & \\
 & & \text{choose } m_0^{(i)},m_1^{(i)},i\in[Q(\kappa)]\\
 & \stackrel{(m_0^{(i)},m_1^{(i)})}{\longleftarrow} & \text{LorR oracle query }Q(\kappa) \text{ times} \\
\text{compute }c^{(i)}=\text{Enc}(pk,m_b^{(i)}) & \stackrel{\{c^{(i)}\}}{\longrightarrow} \\
\mathcal{A} \text{ wins iff }b'=b & \stackrel{b'}{\longleftarrow} & \text{compute } b'
\end{matrix}$$
Similarly, we can write down the LorR-CPA Game (Experiment), i.e. the version in which $b$ is a parameter fixed in advance. Then, just as for the CPA Game, the definition of LorR-CPA security can be restated in advantage form.
$$\textbf{Adv}^{\text{LorR-CPA}}_{\text{PKE},\mathcal{A}}(\kappa):=\left|\text{Pr}[\textbf{Exp}_{\text{PKE},\mathcal{A}}^\text{LorR-CPA-1}(\kappa)=1]-\text{Pr}[\textbf{Exp}_{\text{PKE},\mathcal{A}}^\text{LorR-CPA-0}(\kappa)=1]\right|$$
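An obvious fact: if we have LorR-CPA security, we certainly have CPA security. Equivalently, if some adversary can break CPA security, it can also break LorR-CPA security. This follows from a simple reduction.
We want to show the other direction, i.e. that LorR-CPA security and CPA security are in fact fully equivalent.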
Theorem. If a PKE is CPA-secure, then it is also LorR-CPA-secure.
Proof. We use a sequence of games, the advantage between adjacent games, and the triangle inequality.
Let Game 0 be $\textbf{Exp}_{\text{PKE},\mathcal{A}}^\text{LorR-CPA-0}(\kappa)$; let Game $i$ be a modified version of $\textbf{Exp}_{\text{PKE},\mathcal{A}}^\text{LorR-CPA-0}(\kappa)$ (the first $i$ queries use $b=1$, the remaining ones use $b=0$); the final Game $Q$ is $\textbf{Exp}_{\text{PKE},\mathcal{A}}^\text{LorR-CPA-1}(\kappa)$. Then,
$$\begin{aligned}\textbf{Adv}^{\text{LorR-CPA}}_{\text{PKE},\mathcal{A}}(\kappa)&=\left|\text{Pr}[\textbf{Exp}_{\text{PKE},\mathcal{A}}^\text{LorR-CPA-1}(\kappa)=1]-\text{Pr}[\textbf{Exp}_{\text{PKE},\mathcal{A}}^\text{LorR-CPA-0}(\kappa)=1]\right| \\
&=\left|\text{Pr}[\textbf{Game }0=1]-\text{Pr}[\textbf{Game }Q=1]\right| \\
&=\left|\text{Pr}[\textbf{Game } 0=1]-\text{Pr}[\textbf{Game } 1=1]+\text{Pr}[\textbf{Game } 1=1]-\text{Pr}[\textbf{Game } 2=1]+\cdots-\text{Pr}[\textbf{Game }Q=1]\right|\\
&\leq\sum_{i=1}^Q\left|\text{Pr}[\textbf{Game } i-1=1]-\text{Pr}[\textbf{Game } i=1]\right|\end{aligned}$$
If we can prove that $|\text{Pr}[\textbf{Game } i-1=1]-\text{Pr}[\textbf{Game } i=1]| =\text{negl}(\kappa)$, then
$$\textbf{Adv}^{\text{LorR-CPA}}_{\text{PKE},\mathcal{A}}(\kappa) \leq Q\cdot\text{negl}(\kappa)=\text{negl}(\kappa)$$
which proves that the scheme is LorR-CPA-secure. Hence we need to prove
$$\color{blue}|\text{Pr}[\textbf{Game } i-1=1]-\text{Pr}[\textbf{Game } i=1]| =\text{negl}(\kappa)$$
That is, if some adversary can distinguish Game $i$ from Game $i-1$, then the PKE is not CPA-secure. Such an adversary is easily turned into one that wins the (single-bit) CPA game (use $m_0$ for the first $i-1$ queries; use the ciphertext generated by the challenger for the $i$-th query; use $m_1$ for all later queries; then use the adversary's distinguishing result to determine the random bit the challenger generated for the $i$-th query). Hence no adversary can distinguish Game $i$ from Game $i-1$, i.e. the statement above holds.
Multi-bit PKE (version without CPA security).
$(pk_1, sk_1) \leftarrow \text{Gen1}(1^\kappa)$: $pk:=pk_1;sk:=sk_1$. Return $(pk,sk)$.
$\text{Enc}(pk,m_1||m_2||\cdots||m_l)$: $c_i\leftarrow \text{Enc1}(pk_1,m_i)$ for $i\in[l]$. Return $(c_1||c_2||\cdots||c_l)$.
$\text{Dec}(sk,c_1||c_2||\cdots||c_l)$: $m_i'\leftarrow\text{Dec1}(sk_1,c_i)$ for $i\in[l]$. Return $(m_1'||m_2'||\cdots||m_l')$.
Multi-bit PKE (CPA-secure version, built from a TDP and a hard-core bit).
$\text{KeyGen}(1^\kappa)$: $(f,f^{-1})\leftarrow\text{Gen}(1^\kappa);r \leftarrow \{0,1\}^\kappa;pk=(f,h_\kappa,r),sk=f^{-1}$. Return $(pk,sk)$.
$\text{Enc}(pk,m_1||m_2||\cdots||m_l)$: $x_i\leftarrow \{0,1\}^\kappa;c_i\leftarrow (c_{i1}:=f(x_i),c_{i2}:=h_{GL}(x_i,r)\oplus m_i)$ for $i\in[l]$. Return $(c_1||c_2||\cdots||c_l)$.
$\text{Dec}(sk,c_1||c_2||\cdots||c_l)$: $m_i'\leftarrow h_{GL}(f^{-1}(c_{i1}),r)\oplus c_{i2}$ for $i\in[l]$. Return $(m_1'||m_2'||\cdots||m_l')$.
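Theorem. This version of the multi-bit PKE is also CPA-secure.
Proof. By reduction to LorR-CPA security. The 1-bit PKE is CPA-secure and therefore LorR-CPA-secure. We argue by contradiction: suppose an adversary $\mathcal{A}$ can break the CPA security of the multi-bit PKE; then it can be used to break the LorR-CPA security of the 1-bit PKE.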
$$\color{darkblue}\begin{matrix}
\mathcal{C'} & & \mathcal{A'}/\mathcal{C} & & \mathcal{A}\\
(f,f^{-1}) \leftarrow\text{Gen}(1^\kappa) \\
r\leftarrow\{0,1\}^\kappa\\
b\leftarrow \{0,1\} & \stackrel{(f,r)}{\longrightarrow} & & \stackrel{(f,r)}{\longrightarrow} \\
 & \stackrel{(m_0^{(i)},m_1^{(i)})}{\longleftarrow} & l\text{ queries} & \stackrel{(m_0,m_1)}{\longleftarrow} & \text{choose } m_0,m_1 \\
x_i\leftarrow\{0,1\}^\kappa\\
c^{(i)}_1:= f(x_i)\\
c_2^{(i)}:=h_{GL}(x_i,r)\oplus m_b^{(i)}\\
c^{(i)}:=(c_1^{(i)},c_2^{(i)}) & \stackrel{c^{(i)}}{\longrightarrow} & c\leftarrow\{c^{(i)}\} & \stackrel{c}{\longrightarrow}\\
 & \stackrel{b'}{\longleftarrow} & & \stackrel{b'}{\longleftarrow} & \text{compute }b'
\end{matrix}$$
Hence,
$$\text{Pr}[\mathcal{A'} \text{ wins}]=\text{Pr}[b=b']=\text{Pr}[\mathcal{A} \text{ wins}]$$
that is, this version of the multi-bit PKE is also CPA-secure.
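As an added illustration (not code from the original notes), the following Python example instantiates the TDP + hard-core-bit multi-bit PKE above, using textbook RSA over two well-known Mersenne primes as the trapdoor permutation and the Goldreich-Levin inner product as $h_{GL}$. The parameters and all function names are assumptions chosen for the example, $x_i$ is drawn from the RSA domain $\mathbb{Z}_N$ rather than $\{0,1\}^\kappa$, and the modulus is far too small for real use.

```python
import secrets

# Constructed demo parameters (assumption): two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537

def keygen():
    """KeyGen: (f, f^-1) is textbook RSA on Z_N; r is the public GL string."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor exponent, i.e. f^-1
    r = secrets.randbits(n.bit_length())   # r <- {0,1}^kappa
    return (n, E, r), (n, d, r)            # pk = (f, r); sk = f^-1 (r repeated for convenience)

def h_gl(x, r):
    """Goldreich-Levin predicate: inner product of the bits of x and r over GF(2)."""
    return bin(x & r).count("1") & 1

def enc(pk, bits):
    """Encrypt bit by bit: c_i = (f(x_i), h_GL(x_i, r) XOR m_i) with a fresh x_i."""
    n, e, r = pk
    ct = []
    for m in bits:
        x = secrets.randbelow(n)           # x_i sampled from the RSA domain Z_N
        ct.append((pow(x, e, n), h_gl(x, r) ^ m))
    return ct

def dec(sk, ct):
    """Decrypt: m_i = h_GL(f^-1(c_i1), r) XOR c_i2."""
    n, d, r = sk
    return [h_gl(pow(c1, d, n), r) ^ c2 for c1, c2 in ct]

def to_bits(data):
    """Bytes -> list of bits, least significant bit of each byte first."""
    return [(byte >> k) & 1 for byte in data for k in range(8)]

def from_bits(bits):
    """Inverse of to_bits."""
    return bytes(sum(b << k for k, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))

def ciphertext_bits_per_plaintext_bit(pk):
    """Expansion of this scheme: one Z_N element plus one masked bit per message bit."""
    return pk[0].bit_length() + 1

if __name__ == "__main__":
    pk, sk = keygen()
    ct = enc(pk, to_bits(b"hi"))
    print(from_bits(dec(sk, ct)), ciphertext_bits_per_plaintext_bit(pk))
```

Every message bit costs a full domain element here, which is the overhead the chained construction in the next part of the notes avoids.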
Efficient multi-bit PKE. Reuse $y_i=f(x_i)$ as the next round's $x_{i+1}$.
$\text{KeyGen}(1^\kappa)$: $(f,f^{-1})\leftarrow\text{Gen}(1^\kappa);r \leftarrow \{0,1\}^\kappa;pk=(f,h_\kappa,r),sk=f^{-1}$. Return $(pk,sk)$.
$\text{Enc}(pk,m_1||m_2||\cdots||m_l)$: $x_0\leftarrow \{0,1\}^\kappa;x_i=f(x_{i-1});c_i\leftarrow h_\kappa(x_i,r)\oplus m_i$ for $i=1,2,\cdots,l$. Return $(x_l,c_1||c_2||\cdots||c_l)$.
$\text{Dec}(sk,c_1||c_2||\cdots||c_l)$: $x_{i-1}\leftarrow f^{-1}(x_i);m_i'\leftarrow h_\kappa(x_{i-1},r)\oplus c_i$ for $i=l,l-1,\cdots,1$. Return $(m_1'||m_2'||\cdots||m_l')$.
Equivalent definition 2 of Hard-Core. The challenger flips a coin to decide whether to send the hard-core bit or a random bit to the adversary; the adversary guesses the outcome of the challenger's coin flip (whether what it received is a random bit or the hard-core bit). The corresponding Hard-Core Game 2 is as follows:
$$\color{darkblue}\begin{matrix}
\mathcal{C} & & \mathcal{A} \\
(f,f^{-1}) \leftarrow\text{Gen}(1^\kappa) \\
x\leftarrow \{0,1\}^\kappa;y\leftarrow f(x)\\
\beta\leftarrow \{0,1\}\\
\text{if }\beta=1 \text{ then } T\leftarrow h_\kappa(x) \text{ else } T\leftarrow\{0,1\} & \stackrel{f,y,T}{\longrightarrow} & \\
\mathcal{A} \text{ wins iff }\beta'=\beta & \stackrel{\beta'}{\longleftarrow} & \text{Compute } \beta'
\end{matrix}$$
Equivalent definition 3 of Hard-Core. The challenger flips a coin to decide whether to send the hard-core bit or 1 - hard-core bit to the adversary; the adversary guesses the outcome of the challenger's coin flip (whether what it received is a random bit or the hard-core bit). The corresponding Hard-Core Game 3 is as follows:
$$\color{darkblue}\begin{matrix}
\mathcal{C} & & \mathcal{A} \\
(f,f^{-1}) \leftarrow\text{Gen}(1^\kappa) \\
x\leftarrow \{0,1\}^\kappa;y\leftarrow f(x)\\
\beta\leftarrow \{0,1\}\\
\text{if }\beta=1 \text{ then } T\leftarrow h_\kappa(x) \text{ else } T\leftarrow 1-h_\kappa(x) & \stackrel{f,y,T}{\longrightarrow} & \\
\mathcal{A} \text{ wins iff }\beta'=\beta & \stackrel{\beta'}{\longleftarrow} & \text{Compute } \beta'
\end{matrix}$$
Theorem. Hard-Core Game 2 and Hard-Core Game 3 are equivalent.
Proof.
We first list some probabilities that may be needed:
$$\begin{gathered}\text{Pr}[\beta=1,T=h_\kappa(x)] = \frac{1}{2},\quad\text{Pr}[\beta=1,T=1-h_\kappa(x)] = 0, \\
\text{Pr}[\beta=0,T=h_\kappa(x)]=\text{Pr}[\beta=0,T=1-h_\kappa(x)]=\frac{1}{4},\\
\text{Pr}[\beta=1] = \text{Pr}[\beta=0]=\frac{1}{2},\\
\text{Pr}[T=h_\kappa(x)] = \frac{3}{4},\quad\text{Pr}[T=1-h_\kappa(x)]=\frac{1}{4}\end{gathered}$$
Since the adversary sees exactly the same information in both games, we compute the adversary's advantage in each game separately and then compare them.
If the adversary's inputs and outputs are the same in both games, one can compute the advantages directly and compare them, with no need to design a reduction.
$$\small\begin{aligned}&\textbf{Adv}_{\text{PKE},\mathcal{A}}^{\text{Hard-Core 2}}(\kappa) \\
=\ & \left|\text{Pr}[\beta'=1|\beta=1] - \text{Pr}[\beta'=1|\beta=0]\right| \\
=\ &|\text{Pr}[\beta'=1|\beta=1,T=h_\kappa(x)] - \text{Pr}[\beta'=1,T=h_\kappa(x)|\beta=0]\\
& - \text{Pr}[\beta'=1,T=1-h_\kappa(x)|\beta=0]| \\
=\ &|\text{Pr}[\beta'=1|\beta=1,T=h_\kappa(x)] - \text{Pr}[T=h_\kappa(x)|\beta=0]\text{Pr}[\beta'=1|\beta=0,T=h_\kappa(x)] \\
&- \text{Pr}[T=1-h_\kappa(x)|\beta=0]\text{Pr}[\beta'=1|\beta=0, T=1-h_\kappa(x)]|\\
=\ & |\text{Pr}[\beta'=1|\beta=1,T=h_\kappa(x)] - \frac{1}{2}\text{Pr}[\beta'=1|\beta=0,T=h_\kappa(x)] \\
&- \frac{1}{2}\text{Pr}[\beta'=1|\beta=0, T=1-h_\kappa(x)]|\end{aligned}$$
$$\small\begin{aligned}&\textbf{Adv}_{\text{PKE},\mathcal{A}}^{\text{Hard-Core 3}}(\kappa)\\
=\ & \left|\text{Pr}[\beta'=1|\beta=1] - \text{Pr}[\beta'=1|\beta=0]\right| \\
=\ & \left|\text{Pr}[\beta'=1|\beta=1,T=h_\kappa(x)] - \text{Pr}[\beta'=1|\beta=0,T=1-h_\kappa(x)]\right|\\
=\ &\left|\text{Pr}[\beta'=1|T=h_\kappa(x)] - \text{Pr}[\beta'=1|T=1-h_\kappa(x)]\right|\end{aligned}$$
From the adversary's point of view, in both Hard-Core Game 2 and Hard-Core Game 3 it only sees $f,y,T$ and computes $\beta'$ from $f,y,T$. So, for the adversary, the $\beta$ in the condition is irrelevant, i.e.
$$\text{Pr}[\beta'=1|\beta,T=h_\kappa(x)]=\text{Pr}[\beta'=1|T=h_\kappa(x)]$$
$$\small\begin{aligned}\textbf{Adv}_{\text{PKE},\mathcal{A}}^{\text{Hard-Core 2}}(\kappa) &= |\text{Pr}[\beta'=1|T=h_\kappa(x)] - \frac{1}{2}\text{Pr}[\beta'=1|T=h_\kappa(x)] \\
&\quad- \frac{1}{2}\text{Pr}[\beta'=1|\beta=0, T=1-h_\kappa(x)]| \\
&= \left|\frac{1}{2}\text{Pr}[\beta'=1|T=h_\kappa(x)] - \frac{1}{2}\text{Pr}[\beta'=1|T=1-h_\kappa(x)]\right|\end{aligned}$$
Hence we obtain
$$\textbf{Adv}_{\text{PKE},\mathcal{A}}^{\text{Hard-Core 3}}(\kappa) = 2\textbf{Adv}_{\text{PKE},\mathcal{A}}^{\text{Hard-Core 2}}(\kappa)$$
So whenever either one is negligible, the other must be negligible as well, and the two games are equivalent.
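The factor-of-two relation between the Hard-Core Game 2 and Hard-Core Game 3 advantages can be checked exactly on a toy instance. This added example (not part of the original notes) enumerates both games over an 8-bit affine permutation, which is deliberately not one-way, for a hypothetical adversary `leaky` that knows $h(x)$ on a quarter of the images; `K`, `R`, `f`, `h` and both adversaries are constructed for the illustration.

```python
from fractions import Fraction

K = 8                    # toy domain {0,1}^8 (constructed)
R = 0b10110101           # fixed public string r (constructed)

def f(x):
    """Toy permutation on K-bit values (odd multiplier); deliberately not one-way."""
    return (37 * x + 11) % (1 << K)

def h(x):
    """GL-style predicate <x, R> mod 2, standing in for h_kappa."""
    return bin(x & R).count("1") & 1

INV = {f(x): x for x in range(1 << K)}   # brute-force inverse, only feasible for a toy f

def game2(beta, hx):
    """Distribution of T in Hard-Core Game 2: h(x) if beta=1, uniform otherwise."""
    if beta:
        return [(hx, Fraction(1))]
    return [(0, Fraction(1, 2)), (1, Fraction(1, 2))]

def game3(beta, hx):
    """Distribution of T in Hard-Core Game 3: h(x) if beta=1, 1-h(x) otherwise."""
    return [(hx if beta else 1 - hx, Fraction(1))]

def advantage(game, adversary):
    """Exact |Pr[beta'=1 | beta=1] - Pr[beta'=1 | beta=0]| over all x and coins."""
    pr = {}
    for beta in (0, 1):
        hits = Fraction(0)
        for x in range(1 << K):
            for t, weight in game(beta, h(x)):
                hits += weight * adversary(f(x), t)
        pr[beta] = hits / (1 << K)
    return abs(pr[1] - pr[0])

def leaky(y, t):
    """Hypothetical adversary: inverts f only when y % 4 == 0, else outputs 0."""
    return int(t == h(INV[y])) if y % 4 == 0 else 0

def echo(y, t):
    """Adversary that ignores y and simply outputs T."""
    return t

if __name__ == "__main__":
    for adv in (leaky, echo):
        print(adv.__name__, advantage(game2, adv), advantage(game3, adv))
```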
Theorem. Hard-Core Game 3 and the Hard-Core Game are equivalent.
Proof. One can design man-in-the-middle reductions in both directions; this is fairly simple. In one direction, forward the received $f,y,T$ directly to the capable adversary, obtain $h_\kappa(x)$, and compare it with $T$. In the other direction, sample $T\leftarrow \{0,1\}$ at random and send it to the capable adversary; after obtaining $\beta$, return $h_\kappa(x)=T$ if $\beta=1$, and $h_\kappa(x)=1-T$ otherwise.
In summary, the three Hard-Core Games (the definitions of Hard-Core) are equivalent to one another.