Acknowledgement
This page pays tribute to Katz J, Lindell Y. Introduction to Modern Cryptography [M]. Chapman and Hall/CRC, 2014. Buying a legitimate copy of the book is recommended.
3.1 Prove Proposition 3.6.
By Definition 3.4, a function $f$ is negligible if for every polynomial $p(\cdot)$ there exists an integer $N$ such that $f(n) < 1/p(n)$ holds for all integers $n > N$. If $\mathsf{negl}_1$ and $\mathsf{negl}_2$ are negligible, then for any polynomial $p(\cdot)$ there exist $N_1$ and $N_2$ such that $\mathsf{negl}_1(n) < 1/p(n)$ for all $n > N_1$ and $\mathsf{negl}_2(n) < 1/p(n)$ for all $n > N_2$. Taking $N$ to be the larger of $N_1$ and $N_2$, every $n > N$ satisfies $\mathsf{negl}_1(n) + \mathsf{negl}_2(n) < 2/p(n)$, so the sum of two negligible functions is still negligible. Since the product of two polynomials is again a polynomial, the second part is proved in the same way.
3.3 Prove that Definition 3.8 cannot be satisfied if $\Pi$ can encrypt arbitrary-length messages and the adversary is not restricted to output equal-length messages in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(\lambda)$.
Since the encryption algorithm is public, one can inspect its code and infer an upper bound $p(\lambda)$ on the length of the ciphertexts that $\Pi$ produces for 1-bit messages (for example, if plaintext 0 encrypts to the ciphertext 01101 and plaintext 1 encrypts to 01001100, then $p(\lambda) = 8$). By the pigeonhole principle, ciphertexts of length at most $p(\lambda)$ can accommodate at most

$$2^1 + 2^2 + \cdots + 2^{p(\lambda)} = \frac{2 \cdot (1 - 2^{p(\lambda)})}{1 - 2} = 2^{p(\lambda)+1} - 2$$

plaintexts. By the correctness of the encryption scheme, once the number of plaintexts exceeds this bound, ciphertexts of length greater than $p(\lambda)$ must be used. In the challenge game, when $\mathcal{A}$ deliberately sets $|m_0| = 1$ and $|m_1| = p(\lambda) + 1$, with high probability $|c_0| \leq p(\lambda)$ and $|c_1| > p(\lambda)$, so the challenge bit $b$ is easy to determine (this becomes even more pronounced as $|m_1|$ grows further; the exact probability analysis is left to the reader).
Put simply, if the ciphertexts of plaintexts 0 and 1 have length at most $p(\lambda)$, then $\mathcal{A}$ just sets $|m_1| > p(\lambda)$, and Definition 3.8 cannot be satisfied.
3.4 Say $\Pi = (Gen, Enc, Dec)$ is such that for $k \in \{0,1\}^n$, algorithm $Enc_k$ is only defined for messages of length at most $\ell(n)$ (for some polynomial $\ell$). Construct a scheme satisfying Definition 3.8 even when the adversary is not restricted to output equal-length messages in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(\lambda)$.
With an upper bound on the message length, this becomes easy. Recall Exercise 3.3: if the ciphertext length is bounded by $p(\lambda)$, then bounding the message length by $p(\lambda)$ as well leaves $\mathcal{A}$ with no way to mount that attack. The idea here is direct: since the messages differ in length, we pad them by an encoding so that they all end up with the same length. Much as in computer networking, the prefix $0^{\ell - |m| - 1}1$ is used as padding, i.e. $\ell - |m| - 1$ zeros followed by a single 1; decryption strips the prefix to recover the real $m$. Concretely, the new scheme is constructed as follows:
Assume $\Pi' = (Gen', Enc', Dec')$ is an encryption scheme for fixed-length messages that is indistinguishable in the presence of an eavesdropper.
$Gen(1^\lambda) \to k$: run $k \gets Gen'(1^\lambda)$ and output the symmetric key $k$ directly.
$Enc(k, m) \to c$: pad-encode $m' = 0^{\ell - |m| - 1}1 \,\|\, m$, compute $c' \gets Enc'(k, m')$, and output $c := c'$.
$Dec(k, c) \to m$: compute $m' := Dec'(k, c)$, strip the prefix $0^{\ell - |m| - 1}1$ to obtain $m$, and output $m$.
The security of $\Pi$ (even when $\mathcal{A}$ may choose plaintexts of arbitrary lengths) is easily proved by a reduction.
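An added example, not code from the page, of the padding scheme of Exercise 3.4 wrapped around Construction 3.24 as $\Pi'$, with $F$ modelled by HMAC-SHA256 and a hypothetical bound of $\ell = 8$ bits (both assumptions). It pads to a fixed length one bit longer than the maximum message length, so that a message of the maximum length still has room for the single 1 marker (the prefix $0^{\ell-|m|-1}1$ needs $|m| < \ell$).

```python
import hmac, hashlib, os

MAX_LEN = 8            # hypothetical bound ell on the message length, in bits
PAD_LEN = MAX_LEN + 1  # fixed length of Pi' messages: one extra bit leaves room for the 1 marker

def pad(m):
    # m' = 0^{PAD_LEN-|m|-1} 1 || m, so every encoding is exactly PAD_LEN bits long
    if len(m) > MAX_LEN or set(m) - {"0", "1"}:
        raise ValueError("m must be a bit string of at most MAX_LEN bits")
    return "0" * (PAD_LEN - len(m) - 1) + "1" + m

def unpad(mp):
    # drop everything up to and including the first 1; a well-formed encoding always contains it
    return mp[mp.index("1") + 1:]

def prf(k, r):
    # F_k(r) modelled by HMAC-SHA256 truncated to PAD_LEN bits (assumption)
    return int.from_bytes(hmac.new(k, r, hashlib.sha256).digest(), "big") >> (256 - PAD_LEN)

def enc(k, m):
    # Pi' is Construction 3.24 on PAD_LEN-bit messages: c' = <r, F_k(r) xor m'>
    r = os.urandom(16)
    return r, prf(k, r) ^ int(pad(m), 2)

def dec(k, c):
    # recover m' from Pi', then strip the prefix
    r, body = c
    return unpad(format(prf(k, r) ^ body, f"0{PAD_LEN}b"))
```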
3.7 Assuming the existence of a pseudorandom function, prove that there exists an encryption scheme that has indistinguishable multiple encryptions in the presence of an eavesdropper (i.e., is secure with respect to Definition 3.18), but is not CPA-secure (i.e., is not secure with respect to Definition 3.21).
Based on Construction 3.24, we build an encryption scheme $\Pi$ that has indistinguishable multiple encryptions in the presence of an eavesdropper but is not CPA-secure.
$Gen(1^\lambda) \to k$: on input the security parameter $1^\lambda$, choose $k_1 \gets \{0,1\}^\lambda$ and $k_2 \gets \{0,1\}^\lambda$ uniformly at random, set $k = \langle k_1, k_2 \rangle$ and output it.
$Enc(k, m) \to c$: on input the symmetric key $k = \langle k_1, k_2 \rangle$ and a message $m \in \{0,1\}^\lambda$, choose $r \gets \{0,1\}^\lambda$ uniformly at random and compute

$$c := \begin{cases} 1, k_2, r, F_{k_2}(r) \oplus m, & \text{if } m = k_1 \\ 0, k_1, r, F_{k_2}(r) \oplus m, & \text{otherwise} \end{cases}$$
$Dec(k, c) \to m$: on input $k = \langle k_1, k_2 \rangle$ and $c = \langle c_1, c_2, c_3, c_4 \rangle$, compute $m := F_{k_2}(c_3) \oplus c_4$ and output it.
It is easy to see that this scheme is not CPA-secure; the adversary $\mathcal{A}$ proceeds as follows. Choose $m \gets \{0,1\}^\lambda$ uniformly at random and submit it to the encryption oracle $\mathcal{O}_{Enc}(\cdot)$ to obtain $c = \langle c_1, c_2, c_3, c_4 \rangle$; then adaptively set $m' = c_2$ and submit it to the encryption oracle to obtain $c' = \langle c'_1, c'_2, c'_3, c'_4 \rangle$. At this point $\mathcal{A}$ recovers the key as $k := \langle c_2, c'_2 \rangle$ or $k := \langle c'_2, c_2 \rangle$, deciding between the two by checking whether $c_1 \overset{?}{=} 0$.
The scheme does, however, have indistinguishable multiple encryptions in the presence of an eavesdropper; the main proof idea is as follows. An adversary $\mathcal{A}$ attempting to break $\Pi$ chooses two vectors of messages $\boldsymbol{m}_0 = \{ m^0_0, m^1_0, \cdots, m^{q(\lambda)}_0 \}$ and $\boldsymbol{m}_1 = \{ m^0_1, m^1_1, \cdots, m^{q(\lambda)}_1 \}$. The cases in which it wins the multiple-encryption eavesdropping indistinguishability game are of two kinds: (1) by coincidence $k_1 \in \boldsymbol{m}_0 \cup \boldsymbol{m}_1$, in which case $\mathcal{A}$ obtains $k_2$ directly; this event happens with probability $2q(\lambda)/2^\lambda$, which is negligible; (2) $\mathcal{A}$ wins the CPA security game of Construction 3.24, which likewise happens with only negligible probability (note that $0, k_1$ leaks no information about $m_b$; anyone familiar with security reductions can complete this proof quickly, so it is not expanded here).
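An added example, not code from the page, of the Exercise 3.7 scheme together with the two-query CPA attack described above; $F$ is modelled by HMAC-SHA256 with $\lambda = 256$ bits (assumptions). It shows concretely why a ciphertext that carries key material is fatal once the adversary can choose plaintexts adaptively.

```python
import hmac, hashlib, os

LAM = 32  # security parameter lambda in bytes (256 bits): keys, messages and r are all LAM bytes

def F(k, r):
    # the PRF F_k(r), modelled by HMAC-SHA256 (assumption)
    return hmac.new(k, r, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def gen():
    return os.urandom(LAM), os.urandom(LAM)   # k = <k1, k2>

def enc(k, m):
    # the exercise's scheme: every ciphertext carries k1, and carries k2 instead when m == k1
    k1, k2 = k
    r = os.urandom(LAM)
    body = xor(F(k2, r), m)
    return (1, k2, r, body) if m == k1 else (0, k1, r, body)

def dec(k, c):
    _, _, r, body = c
    return xor(F(k[1], r), body)

def cpa_key_recovery(oracle):
    # the adaptive attack from the solution: the first query leaks k1, encrypting k1 then leaks k2
    c = oracle(os.urandom(LAM))   # random m != k1 except with probability 2^-256, so c = <0, k1, r, .>
    c_prime = oracle(c[1])        # m' = k1, so c' = <1, k2, r', .>
    return (c[1], c_prime[1]) if c[0] == 0 else (c_prime[1], c[1])

def attack_succeeds():
    # one run of the attack against a fresh key; True iff the full key <k1, k2> is recovered
    k = gen()
    return cpa_key_recovery(lambda m: enc(k, m)) == k
```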
3.10 Let $G$ be a pseudorandom generator and define $G'(s)$ to be the output of $G$ truncated to $n$ bits (where $|s| = n$). Prove that the function $F_k(x) = G'(k) \oplus x$ is not pseudorandom.
The distinguisher $\mathcal{D}$ chooses two distinct inputs $x$ and $x'$, submits them to the oracle, obtains $y$ and $y'$, and decides whether the oracle is a truly random function by checking $x \oplus x' \overset{?}{=} y \oplus y'$. When $\mathcal{O}$ is a truly random function, $x \oplus x' = y \oplus y'$ holds with probability $1/2^\lambda$; when $\mathcal{O}$ is $F_k(\cdot)$, $x \oplus x' = y \oplus y'$ holds with probability 1.
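The distinguisher of Exercise 3.10 run against both oracles, as an added example that is not from the page; $G$ is modelled by SHA-256 and the truly random function is sampled lazily (assumptions for illustration).

```python
import hashlib, os

N = 16  # n in bytes (n = 128 bits): |k| = |x| = |F_k(x)| = N

def G_prime(k):
    # G'(k): the PRG output truncated to n bits; G is modelled by SHA-256 (assumption, for illustration)
    return hashlib.sha256(k).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_F(k):
    # oracle for F_k(x) = G'(k) xor x: a single fixed pad is reused for every query
    pad = G_prime(k)
    return lambda x: xor(pad, x)

def make_random_function():
    # a truly random function {0,1}^n -> {0,1}^n, sampled lazily on each new query
    table = {}
    def f(x):
        if x not in table:
            table[x] = os.urandom(N)
        return table[x]
    return f

def distinguisher(oracle):
    # D queries two distinct points and outputs 1 ("pseudorandom") iff x xor x' == y xor y'
    x, x_prime = bytes(N), b"\x01" + bytes(N - 1)
    y, y_prime = oracle(x), oracle(x_prime)
    return 1 if xor(x, x_prime) == xor(y, y_prime) else 0

def empirical_advantage(trials=200):
    # |Pr[D^{F_k} = 1] - Pr[D^f = 1]|: the first term is exactly 1, the second is 2^-n per trial
    hits_prf = sum(distinguisher(make_F(os.urandom(N))) for _ in range(trials))
    hits_rand = sum(distinguisher(make_random_function()) for _ in range(trials))
    return abs(hits_prf - hits_rand) / trials
```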
3.14 Let $F$ be a pseudorandom permutation, and define a fixed-length encryption scheme $(Gen, Enc, Dec)$ as follows: On input $m \in \{0,1\}^{n/2}$ and key $k \in \{0,1\}^n$, algorithm $Enc$ chooses a random string $r \gets \{0,1\}^{n/2}$ of length $n/2$ and computes $c := F_k(r \,\|\, m)$. Show how to decrypt, and prove that this scheme is CPA-secure for messages of length $n/2$. (If you are looking for a real challenge, prove that this scheme is CCA-secure if $F$ is a strong pseudorandom permutation.) What are the advantages and disadvantages of this construction as compared to Construction 3.24?
Suppose $F$ is an efficient keyed permutation; then there are probabilistic polynomial-time algorithms that compute $F_k(x)$ and $F_k^{-1}(y)$ respectively. The encryption scheme of the exercise is specified as follows:
$Gen(1^\lambda) \to k$: on input the security parameter $1^\lambda$, choose $k \gets \{0,1\}^\lambda$ uniformly at random and output it.
$Enc(k, m) \to c$: on input the key $k$ and a message $m \in \{0,1\}^{\lambda/2}$, choose $r \gets \{0,1\}^{\lambda/2}$ uniformly at random, compute $c := F_k(r \,\|\, m)$ and output it.
$Dec(k, c) \to m$: on input the key $k$ and a ciphertext $c$, invert the permutation to obtain $x := F_k^{-1}(c)$, and discard the first $\lambda/2$ bits to obtain the message $m$.
(Theorem) If $F$ is a pseudorandom permutation, then the scheme above is CPA-secure.
Proof. Denote the scheme above by $\Pi$. If it is not CPA-secure, then there exists an adversary $\mathcal{A}$ against it that wins the CPA game for this scheme with noticeable probability $\varepsilon(\lambda)$, i.e. with a non-negligible gap from $1/2$.
We now introduce an auxiliary scheme for the proof, $\widetilde{\Pi} = (\widetilde{Gen}, \widetilde{Enc}, \widetilde{Dec})$, constructed as follows:
$\widetilde{Gen}(1^\lambda) \to k$: on input the security parameter $1^\lambda$, choose $k \gets \{0,1\}^\lambda$ uniformly at random and output it.
$\widetilde{Enc}(k, m) \to c$: on input the key $k$ and a message $m \in \{0,1\}^{\lambda/2}$, choose $r \gets \{0,1\}^{\lambda/2}$ uniformly at random, compute $c := f(r \,\|\, m)$ and output it, where $f$ is a uniformly chosen permutation.
$\widetilde{Dec}(k, c) \to m$: there is no decryption algorithm (the decryptor does not know which permutation $f$ the encryptor chose, and hence does not know a description of $f^{-1}$).
When $f$ is a uniformly chosen permutation, the ciphertext $c$ is no different from a uniformly chosen bit string; handing $c$ to $\mathcal{A}$, it wins the CPA game for $\widetilde{\Pi}$ with probability $1/2$.
Exploiting the gap between $\varepsilon(\lambda)$ and $1/2$, we can write the following distinguisher $\mathcal{D}$ that tells the pseudorandom permutation $F_k$ apart from a truly random permutation $f$:
When $\mathcal{A}$ submits $m$ to the encryption oracle, choose $r \gets \{0,1\}^{\lambda/2}$ uniformly at random, submit $r \,\|\, m$ to its own oracle $\mathcal{O}_{F_k/f}$, obtain $c$ and return it to $\mathcal{A}$.
When $\mathcal{A}$ submits $m_0, m_1$, choose a bit $b \gets \{0,1\}$ and $r \gets \{0,1\}^{\lambda/2}$ uniformly at random, submit $r \,\|\, m_b$ to its own challenger $\mathcal{C}_{F_k/f}$, obtain the challenge ciphertext $c$ and return it to $\mathcal{A}$.
Continue interacting with $\mathcal{A}$. Finally, $\mathcal{A}$ submits its guess bit $b'$; if $b = b'$, output 1 to $\mathcal{C}_{F_k/f}$, otherwise output 0 to $\mathcal{C}_{F_k/f}$.
Note that ciphertexts of $\Pi$ and ciphertexts of $\widetilde{\Pi}$ are computationally indistinguishable (otherwise $\mathcal{A}$ could directly tell $F_k$ from $f$, contradicting the definition of $F_k$), so the probabilistic polynomial-time algorithm $\mathcal{A}$ works as usual after receiving the challenge ciphertext and outputs its guess bit $b'$ (if $\mathcal{A}$ realised that this is not a $\Pi$ ciphertext, it might refuse to output a guess $b'$). When $\mathcal{O}_{F_k/f}$ corresponds to $F_k$, the view of $\mathcal{A}$ is that of $\Pi$; when $\mathcal{O}_{F_k/f}$ corresponds to $f$, the view of $\mathcal{A}$ is that of $\widetilde{\Pi}$. Hence

$$\Big| \frac{1}{2} - \varepsilon(\lambda) \Big| > \mathsf{negl}(\lambda),$$

which contradicts the definition of $F_k$; so the assumption that $\Pi$ is not CPA-secure cannot hold.
To prove CCA security, a decryption oracle must additionally be made available. Note the definition of a strong pseudorandom permutation:

$$\Big| \Pr\big[\mathcal{D}^{F_k(\cdot),\, F_k^{-1}(\cdot)}(1^\lambda) = 1\big] - \Pr\big[\mathcal{D}^{f(\cdot),\, f^{-1}(\cdot)}(1^\lambda) = 1\big] \Big| \leq \mathsf{negl}(\lambda),$$

and since a permutation is one-to-one, it is not hard to build the decryption oracle from it; this is not expanded here.
3.16 Consider a variant of CBC-mode encryption where the sender simply increments the $IV$ by $1$ each time a message is encrypted (rather than choosing $IV$ at random each time). Show that the resulting scheme is not CPA-secure.
Assume the initial $IV$ is $0000$ (this easily extends to any initial value). In the encryption-oracle query phase, $\mathcal{A}$ picks $m = 0000$, so $IV \oplus m = 0000$ and it obtains $c = F_k(0)$. The $IV$ is now $0001$; $\mathcal{A}$ deliberately picks $m_0 = 0001$ and $m_1 = 0000$ and obtains the challenge ciphertext $c_b$. If $c = c_b$ it outputs $b' = 0$, otherwise it outputs $b' = 1$, and so it wins the CPA game with probability 1 (the security proof fails for this scheme because the $r$ in $F_k(r)$ repeats with probability 1).
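The predictable-IV attack of Exercise 3.16 played out in code, as an added example that is not from the page: the flawed CBC variant keeps a counter as its $IV$, and the adversary's two chosen messages make the first block input $IV \oplus m$ repeat. $F_k$ is modelled by HMAC-SHA256 truncated to one block (an assumption; the attack only uses the encryption direction, so a PRF stands in for the block cipher and no decryption is implemented).

```python
import hmac, hashlib, os

BLOCK = 16  # block size in bytes

def F(k, x):
    # block function F_k modelled by HMAC-SHA256 truncated to one block (assumption: the attack only
    # calls the encryption direction, so a PRF stands in for the block cipher and no decryption exists)
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class IncrementingIvCbc:
    # the flawed variant: the IV starts at 0 and is incremented by 1 for each encryption
    def __init__(self, k):
        self.k, self.counter = k, 0

    def encrypt(self, m):
        # m must be a multiple of BLOCK bytes; output is IV || c1 || c2 || ...
        iv = self.counter.to_bytes(BLOCK, "big")
        self.counter += 1
        prev, out = iv, b""
        for i in range(0, len(m), BLOCK):
            prev = F(self.k, xor(prev, m[i:i + BLOCK]))
            out += prev
        return iv + out

def cpa_attack(enc_oracle, challenge):
    # query m = 0^n while IV = 0, so F_k is evaluated at 0; the next IV is 1, so choosing
    # m0 = 0^{n-1}1 makes IV xor m0 = 0 again and Enc(m0) repeats the block seen before
    c = enc_oracle(bytes(BLOCK))
    m0, m1 = bytes(BLOCK - 1) + b"\x01", bytes(BLOCK)
    c_b = challenge(m0, m1)
    return 0 if c_b[BLOCK:] == c[BLOCK:] else 1

def run_game(k=None):
    # one run of the CPA game; returns True iff the adversary's guess equals the challenge bit
    scheme = IncrementingIvCbc(k or os.urandom(32))
    b = os.urandom(1)[0] & 1
    guess = cpa_attack(scheme.encrypt, lambda m0, m1: scheme.encrypt((m0, m1)[b]))
    return guess == b
```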
3.21 Let $\Pi_1 = (Gen_1, Enc_1, Dec_1)$ and $\Pi_2 = (Gen_2, Enc_2, Dec_2)$ be two encryption schemes for which it is known that at least one is CPA-secure. The problem is that you don't know which one is CPA-secure and which one may not be. Show how to construct an encryption scheme $\Pi$ that is guaranteed to be CPA-secure as long as at least one of $\Pi_1$ or $\Pi_2$ is CPA-secure. Try to provide a full proof of your answer.
The encryption scheme $\Pi$ is constructed as follows:
$Gen(1^\lambda) \to k$: run $k_1 \gets Gen_1(1^\lambda)$ and $k_2 \gets Gen_2(1^\lambda)$, set $k := (k_1, k_2)$ and output it.
$Enc(k, m) \to c$: compute $c' \gets Enc_1(k_1, m)$, then compute $c \gets Enc_2(k_2, c')$ and output it.
$Dec(k, c) \to m$: compute $m := Dec_1(k_1, Dec_2(k_2, c))$ and output it.
It is easy to see that $\Pr[\mathcal{A} \text{ wins}] \leq \Pr[\mathcal{A} \text{ wins} \land (\Pi_1 \text{ is CPA-secure})] + \Pr[\mathcal{A} \text{ wins} \land (\Pi_2 \text{ is CPA-secure})]$; anyone familiar with reductions can quickly write out the security proof, so it is not expanded here.
3.22 Show that the CBC, OFB, and counter modes of encryption do not yield CCA-secure encryption schemes (regardless of $F$).
The book already gives the explanation:
Specifically, any encryption scheme that allows ciphertexts to be manipulated in any logical way cannot be CCA-secure.
Intuitively, these schemes cannot reach CCA security because a decryption oracle cannot be constructed for them (in a reduction, there is no logical way to simulate the decryption algorithm). Here is a detailed look at why these schemes fail to reach CCA security:
In CBC mode, $\mathcal{A}$ submits $m_0 = 0^\lambda$ and $m_1 = 1^\lambda$ and obtains $c_b$; it flips the last bit of the $IV$ in $c_b$ to obtain $c'$ and submits $c'$ to the decryption oracle; the resulting $m'$ is either $0^{\lambda-1} \,\|\, 1$ or $1^{\lambda-1} \,\|\, 0$.
In OFB and CTR modes, $\mathcal{A}$ instead flips the last bit of $c_b^{(1)}$.
Looking back at the encryption scheme of Exercise 3.14, it can achieve CCA security: flipping one bit of $c$ changes the decrypted plaintext drastically, leaving it with no "logical" relation to the original plaintext. In Chapter 4, message authentication codes (HMAC) are introduced to stop the adversary from manipulating the ciphertexts in a logical way, which is what lets a scheme achieve CCA security.
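An added example, not code from the page or the textbook, serving both Exercise 3.14 and Exercise 3.22. It models the PRP $F_k$ with a 4-round Feistel network built from HMAC-SHA256 (an assumption for illustration, not a production cipher), implements the $F_k(r \,\|\, m)$ scheme with its decryption, and contrasts the IV malleability of CBC (the bit flip of 3.22 lands on the same bit of the first plaintext block) with the scheme of 3.14, where the same one-bit change yields an unrelated plaintext.

```python
import hmac, hashlib, os

BLOCK, HALF = 16, 8   # the PRP acts on n = 128-bit blocks; r and m are n/2 = 64 bits each

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k, i, half):
    # Feistel round function: HMAC-SHA256 keyed with k and the round index, truncated to a half block
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def prp(k, x):
    # a 4-round Feistel network (Luby-Rackoff) stands in for the PRP F_k (assumption, for illustration)
    l, r = x[:HALF], x[HALF:]
    for i in range(4):
        l, r = r, xor(l, _round(k, i, r))
    return l + r

def prp_inv(k, y):
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(k, i, l)), l
    return l + r

def enc_314(k, m):
    # Exercise 3.14: c = F_k(r || m) with a fresh random r of n/2 bits
    return prp(k, os.urandom(HALF) + m)
def dec_314(k, c):
    # decryption inverts the permutation and discards the first n/2 bits
    return prp_inv(k, c)[HALF:]

def cbc_encrypt(k, iv, m):
    prev, out = iv, b""
    for i in range(0, len(m), BLOCK):
        prev = prp(k, xor(prev, m[i:i + BLOCK]))
        out += prev
    return iv + out   # ciphertext layout: IV || c1 || c2 || ...

def cbc_decrypt(k, c):
    return b"".join(xor(prp_inv(k, c[i:i + BLOCK]), c[i - BLOCK:i]) for i in range(BLOCK, len(c), BLOCK))

def flip_bit(c, i):
    return c[:i] + bytes([c[i] ^ 1]) + c[i + 1:]
def cbc_iv_malleability(k, m):
    # Exercise 3.22: flipping the last bit of the IV flips exactly the last bit of the first plaintext block
    return cbc_decrypt(k, flip_bit(cbc_encrypt(k, os.urandom(BLOCK), m), BLOCK - 1))
def scheme_314_bit_flip(k, m):
    # the same one-bit change to an Exercise 3.14 ciphertext yields an unrelated plaintext
    return dec_314(k, flip_bit(enc_314(k, m), BLOCK - 1))
```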