52 Things: Number 32: difference between game-based and simulation-based security definitions
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know to do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. In this post we outline the difference between a game-based and a simulation-based security definition.
In a game-based security definition the security is defined, unsurprisingly, by a game. This game revolves around some generic primitive and is usually played by a challenger and an adversary, where the challenger poses a challenge to the adversary with a certain 'goal' in mind. The adversary may further have access to some number of oracles, and it is said to 'win' if it achieves its goal, which usually means it needs to provide some 'correct' output depending on the challenge. The advantage of an adversary is defined as a number that roughly corresponds to how much 'better' the adversary can do at the game than a trivial adversary that just guesses its output. E.g., if the adversary needs to output the value of a uniformly random bit, its advantage corresponds to how much better it can do than a success probability of one half. Now, a cryptographic scheme is said to satisfy this security definition if and only if no 'efficient' adversary can achieve a substantial advantage when the generic primitive is instantiated by the scheme.
Informally, one may think of the challenger as a legitimate user that wants to use a cryptographic scheme and of the adversary as the bad guy that wants to achieve something against the wishes of the legitimate user, where this 'achievement' corresponds to the goal of the adversary. Generally, the challenger will have access to all secret parameters (think secret or signing key), whereas the adversary only has access to some oracles (think public hash functions or public key encryption) plus whatever it is given by the challenger during the game (think public parameters and the challenge).
Security proofs in this paradigm include two important concepts. To link security to computationally hard problems they use reductions, which lead to a statement of the following form: 'if an adversary wins the game with non-negligible advantage, it is possible to construct an algorithm that uses the adversary as a subroutine to solve some hard problem efficiently.' The other concept is game hopping through a sequence of games. Here, one takes the event of an adversary winning the game and relates it to events in a sequence of different games. Each subsequent game is close to the previous one in the sense that the adversary cannot tell the difference between two subsequent games unless it can solve some hard problem or alternatively something happens that has a negligible probability of happening.
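To make the ingredients above concrete (challenger holding the key, adversary with or without an oracle, advantage measured against the trivial guess of one half), here is a small added example that is not part of the original post. It models a toy 8-bit XOR scheme and two indistinguishability games: a one-time game with no oracle and a chosen-plaintext game in which the adversary may query an encryption oracle under the challenger's key. The key space is small enough that the success probability is computed exactly by enumerating every key and both challenge bits rather than by sampling. The scheme, the two adversaries and the game interface (`choose`/`guess`) are all constructed for this illustration.

```python
from fractions import Fraction

KEY_BITS = 8
KEY_SPACE = range(1 << KEY_BITS)   # 256 keys: small enough to enumerate exhaustively


def xor_encrypt(key: int, msg: int) -> int:
    """Toy scheme (constructed for this example): an 8-bit key XORed onto an 8-bit
    message. A one-time pad if the key is used once; a reused pad otherwise."""
    return key ^ msg


class NoOracleAdversary:
    """Deterministic adversary for the one-time game: it gets no oracle and simply
    guesses from the Hamming weight of the challenge ciphertext."""

    def choose(self, oracle):
        return 0x00, 0xFF, None            # (m0, m1, state carried into guess)

    def guess(self, challenge, state, oracle):
        return 1 if bin(challenge).count("1") >= 4 else 0


class OracleAdversary:
    """Adversary for the CPA game: it queries the encryption oracle on m0 before the
    challenge. Because the toy scheme is deterministic, the oracle's answer reveals
    which of the two messages the challenger encrypted."""

    def choose(self, oracle):
        m0, m1 = 0x00, 0xFF
        return m0, m1, oracle(m0)          # state = Enc(k, m0)

    def guess(self, challenge, state, oracle):
        return 0 if challenge == state else 1


def win_probability(adversary, oracle_allowed: bool) -> Fraction:
    """Exact probability that `adversary` outputs the challenger's bit b.

    Every key and both challenge bits are enumerated, so the result is exact, not a
    Monte Carlo estimate. The challenger holds the key; the adversary sees only what
    the challenger hands it (the challenge) and, if oracle_allowed, an encryption
    oracle under that key."""
    wins = 0
    for key in KEY_SPACE:
        oracle = (lambda m, k=key: xor_encrypt(k, m)) if oracle_allowed else None
        for b in (0, 1):
            m0, m1, state = adversary.choose(oracle)
            challenge = xor_encrypt(key, m1 if b == 1 else m0)
            wins += int(adversary.guess(challenge, state, oracle) == b)
    return Fraction(wins, 2 * len(KEY_SPACE))


def advantage(adversary, oracle_allowed: bool) -> Fraction:
    """Advantage as the post describes it: how much better than the trivial
    bit-guessing success probability of 1/2 the adversary does."""
    return abs(win_probability(adversary, oracle_allowed) - Fraction(1, 2))


if __name__ == "__main__":
    print("one-time game, no oracle:", advantage(NoOracleAdversary(), False))   # 0
    print("CPA game, encryption oracle:", advantage(OracleAdversary(), True))   # 1/2
```

The same scheme has advantage exactly 0 against the oracle-free adversary (each ciphertext is uniformly distributed whichever message was chosen) and the maximal advantage of 1/2 once an encryption oracle is part of the game, which is the point of tying each security notion to its own game: what the adversary is allowed to do is as much part of the definition as what it must output.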
The previous five blog posts in this series contain four game-based security definitions and one example of a game-based proof with a sequence of games, so we will not consider any specific examples here.
In a simulation-based security definition, security is defined by the existence of a simulator and some ideal 'functionality'. Consider a cryptographic scheme in the real world and now imagine how you would like this scheme to behave in an ideal world. E.g., in a voting scheme, it would be nice to have a trusted third party that has secure channels to all voters, takes in all the votes via these secure channels, and publishes the result and nothing else. A cryptographic scheme is now secure if, for any adversary against this scheme in the real world, there exists a simulator that provides the same output as the adversary in the real world, while interacting with the ideal 'functionality' in the ideal world. This means that any 'attack' possible in the real world can also be applied to the ideal functionality in the ideal world. Conversely, if the ideal functionality resists attacks in the ideal world, the real scheme resists these attacks in the real world as well.
The notion first appears in a paper by Goldreich, Micali, and Wigderson, who show that you can play any game (that is, any joint computation by multiple parties) such that at any step of the game, any group of fewer than half the players knows nothing more than it would in an ideal execution of the game with a trusted party. More recently, the notion of simulation-based security appeared in the paper introducing Universal Composability by Ran Canetti. It is mostly used in settings of multi-party computation.
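As an added example (not from the original post) of the real-world/ideal-world picture described above, here is a toy version of the voting scenario. The ideal functionality is a trusted party that outputs only the tally. The real protocol, constructed for this illustration, additively secret-shares each vote over a small modulus among three tally servers, one of which is corrupt; the corrupt server's view is its own shares plus the partial sums the other two servers broadcast to reconstruct the result. The simulator talks only to the ideal functionality (it learns the tally and the number of voters) and must produce a view with the same distribution. Both distributions are computed exactly by enumerating all coin tosses, and a deliberately leaky variant of the protocol is included to show what failure of simulatability looks like.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

P = 5   # modulus for additive secret sharing; toy-sized so every coin toss can be enumerated


def tally_functionality(votes):
    """The ideal functionality: a trusted party that receives every vote over a secure
    channel and outputs only the tally (sum of votes mod P), nothing else."""
    return sum(votes) % P


def real_view(votes, coins):
    """Real protocol (constructed for this example): each vote is split into three
    additive shares held by three tally servers; server 0 is corrupt. coins[i] = (r1, r2)
    are the uniformly random shares of vote i given to servers 1 and 2, so server 0's
    share is vote - r1 - r2. To reconstruct, servers 1 and 2 broadcast the sums of their
    shares. The corrupt server's view is its own shares plus those two partial sums."""
    own = tuple((v - r1 - r2) % P for v, (r1, r2) in zip(votes, coins))
    partial1 = sum(r1 for r1, _ in coins) % P
    partial2 = sum(r2 for _, r2 in coins) % P
    return own, partial1, partial2


def leaky_view(votes, coins):
    """A broken protocol with the same view shape: voters hand server 0 their votes in
    the clear. The arithmetic relation own + partial1 + partial2 = tally still holds,
    but the view now depends on the individual votes, not just on the tally."""
    own = tuple(votes)
    partial1 = sum(r1 for r1, _ in coins) % P
    partial2 = (tally_functionality(votes) - sum(own) - partial1) % P
    return own, partial1, partial2


def simulated_view(tally, n_votes, coins):
    """Simulator: it interacts only with the ideal functionality, so it knows the tally
    and the number of voters but not a single vote. It invents uniform 'shares' and a
    uniform first partial sum, then fixes the second so everything adds up to the tally."""
    own = tuple(coins[:n_votes])
    partial1 = coins[n_votes]
    partial2 = (tally - sum(own) - partial1) % P
    return own, partial1, partial2


def real_distribution(votes, view=real_view):
    """Exact distribution of the corrupt server's view over all protocol randomness."""
    n = len(votes)
    counts = Counter(view(votes, coins)
                     for coins in product(product(range(P), repeat=2), repeat=n))
    return {v: Fraction(c, P ** (2 * n)) for v, c in counts.items()}


def simulated_distribution(votes):
    """Exact distribution of the simulator's output; it depends on the tally alone."""
    n = len(votes)
    tally = tally_functionality(votes)
    counts = Counter(simulated_view(tally, n, coins)
                     for coins in product(range(P), repeat=n + 1))
    return {v: Fraction(c, P ** (n + 1)) for v, c in counts.items()}


def perfectly_simulatable(votes, view=real_view):
    """True iff the real and simulated views are identically distributed, i.e. whatever
    the corrupt server sees, it could have produced from the tally alone."""
    return real_distribution(votes, view) == simulated_distribution(votes)


if __name__ == "__main__":
    print("secret-shared tally:", perfectly_simulatable((1, 0, 1)))             # True
    print("votes in the clear:", perfectly_simulatable((1, 0, 1), leaky_view))  # False
```

For the secret-shared protocol the two distributions coincide exactly, so any 'attack' the corrupt server can mount on the real protocol is one it could equally mount on the ideal functionality, which only ever reveals the tally. For the leaky variant no simulator can succeed: the real view pins down the individual votes, while anything built from the tally alone is identically distributed for every vote vector with that tally.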
So what is the difference? In the game-based approach, each notion of security has its own game. If this notion correctly captures or models the real world attributes you would like your system to have, then you are done. If your scheme needs to satisfy various notions, you will need to play games for each one. However, there is a known hierarchy in some cases, e.g., IND-CCA security implying IND-CPA security.
Conversely, in the simulation-based approach, the security is modeled by the ideal functionality. Conceptually, your schemes will be secure from attacks that do not break the ideal functionality. This means that different security notions are captured by this model.