52 Things: Number 32: difference between game-based and simulation-based security definitions
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know to do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. In this post we outline the difference between a game-based and a simulation-based security definition.
In a game-based security definition the security is defined, unsurprisingly, by a game. This game revolves around some generic primitive and is usually played by a challenger and an adversary, where the challenger poses a challenge to the adversary with a certain 'goal' in mind. The adversary may further have access to some number of oracles, and it is said to 'win' if it achieves its goal, which usually means it needs to provide some 'correct' output depending on the challenge. The advantage of an adversary is defined as a number that roughly corresponds to how much 'better' the adversary can do at the game than a trivial adversary that just guesses its output. E.g., if the adversary needs to output the value of a uniformly random bit, its advantage corresponds to how much better it can do than a success probability of one half. Now, a cryptographic scheme is said to satisfy this security definition if and only if no 'efficient' adversary can achieve a non-negligible advantage when the generic primitive is instantiated by the scheme.
Informally, one may think of the challenger as a legitimate user that wants to use a cryptographic scheme and of the adversary as the bad guy that wants to achieve something against the wishes of the legitimate user, where this 'achievement' corresponds to the goal of the adversary. Generally, the challenger will have access to all secret parameters (think secret or signing key), whereas the adversary only has access to some oracles (think public hash functions or public key encryption) plus whatever it is given by the challenger during the game (think public parameters and the challenge).
Security proofs in this paradigm rely on two important concepts. To link security to computationally hard problems, such proofs use reductions, which lead to a statement of the following form: 'if an adversary wins the game with non-negligible advantage, it is possible to construct an algorithm that uses the adversary as a subroutine to solve some hard problem efficiently.' The other concept is game hopping through a sequence of games. Here, one takes the event of an adversary winning the game and relates it to events in a sequence of different games. Each subsequent game is close to the previous one in the sense that the adversary cannot tell the difference between two consecutive games unless it can solve some hard problem, or unless some event of negligible probability occurs.
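The IND-CPA game and the notion of advantage described above, as an added example that is not part of the original post: a 'replay' adversary queries the encryption oracle and compares the answer with the challenge. Against a constructed deterministic toy scheme it wins with advantage 1; against a constructed randomized toy scheme its advantage is essentially 0. Scheme names, the adversary and all values are constructed here.

```python
import hashlib
import random

# Added example (not from the original post): the IND-CPA game played against
# two constructed toy schemes. random.Random is used so runs are reproducible;
# it is not a cryptographic RNG and these are illustrations, not real ciphers.

KEY_LEN = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key: bytes, m: bytes, rng) -> bytes:
    # Toy deterministic scheme: same key and message always give the same ciphertext.
    return xor(key, m)

def enc_randomized(key: bytes, m: bytes, rng) -> bytes:
    # Toy randomized scheme: fresh nonce r, pad = SHA-256(key || r), c = r || (pad XOR m).
    r = rng.randbytes(KEY_LEN)
    pad = hashlib.sha256(key + r).digest()[:KEY_LEN]
    return r + xor(pad, m)

def ind_cpa_game(enc, adversary, rng) -> bool:
    """One run of the IND-CPA game; returns True iff the adversary wins."""
    key = rng.randbytes(KEY_LEN)                    # challenger holds the secret key
    oracle = lambda m: enc(key, m, rng)             # adversary may query this freely
    m0, m1 = adversary.choose(oracle)               # two equal-length messages
    b = rng.randrange(2)                            # challenger's hidden bit
    challenge = enc(key, (m0, m1)[b], rng)
    return adversary.guess(oracle, challenge) == b

class ReplayAdversary:
    """Queries the oracle on m0, then guesses 0 iff the challenge equals that ciphertext."""

    def choose(self, oracle):
        self.m0, self.m1 = b"A" * KEY_LEN, b"B" * KEY_LEN
        self.c0 = oracle(self.m0)
        return self.m0, self.m1

    def guess(self, oracle, challenge) -> int:
        return 0 if challenge == self.c0 else 1

def advantage(enc, trials: int = 1000, seed: int = 1) -> float:
    """Empirical advantage 2*|Pr[win] - 1/2| of ReplayAdversary over `trials` games."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_game(enc, ReplayAdversary(), rng) for _ in range(trials))
    return abs(2 * wins / trials - 1)
```

The randomized scheme's fresh nonce makes the oracle answer useless for comparison, so the adversary is reduced to guessing and its empirical advantage stays near zero.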
The previous five blog posts in this series contain four game-based security definitions and one example of a game-based proof with a sequence of games, so we will not consider any specific examples here.
In a simulation-based security definition, security is defined by the existence of a simulator and some ideal 'functionality'. Consider a cryptographic scheme in the real world and now imagine how you would like this scheme to behave in an ideal world. E.g., in a voting scheme, it would be nice to have a trusted third party that has secure channels to all voters, takes in all the votes via these secure channels, and publishes the result and nothing else. A cryptographic scheme is now secure if, for any adversary against this scheme in the real world, there exists a simulator that, interacting only with the ideal 'functionality' in the ideal world, provides the same output as the adversary does in the real world. This means that any 'attack' possible in the real world can also be applied to the ideal functionality in the ideal world. Conversely, if the ideal functionality resists attacks in the ideal world, the real scheme resists these attacks in the real world as well.
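The real/ideal comparison from this paragraph, as an added example not from the original post: a one-shot secure channel whose ideal functionality leaks only the message length, a simulator for the one-time pad that fabricates the adversary's view from that leakage, and an environment (distinguisher) that cannot tell the worlds apart for the one-time pad but separates them when a flawed repeated-key scheme is used instead. All names, schemes and values are constructed here.

```python
import random

# Added example (not from the original post): real/ideal paradigm for a one-shot
# secure channel, with an environment acting as the distinguisher. All schemes
# and inputs are constructed; random.Random gives reproducible (not secure) keys.

MSG_LEN = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(m: bytes, rng) -> bytes:
    # One-time pad with a fresh uniform key: the ciphertext is uniform whatever m is.
    return xor(m, rng.randbytes(len(m)))

def repeated_key_encrypt(m: bytes, rng) -> bytes:
    # Flawed scheme: one random byte XORed onto every position of m.
    return xor(m, rng.randbytes(1) * len(m))

def real_world(encrypt, m: bytes, rng) -> bytes:
    """Sender encrypts m; the eavesdropping adversary's view is the ciphertext."""
    return encrypt(m, rng)

def simulator(leakage: int, rng) -> bytes:
    # Simulator for the one-time pad: a uniform string of the leaked length.
    return rng.randbytes(leakage)

def ideal_world(m: bytes, rng) -> bytes:
    """Ideal functionality F_sc delivers m privately and leaks only len(m);
    the simulator must build the adversary's view from that leakage alone."""
    leakage = len(m)
    return simulator(leakage, rng)

def environment_says_real(m: bytes, view: bytes) -> bool:
    """Distinguisher: the environment chose m, so it recovers the 'key' view XOR m
    and checks for the repeated-byte structure only the flawed scheme produces."""
    return len(set(xor(view, m))) == 1

def distinguishing_advantage(encrypt, trials: int = 1000, seed: int = 7) -> float:
    """|Pr[env says real | real world] - Pr[env says real | ideal world]|."""
    rng = random.Random(seed)
    m = bytes(range(MSG_LEN))  # constructed environment input
    real_hits = sum(environment_says_real(m, real_world(encrypt, m, rng)) for _ in range(trials))
    ideal_hits = sum(environment_says_real(m, ideal_world(m, rng)) for _ in range(trials))
    return abs(real_hits - ideal_hits) / trials
```

For the one-time pad the simulator's uniform string has exactly the distribution of the real ciphertext, so the environment's advantage is 0; for the repeated-key scheme the real view has structure the simulator cannot reproduce from the length alone, and the advantage is 1.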
The notion first appears in a paper by Goldreich, Micali, and Wigderson, who show that you can play any game (which is some joint computation by multiple parties) such that at any step of the game, any group of fewer than half the players knows nothing more than it would in an ideal execution of the game with a trusted party. More recently, the notion of simulation-based security appeared in the paper introducing Universal Composability by Ran Canetti. It is mostly used in settings of multi-party computation.
So what is the difference? In the game-based approach, each notion of security has its own game. If this notion correctly captures or models the real world attributes you would like your system to have, then you are done. If your scheme needs to satisfy various notions, you will need to play games for each one. However, there is a known hierarchy in some cases, e.g., IND-CCA security implying IND-CPA security.
Conversely, in the simulation-based approach, the security is modeled by the ideal functionality. Conceptually, your scheme is secure against every attack that does not also succeed against the ideal functionality. This means that several security notions are captured at once by this single model.