密码学归约证明——选择明文攻击下的不可区分性

1. 选择明文攻击 $CPA$ 不可区分性实验 $PrivK_{A,\Pi }^{cpa}\left ( n \right )$

   运行![Gen\left ( 1^{n} \right )](https://latex.codecogs.com/gif.latex?Gen%5Cleft%20%28%201%5E%7Bn%7D%20%5Cright%20%29)生成密钥![k](https://latex.codecogs.com/gif.latex?k) ；输出![\large 1^{n}](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%201%5E%7Bn%7D)给敌手![\large A](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20A)，敌手![\large A](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20A)可以访问预言机![\large Enc_{k}\left ( \cdot \right )](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20Enc_%7Bk%7D%5Cleft%20%28%20%5Ccdot%20%5Cright%20%29)，并输出一对长度相等的消息![\large m_{0},m_{1}](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20m_%7B0%7D%2Cm_%7B1%7D)；选择一个随机比特![\large b\leftarrow \left \{ 0,1 \right \}](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20b%5Cleftarrow%20%5Cleft%20%5C%7B%200%2C1%20%5Cright%20%5C%7D) ，计算出挑战密文![\large c\leftarrow Enc _{k}\left ( m_{b} \right )](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20c%5Cleftarrow%20Enc%20_%7Bk%7D%5Cleft%20%28%20m_%7Bb%7D%20%5Cright%20%29)交给![\large A](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20A) ;敌手![\large A](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20A)继续访问预言机，输出一个比特![\large b'](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20b%27)；如果![\large b=b'](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20b%3Db%27) ，则![PrivK_{A,\Pi }^{cpa}\left ( n \right )=1](https://latex.codecogs.com/gif.latex?%5Cinline%20PrivK_%7BA%2C%5CPi%20%7D%5E%7Bcpa%7D%5Cleft%20%28%20n%20%5Cright%20%29%3D1)，![\large A](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20A)成功。

2. 选择明文攻击 $CPA$ 条件下的不可区分加密

   对称密钥加密方案![\Pi =\left ( Gen,Enc,Dec \right )](https://latex.codecogs.com/gif.latex?%5Cinline%20%5CPi%20%3D%5Cleft%20%28%20Gen%2CEnc%2CDec%20%5Cright%20%29)满足：如果对任意概率多项式敌手![\large A](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%20A)，存在可忽略函数![negl](https://latex.codecogs.com/gif.latex?%5Cinline%20negl)，使

$Pr\left [ PrivK_{A,\Pi }^{cpa}\left ( n \right ) =1\right ]\leq \frac{1}{2}+negl\left ( n \right )$

   则满足选择明文攻击![CPA](https://latex.codecogs.com/gif.latex?CPA)条件下的不可区分加密。

3. 伪随机函数构造 $CPA$ 安全的构造方法 $\large \Pi$

   令![\large F](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F)是伪随机函数，定义一个消息长度为![\large n](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20n)的对称密钥加密方案如下：
  ![\large Gen](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20Gen)：输入![\large 1^{n}](https://latex.codecogs.com/gif.latex?%5Cinline%20%5Clarge%201%5E%7Bn%7D)，均匀随机地选择密钥![\large \large k\leftarrow \left \{ 0,1 \right \}^{n}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5Clarge%20k%5Cleftarrow%20%5Cleft%20%5C%7B%200%2C1%20%5Cright%20%5C%7D%5E%7Bn%7D)
  ![\large Enc](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20Enc)：输入密钥![\large k](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20k)和消息![\large m\in \left \{ 0,1 \right \}^{n}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20m%5Cin%20%5Cleft%20%5C%7B%200%2C1%20%5Cright%20%5C%7D%5E%7Bn%7D)，均匀随机选择![\large r\leftarrow \left \{ 0,1 \right \}^{n}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20r%5Cleftarrow%20%5Cleft%20%5C%7B%200%2C1%20%5Cright%20%5C%7D%5E%7Bn%7D)，输出密文![\large c:= \left \langle r,F_{k}\left ( r\right ) \oplus m\right \rangle](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20c%3A%3D%20%5Cleft%20%5Clangle%20r%2CF_%7Bk%7D%5Cleft%20%28%20r%5Cright%20%29%20%5Coplus%20m%5Cright%20%5Crangle)
  ![\large Dec](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20Dec)：输入密钥![\large k](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20k)和密文![\large c=\left \langle r,s \right \rangle](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20c%3D%5Cleft%20%5Clangle%20r%2Cs%20%5Cright%20%5Crangle)，输出明文![\large m:= F_{k}\left ( r\right ) \oplus s](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20m%3A%3D%20F_%7Bk%7D%5Cleft%20%28%20r%5Cright%20%29%20%5Coplus%20s)

4. 伪随机函数 $\large PRF$

   令![\large F:\left \{ 0,1 \right \}^{*}\times \left \{ 0,1 \right \}^{*}\rightarrow \left \{ 0,1 \right \}^{*}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F%3A%5Cleft%20%5C%7B%200%2C1%20%5Cright%20%5C%7D%5E%7B*%7D%5Ctimes%20%5Cleft%20%5C%7B%200%2C1%20%5Cright%20%5C%7D%5E%7B*%7D%5Crightarrow%20%5Cleft%20%5C%7B%200%2C1%20%5Cright%20%5C%7D%5E%7B*%7D)是有效的、长度保留的、带密钥的函数。如果对于所有多项式时间的区分器![\large D](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20D)，存在可忽略函数![\large negl](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20negl)，满足

$\large \left | Pr\left [ D^{F_{k}\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ] -Pr\left [ D^{f\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ]\right |\leq negl\left ( n \right )$ ，

   则![\large F](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F)是一个伪随机函数，其中![\large k\leftarrow \left \{ 0,1 \right \}^{n}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20k%5Cleftarrow%20%5Cleft%20%5C%7B%200%2C1%20%5Cright%20%5C%7D%5E%7Bn%7D)是随机均匀选择的，![\large f\left ( \cdot \right )](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20f%5Cleft%20%28%20%5Ccdot%20%5Cright%20%29)是将![\large n](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20n)比特字符串映射到![\large n](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20n)比特字符串的函数集合中均匀随机选择出来的。

5. 选择明文攻击下的不可区分性

   如果![\large F](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F)是伪随机函数，则上述构造方法**![\large \Pi](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5CPi)**为消息长度为![\large n](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20n)的定长对称密钥加密方案，在选择明文攻击下不可区分。
   书《现代密码学——原理与协议》中针对此类型的归约给出了通用思路：首先在理想的世界中分析方案的安全性，即用真正的随机函数![\large f](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20f)来取代![\large F_{k}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F_%7Bk%7D)，然后说明此时的安全性；然后当![\large F_{k}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F_%7Bk%7D)被使用时，如果该方案不是安全的，则意味着将![\large F_{k}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F_%7Bk%7D)从真正的随机函数中区分出来是可能的。
   分别创建两个情景：

敌手 $\large D$ 攻击其对应的挑战者 $\large C$

 挑战者![\large C](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20C)有两种方式使用函数来输出![\large t](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20t)：真随机函数![\large f](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20f)和伪随机函数![\large F_{k}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F_%7Bk%7D)。![\large C](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20C)随机地选择![\large t](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20t)交给敌手![D](https://latex.codecogs.com/gif.latex?%5Cinline%20D)来判断该![\large t](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20t)是随机的还是伪随机的。若![D](https://latex.codecogs.com/gif.latex?%5Cinline%20D)输出![b'](https://latex.codecogs.com/gif.latex?%5Cinline%20b%27)满足![b'=b](https://latex.codecogs.com/gif.latex?%5Cinline%20b%27%3Db)，则敌手![D](https://latex.codecogs.com/gif.latex?%5Cinline%20D)成功。
  如果![\large b=0](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20b%3D0)，则敌手![D](https://latex.codecogs.com/gif.latex?%5Cinline%20D)成功的概率为

$\large Pr\left [ D^{F_{k}\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ]$

   如果![\large b=1](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20b%3D1)，则敌手![D](https://latex.codecogs.com/gif.latex?%5Cinline%20D)成功的概率为

$\large Pr\left [ D^{f\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ]$

   且伪随机函数![\large F_{k}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F_%7Bk%7D)满足

$\large \left | Pr\left [ D^{F_{k}\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ] -Pr\left [ D^{f\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ]\right |\leq negl\left ( n \right )$

   图解：

敌手 $\large A$ 攻击 $\large \Pi$

 ![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)生成两个长度相等的字符串![\large m_{0}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20m_%7B0%7D)和![\large m_{1}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20m_%7B1%7D)。![\large \Pi](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5CPi)随机选择![\large m](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20m)，计算密文![\large c](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20c)交给![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)来判断![\large c](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20c)来自![\large m_{0}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20m_%7B0%7D)还是![\large m_{1}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20m_%7B1%7D)。若![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)输出![\large b'=b](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20b%27%3Db)，则成功。
 如果![\large t](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20t)来自随机函数，令加密方案![\large \widetilde{\Pi }](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5Cwidetilde%7B%5CPi%20%7D)：用真正的随机函数![\large f](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20f)来代替伪随机函数![\large F_{k}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20F_%7Bk%7D)，其他与![\large \Pi](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5CPi)相同。每个敌手![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)最多向它的加密预言机问询多项式![\large q\left ( n \right )](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20q%5Cleft%20%28%20n%20%5Cright%20%29)次，有

$\large Pr\left [ PrivK_{A,\widetilde{\Pi }}^{cpa} \left ( n\right )=1\right ]\leq \frac{1}{2}+\frac{q\left ( n \right )}{2^{n}}$

  * 下面证明此命题：*

  令![\large r_{c}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20r_%7Bc%7D)表示生成挑战密文![\large c=\left \langle r_{c},f\left ( r_{c}\oplus m_{b} \right ) \right \rangle](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20c%3D%5Cleft%20%5Clangle%20r_%7Bc%7D%2Cf%5Cleft%20%28%20r_%7Bc%7D%5Coplus%20m_%7Bb%7D%20%5Cright%20%29%20%5Cright%20%5Crangle)时生成的随机字符串。有两种情况：*

  值![\large r_{c}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20r_%7Bc%7D)被加密预言机使用来回答至少一个![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)的问询：*

  无论何时加密预言机返回一个密文![\large \left \langle r,s \right \rangle](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5Cleft%20%5Clangle%20r%2Cs%20%5Cright%20%5Crangle)来回应加密消息![\large m](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20m)的请求，敌手由![\large f\left ( r \right )=s\oplus m](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20f%5Cleft%20%28%20r%20%5Cright%20%29%3Ds%5Coplus%20m)掌握了值![\large f\left ( r \right )](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20f%5Cleft%20%28%20r%20%5Cright%20%29)。此时，![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)可能轻易地判断出哪一个消息被加密。因为![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)最多向预言机问询![\large q\left ( n \right )](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20q%5Cleft%20%28%20n%20%5Cright%20%29)次，并且每次预言机回答它的问询都是使用一个均匀选择的![\large r](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20r)，所以该事件发生的概率最多为![\large \frac{q\left ( n \right )}{2^{n}}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5Cfrac%7Bq%5Cleft%20%28%20n%20%5Cright%20%29%7D%7B2%5E%7Bn%7D%7D)。*

  值![\large r_{c}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20r_%7Bc%7D)没有被加密预言机用来回答![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)的问询：*

  这种情况下，![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)在和加密预言机的交互过程中，没有掌握任何关于![\large f\left ( r_{c} \right )](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20f%5Cleft%20%28%20r_%7Bc%7D%20%5Cright%20%29)值的信息。在这种情况下，输出![b'=b](https://latex.codecogs.com/gif.latex?%5Cinline%20b%27%3Db)的概率刚好是![\large \frac{1}{2}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5Cfrac%7B1%7D%7B2%7D)（类似于“一次一密”）。*

  令![\large Repeat](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20Repeat)表示值![\large r_{c}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20r_%7Bc%7D)被加密预言机使用来回答至少一个![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)的问询的事件。则有*

$\large Pr\left [ PrivK_{A,\widetilde{\Pi }}^{cpa} \left ( n \right )=1\right ]$

$\large =Pr\left [ PrivK_{A,\widetilde{\Pi }}^{cpa} \left ( n \right )=1\wedge Repeat \right ]+Pr\left [ PrivK_{A,\widetilde{\Pi }}^{cpa} \left ( n \right )=1\wedge \overline{Repeat}\right ]$

$\large \leq Pr\left [ Repeat \right ]+Pr\left [ PrivK_{A,\widetilde{\Pi }}^{cpa} \left ( n \right )=1| \overline{Repeat}\right ]\leq \frac{1}{2}+\frac{q\left ( n \right )}{2^{n}}$

  得证。*
 如果![\large t](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20t)来自伪随机函数，则敌手![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)成功的概率被表示为

$\large Pr\left [ PrivK_{A,\Pi }^{cpa}\left ( n \right ) =1\right ]$

   如果下面不等式成立，就可以说明加密协议![\large \Pi](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5CPi)是安全的：

$\large \left | Pr\left [ D^{F_{k}\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ] -Pr\left [ D^{f\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ]\right |\leq negl\left ( n \right )$

   图解：

证明：根据上面所述的情景，正式说明逻辑命题等价式表示为：

$\large Pr\left [ PrivK_{A,\Pi }^{cpa}\left ( n \right ) =1\right ]\leq \frac{1}{2}+negl\left ( n \right )$

   令区分器![\large D](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20D)使用![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)作为子程序，来模拟![\large CPA](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20CPA)不可区分实验。

   如果![\large D](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20D)的预言机是一个伪随机函数，那么当![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)被![\large D](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20D)作为一个子程序运行时的所见视图分布，与在实验![PrivK_{A,\Pi }^{cpa}\left ( n \right )](https://latex.codecogs.com/gif.latex?PrivK_%7BA%2C%5CPi%20%7D%5E%7Bcpa%7D%5Cleft%20%28%20n%20%5Cright%20%29)中![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)所见的视图分布是相同的。则

$\large Pr\left [ D^{F_{k}\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ]=Pr\left [ PrivK_{A,\Pi }^{cpa}\left ( n \right ) =1\right ]$

   如果![\large D](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20D)的预言机是一个随机函数，那么当![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)被![\large D](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20D)作为一个子程序运行时的所见视图分布，与在实验![\large PrivK_{A,\widetilde{\Pi }}^{cpa} \left ( n \right )](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20PrivK_%7BA%2C%5Cwidetilde%7B%5CPi%20%7D%7D%5E%7Bcpa%7D%20%5Cleft%20%28%20n%20%5Cright%20%29)中![\large A](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20A)所见的视图分布是相同的。则

$\large Pr\left [ D^{f\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ]=Pr\left [ PrivK_{A,\widetilde{\Pi }}^{cpa} \left ( n \right )=1\right ]$

   根据不等式![\large \left | Pr\left [ D^{F_{k}\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ] -Pr\left [ D^{f\left ( \cdot \right )}\left ( 1^{n} \right )=1 \right ]\right |\leq negl\left ( n \right )](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5Cleft%20%7C%20Pr%5Cleft%20%5B%20D%5E%7BF_%7Bk%7D%5Cleft%20%28%20%5Ccdot%20%5Cright%20%29%7D%5Cleft%20%28%201%5E%7Bn%7D%20%5Cright%20%29%3D1%20%5Cright%20%5D%20-Pr%5Cleft%20%5B%20D%5E%7Bf%5Cleft%20%28%20%5Ccdot%20%5Cright%20%29%7D%5Cleft%20%28%201%5E%7Bn%7D%20%5Cright%20%29%3D1%20%5Cright%20%5D%5Cright%20%7C%5Cleq%20negl%5Cleft%20%28%20n%20%5Cright%20%29)有

$\large Pr\left [ PrivK_{A,\Pi }^{cpa}\left ( n \right ) =1\right ]$ 相关于 $\large negl\left ( n \right )+ \frac{1}{2}+\frac{q\left ( n \right )}{2^{n}}$

   由于![\large \frac{q\left ( n \right )}{2^{n}}](https://latex.codecogs.com/gif.latex?%5Cdpi%7B80%7D%20%5Clarge%20%5Cfrac%7Bq%5Cleft%20%28%20n%20%5Cright%20%29%7D%7B2%5E%7Bn%7D%7D)满足多项式，得证。

6. 参考文献

   乔纳森.卡茨，耶胡达.林德尔著，任伟译，现代密码学——原理与协议，国防工业出版社，2017年第一版第4次印刷.

标签：安全

本文转载自: https://blog.csdn.net/weixin_65617488/article/details/126859473
版权归原作者 皮皮罴 所有，如有侵权，请联系我们删除。