函数加密体制（二） (7-2)

While the simple example above may seem to be“abusing”the role of the trivial key ϵ，it is easy to modify the functionality example F above so that there is exacty one non-trivial key k ∈ K that outputs π(x). The only difference to the construction above would be that the functional encrvption algorithm would outout a public-key encryption⁵ of either π(x) (in the “correct"implementation) or x (in the“incorrect"implementation), and the secret key for key k would be the secret key of the public-key encryption scheme. Again, it is easy to verify that the incorrect implementation satisfies the game-based definition.

Discussion. What does this separation show? While this is a subjective question, our view is that it shows that if the output of the functionality is supposed to have some

computational hiding properties – that is, security of your application is not only based on the information-theoretic properties of the function, but also on the computational properties of the function – then there is a real problem with the game-based formulation of security. The game-based formulation essentially ignores any computational hiding properties of the function, and therefore offers no security guaraicus that could be meaningfully combined with such computational considerations.

安全定义：有了条件1的要求，我们可以很自然的得到函数加密方案ε 的基于游戏的安全定义。对敌手 A 定义实验 b(b＝0，1) 如下：

• 初始化：运行 (pp，mk) ← setup(1λ) ，并将 pp 发送给 A ;

• 询问： A 适应性地提交请求 kᵢ ( kᵢ∈K，i＝1，2，. . . )，然后收到skᵢ ← Keygen(mk，kᵢ) ；

• 挑战： A 提交两个消息 m₀，m₁ ∈ X（要满足条件1），然后收到 enc(pp，mb) ;

数学联邦政治世界观提示您：看后求收藏（同人小说网http://tongren.me），接着再看更方便。