函数加密体制（二） (7-4)

明显地，密文c 泄露了 F(kᵢ，x)，i＝1，. . .，s 的比特长度。因此为了保证这个结构的安全性，我们必须假定空功能 F(ϵ，·) 已经泄露了这个信息，也就是说 |F(kᵢ，x)|，i＝1，. . .，s 包含在了 F(ϵ，x) 内。我们说 F 泄露了功能的比特长度。

定理1：设 F 是一个泄露功能比特长度的函数。若 (G，E，D) 是语义安全的公钥加密方案，则实现功能 F 蛮力构造的函数方案是安全的。

证明（证明框架）：证明方法是对挑战密文的s 个部分进行标准混合论证。

We briefly show that any functionality F where the key space K has polynomial size can be easily realized. Write s＝|K| – 1 and K＝{ϵ，k₁，. . .，kₛ). In this brute force construction, the size of public parameters, secret key,and ciphertext are all propor- tional to s. A closely related construction is given in [BW07].

The brute force FE scheme realizing F uses a semantically secure public-key en-cryption scheme (G，E，D) and works as follows：

– setup(1λ)：for i＝1，. . .，s run (pp，mkᵢ) ← G(1λ).

output：pp：＝(ppᵢ，. . .，ppₛ) and mk：＝(mk₁，. . .，mkₛ)

– keygen(mk，kᵢ)：output skᵢ：＝mkᵢ.

– enc(pp，x)：output c：=，＝(F(ϵ，x)，E(pp，F(kᵢ，x))，. . .，E(ppₛ，F(kₛ，x))).

– dec(skᵢ，c):output c₀ if skᵢ＝ϵ，and output D(skᵢ，cᵢ) otherwise.

Clearly, a ciphertext c leaks the bit lengths of F(kᵢ，x) for i＝1，. . .，s. Therefore，for this construction to be secure we must assume that this information is already leaked by the empty functionality F(ϵ，·)，namely that |F(kᵢ， x)| for i＝1，. . .，s is contained in F(ϵ，x). If so then we say that F'reveals functional bit lengths.

Theorem 1.Let F be α functionαlity thαt reνeαls functionαl bit lengths. If (G，E，D) is α semαnticαlly secure public-key encryption scheme then the brute force FE system implementing F is secure.

数学联邦政治世界观提示您：看后求收藏（同人小说网http://tongren.me），接着再看更方便。