Identity-Based-Encryption

CPA安全IBE中攻擊者的優勢

  • July 14, 2016

在 CPA 安全 IBE 系統中,攻擊者 (A) 的優勢定義為

$$ Pr[b=b^{’}]-\frac{1}{2} $$ 有人可以用幾句話向我解釋一下嗎?這個絕對值究竟是從哪裡來的?這種優勢在密碼學領域有多普遍?含義:一般多久考慮一次攻擊者優勢?

有時,為了更容易理解,將優勢乘以 2: $ Adv = 2|\Pr[b’ = b] - 1/2| $ .

請注意,當對手在破壞協議方面沒有優勢時,他/她唯一能做的就是猜測 $ b’ $ at random. In this case, $ \Pr[b’ = b] = 1/2 $ and thus $ Adv = 0 $ .

When the adversary always correctly finds the value of $ b’ $ , we have $ \Pr[b’=b] = 1 $ and thus $ Adv = 1 $ .

Similarly, when the adversary always incorrectly guesses the value of $ b’ $ , we have $ \Pr[b’=b] = 0 $ and thus $ Adv = 1 $ . Note that such an adversary is as powerful that an adversary who always guesses the correct the value. It suffices to flip the result to get the same answer.

To sum up, the advantage is a value between 0 and 1 (or 0 and 1/2 with your definition). The higher the value is, the more powerful the adversary is.

In practice, typically, a cryptographic construction is said IND-CPA secure if $ Adv < 2^{-128} $ .

引用自:https://crypto.stackexchange.com/questions/37708