A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter
Sample Selection Method for Differential Power Attacks

Abstract: To solve the problem of selecting samples in the differential power attack (DPA), this paper proposes a sample selection method. Starting from the experimental platform in use, the mode and the number of samples are derived through theoretical analysis and then validated by experiment. Taking the AES algorithm as an example, both a simulated and a measured attack are carried out, and both confirm the accuracy of the proposed selection method. The results show that the plaintext samples for a simulated attack should be taken in sequence, with a quantity of one full permutation, whereas a measured attack should directly use a large number of random plaintexts; the two cases differ considerably in what they require of the plaintext samples.

Keywords: differential power attack (DPA); sample selection; power trace; advanced encryption standard (AES)

CLC number: TN492; TP309.2   Document code: A

0 Introduction

Power analysis is one of the most widely used and most threatening side-channel attack techniques. Its basic idea is to recover a cryptographic device's key by analysing the device's power consumption.
First Aid

Detailed reading: Focus on information
Part 2: causes
○ hot liquids ○ mild weather ○ electricity ○ fire ○ spring (hot spring)
○ chemicals ○ steam ○ the sun ○ radiation
……
Key phrases: property safety; sports injury prevention; safety awareness; fire prevention; food safety; improvement; mental health; physical health
Extension: Focus on thinking
Supporting actor: Me
Prevention is better than first aid!
We should create a safe campus!
Extension: Focus on thinking (forum)
Topic: How to create a safe campus?
Part 3-4: types and characteristics of burns
first degree burns: mild sunburn and burns caused by touching a hot pan or iron
second degree burns: severe sunburn and burns caused by hot liquid
First aid for burns
Pre-emptive Strategy (in English)

Introduction

The concept of a pre-emptive strategy is deeply rooted in the realms of military tactics, business strategies, and international relations, often serving as a proactive measure to mitigate potential threats or exploit emerging opportunities. This approach involves taking decisive action before an adversary can do so, thereby gaining a strategic advantage. The application of this principle across various domains necessitates a thorough understanding of its dynamics and implications from multiple perspectives, especially when aiming for high-quality and high-standard decision-making.

1. **Military Dimension**

In the context of military strategy, a pre-emptive strike is a calculated offensive action undertaken to defeat an enemy's ability or intention to attack. This approach was notably employed in historical events such as the Six-Day War by Israel in 1967. From a high-quality, high-standard perspective, a successful pre-emptive military strategy requires meticulous intelligence gathering, advanced logistical planning, and precision execution. It must be backed by clear evidence of an imminent threat and align with ethical and legal frameworks to ensure it doesn't undermine global peace and stability.

2. **Business and Economic Perspective**

In the corporate world, a pre-emptive strategy might involve launching a new product, acquiring a competitor, or investing in innovative technology before rivals can. For instance, tech giants like Apple have often adopted a pre-emptive approach by continuously innovating and introducing products that disrupt markets before competitors can catch up. To execute such strategies at a high standard, businesses need to possess strong foresight, agile innovation capabilities, robust risk assessment, and a deep understanding of market dynamics. Quality here is measured by the effectiveness of the strategy in securing long-term competitive advantages and sustainable growth.

3. **International Relations and Diplomacy**

In international diplomacy, a pre-emptive strategy could mean diplomatic initiatives to prevent conflicts, economic sanctions to deter aggressive behavior, or early negotiations to resolve disputes. The high standards lie in the ability to predict and defuse crises while maintaining respect for international law and norms. Quality in this realm means crafting smart policies that balance assertiveness with cooperation, promoting stability and mutual benefits over unilateral gains.

4. **Environmental and Health Policy**

Pre-emptive strategies also play a significant role in public health and environmental policy. Anticipatory measures such as vaccination campaigns before an epidemic spreads or preventative pollution control measures demonstrate this approach. Here, high quality and standards require scientific accuracy, swift response mechanisms, and equitable distribution of resources to protect the most vulnerable populations.

5. **Legal and Regulatory Frameworks**

In the legal field, pre-emptive legislation can anticipate future issues and set regulatory standards to prevent harm. For example, data privacy laws often pre-emptively address potential misuse of personal information. The challenge lies in striking the right balance between over-regulation and under-preparation, ensuring that the law is forward-thinking yet practical, and protective without stifling innovation – all hallmarks of a high-quality, high-standard legal framework.

Conclusion

In summary, the adoption and execution of a pre-emptive strategy across different sectors require rigorous analysis, careful planning, and bold action. Its success is predicated on the ability to identify key indicators, forecast outcomes accurately, and act decisively within the confines of ethical, legal, and social norms.

By adhering to these principles, organizations and governments can harness the power of a pre-emptive strategy to achieve high-quality and high-standard outcomes, whether it's protecting national security, gaining market share, preserving global stability, safeguarding public health, or shaping regulatory landscapes. However, the complexity and unpredictability of human systems mean that even the best-laid plans may encounter unforeseen challenges; thus, continuous review, adaptation, and learning are crucial components of any effective pre-emptive strategy.

While this overview has touched upon several dimensions, each context brings unique nuances that demand tailored approaches to meet the stringent criteria of high-quality, high-standard pre-emption. In essence, pre-emption is not merely about being first; it's about being right, responsible, and responsive in the face of uncertainty.
Billions, Season 1: Chinese-English parallel script

101

You're in need of correction, aren't you?
Yeah.
I might leave marks.
Not a great idea.
That's not a no.
That's got to burn.
Let me fix it.
[U.S. Attorney's Office, Southern District of New York]
See, what you have to understand, Michael, is that this is a fucked up free zone.
Guys who sit in Chuck's chair become mayor.
Governor.
We have to be beyond reproach.
So no tinder at the goddamn office, okay?
It feels like yesterday I was telling you all this.
Mm, 18 months ago.
Added some stuff of my own in there.
Yeah. Tinder. I heard.
Come on. He's waiting.
Well, off the record, the, uh, Attorney General's always happy to take my recommendations on who to appoint to the federal bench.
Very good.
Thank you.
Sir.
Okay, guys. What do we got on deck?
Progress report on two of the open investigations.
Ari Spyros from the S.E.C...
Call back.
...is here.
I'm sorry, sir. He... he wouldn't...
It's fine, Kim. It's okay. Thank you.
Well, Spyros.
What's the occasion?
We're not interviewing right now.
Funny. Here.
This got your panties all sticky?
Drenched.
Suspect trading pattern on Pepsum Pharmaceuticals.
One of my grunts riding the Midas spotted a days-long buy spike.
[Century Capital, Old Oaks Investments, Quaker Ridge]
Yeah, get me Spyros.
Take a look.
You can all study the charts, or I can give you the answers to the test.
- Please. - Lenny Bosco... Old Oaks Investments.
Peter Decker... Quaker Ridge Financial.
Dan Margolis... Century Capital.
These three small firms all knew exactly when to buy and when to sell the stock.
They had inside information.
You must get pings like that every day.
We do.
So? Get them talking and fine them.
It's bigger than that.
All three firms have links to Bobby Axelrod.
Bobby fucking Axelrod. Man of the people.
You only have that exact look on your face when you're here.
The pizza's just really fucking good.
Take a bite.
It's good.
Good? That is a thing of beauty.
That's why we lived in here when we were kids.
I don't usually open for breakfast, guys.
You want another?
I do.
We want 'em all.
All?
I want to come in with you.
Partner up.
What the fuck did you tell him, kid?
I don't want no charity.
Look, all I told him was the truth, Bruno, okay?
That I got a call from a guy who said he was coming in here with a falafel shop, and would I contract the rebuild.
And when I asked you about it, you said that you were getting squeezed by a new landlord.
And when I got that call, I made a couple calls of my own.
Falafel shop goes in the mall.
We lock you in on a 20-year lease, and I cover the overage.
I-I-I don't know, Bobby.
Come on. What is there to know?
You let me slide for weeks without paying when I was coming in here every day after school.
That was just 'cause you were a good customer.
Which I want to keep being.
Nothing changes.
Thank you. Thank you.
I'd love to tell you I knew you'd grow up to become what you did, but to be honest, I had no idea.
That makes two of us.
Come here.
Thanks.
[Axe Capital, Westport, Connecticut]
Bobby, we are ready to roll on something sweet.
I think you'll want to piggyback.
What do you got?
Lumetherm Power getting bought by Electric Sun.
Price is $41. Stock's trading at $35.
We're looking at a 17% bump in two weeks when the deal closes.
Annualized, that's $442...
I'd love to size up.
Maybe you buy 2 million shares for the main fund.
- Sounds about right. - Great.
Scott Kazawitz's name is being floated as the new chairman.
Kazawitz.
That's a new piece of information.
Well, that's what you pay me for.
Who said this deal is gonna close?
Ben said it would this morning.
Me? Everyone's saying it.
Who is this?
My new analyst.
Well, if we hired you, you must be a genius.
Yale?
Stanford. Then Wharton.
Okay, Stanford-Wharton.
Electric Sun is controlled by Kazawitz.
He also owns 19.3% of Lumetherm, backdoored through his stake in Southern Wind.
You see that block trade last Thursday come out of Merrill?
[note: Merrill, a U.S. securities firm]
Yeah. That was Fortress cashing out their shorts before the merger.
Wasn't it?
Trade was at 12:52, when everyone was at lunch, which tells me they wanted it to be missed.
You guys caught it, which is something, I guess.
But you're looking at it backward.
Electric Sun's offer was just a ploy to temporarily prop up Lumetherm.
Typical Kazawitz play to bail on a loser. He's an animal.
The block trade was Kazawitz getting out of Southern Wind, getting out of Lumetherm.
He rode the story, now he's out, which means you need to be out.
In fact, short.
It'll slide to $32 and change after word breaks.
That's a good catch, Axe.
My cholesterol's high enough.
Don't butter my ass, Danzig. Just get smarter.
Your read was good with the information you had.
You're new. You'll figure it out.
Or you'll be gone.
Jesus Christ.
Yeah. And he went to Hofstra.
This is big. It's criminal.
And I want to be a part of treeing Bobby Axelrod.
Hey, I want to be an astronaut, but, uh, you know, I get airsick in choppy weather.
Your burden of proof is lower.
They'll talk to you because they're happy to pay a fine and move on.
I'm at the coalface.
And I really don't appreciate you strolling in here and telling me how to deploy my resources because you can't build your own fucking case.
I get it. You guys are rock stars.
Yeah, we get it. You want to be one, too.
None of that matters.
Uh, Spyros, if you've locked on to some trail of bread crumbs that leads to Bobby Axelrod, that could be a win for everyone.
So, leave your stuff, we'll take a look, and we'll let you know if it rises to the level that we can prosecute, one that won't be reversed on appeal.
You know, I understand the source of your reluctance.
I have a wife, too.
But it's your job...
Hey, you got your answer.
We're done.
I loved and remember each and every one of your fathers, so I'm proud of all of you who are ready to head off to school in the fall.
26 of ours put through college by the Memorial Foundation so far.
And this year's group... so let's bring them up, and let's give them a round of applause for their achievement.
Freddie Aquafino, off to Duke.
Freddie, Freddie.
I traded shoulder to shoulder with your father.
He'd be so proud of you today.
First year's tuition and board.
All right, come here.
That's what this is all about, guys.
Not only how our firm survived 9/11, but how we didn't give up.
How we committed to each other, to our family.
And I am so moved by how we've all flourished together.
Some flourishing more than others.
It's just wrong that you're the one standing there.
All right, that's enough.
No, no. It's okay. June...
I'd feel the same way.
I get it.
You got to be thinking, "Why was he spared? Why is my husband gone?"
For months after the planes hit, all I could do was ask myself why.
Why was I the only surviving partner?
Why wasn't I there?
Could... could I have done something?
Why was I the only one out of the office on meetings that morning?
We'll never know.
So I made up my own "Why."
Because of you.
You put it all on your back, Bobby.
Am I the greatest guy in the world?
Hell, no.
I just did what I knew the partners and friends I'd lost would've done for my family.
What your husband would've done, June.
And you know I'm sorry.
'Cause I miss Rake every day... just as my beautiful wife, Lara, misses her heroic brother Dean.
Bobby Axelrod is Mike Tyson in his prime.
And you do not want Mike Tyson in his prime.
Remember what happened to the guys who fought him then?
Yeah, they got their faces pushed in.
But eventually he got beat.
Buster Douglas knocked him on his ass.
- Right. - Ketchup?
"Eventually" is the key word.
When Tyson was ready to go.
Since my appointment, this office is undefeated in financial prosecutions... 81 and 0.
And that's because I know when the time is right.
I get it, but... this would be a big one.
Bryan, what do you think happened here this morning?
We got significant information.
Maybe. Or maybe it was Spyros setting us up.
Now, we go in first and lose in the criminal action, Spyros in the S.E.C. can still get him civilly.
Now, we win, Spyros wins. We lose... Spyros still fucking wins.
Damn. The ketchup's empty.
We've got to be playing three-dimensional chess.
Axe is a folk hero in this town.
The guy gave the New York City Firefighter's Foundation $100 million last year.
Police gave him a plaque at Ground Zero with his goddamn name on it.
Spitzer's name was on all the highway signs, too.
Signs come down.
That's why I love you, man.
But a good matador doesn't try to kill a fresh bull.
You wait until he's been stuck a few times.
We need an opening, however small.
Then we get the guy the moment that he's gettable, just like the others.
But not if there's a chance we lose.
What about... the other issue?
The one Spyros mentioned... home?
Was he right about that?
No.
I'm sorry. I'm sorry.
I-I don't...
- I don't know what... - You know what, it's a tough day for everyone.
Just...
I just had to sell the Oceanis.
Rake just loved that boat.
I am sure that's why it upset you.
You know, me, I never set foot on a yacht until I started dating Bobby.
In Inwood, growing up, the only boating we ever did was the Staten Island Ferry.
Big Irish family. Five sibs.
Close, though.
Firemen, cops, nurses.
Then, when I moved up here, this world, I saw how everyone looked at me.
I never judged.
Of course not.
So I got my act together.
And I'm comfortable in this life.
But certain things you learn in Inwood, they never leave you... you know, like the idea that if someone has a problem with you and they come to you in person, you do what you can to take care of it.
But if they take that beef public, the ground just falls out from beneath them where I'm from.
You find yourself all alone.
Are you threatening me?
You're fucking right I am.
It's how I grew up.
Excuse me, sir?
Yes?
I may be speaking out of turn...
I probably shouldn't have even been in the room where Axelrod was discussed...
but you know the Norton place out at the beach?
- Why would we? - Not you. The U.S. Attorney.
His father's house is around the jetty.
Yes, I know the house. What?
I just heard Bobby Axelrod is trying to buy it.
Where did you hear that?
Court clerk's cousin works for the realtor and mentioned it.
- How much? - $83 million.
Really?
That would be widely reported.
Widely.
People hate guys who buy things like that.
I just lost my mojo somewhere along the line.
It's fucking gone.
And you're Mrs. Mojo, so I booked the appointment.
It's Dr. Mojo.
Right.
I hear it happens to guys my age.
Maybe I'm depressed.
Maybe I should try some Prozac, Effexor...
We'll get to that.
Now, have you been eating, sleeping, exercising?
Yeah, more or less.
Maybe not so much with the sleeping.
And things with your wife?
Okay, mostly.
Sex?
Normal.
I've been married 10 years, so...
So down to just once a day.
So, it's really just the book?
I'm down 4% year to date.
Everyone else is up double digits.
I'm down.
- I'm fucked. - You don't need meds.
You're just listening to the wrong voice.
You're tuned into the one yelling at you over the loudspeaker that you're fucking stupid and your performance blows.
And you're ignoring the quiet one inside telling you where the alpha is.
Now, that's the voice that got you here.
And it's still there if you're willing to listen.
What's that voice telling you?
That even though I've stiffed a few that I'm pretty damn good.
Stand up.
Stand up.
What'd you take down last year?
$7.2 million.
$7.2 million.
$7.2 mill... feel that.
$7.2 million.
Bring it close.
$7.2 million.
So, what's it saying?
- That I'm awesome. - There you go.
And what does it have to say back to that loud, critical voice?
It's saying, "Fuck you."
Good!
Sit down.
Now, I want you to go back to your Bloomberg and cut bait on your losers... you know the ones.
The ones you've been defending, hoping they'll come round, but, secretly, you know never will.
I want you to just commit that you're in it for the long haul, that you will succeed.
And once you do that, the new ideas, the winners, will present themselves because you are a winner.
You're in the Special Forces here.
You are a Navy SEAL.
And there's a reason for that.
Did the S.E.A.L.S make a mistake signing you up?
No. They did not.
The S.E.A.L.S don't make mistakes.
So get out there and do what needs to be done.
We have to stop here.
[Axe Capital]
Hello, guys.
- Daddy! - Oh, how are you? Hm?
How was school? What'd you get up to?
- It was boring. - It was boring.
Boring. Fantastic. Money well spent.
Those go off after dinner, okay?
Okay!
Hey, babe.
Hi, honey.
What are you working on?
Just session notes.
Wall-to-wall Oedipal Complexes making them all go limp?
You have an amazing understanding of people.
What are we drinking, here?
The usual.
How's crime fighting?
The usual.
You good with your situation?
I know you said you might've been feeling bored a while back.
That's not exactly what I said.
You said, uh, you weren't sure if you were still growing.
What's this about?
I was talking to the head counsel of G.E., and they're looking for a new head of H.R.
I can put in the word if you want it.
Is there s... is there some reason I can't keep doing my job?
No. What do you mean?
I heard about a position, so I presented it.
Don't you get enough of moving the pieces around the board at work?
Okay. You don't want to hear about opportunities, fine.
Are you prosecuting somebody at Axe?
What's going on, Chuck?
First off, no.
And second, you know that we don't discuss that.
So quit your fucking job.
Hey, Kev, will you take your sister upstairs and, uh, start the bath?
I'll be up in a minute, okay?
Thank you.
Take it easy, okay?
I'm the goddamn U.S. Attorney, Wendy.
So? I've been working there since before we were married and long before you were in office.
Look, not that we're there, but we did always discuss that the day might come when there was a conflict.
That was before I was making eight times what you make.
And before you started making Chuck Sr. plays like this.
Leave him out of it. Okay?
And who makes more money? Really?
Is this, uh, what we're teaching the kids?
Oh, are we teaching them that Daddy's job is always more important than Mommy's?
I work for the public good.
No, you work for the good of Chuck Rhoades.
Maybe sometimes they intersect.
Oh, my God.
Would you turn off your fucking shrink switch?
Let's take this down a notch.
Yeah.
I just... I don't know where all this is coming from, and you know I don't like to be manipulated.
I'm not manipulating.
Not that that's what you were doing, but that's what I felt like.
And of course your job's important.
You're a superhero.
And I'm super proud of you.
But my thing matters to me, too.
Of course.
You're killing it.
Watch it, there, Elmo!
No! Get down, boy!
Easy, big guy.
Ah, let him be. Hey, let him be.
Let him be. It's okay. Let him go free.
He's a live wire, that one.
Ooh, yeah. He chewed up a custom sofa.
We've got to calm him down.
Send him to obedience school.
He's going to the vet to get fixed.
Enjoy, guys.
All right, boys. What do we say to Chef Ryan?
Thank you!
Boys, boys, look. Look. Look at this.
Look, look. He's marking his territory.
He's peeing on the furniture.
Yeah. Yeah, but he's showing Ryan who's boss.
That's why it's called a pissing contest when two men try and stake out their turf.
I don't love it when men do that, either.
Elmo, outside now!
Come on. Poor guy.
Dean, seventh president.
Hint... two after Monroe.
Jackson. Andrew Jackson.
Gordie, where was he from?
Let's talk Yankees.
'Cause you don't know. Don't switch the subject.
I do know.
Prove it.
Seattle?
There was no Seattle back then, idiot.
I bet I'll get it on the next guess.
- Bet you don't. - How much?
10 push-ups.
Deal.
Border areas near the Carolinas.
You can't fall for that every time, Dean.
See, he knows his customer, and he sets you up.
He's willing to look foolish short-term to win long-term.
You got to remember that.
And, Gordie, don't sucker your brother.
All right, come on. Pay your bet.
We don't welsh.
See what you got.
One. Two.
Lower.
Three.
Sir? The leniency conference starts in 10 minutes.
Afternoon.
Thank you for agreeing to see us.
What the fuck are you doing here, Dad?
Trying to get me disbarred?
Christ. You're more dramatic than your mother.
We are not breaking any rules or regulations.
Side-channel attacks

• Allocating and freeing dynamic memory in kernel space differs from user space. User-space dynamic memory is allocated on the heap, whereas kernel-space allocations come from the slab caches or from the kernel's dynamic mapping area.
• Kernel memory allocation is essentially based on the buddy system and the slab cache.
2015 Research on dynamic memory detection mechanisms in the Linux kernel
• The segmentation and paging mechanism is determined by the hardware: every memory access must pass through segmentation and paging before the processor reaches the correct memory and can perform the read or write.
• The Intel IA-32 architecture provides several operating modes: real mode, protected mode, virtual 8086 mode, and so on. After Linux boots it normally runs in protected mode, in which IA-32 provides the segmentation and paging protection mechanisms. The MMU (Memory Management Unit) is responsible for translating virtual addresses into physical addresses: segmentation turns logical addresses into linear addresses, and paging turns linear addresses into physical addresses.
• Intel 64-bit processors support three paging modes:
• 1) 32-bit paging. Used by 32-bit operating systems; can address at most 4 GB of memory.
• Cache policy: replacement algorithm, associativity, block size, coherence protocol
• Data-object-oriented cache architecture (DOOC)
• Cache pollution
• Cache thrashing, of two kinds: inter-hierarchy thrashing and inter-core thrashing
2013 A method for improving the performance of memory leak detection under high-frequency memory allocation
• Existing mainstream lightweight memory leak detection tools, such as MemWatch and MemLeak, suffer performance defects such as low efficiency under high-frequency memory allocation.
• Lightweight tools such as MemWatch and MemLeak generally implement detection by overloading the memory operation functions malloc, calloc, realloc, free and related functions.
• Defects of the existing tools: (1) metadata is generated inefficiently; (2) metadata is managed inefficiently.
• Method for improving detection performance: (1) generate metadata from a multi-level cache pool; (2) manage metadata with a hash table combined with a red-black tree (Hash+RBTree).
Fan Junfeng: A new direction in physical attacks on chips: combined attacks

Attack-resistant cryptographic chips

To withstand the various attacks, cryptographic chips already make wide use of countermeasures in their design.

Against side-channel analysis
• random clock
• power-supply isolation / smoothing of port power consumption
• random masking for block ciphers

Against fault analysis
• random clock
• repeated computation
• input verification
• result verification

Against invasive analysis
• active shield layer
• encryption of internal data
• anti-decapsulation sensors
• anti-reverse-engineering measures

ECC scalar multiplication attacks

Point-at-infinity attack
Attack method: inject a fault after the input check, changing P into P'. The attacker obtains information about k through the side channel and does not need the final output. Effective against most secure modular multiplication algorithms (for example, randomising the Z coordinate leaves 0 unchanged).

[Diagram: P passes the input check, is faulted to P', goes through the secure scalar multiplication to produce [k]P', which then reaches the output check.]

See: Junfeng Fan, Benedikt Gierlichs, Frederik Vercauteren, Combined Attack on ECC using Points of Low Order, CHES 2012.
[Figure: correlation coefficient over time (x axis t, in units of 10^4 samples; y axis from -0.1 to 0.35) for a wrong key guess and for the correct key guess; the peak of the correct guess is marked at t0.]
Physical attacks

Correlation power analysis (CPA)

[Diagram: on the chip side, the chip input P and the true key Ki pass through the S-box to give R; on the model side, the same input P is combined with a key hypothesis (guess Ki = 0x34), the example showing P = 0x10 and R = 0x45. The predicted values are then correlated with the measured power.]
English expressions for the China-US trade war

China-US trade relations
1. Trade war
2. Tariff
3. Import/export tariff
4. Impose tariff
5. Tariff barriers
6. Trade surplus
7. Trade deficit
8. Retaliate
9. Countermeasure
10. Lose-lose situation

"If the U.S. wants to talk, the door is open; if they want to fight, we'll fight till the end."

1. United States President Donald Trump has signed an order calling for up to $60 billion in new tariffs on Chinese imports.
2. The action also calls for restrictions on the transfer of technology to China.
3. China's trade surplus with the U.S. last year was about $375 billion.
4. There is no winner in a trade war; it only brings disaster to both China and the U.S., as well as to the world economy. China does not want a trade war and will not be the one to start it, but we can cope with any challenge and will firmly defend the interests of the nation and its people.
5. The government decided to raise tariff walls against foreign goods.
6. Starting today, trade relations between the United States and China are tense.
(Sho06) Sequences of Games: A Tool for Taming Complexity in Security Proofs

Sequences of Games:A Tool for Taming Complexity in Security Proofs∗Victor Shoup†January18,2006AbstractThis paper is brief tutorial on a technique for structuring security proofs as sequences games.1IntroductionSecurity proofs in cryptography may sometimes be organized as sequences of games.In certain circumstances,this can be a useful tool in taming the complexity of security proofs that might otherwise become so messy,complicated,and subtle as to be nearly impossible to verify.This technique appears in the literature in various styles,and with various degrees of rigor and formality.This paper is meant to serve as a brief tutorial on one particular“style”of employing this technique,which seems to achieve a reasonable level of mathematical rigor and clarity,while not getting bogged down with too much formalism or overly restrictive rules.We do not make any particular claims of originality—it is simply hoped that others might profit from some of the ideas discussed here in reasoning about security.At the outset,it should be noted that this technique is certainly not applicable to all security proofs.Moreover,even when this technique is applicable,it is only a tool for organizing a proof—the actual ideas for a cryptographic construction and security analysis must come from elsewhere.1.1The Basic IdeaSecurity for cryptograptic primitives is typically defined as an attack game played between an adversary and some benign entity,which we call the challenger.Both adversary and challenger are probabilstic processes that communicate with each other,and so we can model the game as a probability space.Typically,the definition of security is tied to some particular event S.Security means that for every“efficient”adversary,the probability that event S occurs is“very close to”some specified“target probabilty”:typically,either0, 1/2,or the probability of some event T in some other game in which the same adversary is interacting with a different challenger.∗First public 
version:Nov.30,2004†Computer Science Dept.NYU.shoup@In the formal definitions,there is a security parameter:an integer tending to infinity,and in the previous paragraph,“efficient”means time bounded by a polynomial in the security parameter,and“very close to”means the difference is smaller than the inverse of any polynomial in the security parameter,for sufficiently large values of the security parameter. The term of art is negligibly close to,and a quantity that is negliglibly close to zero is just called negligible.For simplicity,we shall for the most part avoid any further discussion of the security parameter,and it shall be assumed that all algorithms,adversaries,etc.,take this value as an implicit input.Now,to prove security using the sequence-of-games approach,one prodceeds as follows. One constructs a sequence of games,Game0,Game1,...,Game n,where Game0is the original attack game with respect to a given adversary and cryptographic primitive.Let S0 be the event S,and for i=1,...,n,the construction defines an event S i in Game i,usually in a way naturally related to the definition of S.The proof shows that Pr[S i]is negligibly close to Pr[S i+1]for i=0,...,n−1,and that Pr[S n]is equal(or negligibly close)to the “target probability.”From this,and the fact that n is a constant,it follows that Pr[S]is negligibly close to the“target probability,”and security is proved.That is the general framework of such a proof.However,in constructing such proofs, it is desirable that the changes between succesive games are very small,so that analyzing the change is as simple as possible.From experience,it seems that transitions between successive games can be restricted to one of three types:Transitions based on indistinguishability.In such a transition,a small change is made that,if detected by the adversary,would imply an efficient method of distinguishing be-tween two distributions that are indistinguishable(either statistically or computationally). 
For example, suppose $P_1$ and $P_2$ are assumed to be computationally indistinguishable distributions. To prove that $|\Pr[S_i] - \Pr[S_{i+1}]|$ is negligible, one argues that there exists a distinguishing algorithm $D$ that "interpolates" between Game $i$ and Game $i+1$, so that when given an element drawn from distribution $P_1$ as input, $D$ outputs 1 with probability $\Pr[S_i]$, and when given an element drawn from distribution $P_2$ as input, $D$ outputs 1 with probability $\Pr[S_{i+1}]$. The indistinguishability assumption then implies that $|\Pr[S_i] - \Pr[S_{i+1}]|$ is negligible. Usually, the construction of $D$ is obvious, provided the changes made in the transition are minimal. Typically, one designs the two games so that they could easily be rewritten as a single "hybrid" game that takes an auxiliary input: if the auxiliary input is drawn from $P_1$, you get Game $i$, and if drawn from $P_2$, you get Game $i+1$. The distinguisher then simply runs this single hybrid game with its input, and outputs 1 if the appropriate event occurs.

Transitions based on failure events. In such a transition, one argues that Games $i$ and $i+1$ proceed identically unless a certain "failure event" $F$ occurs. To make this type of argument as cleanly as possible, it is best if the two games are defined on the same underlying probability space; the only differences between the two games are the rules for computing certain random variables. When done this way, saying that the two games proceed identically unless $F$ occurs is equivalent to saying that
$$S_i \wedge \neg F \iff S_{i+1} \wedge \neg F,$$
that is, the events $S_i \wedge \neg F$ and $S_{i+1} \wedge \neg F$ are the same. If this is true, then we can use the following fact, which is completely trivial, yet is so often used in these types of proofs that it deserves a name:

Lemma 1 (Difference Lemma). Let $A$, $B$, $F$ be events defined in some probability distribution, and suppose that $A \wedge \neg F \iff B \wedge \neg F$. Then $|\Pr[A] - \Pr[B]| \le \Pr[F]$.

Proof. This is a simple calculation. We have
$$|\Pr[A] - \Pr[B]| = |\Pr[A \wedge F] + \Pr[A \wedge \neg F] - \Pr[B \wedge F] - \Pr[B \wedge \neg F]| = |\Pr[A \wedge F] - \Pr[B \wedge F]| \le \Pr[F].$$
The second equality follows from the assumption that $A \wedge \neg F \iff B \wedge \neg F$, and so in particular, $\Pr[A \wedge \neg F] = \Pr[B \wedge \neg F]$. The final inequality follows from the fact that both $\Pr[A \wedge F]$ and $\Pr[B \wedge F]$ are numbers between $0$ and $\Pr[F]$. □

So to prove that $\Pr[S_i]$ is negligibly close to $\Pr[S_{i+1}]$, it suffices to prove that $\Pr[F]$ is negligible. Sometimes, this is done using a security assumption (i.e., when $F$ occurs, the adversary has found a collision in a hash function, or forged a MAC), while at other times, it can be done using a purely information-theoretic argument.

Usually, the event $F$ is defined and analyzed in terms of the random variables of one of the two adjacent games. The choice is arbitrary, but typically, one of the games will be more suitable than the other in terms of allowing a clear proof.

In some particularly challenging circumstances, it may be difficult to analyze the event $F$ in either game. In fact, the analysis of $F$ may require its own sequence of games sprouting off in a different direction, or the sequence of games for $F$ may coincide with the sequence of games for $S$, so that $\Pr[F]$ finally gets pinned down in Game $j$ for $j > i+1$. This technique is sometimes crucial in side-stepping potential circularities.

Bridging steps. The third type of transition introduces a bridging step, which is typically a way of restating how certain quantities can be computed in a completely equivalent way. The change is purely conceptual, and $\Pr[S_i] = \Pr[S_{i+1}]$. The reason for doing this is to prepare the ground for a transition of one of the above two types. While in principle, such a bridging step may seem unnecessary, without it, the proof would be much harder to follow.

As mentioned above, in a transition based on a failure event, it is best if the two successive games are understood to be defined on the same underlying probability space.
This is an important point, which we repeat here for emphasis: it seems that proofs are easiest to understand if one does not need to compare "corresponding" events across distinct and (by design) quite different probability spaces. Actually, it is good practice to simply have all the games in the sequence defined on the same underlying probability space. However, the Difference Lemma generalizes in the obvious way as follows: if $A$, $B$, $F_1$ and $F_2$ are events such that $\Pr[A \wedge \neg F_1] = \Pr[B \wedge \neg F_2]$ and $\Pr[F_1] = \Pr[F_2]$, then $|\Pr[A] - \Pr[B]| \le \Pr[F_1]$. With this generalized version, one may (if one wishes) analyze transitions based on failure events when the underlying probability spaces are not the same.

1.2 Some Historical Remarks

"Hybrid arguments" have been used extensively in cryptography for many years. Such an argument is essentially a sequence of transitions based on indistinguishability. An early example that clearly illustrates this technique is Goldreich, Goldwasser, and Micali's paper [GGM86] on constructing pseudo-random functions (although this is by no means the earliest application of a hybrid argument). Note that in some applications, such as [GGM86], one in fact makes a non-constant number of transitions, which requires an additional, probabilistic argument.

Although some might use the term "hybrid argument" to include proofs that use transitions based on both indistinguishability and failure events, that seems to be somewhat of a stretch of terminology. An early example of a proof that is clearly structured as a sequence of games that involves transitions based on both indistinguishability and failure events is Bellare and Goldwasser's paper [BG89].

Kilian and Rogaway's paper [KR96] on DESX initiates a somewhat more formal approach to sequences of games. That paper essentially uses the Difference Lemma, specialized to their particular setting.

Subsequently, Rogaway has refined and applied this technique in numerous works with several co-authors. We refer the reader to the paper [BR04] by Bellare and Rogaway that gives a detailed introduction to the methodology, as well as references to papers where it has been used. However, we comment briefly on some of the differences between the technique discussed in this paper, and that advocated in [BR04]:

• In Bellare and Rogaway's approach, games are programs and are treated as purely syntactic objects subject to formal manipulation. In contrast, we view games as probability spaces and random variables defined over them, and do not insist on any particular syntactic formalism beyond that convenient to make a rigorous mathematical argument.

• In Bellare and Rogaway's approach, transitions based on failure events are restricted to events in which an executing program explicitly sets a particular boolean variable to true. In contrast, we do not suggest that events need to be explicitly "announced."

• In Bellare and Rogaway's approach, when the execution behaviors of two games are compared, two distinct probability spaces are involved, and probabilities of "corresponding" events across probability spaces must be compared. In contrast, we suggest that games should be defined on a common probability space, so that when discussing, say, a particular failure event $F$, there is literally just one event, not a pair of corresponding events in two different probability spaces.

In the end, we think that the choice between the style advocated in [BR04] and that suggested here is mainly a matter of taste and convenience.

The author has used proofs organized as sequences of games extensively in his own work [Sho00, SS00, Sho01, Sho02, CS02, CS03b, CS03a, GS04] and has found them to be an indispensable tool; while some of the proofs in these papers could be structured differently, it is hard to imagine how most of them could be done in a more clear and convincing way without sequences of games (note that all but the first two papers above adhere to the rule suggested here of defining games to operate on the same probability space). Other authors have also been using very similar proof styles recently [AFP04, BK04, BCP02a, BCP02b, BCP03, CPP04, DF03, DFKY03, DFJW04, Den03, FOPS04, GaPMV03, KD04, PP03, SWP04]. Also, Pointcheval [Poi04] has a very nice introductory manuscript on public-key cryptography that illustrates this proof style on a number of particular examples.

The author has also been using the sequence-of-games technique extensively in teaching courses in cryptography. Many "classical" results in cryptography can be fruitfully analyzed using this technique. Generally speaking, it seems that the students enjoy this approach, and easily learn to use and apply it themselves. Also, by using a consistent framework for analysis, as an instructor, one can more easily focus on the ideas that are unique to any specific application.

1.3 Outline of the Rest of the Paper

After recalling some fairly standard notation in the next section, the following sections illustrate the use of the sequence-of-games technique in the analysis of a number of classical cryptographic constructions. Compared to many of the more technically involved examples in the literature of this technique (mentioned above), the applications below are really just "toy" examples. Nevertheless, they serve to illustrate the technique in a concrete way, and moreover, we believe that the proofs of these results are at least as easy to follow as any other proof, if not more so.

All of the examples, except the last two (in §§7-8), are presented at an extreme level of detail; indeed, for these examples, we give complete, detailed descriptions of each and every game. More typically, to produce a more compact proof, one might simply describe the differences between games, rather than describing each game in its entirety (as is done in §§7-8).

These examples are based mainly on lectures in courses on cryptography taught by the author.

2 Notation

We make use of fairly standard notation in what follows.

In describing probabilistic processes, we write
$$x \xleftarrow{R} X$$
to denote the action of assigning to the variable $x$ a value sampled according to the distribution $X$. If $S$ is a finite set, we simply write $s \xleftarrow{R} S$ to denote assignment to $s$ of an element sampled from the uniform distribution on $S$. If $A$ is a probabilistic algorithm and $x$ an input, then $A(x)$ denotes the output distribution of $A$ on input $x$. Thus, we write $y \xleftarrow{R} A(x)$ to denote the action of running algorithm $A$ on input $x$ and assigning the output to the variable $y$.

We shall write
$$\Pr[x_1 \xleftarrow{R} X_1,\ x_2 \xleftarrow{R} X_2(x_1),\ \ldots,\ x_n \xleftarrow{R} X_n(x_1, \ldots, x_{n-1}) : \phi(x_1, \ldots, x_n)]$$
to denote the probability that when $x_1$ is drawn from a certain distribution $X_1$, and $x_2$ is drawn from a certain distribution $X_2(x_1)$, possibly depending on the particular choice of $x_1$, and so on, all the way to $x_n$, the predicate $\phi(x_1, \ldots, x_n)$ is true. We allow the predicate $\phi$ to involve the execution of probabilistic algorithms.

If $X$ is a probability distribution on a sample space $\mathcal{X}$, then $[X]$ denotes the subset of elements of $\mathcal{X}$ that occur with non-zero probability.

3 ElGamal Encryption

3.1 Basic Definitions

We first recall the basic definition of a public-key encryption scheme, and the notion of semantic security.

A public-key encryption scheme is a triple of probabilistic algorithms $(\mathrm{KeyGen}, E, D)$.
The key generation algorithm $\mathrm{KeyGen}$ takes no input (other than an implied security parameter, and perhaps other system parameters), and outputs a public-key/secret-key pair $(pk, sk)$. The encryption algorithm $E$ takes as input a public key $pk$ and a message $m$, selected from a message space $M$, and outputs a ciphertext $\psi$. The decryption algorithm takes as input a secret key $sk$ and ciphertext $\psi$, and outputs a message $m$.

The basic correctness requirement is that decryption "undoes" encryption. That is, for all $m \in M$, all $(pk, sk) \in [\mathrm{KeyGen}()]$, all $\psi \in [E(pk, m)]$, and all $m' \in [D(sk, \psi)]$, we have $m = m'$. This definition can be relaxed in a number of ways; for example, we may only insist that it is computationally infeasible to find a message for which decryption does not "undo" its encryption.

The notion of semantic security intuitively says that an adversary cannot effectively distinguish between the encryption of two messages of his choosing (this definition comes from [GM84], where it is called polynomial indistinguishability, and semantic security is actually the name of a syntactically different, but equivalent, characterization). This is formally defined via a game between an adversary and a challenger.

• The challenger computes $(pk, sk) \xleftarrow{R} \mathrm{KeyGen}()$, and gives $pk$ to the adversary.
• The adversary chooses two messages $m_0, m_1 \in M$, and gives these to the challenger.
• The challenger computes
$$b \xleftarrow{R} \{0,1\},\quad \psi \xleftarrow{R} E(pk, m_b)$$
and gives the "target ciphertext" $\psi$ to the adversary.
• The adversary outputs $\hat{b} \in \{0,1\}$.

We define the SS-advantage of the adversary to be $|\Pr[b = \hat{b}] - 1/2|$. Semantic security means that any efficient adversary's SS-advantage is negligible.

3.2 The ElGamal Encryption Scheme

We next recall ElGamal encryption. Let $G$ be a group of prime order $q$, and let $\gamma \in G$ be a generator (we view the descriptions of $G$ and $\gamma$, including the value $q$, to be part of a set of implied system parameters). The key generation algorithm computes $(pk, sk)$ as follows:
$$x \xleftarrow{R} \mathbb{Z}_q,\quad \alpha \leftarrow \gamma^x,\quad pk \leftarrow \alpha,\quad sk \leftarrow x.$$
The message space for the algorithm is $G$. To encrypt a message $m \in G$, the encryption algorithm computes a ciphertext $\psi$ as follows:
$$y \xleftarrow{R} \mathbb{Z}_q,\quad \beta \leftarrow \gamma^y,\quad \delta \leftarrow \alpha^y,\quad \zeta \leftarrow \delta \cdot m,\quad \psi \leftarrow (\beta, \zeta).$$
The decryption algorithm takes as input a ciphertext $(\beta, \zeta)$, and computes $m$ as follows:
$$m \leftarrow \zeta / \beta^x.$$
It is clear that decryption "undoes" encryption. Indeed, if $\beta = \gamma^y$ and $\zeta = \alpha^y \cdot m$, then
$$\zeta / \beta^x = \alpha^y m / \beta^x = (\gamma^x)^y m / (\gamma^y)^x = \gamma^{xy} m / \gamma^{xy} = m.$$

3.3 Security Analysis

ElGamal encryption is semantically secure under the Decisional Diffie-Hellman (DDH) assumption. This is the assumption that it is hard to distinguish triples of the form $(\gamma^x, \gamma^y, \gamma^{xy})$ from triples of the form $(\gamma^x, \gamma^y, \gamma^z)$, where $x$, $y$, and $z$ are random elements of $\mathbb{Z}_q$.

The DDH assumption is more precisely formulated as follows. Let $D$ be an algorithm that takes as input triples of group elements, and outputs a bit. We define the DDH-advantage of $D$ to be
$$\bigl|\Pr[x, y \xleftarrow{R} \mathbb{Z}_q : D(\gamma^x, \gamma^y, \gamma^{xy}) = 1] - \Pr[x, y, z \xleftarrow{R} \mathbb{Z}_q : D(\gamma^x, \gamma^y, \gamma^z) = 1]\bigr|.$$
The DDH assumption (for $G$) is the assumption that any efficient algorithm's DDH-advantage is negligible.

We now give a proof of the semantic security of ElGamal encryption under the DDH assumption, using a sequence of games.

Game 0. Fix an efficient adversary $A$. Let us define Game 0 to be the attack game against $A$ in the definition of semantic security. To make things more precise and more concrete, we may describe the attack game algorithmically as follows:

    $x \xleftarrow{R} \mathbb{Z}_q,\ \alpha \leftarrow \gamma^x$
    $r \xleftarrow{R} R,\ (m_0, m_1) \leftarrow A(r, \alpha)$
    $b \xleftarrow{R} \{0,1\},\ y \xleftarrow{R} \mathbb{Z}_q,\ \beta \leftarrow \gamma^y,\ \delta \leftarrow \alpha^y,\ \zeta \leftarrow \delta \cdot m_b$
    $\hat{b} \leftarrow A(r, \alpha, \beta, \zeta)$

In the above, we have modeled the adversary $A$ as a deterministic algorithm that takes as input "random coins" $r$ sampled uniformly from some set $R$. It should be evident that this algorithm faithfully represents the attack game. If we define $S_0$ to be the event that $b = \hat{b}$, then the adversary's SS-advantage is $|\Pr[S_0] - 1/2|$.

Game 1. [This is a transition based on indistinguishability.] We now make one small change to the above game. Namely, instead of computing $\delta$ as $\alpha^y$, we compute it as $\gamma^z$ for randomly chosen $z \in \mathbb{Z}_q$. We can describe the resulting game algorithmically as follows:

    $x \xleftarrow{R} \mathbb{Z}_q,\ \alpha \leftarrow \gamma^x$
    $r \xleftarrow{R} R,\ (m_0, m_1) \leftarrow A(r, \alpha)$
    $b \xleftarrow{R} \{0,1\},\ y \xleftarrow{R} \mathbb{Z}_q,\ \beta \leftarrow \gamma^y,\ z \xleftarrow{R} \mathbb{Z}_q,\ \delta \leftarrow \gamma^z,\ \zeta \leftarrow \delta \cdot m_b$
    $\hat{b} \leftarrow A(r, \alpha, \beta, \zeta)$

Let $S_1$ be the event that $b = \hat{b}$ in Game 1.

Claim 1. $\Pr[S_1] = 1/2$. This follows from the fact that in Game 1, $\delta$ is effectively a one-time pad, and as such, the adversary's output $\hat{b}$ is independent of the hidden bit $b$. To prove this more rigorously, it will suffice to show that $b, r, \alpha, \beta, \zeta$ are mutually independent, since from this, it follows that $b$ and $\hat{b} = A(r, \alpha, \beta, \zeta)$ are independent. First observe that by construction, $b, r, \alpha, \beta, \delta$ are mutually independent. It will suffice to show that conditioned on any fixed values of $b, r, \alpha, \beta$, the conditional distribution of $\zeta$ is the uniform distribution over $G$. Now, if $b, r, \alpha, \beta$ are fixed, then so are $m_0, m_1$, since they are determined by $r, \alpha$; moreover, by independence, the conditional distribution of $\delta$ is the uniform distribution on $G$, and hence from this, one sees that the conditional distribution of $\zeta = \delta \cdot m_b$ is the uniform distribution on $G$.

Claim 2. $|\Pr[S_0] - \Pr[S_1]| = \epsilon_{\mathrm{ddh}}$, where $\epsilon_{\mathrm{ddh}}$ is the DDH-advantage of some efficient algorithm (and hence negligible under the DDH assumption). The proof of this is essentially the observation that in Game 0, the triple $(\alpha, \beta, \delta)$ is of the form $(\gamma^x, \gamma^y, \gamma^{xy})$, while in Game 1, it is of the form $(\gamma^x, \gamma^y, \gamma^z)$, and so the adversary should not notice the difference, under the DDH assumption. To be more precise, our distinguishing algorithm $D$ works as follows:

    Algorithm $D(\alpha, \beta, \delta)$
    $r \xleftarrow{R} R,\ (m_0, m_1) \leftarrow A(r, \alpha)$
    $b \xleftarrow{R} \{0,1\},\ \zeta \leftarrow \delta \cdot m_b$
    $\hat{b} \leftarrow A(r, \alpha, \beta, \zeta)$
    if $b = \hat{b}$ then output 1 else output 0

Algorithm $D$ effectively "interpolates" between Games 0 and 1. If the input to $D$ is of the form $(\gamma^x, \gamma^y, \gamma^{xy})$, then computation proceeds just as in Game 0, and therefore
$$\Pr[x, y \xleftarrow{R} \mathbb{Z}_q : D(\gamma^x, \gamma^y, \gamma^{xy}) = 1] = \Pr[S_0].$$
If the input to $D$ is of the form $(\gamma^x, \gamma^y, \gamma^z)$, then computation proceeds just as in Game 1, and therefore
$$\Pr[x, y, z \xleftarrow{R} \mathbb{Z}_q : D(\gamma^x, \gamma^y, \gamma^z) = 1] = \Pr[S_1].$$
From this, it follows that the DDH-advantage of $D$ is equal to $|\Pr[S_0] - \Pr[S_1]|$. That completes the proof of Claim 2.

Combining Claim 1 and Claim 2, we see that $|\Pr[S_0] - 1/2| = \epsilon_{\mathrm{ddh}}$, and this is negligible. That completes the proof of security of ElGamal encryption.

3.4 Hashed ElGamal

For a number of reasons, it is convenient to work with messages that are bit strings, say, of length $\ell$, rather than group elements. Because of this, one may choose to use a "hashed" version of the ElGamal encryption scheme.

This scheme makes use of a family of keyed "hash" functions $H := \{H_k\}_{k \in K}$, where each $H_k$ is a function mapping $G$ to $\{0,1\}^\ell$.

The key generation algorithm computes $(pk, sk)$ as follows:
$$x \xleftarrow{R} \mathbb{Z}_q,\quad k \xleftarrow{R} K,\quad \alpha \leftarrow \gamma^x,\quad pk \leftarrow (\alpha, k),\quad sk \leftarrow (x, k).$$
To encrypt a message $m \in \{0,1\}^\ell$, the encryption algorithm computes a ciphertext $\psi$ as follows:
$$y \xleftarrow{R} \mathbb{Z}_q,\quad \beta \leftarrow \gamma^y,\quad \delta \leftarrow \alpha^y,\quad h \leftarrow H_k(\delta),\quad v \leftarrow h \oplus m,\quad \psi \leftarrow (\beta, v).$$
The decryption algorithm takes as input a ciphertext $(\beta, v)$, and computes $m$ as follows:
$$m \leftarrow H_k(\beta^x) \oplus v.$$
The reader may easily verify that decryption "undoes" encryption.

As for semantic security, this can be proven under the DDH assumption and the assumption that the family of hash functions $H$ is "entropy smoothing." Loosely speaking, this means that it is hard to distinguish $(k, H_k(\delta))$ from $(k, h)$, where $k$ is a random element of $K$, $\delta$ is a random element of $G$, and $h$ is a random element of $\{0,1\}^\ell$. More formally, let $D$ be an algorithm that takes as input an element of $K$ and an element of $\{0,1\}^\ell$, and outputs a bit. We define the ES-advantage of $D$ to be
$$\bigl|\Pr[k \xleftarrow{R} K,\ \delta \xleftarrow{R} G : D(k, H_k(\delta)) = 1] - \Pr[k \xleftarrow{R} K,\ h \xleftarrow{R} \{0,1\}^\ell : D(k, h) = 1]\bigr|.$$
We say $H$ is entropy smoothing if every efficient algorithm's ES-advantage is negligible.

It is in fact possible to construct entropy smoothing hash function families without additional hypotheses (the Leftover Hash Lemma may be used for this [IZ89]). However, these may be somewhat less practical than ad hoc hash function families for which the entropy smoothing property is only a (perfectly reasonable) conjecture; moreover, our definition also allows entropy smoothers that use pseudo-random bit generation techniques as well.

We now sketch the proof of semantic security of hashed ElGamal encryption, under the DDH assumption and the assumption that $H$ is entropy smoothing.

Game 0. This is the original attack game, which we can state algorithmically as follows:

    $x \xleftarrow{R} \mathbb{Z}_q,\ k \xleftarrow{R} K,\ \alpha \leftarrow \gamma^x$
    $r \xleftarrow{R} R,\ (m_0, m_1) \leftarrow A(r, \alpha, k)$
    $b \xleftarrow{R} \{0,1\},\ y \xleftarrow{R} \mathbb{Z}_q,\ \beta \leftarrow \gamma^y,\ \delta \leftarrow \alpha^y,\ h \leftarrow H_k(\delta),\ v \leftarrow h \oplus m_b$
    $\hat{b} \leftarrow A(r, \alpha, k, \beta, v)$

We define $S_0$ to be the event that $b = \hat{b}$ in Game 0.

Game 1. [This is a transition based on indistinguishability.] Now we transform Game 0 into Game 1, computing $\delta$ as $\gamma^z$ for random $z \in \mathbb{Z}_q$. We can state Game 1 algorithmically as follows:

    $x \xleftarrow{R} \mathbb{Z}_q,\ k \xleftarrow{R} K,\ \alpha \leftarrow \gamma^x$
    $r \xleftarrow{R} R,\ (m_0, m_1) \leftarrow A(r, \alpha, k)$
    $b \xleftarrow{R} \{0,1\},\ y \xleftarrow{R} \mathbb{Z}_q,\ \beta \leftarrow \gamma^y,\ z \xleftarrow{R} \mathbb{Z}_q,\ \delta \leftarrow \gamma^z,\ h \leftarrow H_k(\delta),\ v \leftarrow h \oplus m_b$
    $\hat{b} \leftarrow A(r, \alpha, k, \beta, v)$

Let $S_1$ be the event that $b = \hat{b}$ in Game 1. We claim that
$$|\Pr[S_0] - \Pr[S_1]| = \epsilon_{\mathrm{ddh}}, \qquad (1)$$
where $\epsilon_{\mathrm{ddh}}$ is the DDH-advantage of some efficient algorithm (which is negligible under the DDH assumption).

The proof of this is almost identical to the proof of the corresponding claim for "plain" ElGamal. Indeed, the following algorithm $D$ "interpolates" between Game 0 and Game 1, and so has DDH-advantage equal to $|\Pr[S_0] - \Pr[S_1]|$:

    Algorithm $D(\alpha, \beta, \delta)$
    $k \xleftarrow{R} K$
    $r \xleftarrow{R} R,\ (m_0, m_1) \leftarrow A(r, \alpha, k)$
    $b \xleftarrow{R} \{0,1\},\ h \leftarrow H_k(\delta),\ v \leftarrow h \oplus m_b$
    $\hat{b} \leftarrow A(r, \alpha, k, \beta, v)$
    if $b = \hat{b}$ then output 1 else output 0

Game 2. [This is also a transition based on indistinguishability.] We now transform Game 1 into Game 2, computing $h$ by simply choosing it at random, rather than as a hash.
Algorithmically, Game 2 looks like this:

    $x \xleftarrow{R} \mathbb{Z}_q,\ k \xleftarrow{R} K,\ \alpha \leftarrow \gamma^x$
    $r \xleftarrow{R} R,\ (m_0, m_1) \leftarrow A(r, \alpha, k)$
    $b \xleftarrow{R} \{0,1\},\ y \xleftarrow{R} \mathbb{Z}_q,\ \beta \leftarrow \gamma^y,\ z \xleftarrow{R} \mathbb{Z}_q,\ \delta \leftarrow \gamma^z,\ h \xleftarrow{R} \{0,1\}^\ell,\ v \leftarrow h \oplus m_b$
    $\hat{b} \leftarrow A(r, \alpha, k, \beta, v)$

Observe that $\delta$ plays no role in Game 2.

Let $S_2$ be the event that $b = \hat{b}$ in Game 2. We claim that
$$|\Pr[S_1] - \Pr[S_2]| = \epsilon_{\mathrm{es}}, \qquad (2)$$
where $\epsilon_{\mathrm{es}}$ is the ES-advantage of some efficient algorithm (which is negligible assuming $H$ is entropy smoothing).

This is proved using the same idea as before: any difference between $\Pr[S_1]$ and $\Pr[S_2]$ can be parlayed into a corresponding ES-advantage. Indeed, it is easy to see that the following algorithm $D'$ "interpolates" between Game 1 and Game 2, and so has ES-advantage equal to $|\Pr[S_1] - \Pr[S_2]|$:

    Algorithm $D'(k, h)$
    $x \xleftarrow{R} \mathbb{Z}_q,\ \alpha \leftarrow \gamma^x$
    $r \xleftarrow{R} R,\ (m_0, m_1) \leftarrow A(r, \alpha, k)$
    $b \xleftarrow{R} \{0,1\},\ y \xleftarrow{R} \mathbb{Z}_q,\ \beta \leftarrow \gamma^y,\ v \leftarrow h \oplus m_b$
    $\hat{b} \leftarrow A(r, \alpha, k, \beta, v)$
    if $b = \hat{b}$ then output 1 else output 0

Finally, as $h$ acts like a one-time pad in Game 2, it is evident that
$$\Pr[S_2] = 1/2. \qquad (3)$$
Combining (1), (2), and (3), we obtain
$$|\Pr[S_0] - 1/2| \le \epsilon_{\mathrm{ddh}} + \epsilon_{\mathrm{es}},$$
which is negligible, since both $\epsilon_{\mathrm{ddh}}$ and $\epsilon_{\mathrm{es}}$ are negligible.

This proof illustrates how one can utilize more than one intractability assumption in a proof of security in a clean and simple way.

4 Pseudo-Random Functions

4.1 Basic Definitions

Let $\ell_1$ and $\ell_2$ be positive integers (which are actually polynomially bounded functions in a security parameter). Let $F := \{F_s\}_{s \in S}$ be a family of keyed functions, where each function $F_s$ maps $\{0,1\}^{\ell_1}$ to $\{0,1\}^{\ell_2}$. Let $\Gamma_{\ell_1,\ell_2}$ denote the set of all functions from $\{0,1\}^{\ell_1}$ to $\{0,1\}^{\ell_2}$.

Informally, we say that $F$ is pseudo-random if it is hard to distinguish a random function drawn from $F$ from a random function drawn from $\Gamma_{\ell_1,\ell_2}$, given black box access to such a function (this notion was introduced in [GGM86]). More formally, consider an adversary $A$ that has oracle access to a function in $\Gamma_{\ell_1,\ell_2}$, and suppose that $A$ always outputs a bit. Define the PRF-advantage of $A$ to be
$$\bigl|\Pr[s \xleftarrow{R} S : A^{F_s}() = 1] - \Pr[f \xleftarrow{R} \Gamma_{\ell_1,\ell_2} : A^{f}() = 1]\bigr|.$$
We say that $F$ is pseudo-random if any efficient adversary's PRF-advantage is negligible.

4.2 Extending the Input Length with a Universal Hash Function

We now present one construction that allows one to stretch the input length of a pseudo-random family of functions.

Let $\ell$ be a positive integer with $\ell > \ell_1$. Let $H := \{H_k\}_{k \in K}$ be a family of keyed hash functions, where each $H_k$ maps $\{0,1\}^\ell$ to $\{0,1\}^{\ell_1}$. Let us assume that $H$ is an $\epsilon_{\mathrm{uh}}$-universal family of hash functions, where $\epsilon_{\mathrm{uh}}$ is negligible. This means that for all $w, w' \in \{0,1\}^\ell$ with $w \ne w'$, we have
$$\Pr[k \xleftarrow{R} K : H_k(w) = H_k(w')] \le \epsilon_{\mathrm{uh}}.$$
There are many ways to construct such families of hash functions.

Now define the family of functions
$$F' := \{F'_{k,s}\}_{(k,s) \in K \times S},$$
where each $F'_{k,s}$ is the function from $\{0,1\}^\ell$ into $\{0,1\}^{\ell_2}$ that sends $w \in \{0,1\}^\ell$ to $F_s(H_k(w))$.

We shall now prove that if $F$ is pseudo-random, then $F'$ is pseudo-random.

Game 0. This game represents the computation of an adversary given oracle access to a function drawn at random from $F'$. Without loss of generality, we may assume that the adversary makes exactly $q$ queries to its oracle, and never repeats any queries (regardless of the oracle responses). We may present this computation algorithmically as follows:

    $k \xleftarrow{R} K,\ s \xleftarrow{R} S$
    $r \xleftarrow{R} R$
    for $i \leftarrow 1 \ldots q$ do
        $w_i \leftarrow A(r, y_1, \ldots, y_{i-1}) \in \{0,1\}^\ell$
        $x_i \leftarrow H_k(w_i) \in \{0,1\}^{\ell_1}$
        $y_i \leftarrow F_s(x_i) \in \{0,1\}^{\ell_2}$
    $b \leftarrow A(r, y_1, \ldots, y_q) \in \{0,1\}$
    output $b$

The idea behind our notation is that the adversary is modeled as a deterministic algorithm $A$, and we supply its random coins $r \in R$ as input, and in loop iteration $i$, the adversary computes its next query $w_i$ as a function of its coins and the results $y_1, \ldots, y_{i-1}$ of its previous queries $w_1, \ldots, w_{i-1}$. We are assuming that $A$ operates in such a way that the values $w_1, \ldots, w_q$ are always distinct.

Let $S_0$ be the event that the output $b = 1$ in Game 0. Our goal is to transform this game into a game that is equivalent to the computation of the adversary given oracle access to a random element of $\Gamma_{\ell,\ell_2}$, so that the probability that $b = 1$ in the latter game is negligibly close to $\Pr[S_0]$.

Game 1. [This is a transition based on indistinguishability.] We now modify Game 0 so that we use a truly random function from $\ell_1$ bits to $\ell_2$ bits, in place of $F_s$. Intuitively, the pseudo-randomness property of $F$ should guarantee that this modification has only a negligible effect on the behavior of the adversary. Algorithmically, Game 1 looks like this:
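The ElGamal scheme of §3.2 and the hybrid distinguisher $D$ of Claim 2 in §3.3, as an added Python example; this code is not part of Shoup's paper. It fixes a toy group that the paper leaves abstract: the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2039$, $q = 1019$ and $\gamma = 4$ (our assumption, chosen tiny so that an adversary $A$ that solves discrete logs by brute force is feasible). With such an $A$, running $D$ on real DDH triples $(\gamma^x, \gamma^y, \gamma^{xy})$ reproduces Game 0 and $D$ outputs 1 always, while on random triples $(\gamma^x, \gamma^y, \gamma^z)$ it reproduces Game 1 and outputs 1 with probability $1/2$; the gap is exactly the DDH-advantage that Claim 2 says any successful adversary hands the distinguisher. `random.Random` is used only for reproducibility and is not a cryptographic generator.

```python
import random

# Toy group (our choice, not the paper's): the order-q subgroup of Z_p^*, p = 2q + 1.
# q is deliberately tiny so that the brute-force discrete-log adversary below is feasible.
P, Q = 2039, 1019
GAMMA = 4                      # 2^2 is a quadratic residue, so it generates the order-q subgroup
assert pow(GAMMA, Q, P) == 1 and GAMMA != 1


def keygen(rng):
    """x <-R Z_q, alpha <- gamma^x; returns (pk, sk) = (alpha, x)."""
    x = rng.randrange(Q)
    return pow(GAMMA, x, P), x


def encrypt(rng, alpha, m):
    """y <-R Z_q, beta <- gamma^y, delta <- alpha^y, zeta <- delta * m; psi = (beta, zeta)."""
    y = rng.randrange(Q)
    return pow(GAMMA, y, P), pow(alpha, y, P) * m % P


def decrypt(x, psi):
    """m <- zeta / beta^x."""
    beta, zeta = psi
    return zeta * pow(pow(beta, x, P), -1, P) % P


def dlog(h):
    """Brute-force discrete log base gamma; only feasible because q is tiny."""
    acc = 1
    for e in range(Q):
        if acc == h:
            return e
        acc = acc * GAMMA % P
    raise ValueError("element not in the subgroup")


class DlogAdversary:
    """The SS adversary A of Game 0 with its coins r fixed: it always picks m0 = 1 and
    m1 = gamma^3 (both in G), then solves the DLP of alpha and decrypts the challenge."""

    def choose(self, alpha):
        self.m0, self.m1 = 1, pow(GAMMA, 3, P)
        return self.m0, self.m1

    def guess(self, alpha, beta, zeta):
        m = decrypt(dlog(alpha), (beta, zeta))
        return 0 if m == self.m0 else 1


def distinguisher(rng, adversary, alpha, beta, delta):
    """Algorithm D(alpha, beta, delta) of Claim 2: run the hybrid game, output 1 iff b = b_hat."""
    m0, m1 = adversary.choose(alpha)
    b = rng.randrange(2)
    zeta = delta * (m1 if b else m0) % P
    return 1 if adversary.guess(alpha, beta, zeta) == b else 0


def real_triple(rng):          # (gamma^x, gamma^y, gamma^xy): D then behaves as Game 0
    x, y = rng.randrange(Q), rng.randrange(Q)
    return pow(GAMMA, x, P), pow(GAMMA, y, P), pow(GAMMA, x * y % Q, P)


def random_triple(rng):        # (gamma^x, gamma^y, gamma^z): D then behaves as Game 1
    x, y, z = (rng.randrange(Q) for _ in range(3))
    return pow(GAMMA, x, P), pow(GAMMA, y, P), pow(GAMMA, z, P)


def ddh_advantage(trials=400, seed=1):
    """Estimate Pr[S0], Pr[S1] and |Pr[S0] - Pr[S1]| for the DlogAdversary."""
    rng, adv = random.Random(seed), DlogAdversary()
    p_real = sum(distinguisher(rng, adv, *real_triple(rng)) for _ in range(trials)) / trials
    p_rand = sum(distinguisher(rng, adv, *random_triple(rng)) for _ in range(trials)) / trials
    return p_real, p_rand, abs(p_real - p_rand)


def roundtrip(seed=0):
    """Key generation, encryption and decryption of one m in G; returns (m, D(sk, E(pk, m)))."""
    rng = random.Random(seed)
    alpha, x = keygen(rng)
    m = pow(GAMMA, 777, P)
    return m, decrypt(x, encrypt(rng, alpha, m))


if __name__ == "__main__":
    print("roundtrip:", roundtrip())
    print("Pr[S0], Pr[S1], DDH-advantage of D:", ddh_advantage())
```

In a group where discrete logs are hard the same `distinguisher` code still interpolates between the two games; what changes is only that no efficient `DlogAdversary` exists, which is exactly why Claim 2 transfers the DDH assumption to the SS-advantage.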
A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter

Josh Jaffe
Cryptography Research, Inc., 575 Market Street, Suite 2150, San Francisco, CA 94105, USA. josh@

Abstract. Previous first-order differential power analysis (DPA) attacks have depended on knowledge of the target algorithm's input or output. This paper describes a first-order DPA attack against AES in counter mode, in which the initial counter and output values are all unknown.

Keywords: power analysis, SPA, DPA, HO-DPA, AES, counter mode.

1 Introduction

Previous first-order differential power analysis (DPA) attacks have depended on knowledge of the target algorithm's input or output [1][2]. This paper describes a first-order DPA attack against the Advanced Encryption Standard (AES) [3] in counter mode, in which the initial counter, input values, and output values are all unknown.

The attack proceeds as follows. Suppose the input data to an algorithm is unknown, but can be expressed as a single secret constant summed with known, variable data. The known, variable part of the data is used to mount a DPA attack, and the secret constant is treated as part of the key to be recovered. The "key" recovered by the DPA attack is then a function of the actual key and the secret constant. The known input values are then combined with the recovered "key" to compute the actual intermediate values produced by the algorithm.
The recovered intermediates are then used to carry the attack forward into later rounds,enabling additional DPA attacks to recover the real key.The attack also addresses the challenges to DPA presented by block ciphers used in counter mode[4].DPA attacks target secrets when they are mixed with known variable quantities.In counter mode only the low-order bits of the input change with each encryption.Hence there are few variable intermediates to tar-get in thefirst round of a typical block cipher.We demonstrate a method for propagating the attack into later rounds in which more known,variable data is available.Although counter mode presents additional challenges to DPA attacks,in certain respects it also makes the attack easier.Unlike mostfirst-order DPA attacks,the sequential nature of the counter enables the attack to succeed withonly knowledge of the power measurements.Knowledge of input,output,and initial counter values are not required to implement the attack.1.1Related WorkSimple power analysis(SPA)attacks have been used to extract portions of keys directly from power traces without requiring knowledge of input messages.Fahn and Pearson used inferential power analysis(IPA),an attack that exploits binary SPA leaks[5].Mayer-Sommer presented attacks exploiting SPA leaks in high-amplitude power variations[6].Mangard presented an SPA attack against the AES key expansion step[7].Messerges et al described SPA attacks on Hamming weight and transition count leaks[8].Side channel collision attacks were introduced by Dobbertin,and have tra-ditionally targeted SPA leaks using chosen ciphertext[9][10][11].Side channel collision attacks can be adapted to the case in which inputs are known to be successive values of a counter.High-order differential power analysis(HO-DPA)[12]attacks target a hy-pothesized key-dependent relationship between data parameters in a computa-tion.Previous work has noted that HO-DPA attacks can be applied to situations in which cipher input values 
are not known[13].Fouque and Valette presented the“doubling attack”[14]which exploits the relationship between inputs in successive RSA decryptions to recover the expo-nent.The attack succeeds despite the fact that the input to the modular expo-nentiation step is masked by a blinding factor.Messerges presented a second-order DPA attack[15]that defeated a data whitening scheme.Chari et al[16]and Akkar et al[17]also presented DPA attacks on block ciphers with a“whitening”step.2Preliminaries2.1NotationSuppose X and Y are used to denote input and output data of a transforma-tion.(Letters other than X or Y will also be used.)If the transformation is implemented as a sequence of rounds,the input and output of the i th round are denoted by X i and Y i.Within a round,data may be partitioned into bytes for processing.X i,j and Y i,j denote the j th bytes of round data X i and V i.K is used to denote input keys,K i denotes the i th round key derived from K,and K i,j denotes the j th byte of round key K i.SymbolsThe symbol‘⊕’denotes the bitwise XOR of two n-bit vectors.The symbol‘+’denotes the ordinary addition of two numbers.The symbol‘◦’denotes multiplication between two elements of GF(28).The symbol‘||’denotes the concatenation of two vectors.2.2Description of AESAlthough most readers are no doubt familiar with AES,this section gives a brief review of its design.The round transformations are grouped differently than in the AES standard to facilitate presentation of the attack,but the algorithm described here is equivalent to AES.The review will also familiarize the reader with the notation and concepts used in this paper.AES is a block cipher that operates on16-byte blocks of data.It is designed as a sequence of10,12,or14rounds,depending on whether the key K is16, 24,or32bytes in length.The key is expanded by the AES key schedule into 16-byte round keys K i.The round structure of AES encryption.The following transformations are performed during each round of an AES 
encryption:1.AddRoundKey2.SubBytes3.ShiftRows4.MixColumns1These operations are described below,using the following notation for interme-diate round states:X i denotes the input to round i and the AddRoundKey transformation.Y i denotes the output of the AddRoundKey transformation and the input to the SubBytes transformation.Z i denotes the output of the SubBytes transformation and the input to the ShiftRows transformation.U i denotes the output of the ShiftRows transformation and the input to the MixColumns transformation.V i denotes the output of the MixColumns transformation and the input to the next round:V i=X i+1.AddRoundKey Each byte of Y i,j is produced by computing the exclusive or (XOR)of a byte of incoming data X i,j with the corresponding byte of round key K i,j:Y i,j=X i,j⊕K i,j.(1) SubBytes Each byte of input data is transformed via an invertible non-linear 8-bit lookup table S:Z i,j=S[Y i,j]=S[X i,j⊕K i,j].(2)1The MixColumns operation is not performed in thefinal round,and an additional AddRoundKey operation is performed after thefinal round.ShiftRows ShiftRows permutes the bytes within the data vector:U i=Z i,0Z i,5Z i,10Z i,15Z i,4Z i,9Z i,14Z i,3Z i,8Z i,13Z i,2Z i,7Z i,12Z i,1Z i,6Z i,11MixColumns The j th column of U i is defined to be the four bytes{U i,4j,U i,4j+1,U i,4j+2,U i,4j+3}.MixColumns is an invertible linear transformation over GF(28)performed on the columns of U i.The j th column of output V i is defined to be:V i,4j=({02}◦U i,4j)⊕({03}◦U i,4j+1)⊕({01}◦U i,4j+2)⊕({01}◦U i,4j+3) V i,4j+1=({01}◦U i,4j)⊕({02}◦U i,4j+1)⊕({03}◦U i,4j+2)⊕({01}◦U i,4j+3) V i,4j+2=({01}◦U i,4j)⊕({01}◦U i,4j+1)⊕({02}◦U i,4j+2)⊕({03}◦U i,4j+3) V i,4j+3=({03}◦U i,4j)⊕({01}◦U i,4j+1)⊕({01}◦U i,4j+2)⊕({02}◦U i,4j+3)where{01},{02},{03},and U i,4j,U i,4j+1,U i,4j+2,U i,4j+3are considered8-bit vectors representing elements in GF(28).The linearity of the AES MixColumns transformation will be exploited during the attack.Suppose that input data can be selected such that 
in round i,one or more input bytes to the MixColumns operation are unknown,but are known to remain constant across multiple invocations of the AES algorithm.Then the contribution of these constant bytes to V i is equivalent to XORing withfixed constants.For example,suppose bytes U1,4j+1,U1,4j+2,and U1,4j+3are constant(but unknown)across multiple invocations of AES.Then the valuesE1,4j=({03}◦U1,4j+1)⊕({01}◦U1,4j+2)⊕({01}◦U1,4j+3)E1,4j+1=({02}◦U1,4j+1)⊕({03}◦U1,4j+2)⊕({01}◦U1,4j+3)E1,4j+2=({01}◦U1,4j+1)⊕({02}◦U1,4j+2)⊕({03}◦U1,4j+3)E1,4j+3=({01}◦U1,4j+1)⊕({01}◦U1,4j+2)⊕({02}◦U1,4j+3)will be constant,and the MixColumns output can be expressed asV1,4j=({02}◦U1,4j)⊕E1,4jV1,4j+1=({01}◦U1,4j)⊕E1,4j+1V1,4j+2=({01}◦U1,4j)⊕E1,4j+2V1,4j+3=({03}◦U1,4j)⊕E1,4j+3.(3) As will be shown in Section3,the constant,unknown terms E can then be incorporated into the round key of the next round,and effectively ignored.2.3Counter ModeCounter mode is a standard mode of operation for block ciphers in which ci-phertext is produced by encrypting a counter and XORing the result with the plaintext block.Let B be a block cipher using key K,C the initial counter value,and X T the T th block of plaintext to be encrypted.Then the T th block of ciphertext Y T is given byY T=X T⊕B enc(C+T,K).Ciphertext is decrypted by XORing it with same encrypted counter value:X T=Y T⊕B enc(C+T,K).Since counter values are inputs to thefirst round only,C j and T j will be used to denote the j th bytes of C and T respectively,and not their values at round j.See[4]for more information on counter mode.Galois counter mode Galois counter mode(GCM)[18]is a draft counter mode protocol currently being studied by NIST.In GCM,the initial counter value is derived from a variable-sized initialization vector(IV).If the length of the IV is not exactly96bits,then the initial counter value C is derived from the IV using a secret key.In protocols where the IV is exactly96bits long,at least part of the initial counter value may be 
secret. For example, in RFC 4106 [19] the first four bytes of the IV are derived with the AES key and may remain secret. The attack described in this paper assumes that the entire initial counter value $C$ is unknown.

3 The Attack on AES in Counter Mode

This section will present a first-order DPA attack against AES in counter mode with unknown initial counter value $C$. To keep the index notation from getting too cumbersome, the symbol "$T$" is omitted from subscripts. When data is described as constant or variable, however, it means that the data is constant or variable with respect to $T$. For example, when we say that an attack recovers a variable such as $Z_{1,15}$, it means that it recovers each value the variable took for each value of $T$.

3.1 Overview

The main stages of the attack are as follows:

1. Perform data collection.
2. Use DPA against the first round to recover $Z_{1,15}$ and $Z_{1,14}$.
3. Derive the input to the second round, manipulating unknown values symbolically. Eight bytes of input to the second round are unknown constants, but the other eight can be expressed as $X_{2,j} = \tilde{X}_{2,j} \oplus E_{1,j}$, where $\tilde{X}_{2,j}$ is known and variable, and $E_{1,j}$ is unknown, but constant.
4. Use DPA to determine the eight variable bytes of $Z_{2,j}$ corresponding to the 8 variable bytes $X_{2,j}$.
5. Derive the input to the third round, manipulating unknown constants symbolically. Each of the sixteen bytes of $X_3$ can be expressed as $X_{3,j} = \tilde{X}_{3,j} \oplus E_{2,j}$, where $\tilde{X}_{3,j}$ is known and variable, and $E_{2,j}$ is unknown, but constant.
6. Use DPA to determine the sixteen variable bytes of $Z_3$.
7. Derive the input to the fourth round. There are no unknown or constant bytes in $Z_3$, so $X_4$ can be derived exactly.
8. Perform a standard DPA attack in the fourth round, using known input values $X_4$. Iterate the attack into subsequent rounds as necessary, recovering as many round keys as required to reverse the key schedule and obtain the key.

These attack stages are described in detail below.

3.2 Attack Details

Step 1: Data Collection. Encrypt $2^{16}$ consecutive blocks of data in counter mode, with unknown initial counter, and
initial data blocks given by $X_1 = C + T$. Record power traces covering the first four rounds of each encryption. Traces should cover the fifth round as well if the target key is longer than 16 bytes.

Step 2: Recover $Z_{1,15}$. The DPA attack in this step uses the known byte $T_{15}$ as the input, and performs a 15-bit exhaustive search over the bits defined below. Let $C_{15,lo}$ and $K_{1,15,lo}$ denote the low-order 7 bits of $C_{15}$ and $K_{1,15}$, respectively. Let $C_{15,hi}$ denote the high-order bit of $C_{15}$, and $b_{15}$ denote the XOR of $C_{15,hi}$ with the high-order bit of $K_{1,15}$. Let $\kappa_{15}$ denote the outgoing carry of $C_{15} + T_{15}$. The reader can verify that

$$(C_{15} + T_{15}) \bmod 256 = (2^7 \cdot C_{15,hi}) \oplus ((C_{15,lo} + T_{15}) \bmod 256). \quad (4)$$

Then Equations 1 and 4 imply that

$$\begin{aligned}
Y_{1,15} &= K_{1,15} \oplus ((C_{15} + T_{15}) \bmod 256) \\
         &= K_{1,15} \oplus (2^7 \cdot C_{15,hi}) \oplus ((C_{15,lo} + T_{15}) \bmod 256) \\
         &= (2^7 \cdot b_{15}) \oplus K_{1,15,lo} \oplus ((C_{15,lo} + T_{15}) \bmod 256).
\end{aligned} \quad (5)$$

Hence, the DPA search only depends on the 15 unknown bits in Equation 5: the bit $b_{15}$, seven bits of $K_{1,15,lo}$, and seven bits of $C_{15,lo}$. Also, note that the high-order bits of $K_{1,15}$ and $C_{15}$ cannot be distinguished by this search. The relationship between the parameters is shown in Figure 1. Note that because $Y_{1,15}$ is an eight-bit quantity, it does not depend on the carry bit $\kappa_{15}$.

[Figure 1 not reproduced.] Fig. 1. Relationship between $T$, $C$, $K$, and $Y$ for bytes 14 and 15 in Round 1 of the attack.

Step 3: Recover $Z_{1,14}$. The DPA attack in this step uses the known byte $T_{14}$ as the input, and performs a 16-bit exhaustive search over the following bits: the bit $C_{15,hi}$, the low-order 7 bits of $C_{14}$, the low-order 7 bits of $K_{1,14}$, and the bit $b_{14}$, defined as the XOR of the high-order bit of $C_{14}$ with the high-order bit of $K_{1,14}$. $Y_{1,14}$ is given by

$$Y_{1,14} = K_{1,14} \oplus ((C_{14} + T_{14} + \kappa_{15}) \bmod 256).$$

$Y_{1,14}$ depends on $\kappa_{15}$, which itself depends upon $C_{15}$. Hence $C_{15,hi}$ (the only bit of $C_{15}$ not recovered in Step 2) is one of the bits searched for in this step. As in Step 2, the search recovers $b_{14}$ but is unable to distinguish the high-order bits of $K_{1,14}$ and $C_{14}$, nor determine the value of the carry bit $\kappa_{14}$.

Step 4: Select those values of $T$, $0 \le T$
$< 2^{16}$, for which the bytes $X_{1,0} \ldots X_{1,13}$ remain constant. These bytes will remain constant if the carry bit $\kappa_{14}$ remains constant. Let $(C_{14,lo} \,\|\, C_{15})$ denote the 15-bit integer resulting from the concatenation of $C_{14,lo}$ and $C_{15}$. Even though the actual value of $\kappa_{14}$ is unknown, the reader can verify that it remains constant for those values of $T$ satisfying

$$2^{15} - (C_{14,lo} \,\|\, C_{15}) \le T < 2^{16} - (C_{14,lo} \,\|\, C_{15}). \quad (6)$$

This gives a subset of $T$ values for which, after applying the AddRoundKey transformation to $X_1$ and the SubBytes transformation to $Y_1$:

– The 14 bytes $\{Z_{1,0} \ldots Z_{1,13}\}$ are unknown, but constant.
– The bytes $Z_{1,14}$ and $Z_{1,15}$ are known, and varying.

The remainder of the attack proceeds using only the $2^{15}$ traces corresponding to this subset of $T$ values.

Step 5: Apply the ShiftRows and MixColumns operations to $Z_1$ to compute $V_1 = X_2$, the input to Round 2, manipulating unknown values symbolically. Using Equation 3 (discussed in §2.2), it can be shown that $X_2$ has the following properties:

– Bytes $X_{2,0} \ldots X_{2,7}$ have the form $X_{2,j} = \tilde{X}_{2,j} \oplus E_{1,j}$ (Equation 7), where the $\tilde{X}_{2,j}$ are known and vary with $T$, and the $E_{1,j}$ are unknown, but constant with respect to $T$.
– Bytes $X_{2,8} \ldots X_{2,15}$ are unknown, but constant.

Step 6: Apply the Round 2 AddRoundKey transformation to $X_2$ to compute $Y_2$, manipulating unknown values symbolically. For $X_{2,0} \ldots X_{2,7}$, the results are

$$Y_{2,j} = (\tilde{X}_{2,j} \oplus E_{1,j}) \oplus K_{2,j} = \tilde{X}_{2,j} \oplus (E_{1,j} \oplus K_{2,j}) = \tilde{X}_{2,j} \oplus \tilde{K}_{2,j}. \quad (8)$$

For these bytes, the AddRoundKey transformation is equivalent to XORing known and varying input data $\tilde{X}_{2,j}$ with constant "key" bytes $\tilde{K}_{2,j}$.

Step 7: Use DPA to recover $\tilde{K}_{2,0} \ldots \tilde{K}_{2,7}$ using $\tilde{X}_{2,0} \ldots \tilde{X}_{2,7}$ as known inputs into the relationship:

$$Z_{2,j} = S[\tilde{X}_{2,j} \oplus \tilde{K}_{2,j}]. \quad (9)$$

This step displays one of the most crucial (and interesting) features of the attack.
We cannot use the correct values for $X_{2,j}$ as input to the DPA attack, since they are unknown. Instead, we treat the known values $\tilde{X}_{2,j}$ as the input. They differ from the correct values by fixed error terms $E_{1,j}$. The keys recovered are not the correct keys, but differ from them by the same fixed error terms. As Equations 8 and 9 show, these error terms then cancel when $Y_{2,j}$ and $Z_{2,j}$ are computed, leaving us with the correct values for them.

Since bytes $X_{2,8} \ldots X_{2,15}$ are unknown but constant, the corresponding bytes $Z_{2,8} \ldots Z_{2,15}$ are also unknown, but constant. At the end of this step,

– $Z_{2,0} \ldots Z_{2,7}$ are varying, and known exactly.
– $Z_{2,8} \ldots Z_{2,15}$ are unknown, but constant.

Step 8: As in Step 5, apply the ShiftRows and MixColumns operations to $Z_2$ to compute $V_2 = X_3$, the input to Round 3, manipulating unknown values symbolically. Again, the result can be expressed in terms of a known vector $\tilde{X}_3$ as

$$X_3 = \tilde{X}_3 \oplus E_2,$$

where

– $E_2$ is a vector of 16 unknown, but constant bytes.
– Every byte of $\tilde{X}_3$ is known and variable.

Step 9: Use DPA to recover $Z_3$. The attack uses $\tilde{X}_3$ as the known variable input, and recovers $\tilde{K}_3$ and all 16 correct bytes of $Z_3$.

Step 10: Given all 16 correct values of $Z_3$, apply the ShiftRows and MixColumns operations to obtain $V_3 = X_4$. Note that at this point all the error terms are gone, and $X_4$ is the correct input to Round 4.

Step 11: Use DPA to obtain $K_4$ using the known, variable Round 4 input $X_4$.
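Equations 4 and 5 from Step 2 and the range condition of Equation 6 from Step 4 are small enough to check exhaustively. The following Python is an added example, not code from the paper: it verifies Equation 4 for every byte pair, checks that $Y_{1,15}$ depends only on the 15 bits of Equation 5, counts for how many values of $T_{15}$ two $(K_{15}, C_{15})$ hypotheses produce the same $Y_{1,15}$ (which is how the secondary spikes reported in Section 4 arise), and reproduces the $19134 \le T < 51902$ range from Section 4. The values 30h, 42h, 35h and the two harmonic pairs (70h, 02h, 1) and (10h, 62h, 0) are the ones the paper reports; the function names are this example's own.

```python
# Added example (not code from the paper): exhaustive checks of Equations 4-6.
# Notation as in Steps 2-4: C15 is the low-order byte of the secret counter,
# T15 the low-order byte of the block index T, K15 the round-1 key byte, and
# b15 = (high bit of K15) XOR (high bit of C15).

def y_direct(k15: int, c15: int, t15: int) -> int:
    """Y_{1,15} = K_{1,15} XOR ((C15 + T15) mod 256), from the full bytes (Eq. 1)."""
    return k15 ^ ((c15 + t15) & 0xFF)

def y_reduced(b15: int, k15_lo: int, c15_lo: int, t15: int) -> int:
    """Y_{1,15} from only the 15 bits of Eq. 5: b15, K_{1,15,lo}, C_{15,lo}."""
    return (b15 << 7) ^ k15_lo ^ ((c15_lo + t15) & 0xFF)

def hi_lo(byte: int):
    """Split a byte into (high-order bit, low-order 7 bits)."""
    return byte >> 7, byte & 0x7F

def equation4_holds() -> bool:
    """Eq. 4 for every (C15, T15):
    (C15 + T15) mod 256 == (2^7 * C15,hi) XOR ((C15,lo + T15) mod 256)."""
    for c15 in range(256):
        c_hi, c_lo = hi_lo(c15)
        for t15 in range(256):
            if (c15 + t15) & 0xFF != ((c_hi << 7) ^ ((c_lo + t15) & 0xFF)):
                return False
    return True

def equation5_holds(t_step: int = 13) -> bool:
    """Eq. 5: Y_{1,15} is determined by (b15, K_lo, C_lo) alone.  All 65536 (K15, C15)
    pairs are tried against a spread of T15 values (Eq. 4 already covers every T15)."""
    t_values = range(0, 256, t_step)
    for k15 in range(256):
        k_hi, k_lo = hi_lo(k15)
        for c15 in range(256):
            c_hi, c_lo = hi_lo(c15)
            b15 = k_hi ^ c_hi
            for t15 in t_values:
                if y_direct(k15, c15, t15) != y_reduced(b15, k_lo, c_lo, t15):
                    return False
    return True

def agreement(k15: int, c15: int, k15_alt: int, c15_alt: int) -> int:
    """Number of the 256 T15 values for which two (K15, C15) hypotheses give the same
    Y_{1,15}.  256 means the hypotheses are indistinguishable (same b15, K_lo, C_lo);
    128 is one of the "harmonics" of Section 4, footnote 2: right for half the inputs."""
    return sum(y_direct(k15, c15, t) == y_direct(k15_alt, c15_alt, t) for t in range(256))

def eq6_range(c14_lo: int, c15: int):
    """Eq. 6: the half-open range of T (0 <= T < 2^16) over which the carry out of
    byte 14, and hence bytes X_{1,0..13} of C + T, stays constant."""
    low15 = (c14_lo << 8) | c15          # the 15-bit integer (C14,lo || C15)
    return 2 ** 15 - low15, 2 ** 16 - low15

def carry_is_constant(c14: int, c15: int) -> bool:
    """Check the Eq. 6 claim directly against the 16-bit addition C[14..15] + T."""
    lo, hi = eq6_range(c14 & 0x7F, c15)
    word = (c14 << 8) | c15
    carries = {(word + t) >> 16 for t in range(lo, hi)}
    return len(carries) == 1
```

The agreement count is the part worth keeping in mind when evaluating a design: a byte addition followed by an XOR has structured near-misses, since a hypothesis whose $C$ is off by a power of two with a compensating bit in $K$ is right for exactly half of the inputs. An evaluation of such a construction should expect those secondary peaks, as the paper does, rather than read them as noise.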
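The error-term argument of Section 2.2 (Equation 3) and of Steps 4 through 7 can be reproduced on a real AES round without any power measurement. The following Python is an added example and not the paper's software: it builds the AES S-box and MixColumns from their definitions, simulates Round 1 of counter-mode encryption for a constructed 16-byte secret counter (its two low-order bytes are the 35h and 42h recovered in Section 4; the other fourteen are arbitrary), uses the $K_1$ and $K_2$ the paper reports in Section 4, and then compares the true $X_2$ with the $\tilde{X}_2$ an analyst obtains by substituting 0 for the unknown bytes of $Z_1$, the substitution Section 4 Step 5 describes. The constructed counter and the function names are assumptions of this example.

```python
# Added example (not the paper's code): one real AES round, used to check the
# claims of Equation 3 and Steps 4-7.  For T inside the Eq. 6 range, the analyst's
# X2~ (unknown Z1 bytes replaced by 0, as Section 4 Step 5 does) should differ from
# the true X2 by a constant E1 on bytes 0..7, bytes 8..15 of X2 should be constant,
# and E1 should cancel once it is folded into the round-2 key (Equations 8-9).

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _make_sbox() -> list:
    """AES S-box: multiplicative inverse (x^254) followed by the affine map."""
    box = []
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254 if x else 0):
            inv = gf_mul(inv, x)
        s = inv
        for k in range(1, 5):                      # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _make_sbox()
SHIFT_ROWS = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11]   # U_i = Z_i permuted (Sec. 2.2)
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]       # MixColumns coefficients

def mix_columns(u: list) -> list:
    """V = MixColumns(U), column by column, as in the four equations of Section 2.2."""
    v = []
    for j in range(4):
        col = u[4 * j:4 * j + 4]
        for row in MIX:
            acc = 0
            for coef, byte in zip(row, col):
                acc ^= gf_mul(coef, byte)
            v.append(acc)
    return v

def round1_to_x2(x1: list, k1: list, known: set) -> list:
    """X2 = MixColumns(ShiftRows(SubBytes(X1 xor K1))).  Bytes of Z1 whose index is
    not in `known` are unknown to the analyst and are replaced by 0."""
    z1 = [SBOX[x ^ k] if j in known else 0 for j, (x, k) in enumerate(zip(x1, k1))]
    return mix_columns([z1[p] for p in SHIFT_ROWS])

def counter_block(c: list, t: int) -> list:
    """X1 = C + T for a 16-byte big-endian counter C; byte 15 is the low-order byte."""
    v = (int.from_bytes(bytes(c), "big") + t) % (1 << 128)
    return list(v.to_bytes(16, "big"))

def eq6_range(c: list):
    """Eq. 6: T values for which the carry out of byte 14 (hence X_{1,0..13}) is constant."""
    low15 = ((c[14] & 0x7F) << 8) | c[15]
    return 2 ** 15 - low15, 2 ** 16 - low15

# Constructed secret counter: bytes 0..13 are arbitrary (the paper never learns them);
# bytes 14 and 15 carry the values recovered in Section 4 (C14,lo = 35h, C15 = 42h).
C_SECRET = list(bytes.fromhex("9F1E2D3C4B5A69788796A5B4C3D2" "3542"))
# Round keys K1 and K2 exactly as reported in Section 4 of the paper.
K1 = list(bytes.fromhex("CC8D5116F686D8DE63EFE6D68A496530"))
K2 = list(bytes.fromhex("F6C0556800468DB663A96B60E9E00E50"))

def check_error_terms(c=C_SECRET, k1=K1, k2=K2, n=64) -> dict:
    """Walk n consecutive T from the start of the Eq. 6 range plus its last value,
    comparing the true X2 with the analyst's X2~ built from Z1,14 and Z1,15 only."""
    lo, hi = eq6_range(c)
    errs, tails, heads, k2_tilde, z2_ok = set(), set(), set(), None, True
    for t in list(range(lo, lo + n)) + [hi - 1]:
        x1 = counter_block(c, t)
        x2_true = round1_to_x2(x1, k1, set(range(16)))
        x2_tilde = round1_to_x2(x1, k1, {14, 15})
        e1 = [a ^ b for a, b in zip(x2_true, x2_tilde)]        # the E_{1,j} of Eq. 7
        errs.add(tuple(e1[:8]))
        tails.add(tuple(x2_true[8:]))
        heads.add(tuple(x2_tilde[:8]))
        if k2_tilde is None:                                    # K~_{2,j} = K_{2,j} ^ E_{1,j} (Eq. 8)
            k2_tilde = [k ^ e for k, e in zip(k2, e1)]
        # Eq. 9: S[X~ ^ K~] equals the true S[X ^ K] for the eight variable bytes
        z2_ok = z2_ok and all(SBOX[xt ^ kt] == SBOX[x ^ k] for xt, kt, x, k
                              in zip(x2_tilde[:8], k2_tilde[:8], x2_true[:8], k2[:8]))
    return {"E1_constant": len(errs) == 1, "X2_8_15_constant": len(tails) == 1,
            "X2_0_7_vary": len(heads) > 1, "Z2_0_7_correct": z2_ok}
```

The returned flags state the three properties of Step 5 and the cancellation of Equations 8 and 9: the XOR difference on bytes 0 to 7 is the same for every $T$ in the Equation 6 subset, bytes 8 to 15 of the true $X_2$ never change, and the folded key $\tilde{K}_2 = K_2 \oplus E_1$ gives the correct $Z_2$ bytes from the analyst's $\tilde{X}_2$. All of this follows from MixColumns being linear over $GF(2^8)$, which is why the paper's concluding remarks point at changing the counter update rule rather than relying on counter secrecy.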
If 24- or 32-byte keys are used, repeat Steps 10 and 11 in Round 5 to recover another round key.

Step 12: After recovering enough round keys, reverse the key schedule and determine the original AES key.

4 Results

The attack was implemented against a smart card performing AES-128 in counter mode with unknown initial counter value.

Step 1. Power traces were collected during $2^{16}$ sequential encryptions.

Step 2. A custom program was written to search over $K_{1,15,lo}$, $C_{15,lo}$, and $b_{15}$, using the input values of $T_{15}$ to generate predicted values of $Z_{1,15}$. Then DPA was used to evaluate the predictions. The analysis took about 11 minutes on a Dell workstation and revealed that $(K_{1,15,lo}, C_{15,lo}, b_{15}) = (\text{30h}, \text{42h}, 0)$. Because evaluating $2^{15}$ difference traces individually is somewhat tedious, we measured and plotted the average square of the total amplitude of the differentials observed in each differential trace. In addition to the primary spike at $(\text{30h}, \text{42h}, 0)$, this representation reveals secondary harmonics at $(\text{70h}, \text{02h}, 1)$, $(\text{10h}, \text{62h}, 0)$, and a few other locations as expected. Note that the AES substitution table is extremely flat, and does not contribute these harmonic peaks. Rather the spikes observed in this figure are due to relationships between the input parameters, stemming from the structure of the XOR and ADD combination.²

[Figure 2 not reproduced.] Fig. 2. DPA search results in compact form, showing primary spike for $K_{1,15,lo} = \text{30h}$, $C_{15,lo} = \text{42h}$, and $b_{15} = 0$ at offset 6210 of 32678.

Step 3. A standard DPA attack was implemented to recover $C_{15,hi}$, $K_{1,14,lo}$, $C_{14,lo}$, and $b_{14}$, using $T_{14}$ as the primary input, and $T_{15}$ and $C_{15,lo}$ to derive the carry $\kappa_{15}$. This information was then used to compute $Z_{1,14}$. The analysis revealed that $C_{15,hi} = 0$, $K_{1,14,lo} = \text{65h}$, $C_{14,lo} = \text{35h}$, and $b_{14} = 0$.

Step 4. The recovered values $(C_{14,lo}, C_{15}) = (\text{35h}, \text{42h})$

² Consider the eight-bit construction $Y = f(K, C, X) = K \oplus ((C + X) \bmod 256)$. There are fifteen "harmonic" values of $(K_i, C_i)$ for which $f(K_i, C_i, X) = f(\text{30h}, \text{42h}, X)$ for half of the possible values of $X$. With these related keys the input to the SubBytes would be correct exactly 50% of the time. At the output
of the SubBytes operation, individual bits of $Z_{1,15}$ are correct about 75% of the time, leading to high-amplitude spikes in single-bit analysis. The Hamming weight of $Z_{1,15}$ is correct 57%–64% of the time for these related keys. If correlation or other multi-bit analysis methods are used, the statistical significance of the harmonic spikes will be observed with greater clarity.

Step 4 (continued). The values $(C_{14,lo}, C_{15}) = (\text{35h}, \text{42h})$ were used to determine the values of $T$ for which bytes $0 \ldots 13$ of $C + T$ remain constant. These values are given by

$$2^{15} - \text{3542h} \le T < 2^{16} - \text{3542h} \;\Rightarrow\; 19134 \le T < 51902.$$

For the remainder of the attack, only those power traces for which $T$ is in this range were used.³

Step 5. In this step we need to apply the ShiftRows and MixColumns operations to $Z_1$ to compute $X_2$. Only $Z_{1,14}$ and $Z_{1,15}$ are known, however, and our analysis software is not configured to handle variables symbolically. As noted in Step 7, however, the DPA attack to recover the eight bytes $Z_{2,0} \ldots Z_{2,7}$ is unaffected by the actual values of the error terms $E_{1,j}$ derived from the unknown bytes of $Z_1$. Hence, to complete this step, we substituted the value 0 for each unknown constant byte. We were then able to perform the ShiftRows and MixColumns transformations using our existing software.

Steps 6, 7. DPA was used to recover "key" bytes $\tilde{K}_{2,0} = K_{2,0} \oplus E_{1,0}, \ldots, \tilde{K}_{2,7} = K_{2,7} \oplus E_{1,7}$ using input data $\tilde{X}_{2,0} = X_{2,0} \oplus E_{1,0}, \ldots, \tilde{X}_{2,7} = X_{2,7} \oplus E_{1,7}$. The 8 bytes of $\tilde{K}_{2,0} \ldots \tilde{K}_{2,7}$ recovered were:

$\tilde{K}_2$ = 30451E9FD1923450----------------h

Given the $\tilde{K}_{2,j}$ and $\tilde{X}_{2,j}$ we calculated the correct values $Z_{2,0} \ldots Z_{2,7}$ by $Z_{2,j} = S[\tilde{X}_{2,j} \oplus \tilde{K}_{2,j}]$.

Step 8. At this point, bytes $Z_{2,0} \ldots Z_{2,7}$ are known and variable, and the remaining $Z_{2,j}$ are unknown but constant. As in Step 5, the unknown $Z_{2,j}$ are set to zero, and the second round completed. All 16 bytes of $V_2 = X_3$ have the form $X_{3,j} = \tilde{X}_{3,j} \oplus E_{2,j}$, where the $\tilde{X}_{3,j}$ are known and variable, and the $E_{2,j}$ are unknown but constant.

Step 9. As in Step 7, the $\tilde{X}_{3,j}$ were used as known input to a DPA attack to recover $\tilde{K}_{3,j}$ and $Z_{3,j}$. All 16 bytes of $Z_3$ were recovered, as was the entire key $\tilde{K}_3$:

$\tilde{K}_3$ = 7A610872DE8FE299708A89A85DD9914Dh

³ The signal-to-noise levels observed in this
dataset were sufficiently high that we actually performed the attack on round two using only $2^{13}$ traces.

Step 10. With all 16 values of $Z_3$ known, we simply completed the round to compute $V_3 = X_4$, the correct input to Round 4.

Step 11. We performed standard DPA using correct, known variable inputs $X_4$. The following key was recovered:

$K_4$ = 52438AAD476E016D31EAE1CDAE8E0F3Dh

Step 12. Since the target of this attack was performing AES-128, at this point we had sufficient material from the key schedule to compute the correct input key. Running the key schedule backwards gave:

$K_4$ = 52438AAD476E016D31EAE1CDAE8E0F3Dh
$K_3$ = 156B0676152D8BC07684E0A09F64EEF0h
$K_2$ = F6C0556800468DB663A96B60E9E00E50h
$K_1$ = CC8D5116F686D8DE63EFE6D68A496530h

Therefore, the 128-bit AES key recovered by this attack is equal to

$K$ = CC8D5116F686D8DE63EFE6D68A496530h

and the attack is complete.

5 Concluding Remarks

In this paper we described a first-order DPA attack against AES in counter mode with an unknown counter. We introduced a technique to shift unknown constant data onto round keys such that they could be effectively ignored. This compensates for the unknown counter value, as well as the counter mode property that only the low-order bytes of the input change.

The techniques presented here were used to mount an attack against a smart card implementation of AES in counter mode. The attack required only $2^{13}$ traces pulled from a set of $2^{16}$ sequential operations. The same technique might still succeed using $2^8$ or fewer sequential traces, if the leakage rates are sufficiently high.

Countermeasures that defend against first-order DPA attacks should be effective against this attack as well. Also, modifying the method by which the counter updates (using a linear feedback shift register, for example) would present a challenge to this attack.

The techniques in this paper can be applied to other cryptographic algorithms. In general, when an unknown constant is mixed with known variable data, DPA can be used to mount an attack if the mixing function is nonlinear. As we have
shown, if the mixing function is linear, evaluation of the secret constant can often be postponed until an attack is possible.

References

1. Paul Kocher, Josh Jaffe, and Benjamin Jun. Differential Power Analysis. In Advances in Cryptology - CRYPTO 1999, LNCS 1666, Springer-Verlag, 1999, pp. 388–397.
2. Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, Pankaj Rohatgi. Towards Sound Approaches to Counteract Power-Analysis Attacks. In Advances in Cryptology - CRYPTO 1999, LNCS 1666, Springer-Verlag, 1999, pp. 398–412.
3. National Institute of Standards and Technology. Advanced Encryption Standard (AES) (FIPS PUB 197). Federal Information Processing Standards Publication 197 (FIPS 197), November 2001.
4. M. Dworkin. Recommendation for Block Cipher Modes of Operation: Methods and Techniques. National Institute of Standards and Technology, Special Publication 800-38A, December 2001.
5. Paul N. Fahn, Peter K. Pearson. IPA: A New Class of Power Attacks. In Cryptographic Hardware and Embedded Systems - CHES 1999, LNCS 1717, Springer-Verlag, 1999, pp. 173–186.
6. Rita Mayer-Sommer. Smartly Analyzing the Simplicity and the Power of Simple Power Analysis on Smartcards. In Cryptographic Hardware and Embedded Systems - CHES 2000, LNCS 1965, Springer-Verlag, 2000, pp. 78–92.
7. Stefan Mangard. A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion. In ICISC 2002, LNCS 2587, Springer-Verlag, 2002, pp. 343–358.
8. Thomas Messerges, Ezzy Dabbish, Robert Sloan. Investigations of Power Analysis Attacks on Smartcards. In USENIX Workshop on Smartcard Technology, 1999, pp. 151–162.
9. Hervé Ledig, Frédéric Muller, Frédéric Valette. Enhancing Collision Attacks. In Cryptographic Hardware and Embedded Systems - CHES 2004, LNCS 3156, Springer-Verlag, 2004, pp. 176–190.
10. Kai Schramm, Thomas Wollinger, and Christof Paar. A New Class of Collision Attacks and its Application to DES. In Fast Software Encryption - FSE 2003, LNCS 2887, Springer-Verlag, 2003, pp. 206–222.
11. Kai Schramm, Gregor Leander, Patrick Felke, Christof Paar. A Collision-Attack on AES
Combining Side Channel- and Differential-Attack. In Cryptographic Hardware and Embedded Systems - CHES 2004, LNCS 3156, Springer-Verlag, 2004, pp. 163–175.
12. Paul Kocher, Josh Jaffe, Benjamin Jun. Introduction to Differential Power Analysis and Related Attacks (Technical Report), /resources/whitepapers/DPATechInfo.pdf and /web/19990504025809//dpa/technical/index.html via http:///244azs and /2zgfc3, 1998.
13. Josh Jaffe, Benjamin Jun, Paul Kocher. Advanced Topics 1, Presentation for the DPA Workshop, Chicago IL, Cryptography Research, May 14–15 1999.
14. Pierre-Alain Fouque, Frédéric Valette. The Doubling Attack – Why Upwards Is Better than Downwards. In Cryptographic Hardware and Embedded Systems - CHES 2003, LNCS 2779, Springer-Verlag, 2003, pp. 269–280.
15. Thomas Messerges. Using Second-Order Power Analysis to Attack DPA Resistant Software. In Cryptographic Hardware and Embedded Systems - CHES 2000, LNCS 1965, Springer-Verlag, 2000, pp. 238–251.
16. Suresh Chari, Charanjit Jutla, Josyula R. Rao, Pankaj Rohatgi. A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards. AES Second Candidate Conference, /encryption/aes/round1/conf2/papers/chari.pdf, February 1999.
17. Mehdi-Laurent Akkar, Régis Bevan, Paul Dischamp, Didier Moyart. Power Analysis, What Is Now Possible. In ASIACRYPT 2000, LNCS 1976, Springer-Verlag, 2000, pp. 489–502.
18. David A. McGrew, John Viega. The Galois/Counter Mode of Operation (GCM). National Institute of Standards and Technology, Draft Special Publication 800-38D, May 31, 2005.
19. J. Viega and D. McGrew. The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP), RFC 4106, June 2005.