• No se han encontrado resultados

7. Análisis del Plan de Investigación – Acción Participación

7.3. Etapa Tres: Exploración del videojuego como herramienta para el aprendizaje del inglés

7.3.1. Categorías de análisis

A

Definitions: Turing Machines

We recall the definition of a Turing machine (TM). A TMMis represented by the tuple(Q,Γ, β,Σ, δ, qst, F)

whereQis a finite set of states,Γis a finite alphabet,β ∈Γis the blank symbol,Σ⊆Γ\ {β}is the set of input symbols,qstis the start state,F ={qacc, qrej}whereqacc ∈Qis the accept state,qrej ∈Qis the reject state andδ :Q\F ×Γ→Q×Γ× {L, R}is the transition function (stored as a table). Upon inputw= (w1, . . . , wk)∈Σkfor some arbitrary polynomialk, the machineM accepts the input if and

only if given a tape initialised with the inputwand the head atw1, following the TM’s transition function

leads toqacc. We sayM(w) = 1iffM acceptswand0otherwise. We also denote the runtime of a TM M (i.e. number of steps the head takes) on an inputwbyruntime(M,w).

Oblivious Turing Machines

Our construction makes use of oblivious Turing machines.

Definition A.1(Oblivious Turing Machine [Imp]). An Oblivious Turing Machine (OTM) is a Turing Machine for which there exists a functiontsuch that, at every timestepithe machine head is at cellt(i)

Moreover there exist efficient transformations that convert any Turing machineM that takes timeT

to decide an input to an oblivious one that takes timeTlogT to decide the same input [PF79]. Here, we describe a simple transformation that incurs a quadratic blowup in running time.

Given a TMM, a simple OTM construction adds an additional marker for the head location. Now, to simulate stepiin the TM, the OTM, scans from cell1to celli, ensuring that it reads the current head location. Now, it moves back from cellito1, writing the correct symbol for the next step, while also updating the state. Once back at cell1, simulation of stepiis complete, and the OTM moves to a state simulateqi+1and ifqi+1is not an accepting or rejecting state, it moves to simulating stepi+ 1. Since in

stepi, we would need to scan at mosticells (as that is the farthermost the head could have moved), a

O(t)computation, now takesO(t2). Also, if we are willing to reveal the runtime of the given input on

the Turing Machine, then we can stop simulating after the last timestept. A more efficient transformation due to Pippenger-Fischer[PF79] reduces the time required toO(tlogt).

We note that a slightly different definition of OTMs [AB08] requires that the head movements are the same forallinputs of the same size, which would imply that the OTM runs in worst case time. However, if we are willing to reveal the running time of a machine on a given input, then the OTM can be made to halt once the input has been decided. In particular, ifruntime(M1,w1) =runtime(M2,w2), then the

head movements of the OTM corresponding toM1and the OTM corresponding toM2are exactly the

same.

In our construction, the OTM will be provided the input length of the message as an explicit input, and can use this to compute the head movements at any given time step.

B

Missing Details in Proof of Theorem3.1

Proof. In the following we argue that consecutive hybrids as defined in Section3.3are indistinguishable. Claim B.1. If1FE1is a secureCktFEscheme, then hybridsH(0)andH(1,1)are indistinguishable.

Proof. Given a PPT adversary A that distinguishes H(0) and H(1,1), we construct another PPT

adversaryBwho breaks the security of the1FE1scheme as follows.

1. Breceives 1FE1.PKfrom the1FE1 challenger and returns this to A. Additionally, it samples by itself (1FE2.PK,1FE2.MSK) ← 1FE2.Setup(1λ),salt ← {0,1}λ and two random strings ct1,ct2← CSKE, whereCSKEdenotes the ciphertext space of theSKEscheme.

2. When A outputs a pair of challenge distributions(D`

0,D1`) with supportΣ` for any arbitrary

`=poly(λ)and a function queryM obeying the admissibility criteria that∀b∈ {0,1},wb ← D`b, runtime(M,w0) =runtime(M,w1)andM(w0)

c

≈M(w1),Bdoes the following.

(a) To simulate the challenge ciphertext, it first samples a pair of challenge messages(w0,w1)←

(D`

0,D`1)such that{wb}b∈{0,1} = {(wb,1, . . . , wb,`)}b∈{0,1}. It also samples a root cPRF

keyK0←F.Setup(1λ).

(b) Bexecutes the oblivious TMMonw0to learn the (symbol, state) pairs(σT0−1,q0T−1)and

(σ0T2,q0T2) at time stepsT −1 and T −2 respectively. It also records the time steps

(T0, T −2)and(T00, T −3)when the individual components of these two (symbol, state) pairs are generated and then prepares a new pair of challenge distributions(Db`0,Db`1)for the 1FE1challenger as follows.

i. Forb= 0,Db`0 ={x0 = (x0,1, . . . , x0,`)}, where∀i∈[`]x0,i = (K0, i, `, w0,i,Trap0),

mode-real:⊥ key-id:salt val0:w0,i val1:w1,i SKE.K:⊥ ⊥

mode-trap1: 1 Target TS1:T−1 Sym TS1:T0 Sym val1:σ0T−1 ST TS1:T −2 ST val1:q0T−1

mode-trap2: 1 Target TS2:T−2 Sym TS2:T00 Sym val2:σ0T−2 ST TS2:T −3 ST val2:q0T−2

mode-trap3:⊥ Target TS:⊥ Sym TS:⊥ ⊥ ST TS:⊥ ⊥

Figure 11:Trap1configuration inH(1,1)

ii. Forb= 1,Db`1 ={x1 = (x1,1, . . . , x1,`)}, where∀i∈[`]x1,i = (K0, i, `, w0,i,Trap1),

with the modified fields inTrap1as shown in Figure11.

(c) It sends the distribution pair to the1FE1 challenger and relays the response back toA.

(d) To simulate a function key forM,Bfirst requests for a function key to the1FE1 challenger for the function ReRand1FE2.PK,salt,qst,⊥,⊥ and receives SKReRand. B computes by itself SKNext ← 1FE2.KeyGen(1FE2.MSK,Next1FE2.PK,salt,M,ct1,ct2)and returns a function key

forM asSKM = (SKReRand,SKNext)toA.

3. WhenAoutputs a guess,Bdoes the same.

Observe that for all time stepst /∈ {T0, T −2, T00, T −3}, the decryption outputs are exactly the same ciphertexts in both theH(0)andH(1,1), since these ciphertexts are computed according to the real world functionality of Next. At a time stept ∈ {T0, T −2, T00, T −3} in H(1,1), the decryption

mimicsthe real world decryption ofH(0)due to the execution paths in theNextfunction conditioned on

Trap1.mode-trap1 =Trap1.mode-trap2 = 1. Therefore,Bis an admissible adversary against the1FE1

challenger since the outputs for the two challenge message sets are exactly the same. Ifb= 0,Asees the distribution ofH(0), while ifb = 1,Asees the distribution ofH(1,1). Thus the advantage ofA translates to the advantage ofB.

Claim B.2. IfSKEis a secure symmetric-key encryption scheme, then hybridsH(1,1)andH(1,2)are indistinguishable.

Proof. Given aPPTadversaryAthat distinguishes H(1,1)andH(1,2), we construct anotherPPT

adversaryBwho breaks the security of theSKEscheme as follows.

1. Bsamples(1FE1.PK,1FE1.MSK)←1FE1.Setup(1λ),(1FE2.PK,1FE2.MSK)←1FE2.Setup(1λ)

andsalt← {0,1}λ. It sendsPK=1FE1.PKtoA.

2. When A outputs a pair of challenge distributions(D`

0,D1`) with supportΣ` for any arbitrary

`=poly(λ)and a function queryM obeying the admissibility criteria that∀b∈ {0,1},wb ← D`b, runtime(M,w0) =runtime(M,w1)andM(w0)

c

≈M(w1),Bdoes the following.

(a) To simulate the challenge ciphertext, it first samples a pair of challenge messages(w0,w1)←

(D`

0,D`1)such that{wb}b∈{0,1} = {(wb,1, . . . , wb,`)}b∈{0,1}. It also samples a root cPRF

keyK0←F.Setup(1λ).

(b) B executes the oblivious TM M on w0 to learn the (symbol, state) pairs (σT0−1,q0T−1)

and (σ0T2,q0T2) at time steps T −1 and T −2 respectively. It also records the time steps(T0, T −2)and(T00, T −3)when the individual components of these two (symbol, state) pairs are generated. It then simulates the encryption oracle by computing CTi = 1FE1.Enc(1FE1.PK, x1,i), where∀i∈[`], x1,i = (K0, i, `, w0,i,Trap1)andTrap1is as per

Figure11. It returns the ciphertextCT={CTi}i∈[`]toA.

i. It first computesSKReRand ←1FE1.KeyGen(1FE1.MSK,ReRand1FE2.PK,salt,qst,⊥,⊥).

ii. It then computes1FE2encodings of(σT01,q0T1)as follows.

• Compute a delegated cPRF key KT = F.KeyDel(K0, fT) and generate the

encryption randomness for time stepT −1asrT−1=F.Eval(K0,(T −1ksalt)). • Compute the1FE2symbolciphertext to be given as output at time stepT0 for the

future time step T −1 as CT0sym,T1 = 1FE2.Enc(1FE2.PK1,z01;rT−1), where

z10= (SYM,salt,KT, T −1, `, σT0−1,Trap1)andTrap1is as per Figure11. • Compute the 1FE2 stateciphertext to be given as output at time stepT −2 for

the future time stepT −1asCT0st,T1 =1FE2.Enc(1FE2.PK2,z02;rT−1), where

z0

2= (ST,q0T−1).

iii. It sends the1FE2ciphertextsCT0sym,T−1,CT0st,T−1to the challenger of theSKEscheme

and gets backct1,ct2.

iv. Bthen computes SKNext ← 1FE2.KeyGen(1FE2.MSK,Next1FE2.PK,salt,M,ct1,ct2) and

returns a function key forMasSKM = (SKReRand,SKNext)toA.

3. WhenAoutputs a guess,Bdoes the same.

Note that the only difference between the two hybrids is that theSKEencryptions programmed in the function key is random inH(1,1)and are validSKEencryptions of(CTsym0 ,T−1,CT0st,T−1)encoding the

(symbol, state) pair for time stepT−1inH(1,2). Hence the advantage of an adversary who distinguishes between the two hybrids translates to an advantage of an adversary against theSKEscheme.

Claim B.3. If1FE1is a secureCktFEscheme, then hybridsH(1,2)andH(1,3)are indistinguishable.

Proof. Given a PPT adversaryA that distinguishes H(1,2)and (1,3), we construct anotherPPT

adversaryBwho breaks the security of the1FE1scheme as follows.

1. B receives 1FE1.PK from the 1FE1 challenger and returns this to A. Additionally, it

samples by itself(1FE2.PK,1FE2.MSK) ← 1FE2.Setup(1λ),salt ← {0,1}λ and a key K ← SKE.KeyGen(1λ).

2. When A outputs a pair of challenge distributions(D`

0,D1`) with supportΣ` for any arbitrary

`=poly(λ)and a function queryM obeying the admissibility criteria that∀b∈ {0,1},wb ← D`b, runtime(M,w0) =runtime(M,w1)andM(w0)

c

≈M(w1),Bdoes the following.

(a) To simulate the challenge ciphertext, it first samples a pair of challenge messages(w0,w1)←

(D`

0,D`1)such that{wb}b∈{0,1} = {(wb,1, . . . , wb,`)}b∈{0,1}. It also samples a root cPRF

keyK0←F.Setup(1λ).

(b) Bexecutes the oblivious TMMonw0to learn the (symbol, state) pairs(σT0−1,q0T−1)and

(σ0T2,q0T2) at time stepsT −1 and T −2 respectively. It also records the time steps

(T0, T −2)and(T00, T −3)when the individual components of these two (symbol, state) pairs are generated and then prepares a new pair of challenge distributions(Db`0,Db`1)for the 1FE1challenger as follows.

i. Forb= 0,Db`0 ={x0 = (x0,1, . . . , x0,`)}, where∀i∈ [`]x0,i = (K0, i, `, w0,i,Trap0)

with the fields ofTrap0being same as that of inTrap1inH(1,2)as per Figure11. ii. Forb= 1,Db`1 ={x1 = (x1,1, . . . , x1,`)}, where∀i∈[`]x1,i = (K0, i, `, w0,i,Trap1),

mode-real:⊥ key-id:salt val0:w0,i val1:w1,i SKE.K:K ⊥ mode-trap1:⊥ Target TS1:⊥ Sym TS1:⊥ Sym val1:⊥ ST TS1:⊥ ST val1:⊥

mode-trap2: 1 Target TS2:T−2 Sym TS2:T00 Sym val2:σ0T−2 ST TS2:T −3 ST val2:q0T−2

mode-trap3: 1 Target TS:T−1 Sym TS:T0 ⊥ ST TS:T−2 ⊥ Figure 12:Trap1configuration inH(1,3)

(c) It sends the distribution pair to the1FE1 challenger and relays the response back toA.

(d) To simulate a function key forM,Bdoes the following.

i. It requests for a function key forReRand1FE2.PK,salt,qst,⊥,⊥to the1FE1challenger and

receivesSKReRand.

ii. It then computes1FE2encodings of(σT01,q0T1)as follows.

• Compute a delegated cPRF key KT = F.KeyDel(K0, fT) and generate the

encryption randomness for time stepT −1asrT−1=F.Eval(K0,(T −1ksalt)). • Compute the1FE2symbolciphertext to be given as output at time stepT0 for the

future time step T −1 as CT0sym,T−1 = 1FE2.Enc(1FE2.PK1,z01;rT−1), where

z10= (SYM,salt,KT, T −1, `, σT0−1,Trap1)andTrap1is as per Figure12now. • Compute the 1FE2 stateciphertext to be given as output at time stepT −2 for

the future time stepT −1asCT0st,T−1 =1FE2.Enc(1FE2.PK2,z02;rT−1), where

z02= (ST,q0T1).

iii. Once it has generated the two1FE2ciphertextsCT0sym,T−1andCT0st,T−1, it computes

twoSKEciphertextsct1 =SKE.Enc(K,CT0sym,T−1)andct2 =SKE.Enc(K,CT0st,T−1).

iv. Finally, it computes SKNext ← 1FE2.KeyGen(1FE2.MSK,Next1FE2.PK,salt,M,ct1,ct2)

and returns a function key forM asSKM = (SKReRand,SKNext)toA.

3. WhenAoutputs a guess,Bdoes the same.

Observe that for all time stepst /∈ {T0, T −2}, the decryption outputs are exactly the same ciphertexts in bothH(1,2)andH(1,3). At time stept∈ {T0, T−2}inH(1,2),Trap0.mode-trap1= 1(in Figure11) dictates the decryption to output two decomposed components of a single1FE2ciphertext, one component encodingTrap0.Sym val1=σT0−1at time stepT0 and the other encodingTrap0.ST val1 =q0T−1 at time

stepT −2. Alternatively inH(1,3),Trap1.mode-trap3 = 1(in Figure12) dictates the decryption to firstly useTrap1.SKE.K=Kto decrypt the hardwired ciphertextct1and outputCT0sym,T−1at time step

T0(respectively,ct2 and outputCT0st,T−1at time stepT −2). In both the hybrids, these symbol and state

ciphertext pieces are computed for target time stepT −1. ThusBis an admissible1FE1adversary. If b= 0,Asees the distribution ofH(1,2), while ifb= 1,Asees the distribution ofH(1,3). Hence the advantage ofAtranslates to the advantage ofB.

Claim B.4. If1FE1is a secureCktFEscheme, then hybridsH(1,3)andH(1,4)are indistinguishable.

Proof. Given aPPTadversaryAthat distinguishes H(1,3)andH(1,4), we construct anotherPPT

adversaryBwho breaks the security of the1FE1scheme as follows.

1. B receives 1FE1.PK from the 1FE1 challenger and returns this to A. Additionally, it

samples by itself(1FE2.PK,1FE2.MSK) ← 1FE2.Setup(1λ),salt ← {0,1}λ and a key K SKE.KeyGen(1λ).

2. When A outputs a pair of challenge distributions(D`

0,D1`) with supportΣ` for any arbitrary

`=poly(λ)and a function queryM obeying the admissibility criteria that∀b∈ {0,1},wb ← D`b, runtime(M,w0) =runtime(M,w1)andM(w0)

c

≈M(w1),Bdoes the following.

(a) To simulate the challenge ciphertext, it first samples a pair of challenge messages(w0,w1)←

(D`

0,D`1)such that{wb}b∈{0,1} = {(wb,1, . . . , wb,`)}b∈{0,1}. It also samples a root cPRF

keyK0←F.Setup(1λ).

(b) B executes the oblivious TM M on w0 to learn the (symbol, state) pairs (σT0−1,q0T−1)

and (σ0T2,q0T2) at time steps T −1 and T −2 respectively. It also records the time steps(T0, T −2)and(T00, T −3)when the individual components of these two (symbol, state) pairs are generated. It then computes a root key punctured at point (T −1ksalt)

as KT0−1 = F.Constrain(K0,(T − 1ksalt)) and then prepares a new pair of challenge

distributions(Db0`,Db1`)for the1FE1challenger as follows.

i. Forb= 0,Db`0 ={x0 = (x0,1, . . . , x0,`)}, where∀i∈ [`]x0,i = (K0, i, `, w0,i,Trap1)

with the fields ofTrap1being same as that of inTrap1inH(1,3)as per Figure12. ii. Forb= 1,Db`1={x1= (x1,1, . . . , x1,`)}, where∀i∈[`]x1,i = (K0T−1, i, `, w0,i,Trap1),

withTrap1as per Figure12.

(c) It sends the distribution pair to the1FE1 challenger and relays the response back toA.

(d) To simulate a function key forM,Bdoes the following.

i. It requests for a function key forReRand1FE2.PK,salt,qst,⊥,⊥to the1FE1challenger and

receivesSKReRand.

ii. It then computes1FE2encodings of(σT0−1,q0T−1), as follows.

• Compute a punctured, delegated keyKTT−1 =F.KeyDel(KT0−1, fT)and generate the encryption randomness for time stepT−1asrT−1 =F.Eval(K0,(T−1ksalt)). • Compute the1FE2symbolciphertext to be given as output at time stepT0 for the

future time step T −1 as CT0sym,T−1 = 1FE2.Enc(1FE2.PK1,z01;rT−1), where

z01= (SYM,salt,KTT−1, T −1, `, σT01,Trap1)andTrap1 is as per Figure12. • Compute the 1FE2 stateciphertext to be given as output at time stepT −2 for

future time stepT −1asCT0st,T−1 =1FE2.Enc(1FE2.PK2,z02;rT−1), wherez02=

(ST,q0T1).

iii. Once it has generated the two1FE2ciphertextsCT0sym,T−1andCT0st,T−1, it computes

twoSKEciphertextsct1 =SKE.Enc(K,CT0sym,T−1)andct2 =SKE.Enc(K,CT0st,T−1).

iv. Finally, it computes SKNext ← 1FE2.KeyGen(1FE2.MSK,Next1FE2.PK,salt,M,ct1,ct2)

and returns a function key forM asSKM = (SKReRand,SKNext)toA.

3. WhenAoutputs a guess,Bdoes the same.

Note that the only difference inH(1,3)andH(1,4)is the replacement of the rootcPRFkeyK0with a

punctured root keyKT0−1 at point(T−1ksalt)in time stepT−1in the1FE1ciphertext. Moreover, in

both the hybrids, the fieldTrap1.mode-trap3= 1dictates the output at time stept∈ {T0, T −2}to be a ciphertext component for time stepT −1as argued in ClaimB.3. Thus, thecPRFkey is only required to compute randomness at points6= (T−1ksalt)for which the punctured root key suffices. Further, it evaluates to the same value as the normal key on all such points in both the hybrids. As a consequence, the decryption values are exactly the same for all the time steps proving the admissibility ofB. Thus if

b= 0,Asees the distribution ofH(1,3), while ifb= 1,Asees the distribution ofH(1,4). Hence the advantage ofAtranslates to the advantage ofB.

Claim B.5. IfFis a secure punctured, delegatablecPRFscheme, then hybridsH(1,4)andH(1,5)are indistinguishable.

Proof. Given aPPTadversaryAthat distinguishes H(1,4)andH(1,5), we construct anotherPPT

adversaryBwho breaks the security of the punctured, delegatablecPRFschemeFas follows.

1. Bsamples(1FE1.PK,1FE1.MSK)←1FE1.Setup(1λ),(1FE2.PK,1FE2.MSK)←1FE2.Setup(1λ),

salt← {0,1}λ andKSKE.KeyGen(1λ). It sendsPK=1FE

1.PKtoA.

2. When A outputs a pair of challenge distributions(D`

0,D1`) with supportΣ` for any arbitrary

`=poly(λ)and a function queryM obeying the admissibility criteria that∀b∈ {0,1},wb ← D`b, runtime(M,w0) =runtime(M,w1)andM(w0)

c

≈M(w1),Bdoes the following.

(a) To simulate the challenge ciphertext, it first samples a pair of challenge messages(w0,w1)←

(D`

0,D`1)such that{wb}b∈{0,1} ={(wb,1, . . . , wb,`)}b∈{0,1}. It receivesKT0−1on querying

for a punctured key at the point(T −1ksalt)to thecPRFchallenger forF.

(b) B executes the oblivious TM M on w0 to learn the (symbol, state) pairs (σT0−1,q0T−1)

and (σ0T2,q0T2) at time steps T −1 and T −2 respectively. It also records the time steps(T0, T −2)and(T00, T −3)when the individual components of these two (symbol, state) pairs are generated. It then simulates the encryption oracle by computing CTi = 1FE1.Enc(1FE1.PK, x1,i), where∀i ∈[`], x1,i = (KT0−1, i, `, w0,i,Trap1)andTrap1 is as

per Figure12. It returns the ciphertextCT={CTi}i∈[`]toA.

(c) To simulate a function key forM,Bdoes the following.

i. It first computesSKReRand ←1FE1.KeyGen(1FE1.MSK,ReRand1FE2.PK,salt,qst,⊥,⊥).

ii. It then computes1FE2encodings of(σT01,q0T1), as follows.

• Compute a delegated key from the punctured root key asKTT−1 =F.KeyDel(KT0−1, fT). • Query thecPRFchallenger at point(T−1ksalt)to receive an encryption randomness

RE for time stepT −1.

• Compute the 1FE2 symbol ciphertext to be given as output at time step T0 for

the future time stepT −1asCT0sym,T−1 =1FE2.Enc(1FE2.PK1,z01;RE), where

z01= (SYM,salt,KTT−1, T −1, `, σT01,Trap1)andTrap1 is as per Figure12. • Compute the 1FE2 stateciphertext to be given as output at time stepT −2 for

the future time step T −1as CT0st,T−1 = 1FE2.Enc(1FE2.PK2,z02;RE), where

z02= (ST,q0T1).

iii. Once it has generated the two1FE2ciphertextsCT0sym,T−1andCT0st,T−1, it computes

twoSKEciphertextsct1 =SKE.Enc(K,CT0sym,T−1)andct2 =SKE.Enc(K,CT0st,T−1).

iv. Finally, it computes SKNext ← 1FE2.KeyGen(1FE2.MSK,Next1FE2.PK,salt,M,ct1,ct2)

and returns a function key forM asSKM = (SKReRand,SKNext)toA.

3. WhenAoutputs a guess,Bdoes the same.

Note that whenRE is computed using K0 as a pseudorandom value,A’s view is identical to that of H(1,4), and whenREis sampled uniformly at random,A’s view is identical to that ofH(1,5). Hence

the advantage ofAin distinguishingH(1,4)andH(1,5)translates to the advantage ofBin breaking the security of the punctured, delegatablecPRFF.

Proof. Given aPPTadversaryAthat distinguishes H(1,5)andH(1,6), we construct anotherPPT

adversaryBwho breaks the security of the1FE2scheme as follows.

1. Bsamples(1FE1.PK,1FE1.MSK)←1FE1.Setup(1λ),salt← {0,1}λandKSKE.KeyGen(1λ)

and gets1FE2.PKfrom the1FE2challenger. It sendsPK=1FE1.PKtoA. 2. When A outputs a pair of challenge distributions(D`

0,D1`) with supportΣ` for any arbitrary

`=poly(λ)and a function queryM obeying the admissibility criteria that∀b∈ {0,1},wb ← D`b, runtime(M,w0) =runtime(M,w1)andM(w0)

c

≈M(w1),Bdoes the following.

(a) To simulate the challenge ciphertext, it first samples a pair of challenge messages(w0,w1)←

(D`

0,D`1)such that{wb}b∈{0,1} = {(wb,1, . . . , wb,`)}b∈{0,1}. It also samples a root cPRF

keyK0←F.Setup(1λ).

(b) Bexecutes the oblivious TMM onbothw0andw1 to learn the two (symbol, state) pairs