Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
Introduction Game and Advantage Security Analysis Conclusion
On Hiding Message Length in Symmetric-keyCryptography
Cihangir TezcanSupervisor: Prof. Serge Vaudenay
January 10, 2011
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Outline
1 Introduction
2 Game and Advantage
3 Security Analysis
4 Conclusion
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Introduction
Encryption does not hide plaintext length
Plaintext length may give some information away
One way of hiding the plaintext length is randompadding
Our aim is to find the information leakage when randompadding is used
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Introduction
Encryption does not hide plaintext length
Plaintext length may give some information away
One way of hiding the plaintext length is randompadding
Our aim is to find the information leakage when randompadding is used
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
∆− IND − CPA Game
We define the ∆− IND − CPA game as follows:
[∆− IND − CPA] Game
1: Challenger selects a key at random2: Adversary selects plaintexts p0 and p1 where ||p0| − |p1|| ≤ ∆3: Challenger selects a bit b, encrypts pb → c using randompadding and sends c back to the adversary4: Adversary guesses b
′and wins if b
′= b
The difference with the standard IND − CPA game is that we donot restrict to |p0| = |p1| in the ∆− IND − CPA game.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Distribution for Padding Length
We assume that the challenger pads a random bit string of length ito the plaintext P before the encryption. The followingassumptions can be made to define the behavior of the randompadding:
A1: i depends only on |P| and independent random coins
A2: i is independent from P
A3: Pr[i ≤ n − 1] = 1
Note that the assumption A2 is stronger than the assumption A1.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Distribution for Padding Length
Throughout this work, we assume that the padded bit stringof length i is independent from P and Pr[i ≤ n − 1] = 1.
In other words, we assume that A2 and A3 hold. Hence, if c isthe ciphertext for the plaintext p, we have |c | = |p|+ i wherei ∈ [0, n − 1].
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Advantage
Definition
We say that a cryptosystem is ∆− IND − CPA ε-secure if thewinning chances of every adversary is less than or equal to 1
2 + ε2 .
Definition (Advantage)
Let a and b be non-negative integers with a < b. For a set A ofintegers, we define DA(X ) = 1X∈A and we use DA to distinguisha + N from b + N where N is a random variable. The advantagewe obtain is
AdvDA(a, b) = Pr[a + N ∈ A]− Pr[b + N ∈ A].
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Advantage
Definition
We say that a cryptosystem is ∆− IND − CPA ε-secure if thewinning chances of every adversary is less than or equal to 1
2 + ε2 .
Definition (Advantage)
Let a and b be non-negative integers with a < b. For a set A ofintegers, we define DA(X ) = 1X∈A and we use DA to distinguisha + N from b + N where N is a random variable. The advantagewe obtain is
AdvDA(a, b) = Pr[a + N ∈ A]− Pr[b + N ∈ A].
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Our Aim
Thus, our aim is to find the optimal distribution that defines thelength of the random padding which minimizes
max|b−a|≤∆
maxA
AdvDA(a, b)
for the ∆− IND − CPA game where a and b are the lengths of thechosen plaintexts.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
An Example
Example
Let n = 11 and N be the binomial distribution with parameters 10and 1
2 .
Let the lengths of the two chosen plaintexts for the∆− IND − CPA game be a = 25 and b = 28.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
An Example
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0 2 4 6 8 10
Prob
abili
ty
Padding Length
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
An Example
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
24 26 28 30 32 34 36 38 40
Prob
abili
ty
Ciphertext Length
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
An Observation
Lemma
We have Pr[N < b − a] ≤ maxA AdvDA(a, b) and equality holds if
and only if Pr[N = x + b − a] ≤ Pr[N = x ] for all x ≥ 0.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Analysis
Theorem
If b − a = 1, then maxA AdvDA(a, b) ≥ 1
n and equality holds if andonly if N is uniform.
Proof
Let ε = maxA AdvDA(a, b).
Case 1: Assume Pr[N = 0] > 1n . Then for A = {a} we have
AdvDA(a, b) = Pr[N = 0]. Hence, ε ≥ Pr[N = 0] > 1
n .
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Analysis
Theorem
If b − a = 1, then maxA AdvDA(a, b) ≥ 1
n and equality holds if andonly if N is uniform.
Proof
Let ε = maxA AdvDA(a, b).
Case 1: Assume Pr[N = 0] > 1n . Then for A = {a} we have
AdvDA(a, b) = Pr[N = 0]. Hence, ε ≥ Pr[N = 0] > 1
n .
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Proof (cont’d)
Case 2: Assume Pr[N = 0] = 1n . If there exists an integer j 6= a
with Pr[N = j − a] > Pr[N = j − b], then A = {a, j} makesε ≥ AdvDA
(a, b) = Pr[N = 0] + Pr[N = j − a]−Pr[N = j − b] > 1n .
If such a j does not exist, then Pr[N = x + b − a] ≤ Pr[N = x ] forall x ≥ 0 and by the previous Lemma we obtainε = Pr[N = 0] = 1
n . When Pr[N = x + b − a] = Pr[N = x ] for allx ≥ 0, N becomes uniform and ε = 1
n . Note that we cannot havePr[N = x + 1] < Pr[N = x ] for some x because this would maken−1∑i=0
Pr[N = i ] < 1, which contradicts the fact that N is a random
variable.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Proof (cont’d)
Case 3: Let us assume that Pr[N = 0] < 1n . Then
1n − Pr[N = 0] = δ for some δ > 0. Letn−1∑i=1
(Pr[N = i ]− Pr[N = i − 1]) ≤ δ. Then Pr[N = i ] ≤ 1n − δ + δ
for all i ∈ [1, n − 1]. Therefore,n−1∑i=0
Pr[n = i ] ≤ 1
n− δ + (n − 1)
1
n= 1− δ which is not possible.
So we must haven−1∑i=1
(Pr[N = i ]− Pr[N = i − 1]) > δ. Since
Pr[N = 0] = 1n − δ, we get ε > 1
n .
Thus, in all of the cases ε ≥ 1n and equality holds if and only if N
is uniform.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Theorem
If b − a = ∆ and n is divisible by ∆, then maxA AdvDA(a, b) ≥ ∆
n
and equality holds if and only if Pr[N < b − a] = ∆n and Pr[N = i ]
is periodic over [0, . . . , n − 1] with period ∆.
Remark
If b − a = ∆ and n is not divisible by ∆, ε can be less than ∆n .
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Theorem
If b − a = ∆ and n is divisible by ∆, then maxA AdvDA(a, b) ≥ ∆
n
and equality holds if and only if Pr[N < b − a] = ∆n and Pr[N = i ]
is periodic over [0, . . . , n − 1] with period ∆.
Remark
If b − a = ∆ and n is not divisible by ∆, ε can be less than ∆n .
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Example
Let b − a = ∆ = 2 and n = 5. We define N as follows:
Pr[N = 0] = Pr[N = 2] = Pr[N = 4] = 0.22Pr[N = 1] = Pr[N = 3] = 0.17
Therefore, ε = Pr[N = 0] + Pr[N = 1] = 0.39 which is less than0.4. However, if we keep this N and reduce ∆ to 1, we getε = Pr[N = 0] + Pr[N = 2] + Pr[N = 4]− Pr[N = 1]− Pr[N =3] = 0.32.
Thus, for ∆ = 1 and ∆ = 2, we have ε = 0.32 and ε = 0.39,respectively. Note that when N is uniform, for ∆ = 1 and ∆ = 2we have ε = 0.2 and ε = 0.4, respectively.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Corollary
If b − a = ∆, then
maxA
AdvDA(a, b) ≥ 1⌈
n∆
⌉ .
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Example
For any given n and ∆, note that the following distribution alwayssatisfies the minimum advantage 1
d n∆e
that is given in Corollary.
Let Pr[N = 0] = 1
d n∆e
, Pr[N = 1] = . . . = Pr[N = ∆− 1] = 0 and
let Pr[N = i ] be periodic over [0, . . . , n − 1] with period ∆. Thenn−1∑i=0
Pr[N = i ] =⌈ n
∆
⌉· 1⌈
n∆
⌉ = 1 and
maxA AdvDA(a, b) = Pr[N = 0] = 1
d n∆e
.
However, max|b−a|=1 maxA AdvDA(a, b) = 1 for this construction
because of A = {a, a + ∆, a + 2∆ . . .}. Therefore, Corollaryprovides the lower bound 1
d n∆e
for max|b−a|≤∆ maxA AdvDA(a, b)
but this lower bound may not be achievable.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Theorem
For b − a ≤ ∆, if n is divisible by ∆ then for the optimaldistribution max|b−a|≤∆ maxA AdvDA
(a, b) = ∆n . Otherwise
∆
n≥ max|b−a|≤∆
maxA
AdvDA(a, b) ≥ 1⌈
n∆
⌉ .
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Theorem
If b − a ≤ 2 and n is odd, then for the optimal distribution
max|b−a|<2
maxA
AdvDA(a, b) =
2n
n2 + 1.
This theorem shows that when b − a ≤ 2 and n is odd, the lowerbound 1
d n2e
for the maximum advantage is not achievable. Results
of these two theorems for the case when ∆ = 2 and n is odd areprovided in the following Table for small values of n.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Table: Comparison of the bounds and the best achievable advantagewhen ∆ = 2 and n is odd
n Upper bound Best Achievable Lower Bound3 0.666666666666667 0.6 0.55 0.4 0.384615384615385 0.3333333333333337 0.285714285714286 0.28 0.259 0.222222222222222 0.219512195121951 0.211 0.181818181818182 0.180327868852459 0.16666666666666713 0.153846153846154 0.152941176470588 0.14285714285714315 0.133333333333333 0.132743362831858 0.12517 0.117647058823529 0.117241379310345 0.11111111111111119 0.105263157894737 0.104972375690608 0.121 0.0952380952380952 0.0950226244343891 0.090909090909090923 0.0869565217391304 0.0867924528301887 0.083333333333333325 0.08 0.0798722044728434 0.076923076923076927 0.0740740740740741 0.073972602739726 0.071428571428571429 0.0689655172413793 0.0688836104513064 0.066666666666666731 0.0645161290322581 0.0644490644490645 0.062533 0.0606060606060606 0.0605504587155963 0.058823529411764735 0.0571428571428571 0.0570962479608483 0.0555555555555556
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Summary
We investigated the security of the ∆− IND − CPA gameunder the assumptions A2 and A3 and showed that when theupper bound for the padding length n is divisible by ∆, thebest security we can have is ε = ∆
n . Moreover, we showedthat this ε-security can be obtained when the random variableN that defines the padding length is chosen as the uniformdistribution.
Furthermore, when n is not divisible by ∆, we showed that forthe optimal distribution the game is ε-secure where∆n ≥ ε ≥
1
d n∆e
. The upper bound can always be achieved by
selecting N as the uniform distribution but it may not bepossible to obtain the lower bound.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Summary
We investigated the security of the ∆− IND − CPA gameunder the assumptions A2 and A3 and showed that when theupper bound for the padding length n is divisible by ∆, thebest security we can have is ε = ∆
n . Moreover, we showedthat this ε-security can be obtained when the random variableN that defines the padding length is chosen as the uniformdistribution.
Furthermore, when n is not divisible by ∆, we showed that forthe optimal distribution the game is ε-secure where∆n ≥ ε ≥
1
d n∆e
. The upper bound can always be achieved by
selecting N as the uniform distribution but it may not bepossible to obtain the lower bound.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Summary
Finally, for ∆ = 2 and n is odd, we showed that ε = 2nn2+1
forthe optimal distribution which also shows that the lowerbound 1
d n∆e
is unachievable for this case.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Future Work
Although we found tight bounds for the case when n is notdivisible by ∆, we do not know the optimal distribution andthe corresponding best achievable advantage for this case.
Moreover, we assumed that the assumption A2 holdsthroughout this work and A2 is stronger than the assumptionA1. Hence, one can further minimize the maximum advantageby replacing the assumption A2 with A1.
Protocols that require message length to be hidden can beexamined in terms of our secrecy notion.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Future Work
Although we found tight bounds for the case when n is notdivisible by ∆, we do not know the optimal distribution andthe corresponding best achievable advantage for this case.
Moreover, we assumed that the assumption A2 holdsthroughout this work and A2 is stronger than the assumptionA1. Hence, one can further minimize the maximum advantageby replacing the assumption A2 with A1.
Protocols that require message length to be hidden can beexamined in terms of our secrecy notion.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Future Work
Although we found tight bounds for the case when n is notdivisible by ∆, we do not know the optimal distribution andthe corresponding best achievable advantage for this case.
Moreover, we assumed that the assumption A2 holdsthroughout this work and A2 is stronger than the assumptionA1. Hence, one can further minimize the maximum advantageby replacing the assumption A2 with A1.
Protocols that require message length to be hidden can beexamined in terms of our secrecy notion.
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography
Introduction Game and Advantage Security Analysis Conclusion
Conclusion
THANK YOU FOR YOURATTENTION
Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography