On Hiding Message Length in Symmetric-key Cryptographycihangir.forgottenlance.com/presentations/message_hiding.pdf · Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message

Introduction Game and Advantage Security Analysis Conclusion

On Hiding Message Length in Symmetric-keyCryptography

Cihangir TezcanSupervisor: Prof. Serge Vaudenay

January 10, 2011

Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message Length in Symmetric-key Cryptography


Outline

1 Introduction

2 Game and Advantage

3 Security Analysis

4 Conclusion



Introduction

Encryption does not hide plaintext length

Plaintext length may give some information away

One way of hiding the plaintext length is randompadding

Our aim is to find the information leakage when randompadding is used



Introduction

Encryption does not hide plaintext length

Plaintext length may give some information away

One way of hiding the plaintext length is randompadding

Our aim is to find the information leakage when randompadding is used



∆− IND − CPA Game

We define the ∆− IND − CPA game as follows:

[∆− IND − CPA] Game

1: Challenger selects a key at random2: Adversary selects plaintexts p0 and p1 where ||p0| − |p1|| ≤ ∆3: Challenger selects a bit b, encrypts pb → c using randompadding and sends c back to the adversary4: Adversary guesses b

′and wins if b

′= b

The difference with the standard IND − CPA game is that we donot restrict to |p0| = |p1| in the ∆− IND − CPA game.



Distribution for Padding Length

We assume that the challenger pads a random bit string of length ito the plaintext P before the encryption. The followingassumptions can be made to define the behavior of the randompadding:

A1: i depends only on |P| and independent random coins

A2: i is independent from P

A3: Pr[i ≤ n − 1] = 1

Note that the assumption A2 is stronger than the assumption A1.



Distribution for Padding Length

Throughout this work, we assume that the padded bit stringof length i is independent from P and Pr[i ≤ n − 1] = 1.

In other words, we assume that A2 and A3 hold. Hence, if c isthe ciphertext for the plaintext p, we have |c | = |p|+ i wherei ∈ [0, n − 1].



Advantage

Definition

We say that a cryptosystem is ∆− IND − CPA ε-secure if thewinning chances of every adversary is less than or equal to 1

2 + ε2 .

Definition (Advantage)

Let a and b be non-negative integers with a < b. For a set A ofintegers, we define DA(X ) = 1X∈A and we use DA to distinguisha + N from b + N where N is a random variable. The advantagewe obtain is

AdvDA(a, b) = Pr[a + N ∈ A]− Pr[b + N ∈ A].



Advantage

Definition

We say that a cryptosystem is ∆− IND − CPA ε-secure if thewinning chances of every adversary is less than or equal to 1

2 + ε2 .

Definition (Advantage)

Let a and b be non-negative integers with a < b. For a set A ofintegers, we define DA(X ) = 1X∈A and we use DA to distinguisha + N from b + N where N is a random variable. The advantagewe obtain is

AdvDA(a, b) = Pr[a + N ∈ A]− Pr[b + N ∈ A].



Our Aim

Thus, our aim is to find the optimal distribution that defines thelength of the random padding which minimizes

max|b−a|≤∆

maxA

AdvDA(a, b)

for the ∆− IND − CPA game where a and b are the lengths of thechosen plaintexts.



An Example

Example

Let n = 11 and N be the binomial distribution with parameters 10and 1

2 .

Let the lengths of the two chosen plaintexts for the∆− IND − CPA game be a = 25 and b = 28.



An Example

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0 2 4 6 8 10

Prob

abili

ty

Padding Length



An Example

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

24 26 28 30 32 34 36 38 40

Prob

abili

ty

Ciphertext Length



An Observation

Lemma

We have Pr[N < b − a] ≤ maxA AdvDA(a, b) and equality holds if

and only if Pr[N = x + b − a] ≤ Pr[N = x ] for all x ≥ 0.



Analysis

Theorem

If b − a = 1, then maxA AdvDA(a, b) ≥ 1

n and equality holds if andonly if N is uniform.

Proof

Let ε = maxA AdvDA(a, b).

Case 1: Assume Pr[N = 0] > 1n . Then for A = {a} we have

AdvDA(a, b) = Pr[N = 0]. Hence, ε ≥ Pr[N = 0] > 1

n .



Analysis

Theorem

If b − a = 1, then maxA AdvDA(a, b) ≥ 1

n and equality holds if andonly if N is uniform.

Proof

Let ε = maxA AdvDA(a, b).

Case 1: Assume Pr[N = 0] > 1n . Then for A = {a} we have

AdvDA(a, b) = Pr[N = 0]. Hence, ε ≥ Pr[N = 0] > 1

n .



Proof (cont’d)

Case 2: Assume Pr[N = 0] = 1n . If there exists an integer j 6= a

with Pr[N = j − a] > Pr[N = j − b], then A = {a, j} makesε ≥ AdvDA

(a, b) = Pr[N = 0] + Pr[N = j − a]−Pr[N = j − b] > 1n .

If such a j does not exist, then Pr[N = x + b − a] ≤ Pr[N = x ] forall x ≥ 0 and by the previous Lemma we obtainε = Pr[N = 0] = 1

n . When Pr[N = x + b − a] = Pr[N = x ] for allx ≥ 0, N becomes uniform and ε = 1

n . Note that we cannot havePr[N = x + 1] < Pr[N = x ] for some x because this would maken−1∑i=0

Pr[N = i ] < 1, which contradicts the fact that N is a random

variable.



Proof (cont’d)

Case 3: Let us assume that Pr[N = 0] < 1n . Then

1n − Pr[N = 0] = δ for some δ > 0. Letn−1∑i=1

(Pr[N = i ]− Pr[N = i − 1]) ≤ δ. Then Pr[N = i ] ≤ 1n − δ + δ

for all i ∈ [1, n − 1]. Therefore,n−1∑i=0

Pr[n = i ] ≤ 1

n− δ + (n − 1)

1

n= 1− δ which is not possible.

So we must haven−1∑i=1

(Pr[N = i ]− Pr[N = i − 1]) > δ. Since

Pr[N = 0] = 1n − δ, we get ε > 1

n .

Thus, in all of the cases ε ≥ 1n and equality holds if and only if N

is uniform.



Theorem

If b − a = ∆ and n is divisible by ∆, then maxA AdvDA(a, b) ≥ ∆

n

and equality holds if and only if Pr[N < b − a] = ∆n and Pr[N = i ]

is periodic over [0, . . . , n − 1] with period ∆.

Remark

If b − a = ∆ and n is not divisible by ∆, ε can be less than ∆n .



Theorem

If b − a = ∆ and n is divisible by ∆, then maxA AdvDA(a, b) ≥ ∆

n

and equality holds if and only if Pr[N < b − a] = ∆n and Pr[N = i ]

is periodic over [0, . . . , n − 1] with period ∆.

Remark

If b − a = ∆ and n is not divisible by ∆, ε can be less than ∆n .



Example

Let b − a = ∆ = 2 and n = 5. We define N as follows:

Pr[N = 0] = Pr[N = 2] = Pr[N = 4] = 0.22Pr[N = 1] = Pr[N = 3] = 0.17

Therefore, ε = Pr[N = 0] + Pr[N = 1] = 0.39 which is less than0.4. However, if we keep this N and reduce ∆ to 1, we getε = Pr[N = 0] + Pr[N = 2] + Pr[N = 4]− Pr[N = 1]− Pr[N =3] = 0.32.

Thus, for ∆ = 1 and ∆ = 2, we have ε = 0.32 and ε = 0.39,respectively. Note that when N is uniform, for ∆ = 1 and ∆ = 2we have ε = 0.2 and ε = 0.4, respectively.



Corollary

If b − a = ∆, then

maxA

AdvDA(a, b) ≥ 1⌈

n∆

⌉ .



Example

For any given n and ∆, note that the following distribution alwayssatisfies the minimum advantage 1

d n∆e

that is given in Corollary.

Let Pr[N = 0] = 1

d n∆e

, Pr[N = 1] = . . . = Pr[N = ∆− 1] = 0 and

let Pr[N = i ] be periodic over [0, . . . , n − 1] with period ∆. Thenn−1∑i=0

Pr[N = i ] =⌈ n

∆

⌉· 1⌈

n∆

⌉ = 1 and

maxA AdvDA(a, b) = Pr[N = 0] = 1

d n∆e

.

However, max|b−a|=1 maxA AdvDA(a, b) = 1 for this construction

because of A = {a, a + ∆, a + 2∆ . . .}. Therefore, Corollaryprovides the lower bound 1

d n∆e

for max|b−a|≤∆ maxA AdvDA(a, b)

but this lower bound may not be achievable.



Theorem

For b − a ≤ ∆, if n is divisible by ∆ then for the optimaldistribution max|b−a|≤∆ maxA AdvDA

(a, b) = ∆n . Otherwise

∆

n≥ max|b−a|≤∆

maxA

AdvDA(a, b) ≥ 1⌈

n∆

⌉ .



Theorem

If b − a ≤ 2 and n is odd, then for the optimal distribution

max|b−a|<2

maxA

AdvDA(a, b) =

2n

n2 + 1.

This theorem shows that when b − a ≤ 2 and n is odd, the lowerbound 1

d n2e

for the maximum advantage is not achievable. Results

of these two theorems for the case when ∆ = 2 and n is odd areprovided in the following Table for small values of n.



Table: Comparison of the bounds and the best achievable advantagewhen ∆ = 2 and n is odd

n Upper bound Best Achievable Lower Bound3 0.666666666666667 0.6 0.55 0.4 0.384615384615385 0.3333333333333337 0.285714285714286 0.28 0.259 0.222222222222222 0.219512195121951 0.211 0.181818181818182 0.180327868852459 0.16666666666666713 0.153846153846154 0.152941176470588 0.14285714285714315 0.133333333333333 0.132743362831858 0.12517 0.117647058823529 0.117241379310345 0.11111111111111119 0.105263157894737 0.104972375690608 0.121 0.0952380952380952 0.0950226244343891 0.090909090909090923 0.0869565217391304 0.0867924528301887 0.083333333333333325 0.08 0.0798722044728434 0.076923076923076927 0.0740740740740741 0.073972602739726 0.071428571428571429 0.0689655172413793 0.0688836104513064 0.066666666666666731 0.0645161290322581 0.0644490644490645 0.062533 0.0606060606060606 0.0605504587155963 0.058823529411764735 0.0571428571428571 0.0570962479608483 0.0555555555555556



Summary

We investigated the security of the ∆− IND − CPA gameunder the assumptions A2 and A3 and showed that when theupper bound for the padding length n is divisible by ∆, thebest security we can have is ε = ∆

n . Moreover, we showedthat this ε-security can be obtained when the random variableN that defines the padding length is chosen as the uniformdistribution.

Furthermore, when n is not divisible by ∆, we showed that forthe optimal distribution the game is ε-secure where∆n ≥ ε ≥

1

d n∆e

. The upper bound can always be achieved by

selecting N as the uniform distribution but it may not bepossible to obtain the lower bound.



Summary

We investigated the security of the ∆− IND − CPA gameunder the assumptions A2 and A3 and showed that when theupper bound for the padding length n is divisible by ∆, thebest security we can have is ε = ∆

n . Moreover, we showedthat this ε-security can be obtained when the random variableN that defines the padding length is chosen as the uniformdistribution.

Furthermore, when n is not divisible by ∆, we showed that forthe optimal distribution the game is ε-secure where∆n ≥ ε ≥

1

d n∆e

. The upper bound can always be achieved by

selecting N as the uniform distribution but it may not bepossible to obtain the lower bound.



Summary

Finally, for ∆ = 2 and n is odd, we showed that ε = 2nn2+1

forthe optimal distribution which also shows that the lowerbound 1

d n∆e

is unachievable for this case.



Future Work

Although we found tight bounds for the case when n is notdivisible by ∆, we do not know the optimal distribution andthe corresponding best achievable advantage for this case.

Moreover, we assumed that the assumption A2 holdsthroughout this work and A2 is stronger than the assumptionA1. Hence, one can further minimize the maximum advantageby replacing the assumption A2 with A1.

Protocols that require message length to be hidden can beexamined in terms of our secrecy notion.



Future Work






Future Work






Conclusion

THANK YOU FOR YOURATTENTION


Documents

On Hiding Message Length in Symmetric-key Cryptographycihangir.forgottenlance.com/presentations/message_hiding.pdf · Cihangir Tezcan Supervisor: Prof. Serge Vaudenay On Hiding Message