Sample or Random Security A Security Model for Segment-Based Visual - PowerPoint PPT Presentation

Sample or Random Security – A Security Model for Segment-Based Visual Cryptography Sebastian Pape Dortmund Technical University March 5th, 2014 Financial Cryptography and Data Security 2014 Sebastian Pape Sample or Random Security March 5th, FC14 1 / 24

Introduction SOR-CO Summary and Outlook Overview Introduction 1 Visual Cryptography Sample-Or-Random Security 2 Summary and Outlook 3 Sebastian Pape Sample or Random Security March 5th, FC14 2 / 24

Introduction SOR-CO Summary and Outlook Scenario Untrustworthy Hardware / Software Sebastian Pape Sample or Random Security March 5th, FC14 3 / 24

Introduction SOR-CO Summary and Outlook Visual Cryptography - Idea (a) Transparencies side by side (b) Transparencies stacked Sebastian Pape Sample or Random Security March 5th, FC14 4 / 24

Introduction SOR-CO Summary and Outlook Pixel-based Visual Crypt. (Naor and Shamir, 1994) + = Figure: Example Figure: Shares With 4 Sub-pixels in a 2x2 Matrix Sebastian Pape Sample or Random Security March 5th, FC14 5 / 24

Introduction SOR-CO Summary and Outlook Segment-based Visual Cryptography (Borchert, 2007) Top Layer Overlay Bottom Layer (a) full (b) c 1 (c) c 2 Table: Contingency Table (d) k (e) c 1 ↔ k (f) c 2 ↔ k Sebastian Pape Sample or Random Security March 5th, FC14 6 / 24

Introduction SOR-CO Summary and Outlook Dice Codings (Doberitz, 2008) Key Dec Ciphertext + Cipher Key = Table: Contingency Table Plaintext (5) Sebastian Pape Sample or Random Security March 5th, FC14 7 / 24

Introduction SOR-CO Summary and Outlook Visual Cryptography - Application Figure: Keypads in visual Figure: Keypad of a cash machine Cryptography (Borchert, 2007) Sebastian Pape Sample or Random Security March 5th, FC14 8 / 24

Introduction SOR-CO Summary and Outlook Reminder: Reusing Key-Transparencies + = (1) (2) = + (1) (3) + = (2) (3) Figure: Combination of 3 transparencies Sebastian Pape Sample or Random Security March 5th, FC14 9 / 24

Introduction SOR-CO Summary and Outlook Overview Introduction 1 Sample-Or-Random Security 2 Real-Or-Random Security Sample-Or-Random Security Relation between ROR − CPA and SOR − CO Evaluation 3 Summary and Outlook Sebastian Pape Sample or Random Security March 5th, FC14 10 / 24

Introduction SOR-CO Summary and Outlook Real-Or-Random ( ROR − CPA ) Bellare et al. (1997) Exp ror − cpa − b ( n ) = b ′ Experiment A , Π GenKey ( 1 n ) k ← Key generation { 0 , 1 } b ∈ R Random choice of b A O RR ( · , b ) b ′ ← Adversary tries to determine b Adversary’s advantage Adv = Pr [ correct ] − Pr [ false ] def Adv ror − cpa = Pr [ Exp ror − cpa − 1 ( n ) = 1 ] − Pr [ Exp ror − cpa − 0 ( n ) ( n ) = 1 ] A , Π A , Π A , Π Sebastian Pape Sample or Random Security March 5th, FC14 11 / 24

Introduction SOR-CO Summary and Outlook Why Ciphertext-Only Securitymodel? CPA is not suitable for visual cryptography Adversary may not have access to an encryption oracle CPA is too strong use of XOR allows determining the key e.g. encryptions of � or ✽ Allow Trade-off: Weaker securitymodel vs. easier key handling ⇒ CO -Securitymodel Sample Structure sample struct sample struct returns a finite set of plaintexts following the pattern of struct . Example for Γ = { 0 , 1 , . . . , n } Π( 0 , 1 , . . . , n ) sample keypad ∈ R { γ | γ = γ 0 � γ 1 � . . . � γ n ∧ ∀ i , j with 0 ≤ i , j ≤ n . γ i � γ j } Sebastian Pape Sample or Random Security March 5th, FC14 12 / 24

Introduction SOR-CO Summary and Outlook Sample-Or-Random ( SOR − CO ) Exp sor − co − b ( n ) = b ′ Experiment A , Π GenKey ( 1 n ) k ← Key generation b ∈ R { 0 , 1 } Random choice of b b ′ A O SR ( struct ) ← Adversary tries to determine b Adv = Pr [ correct ] − Pr [ false ] Adversary’s advantage def Adv sor − co = Pr [ Exp sor − co − 1 ( n ) = 1 ] − Pr [ Exp sor − co − 0 ( n ) ( n ) = 1 ] A , Π A , Π A , Π Sebastian Pape Sample or Random Security March 5th, FC14 13 / 24

Introduction SOR-CO Summary and Outlook Relation between ROR − CPA and SOR − CO LOR-CPA Bellare et al. (1997) ? ROR-CPA SOR-CO Figure: Relation between Securitymodels for Symmetric Encryption Sebastian Pape Sample or Random Security March 5th, FC14 14 / 24

Introduction SOR-CO Summary and Outlook Relation between ROR − CPA and SOR − CO Theorem Notion of SOR − CO is weaker than ROR − CPA . Lemma 1: [ ROR − CPA ⇒ SOR − CO ] If an encryption scheme Π is secure in the sense of ROR − CPA , then Π is also secure in the sense of SOR − CO . Lemma 2: [ SOR − CO � ROR − CPA ] If there exists an encryption scheme Π which is secure in the sense of SOR − CO , then there is an encryption scheme Π ′ which is secure in the sense of SOR − CO but not ROR − CPA . Sebastian Pape Sample or Random Security March 5th, FC14 15 / 24

Introduction SOR-CO Summary and Outlook [ SOR − CO � ROR − CPA ] – Proof [ SOR − CO � ROR − CPA ] Lemma 2: If there exists an encryption scheme Π which is secure in the sense of SOR − CO , then there is an encryption scheme Π ′ which is secure in the sense of SOR − CO but not ROR − CPA . Sketch of Proof Assumption: Π = ( GenKey , Enc , Dec ) , SOR − CO -secure exists Derive Π ′ = ( GenKey ′ , Enc ′ , Dec ′ ) , Lemma 2a: SOR − CO -secure, Lemma 2b: but not ROR − CPA -secure Idea: ’mark ciphertexts’, to contradict ROR − CPA -security Sebastian Pape Sample or Random Security March 5th, FC14 16 / 24

Introduction SOR-CO Summary and Outlook [ SOR − CO � ROR − CPA ] – derived encryption scheme Sample struct sample 1 sample keypad ∈ R { γ | γ = γ 0 � γ 1 � . . . � γ n ∧ ∀ i , j with 0 ≤ i , j ≤ n . γ i � γ j } Algorithms Π ′ = ( GenKey ′ , Enc ′ , Dec ′ ) : Algorithm GenKey ′ ( 1 n ) : Algorithm Enc ′ Algorithm Dec ′ k ( c ′ ) : k ( m ) : c ′ = α 1 � α 2 � . . . � α | c ′ | k ← GenKey ( 1 n ) c ← Enc k ( c ) return k if m = 0 . . . 0 c := α 2 � . . . � α | c ′ | then c ′ := 0 � c m := Dec k ( c ) else return m c ′ := 1 � c return c ′ Sebastian Pape Sample or Random Security March 5th, FC14 17 / 24

Introduction SOR-CO Summary and Outlook [ SOR − CO � ROR − CPA ] Lemma 2a - Details Lemma 2a: Π ′ = ( GenKey ′ , Enc ′ , Dec ′ ) is secure in the sense of SOR − CO given the sample structure sample 1 . Proof. b = 0 (’sample mode’): No change, 0 . . . 0 never appears 1 b = 1 (’random mode’): Negligible Adv ♯ , Pr [ 0 . . . 0 ] = ( n + 1 ) n + 1 Adv sor − co ( n ) = Pr [ Exp sor − co − 1 − Pr [ Exp sor − co − 0 ( n ) = 1 ] ( n ) = 1 ] A , Π ′ A , Π ′ A , Π ′ ≤ Pr [ Exp sor − co − 1 − Pr [ Exp sor − co − 0 ( n ) = 1 ] + Adv ♯ ( n ) = 1 ] A , Π A , Π = Adv sor − co ( n ) + Adv ♯ A , Π � Sebastian Pape Sample or Random Security March 5th, FC14 18 / 24

Introduction SOR-CO Summary and Outlook [ SOR − CO � ROR − CPA ] Lemma 2b - Details Lemma 2b: Π ′ = ( GenKey ′ , Enc ′ , Dec ′ ) is not secure in the sense of ROR − CPA . Proof. Adversary asks O RR ( · , b ) for encryption of ’0 . . . 0’. If O RR → 0 � . . . ⇒ b = 0 (’real mode’) If O RR → 1 � . . . b = 1 (’random mode’) ⇒ Adv ror − cpa A cpa , Π ′ ( n ) = Pr [ Exp ror − cpa − 1 − Pr [ Exp ror − cpa − 0 ( n ) = 1 ] ( n ) = 1 ] A cpa , Π ′ A cpa , Π ′ 1 = 1 − − 0 ( n + 1 ) n + 1 � Sebastian Pape Sample or Random Security March 5th, FC14 19 / 24

Introduction SOR-CO Summary and Outlook Relation between ROR − CPA und SOR − CO ⇒ Lemma 2: [ SOR − CO � ROR − CPA ] If there exists an encryption scheme Π which is secure in the sense of SOR − CO , then there is an encryption scheme Π ′ which is secure in the sense of SOR − CO but not ROR − CPA . Theorem SOR − CO is weaker than ROR − CPA . LOR-CPA Bellare et al. (1997) ROR-CPA SOR-CO Sebastian Pape Sample or Random Security March 5th, FC14 20 / 24 Figure: Relations between securitymodels for symmetric encryption

Introduction SOR-CO Summary and Outlook Evaluation: SOR − CO at 7-Segment / Dice Codings Difference of 2 “Keypad- Ciphertexts” is even Adversary asks for 2 ciphertexts if difference is even ⇒ b = 0 (’sample mode’) if difference is odd ⇒ b = 1 (’random mode’) Adv sor − co ( n ) = Pr [ Exp sor − co − 1 − Pr [ Exp sor − co − 0 ( n ) = 1 ] ( n ) = 1 ] A , Π ′ A , Π ′ A , Π ′ = Pr [ A = rand | O = rand ] − Pr [ A = rand | O = samp ] = 1 − 0 2 Idea for countermeasure: add noise to the ciphertexts Sebastian Pape Sample or Random Security March 5th, FC14 21 / 24

Introduction SOR-CO Summary and Outlook Dice Codings with Noise + = Ciphertext Key Plaintext (4) Figure: Visualization for n = 9 and ν = 7 Key Dec Cipher Table: Contingency Table Sebastian Pape Sample or Random Security March 5th, FC14 22 / 24

Introduction SOR-CO Summary and Outlook Overview Introduction 1 Sample-Or-Random Security 2 Summary and Outlook 3 Sebastian Pape Sample or Random Security March 5th, FC14 23 / 24