Sample or Random Security A Security Model for Segment-Based Visual - - PowerPoint PPT Presentation

Sample or Random Security – A Security Model for Segment-Based Visual Cryptography

Sebastian Pape

Dortmund Technical University

March 5th, 2014 Financial Cryptography and Data Security 2014

Sebastian Pape Sample or Random Security March 5th, FC14 1 / 24

Introduction SOR-CO Summary and Outlook

Overview

1

Introduction Visual Cryptography

2

Sample-Or-Random Security

3

Summary and Outlook

Sebastian Pape Sample or Random Security March 5th, FC14 2 / 24

Introduction SOR-CO Summary and Outlook

Scenario

Untrustworthy Hardware / Software

Sebastian Pape Sample or Random Security March 5th, FC14 3 / 24

Introduction SOR-CO Summary and Outlook

Visual Cryptography - Idea

(a) Transparencies side by side (b) Transparencies stacked

Sebastian Pape Sample or Random Security March 5th, FC14 4 / 24

Introduction SOR-CO Summary and Outlook

Pixel-based Visual Crypt. (Naor and Shamir, 1994)

+ =

Figure: Example Figure: Shares With 4 Sub-pixels in a 2x2 Matrix

Sebastian Pape Sample or Random Security March 5th, FC14 5 / 24

Introduction SOR-CO Summary and Outlook

Segment-based Visual Cryptography (Borchert, 2007)

(a) full (b) c1 (c) c2 (d) k (e) c1 ↔ k (f) c2 ↔ k

Top Layer Overlay Bottom Layer

Table: Contingency Table

Sebastian Pape Sample or Random Security March 5th, FC14 6 / 24

Introduction SOR-CO Summary and Outlook

Dice Codings (Doberitz, 2008)

Ciphertext

+

Key

=

Plaintext (5) Key Dec Cipher

Table: Contingency Table

Sebastian Pape Sample or Random Security March 5th, FC14 7 / 24

Introduction SOR-CO Summary and Outlook

Visual Cryptography - Application

Figure: Keypad of a cash machine Figure: Keypads in visual Cryptography (Borchert, 2007)

Sebastian Pape Sample or Random Security March 5th, FC14 8 / 24

Introduction SOR-CO Summary and Outlook

Reminder: Reusing Key-Transparencies

(1)

+

(2)

=

(1)

+

(3)

=

(2)

+

(3)

=

Figure: Combination of 3 transparencies

Sebastian Pape Sample or Random Security March 5th, FC14 9 / 24

Introduction SOR-CO Summary and Outlook

Overview

1

Introduction

2

Sample-Or-Random Security Real-Or-Random Security Sample-Or-Random Security Relation between ROR − CPA and SOR − CO Evaluation

3

Summary and Outlook

Sebastian Pape Sample or Random Security March 5th, FC14 10 / 24

Introduction SOR-CO Summary and Outlook

Real-Or-Random (ROR − CPA) Bellare et al. (1997)

Experiment Expror−cpa−b

A,Π

(n) = b′

k

←

GenKey(1n) Key generation b

∈R {0, 1}

Random choice of b b′

←

AORR(·,b) Adversary tries to determine b Adversary’s advantage Adv = Pr[correct] − Pr[false] Advror−cpa

A,Π

(n)

def

= Pr[Expror−cpa−1

A,Π

(n) = 1] − Pr[Expror−cpa−0

A,Π

(n) = 1]

Sebastian Pape Sample or Random Security March 5th, FC14 11 / 24

Introduction SOR-CO Summary and Outlook

Why Ciphertext-Only Securitymodel?

CPA is not suitable for visual cryptography

Adversary may not have access to an encryption oracle

CPA is too strong

use of XOR allows determining the key e.g. encryptions of or ✽

Allow Trade-off: Weaker securitymodel vs. easier key handling

⇒ CO-Securitymodel

Sample Structure samplestruct samplestruct returns a finite set of plaintexts following the pattern of struct. Example for Γ = {0, 1, . . . , n}

Π(0, 1, . . . , n)

samplekeypad ∈R {γ | γ = γ0γ1 . . . γn ∧ ∀i, j with 0 ≤ i, j ≤ n . γi γj}

Sebastian Pape Sample or Random Security March 5th, FC14 12 / 24

Introduction SOR-CO Summary and Outlook

Sample-Or-Random (SOR − CO)

Experiment Expsor−co−b

A,Π

(n) = b′

k

←

GenKey(1n) Key generation b

∈R {0, 1}

Random choice of b b′

←

AOSR(struct) Adversary tries to determine b Adversary’s advantage Adv = Pr[correct] − Pr[false] Advsor−co

A,Π

(n)

def

= Pr[Expsor−co−1

A,Π

(n) = 1] − Pr[Expsor−co−0

A,Π

(n) = 1]

Sebastian Pape Sample or Random Security March 5th, FC14 13 / 24

Introduction SOR-CO Summary and Outlook

Relation between ROR − CPA and SOR − CO

ROR-CPA LOR-CPA SOR-CO

? Bellare et al. (1997)

Figure: Relation between Securitymodels for Symmetric Encryption

Sebastian Pape Sample or Random Security March 5th, FC14 14 / 24

Introduction SOR-CO Summary and Outlook

Relation between ROR − CPA and SOR − CO

Theorem Notion of SOR − CO is weaker than ROR − CPA. Lemma 1:

[ROR − CPA ⇒ SOR − CO]

If an encryption scheme Π is secure in the sense of ROR − CPA, then Π is also secure in the sense of SOR − CO. Lemma 2:

[SOR − CO ROR − CPA]

If there exists an encryption scheme Π which is secure in the sense of SOR − CO, then there is an encryption scheme Π′ which is secure in the sense of SOR − CO but not ROR − CPA.

Sebastian Pape Sample or Random Security March 5th, FC14 15 / 24

Introduction SOR-CO Summary and Outlook

[SOR − CO ROR − CPA] – Proof

Lemma 2:

[SOR − CO ROR − CPA]

If there exists an encryption scheme Π which is secure in the sense of SOR − CO, then there is an encryption scheme Π′ which is secure in the sense of SOR − CO but not ROR − CPA. Sketch of Proof Assumption: Π = (GenKey, Enc, Dec), SOR − CO-secure exists Derive Π′ = (GenKey′, Enc′, Dec′), Lemma 2a: SOR − CO-secure, Lemma 2b: but not ROR − CPA-secure Idea: ’mark ciphertexts’, to contradict ROR − CPA-security

Sebastian Pape Sample or Random Security March 5th, FC14 16 / 24

Introduction SOR-CO Summary and Outlook

[SOR − CO ROR − CPA] – derived encryption scheme

Sample struct sample1 samplekeypad ∈R {γ | γ = γ0γ1 . . . γn ∧ ∀i, j with 0 ≤ i, j ≤ n . γi γj} Algorithms Π′ = (GenKey′, Enc′, Dec′): Algorithm GenKey′(1n): Algorithm Enc′

k(m):

Algorithm Dec′

k(c′):

k ← GenKey(1n) c ← Enck(c) c′ = α1α2 . . . α|c′| return k if m = 0 . . . 0 c := α2 . . . α|c′| then c′ := 0c m := Deck(c) else return m c′ := 1c return c′

Sebastian Pape Sample or Random Security March 5th, FC14 17 / 24

Introduction SOR-CO Summary and Outlook

[SOR − CO ROR − CPA] Lemma 2a - Details

Lemma 2a:

Π′ = (GenKey′, Enc′, Dec′) is secure in the sense of SOR − CO given the

sample structure sample1. Proof. b = 0 (’sample mode’): No change, 0 . . . 0 never appears b = 1 (’random mode’): Negligible Adv♯, Pr[0 . . . 0] =

1 (n+1)n+1

Advsor−co

A,Π′

(n) = Pr[Expsor−co−1

A,Π′

(n) = 1] −Pr[Expsor−co−0

A,Π′

(n) = 1] ≤ Pr[Expsor−co−1

A,Π

(n) = 1] + Adv♯ −Pr[Expsor−co−0

A,Π

(n) = 1] = Advsor−co

A,Π

(n) + Adv♯

• Sebastian Pape

Sample or Random Security March 5th, FC14 18 / 24

Introduction SOR-CO Summary and Outlook

[SOR − CO ROR − CPA] Lemma 2b - Details

Lemma 2b:

Π′ = (GenKey′, Enc′, Dec′) is not secure in the sense of ROR − CPA.

Proof. Adversary asks ORR(·, b) for encryption of ’0 . . . 0’. If ORR → 0 . . .

⇒

b = 0 (’real mode’) If ORR → 1 . . .

⇒

b = 1 (’random mode’) Advror−cpa

Acpa,Π′ (n) = Pr[Expror−cpa−1 Acpa,Π′

(n) = 1] −Pr[Expror−cpa−0

Acpa,Π′

(n) = 1] = 1 −

1

(n + 1)n+1 −0

• Sebastian Pape

Sample or Random Security March 5th, FC14 19 / 24

Introduction SOR-CO Summary and Outlook

Relation between ROR − CPA und SOR − CO

⇒ Lemma 2: [SOR − CO ROR − CPA]

If there exists an encryption scheme Π which is secure in the sense of SOR − CO, then there is an encryption scheme Π′ which is secure in the sense of SOR − CO but not ROR − CPA. Theorem SOR − CO is weaker than ROR − CPA. ROR-CPA LOR-CPA SOR-CO

Bellare et al. (1997)

Figure: Relations between securitymodels for symmetric encryption

Sebastian Pape Sample or Random Security March 5th, FC14 20 / 24

Introduction SOR-CO Summary and Outlook

Evaluation: SOR − CO at 7-Segment / Dice Codings

Difference of 2 “Keypad- Ciphertexts” is even Adversary

asks for 2 ciphertexts if difference is even ⇒ b = 0 (’sample mode’) if difference is odd ⇒ b = 1 (’random mode’)

Advsor−co

A,Π′

(n) = Pr[Expsor−co−1

A,Π′

(n) = 1] −Pr[Expsor−co−0

A,Π′

(n) = 1] = Pr[A = rand|O = rand] −Pr[A = rand|O = samp] = 1

2

−0

Idea for countermeasure: add noise to the ciphertexts

Sebastian Pape Sample or Random Security March 5th, FC14 21 / 24

Introduction SOR-CO Summary and Outlook

Dice Codings with Noise

+ =

Ciphertext Key Plaintext (4)

Figure: Visualization for n = 9 and ν = 7

Key Dec Cipher

Table: Contingency Table

Sebastian Pape Sample or Random Security March 5th, FC14 22 / 24

Introduction SOR-CO Summary and Outlook

Overview

1

Introduction

2

Sample-Or-Random Security

3

Summary and Outlook

Sebastian Pape Sample or Random Security March 5th, FC14 23 / 24

Introduction SOR-CO Summary and Outlook

Summary and Open Questions

SOR − CO Securitymodel

Relation to ROR − CPA

Visual encryption scheme making use of noise

Conjecture: SOR-CO-secure if parameters chosen accordingly

SOR − CO-security

Is Random-or-Sample Security a sufficient choice SampleA-or-SampleB Security? What about active adversaries?

Dice codings with noise

Given n and ν for how many ciphertexts is the scheme SOR-CO-secure?

Sebastian Pape Sample or Random Security March 5th, FC14 24 / 24

References References

References I

• M. Bellare, A. Desai, E. Jokipii, and P

. Rogaway. A concrete security treatment of symmetric encryption. In Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 97), pages 394–403, 1997.

• B. Borchert. Segment-based visual cryptography. Technical Report WSI-2007-04, Wilhelm-Schickard-Institut f¨

ur Informatik, T¨ ubingen, 2007.

• D. Doberitz. Visual cryptography protocols and their deployment against malware. Master’s thesis, Ruhr-Universit¨

at Bochum, Germany, 2008.

• M. Naor and A. Shamir. Visual cryptography. In A. D. Santis, editor, EUROCRYPT, volume 950 of Lecture Notes in Computer Science,

pages 1–12. Springer, 1994. ISBN 3-540-60176-7. Sebastian Pape Sample or Random Security March 5th, FC14 25 / 24