Sample or Random Security – A Security Model for

Sample or Random Security – A Security Model for Segment-Based Visual Cryptography Sebastian Pape Dortmund Technical University

March 5th, 2014 Financial Cryptography and Data Security 2014

Sebastian Pape

Sample or Random Security

March 5th, FC14

1 / 24

Introduction

SOR-CO

Summary and Outlook

Overview

1

Introduction Visual Cryptography

2

Sample-Or-Random Security

3

Summary and Outlook

Sebastian Pape

Sample or Random Security

March 5th, FC14

2 / 24

Introduction

SOR-CO

Summary and Outlook

Scenario

Untrustworthy Hardware / Software

Sebastian Pape

Sample or Random Security

March 5th, FC14

3 / 24

Introduction

SOR-CO

Summary and Outlook

Visual Cryptography - Idea

(a) Transparencies side by side

Sebastian Pape

Sample or Random Security

(b) Transparencies stacked

March 5th, FC14

4 / 24

Introduction

SOR-CO

Summary and Outlook

Pixel-based Visual Crypt. (Naor and Shamir, 1994)

=

+ Figure: Example

Figure: Shares With 4 Sub-pixels in a 2x2 Matrix Sebastian Pape

Sample or Random Security

March 5th, FC14

5 / 24

Introduction

SOR-CO

Summary and Outlook

Segment-based Visual Cryptography (Borchert, 2007)

(b) c1

(a) full

(c) c2

Bottom Layer

O ve r

la y

Top Layer

Table: Contingency Table

(d) k

(e) c1 ↔ k (f) c2 ↔ k

Sebastian Pape

Sample or Random Security

March 5th, FC14

6 / 24

Introduction

SOR-CO

Summary and Outlook

Dice Codings (Doberitz, 2008)

Key

=

Key

ec D

Cipher

+

Ciphertext

Table: Contingency Table

Plaintext (5)

Sebastian Pape

Sample or Random Security

March 5th, FC14

7 / 24

Introduction

SOR-CO

Summary and Outlook

Visual Cryptography - Application

Figure: Keypad of a cash machine

Sebastian Pape

Figure: Keypads in visual Cryptography (Borchert, 2007)

Sample or Random Security

March 5th, FC14

8 / 24

Introduction

SOR-CO

Summary and Outlook

Reminder: Reusing Key-Transparencies

=

+ (1)

(2)

=

+ (1)

(3)

=

+ (2)

(3) Figure: Combination of 3 transparencies

Sebastian Pape

Sample or Random Security

March 5th, FC14

9 / 24

Introduction

SOR-CO

Summary and Outlook

Overview

1

Introduction

2

Sample-Or-Random Security Real-Or-Random Security Sample-Or-Random Security Relation between ROR − CPA and SOR − CO Evaluation

3

Summary and Outlook

Sebastian Pape

Sample or Random Security

March 5th, FC14

10 / 24

Introduction

SOR-CO

Summary and Outlook

Real-Or-Random (ROR − CPA )

Bellare et al. (1997)

ror −cpa −b

Experiment k b b0

ExpA ,Π

← ∈R ←

GenKey(1n ) {0, 1} A ORR (·,b )

Key generation Random choice of b Adversary tries to determine b Adv = Pr [correct ] − Pr [false ]

Adversary’s advantage def ror −cpa AdvA ,Π (n) = Sebastian Pape

(n) = b 0

ror −cpa −1 Pr [ExpA ,Π (n)

−cpa −0 = 1] − Pr [Expror (n) = 1] A ,Π

Sample or Random Security

March 5th, FC14

11 / 24

Introduction

SOR-CO

Summary and Outlook

Why Ciphertext-Only Securitymodel? CPA is not suitable for visual cryptography Adversary may not have access to an encryption oracle

CPA is too strong use of XOR allows determining the key e.g. encryptions of  or 8

Allow Trade-off: Weaker securitymodel vs. easier key handling

⇒ CO-Securitymodel Sample Structure

samplestruct

samplestruct returns a finite set of plaintexts following the pattern of struct. Example for Γ = {0, 1, . . . , n}

Π(0, 1, . . . , n)

samplekeypad ∈R {γ | γ = γ0 kγ1 k . . . kγn ∧ ∀i , j with 0 ≤ i , j ≤ n . γi , γj } Sebastian Pape

Sample or Random Security

March 5th, FC14

12 / 24

Introduction

SOR-CO

Summary and Outlook

Sample-Or-Random (SOR − CO)

−co −b Expsor (n) = b 0 A ,Π

Experiment k b b0

← ∈R ←

GenKey(1n ) {0, 1} A OSR (struct )

Adversary’s advantage

Key generation Random choice of b Adversary tries to determine b Adv = Pr [correct ] − Pr [false ]

def

−co sor −co −1 −co −0 Advsor (n) = 1] − Pr [Expsor (n) = 1] A ,Π (n ) = Pr [ExpA ,Π A, Π Sebastian Pape

Sample or Random Security

March 5th, FC14

13 / 24

Introduction

SOR-CO

Summary and Outlook

Relation between ROR − CPA and SOR − CO

LOR-CPA Bellare et al. (1997)

ROR-CPA

?

SOR-CO

Figure: Relation between Securitymodels for Symmetric Encryption

Sebastian Pape

Sample or Random Security

March 5th, FC14

14 / 24

Introduction

SOR-CO

Summary and Outlook

Relation between ROR − CPA and SOR − CO

Theorem Notion of SOR − CO is weaker than ROR − CPA .

[ROR − CPA ⇒ SOR − CO ]

Lemma 1:

If an encryption scheme Π is secure in the sense of ROR − CPA , then Π is also secure in the sense of SOR − CO.

[SOR − CO ; ROR − CPA ]

Lemma 2:

If there exists an encryption scheme Π which is secure in the sense of SOR − CO, then there is an encryption scheme Π0 which is secure in the sense of SOR − CO but not ROR − CPA .

Sebastian Pape

Sample or Random Security

March 5th, FC14

15 / 24

Introduction

SOR-CO

Summary and Outlook

[SOR − CO ; ROR − CPA ] – Proof [SOR − CO ; ROR − CPA ]

Lemma 2:

If there exists an encryption scheme Π which is secure in the sense of SOR − CO, then there is an encryption scheme Π0 which is secure in the sense of SOR − CO but not ROR − CPA . Sketch of Proof Assumption: Π = (GenKey, Enc, Dec), SOR − CO-secure exists Derive Π0 = (GenKey0 , Enc0 , Dec0 ), Lemma 2a: SOR − CO-secure, Lemma 2b: but not ROR − CPA -secure Idea: ’mark ciphertexts’, to contradict ROR − CPA -security

Sebastian Pape

Sample or Random Security

March 5th, FC14

16 / 24

Introduction

SOR-CO

Summary and Outlook

[SOR − CO ; ROR − CPA ] – derived encryption scheme Sample struct

sample1

samplekeypad ∈R {γ | γ = γ0 kγ1 k . . . kγn ∧ ∀i , j with 0 ≤ i , j ≤ n . γi , γj } Algorithms Π0 = (GenKey0 , Enc0 , Dec0 ): Algorithm GenKey0 (1n ): k ← GenKey(1n ) return k

Sebastian Pape

Algorithm Enc0k (m): c ← Enck (c ) if m = 0 . . . 0 then c 0 := 0kc else c 0 := 1kc return c 0

Sample or Random Security

Algorithm Dec0k (c 0 ): c 0 = α1 kα2 k . . . kα|c 0 | c := α2 k . . . kα|c 0 | m := Deck (c ) return m

March 5th, FC14

17 / 24

Introduction

SOR-CO

Summary and Outlook

[SOR − CO ; ROR − CPA ] Lemma 2a - Details Lemma 2a:

Π0 = (GenKey0 , Enc0 , Dec0 ) is secure in the sense of SOR − CO given the sample structure sample1 . Proof. b = 0 (’sample mode’): No change, 0 . . . 0 never appears b = 1 (’random mode’): Negligible Adv] , Pr [0 . . . 0] = −co sor −co −1 Advsor (n) = 1] A ,Π0 (n ) = Pr [ExpA ,Π0

1 (n+1)n+1

−co −0 −Pr [Expsor (n) = 1] A, Π0

−co −0 ≤ Pr [ExpAsor,Π−co −1 (n) = 1] + Adv] −Pr [Expsor (n) = 1] A, Π −co = Advsor A ,Π (n ) + Adv]

 Sebastian Pape

Sample or Random Security

March 5th, FC14

18 / 24

Introduction

SOR-CO

Summary and Outlook

[SOR − CO ; ROR − CPA ] Lemma 2b - Details Lemma 2b:

Π0 = (GenKey0 , Enc0 , Dec0 ) is not secure in the sense of ROR − CPA . Proof. Adversary asks ORR (·, b ) for encryption of ’0 . . . 0’. If ORR → 0k . . .

⇒

b = 0 (’real mode’)

If ORR → 1k . . .

⇒

b = 1 (’random mode’)

ror −cpa

AdvA

cpa ,Π

0

−1 (n) = Pr [ExpArorcpa−cpa (n) = 1] ,Π0

=1−

1 (n + 1)n+1

−cpa −0 −Pr [Expror (n) = 1] Acpa ,Π0

−0 

Sebastian Pape

Sample or Random Security

March 5th, FC14

19 / 24

Introduction

SOR-CO

Summary and Outlook

Relation between ROR − CPA und SOR − CO [SOR − CO ; ROR − CPA ]

⇒ Lemma 2:

If there exists an encryption scheme Π which is secure in the sense of SOR − CO, then there is an encryption scheme Π0 which is secure in the sense of SOR − CO but not ROR − CPA . Theorem SOR − CO is weaker than ROR − CPA . LOR-CPA Bellare et al. (1997)

SOR-CO

ROR-CPA Sebastian Pape

Sample or Random Security

March 5th, FC14

20 / 24

Introduction

SOR-CO

Summary and Outlook

Evaluation: SOR − CO at 7-Segment / Dice Codings Difference of 2 “KeypadCiphertexts” is even Adversary asks for 2 ciphertexts if difference is even ⇒ b = 0 (’sample mode’) if difference is odd ⇒ b = 1 (’random mode’) −co sor −co −1 Advsor (n) = 1] A ,Π0 (n ) = Pr [ExpA ,Π0

= Pr [A = rand |O = rand ] =

1 2

−co −0 −Pr [Expsor (n) = 1] A, Π0

−Pr [A = rand |O = samp ] −0

Idea for countermeasure: add noise to the ciphertexts Sebastian Pape

Sample or Random Security

March 5th, FC14

21 / 24

Introduction

SOR-CO

Summary and Outlook

Dice Codings with Noise

=

+ Ciphertext

Key

Plaintext (4)

Figure: Visualization for n = 9 and ν = 7

Cipher

D ec

Key

Table: Contingency Table Sebastian Pape

Sample or Random Security

March 5th, FC14

22 / 24

Introduction

SOR-CO

Summary and Outlook

Overview

1

Introduction

2

Sample-Or-Random Security

3

Summary and Outlook

Sebastian Pape

Sample or Random Security

March 5th, FC14

23 / 24

Introduction

SOR-CO

Summary and Outlook

Summary and Open Questions SOR − CO Securitymodel Relation to ROR − CPA Visual encryption scheme making use of noise Conjecture: SOR-CO-secure if parameters chosen accordingly

SOR − CO-security Is Random-or-Sample Security a sufficient choice SampleA-or-SampleB Security? What about active adversaries?

Dice codings with noise Given n and ν for how many ciphertexts is the scheme SOR-CO-secure?

Sebastian Pape

Sample or Random Security

March 5th, FC14

24 / 24

References

References

References I

M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 97), pages 394–403, 1997. ¨ Informatik, Tubingen, ¨ B. Borchert. Segment-based visual cryptography. Technical Report WSI-2007-04, Wilhelm-Schickard-Institut fur 2007. ¨ Bochum, Germany, D. Doberitz. Visual cryptography protocols and their deployment against malware. Master’s thesis, Ruhr-Universitat 2008. M. Naor and A. Shamir. Visual cryptography. In A. D. Santis, editor, EUROCRYPT, volume 950 of Lecture Notes in Computer Science, pages 1–12. Springer, 1994. ISBN 3-540-60176-7.

Sebastian Pape

Sample or Random Security

March 5th, FC14

25 / 24