Advantage (cryptography)
   HOME

TheInfoList



Click Here for Items Related To - Advantage (cryptography)
OR:
Advantage (cryptography) on:   [Wikipedia]   [Google]   [Amazon]

In
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...
, an adversary's advantage is a measure of how successfully it can attack a cryptographic
algorithm In mathematics and computer science, an algorithm () is a finite sequence of rigorous instructions, typically used to solve a class of specific problems or to perform a computation. Algorithms are used as specifications for performing ...
, by distinguishing it from an idealized version of that type of algorithm. Note that in this context, the "
adversary An adversary is generally considered to be a person, group, or force that opposes and/or attacks. Adversary may also refer to: * Satan ("adversary" in Hebrew), in Judeo-Christian religion Entertainment Fiction * Adversary (comics), villain fr ...
" is itself an algorithm and not a
person A person (plural, : people) is a being that has certain capacities or attributes such as reason, morality, consciousness or self-consciousness, and being a part of a culturally established form of social relations such as kinship, ownership of pr ...
. A cryptographic algorithm is considered secure if no adversary has a non-negligible advantage, subject to specified bounds on the adversary's computational resources (see
concrete security In cryptography, concrete security or exact security is a practice-oriented approach that aims to give more precise estimates of the computational complexities of adversarial tasks than polynomial equivalence would allow. It quantifies the securi ...
). "Negligible" usually means "within O(2−p)" where p is a
security parameter In cryptography, a security parameter is a way of measuring of how "hard" it is for an adversary to break a cryptographic scheme. There are two main types of security parameter: ''computational'' and ''statistical'', often denoted by \kappa and \ ...
associated with the algorithm. For example, p might be the number of bits in a block cipher's
key Key or The Key may refer to: Common meanings * Key (cryptography), a piece of information that controls the operation of a cryptography algorithm * Key (lock), device used to control access to places or facilities restricted by a lock * Key (ma ...
.


Description of concept

Let F be an
oracle An oracle is a person or agency considered to provide wise and insightful counsel or prophetic predictions, most notably including precognition of the future, inspired by deities. As such, it is a form of divination. Description The wor ...
for the function being studied, and let G be an oracle for an idealized function of that type. The adversary A is a probabilistic algorithm, given F or G as input, and which outputs 1 or 0. A's job is to distinguish F from G, based on making queries to the oracle that it's given. We say: Adv(A) = , \Pr (F)=1- \Pr (G)=1


Examples

Let F be a random instance of the DES
block cipher In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called ''blocks''. Block ciphers are specified cryptographic primitive, elementary components in the design of many cryptographic protocols and ...
. This cipher has 64-bit blocks and a 56-bit key. The key therefore selects one of a family of 256
permutation In mathematics, a permutation of a set is, loosely speaking, an arrangement of its members into a sequence or linear order, or if the set is already ordered, a rearrangement of its elements. The word "permutation" also refers to the act or p ...
s on the 264 possible 64-bit blocks. A "random DES instance" means our oracle F computes DES using some key K (which is unknown to the adversary) where K is selected from the 256 possible keys with equal probability. We want to compare the DES instance with an
ideal Ideal may refer to: Philosophy * Ideal (ethics), values that one actively pursues as goals * Platonic ideal, a philosophical idea of trueness of form, associated with Plato Mathematics * Ideal (ring theory), special subsets of a ring considere ...
ized 64-bit block cipher, meaning a permutation selected at random from the (264) ! possible permutations on 64-bit blocks. Call this randomly selected permutation G. Note from
Stirling's approximation In mathematics, Stirling's approximation (or Stirling's formula) is an approximation for factorials. It is a good approximation, leading to accurate results even for small values of n. It is named after James Stirling, though a related but less p ...
that (264)! is around 10^, so even specifying which permutation is selected requires writing down a number too large to represent exactly in any real computer. Viewed another way, G is an instance of a "cipher" whose "key length" is about 1021 bits, which again is too large to fit in a computer. (We can, however, implement G with storage space proportional to the number of queries, using a
random oracle In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time tha ...
). Note that because the oracles were given encrypt plaintext of our choosing, we're modelling a
chosen-plaintext attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts.Ross Anderson, ''Security Engineering: A Guide to Building Dependable Distributed Systems''. ...
or CPA, and the advantage we're calculating can be called the CPA-advantage of a given adversary. If we also had decryption oracles available, we'd be doing a
chosen-ciphertext attack A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the hidden ...
or CCA and finding the CCA-advantage of the adversary.


Example 1: Guess at random

Call this adversary A0. It simply flips a coin and returns 1 or 0 with equal probability and without making any oracle calls. Thus, Pr 0(F)=1and Pr 0(G)=1are both 0.5. The difference between these probabilities is zero, so Adv(A0) is zero. The same thing applies if we always return 0, or always return 1: the probability is the same for both F and G, so the advantage is zero. This adversary can't tell F and G apart. If we're cipher designers, our desire (maybe not achievable) is to make it so that it's computationally infeasible for ''any'' adversary to do significantly better than this. We will have succeeded if we can make a cipher for which there's no distinguisher faster than brute force search.


Example 2:

Brute force search In computer science, brute-force search or exhaustive search, also known as generate and test, is a very general problem-solving technique and algorithmic paradigm that consists of systematically enumerating all possible candidates for the soluti ...

This adversary (call it A1) will attempt to cryptanalyze its input by
brute force Brute Force or brute force may refer to: Techniques * Brute force method or proof by exhaustion, a method of mathematical proof * Brute-force attack, a cryptanalytic attack * Brute-force search, a computer problem-solving technique People * Brut ...
. It has its own DES implementation. It gives a single query to its oracle, asking for the 64-bit string of all zeroes to be encrypted. Call the resulting ciphertext E0. It then runs an exhaustive key search. The algorithm looks like this: E0 = oracle_query(0) for k in 0,1,...,256-1: if DESk(0)

E0: return 1 return 0 This searches the entire 56-bit DES keyspace and returns "1" if it probably finds a matching key. In practice, several plaintexts are required to confirm the key, as two different keys can result in one or more matching plaintext-ciphertext pairs. If no key is found, it returns 0. If the input oracle is DES, this exhaustive search is certain to find the key, so Pr 1(F)=1= 1. If the input oracle is a random permutation, there are 264 possible values of E0, and at most 256 of them will get examined in the DES keysearch. So the probability of A1 returning 1 is at most 2−8. That is: Pr _1(G)=1\leq 2^, so Adv(A_1) = , Pr
_1(F)=1 1 (one, unit, unity) is a number representing a single or the only entity. 1 is also a numerical digit and represents a single unit of counting or measurement. For example, a line segment of ''unit length'' is a line segment of length  ...
- Pr _1(G)=1 \geq 1 - 2^ so the advantage is at least about 0.996. This is a near-certain distinguisher, but it's not a security failure because it's no faster than brute force search, after all, it ''is'' the brute force search.


See also

* Pseudorandom-function advantage * Key-recovery advantage * PR-CPA advantage


References

{{page numbers needed, date=January 2015 *
Phillip Rogaway Phillip Rogaway is a professor of computer science at the University of California, Davis. He graduated from Beverly Hills High School, and later earned a BA in computer science from UC Berkeley and completed his PhD in cryptography at MIT, in ...
and
Mihir Bellare Mihir Bellare is a cryptographer and professor at the University of California San Diego. He has published several seminal papers in the field of cryptography (notably in the area of provable security), many of which were co-written with Phillip R ...

Introduction to Modern Cryptography
* Oded Goldreich

Theory of cryptography