In [[cryptography]], an adversary's '''advantage''' is a measure of how successfully it can attack a cryptographic [[algorithm]], by distinguishing it from an idealized version of that type of algorithm. Note that in this context the "[[Adversary (cryptography)|adversary]]" is itself an algorithm and not a [[person]]. A cryptographic algorithm is considered secure if no adversary has a non-[[negligible]] advantage, subject to specified bounds on the adversary's computational resources (see [[concrete security]]). "Negligible" usually means smaller than the inverse of any polynomial in a [[security parameter]] p associated with the algorithm; in concrete terms a bound such as [[Big O notation|O]](2<sup>-p</sup>) is typical. For example, p might be the number of bits in a block cipher's [[key (cryptography)|key]].

== Description of concept ==

Let F be an [[oracle machine|oracle]] for the function being studied, and let G be an oracle for an idealized function of that type. The adversary A is a probabilistic algorithm that is given oracle access to either F or G (it can submit queries and see the answers, but cannot inspect the oracle's internals) and which outputs 1 or 0. A's job is to distinguish F from G based on the answers to the queries it makes. Its advantage is the gap between how often it outputs 1 when talking to F and how often it outputs 1 when talking to G, where the probabilities are taken over A's own random choices and over the random choice of the instance (for example, the key) behind the oracle:

<math>Adv(A) = |\Pr[A(F)=1] - \Pr[A(G)=1]|</math>

== Examples ==

Let F be a random instance of the [[Data Encryption Standard|DES]] [[block cipher]]. This cipher has 64-bit blocks and a 56-bit key. The key therefore selects one of a family of 2<sup>56</sup> [[permutation]]s on the 2<sup>64</sup> possible 64-bit blocks. A "random DES instance" means that our oracle F computes DES under some key K, unknown to the adversary, where K is selected from the 2<sup>56</sup> possible keys with equal probability.

We want to compare the DES instance with an [[Platonic ideal|ideal]]ized 64-bit block cipher, meaning a permutation selected uniformly at random from the (2<sup>64</sup>)[[factorial|!]] possible permutations on 64-bit blocks. Call this randomly selected permutation G. Note from [[Stirling's approximation]] that (2<sup>64</sup>)! is around <math>10^{3.47\times 10^{20}}</math>, so even specifying which permutation is selected requires writing down a number too large to represent exactly in any real computer. Viewed another way, G is an instance of a "cipher" whose "key length" is about 10<sup>21</sup> bits, which again is too large to fit in a computer. (We can, however, implement G with storage proportional to the number of queries by sampling its outputs lazily, as with a [[random oracle]]: each new input is assigned a fresh uniformly random output not already used, and a repeated input gets the stored answer.)

Note that because the oracles we're given encrypt plaintext of our choosing, we're modelling a [[chosen-plaintext attack]] or '''CPA''', and the advantage we're calculating can be called the CPA-advantage of a given adversary. If we also had decryption oracles available, we'd be modelling a [[chosen-ciphertext attack]] or '''CCA''' and finding the CCA-advantage of the adversary. The definition of advantage is the same in both cases; what changes is which queries the adversary is allowed to make.

===Example 1: Guess at random===

Call this adversary A<sub>0</sub>. It simply flips a coin and returns 1 or 0 with equal probability, without making any oracle calls. Thus Pr[A<sub>0</sub>(F)=1] and Pr[A<sub>0</sub>(G)=1] are both 0.5. The difference between these probabilities is zero, so Adv(A<sub>0</sub>) is zero. The same applies if we always return 0, or always return 1: the probability is the same for both F and G, so the advantage is zero. This adversary can't tell F and G apart. If we're cipher designers, our aim (which may not be achievable) is to make it [[Computational complexity theory#Intractability|computationally infeasible]] for ''any'' adversary to do significantly better than this. We will have succeeded if we can make a cipher for which there is no distinguisher faster than brute-force search.

===Example 2: Brute force search===

This adversary (call it A<sub>1</sub>) will attempt to cryptanalyze its input by [[brute force attack|brute force]]. It has its own DES implementation. It makes a single query to its oracle, asking for the 64-bit all-zero block to be encrypted. Call the resulting ciphertext E<sub>0</sub>. It then runs an exhaustive key search, re-encrypting the zero block under every candidate key with its own implementation and looking for a match.

The algorithm looks like this (written as a function whose two parameters stand in for the oracle and for the adversary's own DES implementation):

 def brute_force_adversary(oracle_query, des_encrypt):
     # oracle_query(x): encrypts block x under the unknown key (F) or a random permutation (G)
     # des_encrypt(k, x): the adversary's own DES implementation
     E0 = oracle_query(0)
     for k in range(2**56):
         if des_encrypt(k, 0) == E0:
             return 1
     return 0

This searches the entire 56-bit DES keyspace and returns 1 as soon as it finds a key k with DES<sub>k</sub>(0) = E<sub>0</sub>; if no key matches, it returns 0. A match does not prove that k is the oracle's key: two different keys can agree on one or more plaintext-ciphertext pairs, so an attacker who actually wants to recover the key would confirm a candidate against several further pairs. For a distinguisher, whose only job is to output 0 or 1, a single pair is enough, and the possibility of a false match is accounted for in the error bound below.

If the oracle is DES, the true key is among the candidates and certainly matches, so Pr[A<sub>1</sub>(F)=1] = 1. If the oracle is a random permutation, E<sub>0</sub> = G(0) is uniformly distributed over the 2<sup>64</sup> possible blocks, and at most 2<sup>56</sup> of those values (one per candidate key) can trigger a match in the key search. So the probability of A<sub>1</sub> returning 1 is at most 2<sup>56</sup>/2<sup>64</sup> = 2<sup>-8</sup>. That is:

<math>\Pr[A_1(G)=1] \le 2^{-8}</math>, so

<math>Adv(A_1) = |\Pr[A_1(F)=1] - \Pr[A_1(G)=1]| \ge 1 - 2^{-8}</math>

so the advantage is at least 1 - 2<sup>-8</sup>, about 0.996. This is a near-certain distinguisher, but it is not a security failure, because it is no faster than brute-force search: it ''is'' the brute-force search, costing about 2<sup>56</sup> DES evaluations. A distinguisher with comparable advantage at substantially lower cost would be a break.

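The distinguishing game from the description above, the lazily sampled random permutation used for G, and both adversaries from Examples 1 and 2 can be run end to end at a scale where the exhaustive search finishes in a fraction of a second. The following is an added example, not code from the original article: it uses a hypothetical toy Feistel cipher with 16-bit blocks and 8-bit keys (so 2<sup>8</sup> keys on 2<sup>16</sup> blocks, which gives the same 2<sup>-8</sup> false-match bound as DES's 2<sup>56</sup> keys on 2<sup>64</sup> blocks), and its round function and key schedule are arbitrary choices made for illustration. The function names `toy_encrypt`, `LazyRandomPermutation`, `estimate_advantage` and `exact_brute_force_advantage` are likewise the example's own.

```python
import random

# Added example (not part of the original article): the distinguishing game of the
# "Description of concept" section, the lazily sampled random permutation described
# alongside G, and the two adversaries of Examples 1 and 2, run against a hypothetical
# toy cipher small enough to brute-force in a fraction of a second.

BLOCK_BITS, KEY_BITS = 16, 8      # toy scale: 2^8 keys on 2^16 blocks (DES: 2^56 keys on 2^64 blocks)
BLOCK_SPACE, KEY_SPACE = 1 << BLOCK_BITS, 1 << KEY_BITS


def toy_encrypt(key, block):
    """Hypothetical 4-round Feistel cipher on 16-bit blocks under an 8-bit key.

    Any Feistel network is a permutation of the block space, so each key selects one
    of (at most) 2^8 permutations: the same structure as DES at an enumerable scale.
    The round function and key schedule are arbitrary choices made for illustration.
    """
    left, right = block >> 8, block & 0xFF
    for r in range(4):
        rk = (key + 0x9B * r) & 0xFF                  # toy key schedule (assumed)
        f = ((right ^ rk) * 0xA5 + 0x3C) & 0xFF       # toy round function (assumed)
        f = ((f << 3) | (f >> 5)) & 0xFF              # rotate for a little diffusion
        left, right = right, left ^ f
    return (left << 8) | right


class LazyRandomPermutation:
    """The idealised cipher G: a uniformly random permutation of the block space.

    Writing G down outright would take log2((2^16)!) bits; instead each output is sampled
    the first time its input is queried, so storage grows with the number of queries
    (the random-oracle technique mentioned in the text).
    """

    def __init__(self, rng=None):
        self.rng = rng or random.Random()
        self.table, self.used = {}, set()

    def __call__(self, x):
        if x not in self.table:
            y = self.rng.randrange(BLOCK_SPACE)
            while y in self.used:                      # reject repeats: G must stay injective
                y = self.rng.randrange(BLOCK_SPACE)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def coin_flip_adversary(oracle, rng):
    """Example 1, A0: ignores the oracle and guesses."""
    return rng.randrange(2)


def brute_force_adversary(oracle, rng):
    """Example 2, A1: one encryption query, then exhaustive key search with its own cipher."""
    e0 = oracle(0)
    return int(any(toy_encrypt(k, 0) == e0 for k in range(KEY_SPACE)))


def estimate_advantage(adversary, rng, trials=1000):
    """Monte-Carlo estimate of Adv(A) = |Pr[A(F)=1] - Pr[A(G)=1]|.

    Each trial runs A once against a fresh real oracle F (toy cipher under a uniformly
    random key) and once against a fresh ideal oracle G (a new random permutation).
    """
    ones_real = ones_ideal = 0
    for _ in range(trials):
        key = rng.randrange(KEY_SPACE)
        ones_real += adversary(lambda x, k=key: toy_encrypt(k, x), rng)
        ones_ideal += adversary(LazyRandomPermutation(rng), rng)
    return abs(ones_real - ones_ideal) / trials


def exact_brute_force_advantage():
    """Adv(A1) computed exactly, mirroring the argument in the text.

    Pr[A1(F)=1] = 1: the oracle's own key always matches. Pr[A1(G)=1] = |S| / 2^16 where
    S = {E_k(0) for every key k}, because G(0) is uniform on the block space and A1 says 1
    exactly when G(0) lands in S. |S| <= 2^8, so Adv(A1) >= 1 - 2^8/2^16 = 1 - 2^-8.
    """
    hits = {toy_encrypt(k, 0) for k in range(KEY_SPACE)}
    return 1.0 - len(hits) / BLOCK_SPACE


def run_examples(seed=2024, trials=1000):
    """Run both adversaries from a fixed seed and return the three advantage figures."""
    rng = random.Random(seed)
    return {
        "A0_estimated": estimate_advantage(coin_flip_adversary, rng, trials),
        "A1_estimated": estimate_advantage(brute_force_adversary, rng, max(trials // 5, 1)),
        "A1_exact": exact_brute_force_advantage(),
    }


if __name__ == "__main__":
    for name, value in run_examples().items():
        print(f"{name}: {value:.4f}")
    print("bound from the text, 1 - 2^-8:", 1 - 2**-8)
```

The estimate for A<sub>0</sub> hovers near zero and the estimate for A<sub>1</sub> near one, while `exact_brute_force_advantage` reproduces the 1 - 2<sup>-8</sup> bound directly: the only way A<sub>1</sub> is fooled by G is for G(0) to land on one of the at most 2<sup>8</sup> values that some key maps 0 to. The same code, with `toy_encrypt` and the two size constants swapped for a real cipher, is the CPA distinguishing experiment of the text; it is only the 2<sup>56</sup>-key search that makes it impractical at DES scale.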
==See also==

*[[Pseudorandom-function advantage]]
*[[Key-recovery advantage]]
*[[PR-CPA advantage]]

[[Category:Theory of cryptography]]