|
|
| Line 1: |
Line 1: |
| {{Cleanup|date=March 2008}}
| | The writer's name is Andera and she thinks it sounds quite good. What me and my family adore is bungee leaping but I've been using on new things recently. My spouse and I live in Mississippi but now I'm contemplating other options. Office supervising is exactly where her primary income comes from.<br><br>My blog post ... [http://203.250.78.160/zbxe/?document_srl=1792908 free psychic] |
| In [[cryptography]], an adversary's '''advantage''' is a measure of how successfully it can attack a cryptographic [[algorithm]], by distinguishing it from an idealized version of that type of algorithm. Note that in this context, the "[[Adversary (cryptography)|adversary]]" is itself an algorithm and not a [[person]]. A cryptographic algorithm is considered secure if no adversary has a non-[[negligible]] advantage, subject to specified bounds on the adversary's computational resources (see [[concrete security]]). "Negligible" usually means "within [[Big O notation|O]](2<sup>-p</sup>)" where p is a [[security parameter]] associated with the algorithm. For example, p might be the number of bits in a block cipher's [[key (cryptography)|key]].
| |
| | |
| == Description of concept ==
| |
| | |
| Let F be an [[oracle machine|oracle]] for the function being studied, and let G be an oracle for an idealized function of that type. The adversary A is a probabilistic algorithm given F or G as input and which outputs 1 or 0. A's job is to distinguish F from G based on making queries to the oracle that it's given. We say:
| |
| <math>Adv(A) = |\Pr[A(F)=1] - \Pr[A(G)=1]|</math>
| |
| | |
| == Examples ==
| |
| Let F be a random instance of the [[Data Encryption Standard|DES]] [[block cipher]]. This cipher has 64-bit blocks and a 56-bit key. The key therefore selects one of a family of 2<sup>56</sup> [[permutation]]s on the 2<sup>64</sup> possible 64-bit blocks. A "random DES instance" means our oracle F computes DES using some key K (which is unknown to the adversary) where K is selected from the 2<sup>56</sup> possible keys with equal probability.
| |
| | |
| We want to compare the DES instance with an [[Platonic ideal|ideal]]ized 64-bit block cipher, meaning a permutation selected at random from the (2<sup>64</sup>)[[factorial|!]] possible permutations on 64-bit blocks. Call this randomly selected permutation G. Note from [[Stirling's approximation]] that (2<sup>64</sup>)! is around <math>10^{3.47\times 10^{20}}</math>, so even specifying which permutation is selected requires writing down a number too large to represent exactly in any real computer. Viewed another way, G is an instance of a "cipher" whose "key length" is about 10<sup>21</sup> bits, which again is too large to fit in a computer. (We can, however, implement G with storage space proportional to the number of queries, using a [[random oracle]]).
| |
| | |
| Note that because the oracles we're given encrypt plaintext of our choosing, we're modelling a [[chosen-plaintext attack]] or '''CPA''', and the advantage we're calculating can be called the CPA-advantage of a given adversary. If we also had decryption oracles available, we'd be doing a [[chosen-ciphertext attack]] or '''CCA''' and finding the CCA-advantage of the adversary.
| |
| | |
| | |
| | |
| ===Example 1: Guess at random===
| |
| Call this adversary A<sub>0</sub>. It simply flips a coin and returns 1 or 0 with equal probability and without making any oracle calls. Thus, Pr[A<sub>0</sub>(F)=1] and Pr[A<sub>0</sub>(G)=1] are both 0.5. The difference between these probabilities is zero, so Adv(A<sub>0</sub>) is zero. The same thing applies if we always return 0, or always return 1: the probability is the same for both F and G, so the advantage is zero. This adversary can't tell F and G apart. If we're cipher designers, our desire (maybe not achievable) is to make it so that it's [[Computational complexity theory#Intractability|computationally infeasible]] for ''any'' adversary to do significantly better than this. We will have succeeded if we can make a cipher for which there's no distinguisher faster than brute force search.
| |
| | |
| ===Example 2: Brute force search===
| |
| This adversary (call it A<sub>1</sub>) will attempt to cryptanalyze its input by [[brute force attack|brute force]]. It has its own DES implementation. It gives a single query to its oracle, asking for the 64-bit string of all zeroes to be encrypted. Call the resulting ciphertext E<sub>0</sub>. It then runs an exhaustive key search.
| |
| The algorithm looks like this:
| |
| | |
| E<sub>0</sub> = oracle_query(0)
| |
| for k in 0,1,...,2<sup>56</sup>-1:
| |
| if DES<sub>k</sub>(0) == E<sub>0</sub>:
| |
| return 1
| |
| return 0
| |
| | |
| This searches the entire 56-bit DES keyspace and returns "1" if it probably finds a matching key. In practice, several plaintexts are required to confirm the key, as two different keys can result in one or more matching plaintext-ciphertext pairs. If no key is found, it returns 0.
| |
| | |
| If the input oracle is DES, this exhaustive search is certain to find the key, so Pr[A<sub>1</sub>(F)=1] = 1. If the input oracle is a random permutation, there are 2<sup>64</sup> possible values of E<sub>0</sub>, and at most 2<sup>56</sup> of them will get examined in the DES keysearch. So the probability of A<sub>1</sub> returning 1 is at most 2<sup>-8</sup>. That is:
| |
| | |
| Pr[A<sub>1</sub>(G)=1] <= 2<sup>-8</sup>, so
| |
| | |
| Adv(A<sub>1</sub>) = |Pr[A<sub>1</sub>(F)=1] - Pr[A<sub>1</sub>(G)=1]| >= 1 - 2<sup>-8</sup>
| |
| | |
| so the advantage is at least about 0.996. This is a near-certain distinguisher, but it's not a security failure because it's no faster than brute force search, after all, it ''is'' the brute force search.
| |
| | |
| ==See also==
| |
| *[[Pseudorandom-function advantage]]
| |
| *[[Key-recovery advantage]]
| |
| *[[PR-CPA advantage]]
| |
| | |
| == References ==
| |
| [[Phillip Rogaway]] and [[Mihir Bellare]], [http://www-cse.ucsd.edu/~mihir/cse207/classnotes.html Introduction to Modern Cryptography]
| |
| | |
| Oded Goldreich, [http://theory.lcs.mit.edu/~oded/frag.html Foundations of Cryptography (Fragments of a Book)]
| |
| | |
| [[Category:Theory of cryptography]]
| |
The writer's name is Andera and she thinks it sounds quite good. What me and my family adore is bungee leaping but I've been using on new things recently. My spouse and I live in Mississippi but now I'm contemplating other options. Office supervising is exactly where her primary income comes from.
My blog post ... free psychic