Guesswork and Variation Distance as Measures of Cipher Security
Absolute lower limits on the cost of cryptanalytic attacks are quantified via a theory of guesswork. Conditional guesswork naturally expresses the limits of known-plaintext and chosen-plaintext attacks. New inequalities are derived between various forms of guesswork and variation distance. The machinery thus offers a new technique for establishing the security of a cipher: when the work factor of the optimal known- or chosen-plaintext attack against a cipher is bounded below by a prohibitively large number, no practical attack against the cipher can succeed. As an example, we apply the technique to iterated cryptosystems, since the Markov property that results from assuming independent round subkeys makes them particularly amenable to analysis.
Keywords: Variation Distance, Block Cipher, Provable Security, Plaintext Attack, Codeword Length
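The quantities the abstract works with, computed on a toy two-round iterated cipher with independent subkeys. This is an added illustration, not code from the paper: the S-box (the 4-bit PRESENT S-box, used only as a convenient permutation), the two-round cipher, and the "bad key habit" prior are constructed for the demonstration, and the definitions used are the standard ones (Massey's guesswork, the expected number of guesses under the optimal guessing order; conditional guesswork as its average over observations; variation distance as half the L1 distance), not the paper's new inequalities. The "attack" is exhaustive posterior search, so the conditional guesswork it reports is the optimal known-plaintext work factor for this toy.

```python
"""Guesswork, conditional guesswork and variation distance on a toy cipher.

Added example (not from the paper). Definitions:
  G(X)   = sum_i i * p_(i)            with p_(1) >= p_(2) >= ...   (Massey)
  G(X|Y) = sum_y P(y) * G(X | Y=y)
  d(P,Q) = 1/2 * sum_x |P(x) - Q(x)|  (variation distance)
The cipher, S-box choice and key priors below are constructed toys.
"""
from collections import defaultdict
from fractions import Fraction
from itertools import product

# 4-bit bijective S-box (the PRESENT S-box, used only as a convenient permutation).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
BLOCK = 16   # 4-bit plaintext/ciphertext blocks
KEYS = 256   # 8-bit key = two independent 4-bit round subkeys (k1, k2)


def encrypt(key, p):
    """Two-round iterated toy cipher: c = S[S[p ^ k1] ^ k2]."""
    k1, k2 = key >> 4, key & 0xF
    return SBOX[SBOX[p ^ k1] ^ k2]


def guesswork(dist):
    """Expected number of guesses to hit X when guessing most-likely-first."""
    probs = sorted(dist.values(), reverse=True)
    return sum(Fraction(i) * pr for i, pr in enumerate(probs, start=1))


def conditional_guesswork(joint):
    """G(X|Y) for a joint distribution given as {(x, y): probability}."""
    by_y = defaultdict(dict)
    for (x, y), pr in joint.items():
        by_y[y][x] = pr
    total = Fraction(0)
    for sub in by_y.values():
        py = sum(sub.values())
        total += py * guesswork({x: pr / py for x, pr in sub.items()})
    return total


def variation_distance(p, q):
    return Fraction(1, 2) * sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q))


def uniform_keys():
    return {k: Fraction(1, KEYS) for k in range(KEYS)}


def skewed_keys():
    """Constructed 'bad key habit': half the mass sits on the 16 keys with k1 == k2."""
    weak = {k for k in range(KEYS) if (k >> 4) == (k & 0xF)}
    return {k: Fraction(1, 2 * len(weak)) if k in weak else Fraction(1, 2 * (KEYS - len(weak)))
            for k in range(KEYS)}


def known_plaintext_joint(prior, num_pairs):
    """Joint law of (key, observed (p, c) pairs) with uniform, independent plaintexts."""
    joint = {}
    p_plain = Fraction(1, BLOCK ** num_pairs)
    for key, pk in prior.items():
        for plains in product(range(BLOCK), repeat=num_pairs):
            obs = tuple((p, encrypt(key, p)) for p in plains)
            joint[(key, obs)] = pk * p_plain
    return joint


def consistent_keys(pairs):
    """Candidate keys left after a known-plaintext attacker sees the given (p, c) pairs."""
    return [k for k in range(KEYS) if all(encrypt(k, p) == c for p, c in pairs)]


if __name__ == "__main__":
    uni, skew = uniform_keys(), skewed_keys()
    print("G(K) uniform prior      :", guesswork(uni))            # 257/2
    print("G(K) skewed prior       :", guesswork(skew))           # 145/2
    print("d(skewed, uniform)      :", variation_distance(skew, uni))  # 7/16
    print("G(K | one (p,c) pair)   :", conditional_guesswork(known_plaintext_joint(uni, 1)))  # 17/2
    print("G(K | two (p,c) pairs)  :", conditional_guesswork(known_plaintext_joint(uni, 2)))
    print("keys consistent with one pair:", len(consistent_keys([(3, encrypt(0xA7, 3))])))  # 16
```

The uniform 8-bit key costs 128.5 guesses on average with no information; one known (plaintext, ciphertext) pair collapses that to 8.5, because for every choice of the first subkey exactly one second subkey explains the observation, so the optimal attack's work factor is the guesswork over the 16 surviving keys. The skewed prior lowers the unconditional guesswork and sits at variation distance 7/16 from uniform, which is the kind of gap the abstract's inequalities relate to guesswork. The cipher is of course far too small to be secure; the point is the accounting, which carries over unchanged to any cipher whose posterior over keys can be computed or bounded.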