Content uploaded by Sebastian Pape

Author content

All content in this area was uploaded by Sebastian Pape on Apr 12, 2016

Content may be subject to copyright.

Content uploaded by Sebastian Pape

Author content

All content in this area was uploaded by Sebastian Pape on Apr 12, 2016

Content may be subject to copyright.

Content uploaded by Sebastian Pape

Author content

All content in this area was uploaded by Sebastian Pape on Mar 23, 2016

Content may be subject to copyright.

Sample or Random Security – A Security Model

for Segment-Based Visual Cryptography

Sebastian Pape

Department of Computer Science, Technical University Dortmund,

Research Group: Software Engineering for Critical Systems,

Otto-Hahn Str. 14, 44225 Dortmund, Germany

Abstract.

In some scenarios, especially when visual cryptography [1]

is used, the attacker has no access to an encryption oracle, and thus

is not able to mount chosen-plaintext attacks. Based on the notion of

real-or-random security under chosen-plaintext attacks (ROR-CPA) given

by Bellare et al. [2], we propose the notion of sample-or-random security

under ciphertext-only attacks (SOR-CO). We prove that the notion of

SOR-CO is fundamentally weaker than the notion of ROR-CPA security

and demonstrate the usefulness of our notion by applying it to segment-

based visual cryptography [3]. An additional contribution of this paper is

the construction of a new segment-based visual encryption scheme with

noise based on work by Doberitz [4]. To our knowledge, this is the ﬁrst

visual encryption scheme which makes use of noise. We conjecture that it

is secure in the sense of SOR-CO security if the key is not used too often

and if the encryption schemes security parameters are chosen accordingly.

Keywords: authentication, visual cryptography, security model

1 Introduction

In online banking, many banks have come up with several approaches of authen-

tication derived from variations of transaction authentication numbers (TAN).

The user receives a list of TANs beforehand (e.g. by letter post) and has to

authenticate each transaction with one of the numbers from his list. This at least

ensures that an adversary cannot perform transactions by knowing the user’s login

and password. However, this attack is vulnerable to client side attacks such as

Trojan horses or phishing. There are various attempts of banks to overcome this,

such as indexed TANs (iTAN) where the user was asked for a speciﬁc TAN from

his list or mobile TANs (mTAN) where a single TAN is created from transaction

data and transmitted via a separate channel. In practice those variations helped

against phishing, but did not succeed against Trojan horses, since the assumption

that the user’s mobile phone is a trusted device did not hold due to sophisticated

Trojan horses which also aﬀected the mobile devices [5]. Other approaches include

special devices which are assumed to be trustworthy, but cause additional costs.

Furthermore, the adversary may try to gain also control over the trusted devices

by simulating to the user that the devices need to updated and connected to the

computer already taken over.

2 Sample or Random Security

Another proposal for secure authentication on untrusted computers is visual

cryptography. Visual cryptography was introduced by Naor and Shamir [1,6, 7]

and allows to encrypt a picture by splitting it into

n

shares in such a way that

someone with

k

shares is able to reconstruct the image, while

k−

1 shares reveal

no information about the original image. They proposed to print each share

on a transparency, so that its re-composition can be easily done by humans by

stacking their transparencies without the aid of computers. By using only two

shares, this approach could have one physical transparency which is put in front

of the display of a possibly compromised computer as shown in Fig. 1. By solving

transparencies side by side transparencies stacked

Fig. 1: Example for Visual Cryptography with a Transparency Displayed on a Monitor

and a Transparency which is Physically Put in front of the Monitor

a challenge which is only solvable seeing the composed image it is ensured that a

Trojan horse would only notice the points which the user clicked, but the malware

cannot associate any meaning with it. Speciﬁc approaches for online banking

were proposed by Greveler [8] and Bochert [3]. They propose to encrypt a virtual

keypad with visual cryptography. The user has to decrypt the keypad by aligning

a key-transparency on his screen and then has to input his TAN by clicking on

the digits of the virtual keypad.

However, all existing approaches are closely related to encryptions based on

the XOR function which is due to humans not being able to do complex operations

“on the ﬂy”. Thus, for many approaches, the key-transparency may be used only

once in a secure manner. Although there are a number of schemes allowing to

reuse the key-transparency, a satisfying solution for real world scenarios has not

yet been found. Leaving the user in practice with plenty of key-transparencies

and the hassle of ﬁnding the appropriate one.

The general idea of this paper is to examine how key-transparencies for

segment-based visual cryptography can securely be used a couple of times. We

concentrate on the secure transmission of virtual keypads and do not consider

the further protocol for authentication.

Sample or Random Security 3

1.1 Related Work

Segment-Based Visual Cryptography

The idea of segment-based visual

cryptography was described by Borchert in 2007. He describes a variation of

visual cryptography, where – instead of pixels – segments of a 7-segment display

are encrypted [3]. The most signiﬁcant advantage of segment-based on pixel-based

visual cryptography is the easier alignment of the key-transparency. Borchert

also gives a more detailed comparison of both variants.

Real-or-Random Security

The idea of real-or-random security originates

from Bellare et al. [2]. The basic idea is that an oracle, the real-or-random

oracle, answers either the encryption of the queried message or an encryption

of a randomly chosen string of the same length. If the adversary is not able to

determine the oracles operation mode, it is assumed that she is not able to derive

any insights from observing encryptions and the encryption scheme is considered

to be secure in the sense of real-or-random security. The formal deﬁnition of

real-or-random security is heavily based on the original work of Bellare et al. [2].

Deﬁnition 1. (Real-or-Random Oracle ORR)

The real-or-random oracle

ORR

(

·, b

)takes as input a message

m

from the plaintext space

M

and depending

on

b

it returns either the encryption

Enc(m)

of the message

m

(if

b

= 1) or an

encryption Enc(r)of an equal-length randomly chosen string rR

← M (if b= 0).

It is understood that the oracle picks any coins that

Enc

might need if

Enc

is

randomized, or updates its state appropriately if Enc is stateful.

Deﬁnition 2. (ROR-CPA)

Let

Π

= (

GenKey,Enc,Dec

)be a symmetric en-

cryption scheme,

b∈ {

0

,

1

}

and

n∈N

. Let

Acpa

be an adversary with access to

the real-or-random oracle

ORR

(

·, b

). For the security parameter

n

the adversary’s

success probability is

Advror−cpa

Acpa,Π (n)def

=P r[Expror−cpa−1

Acpa,Π (n) = 1] −P r[Expror−cpa−0

Acpa,Π (n) = 1]

where the experiment Expror−atk−b

Acpa,Π (n) = b0for b∈ {0,1}is given as follows:

k←GenKey(1n)key-generation

b∈R{0,1}random selection of b

b0←AORR(·,b)

cpa adversary tries to determine b0

We deﬁne the advantage function of the scheme Πas follows:

Advror−cpa

Π(n, t, qe, µe)def

= max

Acpa nAdvror−cpa

Acpa,Π (n)o

where the maximum is over all

Acpa

with time complexity

t

, each making at most

qe

queries to the real-or-random oracle

ORR

(

·, b

), totaling at most

µe

bits. If

the success probability

Advror−cpa

Π

(

n

)for any polynomial (in

n

) bound adversary

is negligible in

n

, we say the encryption scheme

Π

is secure in the sense of

ROR −cpa.

4 Sample or Random Security

2 Sample-or-Random Security

The idea of sample-or-random security is based on real-or-random security and

thus also game-based and considering indistinguishability. Since the adversary

is not always capable of chosen-plaintext attacks, ciphertext-only attacks are

considered. It is only assumed that the encrypted messages follow a certain

format known to the adversary, e.g. a virtual keypad contains the digits from ’0’

to ’9’. The same idea as for real-or-random security applies. If the adversary is

not able to distinguish encryptions from samples and encryptions from random

strings, it is assumed that she is not able to derive any insights from observing

encryptions and the encryption scheme is considered to be secure in the sense of

sample-or-random security.

Deﬁnition 3. (Sample-or-Random Oracle OSR)

The sample-or-random or-

acle

OSR

(

b

)takes no input and depending on

b

returns either a set of encryptions

Enc(mi)

of the messages (

m0, . . . , mj

)

←samplestruct

given by

samplestruct

(if

b

= 1) or an encryption

Enc(ri)

of an equal-size set of uniformly at random

chosen strings

ri

R

← M

with the same length than the corresponding messages

mi(if b= 0).

Before we give the deﬁnition of sample-or-random security, we introduce the

sample structure samplekbd, which represents a randomized virtual keypad:

Deﬁnition 4. (Sample Structure samplekbd)

Let

akb

denote the concatenation

of the strings

a

and

b

. We denote the sample composed of one plaintext message

mcontaining each character γiof the alphabet Γ(with size |Γ|) once with:

samplekbd ∈R{m|m=γ0kγ1k. . . kγ|Γ|∧ ∀i, j with 0≤i, j ≤ |Γ|. γi6=γj}

Deﬁnition 5. (SOR −CO)

Let

Π

=

(GenKey,Enc,Dec)

be a symmetric en-

cryption scheme,

b∈ {

0

,

1

}

and

n∈N

. Let

Aco

be an adversary with access to the

sample-or-random oracle

OSR

(

b

). Let

samplestruct

be a function which returns a

ﬁnite set of sample plaintexts following the underlying structure struct for each

invocation. For the security parameter nthe adversary’s success probability is

Advsor−co

Aco,Π (n)def

=P r[Expsor−co−1

Aco,Π (n) = 1] −P r [Expsor−co−0

Aco,Π (n) = 1]

where the experiment Expsor−co−b

Aco,Π (n) = b0for b∈ {0,1}is given as follows:

k←GenKey(1n)key-generation

b∈R{0,1}random selection of b

b0←AOSR (b)

co (struct)adversary tries to determine b0

We deﬁne the advantage function of the scheme Πas follows:

Advsor−co

Π(n, t, qe, µe)def

= max

Aco Advsor−co

Aco,Π (n)

Sample or Random Security 5

where the maximum is over all

Aco

with time complexity

t

, each making at most

qe

queries to the sample-or-random oracle

OSR

(

b

), totaling at most

µe

bits. If

the success probability

Advsor−co

Π

(

n

)for any polynomial (in

n

) bound adversary

is negligible in

n

, we say the encryption scheme

Π

is secure in the sense of

SOR −co given the sample structure struct.

3 Relation to Real-or-Random Security

We prove that

SOR −CO

has a weaker notion of security than

ROR −C P A

by

showing that: On the one hand,

ROR −C P A

(see Def. 2) is at least as strong

as

SOR −CO

. On the other hand, given an encryption scheme

Π

secure in the

sense of

SOR −CO

we show how to construct an encryption scheme

Π

, which

is still secure in the sense of

SOR −CO

, but not in the sense of

ROR −C P A

.

The proofs are in general along the lines of the proofs given by Bellare et al. [2].

Corollary 1.

[

ROR −C P A ⇒SOR −C O

]If

Π

is an encryption scheme, which

is secure in the sense of

ROR−CP A

, then

Π

is secure in the sense of

SOR−C O

.

Proof.

Let

m

be a plaintext message from the encryption system’s plaintext space

M

and

samplestruct

be the sample function which returns a set (

m0, . . . , mj

) of

sample plaintexts following an underlying structure

struct

for each invocation

of the sample-or-random oracle

OSR

(

b

). With a real-or-random oracle

ORR

(

·, b

)

the sample-or-random oracle

OSR

(

b

) may be simulated by producing a sample

of messages (

m0, . . . , mj

)

←samplestruct

and then asking

ORR

(

·, b

) for their

encryption. Thus, security in the sense of

ROR −C P A

can be seen as security

in the sense of SOR −CO with an additional real-or-random oracle available.

The more challenging part is to show that if there exist encryption schemes

which are secure in the sense of

SOR −CO

that these are not automatically

secure in the sense of

ROR −C P A

. To proof this we exploit that the adversaries

considered by

SOR −CO

are not able to choose the plaintexts for encryption.

We assume there is an encryption scheme

Π

= (

GenKey,Enc,Dec

) which is secure

in the sense of

SOR −CO

. Then, based on

Π

, we construct an encryption

scheme

Π0

= (

GenKey0,Enc0,Dec0

) which is also secure in the sense of

SO R −CO

,

but can easily be broken in the sense of

ROR −C P A

. For that purpose, we

construct

Enc0

such that it marks the encryption of a particular message

m0

.

This gives the adversary an advantage when asking the real-or-random oracle. To

ensure that

Π0

is still secure in the sense of

SOR −CO

, the message

m0

should

only occur very rarely if strings are chosen either randomly or by the sample

structure

struct

. Otherwise an adversary may get an additional advantage to

attack the encryption scheme which renders it insecure in the sense of

SO R −CO

.

We illustrate the idea by regarding the sample structure

samplekbd

for which we

assume, that our alphabet

Γ

for plaintexts consists of

n

+1 characters represented

by numbers from 0 to

n

and that the ciphertexts’ alphabet includes ’0’ and ’1’.

We regard the following algorithms for

Π0

= (

GenKey0,Enc0,Dec0

), assumed

Π

= (

GenKey,Enc,Dec

) is secure in the sense of

SOR −CO

given the sample

structure samplekbd.

6 Sample or Random Security

Algorithm GenKey0(1n): Algorithm Enc0

k(m): Algorithm Dec0

k(c0):

k←GenKey(1n)c←Enck(c)c0=α1kα2k. . . kα|c0|

return kif m= 0 . . . 0c:= α2k. . . kα|c0|

then c0:= 0kc m := Deck(c)

else return m

c0:= 1kc

return c0

Π0

works almost like

Π

. When the encryption function is invoked with the

particular message

m0

– here

n

+ 1 zeros – the decryption is preﬁxed with ’0’. The

encryption of all other messages is preﬁxed with ’1’. While this does almost not

eﬀect the security in the sense of

SOR −CO

, an adversary of the

ROR −C P A

security model is able to explicitly ask the encryption oracle for

m0

and determine

the oracle’s operation mode. It remains to show the two emerging lemmas:

Lemma 1. Π0

= (

GenKey0,Enc0,Dec0

)is not secure in the sense of

ROR−CP A

.

Proof.

We exploit the built-in weakness of

Π0

by asking the oracle for the

encryption of the message

m0

. If the encryption is preﬁxed with ’0’ we conclude

that the oracle is in ’real mode’ otherwise we conclude it encrypts random strings.

If the encryption is preﬁxed with ’1’ we can be sure. However, if the encryption

is preﬁxed with ’0’, the oracle may nevertheless operate in random mode with a

probability of

1

(n+1)n+1

. Thus, the resulting probabilities lead to the adversary’s

non-negligible advantage and Π0is not secure in the sense of ROR −C P A:

Advror−cpa

Acpa,Π 0(n) = P r[Expror−cpa−1

Acpa,Π 0(n) = 1] −P r[Expror−cpa−0

Acpa,Π 0(n) = 1]

= 1 −1

(n+ 1)n+1 −0

Lemma 2. Π0

= (

GenKey0,Enc0,Dec0

)is secure in the sense of

SOR−C O

given

the sample structure samplekbd.

Proof.

When the oracle is in ’sample mode’ the modiﬁcation does not come to

play, since

m0

is not part of the sample. Otherwise, we already concluded that

the probability that a ’random mode’ oracle preﬁxes an encryption with ’0’ is

1

(n+1)n+1

. That means when the oracle is in ’random mode’, an adversary has an

additional chance of receiving

m0

. However, since the probability is negligible and

the adversary is polynomially limited, her additional advantage

Adv]

is negligible

which leads to the estimation:

Advsor−co

Aco,Π 0(n) = P r[Expsor−co−1

Aco,Π 0(n) = 1] −P r[Expsor−co−0

Aco,Π 0(n) = 1]

≤P r[Expsor−co−1

Aco,Π (n) = 1] + Adv]−P r[Expsor−co−0

Aco,Π (n) = 1]

=Advsor−co

Aco,Π (n) + Adv]

Due to the assumption that

Π

is secure in the sense of

SOR−C O

,

Advsor−co

A,Π

(

n

)

is negligible and so is

Adv]

. Therefore,

Advsor−co

A,Π0

(

n

) is also negligible and

Π0

secure in the sense of SOR −CO given the sample structure samplekbd .

Sample or Random Security 7

The message

m0

needs to be chosen depending on the given sample structure.

However, depending on the sample, it is not always possible to come back to

strings of a certain length. E.g. when the sample structure consists of a set of

messages. Then it is possible to add stages to the encryption function in such a

way that a special combination of plaintexts – which is not part of the sample –

triggers the oracle’s special answer.

Corollary 2.

[

SO R −CO ;ROR −C P A

]If there exists an encryption scheme

Π

which is secure in the sense of

SOR −CO

, then there exists an encryption

scheme

Π0

which is secure in the sense of

SOR −CO

but not secure in the sense

of ROR −C P A.

Proof. Cor. 2 follows from Lem. 1 and Lem. 2.

Theorem 1.

Security in the sense of

SOR−C O

is a weaker notion than security

in the sense of ROR −C P A.

Proof. Th. 1 follows from Cor. 1 and Cor. 2.

Thus, we have shown that the two security models give diﬀerent notions of

security and SOR −C O is weaker than ROR −CP A.

4 Application of Sample-or-Random Security to

Encryption Schemes

In this section we take a look at some segment-based visual encryption schemes

and evaluate if the result from applying the sample-or-random security model is

in agreement with the intuitive notion of security. We focus on the encryption of

virtual keypads with the corresponding sample samplekbd (cf. Def. 4).

4.1 7-Segment Displays

Borchert [3] describes a variation of visual cryptography, where – instead of

pixels – segments of a 7-segment display (cf. Fig. 2a) were encrypted. Each digit

can be displayed by switching the appropriate individual segments ’on’ and ’oﬀ’.

Applying visual cryptography, each segment has two representations (left/right

or lower/upper) and the segment is visible if the segment’s positions match on

cipher and key (cf. Fig. 2b). Figures 2c to 2e show a ciphertext, a key and the

corresponding plaintext message ’

1

’ when stacking the slides on top of each other.

It is easy to see that if the plaintext message is ’

8

’, key and ciphertext have to be

identical, e.g. both Fig. 2c or 2d. We denote this encryption scheme with

Π7seg

.

Intuitive Notion of Security

Since there are only 10 possible digits, after

eavesdropping a valid ciphertext, an adversary is able to reduce the number of

possible keys from 128 (2

7

, the size of the key space) to 10 for each segment.

Decrypting with any other key would not result in a valid digit, because the

7-segment coding is not a closed encoding scheme. Thus, as in pixel-based visual

cryptography it should not be secure to re-use a key twice.

8 Sample or Random Security

7-segment VC 7-segment Cipher c

+

Key k

=

Message m

Fig. 2: Segment-Based Visual Cryptography on 7-segment Displays

Sample-or-Random Security

We notice that when using the same key and

regarding the number of diﬀerent segments of two encryptions based on 7-

segment displays of the sample structure

samplekbd

they diﬀer in an even number

of positions:

Lemma 3.

Let

m

=

γ0, . . . , γn

and

m0

=

γ0

0, . . . , γ0

n

be two messages from the

sample structure

samplekbd

and let

c

=

α0, . . . , αn

respectively

c0

=

α0

0, . . . , α0

n

be their encryptions with

Π7seg

. Then the number of diﬀerent segments of the

ciphertexts is always even: Pn

i=0 αi⊕α0

i= 0 mod 2.

Proof.

Let

s

respectively

s0

denote the 7-segment encodings of the messages

m

respectively

m0

and let

↔

denote the identity function. If both segments are

equal, the segment is visible. Obviously

c⊕c0

=

(s↔K)⊕(s0↔K)

=

s⊕s0

holds. Thus, the diﬀerence of two ciphertexts encrypted with the same key is

independent of the key. Since each sample message contains the same encodings,

s

is a permutation of

s0

. It can easily be seen that when changing the position

of two characters in

s

, for each segment switched oﬀ, another segment needs to

be switched on. Thus the diﬀerence’s parity of two messages from the sample

structure

samplekbd

is independent of the character’s permutation of the message

and therefore always even.

Theorem 2.

The segment-based visual encryption scheme based 7-segment dis-

plays is not secure in the sense of

SOR −CO

for two ciphertexts (

qe

= 2) given

the sample structure samplekbd.

Proof.

The adversary succeeds with the following strategy. She asks the oracle

for two ciphertexts and determines the sum of segmental XORing them. If the

sum is even, she guesses that the oracle is in ’sample mode’, if it is odd she

guesses it is in ’random mode’. The corresponding probabilities are as follows:

If the oracle is in ’sample mode’ (

b

= 1), the sum will always be even and

thus the adversary will always be right (cf. Lem. 3).

If the oracle is in ’random mode’ (

b

= 0), the sum will be odd only in

half of the cases. Thus, the adversary’s guess is in half of the cases correct:

Advsor−co

Aco,Π7seg

(

n

) =

P r

[

Expsor−co−1

Aco,Π7seg

(

n

) = 1]

−P r

[

Expsor−co−0

Aco,Π7seg

(

n

) = 1] = 1

−1

2

.

Sample or Random Security 9

Thus, her advantage is not negligible and appropriate to our intuition,

Π7seg

is

not secure in the sense of SOR −CO given the sample structure samplekbd .

4.2 Encryptions Based on Dice Codings

Doberitz [4] describes a variation of segment-based visual cryptography, where –

instead of a 7-segment display – a coding based on dots is chosen. The user has

to count the number of visible dots – like counting dots from game dices, hence

the name dice coding. She also presented a user study showing that users get well

along with 9 dots. Since this allows us to build a virtual keypad, in the following

we regard dice codings with 9 dots. Figure 3a shows the full dot matrix. When the

principles of visual cryptography are applied, each dot has two representations

(left/right) and the dot is visible if the dot’s positions match on cipher and key

(cf. Fig. 3b). Figures 3c to 3e show a ciphertext, a key and the corresponding

plaintext message ’5’ when stacking the slides on top of each other. It is easy to

see that if the plaintext message is ’9’, key and ciphertext have to be identical,

e.g. both Fig. 3c or 3d. We denote this encryption scheme with Πdice.

9-Dice VC 9-Dice Cipher c

+

Key k

=

Message m

Fig. 3: Segment-Based Visual Cryptography Based on Dice Codings

Intuitive Notion of Security

The scheme based on dice codings is closed,

there are no undecodable plaintext results. However, the number of possible

encodings follows a binomial distribution, there is only one possibility to encode

’0’ or ’9’, but there are 126 possibilities to encode ’4’ or ’5’ (cf. 9

4).

Moreover, if virtual keypads are regarded, the segments itself are still closed,

but since each segment has to be an encoding of a diﬀerent digit, the plaintext

message itself does not cover the complete message space. Therefore, for a virtual

keypad containing each digit from ’0’ to ’9’ once, 26 ciphertexts are suﬃcient to

reduce the number of possible keys to two [9].

Sample-or-Random Security

In fact, it shows that it does not make a big

diﬀerence if the virtual keypad is encoded with a 7-segment display or with a

9-dice coding.

Lemma 4.

Let

m

and

m0

be two messages from the sample structure

samplekbd

and let

c

respectively

c0

be their encryptions with

ΠDICE

. Then the number of

diﬀerent dots of the ciphertexts cand c0is always even.

10 Sample or Random Security

Proof. The proof essentially goes along the lines of the proof of Lem. 3.

Theorem 3.

The segment-based visual encryption scheme based on dice codings

ΠDICE

is not secure in the sense of

SOR −CO

for two ciphertexts (

qe

= 2) given

the sample structure samplekbd.

Proof. The proof is analog to the proof of The. 2.

4.3 Encryptions Based on Dice Codings with Noise

The enhanced version of a visual encryption scheme based on dice codings aims

to enlarge the amount of information an adversary needs to recover information

from eavesdropped ciphertexts. The basic idea is to add noise to the ciphertexts.

If both possible positions of a dot are covered by the key, noise is taken out.

Since the adversary does not know which of the dots is noise, this renders an

additional diﬃculty for her. To our knowledge, this is the ﬁrst visual encryption

scheme which makes use of noise.

The full dot matrix for the encoding stays unchanged (cf. Fig. 3a). Figure 4a

shows the enlarged matrix which is the basis for constructing ciphertexts and

keys. Figures 4b to 4d show a ciphertext, a key and the corresponding plaintext

message ’4’ when stacking the slides on top of each other. The ciphertext still

consists of a dot at each pair of positions. The key still contains dots with two

representations (left/right), but additional contains blackened blocks without

any dots. When deciphering, the dot is visible if the key does not contain a

blackened block at the considered position and the dot’s positions match on

cipher and key. If the plaintext message is ’9’, key and ciphertext have to be

identical for all positions where the key contains dots. For the blackened blocks,

the ciphertext may contain a dot either on the left or the right position. We

denote this encryption scheme with

Π?

dice

, the maximum number of visible dots

with the encoding parameter

n

, and the number of blackened blocks with the

security parameter ν.

VC 9-dice + Cipher c

+

Key k

=

Message m

Fig. 4: Segment-Based Visual Cryptography Based on Dice Codings with Noise for

n= 9 and ν= 7

Intuitive Notion of Security

The security of the segment-based visual en-

cryption scheme based on dice codings with noise

Π?

DICE

(

ν

) strongly depends on

the amount of noise added. If

ν

= 0 no noise is added and thus

ΠDICE

=

Π?

DICE

(0).

For all other values of

ν

, the noise additionally stretches the binomial distribution

Sample or Random Security 11

of the diﬀerent encodings by the factor 2

ν

(e.g. for digit

d

to

9

d·

2

ν

). Since the

number of possible encodings of all digits are multiplied, this does not concern

its ratio, but makes it more diﬃcult to discover encryptions of ’0’ and ’9’.

Sample-or-Random Security

If the security parameter

ν >

0, the attack of

considering the parity of changed dots does not work anymore. Assumed

ν

= 1

then the parity is ﬂipped if the noise dots of the ciphertexts do not match, which

is true in half of the cases. Thus, if the oracle is in ’sample mode’ (

b

= 1), the

sum will be even in half of the cases and be odd in the other half of the cases.

If the oracle is in ’random mode’ (

b

= 0), the sum will still be in half of the

cases odd and half of the cases even. Therefore, the adversary has no advantage

following the described attack. However, for a formal proof, it would be necessary

to regard all possible attacks. Therefore, we conclude with a conjecture.

Conjecture 1.

Let

Π?

DICE

(

ν

) be a segment-based visual encryption scheme based

on dice codings with noise with the encoding parameter

n

and the security

parameter

ν

, let

qe

be a number of ciphertexts and let

samplestruct

be a sample

function. Then there exists a

N

so that

∀ν≥N

the encryption scheme

Π?

DICE

(

ν

)

is secure for qeciphertexts in the sense of SOR −CO security.

It is reasonable to assume the conjecture is true, because even for a sample which

consists of a ﬁxed message string

m

, the adversary has to determine where in the

ciphertext the corresponding encryption of this string is located. The probability

to determine the noise, when the dots containing the encryption of the message

are ﬁxed, depends on the number of ciphertexts

qe

and the security parameter

ν

. If

qe

is ﬁxed, there is a certain point

N

and for all

ν≥N

the position of the

noise is indeterminable.

Remark 1.

Assume an application for

Π?

DICE

, such as online banking. Then

N

denotes how much noise one has to add to securely use the key transparency

qe

times. After the key transparency is used that often, it is thrown away and a new

one is used for the next

qe

ciphertexts. The usability of the scheme for

ν≥N

is

unconsidered here. However, given a certain amount of noise

ν

, one may derive

the closely related question how often a key transparency may securely reused.

5 Conclusion and Future Work

Based on the observation that existing game-based security models for indistin-

guishability are too strong and do not suit the requirements for visual encryption

schemes, we deﬁned the notion of sample-or-random ciphertext-only (

SO R −CO

)

security. We also showed that the

SOR−C O

security model gives a weaker notion

of security than the real-or-random under chosen-plaintext attacks (

ROR −C P A

)

security model. Another security model which comes to mind is to require the

attacker to distinguish two diﬀerent sample structures. Then sample-or-random

security may be seen as a special case of sampleA-or-sampleB security. Thus, an

12 Sample or Random Security

open question is whether there are other notions of security when CPA-security

seems to be out of reach and which of them is the ’most meaningful’.

Another open question is, whether the notion of

SOR −CO

security may be

useful for pixel-based cryptography. Since it is diﬃcult to formally model the

representation of symbols by pixels, it is unclear whether a more formal notion

of security may be useful.

It would also be desirable, given a sample structure

samplestruct

to have a

proof for all

n, ν, qe

that encryption schemes from the class of segment-based

visual encryption schemes based on dice codings with noise are secure/insecure in

the sense of sample-or-random ciphertext-only indistinguishability (

SOR −CO

).

Where

n

is the encoding parameter (maximum number of visible dots),

ν

is the

the security parameter (number of noise dots), and the number

qe

represents the

number of samples available to the adversary.

Another interesting question is whether there are displays similar to the 7-

segment display which only have meaningful conﬁgurations. A more user-friendly

encoding scheme would ease the user’s task. However, it is unclear how to

construct such a display without the need that the user has to learn new symbols.

Further research is needed, when embedding the encrypted virtual keypad

in secure protocols. For example, if the last account numbers and the transfer’s

amount are encrypted, the adversary may not be able to mount a chosen-plaintext

attack, but may have plaintext/ciphertext pairs for certain parts of the ciphertext.

Thus, an extended security model may be necessary to judge on the full protocol.

References

1.

M. Naor and A. Shamir, “Visual cryptography,” in EUROCRYPT (A. D. Santis,

ed.), vol. 950 of LNCS, pp. 1–12, Springer, 1994.

2.

M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, “A concrete security treatment of

symmetric encryption,” in Proceedings of 38th Annual Symposium on Foundations

of Computer Science (FOCS 97), pp. 394–403, 1997.

3.

B. Borchert, “Segment-based visual cryptography,” Tech. Rep. WSI-2007-04,

Wilhelm-Schickard-Institut f¨ur Informatik, T¨ubingen, 2007.

4.

D. Doberitz, “Visual cryptography protocols and their deployment against malware,”

Master’s thesis, Ruhr-Universit¨at Bochum, Germany, 2008.

5.

R. Unucheck, “The most sophisticated Android trojan.”

https://www.securelist.

com/en/blog/8106/The_most_sophisticated_Android_Trojan

, June 2013. last ac-

cess 2013/06/10.

6.

M. Naor and A. Shamir, “Visual cryptography ii: Improving the contrast via the

cover base,” in Security Protocols Workshop (T. M. A. Lomas, ed.), vol. 1189 of

LNCS, pp. 197–202, Springer, 1996.

7.

M. Naor and B. Pinkas, “Visual authentication and identiﬁcation,” in CRYPTO

(B. S. Kaliski Jr., ed.), vol. 1294 of LNCS, pp. 322–336, Springer, 1997.

8.

U. Greveler, “VTANs - Eine Anwendung visueller Kryptographie in der Online-

Sicherheit,” in GI Jahrestagung (2) (R. Koschke, O. Herzog, K.-H. R¨odiger, and

M. Ronthaler, eds.), vol. 110 of LNI, pp. 210–214, GI, 2007.

9.

S. Pape, The Challenge of Authentication in Insecure Environments. PhD thesis,

Universit¨at Kassel, 2013. (defended, September 2nd, 2013).