Content uploaded by Sebastian Pape
Author content
All content in this area was uploaded by Sebastian Pape on Apr 12, 2016
Content may be subject to copyright.
Sample or Random Security – A Security Model
for Segment-Based Visual Cryptography
Sebastian Pape
Department of Computer Science, Technical University Dortmund,
Research Group: Software Engineering for Critical Systems,
Otto-Hahn-Str. 14, 44225 Dortmund, Germany
Abstract.
In some scenarios, especially when visual cryptography [1]
is used, the attacker has no access to an encryption oracle, and thus
is not able to mount chosen-plaintext attacks. Based on the notion of
real-or-random security under chosen-plaintext attacks (ROR-CPA) given
by Bellare et al. [2], we propose the notion of sample-or-random security
under ciphertext-only attacks (SOR-CO). We prove that the notion of
SOR-CO is fundamentally weaker than the notion of ROR-CPA security
and demonstrate the usefulness of our notion by applying it to segment-based
visual cryptography [3]. An additional contribution of this paper is
the construction of a new segment-based visual encryption scheme with
noise based on work by Doberitz [4]. To our knowledge, this is the first
visual encryption scheme which makes use of noise. We conjecture that it
is secure in the sense of SOR-CO security if the key is not used too often
and if the encryption scheme's security parameters are chosen accordingly.
Keywords: authentication, visual cryptography, security model
1 Introduction
In online banking, many banks have come up with several approaches to
authentication derived from variations of transaction authentication numbers (TAN).
The user receives a list of TANs beforehand (e.g. by letter post) and has to
authenticate each transaction with one of the numbers from his list. This at least
ensures that an adversary cannot perform transactions by knowing the user's login
and password. However, this approach is vulnerable to client-side attacks such as
Trojan horses or phishing. There are various attempts by banks to overcome this,
such as indexed TANs (iTAN), where the user is asked for a specific TAN from
his list, or mobile TANs (mTAN), where a single TAN is created from transaction
data and transmitted via a separate channel. In practice those variations helped
against phishing, but did not succeed against Trojan horses, since the assumption
that the user's mobile phone is a trusted device did not hold due to sophisticated
Trojan horses which also affected the mobile devices [5]. Other approaches include
special devices which are assumed to be trustworthy, but cause additional costs.
Furthermore, the adversary may also try to gain control over the trusted devices
by pretending to the user that the devices need to be updated and connected to the
computer already taken over.
Another proposal for secure authentication on untrusted computers is visual
cryptography. Visual cryptography was introduced by Naor and Shamir [1, 6, 7]
and allows one to encrypt a picture by splitting it into $n$ shares in such a way that
someone with $k$ shares is able to reconstruct the image, while $k - 1$ shares reveal
no information about the original image. They proposed to print each share
on a transparency, so that its recomposition can be easily done by humans by
stacking their transparencies without the aid of computers. By using only two
shares, this approach could have one physical transparency which is put in front
of the display of a possibly compromised computer as shown in Fig. 1. By solving
a challenge which is only solvable when seeing the composed image, it is ensured that a
Trojan horse would only notice the points which the user clicked, but the malware
cannot associate any meaning with them. Specific approaches for online banking
were proposed by Greveler [8] and Borchert [3]. They propose to encrypt a virtual
keypad with visual cryptography. The user has to decrypt the keypad by aligning
a key-transparency on his screen and then has to input his TAN by clicking on
the digits of the virtual keypad.

Fig. 1: Example for Visual Cryptography with a Transparency Displayed on a Monitor
and a Transparency which is Physically Put in front of the Monitor
(panels: transparencies side by side; transparencies stacked)

However, all existing approaches are closely related to encryptions based on
the XOR function, which is due to humans not being able to do complex operations
"on the fly". Thus, for many approaches, the key-transparency may be used only
once in a secure manner. Although there are a number of schemes allowing the
key-transparency to be reused, a satisfying solution for real-world scenarios has not
yet been found, leaving the user in practice with plenty of key-transparencies
and the hassle of finding the appropriate one.
The general idea of this paper is to examine how key-transparencies for
segment-based visual cryptography can securely be used a couple of times. We
concentrate on the secure transmission of virtual keypads and do not consider
the further protocol for authentication.
1.1 Related Work
Segment-Based Visual Cryptography
The idea of segment-based visual
cryptography was described by Borchert in 2007. He describes a variation of
visual cryptography, where – instead of pixels – segments of a 7-segment display
are encrypted [3]. The most significant advantage of segment-based over pixel-based
visual cryptography is the easier alignment of the key-transparency. Borchert
also gives a more detailed comparison of both variants.
Real-or-Random Security
The idea of real-or-random security originates
from Bellare et al. [2]. The basic idea is that an oracle, the real-or-random
oracle, answers either the encryption of the queried message or an encryption
of a randomly chosen string of the same length. If the adversary is not able to
determine the oracle's operation mode, it is assumed that she is not able to derive
any insights from observing encryptions and the encryption scheme is considered
to be secure in the sense of real-or-random security. The formal definition of
real-or-random security is heavily based on the original work of Bellare et al. [2].
Definition 1. (Real-or-Random Oracle $O_{RR}$)
The real-or-random oracle $O_{RR}(\cdot, b)$ takes as input a message $m$ from the
plaintext space $M$ and depending on $b$ it returns either the encryption
$\mathrm{Enc}(m)$ of the message $m$ (if $b = 1$) or an encryption $\mathrm{Enc}(r)$ of an
equal-length randomly chosen string $r \xleftarrow{R} M$ (if $b = 0$).
It is understood that the oracle picks any coins that $\mathrm{Enc}$ might need if $\mathrm{Enc}$ is
randomized, or updates its state appropriately if $\mathrm{Enc}$ is stateful.
Definition 2. (ROR-CPA)
Let $\Pi = (\mathrm{GenKey}, \mathrm{Enc}, \mathrm{Dec})$ be a symmetric encryption scheme,
$b \in \{0, 1\}$ and $n \in \mathbb{N}$. Let $A_{cpa}$ be an adversary with access to
the real-or-random oracle $O_{RR}(\cdot, b)$. For the security parameter $n$ the adversary's
success probability is

$$\mathrm{Adv}^{ror\text{-}cpa}_{A_{cpa},\Pi}(n) \stackrel{def}{=} \Pr[\mathrm{Exp}^{ror\text{-}cpa\text{-}1}_{A_{cpa},\Pi}(n) = 1] - \Pr[\mathrm{Exp}^{ror\text{-}cpa\text{-}0}_{A_{cpa},\Pi}(n) = 1]$$

where the experiment $\mathrm{Exp}^{ror\text{-}atk\text{-}b}_{A_{cpa},\Pi}(n) = b'$ for $b \in \{0, 1\}$ is given as follows:

$$\begin{array}{ll}
k \leftarrow \mathrm{GenKey}(1^n) & \text{key generation} \\
b \in_R \{0, 1\} & \text{random selection of } b \\
b' \leftarrow A_{cpa}^{O_{RR}(\cdot, b)} & \text{adversary tries to determine } b'
\end{array}$$

We define the advantage function of the scheme $\Pi$ as follows:

$$\mathrm{Adv}^{ror\text{-}cpa}_{\Pi}(n, t, q_e, \mu_e) \stackrel{def}{=} \max_{A_{cpa}} \left\{ \mathrm{Adv}^{ror\text{-}cpa}_{A_{cpa},\Pi}(n) \right\}$$

where the maximum is over all $A_{cpa}$ with time complexity $t$, each making at most
$q_e$ queries to the real-or-random oracle $O_{RR}(\cdot, b)$, totaling at most $\mu_e$ bits. If
the success probability $\mathrm{Adv}^{ror\text{-}cpa}_{\Pi}(n)$ for any polynomial (in $n$) bound adversary
is negligible in $n$, we say the encryption scheme $\Pi$ is secure in the sense of
ROR-CPA.
2 Sample-or-Random Security
The idea of sample-or-random security is based on real-or-random security and
thus also game-based and considering indistinguishability. Since the adversary
is not always capable of chosen-plaintext attacks, ciphertext-only attacks are
considered. It is only assumed that the encrypted messages follow a certain
format known to the adversary, e.g. a virtual keypad contains the digits from '0'
to '9'. The same idea as for real-or-random security applies. If the adversary is
not able to distinguish encryptions from samples and encryptions from random
strings, it is assumed that she is not able to derive any insights from observing
encryptions and the encryption scheme is considered to be secure in the sense of
sample-or-random security.
Definition 3. (Sample-or-Random Oracle $O_{SR}$)
The sample-or-random oracle $O_{SR}(b)$ takes no input and depending on $b$ returns
either a set of encryptions $\mathrm{Enc}(m_i)$ of the messages
$(m_0, \ldots, m_j) \leftarrow \mathrm{sample}_{struct}$ given by $\mathrm{sample}_{struct}$ (if $b = 1$)
or an encryption $\mathrm{Enc}(r_i)$ of an equal-size set of uniformly at random
chosen strings $r_i \xleftarrow{R} M$ with the same length as the corresponding messages
$m_i$ (if $b = 0$).
Before we give the definition of sample-or-random security, we introduce the
sample structure $\mathrm{sample}_{kbd}$, which represents a randomized virtual keypad:
Definition 4. (Sample Structure $\mathrm{sample}_{kbd}$)
Let $a \| b$ denote the concatenation of the strings $a$ and $b$. We denote the sample
composed of one plaintext message $m$ containing each character $\gamma_i$ of the
alphabet $\Gamma$ (with size $|\Gamma|$) once with:

$$\mathrm{sample}_{kbd} \in_R \{ m \mid m = \gamma_0 \| \gamma_1 \| \ldots \| \gamma_{|\Gamma|} \wedge \forall i, j \text{ with } 0 \le i, j \le |\Gamma| \,.\, \gamma_i \ne \gamma_j \}$$
Definition 5. (SOR-CO)
Let $\Pi = (\mathrm{GenKey}, \mathrm{Enc}, \mathrm{Dec})$ be a symmetric encryption scheme,
$b \in \{0, 1\}$ and $n \in \mathbb{N}$. Let $A_{co}$ be an adversary with access to the
sample-or-random oracle $O_{SR}(b)$. Let $\mathrm{sample}_{struct}$ be a function which returns a
finite set of sample plaintexts following the underlying structure struct for each
invocation. For the security parameter $n$ the adversary's success probability is

$$\mathrm{Adv}^{sor\text{-}co}_{A_{co},\Pi}(n) \stackrel{def}{=} \Pr[\mathrm{Exp}^{sor\text{-}co\text{-}1}_{A_{co},\Pi}(n) = 1] - \Pr[\mathrm{Exp}^{sor\text{-}co\text{-}0}_{A_{co},\Pi}(n) = 1]$$

where the experiment $\mathrm{Exp}^{sor\text{-}co\text{-}b}_{A_{co},\Pi}(n) = b'$ for $b \in \{0, 1\}$ is given as follows:

$$\begin{array}{ll}
k \leftarrow \mathrm{GenKey}(1^n) & \text{key generation} \\
b \in_R \{0, 1\} & \text{random selection of } b \\
b' \leftarrow A_{co}^{O_{SR}(b)}(struct) & \text{adversary tries to determine } b'
\end{array}$$

We define the advantage function of the scheme $\Pi$ as follows:

$$\mathrm{Adv}^{sor\text{-}co}_{\Pi}(n, t, q_e, \mu_e) \stackrel{def}{=} \max_{A_{co}} \mathrm{Adv}^{sor\text{-}co}_{A_{co},\Pi}(n)$$

where the maximum is over all $A_{co}$ with time complexity $t$, each making at most
$q_e$ queries to the sample-or-random oracle $O_{SR}(b)$, totaling at most $\mu_e$ bits. If
the success probability $\mathrm{Adv}^{sor\text{-}co}_{\Pi}(n)$ for any polynomial (in $n$) bound adversary
is negligible in $n$, we say the encryption scheme $\Pi$ is secure in the sense of
SOR-CO given the sample structure struct.
3 Relation to Real-or-Random Security
We prove that SOR-CO is a weaker notion of security than ROR-CPA by
showing the following: On the one hand, ROR-CPA (see Def. 2) is at least as strong
as SOR-CO. On the other hand, given an encryption scheme $\Pi$ secure in the
sense of SOR-CO we show how to construct an encryption scheme $\Pi'$, which
is still secure in the sense of SOR-CO, but not in the sense of ROR-CPA.
The proofs are in general along the lines of the proofs given by Bellare et al. [2].
Corollary 1. [ROR-CPA $\Rightarrow$ SOR-CO]
If $\Pi$ is an encryption scheme which is secure in the sense of ROR-CPA, then
$\Pi$ is secure in the sense of SOR-CO.
Proof.
Let $m$ be a plaintext message from the encryption system's plaintext space
$M$ and $\mathrm{sample}_{struct}$ be the sample function which returns a set $(m_0, \ldots, m_j)$ of
sample plaintexts following an underlying structure struct for each invocation
of the sample-or-random oracle $O_{SR}(b)$. With a real-or-random oracle $O_{RR}(\cdot, b)$
the sample-or-random oracle $O_{SR}(b)$ may be simulated by producing a sample
of messages $(m_0, \ldots, m_j) \leftarrow \mathrm{sample}_{struct}$ and then asking $O_{RR}(\cdot, b)$ for their
encryption. Thus, security in the sense of ROR-CPA can be seen as security
in the sense of SOR-CO with an additional real-or-random oracle available.
The more challenging part is to show that if there exist encryption schemes
which are secure in the sense of SOR-CO, these are not automatically
secure in the sense of ROR-CPA. To prove this we exploit that the adversaries
considered by SOR-CO are not able to choose the plaintexts for encryption.
We assume there is an encryption scheme $\Pi = (\mathrm{GenKey}, \mathrm{Enc}, \mathrm{Dec})$ which is secure
in the sense of SOR-CO. Then, based on $\Pi$, we construct an encryption
scheme $\Pi' = (\mathrm{GenKey}', \mathrm{Enc}', \mathrm{Dec}')$ which is also secure in the sense of SOR-CO,
but can easily be broken in the sense of ROR-CPA. For that purpose, we
construct $\mathrm{Enc}'$ such that it marks the encryption of a particular message $m_0$.
This gives the adversary an advantage when asking the real-or-random oracle. To
ensure that $\Pi'$ is still secure in the sense of SOR-CO, the message $m_0$ should
only occur very rarely if strings are chosen either randomly or by the sample
structure struct. Otherwise an adversary may get an additional advantage to
attack the encryption scheme which renders it insecure in the sense of SOR-CO.
We illustrate the idea by regarding the sample structure $\mathrm{sample}_{kbd}$, for which we
assume that our alphabet $\Gamma$ for plaintexts consists of $n + 1$ characters represented
by numbers from 0 to $n$ and that the ciphertexts' alphabet includes '0' and '1'.
We regard the following algorithms for $\Pi' = (\mathrm{GenKey}', \mathrm{Enc}', \mathrm{Dec}')$, assuming
$\Pi = (\mathrm{GenKey}, \mathrm{Enc}, \mathrm{Dec})$ is secure in the sense of SOR-CO given the sample
structure $\mathrm{sample}_{kbd}$.
Algorithm GenKey'(1^n):
    k ← GenKey(1^n)
    return k

Algorithm Enc'_k(m):
    c ← Enc_k(m)
    if m = 0…0
        then c' := 0‖c
        else c' := 1‖c
    return c'

Algorithm Dec'_k(c'):
    c' = α_1‖α_2‖…‖α_{|c'|}
    c := α_2‖…‖α_{|c'|}
    m := Dec_k(c)
    return m
$\Pi'$ works almost like $\Pi$. When the encryption function is invoked with the
particular message $m_0$ – here $n + 1$ zeros – the encryption is prefixed with '0'. The
encryption of all other messages is prefixed with '1'. While this hardly
affects the security in the sense of SOR-CO, an adversary of the ROR-CPA
security model is able to explicitly ask the encryption oracle for $m_0$ and determine
the oracle's operation mode. It remains to show the two emerging lemmas:
Lemma 1. $\Pi' = (\mathrm{GenKey}', \mathrm{Enc}', \mathrm{Dec}')$ is not secure in the sense of ROR-CPA.
Proof.
We exploit the built-in weakness of $\Pi'$ by asking the oracle for the
encryption of the message $m_0$. If the encryption is prefixed with '0' we conclude
that the oracle is in 'real mode', otherwise we conclude it encrypts random strings.
If the encryption is prefixed with '1' we can be sure. However, if the encryption
is prefixed with '0', the oracle may nevertheless operate in random mode with a
probability of $\frac{1}{(n+1)^{n+1}}$. Thus, the resulting probabilities lead to the adversary's
non-negligible advantage and $\Pi'$ is not secure in the sense of ROR-CPA:

$$\mathrm{Adv}^{ror\text{-}cpa}_{A_{cpa},\Pi'}(n) = \Pr[\mathrm{Exp}^{ror\text{-}cpa\text{-}1}_{A_{cpa},\Pi'}(n) = 1] - \Pr[\mathrm{Exp}^{ror\text{-}cpa\text{-}0}_{A_{cpa},\Pi'}(n) = 1] = 1 - \frac{1}{(n+1)^{n+1}} - 0$$
Lemma 2. $\Pi' = (\mathrm{GenKey}', \mathrm{Enc}', \mathrm{Dec}')$ is secure in the sense of SOR-CO given
the sample structure $\mathrm{sample}_{kbd}$.
Proof.
When the oracle is in 'sample mode' the modification does not come into
play, since $m_0$ is not part of the sample. Otherwise, we already concluded that
the probability that a 'random mode' oracle prefixes an encryption with '0' is
$\frac{1}{(n+1)^{n+1}}$. That means when the oracle is in 'random mode', an adversary has an
additional chance of receiving $m_0$. However, since the probability is negligible and
the adversary is polynomially limited, her additional advantage $\mathrm{Adv}^{\sharp}$ is negligible,
which leads to the estimation:

$$\begin{aligned}
\mathrm{Adv}^{sor\text{-}co}_{A_{co},\Pi'}(n) &= \Pr[\mathrm{Exp}^{sor\text{-}co\text{-}1}_{A_{co},\Pi'}(n) = 1] - \Pr[\mathrm{Exp}^{sor\text{-}co\text{-}0}_{A_{co},\Pi'}(n) = 1] \\
&\le \Pr[\mathrm{Exp}^{sor\text{-}co\text{-}1}_{A_{co},\Pi}(n) = 1] + \mathrm{Adv}^{\sharp} - \Pr[\mathrm{Exp}^{sor\text{-}co\text{-}0}_{A_{co},\Pi}(n) = 1] \\
&= \mathrm{Adv}^{sor\text{-}co}_{A_{co},\Pi}(n) + \mathrm{Adv}^{\sharp}
\end{aligned}$$

Due to the assumption that $\Pi$ is secure in the sense of SOR-CO, $\mathrm{Adv}^{sor\text{-}co}_{A,\Pi}(n)$
is negligible and so is $\mathrm{Adv}^{\sharp}$. Therefore, $\mathrm{Adv}^{sor\text{-}co}_{A,\Pi'}(n)$ is also negligible and $\Pi'$
is secure in the sense of SOR-CO given the sample structure $\mathrm{sample}_{kbd}$.
The message $m_0$ needs to be chosen depending on the given sample structure.
However, depending on the sample, it is not always possible to come back to
strings of a certain length, e.g. when the sample structure consists of a set of
messages. Then it is possible to add stages to the encryption function in such a
way that a special combination of plaintexts – which is not part of the sample –
triggers the oracle's special answer.
Corollary 2. [SOR-CO $\nRightarrow$ ROR-CPA]
If there exists an encryption scheme $\Pi$ which is secure in the sense of SOR-CO,
then there exists an encryption scheme $\Pi'$ which is secure in the sense of SOR-CO
but not secure in the sense of ROR-CPA.
Proof. Cor. 2 follows from Lem. 1 and Lem. 2.
Theorem 1.
Security in the sense of SOR-CO is a weaker notion than security
in the sense of ROR-CPA.
Proof. Th. 1 follows from Cor. 1 and Cor. 2.
Thus, we have shown that the two security models give different notions of
security and SOR-CO is weaker than ROR-CPA.
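The construction of $\Pi'$ and the adversary of Lemma 1, as an added Python example (not code from the paper). The base scheme, a toy nonce-keyed keystream cipher, and all function names are assumptions of the example; only Enc', Dec' and the query for $m_0$ follow the text.

```python
import random
from fractions import Fraction

# Stand-in for the base scheme Pi (assumption of this example, not a secure
# cipher): a nonce-keyed keystream added symbol-wise mod (n+1).
def gen_key(rng):
    return rng.getrandbits(64)

def _pad(k, nonce, n, length):
    stream = random.Random(f"{k}:{nonce}")
    return [stream.randrange(n + 1) for _ in range(length)]

def enc(k, m, n, rng):
    nonce = rng.getrandbits(32)
    pad = _pad(k, nonce, n, len(m))
    return [nonce] + [(x + p) % (n + 1) for x, p in zip(m, pad)]

def dec(k, c, n):
    nonce, body = c[0], c[1:]
    pad = _pad(k, nonce, n, len(body))
    return [(y - p) % (n + 1) for y, p in zip(body, pad)]

# Pi' from the text: Enc' marks the all-zero message m_0 with prefix 0 and
# every other message with prefix 1; Dec' strips the prefix again.
def enc_prime(k, m, n, rng):
    marker = 0 if all(x == 0 for x in m) else 1
    return [marker] + enc(k, m, n, rng)

def dec_prime(k, c_prime, n):
    return dec(k, c_prime[1:], n)

def random_string(n, length, rng):
    return [rng.randrange(n + 1) for _ in range(length)]

def ror_oracle(k, m, b, n, rng):
    """O_RR(m, b): encrypt m (b = 1) or an equal-length random string (b = 0)."""
    return enc_prime(k, m if b == 1 else random_string(n, len(m), rng), n, rng)

def sor_oracle(k, b, n, rng):
    """O_SR(b) for sample_kbd: a random permutation of 0..n (b = 1)
    or a random string of the same length (b = 0)."""
    if b == 1:
        m = rng.sample(range(n + 1), n + 1)
    else:
        m = random_string(n, n + 1, rng)
    return enc_prime(k, m, n, rng)

def ror_cpa_adversary(n, query):
    """Lemma 1: ask for Enc'(m_0); output 1 ('real') iff the marker is 0."""
    return 1 if query([0] * (n + 1))[0] == 0 else 0

def ror_cpa_advantage(n, trials=5000, seed=7):
    """Empirical Pr[Exp-1 = 1] - Pr[Exp-0 = 1] for the adversary above."""
    rng = random.Random(seed)
    ones = {0: 0, 1: 0}
    for b in (0, 1):
        for _ in range(trials):
            k = gen_key(rng)
            ones[b] += ror_cpa_adversary(
                n, lambda m: ror_oracle(k, m, b, n, rng))
    return (ones[1] - ones[0]) / trials

def exact_ror_cpa_advantage(n):
    """Closed form from Lemma 1: 1 - 1/(n+1)^(n+1)."""
    return 1 - Fraction(1, (n + 1) ** (n + 1))

def sor_marker_rate(n, b, trials=5000, seed=7):
    """Share of O_SR(b) answers with marker 0, the only trace Enc' leaves
    for a ciphertext-only adversary (Lemma 2)."""
    rng = random.Random(seed)
    k = gen_key(rng)
    return sum(sor_oracle(k, b, n, rng)[0] == 0 for _ in range(trials)) / trials

if __name__ == "__main__":
    n = 2  # small alphabet so the random-mode collision is visible
    print("ROR-CPA advantage, simulated:", ror_cpa_advantage(n))
    print("ROR-CPA advantage, exact:    ", float(exact_ror_cpa_advantage(n)))
    print("SOR-CO marker rate, sample mode:", sor_marker_rate(n, 1))
    print("SOR-CO marker rate, random mode:", sor_marker_rate(n, 0))
```

With a small alphabet the marker still shows up in 'random mode' at rate $1/(n+1)^{n+1}$; for a keypad-sized alphabet that rate is what the proof of Lemma 2 treats as negligible.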
4 Application of Sample-or-Random Security to
Encryption Schemes
In this section we take a look at some segment-based visual encryption schemes
and evaluate if the result from applying the sample-or-random security model is
in agreement with the intuitive notion of security. We focus on the encryption of
virtual keypads with the corresponding sample $\mathrm{sample}_{kbd}$ (cf. Def. 4).
4.1 7-Segment Displays
Borchert [3] describes a variation of visual cryptography, where – instead of
pixels – segments of a 7-segment display (cf. Fig. 2a) were encrypted. Each digit
can be displayed by switching the appropriate individual segments 'on' and 'off'.
Applying visual cryptography, each segment has two representations (left/right
or lower/upper) and the segment is visible if the segment's positions match on
cipher and key (cf. Fig. 2b). Figures 2c to 2e show a ciphertext, a key and the
corresponding plaintext message ' ' when stacking the slides on top of each other.
It is easy to see that if the plaintext message is ' ', key and ciphertext have to be
identical, e.g. both Fig. 2c or 2d. We denote this encryption scheme with $\Pi_{7seg}$.
Intuitive Notion of Security
Since there are only 10 possible digits, after
eavesdropping a valid ciphertext, an adversary is able to reduce the number of
possible keys from 128 ($2^7$, the size of the key space) to 10 for each segment.
Decrypting with any other key would not result in a valid digit, because the
7-segment coding is not a closed encoding scheme. Thus, as in pixel-based visual
cryptography it should not be secure to reuse a key twice.
Fig. 2: Segment-Based Visual Cryptography on 7-segment Displays
(panels: 7-segment; VC 7-segment; Cipher c + Key k = Message m)
Sample-or-Random Security
We notice that when using the same key and
regarding the number of different segments of two encryptions based on
7-segment displays of the sample structure $\mathrm{sample}_{kbd}$, they differ in an even number
of positions:
Lemma 3.
Let $m = \gamma_0, \ldots, \gamma_n$ and $m' = \gamma'_0, \ldots, \gamma'_n$ be two messages from the
sample structure $\mathrm{sample}_{kbd}$ and let $c = \alpha_0, \ldots, \alpha_n$ respectively
$c' = \alpha'_0, \ldots, \alpha'_n$ be their encryptions with $\Pi_{7seg}$. Then the number of different
segments of the ciphertexts is always even:
$\sum_{i=0}^{n} \alpha_i \oplus \alpha'_i = 0 \bmod 2$.
Proof.
Let $s$ respectively $s'$ denote the 7-segment encodings of the messages $m$
respectively $m'$ and let $\leftrightarrow$ denote the identity function. If both segments are
equal, the segment is visible. Obviously
$c \oplus c' = (s \leftrightarrow K) \oplus (s' \leftrightarrow K) = s \oplus s'$
holds. Thus, the difference of two ciphertexts encrypted with the same key is
independent of the key. Since each sample message contains the same encodings,
$s$ is a permutation of $s'$. It can easily be seen that when changing the position
of two characters in $s$, for each segment switched off, another segment needs to
be switched on. Thus the difference's parity of two messages from the sample
structure $\mathrm{sample}_{kbd}$ is independent of the character's permutation of the message
and therefore always even.
Theorem 2.
The segment-based visual encryption scheme based on 7-segment displays
is not secure in the sense of SOR-CO for two ciphertexts ($q_e = 2$) given
the sample structure $\mathrm{sample}_{kbd}$.
Proof.
The adversary succeeds with the following strategy. She asks the oracle
for two ciphertexts and determines the sum of segmental XORing them. If the
sum is even, she guesses that the oracle is in 'sample mode', if it is odd she
guesses it is in 'random mode'. The corresponding probabilities are as follows:
If the oracle is in 'sample mode' ($b = 1$), the sum will always be even and
thus the adversary will always be right (cf. Lem. 3).
If the oracle is in 'random mode' ($b = 0$), the sum will be odd only in
half of the cases. Thus, the adversary's guess is in half of the cases correct:

$$\mathrm{Adv}^{sor\text{-}co}_{A_{co},\Pi_{7seg}}(n) = \Pr[\mathrm{Exp}^{sor\text{-}co\text{-}1}_{A_{co},\Pi_{7seg}}(n) = 1] - \Pr[\mathrm{Exp}^{sor\text{-}co\text{-}0}_{A_{co},\Pi_{7seg}}(n) = 1] = 1 - \frac{1}{2}.$$

Thus, her advantage is not negligible and, in accordance with our intuition, $\Pi_{7seg}$ is
not secure in the sense of SOR-CO given the sample structure $\mathrm{sample}_{kbd}$.
4.2 Encryptions Based on Dice Codings
Doberitz [4] describes a variation of segment-based visual cryptography, where –
instead of a 7-segment display – a coding based on dots is chosen. The user has
to count the number of visible dots – like counting dots on game dice, hence
the name dice coding. She also presented a user study showing that users get along
well with 9 dots. Since this allows us to build a virtual keypad, in the following
we regard dice codings with 9 dots. Figure 3a shows the full dot matrix. When the
principles of visual cryptography are applied, each dot has two representations
(left/right) and the dot is visible if the dot's positions match on cipher and key
(cf. Fig. 3b). Figures 3c to 3e show a ciphertext, a key and the corresponding
plaintext message '5' when stacking the slides on top of each other. It is easy to
see that if the plaintext message is '9', key and ciphertext have to be identical,
e.g. both Fig. 3c or 3d. We denote this encryption scheme with $\Pi_{dice}$.
Fig. 3: Segment-Based Visual Cryptography Based on Dice Codings
(panels: 9-Dice; VC 9-Dice; Cipher c + Key k = Message m)
Intuitive Notion of Security
The scheme based on dice codings is closed:
there are no undecodable plaintext results. However, the number of possible
encodings follows a binomial distribution: there is only one possibility to encode
'0' or '9', but there are 126 possibilities to encode '4' or '5' (cf. $\binom{9}{4}$).
Moreover, if virtual keypads are regarded, the segments themselves are still closed,
but since each segment has to be an encoding of a different digit, the plaintext
message itself does not cover the complete message space. Therefore, for a virtual
keypad containing each digit from '0' to '9' once, 26 ciphertexts are sufficient to
reduce the number of possible keys to two [9].
Sample-or-Random Security
In fact, it turns out that it does not make a big
difference whether the virtual keypad is encoded with a 7-segment display or with a
9-dice coding.
Lemma 4.
Let $m$ and $m'$ be two messages from the sample structure $\mathrm{sample}_{kbd}$
and let $c$ respectively $c'$ be their encryptions with $\Pi_{DICE}$. Then the number of
different dots of the ciphertexts $c$ and $c'$ is always even.
Proof. The proof essentially goes along the lines of the proof of Lem. 3.
Theorem 3.
The segment-based visual encryption scheme based on dice codings
$\Pi_{DICE}$ is not secure in the sense of SOR-CO for two ciphertexts ($q_e = 2$) given
the sample structure $\mathrm{sample}_{kbd}$.
Proof. The proof is analogous to the proof of Th. 2.
4.3 Encryptions Based on Dice Codings with Noise
The enhanced version of a visual encryption scheme based on dice codings aims
to enlarge the amount of information an adversary needs to recover information
from eavesdropped ciphertexts. The basic idea is to add noise to the ciphertexts.
If both possible positions of a dot are covered by the key, noise is taken out.
Since the adversary does not know which of the dots is noise, this creates an
additional difficulty for her. To our knowledge, this is the first visual encryption
scheme which makes use of noise.
The full dot matrix for the encoding stays unchanged (cf. Fig. 3a). Figure 4a
shows the enlarged matrix which is the basis for constructing ciphertexts and
keys. Figures 4b to 4d show a ciphertext, a key and the corresponding plaintext
message '4' when stacking the slides on top of each other. The ciphertext still
consists of a dot at each pair of positions. The key still contains dots with two
representations (left/right), but additionally contains blackened blocks without
any dots. When deciphering, the dot is visible if the key does not contain a
blackened block at the considered position and the dot's positions match on
cipher and key. If the plaintext message is '9', key and ciphertext have to be
identical for all positions where the key contains dots. For the blackened blocks,
the ciphertext may contain a dot either on the left or the right position. We
denote this encryption scheme with $\Pi^{\star}_{dice}$, the maximum number of visible dots
with the encoding parameter $n$, and the number of blackened blocks with the
security parameter $\nu$.
Fig. 4: Segment-Based Visual Cryptography Based on Dice Codings with Noise for
$n = 9$ and $\nu = 7$
(panels: VC 9-dice +; Cipher c + Key k = Message m)
Intuitive Notion of Security
The security of the segment-based visual encryption
scheme based on dice codings with noise $\Pi^{\star}_{DICE}(\nu)$ strongly depends on
the amount of noise added. If $\nu = 0$ no noise is added and thus
$\Pi_{DICE} = \Pi^{\star}_{DICE}(0)$.
For all other values of $\nu$, the noise additionally stretches the binomial distribution
of the different encodings by the factor $2^{\nu}$ (e.g. for digit $d$ to
$\binom{9}{d} \cdot 2^{\nu}$). Since the
number of possible encodings of all digits are multiplied, this does not concern
its ratio, but makes it more difficult to discover encryptions of '0' and '9'.
Sample-or-Random Security
If the security parameter $\nu > 0$, the attack of
considering the parity of changed dots does not work anymore. Assuming $\nu = 1$,
the parity is flipped if the noise dots of the ciphertexts do not match, which
is true in half of the cases. Thus, if the oracle is in 'sample mode' ($b = 1$), the
sum will be even in half of the cases and be odd in the other half of the cases.
If the oracle is in 'random mode' ($b = 0$), the sum will still be in half of the
cases odd and half of the cases even. Therefore, the adversary has no advantage
following the described attack. However, for a formal proof, it would be necessary
to regard all possible attacks. Therefore, we conclude with a conjecture.
Conjecture 1.
Let $\Pi^{\star}_{DICE}(\nu)$ be a segment-based visual encryption scheme based
on dice codings with noise with the encoding parameter $n$ and the security
parameter $\nu$, let $q_e$ be a number of ciphertexts and let $\mathrm{sample}_{struct}$ be a sample
function. Then there exists an $N$ so that $\forall \nu \ge N$ the encryption scheme
$\Pi^{\star}_{DICE}(\nu)$ is secure for $q_e$ ciphertexts in the sense of SOR-CO security.
It is reasonable to assume the conjecture is true, because even for a sample which
consists of a fixed message string $m$, the adversary has to determine where in the
ciphertext the corresponding encryption of this string is located. The probability
to determine the noise, when the dots containing the encryption of the message
are fixed, depends on the number of ciphertexts $q_e$ and the security parameter
$\nu$. If $q_e$ is fixed, there is a certain point $N$ and for all $\nu \ge N$ the position of the
noise is indeterminable.
Remark 1.
Assume an application for $\Pi^{\star}_{DICE}$, such as online banking. Then $N$
denotes how much noise one has to add to securely use the key transparency $q_e$
times. After the key transparency is used that often, it is thrown away and a new
one is used for the next $q_e$ ciphertexts. The usability of the scheme for $\nu \ge N$ is
unconsidered here. However, given a certain amount of noise $\nu$, one may derive
the closely related question of how often a key transparency may securely be reused.
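The parity attack of Theorems 2 and 3 and the effect of noise from Section 4.3, as an added Python simulation (not code from the paper). It assumes the usual 7-segment digit patterns, random digit strings in 'random mode', and ν blackened blocks per digit at random places in the key; all function names are this example's own.

```python
import random

# Standard 7-segment patterns (segments a..g) for the digits 0-9.
SEGMENTS = ["abcdef", "bc", "abdeg", "abcdg", "bcfg",
            "acdfg", "acdefg", "abc", "abcdefg", "abcdfg"]

def encode_7seg(digit, rng):
    """Visible (1) / hidden (0) state of the 7 segments showing `digit`."""
    return [int(s in SEGMENTS[digit]) for s in "abcdefg"]

def encode_dice(digit, rng):
    """Dice coding with 9 dots: `digit` dots, at random places, are visible."""
    visible = set(rng.sample(range(9), digit))
    return [int(i in visible) for i in range(9)]

def gen_key(cells, noise, rng):
    """Key for a 10-digit keypad. Per digit: `cells` left/right bits plus
    `noise` blackened blocks (None) at random places. Applying nu per digit
    is an assumption of this example."""
    key = []
    for _ in range(10):
        black = set(rng.sample(range(cells + noise), noise))
        key.append([None if i in black else rng.getrandbits(1)
                    for i in range(cells + noise)])
    return key

def encrypt(key, message, encode, rng):
    """A cell is visible iff cipher and key positions match, so the cipher bit
    equals the key bit for a visible cell and its complement otherwise.
    Under a blackened block the cipher bit is a free random noise bit."""
    cipher = []
    for digit, slot in zip(message, key):
        states = iter(encode(digit, rng))
        for kbit in slot:
            if kbit is None:
                cipher.append(rng.getrandbits(1))
            else:
                cipher.append(kbit if next(states) else kbit ^ 1)
    return cipher

def oracle_sr(key, b, encode, rng, queries=2):
    """O_SR(b): encryptions of keypads from sample_kbd (b = 1, each digit
    once) or of random digit strings of the same length (b = 0)."""
    out = []
    for _ in range(queries):
        if b == 1:
            msg = rng.sample(range(10), 10)
        else:
            msg = [rng.randrange(10) for _ in range(10)]
        out.append(encrypt(key, msg, encode, rng))
    return out

def parity_adversary(c1, c2):
    """Guess 'sample mode' (1) iff the two ciphertexts differ in an even
    number of positions (Lemma 3 / Lemma 4)."""
    return 1 if sum(x ^ y for x, y in zip(c1, c2)) % 2 == 0 else 0

def advantage(encode, cells, noise, trials=2000, seed=1):
    """Empirical Pr[Exp-1 = 1] - Pr[Exp-0 = 1] of the parity adversary,
    with a fresh key per experiment and q_e = 2 ciphertexts."""
    rng = random.Random(seed)
    ones = {0: 0, 1: 0}
    for b in (0, 1):
        for _ in range(trials):
            key = gen_key(cells, noise, rng)
            ones[b] += parity_adversary(*oracle_sr(key, b, encode, rng))
    return (ones[1] - ones[0]) / trials

if __name__ == "__main__":
    print("7-segment, no noise:", advantage(encode_7seg, 7, 0))
    print("dice, no noise:     ", advantage(encode_dice, 9, 0))
    for nu in (1, 7):
        print(f"dice, nu = {nu}:       ", advantage(encode_dice, 9, nu))
```

Without noise the estimate sits near 1/2 for both codings; with any ν > 0 it drops to about 0, which says only that this one statistic stops working, not that the scheme is secure.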
5 Conclusion and Future Work
Based on the observation that existing game-based security models for
indistinguishability are too strong and do not suit the requirements for visual encryption
schemes, we defined the notion of sample-or-random ciphertext-only (SOR-CO)
security. We also showed that the SOR-CO security model gives a weaker notion
of security than the real-or-random under chosen-plaintext attacks (ROR-CPA)
security model. Another security model which comes to mind is to require the
attacker to distinguish two different sample structures. Then sample-or-random
security may be seen as a special case of sample-A-or-sample-B security. Thus, an
open question is whether there are other notions of security when CPA-security
seems to be out of reach and which of them is the 'most meaningful'.
Another open question is whether the notion of SOR-CO security may be
useful for pixel-based cryptography. Since it is difficult to formally model the
representation of symbols by pixels, it is unclear whether a more formal notion
of security may be useful.
It would also be desirable, given a sample structure $\mathrm{sample}_{struct}$, to have a
proof for all $n, \nu, q_e$ that encryption schemes from the class of segment-based
visual encryption schemes based on dice codings with noise are secure/insecure in
the sense of sample-or-random ciphertext-only indistinguishability (SOR-CO),
where $n$ is the encoding parameter (maximum number of visible dots), $\nu$ is the
security parameter (number of noise dots), and the number $q_e$ represents the
number of samples available to the adversary.
Another interesting question is whether there are displays similar to the
7-segment display which only have meaningful configurations. A more user-friendly
encoding scheme would ease the user's task. However, it is unclear how to
construct such a display without the need that the user has to learn new symbols.
Further research is needed when embedding the encrypted virtual keypad
in secure protocols. For example, if the last account numbers and the transfer's
amount are encrypted, the adversary may not be able to mount a chosen-plaintext
attack, but may have plaintext/ciphertext pairs for certain parts of the ciphertext.
Thus, an extended security model may be necessary to judge on the full protocol.
References
1. M. Naor and A. Shamir, "Visual cryptography," in EUROCRYPT (A. D. Santis,
ed.), vol. 950 of LNCS, pp. 1–12, Springer, 1994.
2. M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, "A concrete security treatment of
symmetric encryption," in Proceedings of 38th Annual Symposium on Foundations
of Computer Science (FOCS 97), pp. 394–403, 1997.
3. B. Borchert, "Segment-based visual cryptography," Tech. Rep. WSI-2007-04,
Wilhelm-Schickard-Institut für Informatik, Tübingen, 2007.
4. D. Doberitz, "Visual cryptography protocols and their deployment against malware,"
Master's thesis, Ruhr-Universität Bochum, Germany, 2008.
5. R. Unucheck, "The most sophisticated Android trojan."
https://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan,
June 2013. Last access 2013/06/10.
6. M. Naor and A. Shamir, "Visual cryptography ii: Improving the contrast via the
cover base," in Security Protocols Workshop (T. M. A. Lomas, ed.), vol. 1189 of
LNCS, pp. 197–202, Springer, 1996.
7. M. Naor and B. Pinkas, "Visual authentication and identification," in CRYPTO
(B. S. Kaliski Jr., ed.), vol. 1294 of LNCS, pp. 322–336, Springer, 1997.
8. U. Greveler, "VTANs - Eine Anwendung visueller Kryptographie in der
Online-Sicherheit," in GI Jahrestagung (2) (R. Koschke, O. Herzog, K.-H. Rödiger, and
M. Ronthaler, eds.), vol. 110 of LNI, pp. 210–214, GI, 2007.
9. S. Pape, The Challenge of Authentication in Insecure Environments. PhD thesis,
Universität Kassel, 2013. (defended, September 2nd, 2013).