Entropic security
From Wikipedia, the free encyclopedia
The introduction to this article provides insufficient context for those unfamiliar with the subject. Please help improve the article with a good introductory style. |
Entropic security is a security definition for encryption for specific message spaces. Standard security definitions such as semantic security permit the adversary a great deal of knowledge about the messages being encrypted--- for example, the adversary is often allowed to specify a two-element message space. It is well known that certain types of encryption algorithm cannot satisfy such a strong definition: for example, deterministic encryption algorithms cannot be semantically secure. Entropic security definitions relax these definitions to cases where the message space has substantial entropy (from an adversary's point of view). As a result, it is possible to satisfy this definition using e.g., deterministic encryption algorithms.
Note that in practice entropically-secure encryption algorithms are only "secure" provided that the message distribution possesses high entropy from any reasonable adversary's perspective. This is an unrealistic assumption for a general encryption scheme, and therefore stronger definitions (such as semantic security or indistinguishability under adaptive chosen ciphertext attack) are appropriate. However, there are special-purpose encryption schemes that can reasonably meet this requirement. For example, encryption schemes that encrypt only secret key material (e.g., key encapsulation or Key Wrap schemes) can be considered under an entropic security definition. A practical application of this result is the use of deterministic encryption algorithms for secure encryption of secret key material.
Russell and Wang formalized a definition of entropic security for encryption. Their definition resembles the semantic security definition when message spaces have highly-entropic distribution. In one formalization, the definition implies that an adversary given the ciphetext will be unable to compute any predicate on the ciphertext with (substantially) greater probability than an adversary who does not possess the ciphertext. Dodis and Smith later proposed alternate definitions and showed equivalence.
[edit] References
- A. Russell and Y. Wang. How to fool an unbounded adversary with a short key. Appeared at Advances in Cryptology -- Eurocrypt 2002.
- Y. Dodis and A. Smith. Entropic Security and the encryption of high-entropy messages. Appeared at the Theory of Cryptography Conference (TCC) 2005.