Questions tagged [distinguisher]

A distinguisher is an algorithm that tries to tell a cryptographic algorithm apart from an idealized version of that type of algorithm (a block cipher from a random permutation, a hash function from a random oracle, the output of a PRG from uniform bits). In cryptography, an adversary's advantage is a measure of how successfully it does so: the difference between the probability that it outputs "real" when interacting with the real algorithm and the probability that it outputs "real" when interacting with the ideal one.

A distinguishing attack is any form of cryptanalysis on data produced by a cipher (or another primitive) that allows an attacker to tell that data apart from uniformly random data with better than negligible probability.

To argue that a cryptographic function is secure, it is often compared with an idealized counterpart such as a random oracle. If the function were a random oracle, an attacker could not predict any part of its output on an input it has not queried. If the function is distinguishable from a random oracle, it has non-random properties: some relation between different outputs, or between input and output, that an attacker can exploit, for example to recover (part of) the input or to tell which algorithm produced the data.

In practice such a distinguisher might reveal the encryption method used, leak information about the encrypted message, or narrow down the key space that has to be searched.
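Worked example, added here and not part of the tag wiki: the advantage of a concrete single-sample distinguisher, estimated empirically. The "real" source is the first two RC4 keystream bytes under a fresh random 16-byte key, the "ideal" source is two uniformly random bytes, and the distinguisher outputs "real" whenever the second byte is zero, exploiting the well-known second-byte bias of RC4 that the RC4 questions on this page refer to (the second output byte is 0 with probability close to 2/256 instead of 1/256, so the single-sample advantage is about 1/256). The RC4 code is the textbook algorithm (checked against the public "Key" test vector); the key size, the sample count and the seeded `random.Random` are choices made for this example so that it is reproducible, and the seeded generator is not a cryptographic RNG.

```python
"""Estimate a distinguisher's advantage  Adv_D = Pr[D(real)=1] - Pr[D(ideal)=1].

Added example for the [distinguisher] tag wiki; not code from the page.
Real source : first two RC4 keystream bytes under a fresh random 16-byte key.
Ideal source: two uniformly random bytes.
"""
import random
from typing import Callable


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def advantage(distinguisher: Callable[[bytes], bool],
              real: Callable[[], bytes],
              ideal: Callable[[], bytes],
              samples: int) -> float:
    """Empirical advantage of a single-sample distinguisher.

    Every call to real()/ideal() yields a fresh, independent sample; the
    distinguisher sees one sample at a time and answers True ("real") or
    False ("ideal").  The standard error of the estimate is roughly
    sqrt(p / samples), so the sample count must match the bias hunted for.
    """
    hits_real = sum(distinguisher(real()) for _ in range(samples))
    hits_ideal = sum(distinguisher(ideal()) for _ in range(samples))
    return (hits_real - hits_ideal) / samples


def second_byte_is_zero(sample: bytes) -> bool:
    """Distinguisher exploiting the RC4 second-byte bias (Mantin-Shamir)."""
    return sample[1] == 0


def rc4_vs_random(samples: int = 20000, seed: int = 1) -> float:
    """Advantage of second_byte_is_zero against RC4 with random keys; about +1/256."""
    rng = random.Random(seed)  # seeded only for reproducibility; NOT a CSPRNG
    rand_bytes = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    real = lambda: rc4_keystream(rand_bytes(16), 2)  # example key size, assumption
    ideal = lambda: rand_bytes(2)
    return advantage(second_byte_is_zero, real, ideal, samples)


def random_vs_random(samples: int = 20000, seed: int = 1) -> float:
    """Control experiment: the same distinguisher against two ideal sources; about 0."""
    rng = random.Random(seed)
    rand_bytes = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    return advantage(second_byte_is_zero, lambda: rand_bytes(2), lambda: rand_bytes(2), samples)


if __name__ == "__main__":
    print(f"RC4 vs random:    {rc4_vs_random():+.4f}   (expected about +1/256 = +0.0039)")
    print(f"random vs random: {random_vs_random():+.4f}   (expected about 0)")
```

The per-sample advantage here is small, but the relative bias is a factor of two, so an attacker who sees the second keystream byte under many different keys (the broadcast setting) simply counts zeros and thresholds the count; the same `advantage` harness works unchanged for any real/ideal pair, for example a block cipher under a random key against a random permutation, as long as both sides are presented to the distinguisher in the same interface.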

87 questions

30 votes · 4 answers

What is the effect of the different AES key lengths?

How does a changing key length affect the ciphertext, not only in case of AES, but in general? I know that the key spaces become much larger and the number of rounds in case of AES changes, but is security really that much enhanced that if I choose…
tom · 397 · 1 · 3 · 3

23 votes · 1 answer

Distinguishing x25519 public keys from random?

I recently read a piece of protocol that avoided sending ephemeral x25519 keys in the clear as an effort to foil deep-packet inspection. I understand that x25519 public keys are effectively 255 bits, which must be serialized as 256 bits, leaving one…
Jonas · 799 · 6 · 12
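The bit-level distinguisher this question is about, as an added worked example (not part of the question or of any answer): an X25519 public key is the little-endian encoding of a field element u < 2^255 - 19, so the most significant bit of the last byte is always clear, whereas in a uniformly random 32-byte string it is set half the time. A distinguisher that answers "random" as soon as it sees that bit set therefore has advantage 1/2 from a single key and 1 - 2^-n from n keys. The scalar multiplication is a transcription of the RFC 7748 Montgomery ladder (checked against the RFC's section 6.1 test vector); the trial counts and the seeded `random.Random` are choices made for this example and the seeded generator is not a cryptographic RNG.

```python
"""Structural distinguisher: X25519 public keys vs. uniformly random 32-byte strings.

Added example; not code from the question or its answers.
"""
import random
from typing import Callable, List

P = 2**255 - 19
A24 = 121665


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: scalar k times u-coordinate u, both 32-byte little-endian."""
    kb = bytearray(k)
    kb[0] &= 248              # clamping, RFC 7748 section 5
    kb[31] &= 127
    kb[31] |= 64
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # receivers mask the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):          # Montgomery ladder over the 255 scalar bits
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:                          # conditional swap; not constant-time here
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")


def x25519_public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def top_bit_set(blob: bytes) -> bool:
    """The structural property: bit 7 of byte 31 is never set in an X25519 public key."""
    return blob[31] & 0x80 != 0


def looks_random(samples: List[bytes]) -> bool:
    """Distinguisher: answers 'random' iff any sample has the top bit set."""
    return any(top_bit_set(s) for s in samples)


def advantage(distinguisher: Callable[[List[bytes]], bool],
              real: Callable[[], bytes],
              ideal: Callable[[], bytes],
              samples_per_trial: int, trials: int) -> float:
    """Pr[D(ideal)='random'] - Pr[D(real)='random'], estimated over `trials` runs."""
    hits_ideal = sum(distinguisher([ideal() for _ in range(samples_per_trial)]) for _ in range(trials))
    hits_real = sum(distinguisher([real() for _ in range(samples_per_trial)]) for _ in range(trials))
    return (hits_ideal - hits_real) / trials


def experiment(samples_per_trial: int, trials: int = 200, seed: int = 1) -> float:
    """Advantage of looks_random when shown `samples_per_trial` keys per trial."""
    rng = random.Random(seed)  # reproducible; NOT a CSPRNG (example choice)
    rand32 = lambda: rng.getrandbits(256).to_bytes(32, "little")
    real = lambda: x25519_public_key(rand32())   # fresh ephemeral key each sample
    return advantage(looks_random, real, rand32, samples_per_trial, trials)


if __name__ == "__main__":
    print(f"1 key  per look: advantage {experiment(1):.3f}  (expected about 0.5)")
    print(f"8 keys per look: advantage {experiment(8, trials=100):.3f}  (expected about 0.996)")
```

Masking the top bit on the receiving side does not help the sender hide the key: the distinguisher runs on the wire bytes, not on what the recipient computes. Hiding the key requires an encoding under which the transmitted 32 bytes really are uniform, which is what the protocol the question mentions was trying to achieve.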
19 votes · 2 answers

A website that identifies an RNG from its output

This happened during a discussion of RNG entropy, and the difficulty of verifying the level of entropy in a long sequence of bits (e.g. a private key.) A colleague of mine told me about a website that, given a sufficient quantity of output from an…
15 votes · 4 answers

Are any of the major asymmetric ciphers distinguishable (EG, RSA, ECC)?

Related to "Is it possible to derive the encryption method from encrypted text?". Given ciphertexts generated by any of the major asymmetric ciphers (RSA, ElGamal, ECC, etc..) can these ciphertexts be distinguished from random noise? Justify why,…
14 votes · 3 answers

Is it possible to distinguish a securely-encrypted ciphertext from random noise?

Say I have a bunch of data encrypted with a secure block cipher (such as AES). An attacker has unlimited access to this encrypted data. The attacker doesn't know whether the data is encrypted or if it's just purely random bits. Is it possible (even…
M8R-390pv1 · 141 · 1 · 3

13 votes · 1 answer

What is meant by a "hybrid argument"?

Can anyone explain (or point to a reference for) what a hybrid argument is in a security proof, and when it's convenient or preferable to use it? Among some of the places where I've seen it mentioned, there is the paper Boneh, Sahai, Waters -…
LRM · 1,406 · 12 · 24

11 votes · 2 answers

Is RC4 a problem for password-based authentication?

This is a follow-up question to Does TLS use RC4-drop[n]?. As mentioned in section 6 of RFC4345, there are weak distinguishers for RC4 keystreams available that even work for keystreams that originate from different keys, and regardless of the…
lxgr · 1,798 · 1 · 13 · 22

8 votes · 2 answers

Statistical closeness implies computational indistinguishability

This is so trivial that authors usually don't bother to give an explicit proof. But for me there is some vagueness. We say that two ensembles $X_n$ and $Y_n$ are statistically close, if $$ \Delta(n) = 1/2 \sum_{\alpha}|\mathbb{P}[X_n = \alpha] -…
Kirill Tsar. · 609 · 4 · 13

8 votes · 1 answer

Can a proof be constructed to show there is no distinguisher?

Let's assume a simple algorithm like the Skein hash function. Is it possible, given the algorithm, to construct a proof that it does not have a particular distinguisher, something like: $P(xyz)$ is the probability that $xyz$ is truly random over…
Vanwaril · 189 · 2

7 votes · 0 answers

Does the bias in RC4 drop asymptotically further in the keystream?

It's well-known that the RC4 keystream has significant biases that become less prominent later in the keystream. The most severe bias is in the second byte, which has a 128-1 bias towards zero. Other biases remain, and it's typically recommended to…
forest · 15,626 · 2 · 49 · 103

7 votes · 2 answers

Is there a formal definition of what a distinguisher is?

I've often been reading about (polynomially bounded) distinguishers in books or papers. Although by name and intuition it is somewhat clear what a distinguisher is and does, I am asking myself whether there is a concrete formal definition.…
foobar · 193 · 7

6 votes · 0 answers

Is this PRG secure?

$G$ is a secure PRG in range $\{0,1\}^n\rightarrow\{0,1\}^{n+1}$. Let us define $G'(S)=G(S\oplus G(S)_{1,...,n})$, s.t. $G(S)_{1,...,n}$ is the first n bits of $G(S)$. Is $G'(S)$ a secure PRG? Intuition I'd like to say that since $G(S)$ is a secure…
Jjang · 365 · 1 · 5 · 14

6 votes · 1 answer

Designing Secure Multi-Party Computation Sub-Protocols Based on Homomorphic Encryption

When designing SMPC protocols using secret-sharing, it is a common approach to compose a protocol from several sub-protocols (each proven secure under the formal definition of security w.r.t. semi-honest or malicious adversaries) by applying the…
6 votes · 4 answers

Computational indistinguishability questions

The definition I have is: Two probability ensembles $X = \{X_n\}_{n \in \mathbf{N}}$ and $Y = \{Y_n\}_{n \in \mathbf{N}}$ are computationally indistinguishable if for every probabilistic polynomial-time algorithm $D$, every positive polynomial…
Dramal · 61 · 1

5 votes · 1 answer

Computationally efficient distinguisher for a PRP generator

Let $n$ be an integer (the motivating context had $n\approx2^{27}$). All other lowercase variables are non-negative integers less than $n$ (elements of $\mathbb Z_n$). All uppercase variables are vectors of $n$ distinct such elements, or…
fgrieu · 149,326 · 13 · 324 · 622