Entropies, Guessing and Cryptography

1 ABSTRACT Arikan 2] has proved a lower bound on the th moment of the number of guesses required to determine X given Y; which uses the R enyi entropy of order 1=(1+): We give a randomized improvement of Arikan's lower bound. Baumer 5] has proved the relationship 1 1 ? 2 ?H(XjY) ; between 1 |the probability of error if the plaintext X is to be estimated (with one guess allowed) given the ciphertext Y |and H(XjY) the Shannon entropy of X given Y: We obtain the tighter upper bound 1 1? P y2Y P Y (y)2 ?H 2 (XjY =y) ; This new bound depends on the R enyi entropy of order 2 instead of the Shannon entropy. We conjecture that the new bound extends tò 1 ? ` P y2Y P Y (y)2 ?H 2 (XjY =y) ; for`jXj; wherè is the probability of error if the plaintext is to be estimated with`guesses allowed. We derive the related upper bound`1 ? ` P y2Y P Y (y)2 ?H 2 (XjY =y) ; where itself is closely related to the R enyi entropy of order 2: This upper bound can be adapted to yield a guarantee regarding the success probability of a cryptanalyst using the optimal sequence of guesses for X given Y; namely the bound P succ (`jY) P y2Y P Y (y) 2 ?H 2 (XjY =y) ? 1? logìog jXj : We discuss the application of this bound to authentication codes where it improves a lower bound of Simmons on deception probability. A suitable security measure for secret key cryptosystems subject to guessing attacks is the number of guesses required to determine X with probability : We discuss the relationship between this quantity (which is typically called thèwork factor' in the cryptography literature) and R enyi entropy. Speciically, we demonstrate that, in the context of guessing attacks, both the average number of guesses and the Shannon entropy can be misleading measures of security.