Lightweight multimedia encryption: Algorithms and performance analysis.  Page 41 

to pseudorandomness of the KHS, the REC-based scheme is immune to the ciphertext-only attack, which is formally stated below.

Theorem 1. Under the ciphertext-only attack, breaking the REC-based scheme is at least as difficult as breaking the underlying KHS generation algorithm, for which a brute-force attack requires a computational complexity of $\min(2^r, E^L)$, where $r$ is the bit length of seed $s$, $E$ is the cardinality of the ECP pool, and $L$ is the length of the corresponding plaintext.

Proof: By “breaking the REC model”, we mean that, based on a given REC-encrypted ciphertext, an algorithm can be devised to yield the corresponding plaintext as its output. If such an algorithm exists, we conclude that it must know the KHS sequence to compute the correct plaintext due to the following arguments.

In a ciphertext-only attack, the only information available to the cryptanalyst is the bit stream of a given ciphertext. According to Eq. (2.1), the ciphertext bit stream is a function of all ECP values $e_i$ used. Thus, the algorithm must depend on the knowledge of the correct $e_i$ used in each encoding step to compute the plaintext.

We can further argue that the algorithm must know the corresponding KHS in order to find out each correct $e_i$. Starting from the initial ciphertext $B_0$, it is equally likely for $e_0$ to take a value in the ECP pool since nothing is known about the first plaintext symbol $p_0$ at this time. Thus, the algorithm has to know the KHS $z_0$ to choose the correct $e_0$ and decrypt $p_0$.

Next, let us assume plaintext symbols $p_0, p_1, \ldots$ up to $p_k$ have been decrypted. Since Proposition 1 says that the next plaintext $p_{k+1}$ does not depend on $p_i$, $i = 0, 1, \ldots, k$, the previously decrypted plaintext symbols do not help in decrypting the future plaintext due to the weak or no correlation property. This is exactly the same as to decrypt the first plaintext symbol $p_0$. Since no additional hint about $p_{k+1}$ is available, $e_{k+1}$ can be any value in the ECP pool with
Repository email  cisadmin@lib.usc.edu 