Honey Encryption

Honey Encryption is a symmetrical encryption method that decrypts a ciphertext under every possible key to a plausible plaintext . It was presented in May 2014 by Ari Juels and Thomas Ristenpart at the Eurocrypt cryptography conference .

idea

With conventional symmetrical encryption methods, plain text is converted into ciphertext using a secret key. An attacker would now try to identify the correct key with the help of a brute force attack . He does this by decrypting the ciphertext at hand with every possible key and checking the plausibility of the resulting plain text. In the case of known information, such as that it is an encrypted file with a certain structure, this is very easy to achieve.

The idea of Honey Encryption is to make this plausibility check more difficult for the attacker by decrypting the ciphertext under each key to a plausible plain text. In the event of a brute force attack , an attacker would no longer be able to distinguish whether a tried key is the right one or not.

functionality

A distinction is made between three sets: the set of all messages (message space), the set of all keys (key space) and the set of so-called seeds (seed space). The latter is a representation of the messages that is switched before the actual encryption. ${\ displaystyle {\ mathcal {M}}}$ ${\ displaystyle {\ mathcal {K}}}$ ${\ displaystyle {\ mathcal {S}}}$

With Honey Encryption, encryption and decryption are divided into two different sections. During encryption, plain text is mapped to a seed using a DTE (Distribution Transforming Encoder) and then converted into ciphertext using a conventional encryption method under the selected key. During decryption, after decoding, a seed is again obtained under the key, which is mapped to the correct message by the DTE.

If the key is wrong, the ciphertext is mapped to another seed and thus decrypted into a wrong message.

DTE

The DTE (Distribution Transforming Encoder) represents the essential part of the Honey Encryption . It consists of the two algorithms encode and decode . encode maps from a message to a seed, decode from a seed to a message. Several seeds can be assigned to a message, but only one message to each seed. If several seeds are possible for a message, exactly one seed is selected by chance in the encode algorithm. So this algorithm is randomized , while the decode algorithm is deterministic .

The DTE is secure if a number of seeds can be assigned to a message according to its probability. The relative number of seeds belonging to a message should therefore correspond to all seeds as closely as possible to the probability of the message. In order to create a DTE, the probability distribution of the messages must be known.

Encryption

The encryption is a conventional symmetrical encryption method and can therefore be selected very flexibly. All that is required of it is that it maps to the seed space under every possible key during decryption so that the DTE can then convert the seed into a plausible message.

example

A visualization of the example

The preferred RGB color component should be encrypted - therefore r (red), g (green) and b (blue) are the possible messages. The distribution of the messages is known, namely blue is chosen with 50% probability and the other two messages with 25% each. The DTE (on the right in the figure) maps a selected message onto a seed (center). In the figure, the green seed 01 is assigned to the message to be encrypted . The key 10 is now XOR-linked with this seed :

${\ displaystyle 01 \ oplus 10 = 11}$

11 is the ciphertext. During decryption, the ciphertext is again XORed with the key:

${\ displaystyle 11 \ oplus 10 = 01}$

This is again the seed, which is then mapped onto the original message by the DTE. The message is decrypted again.

If an attacker tries a key, for example 00, he links the ciphertext with this key and receives what is decoded to blue . The attacker cannot tell whether this is the correct message or the wrong message. ${\ displaystyle 11 \ oplus 00 = 11}$

safety

Even if Honey Encryption always generates plausible plain text during decryption, an attacker can use other information, for example parts of the plain text known to him, to check the decrypted text and thus the key for plausibility. To do this, however, he has to try out all possible keys, which is like a brute force attack . Thus, honey encryption least as secure as the encryption used.

If the attacker does not know any further information and if the DTE is well chosen, the attacker cannot identify any key as the correct one.

Individual evidence

↑ ^a ^b ^c ^d ^e Ari Juels and Thomas Ristenpart: Honey Encryption - Security Beyond the Brute - Force Bound. In Eurocrypt 2014, Copenhagen, Denmark, May 2014.
↑ Ari Juels and Thomas Ristenpart: Honey Encryption: Security Beyond the Brute-force Bound. http://ec14.compute.dtu.dk/talks/19.pdf . Retrieved December 16, 2014.
↑ Ari Juels. The Password That Never Was. http://crcs.seas.harvard.edu/event/ari-juels-the-password-that-never-was . Retrieved October 27, 2014.
^ Ari Juels and Thomas Ristenpart: Honey Encryption - Encryption beyond the Brute - Force Barrier. IEEE Security & Privacy, 12 (4): 59-62, April 2014.

[eurocrypt-1] Ari Juels and Thomas Ristenpart: Honey Encryption - Security Beyond the Brute - Force Bound. In Eurocrypt 2014, Copenhagen, Denmark, May 2014.

[2] Ari Juels and Thomas Ristenpart: Honey Encryption: Security Beyond the Brute-force Bound. http://ec14.compute.dtu.dk/talks/19.pdf . Retrieved December 16, 2014.

[3] Ari Juels. The Password That Never Was. http://crcs.seas.harvard.edu/event/ari-juels-the-password-that-never-was . Retrieved October 27, 2014.

[4] Ari Juels and Thomas Ristenpart: Honey Encryption - Encryption beyond the Brute - Force Barrier. IEEE Security & Privacy, 12 (4): 59-62, April 2014.