Security proof for CBC-MAC [3,4]

[figure: a distinguisher D with binary output 0/1, connected either to CBC_AES or to RO]

To show: D CBC_AES ≈ D RO, i.e. Δ^E(CBC_AES, RO) ≈ 0.

Δ^E(CBC_AES, RO) ≤ Δ^E(CBC_AES, CBC_RF) + Δ^E(CBC_RF, RO)          (triangle inequality)

Δ^E(CBC_AES, CBC_RF) = Δ^{E∘CBC}(AES, RF)                           (absorption lemma)
                     ≤ Δ^E(AES, RF)                                  (non-expansion lemma, since E∘CBC ⊆ E)

Δ(CBC_RF, RO) ≤ ½ ℓ² 2^{-n}                                         [4], [BKR94, ...]

Absorption lemma:     Δ^D(CS, CT) = Δ^{DC}(S, T).   Proof: DCS = D(CS) = (DC)S.
Non-expansion lemma:  DC ⊆ D ⇒ Δ^D(CS, CT) ≤ Δ^D(S, T).

Here Δ^D(S, T) is the advantage of the best distinguisher in the class D, and DC is the class obtained by composing each D ∈ D with the converter C. The inclusion E∘CBC ⊆ E is exactly the closure property E∘E ⊆ E of the efficient systems (CBC itself is efficient). The first remaining term is the PRF-security of AES; the second is an information-theoretic bound that holds against all distinguishers.

Note: Many security proofs can be phrased at this level of abstraction and become quite simple or even trivial.
Levels of abstraction in cryptography

 #   possible name         concepts treated at this level
 1.  Reductions            definition of (universal) composability
 2.  Abstract resources    isomorphism
 3.  Abstract systems      distinguisher, hybrid argument, secure reduction, composition proof
 4.  Discrete systems      games, equivalence, indistinguishability proofs
 5.  System implem.        complexity, efficiency notion
 6.  Physical models       timing, power, side-channels
Efficient, infeasible, negligible [5,3]

We need notions for
• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

E = set of efficiently implementable systems:       E∘E ⊆ E,  E‖E ⊆ E
F = set of feasibly implementable systems (E ⊆ F):  F∘F ⊆ F,  F‖F ⊆ F
    No reason to set E = F!
N = set of negligible functions:                    F · N ⊆ N

(∘ denotes sequential and ‖ parallel composition of systems; in F · N, F stands for the corresponding set of feasible complexity bounds.)

Note: The usual poly-time notions (i.e., n^{O(1)}) are of course composable, but so are many other notions, e.g. n^{O(log log n)} or n^{O(√(log log log n))}.
Levels of abstraction in cryptography (overview slide repeated; see the table above)
Discrete systems [4]

[figure: system S taking inputs X_1, X_2, ... and producing outputs Y_1, Y_2, ...]

Description of S: figure, pseudo-code, text, ...

What kind of mathematical object is the behavior of S?

Characterized by the conditional distributions  p^S_{Y_i | X^i Y^{i-1}}  for i = 1, 2, ...
(where X^i = (X_1, ..., X_i) and Y^{i-1} = (Y_1, ..., Y_{i-1}); the slide abbreviates this to p^S_{Y_i | X^i}).
This abstraction is called a random system [Mau02].

Equivalence of systems: S ≡ T if they have the same behavior, i.e. the same conditional distributions for every i.
Games [4]

[figure: system S with inputs X_1, X_2, ..., outputs Y_1, Y_2, ..., and an additional monotone binary output (MBO) A_1, A_2, ..., which stays 0 up to some query i and is 1 from then on ("game won"); a distinguisher D interacts with S]

Characterized by:  p^S_{Y_i A_i | X^i}  for i = 1, 2, ...

Conditional equivalence:  S|A ≡ T  :⇔  p^S_{Y_i | X^i A_i} = p^T_{Y_i | X^i}
(conditioned on A_i = 0, i.e. on the game not yet being won)

Lemma [M02]: S|A ≡ T ⇒ Δ(S, T) ≤ optimal probability of provoking the MBO non-adaptively in S (same number of queries).

PRP-PRF switching lemma:
[figure: random function R and random permutation P, each with inputs X_i and outputs Y_i; R is augmented with a collision detector whose MBO A_i becomes 1 once two outputs collide]
R|A ≡ P  ⇒  Δ_k(R, P) ≤ (k choose 2) · 2^{-n}

Similarly simple proof of CBC-MAC security:
(CBC_RF)|A ≡ RO  ⇒  Δ(CBC_RF, RO) ≤ ½ ℓ² 2^{-n}
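The switching-lemma argument above, carried out concretely as an added example (this is editorial code, not from the slides or from [M02]): a random function R and a random permutation P are sampled lazily, the MBO is the collision detector, the brute-force check shows that R conditioned on "no collision" has exactly P's output distribution for a tiny n, and a Monte Carlo run checks that the collision distinguisher's advantage stays below (k choose 2)·2^{-n}. The block sizes n, query counts k, seeds and trial counts are illustrative choices.

```python
"""
Added example, not from the slides: the PRP-PRF switching lemma made concrete.

R is a uniform random function {0,1}^n -> {0,1}^n, P a uniform random permutation.
The monotone binary output A_i ("collision detector") flips from 0 to 1 as soon as
two distinct queries to R return the same value.  As long as A_i = 0, R is
distributed exactly like P (R|A ≡ P), so by the lemma
    Δ_k(R, P) ≤ Pr[collision among k queries to R] ≤ C(k, 2) * 2^-n.
The parameters n, k, seed and trial counts used below are illustrative choices.
"""
import itertools
import random
from fractions import Fraction
from math import comb
from typing import Dict, List


def switching_bound(k: int, n: int) -> Fraction:
    """The slide's bound binom(k, 2) * 2^-n (union bound over the C(k, 2) query pairs)."""
    return Fraction(comb(k, 2), 2 ** n)


def exact_collision_prob(k: int, n: int) -> Fraction:
    """Exact Pr[some two of k distinct queries to R collide] = 1 - prod_{i<k} (1 - i/2^n)."""
    size = 2 ** n
    no_collision = Fraction(1)
    for i in range(k):
        no_collision *= Fraction(size - i, size)
    return 1 - no_collision


def conditional_equivalence_holds(k: int, n: int) -> bool:
    """
    Brute-force check of R|A ≡ P for tiny n: enumerate all output tuples of R on k
    distinct inputs, discard those where the MBO fired (a collision), and compare the
    support with P's output tuples.  R conditioned on "no collision" and P are both
    uniform on their support, so equal supports means equal distributions.
    """
    size = 2 ** n
    r_no_collision = {t for t in itertools.product(range(size), repeat=k) if len(set(t)) == k}
    p_outputs = set(itertools.permutations(range(size), k))
    return r_no_collision == p_outputs


def query_random_function(rng: random.Random, n: int, k: int) -> List[int]:
    """Outputs of a lazily sampled random function on the k distinct inputs 0..k-1."""
    table: Dict[int, int] = {}
    for x in range(k):
        table.setdefault(x, rng.getrandbits(n))
    return [table[x] for x in range(k)]


def query_random_permutation(rng: random.Random, n: int, k: int) -> List[int]:
    """Outputs of a lazily sampled random permutation: every new output avoids earlier ones."""
    outputs: List[int] = []
    for _ in range(k):
        y = rng.getrandbits(n)
        while y in outputs:
            y = rng.getrandbits(n)
        outputs.append(y)
    return outputs


def collision_distinguisher(outputs: List[int]) -> int:
    """D outputs 1 ("this is R") iff the MBO was provoked, i.e. a collision is visible."""
    return int(len(set(outputs)) < len(outputs))


def estimate_advantage(k: int, n: int, trials: int, seed: int = 1) -> float:
    """
    Monte Carlo estimate of D's advantage Pr[D(R) = 1] - Pr[D(P) = 1].  P never collides,
    so the advantage equals Pr[collision in R], which is also the statistical distance
    of the two output-tuple distributions, i.e. the optimal k-query advantage.  It must
    therefore stay below the bound C(k, 2) * 2^-n (up to sampling noise).
    """
    rng = random.Random(seed)
    hits_r = sum(collision_distinguisher(query_random_function(rng, n, k)) for _ in range(trials))
    hits_p = sum(collision_distinguisher(query_random_permutation(rng, n, k)) for _ in range(trials))
    return (hits_r - hits_p) / trials


if __name__ == "__main__":
    n, k = 8, 10
    print(f"n={n}, k={k}: bound C(k,2)/2^n = {float(switching_bound(k, n)):.4f}, "
          f"exact Pr[collision] = {float(exact_collision_prob(k, n)):.4f}, "
          f"simulated advantage = {estimate_advantage(k, n, trials=20000):.4f}")
    print("R|A ≡ P verified by enumeration for n=2, k=3:", conditional_equivalence_holds(3, 2))
```

The enumeration in `conditional_equivalence_holds` is the content of "R|A ≡ P": once the tuples on which the MBO fired are removed, nothing distinguishes R from P, so all of the advantage has to come from provoking the MBO, which is what `estimate_advantage` measures and `switching_bound` bounds.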
Levels of abstraction in cryptography (overview slide repeated; see the table above)
Abstract Cryptography (with Renato Renner) [1-3]

Goals:
• capture the constructive security paradigm at the high(est) abstraction level
• define the strongest possible reduction between resources
• see other frameworks as special cases
  – universal composability (UC) by Canetti
  – reactive simulatability by Pfitzmann/Waidner/Backes
  – indifferentiability [MRH04]
• capture scenarios that could previously not be modeled.
Resources and isomorphisms [2]

[figure: resources drawn as game trees for Alice and Bob. Alice chooses from {1,2}, Bob from {1,2,3}, and the leaves carry payouts (values 3, 5, 7, 8). A first comparison asks "≅ ?" for two trees with the same shape but different payout labels. A second comparison shows the original tree next to one in which Bob's choices are relabeled {a,b,c}, the branches are permuted and the payouts rearranged; these two are isomorphic (≅). Isomorphism criterion shown on the slide: complete local relations.]
Abstract multi-party setting [3]

[figure: a resource R with four interfaces, labeled 1, 2, 3, 4]