
Abstraction in Cryptography
Ueli Maurer, ETH Zurich
CRYPTO 2009, August 19, 2009

"I can only understand simple things." James Massey


  1-7. Security proof for CBC-MAC [3,4]

  Setting (figure): a distinguisher D interacts either with $\mathrm{CBC}^{\mathrm{AES}}$ (CBC-MAC instantiated with AES) or with a random oracle RO and outputs 0/1.
  To show: $\Delta_{\mathcal{E}}(\mathrm{CBC}^{\mathrm{AES}}, \mathrm{RO}) \approx 0$.

  Triangle inequality:
  $\Delta_{\mathcal{E}}(\mathrm{CBC}^{\mathrm{AES}}, \mathrm{RO}) \le \Delta_{\mathcal{E}}(\mathrm{CBC}^{\mathrm{AES}}, \mathrm{CBC}^{\mathrm{RF}}) + \Delta_{\mathcal{E}}(\mathrm{CBC}^{\mathrm{RF}}, \mathrm{RO})$

  Absorption lemma: $\Delta_{\mathcal{D}}(CS, CT) = \Delta_{\mathcal{D}C}(S, T)$. Proof: $DCS = D(CS) = (DC)S$.
  Hence $\Delta_{\mathcal{E}}(\mathrm{CBC}^{\mathrm{AES}}, \mathrm{CBC}^{\mathrm{RF}}) = \Delta_{\mathcal{E}\,\mathrm{CBC}}(\mathrm{AES}, \mathrm{RF})$.

  Non-expansion lemma: $\mathcal{D}C \subseteq \mathcal{D} \;\Rightarrow\; \Delta_{\mathcal{D}}(CS, CT) \le \Delta_{\mathcal{D}}(S, T)$.
  Since $\mathcal{E}\,\mathrm{CBC} \subseteq \mathcal{E}$: $\Delta_{\mathcal{E}\,\mathrm{CBC}}(\mathrm{AES}, \mathrm{RF}) \le \Delta_{\mathcal{E}}(\mathrm{AES}, \mathrm{RF})$.

  Remaining term: $\Delta(\mathrm{CBC}^{\mathrm{RF}}, \mathrm{RO}) \le \tfrac{1}{2}\,\ell^2\, 2^{-n}$ [4] [BKR94, ...].

  Note: Many security proofs can be phrased at this level of abstraction and become quite simple or even trivial.

  8-9. Levels of abstraction in cryptography

  #   possible name        concepts treated at this level
  1.  Reductions           def. of (universal) composability
  2.  Abstract resources   isomorphism
  3.  Abstract systems     distinguisher, hybrid argument, secure reduction, compos. proof
  4.  Discrete systems     games, equivalence, indistinguishability proofs
  5.  System implem.       complexity, efficiency notion
  6.  Physical models      timing, power, side-channels

  10-18. Efficient, infeasible, negligible [5,3]

  We need notions for
  • the complexity of system implementation
  • what is efficient (for the good guys)
  • what is infeasible (for the bad guys)
  • what is negligible

  $\mathcal{E}$ = set of efficiently implementable systems: $\mathcal{E} \circ \mathcal{E} \subseteq \mathcal{E}$, $\mathcal{E} \| \mathcal{E} \subseteq \mathcal{E}$.
  $\mathcal{F}$ = set of feasibly implementable systems ($\mathcal{E} \subseteq \mathcal{F}$): $\mathcal{F} \circ \mathcal{F} \subseteq \mathcal{F}$, $\mathcal{F} \| \mathcal{F} \subseteq \mathcal{F}$.
  No reason to set $\mathcal{E} = \mathcal{F}$!
  $\mathcal{N}$ = set of negligible functions: $\mathcal{F} \cdot \mathcal{N} \subseteq \mathcal{N}$.

  Note: The usual poly-time notions (i.e., $n^{O(1)}$) are of course composable, but so are many other notions, e.g. $n^{O(\log\log n)}$ or $n^{O(\sqrt{\log\log\log n})}$.


  21-25. Discrete systems [4]

  A system S (figure) takes inputs $X_1, X_2, \ldots$ and produces outputs $Y_1, Y_2, \ldots$.
  Description of S: figure, pseudo-code, text, ...
  What kind of mathematical object is the behavior of S?
  Characterized by: $p^S_{Y_i \mid X^i}$ for $i = 1, 2, \ldots$ (where $X^i = (X_1, \ldots, X_i)$).
  This abstraction is called a random system [Mau02].
  Equivalence of systems: $S \equiv T$ if same behavior.

  26-36. Games [4]

  A game (figure) is a system S that, besides its outputs $Y_1, Y_2, \ldots$, has a monotone binary output (MBO) $A_1, A_2, \ldots$: the $A_i$ start at 0 and can switch to 1 only once; $A_i = 1$ means the game is won. A distinguisher D interacts with S.
  Characterized by: $p^S_{Y_i A_i \mid X^i}$ for $i = 1, 2, \ldots$
  Conditional equivalence: $S|\mathcal{A} \equiv T \;:\Leftrightarrow\; p^S_{Y_i \mid X^i A_i} = p^T_{Y_i \mid X^i}$.
  Lemma [M02]: $S|\mathcal{A} \equiv T \;\Rightarrow\; \Delta(S, T) \le$ optimal prob. of provoking the MBO non-adaptively in S (same # of queries).

  PRP-PRF switching lemma: attach a collision detector (MBO $A_1, A_2, \ldots$) to the random function R and compare with the random permutation P:
  $R|\mathcal{A} \equiv P \;\Rightarrow\; \Delta_k(R, P) \le \binom{k}{2} 2^{-n}$.

  Similarly simple proof of CBC-MAC security:
  $\mathrm{CBC}^{\mathrm{RF}}|\mathcal{A} \equiv \mathrm{RO} \;\Rightarrow\; \Delta(\mathrm{CBC}^{\mathrm{RF}}, \mathrm{RO}) \le \tfrac{1}{2}\,\ell^2\, 2^{-n}$.
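A worked check of the switching-lemma argument on the slides above, written here as an added example (not part of the talk): for tiny n it enumerates every k-query transcript of a random function R and a random permutation P on n-bit strings, confirms that the statistical distance equals the probability of provoking the collision-detector MBO, and compares that with the bound $\binom{k}{2}2^{-n}$.

```python
from fractions import Fraction
from itertools import product
from math import comb, perm


def collision_prob(n: int, k: int) -> Fraction:
    """Probability that k distinct queries to a uniform random function R on
    n-bit strings provoke the collision-detector MBO.  R's outputs are uniform
    whatever the queries are, so a non-adaptive query sequence is optimal."""
    N = 2 ** n
    return 1 - Fraction(perm(N, k), N ** k)


def switching_bound(n: int, k: int) -> Fraction:
    """Union bound over the C(k,2) output pairs: the switching-lemma bound."""
    return Fraction(comb(k, 2), 2 ** n)


def exact_distance(n: int, k: int) -> Fraction:
    """Statistical distance between the k-output transcripts of R (random
    function) and P (random permutation) for fixed distinct inputs, computed
    by brute force over all transcripts (feasible only for tiny n and k)."""
    N = 2 ** n
    pr_r = Fraction(1, N ** k)          # R: every output tuple equally likely
    pr_p = Fraction(1, perm(N, k))      # P: uniform over injective tuples
    total = Fraction(0)
    for ys in product(range(N), repeat=k):
        injective = len(set(ys)) == k
        # R|A = P: conditioned on "no collision" R is uniform over injective
        # tuples exactly like P, so all the distance comes from transcripts
        # in which the MBO fired, i.e. the distance is the collision probability.
        total += abs(pr_r - (pr_p if injective else 0))
    return total / 2


if __name__ == "__main__":
    for n, k in [(2, 3), (3, 4)]:
        print(f"n={n} k={k}: distance={exact_distance(n, k)} "
              f"collision={collision_prob(n, k)} bound={switching_bound(n, k)}")
```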


  39-43. Abstract Cryptography (with Renato Renner) [1-3]

  Goals:
  • capture the constructive security paradigm at high(est) abstraction level
  • define strongest possible reduction between resources
  • see other frameworks as special cases
    – universal composability (UC) by Canetti
    – reactive simulatability by Pfitzmann/Waidner/Backes
    – indifferentiability [MRH04]
  • capture scenarios that could previously not be modeled.

  44-51. Resources and isomorphisms [2]

  [Figures: two-party resources drawn as game trees between Alice and Bob, with choice sets {1,2}, {1,2,3} and {a,b,c} and a payout at each leaf. Question: are two such resources isomorphic (≅)? Isomorphism is established via complete local relations.]

  52. Abstract multi-party setting [3]

  [Figure: a resource R with four interfaces, numbered 1 to 4.]
