An example of Game based proof: OAEP-IND-CPA (B. Grégoire, T. Rezk), PowerPoint presentation



  1. An example of Game based proof: OAEP-IND-CPA. B. Grégoire, T. Rezk. November 14, 2008.

  2. Background
     A trapdoor-permutation generator with associated security parameter k is a randomized algorithm F that returns a pair (f, f⁻¹) where:
       f : {0,1}^k → {0,1}^k is the encoding of a permutation;
       f⁻¹ : {0,1}^k → {0,1}^k is the encoding of the inverse of f, i.e. f⁻¹(f(x)) = x and f(f⁻¹(x)) = x.
     The advantage of an adversary I in inverting F is
       $\mathrm{Adv}^{\mathrm{owf}}_F(I) = \Pr_{G_{\mathrm{owf}}}[x = f^{-1}(y)]$
     where
       Game G_owf :
         (f, f⁻¹) ← F(k);
         y ←$ {0,1}^k;
         x ← I(f, y)

  3. Background: OAEP
     Let ρ < k. The key generation of the asymmetric encryption scheme OAEP_ρ[F] is F: f is the public key and f⁻¹ the secret key. The encryption and decryption algorithms have oracles G : {0,1}^ρ → {0,1}^{k−ρ} and H : {0,1}^{k−ρ} → {0,1}^ρ and work as follows:

       E^{G,H}_f(M) =                /* M ∈ {0,1}^{k−ρ} */
         R ←$ {0,1}^ρ;
         S ← G(R) ⊕ M;
         T ← H(S) ⊕ R;
         Y ← f(S ∥ T);
         return Y

       D^{G,H}_{f⁻¹}(Y) =            /* Y ∈ {0,1}^k */
         X ← f⁻¹(Y);
         S, T ← X|_{k−ρ};            /* S is the first k−ρ bits of X, T the remaining ρ bits */
         R ← H(S) ⊕ T;
         M ← G(R) ⊕ S;
         return M

  4. Background: IND-CPA
     An asymmetric encryption scheme is composed of three algorithms: key generation KG(k), where k is the security parameter; encryption E(pk, m), where pk is a public key and m a plaintext; and decryption, which is not relevant here.
     An asymmetric encryption scheme is said to be semantically secure (equivalently, IND-CPA secure) if it is infeasible to gain significant information about a plaintext given only a corresponding ciphertext and the public key. This is formally defined using the following game, where A and A′ are allowed to share state via global variables and are thus regarded as a single adaptive adversary:

       Game IND-CPA :
         (sk, pk) ← KG(k);
         (m_0, m_1) ← A(pk);
         b ←$ {0,1};
         γ ← E(pk, m_b);
         b′ ← A′(pk, γ)

  5. IND-CPA security of OAEP
     For PPT adversaries A and A′ making together at most q_G queries to G,
       $\left|\Pr_{\mathrm{IND\text{-}CPA}_{\mathrm{OAEP}}}[b = b'] - \tfrac{1}{2}\right| \;\le\; \Pr_{G_f}[x = f^{-1}(y)] + \frac{q_G}{2^{\rho}}$
     where $\Pr_{G_f}[x = f^{-1}(y)]$ is the probability of an adversary inverting f on a random element of its codomain, i.e. the advantage $\mathrm{Adv}^{\mathrm{owf}}_f(G_f)$ of an adversary G_f at inverting f.

  6. The Random Oracle Model
     Many cryptographic schemes use hash functions (MD5, the American standards SHA-1 and SHA-256, ...). Originally this served to sign long messages with a short signature; later, hash functions became a main ingredient of encryption schemes.
     The random oracle model assumes that a hash function can be formalized by an oracle producing a fresh random value for each new query:

       Oracle O(x) :
         if x ∉ dom(L) then
           y ←$ {0,1}^η;
           L ← (x, y) :: L
         return L[x]

     The random oracle model provides security of the overall design of the scheme against adversaries that do not exploit vulnerabilities in the hash function.

  7. Building the adversary
     The inverter I runs the IND-CPA adversary on the challenge y, simulating H honestly (lazy sampling into L_H) and simulating G with the oracle G_I below, which watches the G queries for the one that reveals the preimage of y.

       I(y) =
         L_G ← []; L_H ← [];
         Y′ ← y;
         ST′ ← y;
         M ← A();
         b′ ← A′(Y′);
         return ST′

       G_I(r) =
         if ∃ (s, H_s) ∈ L_H such that f(s ∥ (H_s ⊕ r)) = Y′ then
           ST′ ← s ∥ (H_s ⊕ r);
         if r ∉ dom(L_G) then
           G_r ←$ {0,1}^{k−ρ};
           L_G ← (r, G_r) :: L_G;
         return L_G[r]
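The scheme of slide 3, the lazily sampled oracle of slide 6 and the inverter of slide 7, exercised end to end as an added example (not code from the slides or from the authors' formalization). It assumes a toy trapdoor permutation, a seeded random permutation table on {0,1}^12 whose inverse table plays f⁻¹, which is not one-way but is enough to drive the reduction: an A′ that brute-forces f⁻¹ and then follows D's query pattern, H(S′) before G(R′), lets I recover f⁻¹(y) from the oracle transcript alone, while an A′ that hammers G on all 2^ρ inputs before touching H (q_G = 2^ρ) breaks the scheme without I learning anything, which is the q_G/2^ρ term of slide 5 at its vacuous value. Names (trapdoor_perm_gen, RandomOracle, inverter, the two A′ variants) are this example's own.

```python
import random
from typing import Dict, Optional, Tuple

K, RHO = 12, 4            # toy sizes: f on {0,1}^12, R in {0,1}^4, plaintexts in {0,1}^8

def trapdoor_perm_gen(seed: int):
    """Toy F(k): a seeded random permutation table f and its inverse table f^-1.
    Not one-way at this size; it only exercises the scheme and the reduction."""
    table = list(range(1 << K))
    random.Random(seed).shuffle(table)
    inv = [0] * (1 << K)
    for x, y in enumerate(table):
        inv[y] = x
    return table.__getitem__, inv.__getitem__

class RandomOracle:
    """Lazily sampled oracle O(x) of slide 6: a fresh x gets y <-$ {0,1}^eta, recorded in L."""
    def __init__(self, eta: int, rng: random.Random):
        self.eta, self.rng, self.L = eta, rng, {}   # self.L plays the role of L_G / L_H
    def __call__(self, x: int) -> int:
        if x not in self.L:
            self.L[x] = self.rng.getrandbits(self.eta)
        return self.L[x]

def split(x: int) -> Tuple[int, int]:   # X|_{k-rho}: S = top k-rho bits, T = low rho bits
    return x >> RHO, x & ((1 << RHO) - 1)

def join(s: int, t: int) -> int:        # S || T
    return (s << RHO) | t

def oaep_encrypt(f, G, H, m: int, rng: random.Random) -> int:   # E^{G,H}_f(M), slide 3
    r = rng.getrandbits(RHO)
    s = G(r) ^ m
    t = H(s) ^ r
    return f(join(s, t))

def oaep_decrypt(f_inv, G, H, y: int) -> int:                  # D^{G,H}_{f^-1}(Y), slide 3
    s, t = split(f_inv(y))
    r = H(s) ^ t
    return G(r) ^ s

def inverter(f, y: int, adv_A, adv_A2, seed: int) -> Optional[int]:
    """I(y) of slide 7: run (A, A') on Y' = y with H honest and G replaced by G_I, which
    watches for a query r such that a recorded (s, H_s) gives f(s || (H_s XOR r)) = Y'.
    The adversary's output b' is ignored; ST' starts as None rather than the slide's y."""
    rng = random.Random(seed)
    H = RandomOracle(RHO, rng)
    LG: Dict[int, int] = {}
    found: Dict[str, Optional[int]] = {"ST": None}
    def G_I(r: int) -> int:
        for s, hs in H.L.items():
            if f(join(s, hs ^ r)) == y:
                found["ST"] = join(s, hs ^ r)
        if r not in LG:
            LG[r] = rng.getrandbits(K - RHO)
        return LG[r]
    adv_A(f)                  # (m0, m1) <- A(): I does not need the messages
    adv_A2(f, G_I, H, y)      # b' <- A'(Y')
    return found["ST"]

def A_pick_messages(f) -> Tuple[int, int]:
    return 0x00, 0xA5

def A2_decrypt_then_query(f, G, H, y: int) -> int:
    """A' that breaks the toy scheme by brute-forcing f^-1, then follows D: H(S') is
    queried before G(R'), so G_I finds (S', H_S') in L_H at the G(R') query and wins."""
    x = next(x for x in range(1 << K) if f(x) == y)
    s, t = split(x)
    return G(H(s) ^ t) ^ s

def A2_query_all_G_first(f, G, H, y: int) -> int:
    """A' that also decrypts but asks G on all 2^rho inputs before touching H: it surely
    queries R', yet at that moment L_H is empty, so G_I's check cannot fire. With
    q_G = 2^rho the q_G / 2^rho term of slide 5 equals 1, which is exactly this case."""
    table = {r: G(r) for r in range(1 << RHO)}   # remembered so G is never re-queried
    x = next(x for x in range(1 << K) if f(x) == y)
    s, t = split(x)
    return table[H(s) ^ t] ^ s

def run(seed: int = 7) -> Tuple[bool, bool, bool]:
    """(D and both A' recover the plaintext, I wins with A2_decrypt_then_query,
    I wins with A2_query_all_G_first)."""
    f, f_inv = trapdoor_perm_gen(seed)
    rng = random.Random(seed + 1)
    G, H = RandomOracle(K - RHO, rng), RandomOracle(RHO, rng)
    c = oaep_encrypt(f, G, H, 0xA5, rng)
    decrypts = (oaep_decrypt(f_inv, G, H, c) == 0xA5 and A2_decrypt_then_query(f, G, H, c) == 0xA5
                and A2_query_all_G_first(f, G, H, c) == 0xA5)
    y = random.Random(seed + 2).getrandbits(K)      # y <-$ {0,1}^k as in G_owf
    x1 = inverter(f, y, A_pick_messages, A2_decrypt_then_query, seed + 3)
    x2 = inverter(f, y, A_pick_messages, A2_query_all_G_first, seed + 3)
    return decrypts, x1 is not None and f(x1) == y, x2 is not None and f(x2) == y

if __name__ == "__main__":
    print(run())   # (True, True, False)
```

The second adversary is the reason the bound is not simply the inverting advantage: a G query at R′ made while H(S′) is still unqueried carries no information for I, and the proof charges each such query 2^−ρ.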

  8. The initial game: Game 0

       Game 0 =
         L_G ← []; L_H ← [];
         (m_0, m_1) ← A();
         b ←$ {0,1};
         Y′ ← E(m_b);
         b′ ← A′(Y′)

       H_0(s) =
         if s ∉ dom(L_H) then
           H_s ←$ {0,1}^ρ;
           L_H ← (s, H_s) :: L_H
         else H_s ← L_H[s]
         return H_s

       G_0(r) =
         if r ∉ dom(L_G) then
           G_r ←$ {0,1}^{k−ρ};
           L_G ← (r, G_r) :: L_G
         else G_r ← L_G[r]
         return G_r

     We want to bound the difference
       $\left|\Pr_{\text{Game }0}[b = b'] - \tfrac{1}{2}\right|$
     To do so we should remove the dependency of the game on b and m_b.

  9. Building the proof: First transition
     Inlining of E:

       Game 0 =                        Game 1 =
         L_G ← [];                       L_G ← [];
         L_H ← [];                       L_H ← [];
         (m_0, m_1) ← A();               (m_0, m_1) ← A();
         b ←$ {0,1};                     b ←$ {0,1};
                                         R′ ←$ {0,1}^ρ;
                                         G_r ← G(R′);
                                         S′ ← G_r ⊕ m_b;
                                         H_e ← H(S′);
                                         T′ ← H_e ⊕ R′;
         Y′ ← E(m_b);                    Y′ ← f(S′ ∥ T′);
         b′ ← A′(Y′)                     b′ ← A′(Y′)

  10. Optimistic sampling

       G_r ←$ {0,1}^{k−ρ}; S′ ← G_r ⊕ m_b     ≃     S′ ←$ {0,1}^{k−ρ}; G_r ← S′ ⊕ m_b

     The two fragments induce the same joint distribution on (G_r, S′): for fixed m_b the map x ↦ x ⊕ m_b is a bijection on {0,1}^{k−ρ}, so sampling one of the two values uniformly and computing the other gives the same distribution whichever one is sampled.
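The optimistic sampling step checked exhaustively on small word sizes, as an added example (not from the slides). It enumerates both fragments of slide 10 over all coins and all messages m and compares the resulting joint distributions of (G_r, S′) as exact counts; it also shows what the step relies on by swapping ⊕ for a non-bijective operation (bitwise AND), after which the rewrite is unsound. Function names are this example's own.

```python
from collections import Counter
from typing import Callable

def left_program(n: int, m: int) -> Counter:
    """G_r <-$ {0,1}^n; S' <- G_r XOR m.  Joint distribution of (G_r, S') as counts,
    every entry having probability count / 2^n."""
    return Counter((g, g ^ m) for g in range(1 << n))

def right_program(n: int, m: int) -> Counter:
    """S' <-$ {0,1}^n; G_r <- S' XOR m.  Same pair, sampled the other way round."""
    return Counter((s ^ m, s) for s in range(1 << n))

def optimistic_sampling_holds(n: int) -> bool:
    """Exact check, for every message m, that both programs give the same distribution."""
    return all(left_program(n, m) == right_program(n, m) for m in range(1 << n))

def marginal_of_S(n: int, m: int, op: Callable[[int, int], int] = lambda g, m: g ^ m) -> Counter:
    """Distribution of S' alone when S' <- op(G_r, m) with G_r uniform."""
    return Counter(op(g, m) for g in range(1 << n))

def s_is_uniform(n: int, m: int) -> bool:
    """With XOR, S' is uniform whatever m is: this is what lets the proof later drop m_b."""
    dist = marginal_of_S(n, m)
    return len(dist) == (1 << n) and all(c == 1 for c in dist.values())

def and_breaks_it(n: int, m: int) -> bool:
    """Replacing XOR by AND: g -> g & m is a bijection only when m is all ones, otherwise
    S' is no longer uniform and 'sample S' first' would change the distribution."""
    return marginal_of_S(n, m, lambda g, m: g & m) != marginal_of_S(n, m)
```

The Counter comparison is the operational meaning of the ≃ on slide 10: two probabilistic program fragments are equivalent when, for every initial state (here: every m), they induce the same distribution on the variables that matter afterwards.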

  11. Building the proof: First transition
     The value G(R′) is sampled eagerly at the start of the game and the oracle is patched to return it on the query R′.

       Game 0 =                        Game 1 =
         L_G, L_H ← [];                  L_G, L_H ← [];
                                         R′ ←$ {0,1}^ρ;
                                         G_{R′} ←$ {0,1}^{k−ρ};
         (m_0, m_1) ← A();               (m_0, m_1) ← A();
         b ←$ {0,1};                     b ←$ {0,1};
                                         G_r ← G(R′);
                                         S′ ← G_r ⊕ m_b;
                                         H_e ← H(S′);
                                         T′ ← H_e ⊕ R′;
         Y′ ← E(m_b);                    Y′ ← f(S′ ∥ T′);
         b′ ← A′(Y′)                     b′ ← A′(Y′)

       G_1(r) =
         if r ∉ dom(L_G) then
           if r = R′ then G_r ← G_{R′}
           else G_r ←$ {0,1}^{k−ρ};
           L_G ← (r, G_r) :: L_G
         else G_r ← L_G[r]
         return G_r

     Remark: in Game 1 we have G(R′) = G_{R′} (invariant). We would like to apply optimistic sampling to remove the dependency on b, but G_{R′} is still used in G_1. We will use the failure event.

  12. Second transition

       Game 1 =                        Game 2 =
                                         bad ← false;
         L_G, L_H ← [];                  L_G, L_H ← [];
         R′ ←$ {0,1}^ρ;                  R′ ←$ {0,1}^ρ;
         G_{R′} ←$ {0,1}^{k−ρ};          G_{R′} ←$ {0,1}^{k−ρ};
         (m_0, m_1) ← A();               (m_0, m_1) ← A();
         b ←$ {0,1};                     b ←$ {0,1};
         G_r ← G(R′);                    /* G_r ← G_{R′} */
         S′ ← G_r ⊕ m_b;                 S′ ← G_{R′} ⊕ m_b;
         H_e ← H(S′);                    H_e ← H(S′);
         T′ ← H_e ⊕ R′;                  T′ ← H_e ⊕ R′;
         Y′ ← f(S′ ∥ T′);                Y′ ← f(S′ ∥ T′);
         b′ ← A′(Y′)                     b′ ← A′(Y′)

       G_2(r) =
         if r = R′ then
           bad ← true;
           G_r ← G_{R′}
         else if r ∉ dom(L_G) then
           G_r ←$ {0,1}^{k−ρ};
           L_G ← (r, G_r) :: L_G
         else G_r ← L_G[r]
         return G_r

  13. Invariant used for the transition
     In Game 1, if R′ ∈ dom(L_G) then L_G[R′] = G_{R′}.
     In the two games the association lists L_G are equal except at R′ (Game 2 never records R′, but answers G_{R′} for it directly).
     Under this invariant the two versions of the oracle, G_1 and G_2, are equivalent, and so are the two games.

  14. Fundamental lemma
     Two programs Game 1 and Game 2 are equivalent up to a failure event bad if, for every event P,
       $\Pr_{\text{Game }1}[P \wedge \neg\mathsf{bad}] = \Pr_{\text{Game }2}[P \wedge \neg\mathsf{bad}]$
     Remark: there is a syntactic test to check this notion of equivalence.
     Corollary 1: $\Pr_{\text{Game }1}[\neg\mathsf{bad}] = \Pr_{\text{Game }2}[\neg\mathsf{bad}]$
     Corollary 2: $\Pr_{\text{Game }1}[\mathsf{bad}] = \Pr_{\text{Game }2}[\mathsf{bad}]$ (if Game 1 and Game 2 are lossless)
     Corollary 3 (Fundamental lemma): $\forall S.\; \left|\Pr_{\text{Game }1}[S] - \Pr_{\text{Game }2}[S]\right| \le \Pr_{\text{Game }1,2}[\mathsf{bad}]$, the right-hand side being the same in either game by Corollary 2.

  15. Using the fundamental lemma

       G_2(r) =                        G_3(r) =
         if r = R′ then                  if r = R′ then
           bad ← true;                     bad ← true;
           G_r ← G_{R′}                    body of G_0
         else body of G_0                else body of G_0
         return G_r                      return G_r

     The two oracles are equivalent up to bad. Let Game 2′ be the main of Game 2 using G_3. We have
       $\Pr_{\text{Game }0}[b = b'] = \Pr_{\text{Game }2}[b = b']$
     and by the fundamental lemma
       $\left|\Pr_{\text{Game }2}[b = b'] - \Pr_{\text{Game }2'}[b = b']\right| \le \Pr_{\text{Game }2'}[\mathsf{bad}]$
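The fundamental lemma of slide 14 worked on the very oracle pair of slide 15, as an added example (not from the slides). It assumes a single adversary query r to G, with r taken uniform in {0,1}^ρ for the enumeration (an assumption made for the demo; a real adversary chooses r), R′ and G_{R′} uniform as in Game 2, and a fresh sample v for the "body of G_0" branch with an empty L_G. Exact probabilities are computed with fractions so that the identity Pr[S ∧ ¬bad] and the inequality |Pr₁[S] − Pr₂[S]| ≤ Pr[bad] can be checked rather than estimated. Function names are this example's own.

```python
from fractions import Fraction
from itertools import product
from typing import Tuple

def one_query_game(rho: int, n: int, reuse_G_Rprime: bool) -> Tuple[Fraction, Fraction, Fraction]:
    """Enumerate all coins of one query to G_2 (reuse_G_Rprime=True) or G_3 (False).
    Coins: R' <-$ {0,1}^rho, G_R' <-$ {0,1}^n, the query r <-$ {0,1}^rho (demo assumption),
    and the fresh value v <-$ {0,1}^n drawn by 'body of G_0'.
    Event S: the oracle's answer equals G_R'.  Returns (Pr[S], Pr[S and not bad], Pr[bad])."""
    weight = Fraction(1, (1 << rho) * (1 << n) * (1 << rho) * (1 << n))
    p_S = p_S_nobad = p_bad = Fraction(0)
    for Rp, GRp, r, v in product(range(1 << rho), range(1 << n), range(1 << rho), range(1 << n)):
        bad = (r == Rp)                                  # both oracles set bad on r = R'
        answer = GRp if (bad and reuse_G_Rprime) else v  # G_2 returns G_R', G_3 samples fresh
        S = (answer == GRp)
        p_S += weight * S
        p_S_nobad += weight * (S and not bad)
        p_bad += weight * bad
    return p_S, p_S_nobad, p_bad

def fundamental_lemma_check(rho: int, n: int) -> bool:
    """Corollary 2 and Corollary 3 of slide 14 on this pair, plus the defining equality."""
    s2, sn2, bad2 = one_query_game(rho, n, True)    # Game with G_2
    s3, sn3, bad3 = one_query_game(rho, n, False)   # Game with G_3
    same_outside_bad = (sn2 == sn3)                 # Pr[S and not bad] agrees
    same_bad = (bad2 == bad3)                       # both games are lossless here
    return same_outside_bad and same_bad and abs(s2 - s3) <= bad2

def gap_and_bound(rho: int, n: int) -> Tuple[Fraction, Fraction]:
    """(|Pr_2[S] - Pr_3[S]|, Pr[bad]) so the slack in the lemma can be seen."""
    s2, _, bad = one_query_game(rho, n, True)
    s3, _, _ = one_query_game(rho, n, False)
    return abs(s2 - s3), bad
```

With ρ = n = 3 the gap is 7/64 against a bound of 1/8 = 8/64: the lemma is tight up to the chance that the fresh sample of G_3 coincides with G_{R′} anyway.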

  16. Now G_{R′} is not used in the oracle, so its sampling can be moved into the main program and optimistic sampling applies. After that, G_{R′} and m_b are not used any more; b is not used any more either, so its sampling moves to the end.

       Game 2′ =                       Game 3 =
         bad ← false;                    bad ← false;
         L_G, L_H ← [];                  L_G, L_H ← [];
         R′ ←$ {0,1}^ρ;                  S′ ←$ {0,1}^{k−ρ};
         G_{R′} ←$ {0,1}^{k−ρ};          R′ ←$ {0,1}^ρ;
         (m_0, m_1) ← A();               (m_0, m_1) ← A();
         b ←$ {0,1};                     H_e ← H(S′);
         S′ ← G_{R′} ⊕ m_b;              T′ ← H_e ⊕ R′;
         H_e ← H(S′);                    Y′ ← f(S′ ∥ T′);
         T′ ← H_e ⊕ R′;                  b′ ← A′(Y′);
         Y′ ← f(S′ ∥ T′);                b ←$ {0,1}
         b′ ← A′(Y′)

     Remark: $\Pr_{\text{Game }2'}[b = b'] = \Pr_{\text{Game }3}[b = b'] = \tfrac{1}{2}$, since in Game 3 the bit b is sampled after b′ is fixed.
     So:
       $\left|\Pr_{\text{Game }0}[b = b'] - \tfrac{1}{2}\right| \le \Pr_{\text{Game }2'}[\mathsf{bad}] = \Pr_{\text{Game }3}[\mathsf{bad}]$

  17. Bounding the probability of bad
     We should now express the probability of bad in Game 3 as a function of the success probability of the inverter I. b is not used any more, so we remove it. In the inverter game, Y′ is set to a random value, so we should randomize Y′ in Game 3 (and hence T′).
