Automatic Proofs for Symmetric Encryption Modes (PowerPoint presentation)

Martin Gagné¹, Pascal Lafourcade¹, Yassine Lakhnech¹, Reihaneh Safavi-Naini². ¹Université Grenoble 1, CNRS, Verimag, France. ²Department of Computer Science, University of Calgary, Canada.


  1. Automatic Proofs for Symmetric Encryption Modes. Martin Gagné¹, Pascal Lafourcade¹, Yassine Lakhnech¹, Reihaneh Safavi-Naini². ¹Université Grenoble 1, CNRS, Verimag, France. ²Department of Computer Science, University of Calgary, Canada. ASIAN 2009, Seoul. [Slide footer: Martin Gagné, Pascal Lafourcade, Yassine Lakhnech, Reihaneh Safavi-Naini (Université Grenoble 1, CNRS, Verimag, France), 1 / 1, Automatic Proofs for Symmetric Encryption Modes]

  2–4. Indistinguishability and Symmetric Encryption Modes (slides 2–4 repeat this title; slide 4 adds the mode names ECB, CBC, OFB, ...).

  5. Block Cipher Modes. PRP E → Encryption Mode → IND-CPA. NIST standard: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher FeedBack mode (CFB), Output FeedBack (OFB), and Counter mode (CTR). Others: DMC, CBC-MAC, IACBC, IAPM, XCB, TMAC, HCTR, HCH, EME, EME*, PEP, OMAC, TET, CMC, GCM, EAX, XEX, TAE, TCH, TBC, CCM, ABL4.

  6. Block Cipher Modes, example: Cipher Block Chaining (CBC). C_i = E(P_i ⊕ C_{i−1}), C_0 = IV.

  7. CBC and others (each mode written out for three blocks):
     CBC: IV ←$ U; z_1 := IV ⊕ m_1; c_1 := E(z_1); z_2 := c_1 ⊕ m_2; c_2 := E(z_2); z_3 := c_2 ⊕ m_3; c_3 := E(z_3);
     CTR: IV ←$ U; z_1 := E(IV + 1); c_1 := m_1 ⊕ z_1; z_2 := E(IV + 2); c_2 := m_2 ⊕ z_2; z_3 := E(IV + 3); c_3 := m_3 ⊕ z_3;
     OFB: IV ←$ U; z_1 := E(IV); c_1 := m_1 ⊕ z_1; z_2 := E(z_1); c_2 := m_2 ⊕ z_2; z_3 := E(z_2); c_3 := m_3 ⊕ z_3;
     CFB: IV ←$ U; z_1 := E(IV); c_1 := m_1 ⊕ z_1; z_2 := E(c_1); c_2 := m_2 ⊕ z_2; z_3 := E(c_2); c_3 := m_3 ⊕ z_3;

  8. Outline.

  9. How to prove that an encryption mode is IND-CPA? Our approach: an automated method for proving the correctness of encryption modes. Language: generic encryption modes. Predicates: F, E, Indis, RCounter. Hoare logic: 20 rules. Result: if a generic encryption mode E_M is correct according to our Hoare logic, then E_M is IND-CPA.

  10. Grammar. c ::= x ←$ U | x := E(y) | x := y ⊕ z | x := y ∥ z | x := y + 1 | c_1; c_2

  11. Generic Encryption Mode. Definition: a generic encryption mode M is represented by E_M(m_1 | ... | m_p, c_0 | ... | c_p): var x⃗; c. Example: E_CBC(m_1 | m_2 | m_3, IV | c_1 | c_2 | c_3): var z_1, z_2, z_3; IV ←$ U; z_1 := IV ⊕ m_1; c_1 := E(z_1); z_2 := c_1 ⊕ m_2; c_2 := E(z_2); z_3 := c_2 ⊕ m_3; c_3 := E(z_3);

  12. Predicates. ψ ::= Indis(νx; V) | F(e) | E(E, e) | RCounter(e); ϕ ::= true | ϕ ∧ ϕ | ψ. Indis(νx; V): the value of x is indistinguishable from a random value given the values of the variables in V. F(e): the value of e is indistinguishable from a random value that has not been used before. E(E, e): the probability that the value of e has been encrypted by E is negligible. RCounter(e): e is the most recent value of a monotone counter that started at a fresh random value.

  13–14. How to generate E(E, x)? Sampling a random value: (R1) {true} x ←$ U {F(x) ∧ Indis(νx) ∧ E(E, x)}. PRP encryption: (B1) {E(E, y)} x := E(y) {F(x) ∧ Indis(νx) ∧ E(E, x)}.

  15–16. How to generate E(E, x)? Xor: (X4) {F(y)} x := y ⊕ z {E(E, x)} if y ≠ z. Counter: (I1) {F(y)} x := y + 1 {RCounter(x) ∧ E(E, x)}; (I2) {RCounter(y)} x := y + 1 {RCounter(x) ∧ E(E, x)}.

  17. 20 Rules, grouped by the command they apply to:
     x ←$ U: (R1) (R2)
     x := E(y): (B1) (B2) (B3) (B4) (B5)
     x := y ⊕ z: (X1) (X2) (X3) (X4)
     x := y ∥ z: (C1) (C2)
     x := y + 1: (I1) (I2) (I3)
     (G1) (G2) (G3) (G4) (not tied to a single command)

  18. How to prove that a Generic Encryption Mode is IND-CPA? Theorem: let E_M(m_1 | ... | m_p, c_0 | ... | c_p): var x⃗; c be a generic encryption mode. Then E_M is IND-CPA secure if {true} c {⋀_{i=0}^{p} Indis(νc_i; m_1, ..., m_p, c_0, ..., c_p)} is valid.

  19. Example: CBC. E_CBC(m_1 | m_2 | m_3, IV | c_1 | c_2 | c_3): var IV, z_1, z_2, z_3;
     IV ←$ U;           Indis(νIV; Var) ∧ F(IV)   (R1)
     z_1 := IV ⊕ m_1;   Indis(νIV; Var − z_1) ∧ E(E, z_1)   (X2)(X4)
     c_1 := E(z_1);     Indis(νIV; Var − z_1)   (B2)   ∧ Indis(νc_1; Var) ∧ F(c_1)   (B1)
     z_2 := c_1 ⊕ m_2;  Indis(νIV; Var − z_1)   (G1)   ∧ Indis(νc_1; Var − z_2) ∧ E(E, z_2)   (X2)(X4)
     c_2 := E(z_2);     Indis(νIV; Var − z_1) ∧ Indis(νc_1; Var − z_2)   (B2)   ∧ Indis(νc_2; Var) ∧ F(c_2)   (B1)
     z_3 := c_2 ⊕ m_3;  Indis(νIV; Var − z_1) ∧ Indis(νc_1; Var − z_2)   (G1)   ∧ Indis(νc_2; Var − z_3) ∧ E(E, z_3)   (X2)(X4)
     c_3 := E(z_3);     Indis(νIV; Var − z_1) ∧ Indis(νc_1; Var − z_2)   (B2)   ∧ Indis(νc_3; Var) ∧ Indis(νc_2; Var − z_3)   (B1)
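As an added example (not the authors' OCaml prototype and not code from the slides), the Python below mechanically applies the rules of slides 13–18 to the CBC program of slide 11, to the ECB program the tool rejects on slide 20, and to a constructed leaky mode. It assumes a simplified reading of X2, B2 and G1 as the frame behaviour visible in the slide-19 annotations; X1–X3, C1–C2 and I1–I3 are not modelled, so CTR, OFB and CFB are out of its reach, and the function and variable names are mine.

```python
# Added example, not the authors' OCaml prototype: forward propagation of the
# predicates F, E and Indis through programs of the generic-mode grammar, using
# the rules shown on the slides (R1, B1, X4) plus the frame behaviour that the
# CBC proof on slide 19 attributes to X2, B2 and G1 (an assumed reading).
# Encoding: F(x) -> ("F", x); E(E, x) -> ("E", x); Indis(nu x; Var - S) -> ("Indis", x, S).

def step(preds, cmd):
    """Apply the rule for one command; return None if its precondition fails."""
    op, x, *args = cmd
    out = {p for p in preds if p[1] != x}        # assigning x drops facts about x
    if op == "rand":                               # (R1)  x <-$ U
        out |= {("F", x), ("E", x), ("Indis", x, frozenset())}
    elif op == "enc":                              # (B1)  x := E(y), needs E(E, y)
        (y,) = args
        if ("E", y) not in preds:
            return None                            # "precondition is not true"
        out -= {("E", y), ("F", y)}                # y has now been encrypted
        out |= {("F", x), ("E", x), ("Indis", x, frozenset())}
    elif op == "xor":                              # (X4)  x := y xor z, needs F(y), y != z
        y, z = args
        if y == z or ("F", y) not in preds:
            return None
        out.discard(("F", y))                      # the fresh value has been used up
        # (X2): Indis(nu y; Var - S) becomes Indis(nu y; Var - (S u {x}))
        out = {("Indis", y, p[2] | {x}) if p[:2] == ("Indis", y) else p for p in out}
        out.add(("E", x))
    else:
        raise ValueError(f"unknown command {op}")
    return out

def prove_ind_cpa(prog, messages, ciphertexts):
    """Slide 18: IND-CPA if every c_i is Indis given all m_j and c_j at the end."""
    preds = set()
    for cmd in prog:
        preds = step(preds, cmd)
        if preds is None:
            return False
    public = set(messages) | set(ciphertexts)
    return all(any(p[:2] == ("Indis", c) and not (p[2] & public) for p in preds)
               for c in ciphertexts)

# Programs from slides 7 and 11 (CBC), slide 5 (ECB) and a constructed leaky mode.
CBC = [("rand", "IV"), ("xor", "z1", "IV", "m1"), ("enc", "c1", "z1"),
       ("xor", "z2", "c1", "m2"), ("enc", "c2", "z2"),
       ("xor", "z3", "c2", "m3"), ("enc", "c3", "z3")]
ECB = [("enc", "c1", "m1"), ("enc", "c2", "m2"), ("enc", "c3", "m3")]
LEAK = [("rand", "IV"), ("xor", "c1", "IV", "m1")]   # IV published next to IV xor m1
MSGS, CTS = ["m1", "m2", "m3"], ["IV", "c1", "c2", "c3"]
```

`prove_ind_cpa(CBC, MSGS, CTS)` reproduces the slide-19 derivation and returns True, while ECB fails at the first `enc` because E(E, m_1) never holds (slide 20) and LEAK fails because X2 records that IV is no longer indistinguishable once c_1 is public.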

  20. Prototype. Implementation of a backward analysis in 1000 lines of OCaml. Examples: CBC, FBC, OFB, CFB are proved IND-CPA; on ECB and its variants our tool fails: the precondition is not true. All examples are immediate (less than one second).

  21. Summary. Generic encryption modes; new predicates; a Hoare logic for proving a generic encryption mode IND-CPA; an OCaml prototype.
