Computer-aided cryptographic proofs Gilles Barthe & Yassine Lakhnech IMDEA Software Institute, Madrid, Spain Université Joseph Fourier & CNRS, Grenoble, France Based on joint work with J.M. Crespo, F. Dupressoir, B. Grégoire, C. Kunz, B. Schmidt, P .-Y. Strub, S. Zanella, J.C.B. Almeida, M. Barbosa
Modern cryptography 1949 C. Shannon. Communication theory of secrecy systems . ◮ No practical encryption system is perfectly secure ◮ Scheme − → Attack − → Scheme − → Attack − → . . . ◮ Scheme deemed secure if no attack found for long time 1984 S. Goldwasser and S. Micali. Probabilistic encryption . ◮ Complexity-theoretical approach ◮ Negligible probability to break a scheme in polynomial-time 1994 M. Bellare and P . Rogaway. Optimal Asymmetric Encryption . ◮ Upper bound the probability to break a scheme in time t
Reductionist proof Scheme
Reductionist proof Primitive Scheme
Reductionist proof Primitive Generic construction Scheme
Reductionist proof Primitive Generic construction Scheme Attack
Reductionist proof Primitive Attack Generic construction Scheme Attack
Reductionist proof Primitive Attack Generic Black-box construction reduction Scheme Attack
Reductionist proof Primitive Attack Generic Black-box construction reduction Scheme Attack Ideally attacks have similar execution times
Public-key encryption Algorithms ( K , E pk , D sk ) ◮ E probabilistic ◮ D deterministic and partial Key generation If ( sk , pk ) is a valid key pair, Public Secret key key D sk ( E pk ( m )) = m hello rwxtf hello Encryption Decryption
Public-key encryption Indistinguishability against chosen-ciphertext attacks Game IND-CCA ( A ) ( sk , pk ) ← K (); ( m 0 , m 1 ) ← A 1 ( pk ); b ← { 0 , 1 } ; $ c ⋆ ← E pk ( m b ); b ′ ← A 2 ( c ⋆ ); return ( b ′ = b )
Public-key encryption Indistinguishability against chosen-ciphertext attacks Game IND-CCA ( A ) ( sk , pk ) ← K (); ( m 0 , m 1 ) ← A 1 ( pk ); b ← { 0 , 1 } ; $ c ⋆ ← E pk ( m b ); b ′ ← A 2 ( c ⋆ ); return ( b ′ = b ) m 0 m 1
Public-key encryption Indistinguishability against chosen-ciphertext attacks Game IND-CCA ( A ) ( sk , pk ) ← K (); $ ( m 0 , m 1 ) ← A 1 ( pk ); b ← { 0 , 1 } ; $ b c ⋆ ← E pk ( m b ); b ′ ← A 2 ( c ⋆ ); return ( b ′ = b ) m 0 m 1
Public-key encryption Indistinguishability against chosen-ciphertext attacks m b Game IND-CCA ( A ) ( sk , pk ) ← K (); $ ( m 0 , m 1 ) ← A 1 ( pk ); b ← { 0 , 1 } ; $ b c ⋆ ← E pk ( m b ); b ′ ← A 2 ( c ⋆ ); return ( b ′ = b ) m 0 m 1
Public-key encryption Indistinguishability against chosen-ciphertext attacks m b Game IND-CCA ( A ) ( sk , pk ) ← K (); E pk $ ( m 0 , m 1 ) ← A 1 ( pk ); c ⋆ b ← { 0 , 1 } ; $ b c ⋆ ← E pk ( m b ); b ′ ← A 2 ( c ⋆ ); return ( b ′ = b ) m 0 m 1
Public-key encryption Indistinguishability against chosen-ciphertext attacks m b Game IND-CCA ( A ) ( sk , pk ) ← K (); E pk $ ( m 0 , m 1 ) ← A 1 ( pk ); c ⋆ b ← { 0 , 1 } ; $ b c ⋆ ← E pk ( m b ); b ′ ← A 2 ( c ⋆ ); return ( b ′ = b ) m 0 c ⋆ m 1
Public-key encryption Indistinguishability against chosen-ciphertext attacks m b Game IND-CCA ( A ) ( sk , pk ) ← K (); E pk $ ( m 0 , m 1 ) ← A 1 ( pk ); c ⋆ b ← { 0 , 1 } ; $ b c ⋆ ← E pk ( m b ); b ′ ← A 2 ( c ⋆ ); return ( b ′ = b ) m 0 c ⋆ b ′ m 1
Public-key encryption Indistinguishability against chosen-ciphertext attacks m b Game IND-CCA ( A ) ( sk , pk ) ← K (); E pk $ ( m 0 , m 1 ) ← A 1 ( pk ); c ⋆ b ← { 0 , 1 } ; $ b c ⋆ ← E pk ( m b ); ? = b ′ ← A 2 ( c ⋆ ); return ( b ′ = b ) m 0 c ⋆ b ′ m 1
Public-key encryption Indistinguishability against chosen-ciphertext attacks m b Game IND-CCA ( A ) ( sk , pk ) ← K (); E pk $ ( m 0 , m 1 ) ← A 1 ( pk ); c ⋆ b ← { 0 , 1 } ; $ b c ⋆ ← E pk ( m b ); ? = b ′ ← A 2 ( c ⋆ ); return ( b ′ = b ) m 0 c ⋆ b ′ m 1 � � − 1 b ′ = b � � � � small � Pr IND-CCA ( A ) � � 2 �
One-way trapdoor permutations Algorithms ( K , f pk , f − 1 sk ) ◮ f pk and f − 1 sk deterministic Key generation If ( sk , pk ) is a valid key pair, Public Secret f − 1 key key sk ( f pk ( m )) = m hello rwxtf hello Encryption Decryption
One-way trapdoor permutations ( sk , pk ) ← K (); ← { 0 , 1 } n ; y $ x ⋆ ← f pk ( y ); y ′ ← I ( x ⋆ ); return ( y ′ = y )
One-way trapdoor permutations $ y ( sk , pk ) ← K (); ← { 0 , 1 } n ; y $ x ⋆ ← f pk ( y ); y ′ ← I ( x ⋆ ); return ( y ′ = y )
One-way trapdoor permutations $ f pk x ⋆ y ( sk , pk ) ← K (); ← { 0 , 1 } n ; y $ x ⋆ ← f pk ( y ); y ′ ← I ( x ⋆ ); return ( y ′ = y )
One-way trapdoor permutations $ f pk x ⋆ y ( sk , pk ) ← K (); ← { 0 , 1 } n ; y $ x ⋆ ← f pk ( y ); y ′ ← I ( x ⋆ ); x ⋆ return ( y ′ = y )
One-way trapdoor permutations $ f pk x ⋆ y ( sk , pk ) ← K (); ← { 0 , 1 } n ; y $ x ⋆ ← f pk ( y ); y ′ ← I ( x ⋆ ); y ′ x ⋆ return ( y ′ = y )
One-way trapdoor permutations $ f pk x ⋆ y ( sk , pk ) ← K (); ? ← { 0 , 1 } n ; = y $ x ⋆ ← f pk ( y ); y ′ ← I ( x ⋆ ); y ′ x ⋆ return ( y ′ = y )
One-way trapdoor permutations $ f pk x ⋆ y ( sk , pk ) ← K (); ? ← { 0 , 1 } n ; = y $ x ⋆ ← f pk ( y ); y ′ ← I ( x ⋆ ); y ′ x ⋆ return ( y ′ = y ) y ′ = y � � small Pr OW ( I )
Optimal Asymmetric Encryption Padding Decryption D OAEP ( sk ) ( c ) : ( s , t ) ← f − 1 Encryption E OAEP ( pk ) ( m ) : sk ( c ); ← { 0 , 1 } k 0 ; r $ r ← t ⊕ H ( s ); s ← G ( r ) ⊕ ( m � 0 k 1 ); if ([ s ⊕ G ( r )] k 1 = 0 k 1 ) then { m ← [ s ⊕ G ( r )] k ; } t ← H ( s ) ⊕ r ; return f pk ( s � t ) else { m ← ⊥ ; } return m ⊕ exclusive or � concatenation [ · ] projection 0 zero bitstring
Optimal Asymmetric Encryption Padding Decryption D OAEP ( sk ) ( c ) : ( s , t ) ← f − 1 Encryption E OAEP ( pk ) ( m ) : sk ( c ); ← { 0 , 1 } k 0 ; r $ r ← t ⊕ H ( s ); s ← G ( r ) ⊕ ( m � 0 k 1 ); if ([ s ⊕ G ( r )] k 1 = 0 k 1 ) then { m ← [ s ⊕ G ( r )] k ; } t ← H ( s ) ⊕ r ; return f pk ( s � t ) else { m ← ⊥ ; } return m For every IND-CCA adversary A against ( K , E OAEP , D OAEP ) , there exists a PDOW adversary I against ( K , f , f − 1 ) st � Pr IND-CCA ( A ) [ b ′ = b ] − 1 � ≤ � � 2 Pr PDOW ( I ) [ y ′ = y ] + 3 q D q G + q 2 D + 4 q D + q G + 2 q D 2 k 0 2 k 1
OAEP: Optimal Asymmetric Encryption Padding Shoup Bellare, Hofheinz, Kiltz Bellare and Rogaway Pointcheval 1994 2001 2004 2009 2011 Fujisaki, Okamoto, Pointcheval, Stern BGLZ 1994 Purported proof of chosen-ciphertext security 2001 1994 proof gives weaker security; desired security holds ◮ under stronger assumptions ◮ for a modified scheme 2004 Filled gaps in 2001 proof 2009 Security definition needs to be clarified 2011 Fills gaps in 2004 proof
What’s wrong with provable security? ◮ In our opinion, many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor . Bellare and Rogaway, 2004-2006 ◮ Do we have a problem with cryptographic proofs? Yes, we do [...] We generate more proofs than we carefully verify (and as a consequence some of our published proofs are incorrect) . Halevi, 2005
Computer-aided cryptographic proofs Provable security as deductive relational verification of open probabilistic parametrized programs CertiCrypt (2006-2011): adhere to cryptographic methods ◮ same level of abstraction ◮ same guarantees ◮ same proof techniques EasyCrypt (2009-): adhere to cryptographic practice ◮ automation and scalability ◮ support for high level steps ◮ accessible to cryptographers
A language for cryptographic games skip skip C ::= | V ← E assignment random sampling | V ← D $ | C ; C sequence | if E then C else C conditional | while E do C while loop | V ← P ( E , . . . , E ) procedure call ◮ E : (higher-order) expressions � user extensible ◮ D : discrete sub-distributions ◮ P : procedures . oracles: concrete procedures . adversaries: constrained abstract procedures
pRHL: a relational Hoare logic for games ◮ Judgment � { P } c 1 ∼ c 2 { Q } ◮ Validity ⇒ ( � c 1 � m 1 , � c 2 � m 2 ) � Q ♯ ∀ m 1 , m 2 . ( m 1 , m 2 ) � P = ◮ Proof rules � { P ∧ e � 1 �} c 1 ∼ c { Q } � { P ∧ ¬ e � 1 �} c 2 ∼ c { Q } � { P } if e then c 1 else c 2 ∼ c { Q } P → e � 1 � = e ′ � 2 � � { P ∧ e � 1 �} c 1 ∼ c ′ 1 { Q } � { P ∧ ¬ e � 1 �} c 2 ∼ c ′ 2 { Q } � { P } if e then c 1 else c 2 ∼ if e ′ then c ′ 1 else c ′ 2 { Q } + random samplings, procedures, adversaries. . . ◮ Verification condition generator
Recommend
More recommend