Computer-aided cryptographic proofs, Gilles Barthe & Yassine Lakhnech (PowerPoint PPT presentation)

  1. Computer-aided cryptographic proofs. Gilles Barthe & Yassine Lakhnech, IMDEA Software Institute, Madrid, Spain; Université Joseph Fourier & CNRS, Grenoble, France. Based on joint work with J.M. Crespo, F. Dupressoir, B. Grégoire, C. Kunz, B. Schmidt, P.-Y. Strub, S. Zanella, J.C.B. Almeida, M. Barbosa

  2. Modern cryptography
  1949 C. Shannon. Communication theory of secrecy systems.
  ◮ No practical encryption system is perfectly secure
  ◮ Scheme → Attack → Scheme → Attack → ...
  ◮ Scheme deemed secure if no attack is found for a long time
  1984 S. Goldwasser and S. Micali. Probabilistic encryption.
  ◮ Complexity-theoretic approach
  ◮ Negligible probability to break a scheme in polynomial time
  1994 M. Bellare and P. Rogaway. Optimal Asymmetric Encryption.
  ◮ Upper bound on the probability to break a scheme in time t

  3-9. Reductionist proof (one slide built up in steps)
  Primitive → Generic construction → Scheme
  Attack on Scheme → Black-box reduction → Attack on Primitive
  ◮ Ideally both attacks have similar execution times

  10. Public-key encryption
  Algorithms (K, E_pk, D_sk)
  ◮ E probabilistic
  ◮ D deterministic and partial
  Key generation: K outputs a public key pk and a secret key sk.
  If (sk, pk) is a valid key pair, D_sk(E_pk(m)) = m
  (hello → Encryption → rwxtf → Decryption → hello)

  11-19. Public-key encryption: indistinguishability against chosen-ciphertext attacks (one slide built up in steps)

  Game IND-CCA(A):
    (sk, pk) ← K();
    (m0, m1) ← A1(pk);
    b ←$ {0, 1};
    c⋆ ← E_pk(m_b);
    b′ ← A2(c⋆);
    return (b′ = b)

  (Animation: A1 outputs m0, m1; the challenger samples b, encrypts m_b under E_pk and hands c⋆ to A2, whose answer b′ is compared with b.)
  In the chosen-ciphertext setting A1 and A2 additionally have access to a decryption oracle D_sk, with A2 forbidden to query c⋆; the OAEP bound later in the talk counts those calls as q_D.

  Security requirement: $\left|\Pr_{\mathrm{IND\text{-}CCA}(A)}[b' = b] - \tfrac{1}{2}\right|$ small

  20. One-way trapdoor permutations
  Algorithms (K, f_pk, f^{-1}_sk)
  ◮ f_pk and f^{-1}_sk deterministic
  Key generation: K outputs a public key pk and a secret key sk.
  If (sk, pk) is a valid key pair, f^{-1}_sk(f_pk(m)) = m
  (hello → Encryption → rwxtf → Decryption → hello)

  21-27. One-way trapdoor permutations: the one-wayness game (one slide built up in steps)

  Game OW(I):
    (sk, pk) ← K();
    y ←$ {0, 1}^n;
    x⋆ ← f_pk(y);
    y′ ← I(x⋆);
    return (y′ = y)

  (Animation: y is sampled, x⋆ = f_pk(y) is handed to the inverter I, whose answer y′ is compared with y.)

  Security requirement: $\Pr_{\mathrm{OW}(I)}[y' = y]$ small

  28-29. Optimal Asymmetric Encryption Padding

  Encryption E_OAEP(pk)(m):
    r ←$ {0, 1}^{k0};
    s ← G(r) ⊕ (m ∥ 0^{k1});
    t ← H(s) ⊕ r;
    return f_pk(s ∥ t)

  Decryption D_OAEP(sk)(c):
    (s, t) ← f^{-1}_sk(c);
    r ← t ⊕ H(s);
    if ([s ⊕ G(r)]_{k1} = 0^{k1}) then { m ← [s ⊕ G(r)]^k; } else { m ← ⊥; }
    return m

  ⊕ exclusive or, ∥ concatenation, [·] projection ([x]^k the leading k bits, [x]_{k1} the trailing k1 bits), 0^k the zero bitstring of length k

  For every IND-CCA adversary A against (K, E_OAEP, D_OAEP) there exists a PDOW (partial-domain one-wayness) adversary I against (K, f, f^{-1}) such that
  $$\left|\Pr_{\mathrm{IND\text{-}CCA}(A)}[b' = b] - \tfrac{1}{2}\right| \le \Pr_{\mathrm{PDOW}(I)}[y' = y] + \frac{3\, q_D q_G + q_D^2 + 4\, q_D + q_G}{2^{k_0}} + \frac{2\, q_D}{2^{k_1}}$$
  where q_D and q_G bound the number of decryption-oracle and G-oracle queries made by A.
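The following is an added example, not code from the slides or from CertiCrypt/EasyCrypt: it instantiates the IND-CCA game of slides 11-19 and the OAEP scheme of slides 28-29 as runnable Python, so the game, the decryption oracle restriction and the padding check can be exercised. Everything concrete is an assumption of this example: the trapdoor permutation is textbook RSA with 40-bit primes (insecure, chosen only to run instantly), G and H are truncated SHA-256 standing in for random oracles, the lengths k = 32, k0 = 16, k1 = 16 are arbitrary, and the helpers (`keygen`, `enc_oaep`, `dec_oaep`, `ind_cca_game`, `ReencryptAdversary`, `win_rate`, `oaep_demo`) are named for this example only.

```python
import hashlib
import random

# Toy one-way trapdoor permutation: textbook RSA with 40-bit primes (ASSUMPTION of this example,
# far too small to be secure; it only has to make f a permutation with a trapdoor).
def _is_probable_prime(n, rng, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                          # Miller-Rabin rounds
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits, rng):
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p, rng):
            return p

def keygen(rng, bits=40):
    """K(): returns (sk, pk) with f_pk(x) = x^e mod N and f^-1_sk(y) = y^d mod N."""
    while True:
        p, q = _rand_prime(bits, rng), _rand_prime(bits, rng)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and phi % e:
            return (n, pow(e, -1, phi)), (n, e)

def f(pk, x): return pow(x, pk[1], pk[0])
def f_inv(sk, y): return pow(y, sk[1], sk[0])

# OAEP exactly as on the slide, with bit strings held as ints. Lengths are ASSUMPTIONS;
# k + k0 + k1 = 64 < log2(N), so s || t always lies in the domain of f.
K, K0, K1 = 32, 16, 16
BOT = None                                           # the slide's ⊥

def _ro(tag, x, nbits):                              # G and H: SHA-256 truncated (random-oracle stand-in)
    h = hashlib.sha256(tag + x.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") & ((1 << nbits) - 1)
def G(r): return _ro(b"G", r, K + K1)
def H(s): return _ro(b"H", s, K0)

def enc_oaep(pk, m, rng):
    assert 0 <= m < (1 << K)
    r = rng.getrandbits(K0)                          # r <-$ {0,1}^k0
    s = G(r) ^ (m << K1)                             # s <- G(r) xor (m || 0^k1)
    t = H(s) ^ r                                     # t <- H(s) xor r
    return f(pk, (s << K0) | t)                      # f_pk(s || t)

def dec_oaep(sk, c):
    if not 0 <= c < sk[0]:                           # c outside Z_N: treated like a padding failure
        return BOT
    x = f_inv(sk, c)
    if x >> (K + K1 + K0):                           # f^-1_sk(c) does not parse as s || t
        return BOT
    s, t = x >> K0, x & ((1 << K0) - 1)
    r = t ^ H(s)
    w = s ^ G(r)
    if w & ((1 << K1) - 1):                          # [s xor G(r)]_{k1} != 0^k1
        return BOT
    return w >> K1                                   # [s xor G(r)]^k

def enc_plain(pk, m, rng): return f(pk, m)           # unpadded, deterministic RSA, for contrast
def dec_plain(sk, c): return f_inv(sk, c)

# The IND-CCA game of the slides, including the decryption oracle whose calls the OAEP bound
# charges as q_D; A2 is refused the challenge ciphertext c*.
def ind_cca_game(enc, dec, adv, rng):
    sk, pk = keygen(rng)                             # (sk, pk) <- K()
    oracle = lambda c: dec(sk, c)
    m0, m1 = adv.choose(pk, enc, oracle, rng)        # (m0, m1) <- A1(pk)
    b = rng.getrandbits(1)                           # b <-$ {0,1}
    c_star = enc(pk, m1 if b else m0, rng)           # c* <- E_pk(m_b)
    def oracle2(c):
        if c == c_star:
            raise ValueError("A2 may not query c*")
        return oracle(c)
    return adv.guess(pk, c_star, enc, oracle2, rng) == b   # b' <- A2(c*); return b' = b

class ReencryptAdversary:
    """Re-encrypts m0 and m1 and compares with c*; wins iff encryption is deterministic."""
    m0, m1 = 1, 2
    def choose(self, pk, enc, dec, rng): return self.m0, self.m1
    def guess(self, pk, c_star, enc, dec, rng):
        if enc(pk, self.m0, rng) == c_star: return 0
        if enc(pk, self.m1, rng) == c_star: return 1
        return rng.getrandbits(1)                    # no match: a coin flip

def win_rate(enc, dec, trials=400, seed=1):
    rng, adv = random.Random(seed), ReencryptAdversary()
    return sum(ind_cca_game(enc, dec, adv, rng) for _ in range(trials)) / trials

def oaep_demo(seed=7):
    """Returns (D(E(m)), D(c with one bit flipped)): the message, then ⊥."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    c = enc_oaep(pk, 0xDEADBEEF, rng)
    return dec_oaep(sk, c), dec_oaep(sk, c ^ 1)
```

`win_rate(enc_plain, dec_plain)` is 1.0: against deterministic RSA the re-encryption adversary always wins, so the advantage term on the left of the OAEP bound is 1/2. Against `enc_oaep` the same adversary is reduced to a coin flip, and `oaep_demo` shows a one-bit change to the ciphertext being rejected by the 0^{k1} check. Note that the toy decryptor returns the same ⊥ for an out-of-range c, an unparsable f^{-1}_sk(c) and a failed redundancy check; a real implementation must also make those three failures indistinguishable in timing and error messages, since the game models the decryption oracle as returning only ⊥ or a plaintext.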

  30. OAEP: Optimal Asymmetric Encryption Padding, a timeline
  1994 Bellare and Rogaway: purported proof of chosen-ciphertext security
  2001 Shoup; Fujisaki, Okamoto, Pointcheval, Stern: the 1994 proof gives weaker security; the desired security holds
  ◮ under stronger assumptions
  ◮ for a modified scheme
  2004 Pointcheval: filled gaps in the 2001 proof
  2009 Bellare, Hofheinz, Kiltz: the security definition needs to be clarified
  2011 BGLZ: fills gaps in the 2004 proof

  31. What's wrong with provable security?
  ◮ "In our opinion, many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor." Bellare and Rogaway, 2004-2006
  ◮ "Do we have a problem with cryptographic proofs? Yes, we do [...] We generate more proofs than we carefully verify (and as a consequence some of our published proofs are incorrect)." Halevi, 2005

  32. Computer-aided cryptographic proofs
  Provable security as deductive relational verification of open probabilistic parametrized programs
  CertiCrypt (2006-2011): adhere to cryptographic methods
  ◮ same level of abstraction
  ◮ same guarantees
  ◮ same proof techniques
  EasyCrypt (2009-): adhere to cryptographic practice
  ◮ automation and scalability
  ◮ support for high-level steps
  ◮ accessible to cryptographers

  33. A language for cryptographic games
  C ::= skip                         skip
      | V ← E                        assignment
      | V ←$ D                       random sampling
      | C; C                         sequence
      | if E then C else C           conditional
      | while E do C                 while loop
      | V ← P(E, ..., E)             procedure call
  ◮ E: (higher-order) expressions, user extensible
  ◮ D: discrete sub-distributions
  ◮ P: procedures
    . oracles: concrete procedures
    . adversaries: constrained abstract procedures

  34. pRHL: a relational Hoare logic for games
  ◮ Judgment: $\vDash \{P\}\ c_1 \sim c_2\ \{Q\}$
  ◮ Validity: $\forall m_1, m_2.\ (m_1, m_2) \vDash P \Rightarrow (\llbracket c_1 \rrbracket m_1,\ \llbracket c_2 \rrbracket m_2) \vDash Q^{\sharp}$, where $\llbracket c \rrbracket m$ is the output sub-distribution of c from memory m and $Q^{\sharp}$ is the lifting of the relation Q to pairs of sub-distributions
  ◮ Proof rules (one-sided and two-sided conditional; $e\langle 1\rangle$, $e'\langle 2\rangle$ denote e evaluated in the left, resp. right, memory):
  $$\frac{\vDash \{P \wedge e\langle 1\rangle\}\ c_1 \sim c\ \{Q\} \qquad \vDash \{P \wedge \neg e\langle 1\rangle\}\ c_2 \sim c\ \{Q\}}{\vDash \{P\}\ \mathbf{if}\ e\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2 \sim c\ \{Q\}}$$
  $$\frac{P \rightarrow e\langle 1\rangle = e'\langle 2\rangle \qquad \vDash \{P \wedge e\langle 1\rangle\}\ c_1 \sim c'_1\ \{Q\} \qquad \vDash \{P \wedge \neg e\langle 1\rangle\}\ c_2 \sim c'_2\ \{Q\}}{\vDash \{P\}\ \mathbf{if}\ e\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2 \sim \mathbf{if}\ e'\ \mathbf{then}\ c'_1\ \mathbf{else}\ c'_2\ \{Q\}}$$
  + random samplings, procedures, adversaries...
  ◮ Verification condition generator
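Added example, not from the slides or from the CertiCrypt/EasyCrypt code base: an exact interpreter for the game language of slide 33, giving each command its denotation ⟦c⟧m as a sub-distribution over memories, and a checker for the validity condition of slide 34 for postconditions of the form x⟨1⟩ = x⟨2⟩. The tuple encoding of commands, the `fuel` bound on loops, the helper names (`run`, `marginal`, `valid_equal`, `win_probability`, `countdown_mass`) and the two sample programs (the optimistic-sampling hop and a trivial guessing game) are all constructions of this example.

```python
from collections import defaultdict
from fractions import Fraction

# Tuple encoding of the slide's grammar (chosen for this example, not EasyCrypt's concrete syntax):
#   ('skip',) | ('asg', v, e) | ('rnd', v, dist) | ('seq', c1, c2) | ('if', e, c1, c2) | ('while', e, c)
# e is a Python callable over the memory (a dict); dist is a list of (value, probability) pairs.
# Procedure calls are left out: the two programs below need none.

def _freeze(mem):
    return tuple(sorted(mem.items()))

def run(cmd, mem, fuel=64):
    """[[cmd]] mem: the output sub-distribution as {frozen memory: probability}.
    Loop iterations beyond `fuel` drop their mass, so the weights may sum to less than 1."""
    kind = cmd[0]
    if kind == 'skip':
        return {_freeze(mem): Fraction(1)}
    if kind == 'asg':
        return {_freeze({**mem, cmd[1]: cmd[2](mem)}): Fraction(1)}
    if kind == 'rnd':
        out = defaultdict(Fraction)
        for val, p in cmd[2]:
            out[_freeze({**mem, cmd[1]: val})] += Fraction(p)
        return out
    if kind == 'seq':                                # monadic bind: run c2 from each output of c1
        out = defaultdict(Fraction)
        for m1, p1 in run(cmd[1], mem, fuel).items():
            for m2, p2 in run(cmd[2], dict(m1), fuel).items():
                out[m2] += p1 * p2
        return out
    if kind == 'if':
        return run(cmd[2] if cmd[1](mem) else cmd[3], mem, fuel)
    if kind == 'while':
        if not cmd[1](mem):
            return {_freeze(mem): Fraction(1)}
        return run(('seq', cmd[2], cmd), mem, fuel - 1) if fuel else {}
    raise ValueError(f"unknown command {cmd[0]!r}")

def marginal(dist, var):
    """Distribution of a single variable under an output sub-distribution."""
    out = defaultdict(Fraction)
    for m, p in dist.items():
        out[dict(m)[var]] += p
    return dict(out)

def valid_equal(var, c1, c2, pairs, fuel=64):
    """Validity of {P} c1 ~ c2 {var<1> = var<2>} over the listed pairs of initial memories
    (P given extensionally). For an equality postcondition the lifting Q# holds exactly when
    the marginals of var agree; a general Q would need a coupling (max-flow) check instead."""
    return all(marginal(run(c1, m1, fuel), var) == marginal(run(c2, m2, fuel), var)
               for m1, m2 in pairs)

COIN = [(0, Fraction(1, 2)), (1, Fraction(1, 2))]    # the slides' b <-$ {0,1}

# Optimistic sampling, a standard game-hop step:
#   x <-$ {0,1}; y <- x xor b    ~    y <-$ {0,1}; x <- y xor b
LEFT = ('seq', ('rnd', 'x', COIN), ('asg', 'y', lambda m: m['x'] ^ m['b']))
RIGHT = ('seq', ('rnd', 'y', COIN), ('asg', 'x', lambda m: m['y'] ^ m['b']))
PAIRS = [({'b': b}, {'b': b}) for b in (0, 1)]      # precondition b<1> = b<2>

# A trivial guessing game: b' is sampled independently of b, so Pr[b' = b] is exactly 1/2.
GUESS = ('seq', ('seq', ('rnd', 'b', COIN), ('rnd', 'bp', COIN)),
         ('asg', 'win', lambda m: m['b'] == m['bp']))

def win_probability(game, var='win'):
    return marginal(run(game, {}), var).get(True, Fraction(0))

def countdown_mass(n):
    """Total mass of 'while n > 0 do n <- n - 1' from n: 1 if it finishes within the fuel, else 0."""
    loop = ('while', lambda m: m['n'] > 0, ('asg', 'n', lambda m: m['n'] - 1))
    return sum(run(loop, {'n': n}).values(), Fraction(0))
```

`valid_equal('y', LEFT, RIGHT, PAIRS)` and `valid_equal('x', LEFT, RIGHT, PAIRS)` both hold, which is the semantic fact the optimistic-sampling rule lets a pRHL proof use without enumerating distributions; `countdown_mass` shows why the language's semantics are sub-distributions, since a loop that does not finish loses mass rather than producing a value.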
