Computer-aided cryptographic proofs Gilles Barthe IMDEA Software - PowerPoint PPT Presentation

  1. Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

  2. Modern cryptography
     Shannon ’49 • Mathematical proof of security • Perfect secrecy is impossible
     Diffie & Hellman ’76 • Computational security • Asymptotic guarantees: a PPT adversary has negligible advantage
     Goldwasser & Micali ’82, Yao ’82
     Bellare & Rogaway ’94 • Concrete bounds: the adversary's advantage to win in time t is ≤ p

  3–8. Reductionist proof (diagram built up over six slides)
     A generic construction turns a Primitive into a Scheme.
     An Attack on the Scheme is turned, by a black-box reduction, into an Attack on the Primitive.

  9. Public-key encryption
     Algorithms (K, E_pk, D_sk)
     ◮ E probabilistic
     ◮ D deterministic and partial
     Key generation outputs a public key pk and a secret key sk.
     If (sk, pk) is a valid key pair, D_sk(E_pk(m)) = m.
     (Figure: "hello" → Encryption → "rwxtf" → Decryption → "hello")

  10–19. Indistinguishability (game built up over ten slides)
     Game IND-CPA(A):
       (sk, pk) ← K();
       (m0, m1) ← A1(pk);
       b ←$ {0,1};
       c⋆ ← E_pk(m_b);
       b′ ← A2(c⋆);
       return (b′ = b)
     (Figure: A sends m0, m1; the challenger samples b and returns c⋆ = E_pk(m_b); A answers b′, which is compared with b.)
     Security requirement: |Pr[IND-CPA(A) : b′ = b] − 1/2| is small.

  20. One-way trapdoor permutations
     Algorithms (K, f_pk, f⁻¹_sk)
     ◮ f_pk and f⁻¹_sk deterministic
     Key generation outputs a public key pk and a secret key sk.
     If (sk, pk) is a valid key pair, f⁻¹_sk(f_pk(m)) = m.
     (Figure: "hello" → Encryption → "rwxtf" → Decryption → "hello")

  21–27. One-way trapdoor permutations (game built up over seven slides)
     Game OW(I):
       (sk, pk) ← K();
       y ←$ {0,1}^n;
       x⋆ ← f_pk(y);
       y′ ← I(x⋆);
       return (y′ = y)
     (Figure: y is sampled, x⋆ = f_pk(y) is handed to I, I answers y′, which is compared with y.)
     Security requirement: Pr[OW(I) : y′ = y] is small.

  28. Random oracles
     Oracle H(x):
       if x ∉ L then
         r ←$ {0,1}^k;
         L ← (x, r) :: L;
       return L[x]
     ◮ Idealized model of hash function
     ◮ Allows practical schemes
     ◮ Not realizable

  29. Example: Bellare and Rogaway 1993 encryption
     Encryption E_pk(m):
       r ←$ {0,1}^ℓ;
       s ← H(r) ⊕ m;
       y ← f_pk(r) ∥ s;
       return y
     Game IND-CPA(A):
       (sk, pk) ← K();
       (m0, m1) ← A1(pk);
       b ←$ {0,1};
       c⋆ ← E_pk(m_b);
       b′ ← A2(c⋆);
       return (b′ = b)
     For every IND-CPA adversary A, there exists an inverter I s.t.
       |Pr[IND-CPA(A) : b′ = b] − 1/2| ≤ Pr[OW(I) : y′ = y]

  30. Proof: game hopping technique
     Games INDCPA, G and G′ all run
       (sk, pk) ← K(); (m0, m1) ← A1(pk); b ←$ {0,1}; c⋆ ← E_pk(m_b); b′ ← A2(c⋆); return (b′ = b)
     and differ only in the encryption:
       INDCPA  E_pk(m): r ←$ {0,1}^ℓ; h ← H(r);      s ← h ⊕ m; c ← f_pk(r) ∥ s; return c
       G       E_pk(m): r ←$ {0,1}^ℓ; h ←$ {0,1}^k;  s ← h ⊕ m; c ← f_pk(r) ∥ s; return c
       G′      E_pk(m): r ←$ {0,1}^ℓ; s ←$ {0,1}^k;  h ← s ⊕ m; c ← f_pk(r) ∥ s; return c
     Game OW:
       (sk, pk) ← K(); y ←$ {0,1}^ℓ; y′ ← I(f_pk(y)); return y = y′
     Adversary I(x):
       (m0, m1) ← A1(pk); s ←$ {0,1}^k; c⋆ ← x ∥ s; b′ ← A2(c⋆); y′ ← [z ∈ L_A^H | f_pk(z) = x]; return y′
     1. Prove a probability claim for each hop
     2. Obtain security bound by combining claims
     3. Check execution time of constructed adversary

  31. Conditional equivalence
     INDCPA  E_pk(m): r ←$ {0,1}^ℓ; h ← H(r);      s ← h ⊕ m; c ← f_pk(r) ∥ s; return c
     G       E_pk(m): r ←$ {0,1}^ℓ; h ←$ {0,1}^k;  s ← h ⊕ m; c ← f_pk(r) ∥ s; return c
     By the Fundamental Lemma
       |Pr[IND-CPA : b′ = b] − Pr[G : b′ = b]| ≤ Pr[G : r ∈ L_A^H]

  32–33. Equivalence
     G   E_pk(m): r ←$ {0,1}^ℓ; h ←$ {0,1}^k; s ← h ⊕ m; c ← f_pk(r) ∥ s; return c
     G′  E_pk(m): r ←$ {0,1}^ℓ; s ←$ {0,1}^k; h ← s ⊕ m; c ← f_pk(r) ∥ s; return c
     By optimistic sampling
       Pr[G : b′ = b] = Pr[G′ : b′ = b] = 1/2
       Pr[G : r ∈ L_A^H] = Pr[G′ : r ∈ L_A^H]
     hence
       |Pr[IND-CPA : b′ = b] − 1/2| ≤ Pr[G′ : r ∈ L_A^H]

  34–35. Reduction
     Game INDCPA (encryption as in G′):
       (sk, pk) ← K(); (m0, m1) ← A1(pk); b ←$ {0,1}; c⋆ ← E_pk(m_b); b′ ← A2(c⋆); return (b′ = b)
       E_pk(m): r ←$ {0,1}^ℓ; s ←$ {0,1}^k; c ← f_pk(r) ∥ s; return c
     Game OW:
       (sk, pk) ← K(); y ←$ {0,1}^ℓ; y′ ← I(f_pk(y)); return y = y′
     Adversary I(x):
       (m0, m1) ← A1(pk); b ←$ {0,1}; s ←$ {0,1}^k; c⋆ ← x ∥ s; b′ ← A2(c⋆); y′ ← [z ∈ L_A^H | f_pk(z) = x]; return y′
       Pr[G′ : r ∈ L_A^H] ≤ Pr[OW(I) : y′ = y]
     Combining the hops:
       |Pr[IND-CPA(A) : b′ = b] − 1/2| ≤ Pr[OW(I) : y′ = y]
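The Bellare-Rogaway games and the reduction of slides 29 to 35, with the lazily sampled oracle of slide 28, as an added example that is not part of the deck: it runs IND-CPA(A), OW(I) and the inverter I(x) against a constructed toy trapdoor permutation (a random table, assumed here and not one-way), so the event r ∈ L_A^H that the bound rests on can be observed with two sample adversaries.

```python
import secrets
ELL, K = 8, 8  # bit lengths ell (randomness r) and k (hash output), as on the slides

def keygen():
    # Constructed toy trapdoor permutation: pk is a random table on {0,1}^ell (f_pk),
    # sk its inverse table. Not one-way; it only lets the games execute.
    perm = list(range(1 << ELL))
    secrets.SystemRandom().shuffle(perm)
    return {v: i for i, v in enumerate(perm)}, perm

class RandomOracle:  # lazily sampled H: {0,1}^ell -> {0,1}^k, keeping the query list L
    def __init__(self):
        self.L = {}
    def H(self, x):
        if x not in self.L:
            self.L[x] = secrets.randbits(K)
        return self.L[x]

def encrypt(pk, ro, m):  # BR93: c = f_pk(r) || (H(r) xor m)
    r = secrets.randbits(ELL)
    return (pk[r], ro.H(r) ^ m)

def ind_cpa(adv):
    _, pk = keygen()
    ro = RandomOracle()
    m0, m1 = adv.a1(pk, ro)
    b = secrets.randbits(1)
    return adv.a2(encrypt(pk, ro, (m0, m1)[b]), ro) == b

def inverter(adv, pk, x):
    # I(x) from the Reduction slide: run A on c* = x || s for a random s, then
    # return the H-query z with f_pk(z) = x (None if A never made that query).
    ro = RandomOracle()
    adv.a1(pk, ro)
    adv.a2((x, secrets.randbits(K)), ro)
    return next((z for z in ro.L if pk[z] == x), None)

def ow(adv):
    _, pk = keygen()
    y = secrets.randbits(ELL)
    return inverter(adv, pk, pk[y]) == y

class TableAdversary:
    # Breaks the toy scheme by inverting the public table; that forces it to
    # query H(r), which is exactly the event r in L_A^H that I exploits.
    def a1(self, pk, ro): self.pk = pk; return 0, 1
    def a2(self, c, ro): return ro.H(self.pk.index(c[0])) ^ c[1]  # m_b, i.e. bit b

class GuessingAdversary:  # never queries H, so r is never in L and I returns None
    def a1(self, pk, ro): return 0, 1
    def a2(self, c, ro): return 0
```

With the table adversary both games succeed every time, with the guessing adversary the inverter always fails, which is the two ends of the bound Pr[G′ : r ∈ L_A^H] ≤ Pr[OW(I) : y′ = y].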
