Computer-aided cryptographic proofs
Gilles Barthe, IMDEA Software Institute, Madrid, Spain
Modern cryptography

Shannon '49
  • Mathematical proof of security
  • Perfect secrecy is impossible
Diffie & Hellman '76
  • Computational security
  • Asymptotic guarantees: a PPT adversary has negligible advantage
Goldwasser & Micali '82, Yao '82
Bellare & Rogaway '94
  • Concrete bounds: the adversary's advantage to win in time t is ≤ p
Reductionist proof

  Primitive  --(generic construction)-->  Scheme
  Attack on the primitive  <--(black-box reduction)--  Attack on the scheme
Public-key encryption

Algorithms (K, E_pk, D_sk)
  ◮ E probabilistic
  ◮ D deterministic and partial
Key generation K outputs a key pair: public key pk, secret key sk.
If (sk, pk) is a valid key pair, D_sk(E_pk(m)) = m
  hello  --E_pk (encryption)-->  rwxtf  --D_sk (decryption)-->  hello
Indistinguishability

Game IND-CPA(A):
  (sk, pk) ← K();
  (m0, m1) ← A1(pk);
  b ←$ {0,1};
  c⋆ ← E_pk(m_b);
  b′ ← A2(c⋆);
  return (b′ = b)

The adversary chooses m0, m1, receives c⋆ = E_pk(m_b) and outputs a guess b′ ?= b.
Security: | Pr[IND-CPA(A) : b′ = b] − 1/2 | is small
One-way trapdoor permutations

Algorithms (K, f_pk, f⁻¹_sk)
  ◮ f_pk and f⁻¹_sk deterministic
Key generation K outputs a key pair: public key pk, secret key sk.
If (sk, pk) is a valid key pair, f⁻¹_sk(f_pk(m)) = m
  hello  --f_pk (encryption)-->  rwxtf  --f⁻¹_sk (decryption)-->  hello
Game OW(I):
  (sk, pk) ← K();
  y ←$ {0,1}^n;
  x⋆ ← f_pk(y);
  y′ ← I(x⋆);
  return (y′ = y)

The inverter receives x⋆ = f_pk(y) and outputs y′ ?= y.
Security: Pr[OW(I) : y′ = y] is small
Random oracles

Oracle H(x):
  if x ∉ L then
    r ←$ {0,1}^k;
    L ← (x, r) :: L;
  return L[x]

  ◮ Idealized model of a hash function
  ◮ Allows practical schemes
  ◮ Not realizable
Example: Bellare and Rogaway 1993 encryption

Encryption E_pk(m):
  r ←$ {0,1}^ℓ;
  s ← H(r) ⊕ m;
  y ← f_pk(r) ∥ s;
  return y

Game IND-CPA(A):
  (sk, pk) ← K();
  (m0, m1) ← A1(pk);
  b ←$ {0,1};
  c⋆ ← E_pk(m_b);
  b′ ← A2(c⋆);
  return (b′ = b)

For every IND-CPA adversary A, there exists an inverter I s.t.
  | Pr[IND-CPA(A) : b′ = b] − 1/2 | ≤ Pr[OW(I) : y′ = y]
Proof: game hopping technique

Games INDCPA, G and G′ share the main body
  (sk, pk) ← K();
  (m0, m1) ← A1(pk);
  b ←$ {0,1};
  c⋆ ← E_pk(m_b);
  b′ ← A2(c⋆);
  return (b′ = b)
and differ only in the encryption oracle:

  INDCPA: E_pk(m):           G: E_pk(m):                G′: E_pk(m):
    r ←$ {0,1}^ℓ;              r ←$ {0,1}^ℓ;              r ←$ {0,1}^ℓ;
    h ← H(r);                  h ←$ {0,1}^k;              s ←$ {0,1}^k;
    s ← h ⊕ m;                 s ← h ⊕ m;                 h ← s ⊕ m;
    c ← f_pk(r) ∥ s;           c ← f_pk(r) ∥ s;           c ← f_pk(r) ∥ s;
    return c                   return c                   return c

Game OW:                       Adversary I(x):
  (sk, pk) ← K();                (m0, m1) ← A1(pk);
  y ←$ {0,1}^ℓ;                  s ←$ {0,1}^k;
  y′ ← I(f_pk(y));               c⋆ ← x ∥ s;
  return y = y′                  b′ ← A2(c⋆);
                                 y′ ← [z ∈ L_A^H | f_pk(z) = x];
                                 return y′

1. Prove a probability claim for each hop
2. Obtain security bound by combining claims
3. Check execution time of constructed adversary
Conditional equivalence

  INDCPA: E_pk(m):             G: E_pk(m):
    r ←$ {0,1}^ℓ;                r ←$ {0,1}^ℓ;
    h ← H(r);                    h ←$ {0,1}^k;
    s ← h ⊕ m;                   s ← h ⊕ m;
    c ← f_pk(r) ∥ s;             c ← f_pk(r) ∥ s;
    return c                     return c

The two games behave identically unless A queries H at the point r used by the encryption (the event r ∈ L_A^H).
By the Fundamental Lemma
  | Pr[IND-CPA : b′ = b] − Pr[G : b′ = b] | ≤ Pr[G : r ∈ L_A^H]
Equivalence

  G: E_pk(m):                  G′: E_pk(m):
    r ←$ {0,1}^ℓ;                r ←$ {0,1}^ℓ;
    h ←$ {0,1}^k;                s ←$ {0,1}^k;
    s ← h ⊕ m;                   h ← s ⊕ m;
    c ← f_pk(r) ∥ s;             c ← f_pk(r) ∥ s;
    return c                     return c

By optimistic sampling
  Pr[G : b′ = b] = Pr[G′ : b′ = b] = 1/2
  Pr[G : r ∈ L_A^H] = Pr[G′ : r ∈ L_A^H]
Combined with the previous hop:
  | Pr[IND-CPA : b′ = b] − 1/2 | ≤ Pr[G′ : r ∈ L_A^H]
Reduction

Game INDCPA:                    Game OW:
  (sk, pk) ← K();                 (sk, pk) ← K();
  (m0, m1) ← A1(pk);              y ←$ {0,1}^ℓ;
  b ←$ {0,1};                     y′ ← I(f_pk(y));
  c⋆ ← E_pk(m_b);                 return y = y′
  b′ ← A2(c⋆);
  return (b′ = b)               Adversary I(x):
                                  (m0, m1) ← A1(pk);
Encryption E_pk(m):               b ←$ {0,1};
  r ←$ {0,1}^ℓ;                   s ←$ {0,1}^k;
  s ←$ {0,1}^k;                   c⋆ ← x ∥ s;
  c ← f_pk(r) ∥ s;                b′ ← A2(c⋆);
  return c                        y′ ← [z ∈ L_A^H | f_pk(z) = x];
                                  return y′

(The encryption shown here is the one of G′, with the unused h dropped.)
I answers A's challenge with x ∥ s in place of f_pk(r) ∥ s, so any query of A at the preimage of x lands in L_A^H:
  Pr[G′ : r ∈ L_A^H] ≤ Pr[OW(I) : y′ = y]
and hence
  | Pr[IND-CPA(A) : b′ = b] − 1/2 | ≤ Pr[OW(I) : y′ = y]
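The following is an added worked example, not code from the slides or from any proof assistant the talk discusses. It turns the objects of the "Bellare and Rogaway 1993" slide and of this reduction slide into running Python: a lazily sampled random oracle H that records its query list L_A^H, the BR93 encryption f_pk(r) ∥ (H(r) ⊕ m), the games IND-CPA(A) and OW(I), and the inverter I built from an arbitrary adversary A. The trapdoor permutation is a constructed textbook RSA pair (N = 3233, e = 17, d = 2753), chosen tiny on purpose so that a brute-force adversary exists and the reduction can be watched working; the plaintexts and all function names are assumptions of this example.

```python
import random

# Constructed toy parameters, not from the slides: a textbook RSA pair stands in
# for the trapdoor permutation (f_pk, f_sk^-1). N is tiny on purpose, so f can be
# inverted by exhaustive search and the reduction can be exercised end to end.
N, E, D = 3233, 17, 2753          # N = 61 * 53, E * D = 1 mod phi(N)
K = 16                            # H outputs k-bit strings; plaintexts are k-bit

def keygen():                     # K(): a valid key pair (sk, pk)
    return (N, D), (N, E)

def f(pk, y):                     # f_pk(y): the one-way trapdoor permutation on Z_N
    return pow(y, pk[1], pk[0])

class RandomOracle:
    """Oracle H(x): on the first query of x sample r <-$ {0,1}^k, store (x, r)
    in L, and answer L[x] consistently afterwards."""
    def __init__(self, rng):
        self.rng, self.table, self.log = rng, {}, []

    def query(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(K)
            self.log.append(x)    # L_A^H: every point at which H was queried
        return self.table[x]

def encrypt(pk, H, m, rng):       # BR93: r <-$ {0,1}^l; s <- H(r) xor m; f_pk(r) || s
    r = rng.randrange(N)
    return f(pk, r), H.query(r) ^ m

def decrypt(sk, H, c):            # r <- f_sk^-1(x) via the trapdoor d; m <- H(r) xor s
    x, s = c
    return H.query(pow(x, sk[1], sk[0])) ^ s

def game_ind_cpa(adv, rng):       # Game IND-CPA(A): returns the event b' = b
    H, (sk, pk) = RandomOracle(rng), keygen()
    m0, m1 = adv.choose(pk, H)
    b = rng.getrandbits(1)
    c_star = encrypt(pk, H, (m0, m1)[b], rng)
    return adv.guess(c_star, pk, H) == b

def game_ow(inverter, rng):       # Game OW(I): returns the event y' = y
    sk, pk = keygen()
    y = rng.randrange(N)
    return inverter(pk, f(pk, y), rng) == y

def make_inverter(adv):
    """The reduction: inverter I built from an IND-CPA adversary A. I plants the
    OW challenge x where f_pk(r) would be, runs A against a random oracle that I
    simulates itself, and reads the preimage off A's query list L_A^H."""
    def I(pk, x, rng):
        H = RandomOracle(rng)
        adv.choose(pk, H)
        s = rng.getrandbits(K)
        adv.guess((x, s), pk, H)  # c* <- x || s; b' itself is never needed
        for z in H.log:           # y' <- [z in L_A^H | f_pk(z) = x]
            if f(pk, z) == x:
                return z
        return None
    return I

class RandomGuesser:
    """A with no strategy: never queries H and outputs a random b'."""
    M0, M1 = 0x1234, 0xABCD       # constructed sample plaintexts

    def __init__(self, rng):
        self.rng = rng

    def choose(self, pk, H):
        return self.M0, self.M1

    def guess(self, c_star, pk, H):
        return self.rng.getrandbits(1)

class BruteForceAdversary(RandomGuesser):
    """A that wins only because the toy f is invertible by exhaustive search: it
    recovers r, queries H(r) and decrypts. That query is exactly what places the
    preimage in L_A^H and hands it to the inverter above."""
    def guess(self, c_star, pk, H):
        x, s = c_star
        r = next(z for z in range(N) if f(pk, z) == x)
        return 1 if H.query(r) ^ s == self.M1 else 0

def roundtrip(m, seed):           # D_sk(E_pk(m)) = m for a valid key pair
    rng = random.Random(seed)
    H, (sk, pk) = RandomOracle(rng), keygen()
    return decrypt(sk, H, encrypt(pk, H, m, rng))

def ind_cpa_win_rate(make_adv, trials, seed):
    rng = random.Random(seed)
    return sum(game_ind_cpa(make_adv(rng), rng) for _ in range(trials)) / trials

def ow_success_rate(make_adv, trials, seed):
    rng = random.Random(seed)
    return sum(game_ow(make_inverter(make_adv(rng)), rng) for _ in range(trials)) / trials
```

Running `ind_cpa_win_rate` and `ow_success_rate` on the two adversaries shows the bound of the last slide in miniature: the random guesser has win rate about 1/2 and the inverter built from it never succeeds, while the adversary whose advantage comes from querying H(r) hands that very r to I, so its IND-CPA win rate of 1 is matched by an OW success rate of 1. The inverter never uses b′; only the query list matters, which is why step 3 of the proof (the running time of I) is essentially that of A plus one f_pk evaluation per logged query.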