Computer-aided cryptographic proofs
Gilles Barthe, MPI-SP, Germany / IMDEA Software Institute, Spain
Computer-aided cryptography
Develop tool-assisted methodologies for helping the design, analysis, and implementation of cryptographic constructions (primitives and protocols).
Goals:
◮ Automated analysis of (symbolic or computational) security
◮ Independently verifiable proofs of (computational) security
◮ Verified implementations
◮ New designs and better implementations
◮ etc.
Building on formal methods:
◮ program analysis and verification / program synthesis
◮ compilation (certifying compilation / verified compilation)
◮ logic
◮ etc.
Potential benefits
Formal methods for cryptography:
◮ higher assurance
◮ smaller gap between provable security and crypto engineering
◮ new proof techniques
Cryptography for formal methods:
◮ challenging and non-standard examples
◮ new theories and applications
Challenges
◮ requirements: probabilistic guarantees, adversaries
◮ analysis: the composition of two secure systems need not be secure; proof methods for individual components are lacking; where methods exist, the proofs are overly complex
◮ implementation and deployment: security is not preserved by refinement; legacy; standardization; side-channels
Modern cryptography
◮ Shannon '49: mathematical proof of security; perfect secrecy is impossible in practice (it needs a key at least as long as the message)
◮ Diffie & Hellman '76, Goldwasser & Micali '82, Yao '82: computational security with asymptotic guarantees: a PPT adversary has negligible advantage
◮ Bellare & Rogaway '94: concrete bounds: the adversary's advantage to win in time t is ≤ p
Reductionist proof
(figure: a generic black-box construction builds the Scheme from the Primitive; a black-box reduction turns any Attack on the Scheme into an Attack on the Primitive)
Public-key encryption
Algorithms (K, E_pk, D_sk):
◮ E probabilistic
◮ D deterministic and partial
Key generation K outputs a key pair (sk, pk): pk is the public key, sk the secret key.
If (sk, pk) is a valid key pair, then D_sk(E_pk(m)) = m.
(figure: "hello" → Encryption under pk → "rwxtf" → Decryption under sk → "hello")
Indistinguishability (IND-CPA)
Game INDCPA(A):
  (sk, pk) ← K();
  (m0, m1) ← A1(pk);
  b ←$ {0,1};
  c* ← E_pk(m_b);
  b' ← A2(c*);
  return (b' = b)
(figure: the adversary sends m0 and m1, the challenger picks b and returns c* = E_pk(m_b), the adversary outputs b', and b' is compared with b)
Security requirement: for every efficient adversary A,
$$\left|\Pr_{\mathrm{INDCPA}(A)}[b' = b] - \tfrac{1}{2}\right| \text{ is small.}$$
One-way trapdoor permutations
Algorithms (K, f_pk, f^{-1}_sk):
◮ f_pk and f^{-1}_sk deterministic
Key generation K outputs a key pair (sk, pk): pk is the public key, sk the secret key.
If (sk, pk) is a valid key pair, then f^{-1}_sk(f_pk(m)) = m.
(figure: "hello" → f_pk → "rwxtf" → f^{-1}_sk → "hello")
One-way trapdoor permutations: the one-wayness game
Game OW(I):
  (sk, pk) ← K();
  y ←$ {0,1}^n;
  x* ← f_pk(y);
  y' ← I(x*);
  return (y' = y)
(figure: the challenger samples y, sends x* = f_pk(y) to the inverter I, which returns y'; y' is compared with y)
Security requirement: for every efficient inverter I,
$$\Pr_{\mathrm{OW}(I)}[y' = y] \text{ is small.}$$
Optimal Asymmetric Encryption Padding
Encryption E_OAEP(pk)(m):
  r ←$ {0,1}^{k0};
  s ← G(r) ⊕ (m ∥ 0^{k1});
  t ← H(s) ⊕ r;
  return f_pk(s ∥ t)
Decryption D_OAEP(sk)(c):
  (s, t) ← f^{-1}_sk(c);
  r ← t ⊕ H(s);
  if [s ⊕ G(r)]_{k1} = 0^{k1} then m ← [s ⊕ G(r)]_k else m ← ⊥;
  return m
Oracle H(x) (lazily sampled random oracle; G is defined in the same way, with output length k + k1):
  if x ∉ L then r ←$ {0,1}^{k0}; L ← (x, r) :: L;
  return L[x]
Notation: ⊕ exclusive or; ∥ concatenation; [·] projection; 0 zero bitstring.
OAEP: provable security
Game INDCCA(A) (A1 and A2 may query the decryption oracle D_sk, except A2 on c*):
  (sk, pk) ← K();
  (m0, m1) ← A1(pk);
  b ←$ {0,1};
  c* ← E_pk(m_b);
  b' ← A2(c*);
  return (b' = b)
Game SPDOW(I) (set partial-domain one-wayness):
  (sk, pk) ← K();
  y ←$ {0,1}^{k2};
  z ←$ {0,1}^{k3};
  x* ← f_pk(y ∥ z);
  Y' ← I(x*);
  return (y ∈ Y')
FOR ALL IND-CCA adversaries A against (K, E_OAEP, D_OAEP), THERE EXISTS a SPDOW adversary I against (K, f, f^{-1}) such that
$$\left|\Pr_{\mathrm{IND\text{-}CCA}(A)}[b' = b] - \tfrac{1}{2}\right| \le \Pr_{\mathrm{SPDOW}(I)}[y \in Y'] + \frac{3\,q_D\,q_G + q_D^2 + 4\,q_D + q_G}{2^{k_0}} + \frac{2\,q_D}{2^{k_1}}$$
and $t_I \le t_A + q_D\,q_G\,q_H\,T_f$, where q_D, q_G, q_H are the numbers of queries A makes to D_sk, G and H, and T_f is the cost of one evaluation of f.
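A worked implementation of E_OAEP, D_OAEP and the lazily sampled oracle of the previous slides, added here as an example; it is not code from the slides or from any verified EasyCrypt development. The trapdoor permutation f is instantiated with textbook RSA on a fixed toy modulus (an assumption, far too small to be secure), and the sizes n = 32, k = 16, k0 = k1 = 8, the oracle objects and all function names are assumptions of the example. The last function mauls a valid ciphertext and counts how often the k1 redundancy check sends the decryptor to ⊥, which is the behaviour the IND-CCA proof relies on.

```python
# Added example, not from the slides: E_OAEP / D_OAEP as written above, with
# the trapdoor permutation f instantiated by textbook RSA on a fixed toy key
# (assumption; deliberately too small to be secure) and G, H as lazily sampled
# random oracles in the style of the slide's "Oracle H(x)".
# Sizes are assumptions: n = 32 bits = k (16, message) + k0 (8, r) + k1 (8, zeros).
import random

P, Q, E = 65537, 65539, 17            # toy primes; N is slightly above 2^32
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # trapdoor exponent
PK, SK = (N, E), (N, D)

K, K0, K1 = 16, 8, 8                  # |m| = k, |r| = k0, redundancy 0^k1
NBITS = K + K0 + K1                   # |s ∥ t| = n; every n-bit value is < N

def f(pk, x):                         # f_pk, deterministic permutation of Z_N
    n, e = pk
    return pow(x, e, n)

def f_inv(sk, y):                     # f_sk^-1 via the trapdoor d
    n, d = sk
    return pow(y, d, n)

class RandomOracle:
    """if x ∉ L then r <-$ {0,1}^out_bits; L <- (x, r) :: L; return L[x]"""
    def __init__(self, out_bits, rng):
        self.out_bits, self.rng, self.L = out_bits, rng, {}
    def __call__(self, x):
        if x not in self.L:
            self.L[x] = self.rng.getrandbits(self.out_bits)
        return self.L[x]

def make_oracles(seed):
    rng = random.Random(seed)         # one RNG for r, for G and for H
    G = RandomOracle(K + K1, rng)     # G : {0,1}^k0 -> {0,1}^(k+k1)
    H = RandomOracle(K0, rng)         # H : {0,1}^(k+k1) -> {0,1}^k0
    return G, H, rng

def oaep_encrypt(pk, m, G, H, rng):
    """E_OAEP(pk)(m): r <-$ {0,1}^k0; s <- G(r) ⊕ (m ∥ 0^k1); t <- H(s) ⊕ r; return f_pk(s ∥ t)."""
    assert 0 <= m < (1 << K)
    r = rng.getrandbits(K0)
    s = G(r) ^ (m << K1)              # m ∥ 0^k1 is m shifted left by k1 bits
    t = H(s) ^ r
    return f(pk, (s << K0) | t)       # s ∥ t packed into one n-bit integer

def oaep_decrypt(sk, c, G, H):
    """D_OAEP(sk)(c): returns m, or None (⊥) when [s ⊕ G(r)]_{k1} != 0^k1."""
    st = f_inv(sk, c)
    s, t = st >> K0, st & ((1 << K0) - 1)
    r = t ^ H(s)
    padded = s ^ G(r)                 # should be m ∥ 0^k1
    if padded & ((1 << K1) - 1):      # redundancy check failed: reject
        return None
    return padded >> K1               # [s ⊕ G(r)]_k

def roundtrip(m, seed=1):
    G, H, rng = make_oracles(seed)
    return oaep_decrypt(SK, oaep_encrypt(PK, m, G, H, rng), G, H)

def maul_rejection_rate(trials=50, seed=2):
    """Flip one bit of a valid ciphertext and count how often D_OAEP rejects it.
    Because f is a permutation, the mauled preimage s' ∥ t' is unrelated to s ∥ t,
    so its k1 redundancy bits are all zero only with probability about 2^-k1."""
    G, H, rng = make_oracles(seed)
    rejected = 0
    for _ in range(trials):
        c = oaep_encrypt(PK, rng.getrandbits(K), G, H, rng)
        c_mauled = (c ^ (1 << rng.randrange(NBITS))) % N
        rejected += oaep_decrypt(SK, c_mauled, G, H) is None
    return rejected / trials

if __name__ == "__main__":
    print(hex(roundtrip(0xBEEF)), maul_rejection_rate())
```

Only the k1 redundancy bits stand between a mauled ciphertext and a useful decryption-oracle answer, which is where the 2 q_D / 2^{k1} term of the bound comes from. The engineering caveat behind the "side-channels" bullet of the Challenges slide applies here: D_OAEP must reach ⊥ in the same time and with the same error whichever check fails, since Manger (CRYPTO 2001) turned distinguishable failures in PKCS#1 v2.0 RSA-OAEP decryption into a chosen-ciphertext attack that the proof does not cover.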
OAEP: provable security (history)
◮ 1994 Bellare and Rogaway: purported proof of chosen-ciphertext security
◮ 2001 Shoup; Fujisaki, Okamoto, Pointcheval, Stern: the 1994 proof gives weaker security; the desired security holds
  ◮ under stronger assumptions
  ◮ for a modified scheme
◮ 2004 Pointcheval: filled gaps in the 2001 proof
◮ 2009 Bellare, Hofheinz, Kiltz: the security definition needs to be clarified
◮ 2011 BGLZ: fills gaps in the 2004 proof
Example: Bellare and Rogaway 1993 encryption
Encryption E_pk(m):
  r ←$ {0,1}^ℓ;
  s ← H(r) ⊕ m;
  y ← f_pk(r) ∥ s;
  return y
Game INDCPA(A):
  (sk, pk) ← K();
  (m0, m1) ← A1(pk);
  b ←$ {0,1};
  c* ← E_pk(m_b);
  b' ← A2(c*);
  return (b' = b)
For every adversary A, there exists an inverter I such that
$$\left|\Pr_{\mathrm{INDCPA}(A)}[b' = b] - \tfrac{1}{2}\right| \le \Pr_{\mathrm{OW}(I)}[y' = y].$$
Proof: game hopping technique
Game INDCPA:
  (sk, pk) ← K(); (m0, m1) ← A1(pk); b ←$ {0,1}; c* ← E_pk(m_b); b' ← A2(c*); return (b' = b)
  Encryption E_pk(m): r ←$ {0,1}^ℓ; h ← H(r); s ← h ⊕ m; c ← f_pk(r) ∥ s; return c
Game G (same main game; H(r) replaced by a fresh random value):
  Encryption E_pk(m): r ←$ {0,1}^ℓ; h ←$ {0,1}^k; s ← h ⊕ m; c ← f_pk(r) ∥ s; return c
Game G' (same main game; s sampled directly and h derived from it):
  Encryption E_pk(m): r ←$ {0,1}^ℓ; s ←$ {0,1}^k; h ← s ⊕ m; c ← f_pk(r) ∥ s; return c
Game OW:
  (sk, pk) ← K(); y ←$ {0,1}^ℓ; y' ← I(f_pk(y)); return (y = y')
  Adversary I(x):
    (m0, m1) ← A1(pk); s ←$ {0,1}^k; c* ← x ∥ s; b' ← A2(c*);
    y' ← [z ∈ L_A | f_pk(z) = x]   (L_A is the list of A's queries to H)
    return y'
Why the hops give the bound: INDCPA and G behave identically unless A queries H at r (in INDCPA, H(r) is uniform until it is queried), so their success probabilities differ by at most the probability of that query. G and G' are equivalent, since a uniform h with s = h ⊕ m and a uniform s with h = s ⊕ m have the same joint distribution; in G' the ciphertext is independent of b, so A guesses b with probability exactly 1/2. Finally, if A queries H at r in G then I finds r in L_A and inverts f_pk, so the probability of that query is at most Pr_OW(I)[y = y'].
1. For each hop:
◮ prove the validity of the pRHL judgment
◮ derive probability claims
◮ (possibly) resolve some probability expressions using pHL
2. Obtain the security bound by combining the claims
3. Check the execution time of the constructed adversary
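The Bellare–Rogaway 1993 scheme of the two previous slides, the IND-CPA and OW games, and the inverter I of the last hop, written out in Python as an added example; this is not code from the slides (a proof assistant such as EasyCrypt proves these statements, it does not execute them). Assumptions of the example: f is textbook RSA on a fixed toy key whose two primes are adjacent (deliberately weak), r is drawn from Z_N rather than {0,1}^ℓ, messages are 16-bit, H is a random oracle that logs its queries (the list L_A), and the two adversaries, a re-encrypting guesser and one that factors the toy modulus, are constructed for illustration. Running both through I shows what the reduction says: the adversary that breaks IND-CPA necessarily queries H at r, and I harvests that query to invert f.

```python
# Added example, not from the slides: BR93 encryption E_pk(m) = f_pk(r) ∥ (H(r) ⊕ m)
# over a toy textbook-RSA trapdoor permutation, the IND-CPA and OW games, and the
# inverter I(x) built from an IND-CPA adversary A. ASSUMPTIONS: fixed toy key with
# adjacent primes (weak on purpose), r <-$ Z_N instead of {0,1}^l, 16-bit messages,
# H a lazily sampled random oracle that records its queries (L_A on the slide).
import math
import random

P, Q, E = 65537, 65539, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = 16                                   # message length k

def keygen():                            # K(): returns the fixed toy (sk, pk)
    return (N, D), (N, E)

def f(pk, x):                            # f_pk(x) = x^e mod N
    return pow(x, pk[1], pk[0])

class LoggingOracle:
    """H : Z_N -> {0,1}^k, lazily sampled; every query is appended to self.queries."""
    def __init__(self, rng):
        self.rng, self.table, self.queries = rng, {}, []
    def __call__(self, x):
        self.queries.append(x)
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(K)
        return self.table[x]

def encrypt(pk, m, H, rng):
    """E_pk(m): r <-$ Z_N; s <- H(r) ⊕ m; return f_pk(r) ∥ s (kept as a pair)."""
    r = rng.randrange(pk[0])
    return (f(pk, r), H(r) ^ m)

def game_indcpa(adv, H, rng):            # Game INDCPA(A) from the slide
    sk, pk = keygen()
    m0, m1 = adv.choose(pk, H)           # A1
    b = rng.getrandbits(1)
    c = encrypt(pk, (m0, m1)[b], H, rng)
    return adv.guess(c, H, rng) == b     # A2, compared with b

def game_ow(inverter, H, rng):           # Game OW(I) from the slide
    sk, pk = keygen()
    y = rng.randrange(pk[0])
    return inverter(pk, f(pk, y), H, rng) == y

class Guesser:
    """Re-encrypts m0 and m1 and compares with c*; useless against a probabilistic scheme."""
    def choose(self, pk, H):
        self.pk, self.ms = pk, (0x1234, 0xABCD)
        return self.ms
    def guess(self, c, H, rng):
        for b, m in enumerate(self.ms):
            if encrypt(self.pk, m, H, rng) == c:
                return b
        return rng.getrandbits(1)

class FermatAdversary:
    """Breaks the toy key: p and q are adjacent, so Fermat's method factors N at
    once. With the trapdoor it inverts f, queries H at r and decrypts c* outright."""
    def choose(self, pk, H):
        n, e = pk
        a = math.isqrt(n) + 1
        while math.isqrt(a * a - n) ** 2 != a * a - n:
            a += 1
        b = math.isqrt(a * a - n)        # n = (a - b)(a + b)
        self.d = pow(e, -1, (a - b - 1) * (a + b - 1))
        self.pk, self.ms = pk, (0x1234, 0xABCD)
        return self.ms
    def guess(self, c, H, rng):
        x, s = c
        r = pow(x, self.d, self.pk[0])   # f^-1(x): recovers r ...
        return 0 if (H(r) ^ s) == self.ms[0] else 1   # ... and must query H(r)

def make_inverter(adv):
    """Adversary I(x) of the last hop: run A on c* = x ∥ s, then search L_A."""
    def I(pk, x, H, rng):
        m0, m1 = adv.choose(pk, H)
        s = rng.getrandbits(K)           # as in G': s uniform, independent of b
        adv.guess((x, s), H, rng)        # b' is not needed
        for z in H.queries:              # y' <- [z in L_A | f_pk(z) = x]
            if f(pk, z) == x:
                return z
        return None
    return I

def success_rate(game, player, trials, seed):
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        wins += game(player, LoggingOracle(rng), rng)   # fresh oracle per run
    return wins / trials

if __name__ == "__main__":
    for name, adv in (("guesser", Guesser()), ("fermat", FermatAdversary())):
        print(name, success_rate(game_indcpa, adv, 200, 1),
              success_rate(game_ow, make_inverter(adv), 200, 2))
```

The inverter's only extra work is one evaluation of f_pk per logged query, which is the step-3 check t_I ≤ t_A + q_H·T_f. The guesser wins IND-CPA with probability about 1/2 and I built from it almost never inverts f; the factoring adversary wins with probability 1 and I built from it inverts f with probability 1. Both pairs sit on the bound of the theorem, and the second also shows why "toy" moduli with close primes are not a harmless simplification.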