computer aided cryptographic proofs
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software - PowerPoint PPT Presentation

  1. Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

  2. Challenges with provable security
  Building or verifying reductionist proofs is hard
  ◮ Proofs are long and error-prone
  ◮ Rely on unstated and unverified invariants
  ◮ Intricate reasoning steps justified informally
  ◮ Verifying proofs is not much easier than building them
  Abstraction gap
  ◮ Provable security reasons about algorithmic descriptions
  ◮ Standards constrain implementations
  ◮ Attackers target executable code
  Computer-aided cryptography aims to address both challenges using formal methods

  3. Computer-aided cryptographic proofs: approach
  Leverage existing approaches from formal methods
  ◮ program logics, VC generation, invariant generation
  ◮ SMT solvers, theorem provers, proof assistants
  ◮ verified compilers
  The essence of our work: (code-based game-playing approach to) provable security = (relational) verification of probabilistic programs

  4. EasyCrypt
  ◮ Interactive proof assistant for cryptographic proofs
  ◮ Back-end to SMT solvers
  ◮ Libraries of common proof techniques (hybrid arguments, eager sampling, independence from the adversary's view, ...)
  ◮ General tools: probabilistic (relational) Hoare logics
  Case studies
  ◮ encryption, signatures, hash designs, key exchange protocols, zero-knowledge protocols, garbled circuits, ...
  ◮ (computational) differential privacy
  ◮ mechanism design

  5. Formal reasoning about cryptographic games
  ◮ Define programming language
  ◮ Give meaning to programs
  ◮ Reason about (relationships between) programs
  ◮ Reason directly about probabilities? Better not
  Probabilistic couplings
  ◮ Perfect for relational verification of probabilistic programs
  ◮ Reasoning about probabilities implicit
  ◮ Implicit in (many/most) code-based game-playing proofs

  6. Probabilistic couplings
  Idea
  ◮ Put two probabilistic systems in the same space
  ◮ Coordinate samplings
  Formal definition
  ◮ Let $\mu_1$ and $\mu_2$ be sub-distributions over $A$
  ◮ A sub-distribution $\mu$ over $A \times A$ is a coupling for $(\mu_1, \mu_2)$ iff $\pi_1(\mu) = \mu_1$ and $\pi_2(\mu) = \mu_2$
  Extends to distinct probabilistic spaces

  7. Application: simple random walk on integers
  ◮ Start at position p₀
  ◮ Each step, flip coin x ←$ flip
  ◮ Heads: p ← p + 1
  ◮ Tails: p ← p − 1
  Convergence
  Asymptotically, output distribution independent of initial position

  8. Coupling the walks to meet
  Case p₁ = p₂: walks have met
  ◮ Arrange samplings x₁ = x₂
  ◮ Continue to have p₁ = p₂
  Case p₁ ≠ p₂: walks have not met
  ◮ Arrange samplings x₁ = ¬x₂
  ◮ Walks make mirror moves
  If walks meet, they move together


  11. Why is this interesting?
  ◮ Start two random walks at w and w + 2k
  ◮ To show: output distributions converge asymptotically
  ◮ Once walks meet, they stay equal
  ◮ Distance is at most probability walks don't meet
  ◮ Reasoning up to failure event
  ◮ Show failure event has low probability asymptotically
  Next: couplings for cryptography
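The mirror-move coupling of slides 8 and 11, as an added Python simulation that is not part of the talk (start positions, step counts and seed are constructed): it runs both walks under the coupling and checks empirically that the distance between the two output distributions is at most the probability that the walks never meet.

```python
import random
from collections import Counter

def coupled_walks(p1, p2, steps, rng=random):
    """One run of two simple random walks under the coupling from the slides:
    mirror moves (x2 = not x1) while the walks differ, the same coin once they
    are equal. Each walk alone still flips a fair coin at every step, so the
    pair is a coupling of the two uncoupled walks.
    Returns (final p1, final p2, whether the walks were ever at the same position)."""
    met = p1 == p2
    for _ in range(steps):
        x1 = rng.random() < 0.5            # heads for walk 1
        x2 = x1 if p1 == p2 else (not x1)  # coordinated sampling for walk 2
        p1 += 1 if x1 else -1
        p2 += 1 if x2 else -1
        met = met or p1 == p2
    return p1, p2, met

def coupling_bound(start1, start2, steps, trials, seed=1):
    """Empirical form of slide 11's 'distance is at most Pr[walks don't meet]':
    returns (total-variation distance between the two final-position
    distributions, fraction of runs in which the walks never met). The first
    is bounded by the second because walks that have met end at the same place."""
    rng = random.Random(seed)
    c1, c2, never_met = Counter(), Counter(), 0
    for _ in range(trials):
        q1, q2, met = coupled_walks(start1, start2, steps, rng)
        c1[q1] += 1
        c2[q2] += 1
        never_met += not met
    tv = sum(abs(c1[k] - c2[k]) for k in c1.keys() | c2.keys()) / (2 * trials)
    return tv, never_met / trials
```

Starting the walks at w and w + 2k (even gap) matters: with an odd gap the mirror moves keep the difference odd forever, so the walks never meet and the bound says nothing.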

  12. Public-key encryption
  Algorithms (K, E_pk, D_sk)
  ◮ E probabilistic
  ◮ D deterministic and partial
  If (sk, pk) is a valid key pair, D_sk(E_pk(m)) = m
  [Figure: key generation yields a public key and a secret key; "hello" is encrypted under the public key to "rwxtf" and decrypted under the secret key back to "hello"]

  13. Indistinguishability
  Game IND-CPA(A):
    (sk, pk) ← K();
    (m₀, m₁) ← A₁(pk);
    b ←$ {0, 1};
    c⋆ ← E_pk(m_b);
    b′ ← A₂(c⋆);
    return (b′ = b)
  [Figure: the adversary outputs m₀ and m₁; the challenger picks b, encrypts m_b under E_pk to c⋆ and hands it to the adversary, who answers b′ and wins if b′ = b]
  Security: $\left|\Pr[\mathrm{IND\text{-}CPA}(A) : b' = b] - \tfrac{1}{2}\right|$ small

  23. One-way trapdoor permutations
  Algorithms (K, f_pk, f⁻¹_sk)
  ◮ f_pk and f⁻¹_sk deterministic
  If (sk, pk) is a valid key pair, f⁻¹_sk(f_pk(m)) = m
  [Figure: as for public-key encryption: key generation yields (pk, sk); "hello" maps under f_pk to "rwxtf" and back under f⁻¹_sk to "hello"]

  24. One-way trapdoor permutations
  Game OW(I):
    (sk, pk) ← K();
    y ←$ {0, 1}^n;
    x⋆ ← f_pk(y);
    y′ ← I(x⋆);
    return (y′ = y)
  [Figure: y is sampled, mapped to x⋆ = f_pk(y) and handed to the inverter I, which answers y′ and wins if y′ = y]
  Security: $\Pr[\mathrm{OW}(I) : y' = y]$ small

  31. Random oracles
  ◮ Idealized model of hash function
  ◮ Modeled as stateful procedure
  Oracle H(x):
    if x ∉ L then
      r ←$ {0, 1}^k;
      L ← (x, r) :: L;
    return L[x];

  32. Example: padding-based encryption
  Game IND-CPA(A):
    (sk, pk) ← K();
    (m₀, m₁) ← A₁(pk);
    b ←$ {0, 1};
    c⋆ ← E_pk(m_b);
    b′ ← A₂(c⋆);
    return (b′ = b)
  Encryption E_pk(m):
    r ←$ {0, 1}^ℓ;
    s ← H(r) ⊕ m;
    y ← f_pk(r) ∥ s;
    return y
  For every IND-CPA adversary A, there exists an inverter I such that
  $\left|\Pr[\mathrm{IND\text{-}CPA}(A) : b' = b] - \tfrac{1}{2}\right| \le \Pr[\mathrm{OW}(I) : y' = y]$

  33. Proof
  Game hopping technique
  Game INDCPA:
    (sk, pk) ← K();
    (m₀, m₁) ← A₁(pk);
    b ←$ {0, 1};
    c⋆ ← E_pk(m_b);
    b′ ← A₂(c⋆);
    return (b′ = b)
  Encryption E_pk(m):
    r ←$ {0, 1}^ℓ;
    h ← H(r);
    s ← h ⊕ m;
    c ← f_pk(r) ∥ s;
    return c
  Game G: same main body as Game INDCPA, with
  Encryption E_pk(m):
    r ←$ {0, 1}^ℓ;
    h ←$ {0, 1}^k;
    s ← h ⊕ m;
    c ← f_pk(r) ∥ s;
    return c
  Game G′: same main body as Game INDCPA, with
  Encryption E_pk(m):
    r ←$ {0, 1}^ℓ;
    s ←$ {0, 1}^k;
    h ← s ⊕ m;
    c ← f_pk(r) ∥ s;
    return c
  Game OW:
    (sk, pk) ← K();
    y ←$ {0, 1}^ℓ;
    y′ ← I(f_pk(y));
    return y = y′
  Adversary I(x):
    (m₀, m₁) ← A₁(pk);
    s ←$ {0, 1}^k;
    c⋆ ← x ∥ s;
    b′ ← A₂(c⋆);
    y′ ← [z ∈ L_A^H | f_pk(z) = x];
    return y′
  1. Prove a probability claim for each hop
  2. Obtain security bound by combining claims
  3. Check execution time of constructed adversary
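The stateful random oracle of slide 31, the padding-based scheme of slide 32 and the inverter I of slide 33, as an added Python simulation that is not from the talk or from EasyCrypt. The "trapdoor permutation" is a constructed, deliberately invertible toy, and the adversary A is handed its trapdoor so that it wins IND-CPA; the point of the run is that I recovers y from A's oracle queries alone, exactly as in the last hop of the proof.

```python
import secrets
ELL, K = 16, 16            # bit lengths: ℓ for r and the TDP domain, k for H's output
M0, M1 = 0x1234, 0xBEEF    # constructed message pair that A1 outputs

class RandomOracle:
    """Stateful H from the slides: sample on first query, replay from L after."""
    def __init__(self):
        self.L = {}   # x -> r; doubles as the query log L_A^H the inverter inspects
    def __call__(self, x):
        if x not in self.L:
            self.L[x] = secrets.randbits(K)
        return self.L[x]

# Constructed toy "trapdoor permutation" on {0,1}^ℓ: y -> a*y + b mod 2^ℓ with a odd.
# It is NOT one-way (a is public); it only gives the games something to run on.
def keygen():
    a, b = secrets.randbits(ELL) | 1, secrets.randbits(ELL)
    return (pow(a, -1, 2 ** ELL), b), (a, b)          # (sk, pk)

def f(pk, y):     return (pk[0] * y + pk[1]) % 2 ** ELL         # f_pk
def f_inv(sk, x): return (sk[0] * (x - sk[1])) % 2 ** ELL       # f^-1_sk

def encrypt(pk, H, m):     # E_pk(m) = f_pk(r) ∥ (H(r) ⊕ m), returned as a pair
    r = secrets.randbits(ELL)
    return f(pk, r), H(r) ^ m

def A2(H, c, sk_leak):
    """Constructed adversary that wins IND-CPA by inverting the toy f (the leak
    stands in for any attack that recovers r): to unmask m it must query H(r)."""
    x, s = c
    return 1 if H(f_inv(sk_leak, x)) ^ s == M1 else 0

def inverter(pk, x, run_A2):
    """I(x) from the proof: hand A the challenge x ∥ s for a random s, then search
    A's oracle queries for z with f_pk(z) = x. I never touches sk itself."""
    H, s = RandomOracle(), secrets.randbits(K)
    run_A2(H, (x, s))
    return next((z for z in H.L if f(pk, z) == x), None)

def ind_cpa_game():
    """Game IND-CPA(A): returns whether b' = b."""
    sk, pk = keygen()
    H, b = RandomOracle(), secrets.randbits(1)
    return A2(H, encrypt(pk, H, (M0, M1)[b]), sk) == b

def ow_game():
    """Game OW(I) with I built from the same adversary: returns whether y' = y."""
    sk, pk = keygen()
    y = secrets.randbits(ELL)
    return inverter(pk, f(pk, y), lambda H, c: A2(H, c, sk)) == y
```

With this adversary both games are won every time, which is the bound of slide 32 in its extreme case: an A whose IND-CPA advantage is 1/2 yields an I with OW success 1.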
