Computer-aided cryptography
Gilles Barthe, IMDEA Software Institute, Madrid, Spain
May 17, 2015
Modern cryptography
◮ Shannon '49: mathematical proof of security; perfect secrecy is impossible
◮ Diffie & Hellman '76: computational security
◮ Goldwasser & Micali '82, Yao '82: asymptotic guarantees; a PPT adversary has negligible advantage
◮ Bellare & Rogaway '94: concrete bounds; the adversary's advantage to win in time t is ≤ p
Pillars of provable security
◮ Definitions
◮ Constructions (built to meet a definition)
◮ Proofs: Assumption, Construction, Definition; an Attack on the construction is turned by a Reduction into an Attack on the assumption
Public-key encryption
Algorithms (K, E_pk, D_sk):
◮ E probabilistic
◮ D deterministic and partial
Key generation K produces a key pair (sk, pk): the public key pk is used for encryption, the secret key sk for decryption.
If (sk, pk) is a valid key pair, D_sk(E_pk(m)) = m (e.g. "hello" encrypts to "rwxtf" and decrypts back to "hello").
Indistinguishability
Game IND-CCA(A):
  (sk, pk) ← K();
  (m0, m1) ← A1(pk);
  b ←$ {0, 1};
  c* ← E_pk(m_b);
  b' ← A2(c*);
  return (b' = b)
The adversary chooses two messages m0, m1, receives the encryption c* of m_b for a secret random bit b, and outputs a guess b'. Security requires
$$\left|\Pr_{\mathrm{IND\text{-}CCA}(A)}[b' = b] - \tfrac{1}{2}\right| \text{ small}$$
Optimal Asymmetric Encryption Padding
Encryption E_OAEP(pk)(m):
  r ←$ {0,1}^{k0};
  s ← G(r) ⊕ (m ∥ 0^{k1});
  t ← H(s) ⊕ r;
  return f_pk(s ∥ t)
Decryption D_OAEP(sk)(c):
  (s, t) ← f_sk^{-1}(c);
  r ← t ⊕ H(s);
  if ([s ⊕ G(r)]_{k1} = 0^{k1}) then { m ← [s ⊕ G(r)]^{k}; } else { m ← ⊥; }
  return m
Oracle G(x):
  if x ∉ L_G then { r ←$ {0,1}^{k}; L_G ← (x, r) :: L_G; }
  return L_G[x]
Oracle H(x):
  if x ∉ L_H then { r ←$ {0,1}^{k'}; L_H ← (x, r) :: L_H; }
  return L_H[x]
Game sPDOW(I):
  (sk, pk) ← K();
  y0 ←$ {0,1}^{n0}; y1 ←$ {0,1}^{n1};
  y ← y0 ∥ y1;
  x* ← f_pk(y);
  Y' ← I(x*);
  return (y0 ∈ Y')
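A toy instantiation of the padding and unpadding above, added here as an illustration (this is not code from the slides or from EasyCrypt). It keeps the slide's structure exactly: G and H are lazily sampled random oracles programmed the way the oracle pseudocode does it, and the trapdoor permutation f is stood in for by a random permutation table over a small domain (4-bit r, 8-bit s, 4 padding bits), so that both encryption and the padding check can be exercised exhaustively. The bit sizes and the table-based f are constructed assumptions, not the scheme's real parameters.

```python
import random

# Toy parameters in bits: s is K bits, r and t are K0 bits, and decryption checks
# that the low K1 bits of s xor G(r) are zero. Sizes are constructed for illustration.
K0, K1, K = 4, 4, 8
MLEN = K - K1              # message length in bits (m || 0^k1 must be K bits)
N = K + K0                 # f permutes {0,1}^N, the length of s || t

class LazyOracle:
    """Random oracle by lazy sampling, mirroring the slide's
    'if x not in L then r <-$ {0,1}^out; L <- (x, r) :: L; return L[x]'."""
    def __init__(self, out_bits, rng):
        self.table, self.out_bits, self.rng = {}, out_bits, rng
    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.out_bits)
        return self.table[x]

def keygen(rng):
    """Constructed stand-in for (K, f, f^-1): a uniformly random permutation of {0,1}^N.
    pk is the forward table, sk the inverse table."""
    perm = list(range(1 << N))
    rng.shuffle(perm)
    inv = [0] * (1 << N)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv, perm       # (sk, pk)

def oaep_encrypt(pk, G, H, m, r):
    assert 0 <= m < (1 << MLEN) and 0 <= r < (1 << K0)
    s = G(r) ^ (m << K1)           # s <- G(r) xor (m || 0^k1)
    t = H(s) ^ r                   # t <- H(s) xor r
    return pk[(s << K0) | t]       # f_pk(s || t)

def oaep_decrypt(sk, G, H, c):
    st = sk[c]                     # (s, t) <- f^-1_sk(c)
    s, t = st >> K0, st & ((1 << K0) - 1)
    r = t ^ H(s)
    padded = s ^ G(r)
    if padded & ((1 << K1) - 1) != 0:   # [s xor G(r)]_{k1} must equal 0^k1
        return None                # bottom: reject without leaking anything else
    return padded >> K1            # [s xor G(r)]^k, the message bits

def roundtrip_all(seed=1):
    """D_sk(E_pk(m)) = m for every message in the toy space, with fresh random r each time."""
    rng = random.Random(seed)
    G, H = LazyOracle(K, rng), LazyOracle(K0, rng)
    sk, pk = keygen(rng)
    return all(oaep_decrypt(sk, G, H, oaep_encrypt(pk, G, H, m, rng.getrandbits(K0))) == m
               for m in range(1 << MLEN))

def bad_padding_rejected(seed=1):
    """A ciphertext whose unpadded s has a non-zero low bit must decrypt to bottom."""
    rng = random.Random(seed)
    G, H = LazyOracle(K, rng), LazyOracle(K0, rng)
    sk, pk = keygen(rng)
    m, r = 5, 3
    s = (G(r) ^ (m << K1)) ^ 1     # flip the lowest padding bit of s
    t = H(s) ^ r
    return oaep_decrypt(sk, G, H, pk[(s << K0) | t]) is None
```

The decryption routine deliberately returns a single failure value for any padding mismatch, which is the behaviour the game's decryption oracle D assumes; the k1 zero bits are what make a forged ciphertext decrypt to ⊥ with overwhelming probability.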
OAEP: provable security
FOR ALL IND-CCA adversaries A against (K, E_OAEP, D_OAEP), THERE EXISTS an sPDOW adversary I against (K, f, f^{-1}) such that
$$\left|\Pr_{\mathrm{IND\text{-}CCA}(A)}[b' = b] - \tfrac{1}{2}\right| \le \Pr_{\mathrm{sPDOW}(I)}[y_0 \in Y'] + \frac{3 q_D q_G + q_D^2 + 4 q_D + q_G}{2^{k_0}} + \frac{2 q_D}{2^{k_1}}$$
and $t_I \le t_A + q_D\, q_G\, q_H\, T_f$.
OAEP: history
◮ 1994, Bellare and Rogaway: purported proof of chosen-ciphertext security
◮ 2001, Shoup: the 1994 proof gives weaker security; the desired security holds under stronger assumptions, or for a modified scheme
◮ 2004, Fujisaki, Okamoto, Pointcheval, Stern: filled gaps in the 2001 proof
◮ 2009, Bellare, Hofheinz, Kiltz: the security definition needs to be clarified
◮ 2011, BGLZ: fills gaps in the 2004 proof
An isolated problem?
◮ "In our opinion, many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor." (Bellare and Rogaway, 2004-2006)
◮ "Do we have a problem with cryptographic proofs? Yes, we do [...] We generate more proofs than we carefully verify (and as a consequence some of our published proofs are incorrect)." (Halevi, 2005)
Approach: computer-aided cryptographic proofs
◮ adhere to cryptographic practice
  ☞ same guarantees
  ☞ same level of abstraction
  ☞ same proof techniques
◮ leverage existing verification techniques and tools
  ☞ program logics, VC generation, invariant generation
  ☞ SMT solvers, theorem provers, proof assistants
(code-based game-playing) provable security = deductive relational verification of parametrized probabilistic programs
EasyCrypt
Next generation program verification environment
◮ full-fledged proof assistant (inspired by SSReflect)
◮ backend to SMT solvers and CAS
◮ native embedding of rich probabilistic language
◮ probabilistic Relational Hoare Logic for game hopping
◮ probabilistic Hoare Logic for bounding probabilities
◮ libraries of proof techniques
◮ module system and theory mechanism
◮ (soon) automation from symbolic cryptography
Applications
Emblematic examples
◮ encryption, signatures, hash designs, key exchange protocols, zero knowledge protocols, garbled circuits, secure function evaluation, verifiable computation
◮ (computational) differential privacy, mechanism design
Ongoing examples
◮ SHA3
◮ Voting
A language for cryptographic games
  C ::= skip                      skip
      | V ← E                     assignment
      | V ←$ D                    random sampling
      | C; C                      sequence
      | if E then C else C        conditional
      | while E do C              while loop
      | V ← P(E, ..., E)          procedure call
◮ E: (higher-order) expressions, user extensible
◮ D: discrete sub-distributions
◮ P: procedures (concrete or abstract)
Programs are interpreted as sub-distribution transformers: ⟦c⟧ : M → distr(M)
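To make the sub-distribution semantics concrete, here is a small exact interpreter for the game language above, added as an illustration (it is not EasyCrypt's implementation). Programs are nested tuples, states are dictionaries, and ⟦c⟧ m is a dictionary from (frozen) states to rational probabilities. Procedure calls are left out, and loops are unrolled up to a fuel bound: executions that have not terminated by then simply contribute no mass, which is exactly why the result is a sub-distribution rather than a distribution. The two sample programs (a one-time pad step and a coin-flipping loop) are constructed for the demonstration.

```python
from fractions import Fraction

def freeze(state):
    """Hashable key for a state (a dict of program variables)."""
    return tuple(sorted(state.items()))

def uniform(values):
    """A discrete distribution D, as a dict value -> probability."""
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}

def point(state):
    """Dirac sub-distribution delta_state."""
    return {freeze(state): Fraction(1)}

def interp(c, state, fuel=32):
    """[[c]] state: the sub-distribution over output states produced by c from a single state.
    Commands: ('skip',), ('assign', v, e), ('sample', v, d), ('seq', c1, c2),
    ('if', e, c1, c2), ('while', e, body); e and d are Python functions of the state."""
    kind = c[0]
    if kind == 'skip':
        return point(state)
    if kind == 'assign':
        _, v, e = c
        return point({**state, v: e(state)})
    if kind == 'sample':
        _, v, d = c
        out = {}
        for val, p in d(state).items():
            key = freeze({**state, v: val})
            out[key] = out.get(key, Fraction(0)) + p
        return out
    if kind == 'seq':
        _, c1, c2 = c
        return bind(interp(c1, state, fuel), c2, fuel)
    if kind == 'if':
        _, e, c1, c2 = c
        return interp(c1 if e(state) else c2, state, fuel)
    if kind == 'while':
        _, e, body = c
        if not e(state):
            return point(state)
        if fuel == 0:
            return {}               # unrolling budget exhausted: this path carries no mass
        return bind(interp(body, state, fuel), c, fuel - 1)
    raise ValueError(f"unknown construct {kind}")

def bind(dist, c, fuel):
    """Lift [[c]] from states to sub-distributions by linearity (monadic bind)."""
    out = {}
    for fstate, p in dist.items():
        for key, q in interp(c, dict(fstate), fuel).items():
            out[key] = out.get(key, Fraction(0)) + p * q
    return out

def marginal(dist, v):
    """Distribution of one program variable under a sub-distribution over states."""
    out = {}
    for fstate, p in dist.items():
        val = dict(fstate)[v]
        out[val] = out.get(val, Fraction(0)) + p
    return out

# Constructed program 1: r <-$ {0..3}; s <- r xor m   (a one-time pad step on 2-bit values)
OTP = ('seq',
       ('sample', 'r', lambda st: uniform(range(4))),
       ('assign', 's', lambda st: st['r'] ^ st['m']))

def otp_ciphertext_dist(m):
    """The distribution of s is uniform whatever m is: the ciphertext reveals nothing."""
    return marginal(interp(OTP, {'m': m}), 's')

# Constructed program 2: while b = 1 do b <-$ {0,1}   (terminates with probability 1, but not in bounded time)
LOOP = ('while', lambda st: st['b'] == 1,
        ('sample', 'b', lambda st: uniform([0, 1])))

def loop_mass(fuel):
    """Total mass of the sub-distribution after `fuel` unrollings: 1 - 2^-fuel."""
    return sum(interp(LOOP, {'b': 1}, fuel).values(), Fraction(0))
```

Because the interpreter is exact (rationals, no sampling), two programs can be compared by equality of their output distributions, which is the semantic fact a pRHL judgment like ⊨ {m⟨1⟩ = 0 ∧ m⟨2⟩ = 3} OTP ∼ OTP {s⟨1⟩ = s⟨2⟩} ultimately rests on.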
Probabilistic Relational Hoare Logic
◮ Judgments ⊨ {P} c1 ∼ c2 {Q}
◮ P and Q are relations on states (not on state distributions!); essential to generate VCs in predicate logic
◮ If ⊨ {P} c1 ∼ c2 {A⟨1⟩ ⇒ B⟨2⟩} is valid then for all m1, m2 ∈ M such that P m1 m2, we have Pr_{c1,m1}[A] ≤ Pr_{c2,m2}[B]
◮ ⊨ {P} c1 ∼ c2 {Q} is valid iff for all m1, m2 ∈ M, P m1 m2 implies Q♯ (⟦c1⟧ m1) (⟦c2⟧ m2)
Lifting
Q♯ is the smallest relation that satisfies:
◮ If Q s t then Q♯ δ_s δ_t
◮ If Q♯ μ_i ν_i for all i and $\sum_i p_i = 1$, then $Q^\sharp \left(\sum_i p_i\, \mu_i\right) \left(\sum_i p_i\, \nu_i\right)$
Strong ties with coupling and probabilistic bisimulation.
Theorem. $Q^\sharp\, \mu_1\, \mu_2$ iff there exists $\mu \in \Gamma(\mu_1, \mu_2)$ such that $\mu(\overline{Q}) = 0$ (the coupling puts no mass outside Q), where $\Gamma(\mu_1, \mu_2) = \{ \mu \in \mathcal{D}(A \times B) \mid \pi_i(\mu) = \mu_i \}$.
Also related to the maximum flow problem.
Flow networks
[Figure: bipartite flow network with source ⊥ and sink ⊤; left nodes a_1, ..., a_n with edge capacities μ_1(a_1), ..., μ_1(a_n) from ⊥, right nodes b_1, ..., b_m with edge capacities μ_2(b_1), ..., μ_2(b_m) to ⊤, and an edge from a_i to b_j whenever Q a_i b_j holds.]
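The lifting theorem and the flow network above are two views of the same decision procedure, so here is one added example that covers both (illustrative code, not EasyCrypt's): build the network of the figure, run a max-flow (Edmonds-Karp, with exact rationals), and read the coupling μ ∈ Γ(μ1, μ2) off the flow on the a_i → b_j edges. A coupling supported on Q exists exactly when the maximum flow saturates the source edges, i.e. equals the common mass of μ1 and μ2. The last function checks the consequence stated on the pRHL slide: a lifting of A⟨1⟩ ⇒ B⟨2⟩ witnesses Pr_{μ1}[A] ≤ Pr_{μ2}[B]. All sample distributions and relations are constructed.

```python
from collections import deque
from fractions import Fraction

def uniform(values):
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}

def max_flow(cap, src, sink):
    """Edmonds-Karp on a capacity dict cap[u][v] (Fractions). Returns (value, flow dict)."""
    for u in list(cap):                       # add residual reverse edges
        for v in list(cap[u]):
            cap.setdefault(v, {}).setdefault(u, Fraction(0))
    flow = {u: {v: Fraction(0) for v in cap[u]} for u in cap}
    total = Fraction(0)
    while True:
        parent, queue = {src: None}, deque([src])   # BFS for a shortest augmenting path
        while queue and sink not in parent:
            u = queue.popleft()
            for v in cap[u]:
                if v not in parent and cap[u][v] - flow[u][v] > 0:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return total, flow
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] - flow[u][v] for u, v in path)
        for u, v in path:
            flow[u][v] += push
            flow[v][u] -= push
        total += push

def lift(Q, mu1, mu2):
    """Decide Q# mu1 mu2. Returns a coupling {(a, b): mass} supported on Q, or None.
    Network as in the figure: src -> a (cap mu1(a)), a -> b iff Q a b, b -> sink (cap mu2(b))."""
    cap = {'src': {}, 'sink': {}}
    for a, p in mu1.items():
        cap['src'][('a', a)] = p
        cap[('a', a)] = {('b', b): Fraction(1) for b in mu2 if Q(a, b)}   # mass <= 1, so cap 1 is "unbounded"
    for b, p in mu2.items():
        cap.setdefault(('b', b), {})['sink'] = p
    total, flow = max_flow(cap, 'src', 'sink')
    if total != sum(mu1.values()) or total != sum(mu2.values()):
        return None                           # source or sink edges not saturated: no coupling inside Q
    return {(a, b): flow[('a', a)][('b', b)]
            for a in mu1 for b in mu2 if Q(a, b) and flow[('a', a)][('b', b)] > 0}

def implication_bound(mu1, A, mu2, B):
    """pRHL consequence: a lifting of (A<1> => B<2>) gives Pr_mu1[A] <= Pr_mu2[B].
    Returns (lifting exists, Pr_mu1[A], Pr_mu2[B])."""
    coupling = lift(lambda a, b: (not A(a)) or B(b), mu1, mu2)
    pr_a = sum((p for a, p in mu1.items() if A(a)), Fraction(0))
    pr_b = sum((p for b, p in mu2.items() if B(b)), Fraction(0))
    return coupling is not None, pr_a, pr_b
```

For the equality relation this is a direct check that two sampled variables can be made to agree, which is the typical postcondition of a game hop; for a relation such as a ≠ b it finds the "anti-diagonal" coupling, showing that liftings are about matching mass, not about identical outcomes.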
pRHL rules
◮ One-sided and two-sided rules for most constructions. Two-sided conditional:
    P ⇒ e⟨1⟩ = e'⟨2⟩    ⊨ {P ∧ e⟨1⟩} c1 ∼ c1' {Q}    ⊨ {P ∧ ¬e⟨1⟩} c2 ∼ c2' {Q}
    -------------------------------------------------------------------------
    ⊨ {P} if e then c1 else c2 ∼ if e' then c1' else c2' {Q}
  One-sided conditional:
    ⊨ {P ∧ e⟨1⟩} c1 ∼ c {Q}    ⊨ {P ∧ ¬e⟨1⟩} c2 ∼ c {Q}
    --------------------------------------------------
    ⊨ {P} if e then c1 else c2 ∼ c {Q}
◮ Two-sided rule for adversary calls and loops
◮ Second-order existential quantification for random sampling:
    h is 1-1 and ∀a, μ(a) = μ'(h(a))
    ------------------------------------------------------
    ⊨ {∀v, Q{h v / x⟨1⟩}{v / x⟨2⟩}} x ←$ μ ∼ x ←$ μ' {Q}
Example: Bellare and Rogaway 1993 encryption
Encryption E_pk(m):
  r ←$ {0,1}^ℓ;
  s ← H(r) ⊕ m;
  y ← f_pk(r) ∥ s;
  return y
Game IND-CPA(A):
  (sk, pk) ← K();
  (m0, m1) ← A1(pk);
  b ←$ {0,1};
  c* ← E_pk(m_b);
  b' ← A2(c*);
  return (b' = b)
For every IND-CPA adversary A, there exists an inverter I such that
$$\left|\Pr_{\mathrm{IND\text{-}CPA}(A)}[b' = b] - \tfrac{1}{2}\right| \le \Pr_{\mathrm{OW}(I)}[y' = y]$$
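The reduction behind this statement is mechanical enough to run, so here is an added toy execution of it (illustrative code, not from the slides or EasyCrypt). Both games are implemented as written above, with H a lazily sampled random oracle that records its queries; the inverter I is the standard one for this proof: it runs A on a challenge whose f-part is the one-wayness instance y and whose second half is a fresh random string, then returns any H-query r with f_pk(r) = y. As on the OAEP example, f is stood in for by a random permutation table on 8-bit strings, which is a constructed assumption that only serves to keep the games exhaustive; the two adversaries are constructed as well, one that does query H at the right point and one that never queries H, so the reader can see that I inherits exactly the advantage that comes through H.

```python
import random

ELL = 8   # bit length of r; constructed toy size so that f fits in a lookup table

def keygen(rng):
    """Constructed stand-in for the trapdoor permutation: pk is a random permutation table of {0,1}^ELL."""
    perm = list(range(1 << ELL))
    rng.shuffle(perm)
    return perm

class RO:
    """Lazily sampled random oracle H : {0,1}^ELL -> {0,1}^ELL that also records every query."""
    def __init__(self, rng):
        self.rng, self.table, self.queries = rng, {}, []
    def __call__(self, x):
        self.queries.append(x)
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(ELL)
        return self.table[x]

def br93_encrypt(pk, H, m, rng):
    r = rng.getrandbits(ELL)
    return (pk[r], H(r) ^ m)            # y = f_pk(r) || s with s = H(r) xor m

def ind_cpa(adv, rng):
    """Game IND-CPA(A) from the slide; returns True iff b' = b."""
    pk, H = keygen(rng), RO(rng)
    m0, m1 = adv.choose(pk, H)
    b = rng.getrandbits(1)
    c = br93_encrypt(pk, H, (m0, m1)[b], rng)
    return adv.guess(pk, H, c) == b

def inverter(adv, pk, y, rng):
    """The inverter I built from A: simulate A's view with the OW instance y in the challenge
    and return an H-query that inverts y (a random guess if A never made one)."""
    H = RO(rng)
    adv.choose(pk, H)
    adv.guess(pk, H, (y, rng.getrandbits(ELL)))
    hits = [r for r in H.queries if pk[r] == y]
    return hits[0] if hits else rng.getrandbits(ELL)

def ow_game(adv, rng):
    """Game OW(I): x <-$ {0,1}^ELL; y <- f_pk(x); return I(y) = x."""
    pk = keygen(rng)
    x = rng.getrandbits(ELL)
    return inverter(adv, pk, pk[x], rng) == x

class TableInvertingAdv:
    """Constructed adversary that wins against the toy f by searching the 256-entry table,
    then asking H(r); on a real trapdoor permutation this search is exactly what is infeasible."""
    def choose(self, pk, H):
        return 0x00, 0xFF
    def guess(self, pk, H, c):
        y, s = c
        r = pk.index(y)
        return 0 if H(r) ^ s == 0x00 else 1

class NonQueryingAdv:
    """Constructed adversary that never queries H and therefore can only guess b."""
    def choose(self, pk, H):
        return 0x00, 0xFF
    def guess(self, pk, H, c):
        return 0

def win_rate(game, adv, trials=200, seed=7):
    rng = random.Random(seed)
    return sum(game(adv, rng) for _ in range(trials)) / trials
```

The point of running it is the pairing of the two rates: the adversary that breaks IND-CPA does so only by querying H at r, and that query is precisely what I extracts, whereas the adversary that ignores H sits at advantage 0 and gives I nothing beyond a random guess.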