deciding indistinguishability a decision result for a set
play

Deciding Indistinguishability: A Decision Result for a Set of - PowerPoint PPT Presentation

Deciding Indistinguishability: A Decision Result for a Set of Cryptographic Game Transformations Adrien Koutsos March 13, 2018 Adrien Koutsos Deciding Indistinguishability March 13, 2018 1 / 37 Introduction 1 The Model 2 Game


  1. Deciding Indistinguishability: A Decision Result for a Set of Cryptographic Game Transformations Adrien Koutsos March 13, 2018 Adrien Koutsos Deciding Indistinguishability March 13, 2018 1 / 37

  2. Introduction 1 The Model 2 Game Transformations 3 Basic Games Game Transformations Decision Result 4 Conclusion 5 Adrien Koutsos Deciding Indistinguishability March 13, 2018 2 / 37

  3. Introduction Motivation Security protocols are distributed programs which aim at providing some security properties. They are extensively used, and bugs can be very costly. Security protocols are often short, but the security properties are complex. ⇒ Need to use formal methods. Adrien Koutsos Deciding Indistinguishability March 13, 2018 3 / 37

  4. Introduction Goal of this work We focus on fully automatic proofs of indistinguishability properties in the computational model: Computational model: the adversary is any probabilistic polynomial time Turing machine . This offers strong security guarantees. Indistinguishability properties: e.g. strong secrecy, anonymity or unlinkability. Fully automatic: we want a complete decision procedure. Adrien Koutsos Deciding Indistinguishability March 13, 2018 4 / 37

  5. The Private Authentication Protocol $ A’ : n A’ ← $ B : n B ← 1 : A’ − → B : {� pk ( A’ ) , n A’ �} pk ( B ) � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise Adrien Koutsos Deciding Indistinguishability March 13, 2018 5 / 37

  6. Introduction 1 The Model 2 Game Transformations 3 Basic Games Game Transformations Decision Result 4 Conclusion 5 Adrien Koutsos Deciding Indistinguishability March 13, 2018 6 / 37

  7. Model: Messages Messages In the computational model, a message is a distribution over bitstrings . We only consider distribution built using: Random uniform sampling n A , n B . . . over { 0 , 1 } η . Function applications: A , B , � _ , _ � , π i ( _ ) , { _ } _ , pk ( _ ) , sk ( _ ) , if _ then _ else _ . . . . Adrien Koutsos Deciding Indistinguishability March 13, 2018 7 / 37

  8. Model: Messages Messages In the computational model, a message is a distribution over bitstrings . We only consider distribution built using: Random uniform sampling n A , n B . . . over { 0 , 1 } η . Function applications: A , B , � _ , _ � , π i ( _ ) , { _ } _ , pk ( _ ) , sk ( _ ) , if _ then _ else _ . . . . Examples � n A , A � {� pk ( A’ ) , n A’ �} pk ( B ) π 1 ( n B ) Adrien Koutsos Deciding Indistinguishability March 13, 2018 7 / 37

  9. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise How do we represent the adversary’s inputs? Adrien Koutsos Deciding Indistinguishability March 13, 2018 8 / 37

  10. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise How do we represent the adversary’s inputs? We use special functions symbols g , g 0 , g 1 . . . . Adrien Koutsos Deciding Indistinguishability March 13, 2018 8 / 37

  11. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise How do we represent the adversary’s inputs? We use special functions symbols g , g 0 , g 1 . . . . Intuitively, they can be any probabilistic polynomial time algorithm . Moreover, branching of the protocol is done using if _ then _ else _. Adrien Koutsos Deciding Indistinguishability March 13, 2018 8 / 37

  12. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise Adrien Koutsos Deciding Indistinguishability March 13, 2018 9 / 37

  13. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise Term Representing the Messages in PA t 1 = {� pk ( A’ ) , n A’ �} pk ( B ) t 2 = if EQ ( π 1 ( dec ( g ( t 1 ) , sk ( B ))); pk ( A )) then {� π 2 ( dec ( g ( t 1 ) , sk ( B ))) , n B �} pk ( A ) else {� n B , n B �} pk ( A ) Adrien Koutsos Deciding Indistinguishability March 13, 2018 9 / 37

  14. Model: Protocol Execution Protocol Execution The execution of a protocol P is a sequence of terms using adversarial function symbols: u P 0 , . . . , u P n where u P i is the i -th message sent on the network by P . Adrien Koutsos Deciding Indistinguishability March 13, 2018 10 / 37

  15. Model: Protocol Execution Protocol Execution The execution of a protocol P is a sequence of terms using adversarial function symbols: u P 0 , . . . , u P n where u P i is the i -th message sent on the network by P . Remark Only possible for a bounded number of sessions. The sequence of terms can be automatically computed ( folding ). Adrien Koutsos Deciding Indistinguishability March 13, 2018 10 / 37

  16. Model: Security Property Indistinguishability Properties Two protocols P and Q are indistinguishable if every adversary A loses the following game: We toss a coin b . If b = 0, then A interacts with P . Otherwise A interacts with Q . Remark: A is an active adversary (it is the network). After the protocol execution, A outputs a guess b ′ for b . A wins if it guesses correctly with probability better than ≈ 1/2 . Adrien Koutsos Deciding Indistinguishability March 13, 2018 11 / 37

  17. Model: Security Properties Proposition P and Q are indistinguishable ⇔ u P 0 , . . . , u P n and u Q 0 , . . . , u Q n are indistinguishable ⇔ u P 0 , . . . , u P u Q 0 , . . . , u Q ∼ n n Adrien Koutsos Deciding Indistinguishability March 13, 2018 12 / 37

  18. Model: Security Properties Proposition P and Q are indistinguishable ⇔ u P 0 , . . . , u P n and u Q 0 , . . . , u Q n are indistinguishable ⇔ u P 0 , . . . , u P u Q 0 , . . . , u Q ∼ n n Example: Privacy for PA t A 1 , t A t A’ 1 , t A’ ∼ 2 2 Adrien Koutsos Deciding Indistinguishability March 13, 2018 12 / 37

  19. Model: Summary Summary Messages are represented by terms , which are built using names N and function symbols F . A protocol execution is represented by a sequence of terms. Indistinguishability properties are expressed through games: u P 0 , . . . , u P u Q 0 , . . . , u Q ∼ n n Adrien Koutsos Deciding Indistinguishability March 13, 2018 13 / 37

  20. Introduction 1 The Model 2 Game Transformations 3 Basic Games Game Transformations Decision Result 4 Conclusion 5 Adrien Koutsos Deciding Indistinguishability March 13, 2018 14 / 37

  21. Basic Games Basic Games We know that some indistinguishability games are secure: Using α -renaming of random samplings: n A , n B ∼ n C , n D Adrien Koutsos Deciding Indistinguishability March 13, 2018 15 / 37

  22. Basic Games Basic Games We know that some indistinguishability games are secure: Using α -renaming of random samplings: n A , n B ∼ n C , n D Using probabilistic arguments: � t ⊕ n A ∼ n B when n A �∈ st ( t ) , EQ ( t ; n A ) ∼ false Adrien Koutsos Deciding Indistinguishability March 13, 2018 15 / 37

  23. Basic Games Basic Games We know that some indistinguishability games are secure: Using α -renaming of random samplings: n A , n B ∼ n C , n D Using probabilistic arguments: � t ⊕ n A ∼ n B when n A �∈ st ( t ) , EQ ( t ; n A ) ∼ false Using cryptographic assumptions on the security primitives, e.g. if { _ } _ , dec ( _ , _ ) , pk ( _ ) , sk ( _ ) is ind-cca1 . Adrien Koutsos Deciding Indistinguishability March 13, 2018 15 / 37

  24. Cryptographic assumptions: ind-cca1 Challenger A $ ← { 0 , 1 } ; b pk ( pk , sk ) ← KG ( 1 η ); c 1 x 1 := dec ( c 1 , sk ); x 1 · · · c n x n := dec ( c n , sk ); x n ( m 0 , m 1 ) y := { m b } pk ; y b ′ b = b ′ ? Adrien Koutsos Deciding Indistinguishability March 13, 2018 16 / 37

  25. Basic Game: Cryptographic Assumptions Enc CCA1 Games: � v , { m 0 } pk ∼ � v , { m 1 } pk Adrien Koutsos Deciding Indistinguishability March 13, 2018 17 / 37

  26. Basic Game: Cryptographic Assumptions Enc CCA1 Games: � v , { m 0 } pk ∼ � v , { m 1 } pk Assuming: sk occurs only in decryption position in � v , m 0 , m 1 . Theorem The Enc CCA1 games are secure when the encryption and decryption function are an ind-cca1 encryption scheme. Adrien Koutsos Deciding Indistinguishability March 13, 2018 17 / 37

  27. Basic Game: Cryptographic Assumptions Enc CCA1 Games: � v , { m 0 } pk ∼ � v , { m 1 } pk Assuming: sk occurs only in decryption position in � v , m 0 , m 1 . Theorem The Enc CCA1 games are secure when the encryption and decryption function are an ind-cca1 encryption scheme. Other cryptographic assumptions ind-cpa , ind-cca2 , cr , prf , euf-cma . . . Adrien Koutsos Deciding Indistinguishability March 13, 2018 17 / 37

Recommend


More recommend