Distributive encryption
A Baskar (CMI), R Ramanujam (IMSc), S P Suresh (CMI)
Automata, Concurrency, and Timed Systems, CMI, January
Outline
1. Introduction
2. The Dolev-Yao model
3. Proof normalization
4. Upper bound proofs
5. Size lower bounds
6. Complexity lower bound
Cryptographic operations – viewed logically
Encryption is used to hide information: $\mathsf{encrypt}$: $\dfrac{t \quad k}{\{t\}_k}$
Decryption requires the corresponding inverse key: $\mathsf{decrypt}$: $\dfrac{\{t\}_k \quad \mathsf{inv}(k)}{t}$
Want to bundle some data together? Concatenate them! $\mathsf{pair}$: $\dfrac{t_1 \quad t_2}{(t_1, t_2)}$
You can split a bundle anytime you want to: $\mathsf{split}_i$ ($i = 1, 2$): $\dfrac{(t_1, t_2)}{t_i}$
Cryptographic operations …
Useful protocols can be built by composing these operations:
$A \to B : \{(id_A, n)\}_{pubk_B}$
$B \to A : \{n\}_{pubk_A}$
But we want more – for some applications like electronic voting. Can $A$ get $B$'s signature on a note $n$, without revealing the contents to $B$?
Blind signatures
$A$ picks a random number $r$, and sends $[\{r\}_{pubk_B}, n]$ to $B$.
$[a, b]$ is a different kind of bundle – it can be unbundled only by someone who has at least one of the components.
$B$ signs the bundle – $\{[\{r\}_{pubk_B}, n]\}_{privk_B}$.
But magically the signature seeps through – $[r, \{n\}_{privk_B}]$.
$A$ receives the signed term and can retrieve $\{n\}_{privk_B}$ from it, since she has $r$.
There are implementations with all these properties – standard RSA encryption along with multiplication serving as the special bundling.
Blind pairs
One can form blind pairs: $\mathsf{blindpair}$: $\dfrac{t_1 \quad t_2}{[t_1, t_2]}$
One can unpack blind pairs, provided one of the components is already in one's possession: $\mathsf{blindsplit}_i$: $\dfrac{[t_1, t_2] \quad t_{3-i}}{t_i}$
All encryptions seep into blind pairs: $\{[t, t']\}_k = [\{t\}_k, \{t'\}_k]$
The basic model
Figure: Derivation rules
$\mathsf{Ax}$ ($t \in X$): $\dfrac{}{X \vdash t}$
Construction rules:
$\mathsf{pair}$: $\dfrac{X \vdash t_1 \quad X \vdash t_2}{X \vdash (t_1, t_2)}$
$\mathsf{encrypt}$: $\dfrac{X \vdash t \quad X \vdash k}{X \vdash \{t\}_k}$
Destruction rules:
$\mathsf{split}_i$ ($i = 1, 2$): $\dfrac{X \vdash (t_1, t_2)}{X \vdash t_i}$
$\mathsf{decrypt}$: $\dfrac{X \vdash \{t\}_k \quad X \vdash \mathsf{inv}(k)}{X \vdash t}$
Decidability
The passive intruder deduction problem: given $X$ and $t$, check if there is a proof of $X \vdash t$.
This problem is decidable. The method:
A notion of normal proofs. If $X \vdash t$ is provable, there is a normal proof of $X \vdash t$.
Every term $r$ occurring in a normal proof of $X \vdash t$ is a subterm of $X \cup \{t\}$.
Derive bounds on the size of normal proofs from this.
Non-normal proofs
An example: derive $t_1$ and $t_2$ by $\mathsf{Ax}$, form $(t_1, t_2)$ by $\mathsf{pair}$, then recover $t_1$ by $\mathsf{split}_1$.
Another one: derive $t$ and $k$ by $\mathsf{Ax}$, form $\{t\}_k$ by $\mathsf{encrypt}$, then, with $k$ (again by $\mathsf{Ax}$) as the decryption key, recover $t$ by $\mathsf{decrypt}$.
Normalization rules
$\mathsf{pair}$ followed by $\mathsf{split}$: if $\pi_1$ proves $t$ and $\pi_2$ proves $t'$, the proof that forms $(t, t')$ by $\mathsf{pair}$ and then recovers $t$ by $\mathsf{split}_1$ rewrites ($\rightsquigarrow$) to $\pi_1$ alone.
$\mathsf{encrypt}$ followed by $\mathsf{decrypt}$: if $\pi_1$ proves $t$, $\pi_2$ proves $k$ and $\pi_3$ proves $\mathsf{inv}(k)$, the proof that forms $\{t\}_k$ by $\mathsf{encrypt}$ and then recovers $t$ by $\mathsf{decrypt}$ rewrites ($\rightsquigarrow$) to $\pi_1$ alone.
Subterm property
Lemma. If $\pi$ is a normal proof of $X \vdash t$ and $r$ occurs in $\pi$:
1. $r \in st(X \cup \{t\})$;
2. if $\pi$ ends in a destruction rule, then $r \in st(X)$.
Case $\mathsf{encrypt}$: $\pi$ ends in $\mathsf{encrypt}$, with subproofs $\pi_1$ of $t$ and $\pi_2$ of $k$ and conclusion $\{t\}_k$. If $r$ occurs in $\pi_1$, $r \in st(X \cup \{t\})$; if $r$ occurs in $\pi_2$, $r \in st(X \cup \{k\})$; therefore, if $r$ occurs in $\pi$, $r \in st(X \cup \{\{t\}_k\})$.
Case $\mathsf{decrypt}$: $\pi$ ends in $\mathsf{decrypt}$, with subproofs $\pi_1$ of $\{t\}_k$ and $\pi_2$ of $\mathsf{inv}(k)$ and conclusion $t$. Since $\pi$ is normal, $\pi_1$ does not end with the $\mathsf{encrypt}$ rule, so it ends with a destruction rule, and $\{t\}_k \in st(X)$; so any $r$ occurring in $\pi_1$ is in $st(X)$. If $r$ occurs in $\pi_1$ or $\pi_2$, $r \in st(X \cup \{\{t\}_k\})$.
A polynomial-time algorithm
The height of a normal proof of $X \vdash t$ is bounded by $n = |st(X \cup \{t\})|$.
Let $X_0 = X$.
Compute $X_i = \mathsf{one\text{-}step\text{-}derivable}(X_{i-1}) \cap st(X \cup \{t\})$, for $i \le n$.
Check if $t \in X_n$!
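The saturation procedure above, written out as an added example (this is not code from the talk). The tuple encoding of terms, the `inv()` convention for `pubk_`/`privk_` key names and the sample protocol terms are assumptions of this example; the loop itself is the slide's $X_i = \mathsf{one\text{-}step\text{-}derivable}(X_{i-1}) \cap st(X \cup \{t\})$, iterated at most $|st(X \cup \{t\})|$ times. The sample input replays the two-message protocol from the earlier slide, once from $B$'s point of view and once from a passive observer's.

```python
"""Subterm-bounded saturation for passive intruder deduction in the basic
Dolev-Yao model (pair/split, encrypt/decrypt).

Added example, not code from the talk.  The term encoding (nested tuples),
the inv() convention and the sample protocol terms are assumptions of this
example; the algorithm follows the slide: X_0 = X, then
X_i = one-step-derivable(X_{i-1}) ∩ st(X ∪ {t}) for i ≤ n = |st(X ∪ {t})|.
"""


def name(a):
    """Atomic term (a nonce, an identity, or a key)."""
    return ('name', a)


def pair(t1, t2):
    """(t1, t2)"""
    return ('pair', t1, t2)


def enc(t, k):
    """{t}_k ; keys are atomic names in this example."""
    return ('enc', t, k)


def inv(k):
    """Inverse key.  Convention assumed here: 'pubk_A' <-> 'privk_A';
    any other key name is symmetric (its own inverse)."""
    s = k[1]
    if s.startswith('pubk_'):
        return name('privk_' + s[len('pubk_'):])
    if s.startswith('privk_'):
        return name('pubk_' + s[len('privk_'):])
    return k


def subterms(t):
    """st(t): the term itself and everything below it (keys included)."""
    yield t
    for sub in t[1:]:
        if isinstance(sub, tuple):
            yield from subterms(sub)


def st(terms):
    out = set()
    for t in terms:
        out.update(subterms(t))
    return out


def one_step_derivable(known, bound):
    """Everything derivable from `known` by one rule application, kept
    within `bound` (the subterm set) so the search stays polynomial."""
    new = set(known)
    for t in known:
        if t[0] == 'pair':                           # split_1, split_2
            new.add(t[1])
            new.add(t[2])
        elif t[0] == 'enc' and inv(t[2]) in known:   # decrypt
            new.add(t[1])
    for t1 in known:                                 # construction rules
        for t2 in known:
            p = pair(t1, t2)                         # pair
            if p in bound:
                new.add(p)
            if t2[0] == 'name':                      # encrypt with a held key
                e = enc(t1, t2)
                if e in bound:
                    new.add(e)
    return new & bound


def derivable(X, t):
    """Decide X ⊢ t for the basic Dolev-Yao rules."""
    bound = st(set(X) | {t})
    n = len(bound)                 # height bound on normal proofs
    Xi = set(X)                    # X_0 = X (X ⊆ st(X) already)
    for _ in range(n):
        nxt = one_step_derivable(Xi, bound)
        if nxt == Xi:              # fixpoint reached early
            break
        Xi = nxt
    return t in Xi


# Constructed sample: the two-message protocol from the slides.
ID_A, N = name('id_A'), name('n')
PUBK_A, PUBK_B, PRIVK_B = name('pubk_A'), name('pubk_B'), name('privk_B')
MSG1 = enc(pair(ID_A, N), PUBK_B)    # A -> B : {(id_A, n)}_pubk_B
MSG2 = enc(N, PUBK_A)                # B -> A : {n}_pubk_A


def b_can_reply():
    """B holds privk_B and pubk_A: decrypt, split_2, encrypt."""
    return derivable({MSG1, PRIVK_B, PUBK_A}, MSG2)


def eavesdropper_learns_n():
    """A passive observer sees both messages and the public keys only."""
    return derivable({MSG1, MSG2, PUBK_A, PUBK_B}, N)


if __name__ == '__main__':
    print(b_can_reply(), eavesdropper_learns_n())   # True False
```

Because every intermediate term is intersected with $st(X \cup \{t\})$, the candidate set never grows beyond the subterms of the input, which is what makes the run polynomial; the next slides show why the same trick fails once blind pairs are added.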
Distributive encryption in Dolev-Yao
$T ::= m \mid (t, t) \mid [t, t] \mid \{t\}_k$
Normal terms: terms that do not contain a subterm of the form $\{[t, t]\}_k$.
For a term $t$, get its normal form $t{\downarrow}$ by pushing encryptions over blind pairs, all the way inside: $\{[t, t']\}_k{\downarrow} = [\{t\}_k{\downarrow}, \{t'\}_k{\downarrow}]$.
Figure: analz and synth rules for normal terms (with assumptions from $X \subseteq T$)
$\mathsf{Ax}$ ($t \in X$): $\dfrac{}{t}$
analz rules: $\mathsf{split}_i$: $\dfrac{(t_1, t_2)}{t_i}$; $\mathsf{decrypt}$: $\dfrac{\{t\}_k{\downarrow} \quad \mathsf{inv}(k)}{t}$; $\mathsf{blindsplit}_i$: $\dfrac{[t_1, t_2] \quad t_{3-i}}{t_i}$
synth rules: $\mathsf{pair}$: $\dfrac{t_1 \quad t_2}{(t_1, t_2)}$; $\mathsf{blindpair}$: $\dfrac{t_1 \quad t_2}{[t_1, t_2]}$; $\mathsf{encrypt}$: $\dfrac{t \quad k}{\{t\}_k{\downarrow}}$
Alternative theories
Delaune, Kremer, Ryan: a simpler system. Passive intruder deduction is ptime decidable. Rule: $\dfrac{[t, \{m\}_k] \quad \mathsf{inv}(k)}{[\{t\}_{\mathsf{inv}(k)}, m]}$
Lafourcade, Lugiez, Treinen: a much harder system. Decidable but non-elementary upper bound. Rules: $\dfrac{t_1 + \cdots + t_\ell \quad k}{\{t_1\}_k + \cdots + \{t_\ell\}_k}$ and $\dfrac{t_1 + \cdots + t_\ell + \cdots + t_m \quad t_\ell + \cdots + t_m + \cdots + t_n}{t_1 + \cdots + t_{\ell-1} - t_{m+1} - \cdots - t_n}$
Our system (Baskar, Ramanujam, Suresh): decidable with a dexptime upper bound and a dexptime lower bound.
Related work
What about other cryptographic primitives? Diffie-Hellman encryption, exclusive or, homomorphic encryption, blind signatures, …
A large body of results: Rusinowitch & Turuani; Millen & Shmatikov; Comon & Shmatikov; Chevalier, Küsters, Rusinowitch & Turuani; Delaune & Jacquemard; Bursuc, Comon & Delaune.
But distributive encryption is an especially hard case that is not subsumed by these theories.
No subterm property!
From $[a, b]$ ($\mathsf{Ax}$) and $k$ ($\mathsf{Ax}$), $\mathsf{encrypt}$ gives $[\{a\}_k, \{b\}_k]$; with $\{b\}_k$ ($\mathsf{Ax}$), $\mathsf{blindsplit}_1$ then gives $\{a\}_k$. The intermediate term $[\{a\}_k, \{b\}_k]$ is not a subterm of the assumptions $\{[a, b], k, \{b\}_k\}$ or of the conclusion $\{a\}_k$.
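The normal-form operation $t{\downarrow}$ from the distributive-encryption slide, together with the derivation just shown, as an added example that is not part of the talk. The tuple encoding of terms and the helper names `norm`, `blindsplit` and `no_subterm_property_witness` are assumptions of this example. Applying $\mathsf{encrypt}$ to $[a, b]$ and $k$ and then $\mathsf{blindsplit}_1$ with $\{b\}_k$ reaches $\{a\}_k$, while the intermediate $[\{a\}_k, \{b\}_k]$ is checked against $st(X \cup \{\{a\}_k\})$ and found outside it, which is exactly why the subterm-bounded saturation of the basic model no longer suffices.

```python
"""Normal forms under distributive encryption, and the derivation from the
"No subterm property!" slide.

Added example, not code from the talk.  The tuple encoding of terms is an
assumption of this example; norm() implements the slide's t↓, pushing an
encryption over a blind pair all the way inside:
    {[t, t']}_k ↓ = [{t}_k ↓, {t'}_k ↓].
Ordinary pairs are not affected: encryption only seeps into blind pairs.
"""


def name(a):
    return ('name', a)


def pair(t1, t2):
    return ('pair', t1, t2)


def bpair(t1, t2):
    """Blind pair [t1, t2]."""
    return ('bpair', t1, t2)


def enc(t, k):
    """{t}_k ; keys are atomic names here."""
    return ('enc', t, k)


def norm(t):
    """t↓: normalize so that no subterm has the shape {[t1, t2]}_k."""
    kind = t[0]
    if kind == 'name':
        return t
    if kind in ('pair', 'bpair'):
        return (kind, norm(t[1]), norm(t[2]))
    inner, k = norm(t[1]), t[2]          # kind == 'enc'
    if inner[0] == 'bpair':
        # the encryption seeps into both components, recursively
        return bpair(norm(enc(inner[1], k)), norm(enc(inner[2], k)))
    return enc(inner, k)


def is_normal(t):
    """Check the slide's definition directly: no subterm {[t1, t2]}_k."""
    if t[0] == 'name':
        return True
    if t[0] == 'enc' and t[1][0] == 'bpair':
        return False
    return all(is_normal(s) for s in t[1:] if isinstance(s, tuple))


def blindsplit(bp, have):
    """blindsplit_i: from [t1, t2] and t_{3-i}, derive t_i.
    Returns None when neither component is held."""
    _, t1, t2 = bp
    if have == t2:
        return t1
    if have == t1:
        return t2
    return None


def subterms(t):
    yield t
    for s in t[1:]:
        if isinstance(s, tuple):
            yield from subterms(s)


def no_subterm_property_witness():
    """Replay the slide: X = {[a, b], k, {b}_k}, goal {a}_k.
    Returns (goal reached?, intermediate term inside st(X ∪ {goal})?)."""
    a, b, k = name('a'), name('b'), name('k')
    X = {bpair(a, b), k, enc(b, k)}
    goal = enc(a, k)
    intermediate = norm(enc(bpair(a, b), k))      # encrypt: [a,b], k ⊢ {[a,b]}_k↓
    result = blindsplit(intermediate, enc(b, k))  # blindsplit_1 holding {b}_k
    bound = set()
    for t in X | {goal}:
        bound.update(subterms(t))
    return result == goal, intermediate in bound


if __name__ == '__main__':
    print(no_subterm_property_witness())   # (True, False)
```

The second component of the returned pair is the point of the slide: a proof search that only ever considers terms in $st(X \cup \{t\})$, as the polynomial algorithm for the basic model does, can never build $[\{a\}_k, \{b\}_k]$ and so misses this derivation.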
Proof size lower bounds
Theorem. For every $n$, there exist $X_n, t_n$ such that:
1. $size(X_n, t_n)$ is $O(n)$;
2. $X_n \vdash t_n$;
3. any proof of $X_n \vdash t_n$ has size exponential in $n$.
Exponential size proof
K = { k , k′ , k , k }.  will denote k ,  will denote k .
m is the reverse of the n -bit representation of m ∈ { , . . . , n − }.
X is the following set: { a } k k′ , [{ b } , a ] , [{ b } , b ] , . . . , [{ b n } , b n − ] , [{ b } , a ] , [{ b } , b ] , . . . , [{ b n } , b n − ] , [{ a } k , b n ] , [{ c } n − , a ]
The following sequent can be derived: X , K ⊢ { c } n − ki r k ⋯ ki k k′
Exponential size proof …
The following derivations are possible, where X is the following set (where ℓ ranges over { k , k , k }): { e } k′ , [{ e } ℓ , e ] , [{ g } , e ] , [{ g } ℓ , g ] , . . . , [{ g n + } ℓ , g n ] , [{ f } , e ] , [{ f } ℓ , f ] , . . . , [{ f n + } ℓ , f n ]
For x , y ∈ { k , k , k }∗ with ∣ y ∣ = n + :
X , K ⊢ { e } xk k′
X , K ⊢ { g n } y xk k′
X , K ⊢ { f n } y xk k′
Exponential size proof …
X is the following set: [[ c , { c } ] , f n ] , [[ d , { c } ] , g n ] , [[ d , { d } ] , g n ] , [[ d , { d } ] , f n ]
The following derivation is possible: X , X , K , { c } i + kixk′ ⊢ { c } ixk′
To prevent accidental decryptions, we actually take X to be: [[[[ c , { c } ] , f n ] , { c } ] , f n ] , [[ d , { c } ] , g n ] , { c } ] , g n ] , . . .