Soundness of Formal Encryption in the Presence of Key Cycles
Gergei Bana, University of Pennsylvania
with P. Adão, J. Herzog, A. Scedrov
Structure of the Talk
• The Abadi-Rogaway logic and its computational interpretations
• The problem of key cycles
• Standard notions of security and KDM security
• KDM security as a solution to key cycles
Introduction
• Cryptographic protocols: two models
  • Formal or Dolev-Yao model
  • Computational model from complexity theory
• Much recent work relates the two
  • Build a formal-to-computational protocol interpretation
  • Map formal security goals to computational goals
  • Prove soundness or completeness
Logic of Formal Encryption
• We define a very simple algebra of terms that is a modified version of [AbadiRogaway00].
• Expressions represent the messages exchanged during the protocol.
  • They might also include some prior knowledge available to the adversary, e.g., public keys.
• Patterns represent how an adversary can look at an expression:
  • An adversary who does not know a certain private key does not see a message in the same way as an adversary who possesses that key.
Logic of Formal Encryption
• Expressions are built from the simple sets
  Keys = {K1, K2, K3, ...}, Keys^-1 = {K1^-1, K2^-1, K3^-1, ...} and Blocks = {0,1}*
  via pairing and encryption:
  Exp ::= Keys | Keys^-1 | Blocks | (Exp, Exp) | {Exp}_Keys
  Example: ((K2^-1, {01}_K3), ({({101}_K2, K5^-1)}_K2, {{K6}_K4}_K5))
• Formal length. Let λ be a function symbol such that:
  • For all blocks B1 and B2, λ(B1) = λ(B2) iff |B1| = |B2|;
  • For all i and j, λ(Ki) = λ(Kj) and λ(Ki^-1) = λ(Kj^-1);
  • If λ(M1) = λ(N1) and λ(M2) = λ(N2), then λ((M1, M2)) = λ((N1, N2));
  • If λ(M) = λ(N), then for all Ki, λ({M}_Ki) = λ({N}_Ki).
Logic of Formal Encryption
• Patterns are built from expressions by replacing each undecryptable term {M}_K by K, λ(M):
  Pat ::= Keys | Keys^-1 | Blocks | (Pat, Pat) | {Pat}_Keys | Keys, λ(Keys)
  Example: the expression ((K2^-1, {01}_K3), ({({101}_K2, K5^-1)}_K2, {{K6}_K4}_K5))
  has the pattern ((K2^-1, (K3, λ(01))), ({({101}_K2, K5^-1)}_K2, {(K4, λ(K6))}_K5))
• Two expressions M and N are defined to be formally equivalent if pattern(M) = pattern(N)σ for some key-renaming function σ.
• We denote this by M ≅ N.
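As an added example (my own code, not from the paper or the talk), the following Python computes Abadi-Rogaway patterns and the formal equivalence M ≅ N for the term language above, using a tuple encoding of terms that is my own choice. The private keys the adversary can recover are found by iterating to a fixpoint, and the key renaming σ is built as a bijection on key indices while the two patterns are matched.

```python
# Added example (my own code, not the paper's): Abadi-Rogaway patterns and formal
# equivalence.  Terms: ('key', i) = Ki, ('inv', i) = Ki^-1, ('block', s), ('pair', M, N),
# ('enc', i, M) = {M}_Ki; pattern ('undec', i, L) stands for "Ki, lambda(M)".

def length(t):                       # formal length lambda(t)
    if t[0] == 'block':
        return ('block', len(t[1]))  # blocks compare by |B|
    if t[0] == 'pair':
        return ('pair', length(t[1]), length(t[2]))
    if t[0] == 'enc':
        return ('enc', length(t[2])) # lambda({M}_K) depends only on lambda(M)
    return ('len', t[0])             # all Ki have one length, likewise all Ki^-1

def recoverable(t, known):           # private keys visible when holding `known`
    if t[0] == 'inv':
        return {t[1]}
    if t[0] == 'pair':
        return recoverable(t[1], known) | recoverable(t[2], known)
    if t[0] == 'enc' and t[1] in known:  # {M}_Ki opens only with Ki^-1 in hand
        return recoverable(t[2], known)
    return set()

def known_keys(t):                   # fixpoint: new keys may open further ciphertexts
    known = set()
    while not recoverable(t, known) <= known:
        known |= recoverable(t, known)
    return known

def pattern(t, known=None):          # undecryptable {M}_Ki becomes (Ki, lambda(M))
    known = known_keys(t) if known is None else known
    if t[0] == 'pair':
        return ('pair', pattern(t[1], known), pattern(t[2], known))
    if t[0] == 'enc' and t[1] in known:
        return ('enc', t[1], pattern(t[2], known))
    return ('undec', t[1], length(t[2])) if t[0] == 'enc' else t

def equivalent(m, n):                # M ~ N: pattern(M) = pattern(N) sigma, sigma bijective
    fwd, inv = {}, {}                # sigma and its inverse, extended while matching
    def match(p, q):
        if p[0] != q[0] or len(p) != len(q):
            return False
        rest = 1
        if p[0] in ('key', 'inv', 'enc', 'undec'):  # slot 1 carries a key index
            if fwd.setdefault(p[1], q[1]) != q[1] or inv.setdefault(q[1], p[1]) != p[1]:
                return False
            rest = 2
        return all(match(a, b) if isinstance(a, tuple) else a == b
                   for a, b in zip(p[rest:], q[rest:]))
    return match(pattern(m), pattern(n))
```

Running `pattern` on the slide's expression reproduces the pattern shown above; note that `equivalent` also reports {K1^-1}_K1 ≅ {K2^-1}_K3, which is exactly the formal equivalence that the key-cycle discussion later shows need not carry over to the computational side.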
Computational Model
• In the computational world messages are represented by bit-strings, strings = {0,1}*, and by families of probability distributions over strings;
• Fix an injective pairing function (the length of the output depends only on the lengths of the inputs);
• Encryption schemes are probabilistic (polynomial-time) algorithms, and encryptions are obtained by running the encryption algorithm.
Computational View
• Basic components of symmetric encryption:
  • Key generation algorithm K(1^η): randomly generates a pair of strings (e, d) (η is the security parameter);
  • Encryption algorithm E(e, x): encrypts the plaintext x with the key e; coin tossing is allowed (the length of the output depends only on the lengths of the inputs);
  • Decryption algorithm D: D(d, E(e, x)) = x.
Relating the Two Models
• Formal expressions are mapped to (interpreted in) the computational model as follows:
  • For each (K, K^-1) generate a pair of keys using the key generation algorithm;
  • Each block B is mapped to B;
  • Each pair (M, N) is interpreted as the pair of the interpretations;
  • Each encryption is interpreted by running the encryption algorithm.
• Example: {({101}_K2, K5^-1)}_K2 translates to the random variable
  E(e2, (E(e2, 101), d5))
• The keys k2, k5 are randomly generated, and the two encrypting functions have independent randomness as well.
Interpretation and Soundness Property
• To each expression M we have assigned an array of probability distributions, denoted by [[M]].
• Definition (Soundness). We say that the interpretation is sound if, for any two expressions M and N, M ≅ N implies that the interpretations [[M]] and [[N]] are computationally indistinguishable.
Known Results
• Theorem: If the expressions are interpreted in a CPA-secure encryption scheme, then for acyclic expressions M and N, M ≅ N implies that [[M]] and [[N]] are indistinguishable.
• Problem: This result does not apply to self-encrypting keys, or to key cycles more generally;
• What we propose: the problem can be solved via a strong enough notion of security that has been around (KDM security);
• [Laud02] proposed a solution to the problem of key cycles by strengthening the formal adversary.
Known Results
• AbadiRogaway00, AbadiJurgens01: soundness for indistinguishability properties
• MicciancioWarinschi02, HorvitzGligor03: completeness for indistinguishability properties
• Bana04, AdãoBanaScedrov05: more general soundness and completeness properties
• Herzog04: soundness for non-malleability properties
• BackesPfitzmannWaidner03: soundness for general trace-based properties
• HerzogCanetti04, MicciancioWarinschi04: soundness and completeness for message authentication and key exchange
• Laud02: soundness via strengthening the "formal adversary"
Proof Method 1
• Semantic Security (IND-CPA) [GoldwasserMicali84]
  • An adversary A is given a public key e;
  • A sends to an oracle two messages m1 and m2;
  • The oracle chooses b ∈ {0,1} at random and sends to A the value E(e, m_b);
  • A has to guess which of the plaintexts was encrypted.
Proof Method 2
[[ ((K2^-1, {01}_K3), ({({101}_K2, K5^-1)}_K2, {{K6}_K4}_K5)) ]]
  ≈  ⇓ K3, λ(01)
[[ ((K2^-1, (K3, λ(01))), ({({101}_K2, K5^-1)}_K2, {{K6}_K4}_K5)) ]]
  ≈  ⇓ K4, λ(K6)
[[ ((K2^-1, (K3, λ(01))), ({({101}_K2, K5^-1)}_K2, {(K4, λ(K6))}_K5)) ]]
  ≈
[[ ((K1^-1, (K6, λ(K7^-1))), ({({101}_K2, K5^-1)}_K2, {(K7, λ(1))}_K5)) ]]
  ≈  ⇑ K7, λ(1)
[[ ((K1^-1, (K6, λ(K7^-1))), ({({101}_K1, K5^-1)}_K1, {{1}_K7}_K5)) ]]
  ≈  ⇑ K6, λ(K7^-1)
[[ ((K1^-1, {K7^-1}_K6), ({({101}_K1, K5^-1)}_K1, {{1}_K7}_K5)) ]]
The problem of key cycles
• Key cycles:
  • K1 encrypts K2^-1
  • K2 encrypts K3^-1
  • ...
  • Kn encrypts K1^-1
• Key cycles can actually occur in the Dolev-Yao model
• It is possible to interpret formal messages with key cycles
• But the soundness results do not hold:
  • [[{K1^-1}_K1]] does not have to be equivalent to [[{K2^-1}_K3]]
  • [[({K1^-1}_K2, {K2^-1}_K1)]] does not have to be equivalent to [[({K1^-1}_K2, {K3^-1}_K1)]]
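An added example (my own code, not from the talk) that checks the acyclicity condition the earlier soundness theorem relies on: it records an edge Ki → Kj whenever Kj^-1 occurs inside a term encrypted under Ki, at any nesting depth, and searches that "encrypts" graph for a cycle. The tuple encoding of terms is an assumption of mine.

```python
# Added example (my own code, not the paper's): find key cycles in a formal expression.
# Terms: ('key', i) = Ki, ('inv', i) = Ki^-1, ('block', s), ('pair', M, N),
# ('enc', i, M) = {M}_Ki.  An edge i -> j means "Ki encrypts Kj^-1".

def encrypts(t, edges=None, under=()):
    """Collect i -> j edges; `under` lists every key wrapping the current subterm."""
    edges = {} if edges is None else edges
    if t[0] == 'inv':
        for i in under:                  # each enclosing Ki encrypts this Kj^-1
            edges.setdefault(i, set()).add(t[1])
    elif t[0] == 'pair':
        encrypts(t[1], edges, under)
        encrypts(t[2], edges, under)
    elif t[0] == 'enc':
        encrypts(t[2], edges, under + (t[1],))
    return edges

def key_cycle(t):
    """Return one key cycle as a list of key indices, or None if t is acyclic."""
    edges = encrypts(t)
    state = {}                           # 0 = on the current DFS path, 1 = finished

    def dfs(i, path):
        state[i] = 0
        path.append(i)
        for j in edges.get(i, ()):
            if state.get(j) == 0:        # back edge: the cycle runs from j around to i
                return path[path.index(j):]
            if j not in state:
                found = dfs(j, path)
                if found:
                    return found
        path.pop()
        state[i] = 1
        return None

    for i in list(edges):
        if i not in state:
            found = dfs(i, [])
            if found:
                return found
    return None
```

The self-encrypting key {K1^-1}_K1 yields the one-element cycle [1]; the slide's running example from the pattern discussion is acyclic.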
Traditional Notions of Security
• Semantic Security (IND-CPA)
• Chosen Ciphertext Security, "Lunchtime Security" (IND-CCA1) [NaorYung90]
  • An adversary A is given a public key e;
  • A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts;
  • A sends to the oracle two messages m1 and m2 of the same length;
  • The oracle chooses b ∈ {0,1} at random and sends to A the value E(e, m_b);
  • A has to guess which of the plaintexts was encrypted.
Traditional Notions of Security
• Adaptive Chosen Ciphertext Security (IND-CCA2) [RackoffSimon91]
  • An adversary A is given a public key e;
  • The oracle chooses b ∈ {0,1} at random;
  • A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts;
  • A can send to the oracle any pair of messages m1 and m2 of the same length and receive the value E(e, m_b);
  • A can send to the oracle polynomially many further ciphertexts (different from E(e, m_b)) and obtain the associated plaintexts;
  • A has to guess which of the plaintexts was encrypted.
CCA-2 is not Enough
• We show that the traditional security definitions are not enough. Take adaptive chosen-ciphertext security as an example.
• Theorem: CCA-2 security does not enforce soundness.
• Corollary: Soundness is not implied by any of the following: NM-CCA-1, IND-CCA-1, NM-CPA, or IND-CPA.
• Theorem: Soundness does not enforce IND-CPA.
KDM Security
• The notion of key-dependent message security was introduced by Black et al. [BlackRogawayShrimpton02] and, in a different form, by [CamenischLysyanskaya01].
• In [CL01] the authors developed the notion of a key-dependent encryption scheme and use it in a credential revocation scheme. This scheme is realised in the random oracle (RO) model.
• KDM security is defined through the following game:
KDM Security
• Key Dependent Message Security [BRS02]
  • An adversary A is given a vector of public keys e. The corresponding vector of private keys d is kept private;
  • A creates a (plaintext construction) function f (that might depend on e) and asks the oracle to encrypt f(d) with e_i;
  • The oracle encrypts either
    – f(d) with e_i (oracle Real_d), or
    – 0^|f(d)| with e_i (oracle Fake_d);
  • A has to guess which happened.
KDM Security
• An encryption scheme is KDM-secure if:
• Theorem: KDM security does not imply NM-CPA security, nor IND-CCA-1 or IND-CCA-2 security. It does imply IND-CPA.
Soundness for Key Cycles
• Theorem: If the expressions are interpreted in a KDM-secure system, then for any expressions M and N, M ≅ N implies that [[M]] and [[N]] are indistinguishable.
• Corollary: CCA-2 security does not imply KDM security.