Symbolic Encryption with Pseudorandom Keys
Daniele Micciancio (UCSD)
Cryptographic Protocols
● Often make use of several basic crypto ops:
  – (Enc) Encryption: E(k,m)
  – (PRG) Pseudorandom generators: G(k)
● Protocol should be secure for any instantiation of Enc, PRG satisfying standard properties, e.g.
  – Enc: Indistinguishability under chosen message attack
  – PRG: Indistinguishability from uniform
Example: Secure key distribution
● Authenticated broadcast channel, dynamically changing group of users
[Figure: the Center and users u_1, …, u_6 arranged in a key hierarchy (legend: group member / non-member), with the key updates for rem(u_2) and add(u_4)]
Cryptographic Definitions: Example
● Security definitions are usually given by computational games
● Example: IND-CPA security of encryption
  – no adversary can guess b with prob. >> ½
  – requires |m_0| = |m_1|
[Figure: IND-CPA game. The adversary sends m_0, m_1; the challenger picks a bit b and returns Enc(m_b); the adversary outputs a guess b?]
Protocol Security
● Computational security games for protocols
  – Possible, offer strong security guarantees
  – Can be cumbersome and error prone
● Symbolic Security
  – Treat Enc, PRG, etc. as abstract operations
  – High level, easier to automate/verify
● Computational Soundness
  – Symbolic Security → Computational Security
Background
● Dolev-Yao (1983)
  – Symbolic model for the analysis of crypto protocols
  – Used to find many bugs, often automatically
  – Weak security guarantees
● Abadi-Rogaway (2002)
  – Simple symbolic model for passive attacks
  – Computational Soundness Theorem
● Much follow-up work ...
Symbolic Cryptography
● Model cryptographic messages syntactically
  – Data := 0 | 1 | ...
  – Key := k_0 | k_1 | …
  – Exp := Data | Key | (Exp, Exp) | Enc(Key, Exp)
● Complex cryptographic expressions
  – M = Enc(k_1, (Enc(k_2, 0), Enc(k_1, k_2)))
● Given crypto algorithms, expressions map to probability distributions over bitstrings
  – |[M]|: choose keys at random, and evaluate Enc
Symbolic Security Analysis
● Goal: analyze complex expressions/protocols independently of crypto algorithms
● Map expressions to symbolic patterns
  – P = (k_1, Enc(k_1, (Enc(k_2, [?]), Enc(k_1, 0))), Enc(k_2, [?]))
  – [?]: unknown message, may leak size/shape info
● Mapping function
  – Determine set K of recoverable keys
  – Replace Enc(k, Exp) with Enc(k, [?]) for all k ∈ Key \ K
Symbolic Security Analysis
● Patterns capture information available to adversary
  – Specification: what can adversary legitimately learn
  – Analysis: what adversary learns from protocol
● Expressions with same pattern are considered equivalent
● Protocol is (symbolically) secure if patterns of messages observed by adversary match specification
Symbolic vs Computational Security
● Computational Soundness:
  – If two expressions M1, M2 have the same pattern, pattern(M1) = pattern(M2), then |[M1]| ≈ |[M2]| are computationally indistinguishable (for any secure crypto primitive)
● Trivial Solution: pattern(M) = M, not interesting
● Completeness:
  – If |[M1]| ≈ |[M2]| (for any secure crypto primitive), then pattern(M1) = pattern(M2)
This work
● Symbolic Expressions with pseudorandom keys
● Length doubling PRG: G(k) = [G_0(k), G_1(k)]
  – Rand := r_0 | r_1 | r_2 …
  – Keys := Rand | G_0(Keys) | G_1(Keys)
● Notation: G_w[1..n](k) = G_w[1](G_w[2](...G_w[n](k)))
● Used in many protocols
  – Key distribution [Micciancio, Panjwani ‘05, ‘06, ’08]
  – XML security [Abadi, Warinschi ‘05]
  – Yao Garbled Circuits [Li, Micciancio ‘18]
Symbolic Pseudorandomness
● Warm up:
  – expressions using only PRG: G(k) = [G_0(k), G_1(k)]
  – no encryption, only keys
● Notation: G_w[1..n](k) = G_w[1](G_w[2](...G_w[n](k)))
● Definitions:
  – Two keys {k, k’} are symbolically dependent if k = G_w(k’) for some w
  – K ⊂ Keys is an independent set if no two keys k, k’ ∈ K are symbolically dependent
Computational Soundness
● Theorem: for any set K ⊂ Keys,
  – K = {k_1, …, k_n} is independent if and only if
  – |[{r_1, …, r_n}]| ≈ |[K]|
● Proof:
  – generalized hybrid argument
  – repeatedly replace [G_0(r), G_1(r)] with [r_0, r_1]
Symbolic evaluation for Enc + PRG
● Patterns are defined as usual
  – Determine set K of recoverable keys
  – Replace Enc(k, Exp) with Enc(k, [?]) for all k ∈ Key \ K
● Key recovery:
  – Given k and Enc(k, M) can recover M
  – Given k, can recover G_0(k) and G_1(k)
  – Given Enc(k, M) and G_w(k), can recover k
  – Given Enc(k, M) and Enc(k’, M’), if k and k’ are symbolically dependent then can recover k and k’
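The grammar from the Symbolic Cryptography slide, the key-dependence test from the Symbolic Pseudorandomness slide and the four key-recovery rules above, assembled into a pattern function. This is an added example, not code from the talk or the paper: the representation (a Key as a seed name plus the string of G-bits applied to it, Python tuples for pairs, the string "[?]" for the box) is this example's own choice, it leaves known keys as they are in the pattern, and it ignores the size/shape information that [?] may carry.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Key:
    """A pseudorandom key G_w(r): `root` names the random seed r, `w` the bits applied,
    with G_w[1..n](k) = G_w[1](G_w[2](... G_w[n](k))); Key('r1', '') is r1 itself."""
    root: str
    w: str = ""


@dataclass(frozen=True)
class Enc:
    key: Key
    msg: object   # Data (int), Key, Enc, a tuple of expressions, or UNKNOWN inside a pattern


UNKNOWN = "[?]"   # this example's spelling of the box [?]


def G(k: Key, b: int) -> Key:
    """G_b(k): the new bit becomes w[1], the outermost application."""
    return Key(k.root, str(b) + k.w)


def derives(k0: Key, k: Key) -> bool:
    """k = G_w(k0) for some w, w possibly empty: same seed and k0's bits are a suffix of k's."""
    return k.root == k0.root and k.w.endswith(k0.w)


def dependent(k: Key, k2: Key) -> bool:
    """Symbolically dependent: one of the two keys is G_w of the other."""
    return k != k2 and (derives(k, k2) or derives(k2, k))


def independent(keys) -> bool:
    """Independent set: no two keys in it are symbolically dependent."""
    ks = list(keys)
    return all(not dependent(a, b) for i, a in enumerate(ks) for b in ks[i + 1:])


def recoverable_keys(exp) -> FrozenSet[Key]:
    """Closure of the four key-recovery rules over everything the adversary can see."""
    known = set()      # keys held explicitly; rule 2 makes every G_w of them available too
    enc_keys = set()   # keys under which some visible ciphertext exists

    def knows(k: Key) -> bool:
        return any(derives(k0, k) for k0 in known)

    def scan(e) -> None:
        if isinstance(e, Key):
            known.add(e)
        elif isinstance(e, Enc):
            enc_keys.add(e.key)
            if knows(e.key):           # rule 1: k and Enc(k, M) give M
                scan(e.msg)
        elif isinstance(e, tuple):
            for x in e:
                scan(x)

    while True:
        size = (len(known), len(enc_keys))
        scan(exp)
        for k in list(enc_keys):
            if any(derives(k, k1) for k1 in known):   # rule 3: Enc(k, M) and G_w(k) give k
                known.add(k)
            for k2 in list(enc_keys):                 # rule 4: ciphertexts under dependent keys give both
                if dependent(k, k2):
                    known.update((k, k2))
        if (len(known), len(enc_keys)) == size:       # nothing new: fixpoint reached
            return frozenset(known)


def pattern(exp):
    """Replace Enc(k, M) by Enc(k, [?]) whenever k is not recoverable; keep everything else."""
    known = recoverable_keys(exp)

    def rec(e):
        if isinstance(e, Enc):
            if any(derives(k0, e.key) for k0 in known):
                return Enc(e.key, rec(e.msg))
            return Enc(e.key, UNKNOWN)
        if isinstance(e, tuple):
            return tuple(rec(x) for x in e)
        return e

    return rec(exp)


def equivalent(m1, m2) -> bool:
    """Symbolic equivalence: equal patterns (soundness then gives |[m1]| ≈ |[m2]|)."""
    return pattern(m1) == pattern(m2)
```

Run on the expression of the Symbolic Security Analysis slide, `pattern((k1, Enc(k1, (Enc(k2, m), Enc(k1, 0))), Enc(k2, m2)))` returns exactly the P shown there; adding `G(G(k1, 1), 0)` beside a ciphertext under k1 makes k1 recoverable through rule 3, and two ciphertexts under k1 and G_0(k1) make both recoverable through rule 4.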
Main Result
● Symbolic semantics for Enc+PRG expressions is both sound and complete
Rest of the talk:
● Soundness:
  – similar to previous work
  – not surprising, given strong key recovery adversary
● Completeness: If pattern(M0) ≠ pattern(M1) then |[M0]| and |[M1]| can be distinguished for some Enc, PRG
  – we show that this is the best possible
● Details about encryption cycles, etc.: see paper
Key Recovery Problem
● Given two ciphertexts E(k_0, m_0), E(k_1, m_1) under related keys k_0 →w k_1 for any known w ∈ {0,1}*
● Goal: Recover k_0 and k_1
● Remarks:
  – Attacks should work for some secure Enc and PRG
  – If keys are unrelated, then ciphertexts are secure
  – Enough to recover k_0, then k_1 = G_w(k_0)
Modified Enc and PRG: first attempt
● E’(k[0], k[1], m) = (k[0], E(k[1], m))
● G’(k[0], k[1]) = G(k[0]) + [0, k[1], 0, k[1]]
[Figure: block diagrams of E’ and G’ built from E and G on the two key blocks k[0], k[1]]
A simple attack
● Let k = k[0,1] and assume we are given
  – A ciphertext E(k, m) and a related key G’_b(k)
● Can recover k = k[0,1] !!!
[Figure: k[0] read off E’, then G(k[0]) XORed into G’_b(k) yields k[1]]
Arbitrary key relations
● Given E(k, m) and G_w(k) for any w
● Attack still works
[Figure: the same recovery carried through a chain of G’ applications]
But we are given only ciphertexts!
● Let k = k[0,1] and assume we are given
  – E(k, m) and a ciphertext E(G_b(k), m’) under a related key
● We cannot recover k[1]
[Figure: the second ciphertext exposes only the first block of G’_b(k), which depends on k[0] alone]
A simple fix
● This can be fixed by changing the PRG
● But this does not work when |w| > 1
[Figure: block diagram of the modified G’ and its iteration]
Key recovery with two ciphertexts
● E’(k[0,1,2], m) = (k[0], k[1], E(k[2], m))
● G’(k[0,1,2]) = G(k[0]) + [0, k[2], k[2], 0, k[2], k[2]]
[Figure: block diagrams of E’ and G’ on the three key blocks k[0], k[1], k[2]]
Key recovery with two ciphertexts
[Figure: the two-ciphertext recovery traced through a chain of G’ applications (G’_1, G’_1, G’_0)]
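The two-ciphertext key recovery of the last three slides, worked through in Python as an added example (not the talk's or the paper's code). It assumes that "+" in G’ is block-wise XOR, that the base G is a toy SHA-256 counter-mode PRG producing six blocks from k[0], and that the base E is a toy nonce-plus-HMAC-keystream scheme; both stand in for any secure PRG and CPA-secure encryption, since the point of the construction is that E’ and G’ inherit their security while still letting k be recovered from E’(k, m) and E’(G’_w(k), m’) for any known w, and the example generalizes the slides' three-step chain to arbitrary |w|.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per key block k[i]; size chosen for this example


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def G(seed: bytes, n_blocks: int) -> list:
    """Toy PRG standing in for the abstract G: SHA-256 in counter mode over the seed."""
    need = (n_blocks * BLOCK + 31) // 32
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(need))
    return [out[i * BLOCK:(i + 1) * BLOCK] for i in range(n_blocks)]


def keystream(k: bytes, nonce: bytes, n: int) -> bytes:
    blocks = b"".join(hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(n // 32 + 1))
    return blocks[:n]


def E(k: bytes, m: bytes) -> tuple:
    """Toy base encryption: fresh nonce, message XORed with an HMAC keystream."""
    nonce = secrets.token_bytes(16)
    return (nonce, xor(m, keystream(k, nonce, len(m))))


def D(k: bytes, c: tuple) -> bytes:
    nonce, ct = c
    return xor(ct, keystream(k, nonce, len(ct)))


def fresh_key() -> tuple:
    """A key k = (k[0], k[1], k[2]) of three uniformly random blocks."""
    return tuple(secrets.token_bytes(BLOCK) for _ in range(3))


def E_prime(k: tuple, m: bytes) -> tuple:
    """E'(k[0,1,2], m) = (k[0], k[1], E(k[2], m)): two blocks are published, only k[2] is used."""
    k0, k1, k2 = k
    return (k0, k1, E(k2, m))


def G_prime_full(k: tuple) -> list:
    """G'(k[0,1,2]) = G(k[0]) + [0, k[2], k[2], 0, k[2], k[2]], reading '+' as block-wise XOR."""
    k0, _k1, k2 = k
    zero = bytes(BLOCK)
    return [xor(g, m) for g, m in zip(G(k0, 6), [zero, k2, k2, zero, k2, k2])]


def G_prime(k: tuple, b: int) -> tuple:
    """G'_b(k): left (b=0) or right (b=1) half of G'(k), itself a three-block key."""
    return tuple(G_prime_full(k)[3 * b:3 * b + 3])


def G_prime_w(k: tuple, w: str) -> tuple:
    """G'_w[1..n](k) = G'_w[1](G'_w[2](... G'_w[n](k))): the last bit of w is applied first."""
    for b in reversed(w):
        k = G_prime(k, int(b))
    return k


def recover_key(c1: tuple, c2: tuple, w: str) -> tuple:
    """Recover k from c1 = E'(k, m) and c2 = E'(G'_w(k), m') for any known non-empty w.

    c1 leaks k[0], k[1]; c2 leaks the first two blocks of G'_w(k). With k^(0) = k and
    k^(i) = G'_{b_i}(k^(i-1)), where b_1 = w[n], ..., b_n = w[1]:
      k^(i)[0] = G(k^(i-1)[0])[3 b_i]                 -- computable from k[0] alone
      k^(i)[1] = G(k^(i-1)[0])[3 b_i + 1] ^ k^(i-1)[2]
      k^(i)[2] = G(k^(i-1)[0])[3 b_i + 2] ^ k^(i-1)[2]
    so k^(n)[1] exposes k^(n-1)[2], and each k^(i)[2] exposes k^(i-1)[2], down to k[2]."""
    if not w:
        raise ValueError("two ciphertexts under the same key reveal nothing about k[2]")
    bits = [int(b) for b in reversed(w)]          # b_1, ..., b_n in application order
    firsts = [c1[0]]                              # k^(0)[0], k^(1)[0], ..., k^(n)[0]
    for b in bits:
        firsts.append(G(firsts[-1], 6)[3 * b])
    if firsts[-1] != c2[0]:
        raise ValueError("c2 is not encrypted under G'_w(k) for this w")
    n = len(bits)
    k2 = xor(c2[1], G(firsts[n - 1], 6)[3 * bits[n - 1] + 1])   # k^(n-1)[2]
    for i in range(n - 1, 0, -1):
        k2 = xor(k2, G(firsts[i - 1], 6)[3 * bits[i - 1] + 2])   # k^(i-1)[2]
    return (c1[0], c1[1], k2)


def demo(w: str = "1001") -> bool:
    """Sanity run: the recovered key equals k and decrypts the first ciphertext."""
    k = fresh_key()
    c1 = E_prime(k, b"group key update")
    c2 = E_prime(G_prime_w(k, w), b"another message")
    k_rec = recover_key(c1, c2, w)
    return k_rec == k and D(k_rec[2], c1[2]) == b"group key update"
```

The reason the three-block version survives |w| > 1 where the earlier fix did not is visible in `recover_key`: the first block of every derived key is a function of k[0] alone, so the whole chain of first blocks is computable, and the second block of each level exposes the third block of the level below it, which is exactly the value needed to continue peeling. For protocol analysis the consequence is the one the slides draw: a ciphertext under k next to a ciphertext under G_w(k) has to be treated as revealing k symbolically, because some secure instantiation of Enc and PRG makes that literally true.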
Conclusion
● Computationally sound and complete symbolic semantics for encrypted expressions with pseudorandom keys
● Conveniently used in a number of protocols
  – Key distribution, XML, Garbled Circuits, etc.
Thank you
(No time for) Questions?