The Computational SLR: A Calculus for Verifying Cryptographic Proofs - PowerPoint PPT Presentation

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS’09, Shanghai, China October 13, 2009

Background ✦ Formal verification of security protocols – from the symbolic model to the computational model. ✦ In cryptography, bugs are continuously found in crypto proofs, which sometimes take time. – OAEP scheme was initially believed to be IND-CCA2 secure, but was proved not, after 7 years. “Many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor.” — Bellare & Rogaway 2004 BASICS’09 — October 13, 2009 — 2

Proofs in traditional cryptography ✦ Cryptographers need a tool for checking proofs formally (and automatically). BASICS’09 — October 13, 2009 — 3

Computational indistinguiability ✦ Many security criteria in cryptography are defined using computational indistinguishability. – It is a notion of observational equivalence: crypto-systems are programs. – Well studied in PL and logic, supported by many proof techniques. !"#$%&'()#%#*+#% ,-'./0+#&,(+1%.2"&0+1.(3.% 9*.3:&(6%#*.%;+7(.;% -.#4..(%5/,6/+7'8 5/,,<%&'%="'#%:&11&(6%7.%> BASICS’09 — October 13, 2009 — 4

Outline ➣ The computational SLR ➣ The proof system for computational indistinguishability ➣ Game-based proofs in CSLR ➣ Conclusion BASICS’09 — October 13, 2009 — 5

Hofmann’s SLR system ✦ A functional language characterizing PTIME computations through typing. ✦ An implementation of Bellantoni and Cook’s safe recursion: – Variables are divided into normal and safe variables: f ( � x ; � y ) . – Recursive calls via safe variables: f (0 , � y ; � z ) = g ( � y ; � z ) y ; f ( ⌊ x f ( x, � y ; � z ) = h ( x, � 2 ⌋ , � y ; � z ) , � z ) ✦ � ( τ ) are types for normal variables. Γ ⊢ e : τ Γ( x ) = � ( _ ) for all x ∈ FV ( e ) Γ ⊢ e : � ( τ ) Γ ⊢ e : � ( τ ) Γ ⊢ e : τ – Safe recursor: rec : N → ( � ( N ) → N → N ) → � ( N ) → N ✦ Higher-order recursive calls must be used linearly. rec τ : τ ⊸ ( � ( N ) → τ ⊸ τ ) → � ( N ) → τ BASICS’09 — October 13, 2009 — 6

The computational SLR (CSLR) — types An extension of the non-polymorphic SLR with monadic types: τ, τ ′ , . . . ::= bitstrings Bits | τ ⊸ τ ′ linear functions | τ → τ ′ nonlinear, nonmodal functions | � τ → τ ′ modal (normal) functions | T τ probabilistic computations | . . . – � itself is NOT a type constructor in SLR. – Constructor T is from Moggi’s computational λ -calculus. BASICS’09 — October 13, 2009 — 7

CSLR — expressions Expressions: e, e ′ , . . . ::= empty bitstring nil | B 0 | B 1 bit successor | safe recursor rec τ | oracle bit rand | val ( e ) trivial (deterministic) computations | bind x = e in e ′ sequential computations | . . . – We operate directly on bitstrings, instead of numbers. – Probabilistic computations are formulated in Moggi’s framework. BASICS’09 — October 13, 2009 — 8

CSLR — type system ✦ Typing contexts assign aspects as well as types to variables: x 1 : a 1 τ 1 , . . . , x n : a n τ n Aspects specify the way how variables can be used in terms. ✦ Typing rules: Γ , x : a τ ⊢ e : τ ′ Γ ⊢ rec τ : τ ⊸ � ( � N → τ ⊸ τ ) → � N → τ a → τ ′ Γ ⊢ λx.e : τ − a ′ ≤ a for all x : a ′ τ ′′ ∈ Γ , ∆ 2 a → τ ′ Γ , ∆ 1 ⊢ e 1 : τ − Γ , ∆ 2 ⊢ e 2 : τ Γ nonlinear Γ , ∆ 1 , ∆ 2 ⊢ e 1 e 2 : τ ′ Γ ⊢ e : τ Γ ⊢ val ( e ) : T τ a ′ ≤ a for all x : a ′ τ ′′ ∈ Γ , ∆ 1 Γ , ∆ 2 , x : a τ ⊢ e 2 : T τ ′ Γ , ∆ 1 ⊢ e 1 : T τ Γ nonlinear Γ , ∆ 1 , ∆ 2 ⊢ bind x = e 1 in e 2 : T τ ′ BASICS’09 — October 13, 2009 — 9

B of all bitstrings (including the empty one) for interpreting Bits . CSLR — semantics ✦ The set-theoretic semantics: – The set – We do not distinguish between the three sorts of function spaces. – � rec � defines the safe recursion scheme. ✦ A probabilistic monad for interpreting probabilistic computations � T τ � = � τ � → [0 , 1] { (0 , 1 2 ) , (1 , 1 � rand � = 2 ) } � val ( e ) � ρ = { ( � e � ρ, 1) } v ′ ∈ � τ � � e 2 � ρ [ x �→ v ′ ]( v ) × � e 1 � ρ ( v ′ ) � bind x = e 1 in e 2 � ρ = λv . � – The monad defined using measures [Ramsey & Pfeffer ’02], but simplified here by using mass functions. BASICS’09 — October 13, 2009 — 10

Results on (computational) SLR ✦ Hofmann’s theorem: – The set-theoretic interpretations of well typed SLR terms of type � Bits → Bits are exactly PTIME functions. ✦ Theorem of Mitchell et al. (adapted): – The set-theoretic interpretations of well typed CSLR terms of type � Bits → TBits are exactly PPT functions. – The language of Mitchell et al. does not have computation types, but their proof applies to CSLR. BASICS’09 — October 13, 2009 — 11

Cryptographic constructions in CSLR ✦ Goldreich and Micali’s pseudorandom construction: def head ( g 1 ( R ′ ( u, m ))) , n ) G = λu . λn . rec ( nil , λm . λr . r • head head where R ′ def = λu . λn . rec ( u, λm . λr . tail tail ( g 1 ( pref pref ( r, u ))) , n ) . tail pref G is of type � Bits → � Bits → Bits . ✦ Blum-Blum-Shub pseudorandom construction: def bbsrec ( l, s 2 ) = λl . λs . bbsrec BBS BBS BBS bbsrec where bbsrec bbsrec bbsrec is defined as def parity ( x ) • r ( x 2 ) , l ) . bbsrec = λl . rec ( λx. nil , λm.λr.λx. parity parity bbsrec bbsrec BBS BBS is of type � Bits → � Bits → Bits . BBS BASICS’09 — October 13, 2009 — 12

Cryptographic constructions in CSLR ✦ El-Gamal encryption scheme: • The key generation: def zrand ( q ) in val ( γ x , x ) KG = λη . bind x = zrand zrand KG KG KG KG is of type � Bits → T ( Bits × Bits ) . KG • The encryption: zrand ( q ) in val ( γ y , pk y ∗ m )) def Enc = λη . λpk . λm . bind y = zrand zrand Enc Enc Enc Enc is of type � Bits → Bits → Bits → T ( Bits × Bits ) . Enc • The decryption: def = λη . λsk . λc . proj 2 ( c ) ∗ ( proj 1 ( c ) sk ) − 1 Dec Dec Dec Dec Dec is of type � Bits → Bits → Bits → Bits . Dec BASICS’09 — October 13, 2009 — 13

Outline ➣ The computational SLR ➣ The proof system for computational indistinguishability ➣ Game-based proofs in CSLR ➣ Conclusion BASICS’09 — October 13, 2009 — 14

Computational indistinguishability (in CSLR) Two CSLR programs f 1 , f 2 of type � Bits → τ are computationally indistinguishable (writen as f 1 ≃ f 2 ) if – for every well typed CSLR program A (adversary) of type � Bits → τ → TBits , – for every positive polynomial p (SLR term of type � Bits → Bits ), – for every sufficiently long bitstring η , 1 | Pr [ � A ( η, f 1 ( η )) � = ǫ ] − Pr [ � A ( η, f 2 ( η )) � = ǫ ] | < | p ( η ) | • The adversary is feasible iff it is well typed. BASICS’09 — October 13, 2009 — 15

Security notions by computational indistinguishability ✦ Pseudorandomness: a deterministic function G (of type � Bits → Bits ) is a PRG if | G ( s ) | > | s | for every s and λx. bind s = rs rs rs ( x ) in val ( G ( s )) ≃ λx. rs rs rs ( G ( x )) ✦ Next-bit unpredictability: a deterministic function F (of type � Bits → Bits ) is next-bit unpredictable if | F ( s ) | > | s | for every s and λη . bind s = rs rs ( η ) in val ( F ( s )) rs ≃ λη . bind s = rs rs rs ( η ) in bind b = rand in val ( b • tail tail tail ( F ( s ))) ✦ Semantic security: λη . bind k = KG KG ( η ) in val ( KG KG , Enc Enc , Dec Dec , λm 0 .λm 1 . Enc Enc ( η, k, m 0 )) KG KG Enc Dec Enc ≃ λη . bind k = KG KG KG ( η ) in val ( KG KG KG , Enc Enc Enc , Dec Dec Dec , λm 0 .λm 1 . Enc Enc Enc ( η, k, m 1 )) BASICS’09 — October 13, 2009 — 16

The proof system — internal rules Rules justifying program equivalence. • Standard axioms and rules in λ -calculus: e ≡ e ′ . . . . . . ( λx.e ) e ′ ≡ e [ e ′ /x ] e ≡ e λx.e ≡ λx.e ′ • Axioms and rules for probabilistic computations: bind x = val ( e 1 ) in e 2 ≡ e 2 [ e 1 /x ] bind x = ( bind y = e 1 in e 2 ) in e 3 ≡ bind y = e 1 in bind x = e 2 in e 3 e 1 ≡ e ′ e 2 ≡ e ′ 1 2 bind x = e 1 in e 2 ≡ bind x = e ′ 1 in e ′ 2 . . . . . . Two probabilistic programs are equivalent if they produce the same distribution. BASICS’09 — October 13, 2009 — 17

The proof system — internal rules Rules justifying computational indistinguishability. ⊢ e 1 : � Bits → TBits ⊢ e 2 : � Bits → TBits e 1 ≡ e 2 EQUIV e 1 ≃ e 2 e 1 ≃ e 2 e 2 ≃ e 3 TRANS-INDIST e 1 ≃ e 3 x : n Bits , y : n Bits ⊢ e : TBits e 1 ≃ e 2 SUB λx . bind y = e 1 ( x ) in e ≃ λx . bind y = e 2 ( x ) in e x : n Bits , n : n Bits ⊢ e : TBits λn.e [ u/x ] is numerical for all u λx . e [ i ( x ) /n ] ≃ λx . e [ B 1 i ( x ) /n ] for all canonical i such that | i | < | p | H-IND λx . e [ nil /n ] ≃ λx . e [ p ( x ) /n ] BASICS’09 — October 13, 2009 — 18