the computational slr a calculus for verifying
play

The Computational SLR: A Calculus for Verifying Cryptographic Proofs - PowerPoint PPT Presentation

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from


  1. The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS’09, Shanghai, China October 13, 2009

  2. Background ✦ Formal verification of security protocols – from the symbolic model to the computational model. ✦ In cryptography, bugs are continuously found in crypto proofs, which sometimes take time. – OAEP scheme was initially believed to be IND-CCA2 secure, but was proved not, after 7 years. “Many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor.” — Bellare & Rogaway 2004 BASICS’09 — October 13, 2009 — 2

  3. Proofs in traditional cryptography ✦ Cryptographers need a tool for checking proofs formally (and automatically). BASICS’09 — October 13, 2009 — 3

  4. Computational indistinguiability ✦ Many security criteria in cryptography are defined using computational indistinguishability. – It is a notion of observational equivalence: crypto-systems are programs. – Well studied in PL and logic, supported by many proof techniques. !"#$%&'()#%#*+#% ,-'./0+#&,(+1%.2"&0+1.(3.% 9*.3:&(6%#*.%;+7(.;% -.#4..(%5/,6/+7'8 5/,,<%&'%="'#%:&11&(6%7.%> BASICS’09 — October 13, 2009 — 4

  5. Outline ➣ The computational SLR ➣ The proof system for computational indistinguishability ➣ Game-based proofs in CSLR ➣ Conclusion BASICS’09 — October 13, 2009 — 5

  6. Hofmann’s SLR system ✦ A functional language characterizing PTIME computations through typing. ✦ An implementation of Bellantoni and Cook’s safe recursion: – Variables are divided into normal and safe variables: f ( � x ; � y ) . – Recursive calls via safe variables: f (0 , � y ; � z ) = g ( � y ; � z ) y ; f ( ⌊ x f ( x, � y ; � z ) = h ( x, � 2 ⌋ , � y ; � z ) , � z ) ✦ � ( τ ) are types for normal variables. Γ ⊢ e : τ Γ( x ) = � ( _ ) for all x ∈ FV ( e ) Γ ⊢ e : � ( τ ) Γ ⊢ e : � ( τ ) Γ ⊢ e : τ – Safe recursor: rec : N → ( � ( N ) → N → N ) → � ( N ) → N ✦ Higher-order recursive calls must be used linearly. rec τ : τ ⊸ ( � ( N ) → τ ⊸ τ ) → � ( N ) → τ BASICS’09 — October 13, 2009 — 6

  7. The computational SLR (CSLR) — types An extension of the non-polymorphic SLR with monadic types: τ, τ ′ , . . . ::= bitstrings Bits | τ ⊸ τ ′ linear functions | τ → τ ′ nonlinear, nonmodal functions | � τ → τ ′ modal (normal) functions | T τ probabilistic computations | . . . – � itself is NOT a type constructor in SLR. – Constructor T is from Moggi’s computational λ -calculus. BASICS’09 — October 13, 2009 — 7

  8. CSLR — expressions Expressions: e, e ′ , . . . ::= empty bitstring nil | B 0 | B 1 bit successor | safe recursor rec τ | oracle bit rand | val ( e ) trivial (deterministic) computations | bind x = e in e ′ sequential computations | . . . – We operate directly on bitstrings, instead of numbers. – Probabilistic computations are formulated in Moggi’s framework. BASICS’09 — October 13, 2009 — 8

  9. CSLR — type system ✦ Typing contexts assign aspects as well as types to variables: x 1 : a 1 τ 1 , . . . , x n : a n τ n Aspects specify the way how variables can be used in terms. ✦ Typing rules: Γ , x : a τ ⊢ e : τ ′ Γ ⊢ rec τ : τ ⊸ � ( � N → τ ⊸ τ ) → � N → τ a → τ ′ Γ ⊢ λx.e : τ − a ′ ≤ a for all x : a ′ τ ′′ ∈ Γ , ∆ 2 a → τ ′ Γ , ∆ 1 ⊢ e 1 : τ − Γ , ∆ 2 ⊢ e 2 : τ Γ nonlinear Γ , ∆ 1 , ∆ 2 ⊢ e 1 e 2 : τ ′ Γ ⊢ e : τ Γ ⊢ val ( e ) : T τ a ′ ≤ a for all x : a ′ τ ′′ ∈ Γ , ∆ 1 Γ , ∆ 2 , x : a τ ⊢ e 2 : T τ ′ Γ , ∆ 1 ⊢ e 1 : T τ Γ nonlinear Γ , ∆ 1 , ∆ 2 ⊢ bind x = e 1 in e 2 : T τ ′ BASICS’09 — October 13, 2009 — 9

  10. B of all bitstrings (including the empty one) for interpreting Bits . CSLR — semantics ✦ The set-theoretic semantics: – The set – We do not distinguish between the three sorts of function spaces. – � rec � defines the safe recursion scheme. ✦ A probabilistic monad for interpreting probabilistic computations � T τ � = � τ � → [0 , 1] { (0 , 1 2 ) , (1 , 1 � rand � = 2 ) } � val ( e ) � ρ = { ( � e � ρ, 1) } v ′ ∈ � τ � � e 2 � ρ [ x �→ v ′ ]( v ) × � e 1 � ρ ( v ′ ) � bind x = e 1 in e 2 � ρ = λv . � – The monad defined using measures [Ramsey & Pfeffer ’02], but simplified here by using mass functions. BASICS’09 — October 13, 2009 — 10

  11. Results on (computational) SLR ✦ Hofmann’s theorem: – The set-theoretic interpretations of well typed SLR terms of type � Bits → Bits are exactly PTIME functions. ✦ Theorem of Mitchell et al. (adapted): – The set-theoretic interpretations of well typed CSLR terms of type � Bits → TBits are exactly PPT functions. – The language of Mitchell et al. does not have computation types, but their proof applies to CSLR. BASICS’09 — October 13, 2009 — 11

  12. Cryptographic constructions in CSLR ✦ Goldreich and Micali’s pseudorandom construction: def head ( g 1 ( R ′ ( u, m ))) , n ) G = λu . λn . rec ( nil , λm . λr . r • head head where R ′ def = λu . λn . rec ( u, λm . λr . tail tail ( g 1 ( pref pref ( r, u ))) , n ) . tail pref G is of type � Bits → � Bits → Bits . ✦ Blum-Blum-Shub pseudorandom construction: def bbsrec ( l, s 2 ) = λl . λs . bbsrec BBS BBS BBS bbsrec where bbsrec bbsrec bbsrec is defined as def parity ( x ) • r ( x 2 ) , l ) . bbsrec = λl . rec ( λx. nil , λm.λr.λx. parity parity bbsrec bbsrec BBS BBS is of type � Bits → � Bits → Bits . BBS BASICS’09 — October 13, 2009 — 12

  13. Cryptographic constructions in CSLR ✦ El-Gamal encryption scheme: • The key generation: def zrand ( q ) in val ( γ x , x ) KG = λη . bind x = zrand zrand KG KG KG KG is of type � Bits → T ( Bits × Bits ) . KG • The encryption: zrand ( q ) in val ( γ y , pk y ∗ m )) def Enc = λη . λpk . λm . bind y = zrand zrand Enc Enc Enc Enc is of type � Bits → Bits → Bits → T ( Bits × Bits ) . Enc • The decryption: def = λη . λsk . λc . proj 2 ( c ) ∗ ( proj 1 ( c ) sk ) − 1 Dec Dec Dec Dec Dec is of type � Bits → Bits → Bits → Bits . Dec BASICS’09 — October 13, 2009 — 13

  14. Outline ➣ The computational SLR ➣ The proof system for computational indistinguishability ➣ Game-based proofs in CSLR ➣ Conclusion BASICS’09 — October 13, 2009 — 14

  15. Computational indistinguishability (in CSLR) Two CSLR programs f 1 , f 2 of type � Bits → τ are computationally indistinguishable (writen as f 1 ≃ f 2 ) if – for every well typed CSLR program A (adversary) of type � Bits → τ → TBits , – for every positive polynomial p (SLR term of type � Bits → Bits ), – for every sufficiently long bitstring η , 1 | Pr [ � A ( η, f 1 ( η )) � = ǫ ] − Pr [ � A ( η, f 2 ( η )) � = ǫ ] | < | p ( η ) | • The adversary is feasible iff it is well typed. BASICS’09 — October 13, 2009 — 15

  16. Security notions by computational indistinguishability ✦ Pseudorandomness: a deterministic function G (of type � Bits → Bits ) is a PRG if | G ( s ) | > | s | for every s and λx. bind s = rs rs rs ( x ) in val ( G ( s )) ≃ λx. rs rs rs ( G ( x )) ✦ Next-bit unpredictability: a deterministic function F (of type � Bits → Bits ) is next-bit unpredictable if | F ( s ) | > | s | for every s and λη . bind s = rs rs ( η ) in val ( F ( s )) rs ≃ λη . bind s = rs rs rs ( η ) in bind b = rand in val ( b • tail tail tail ( F ( s ))) ✦ Semantic security: λη . bind k = KG KG ( η ) in val ( KG KG , Enc Enc , Dec Dec , λm 0 .λm 1 . Enc Enc ( η, k, m 0 )) KG KG Enc Dec Enc ≃ λη . bind k = KG KG KG ( η ) in val ( KG KG KG , Enc Enc Enc , Dec Dec Dec , λm 0 .λm 1 . Enc Enc Enc ( η, k, m 1 )) BASICS’09 — October 13, 2009 — 16

  17. The proof system — internal rules Rules justifying program equivalence. • Standard axioms and rules in λ -calculus: e ≡ e ′ . . . . . . ( λx.e ) e ′ ≡ e [ e ′ /x ] e ≡ e λx.e ≡ λx.e ′ • Axioms and rules for probabilistic computations: bind x = val ( e 1 ) in e 2 ≡ e 2 [ e 1 /x ] bind x = ( bind y = e 1 in e 2 ) in e 3 ≡ bind y = e 1 in bind x = e 2 in e 3 e 1 ≡ e ′ e 2 ≡ e ′ 1 2 bind x = e 1 in e 2 ≡ bind x = e ′ 1 in e ′ 2 . . . . . . Two probabilistic programs are equivalent if they produce the same distribution. BASICS’09 — October 13, 2009 — 17

  18. The proof system — internal rules Rules justifying computational indistinguishability. ⊢ e 1 : � Bits → TBits ⊢ e 2 : � Bits → TBits e 1 ≡ e 2 EQUIV e 1 ≃ e 2 e 1 ≃ e 2 e 2 ≃ e 3 TRANS-INDIST e 1 ≃ e 3 x : n Bits , y : n Bits ⊢ e : TBits e 1 ≃ e 2 SUB λx . bind y = e 1 ( x ) in e ≃ λx . bind y = e 2 ( x ) in e x : n Bits , n : n Bits ⊢ e : TBits λn.e [ u/x ] is numerical for all u λx . e [ i ( x ) /n ] ≃ λx . e [ B 1 i ( x ) /n ] for all canonical i such that | i | < | p | H-IND λx . e [ nil /n ] ≃ λx . e [ p ( x ) /n ] BASICS’09 — October 13, 2009 — 18

Recommend


More recommend