Towards Automatic Proofs for Symmetric Encryption Modes (presentation slides)


  1. (Section bar: Block cipher modes, Generic Encryption Mode, Our Approach, Our Hoare Logic, Result, Conclusion.) Towards Automatic Proofs for Symmetric Encryption Modes. Pascal Lafourcade (1), Yassine Lakhnech (1), Martin Gagné (2), Reihaneh Safavi-Naini (2). (1) Université Grenoble 1, CNRS, Verimag, France. (2) Department of Computer Science, University of Calgary, Canada. FCC, July 12th 2009, Port Jefferson, USA. (Work in progress)

  2. Symmetric Encryption of Large Files

  3. Indistinguishability (IND): the adversary is not able to guess, in polynomial time, even one bit of the plaintext from the ciphertext. The notion was introduced by S. Goldwasser and S. Micali [GM84].

  4. IND for a Symmetric Encryption Mode $E_M$. The IND-CPA game:
  • Sample $b \xleftarrow{R} \{0,1\}$.
  • $(s, m_0, m_1) \xleftarrow{R} A^{E_M}(\eta)$, with $|m_0| = |m_1|$.
  • $b' \xleftarrow{R} A^{E_M}(\eta, s, E_M(m_b))$.
  • Return $b'$.
  Definition: $\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{E_M}(\eta) = \Pr[b' \xleftarrow{R} \mathrm{Ind}^{CPA}_{b=1}(A) : b' = 1] - \Pr[b' \xleftarrow{R} \mathrm{Ind}^{CPA}_{b=0}(A) : b' = 1]$. $E_M$ is IND-CPA secure if $\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{E_M}(\eta)$ is negligible for every polynomial-time adversary $A^{E_M}$.

  5. Related Works
  • Bellare et al., 1997: A Concrete Security Treatment of Symmetric Encryption.
  • Bellare '04, Shoup '04, Halevi, ...: the game-based approach to cryptographic proofs.
  • G. Barthe et al.: formal models of the Generic Model and of the Random Oracle Model in the Coq proof assistant, used to prove hardness of the discrete logarithm and the security of several schemes.
  • R. Corin and J. den Hartog '06: a Hoare-style proof system for game-based cryptographic proofs.
  • B. Blanchet: CryptoVerif, which builds game-based security proofs on observational equivalence.
  • A. Datta et al.: a computationally sound compositional logic for key exchange protocols.
  • CDELL '08: Towards Automated Proofs for Asymmetric Encryption Schemes.

  6. Outline: Block cipher modes; Generic Encryption Mode; Our Approach; Our Hoare Logic; Result; Conclusion.


  8. Block Cipher Modes
  NIST standard:
  • Electronic Code Book (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher FeedBack mode (CFB)
  • Output FeedBack (OFB), and
  • Counter mode (CTR).
  Others: DMC, CBC-MAC, IACBC, IAPM, XCB, TMAC, HCTR, HCH, EME, EME*, PEP, OMAC, TET, CMC, GCM, EAX, XEX, TAE, TCH, TBC, CCM, ABL4.

  9. Electronic Code Book (ECB): each block of the same length is encrypted separately.


  11. Attack on ECB. Adversary $A^{E_K(LR(\cdot,\cdot,b))}$:
  $M_0 \leftarrow 0^n \| 1^n$; $M_1 \leftarrow 0^{2n}$;
  $C[1]\,C[2] \leftarrow E_K(LR(M_0, M_1, b))$;
  if $C[1] = C[2]$ then return 1 else return 0.
  Here the left-or-right oracle returns the encryption of $M_b$: $E_K(LR(m_l, m_r, b)) = E_K(m_l)$ if $b = 0$ and $E_K(m_r)$ if $b = 1$, and $C[i]$ denotes the $i$-th block of a string $C$. Under ECB, $M_1 = 0^{2n}$ encrypts to two identical blocks while the two blocks of $M_0$ encrypt to two different values (E_K is a permutation), so the adversary is always right: $\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{SE}(A) = 1 - 0 = 1$.

  12. Cipher Block Chaining (CBC) Encryption: $C_i = E_K(P_i \oplus C_{i-1})$, $C_0 = IV$.

  13. Cipher Block Chaining (CBC) Decryption: $P_i = D_K(C_i) \oplus C_{i-1}$, $C_0 = IV$.

  14. CBC and others (three blocks shown; in every mode the IV is drawn uniformly at random):

  CBC                  CTR                  OFB                  CFB
  IV <-$ U             IV <-$ U             IV <-$ U             IV <-$ U
  z1 := IV ⊕ m1        z1 := E(IV + 1)      z1 := E(IV)          z1 := E(IV)
  c1 := E(z1)          c1 := m1 ⊕ z1        c1 := m1 ⊕ z1        c1 := m1 ⊕ z1
  z2 := c1 ⊕ m2        z2 := E(IV + 2)      z2 := E(z1)          z2 := E(c1)
  c2 := E(z2)          c2 := m2 ⊕ z2        c2 := m2 ⊕ z2        c2 := m2 ⊕ z2
  z3 := c2 ⊕ m3        z3 := E(IV + 3)      z3 := E(z2)          z3 := E(c2)
  c3 := E(z3)          c3 := m3 ⊕ z3        c3 := m3 ⊕ z3        c3 := m3 ⊕ z3
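The five modes of slides 8 and 14 together with the ECB distinguisher of slide 11, as an added worked example (written for this page; it is not code from the slides or their authors). The block cipher E_K is modelled as a lazily sampled random permutation on 64-bit blocks, a fresh instance per game standing in for a fresh key; the block size, the helper names and the message blocks are this example's assumptions, and the left-or-right oracle follows the convention that it returns the encryption of M_b.

```python
import secrets

N = 8  # bytes per block (a 64-bit toy block); the slides leave the block size abstract

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def add(block, i):
    """IV + i on an N-byte block, as CTR uses it."""
    return ((int.from_bytes(block, "big") + i) % (1 << (8 * N))).to_bytes(N, "big")

class IdealCipher:
    """E_K modelled as a lazily sampled random permutation on N-byte blocks; a fresh
    instance plays the role of a fresh key. This is an assumption of the example:
    the modes only need E to be a permutation, so no real cipher is involved."""
    def __init__(self):
        self.fwd, self.inv = {}, {}

    def enc(self, x):
        if x not in self.fwd:
            y = secrets.token_bytes(N)
            while y in self.inv:          # keep E a permutation
                y = secrets.token_bytes(N)
            self.fwd[x], self.inv[y] = y, x
        return self.fwd[x]

    def dec(self, y):
        return self.inv[y]                # only called on blocks produced by enc

# The modes of slides 8 and 14. Each returns the ciphertext blocks c_1..c_p;
# the IV (c_0) is chosen by the caller and transmitted with them.
def ecb(E, iv, m):
    return [E.enc(mi) for mi in m]

def cbc(E, iv, m):
    c, prev = [], iv
    for mi in m:                          # z_i := c_{i-1} xor m_i ; c_i := E(z_i)
        prev = E.enc(xor(prev, mi))
        c.append(prev)
    return c

def cbc_dec(E, iv, c):
    """Slide 13: P_i = D_K(C_i) xor C_{i-1}, C_0 = IV."""
    return [xor(E.dec(ci), prev) for prev, ci in zip([iv] + c[:-1], c)]

def ctr(E, iv, m):                        # z_i := E(IV + i) ; c_i := m_i xor z_i
    return [xor(mi, E.enc(add(iv, i))) for i, mi in enumerate(m, start=1)]

def ofb(E, iv, m):
    c, z = [], iv
    for mi in m:                          # z_i := E(z_{i-1}), z_0 = IV
        z = E.enc(z)
        c.append(xor(mi, z))
    return c

def cfb(E, iv, m):
    c, prev = [], iv
    for mi in m:                          # z_i := E(c_{i-1}), c_0 = IV
        prev = xor(mi, E.enc(prev))
        c.append(prev)
    return c

def ecb_adversary(lr_oracle):
    """Slide 11's adversary: M_0 = 0^n || 1^n, M_1 = 0^{2n}; output 1 iff C[1] = C[2]."""
    M0 = [bytes(N), b"\xff" * N]
    M1 = [bytes(N), bytes(N)]
    C = lr_oracle(M0, M1)
    return 1 if C[0] == C[1] else 0

def ind_cpa_advantage(mode, adversary=ecb_adversary, trials=64):
    """Pr[b' = 1 | b = 1] - Pr[b' = 1 | b = 0], each estimated over `trials` games with
    a fresh cipher (key) per game and a fresh random IV per oracle call."""
    def rate(b):
        hits = 0
        for _ in range(trials):
            E = IdealCipher()
            def lr(m0, m1):               # E_K(LR(m0, m1, b)): encrypt m_b
                return mode(E, secrets.token_bytes(N), m1 if b == 1 else m0)
            hits += adversary(lr)
        return hits / trials
    return rate(1) - rate(0)

if __name__ == "__main__":
    for name, mode in [("ECB", ecb), ("CBC", cbc), ("CTR", ctr), ("OFB", ofb), ("CFB", cfb)]:
        print(f"{name}: advantage of the slide-11 adversary = {ind_cpa_advantage(mode):.2f}")
```

Against ECB the estimate is exactly 1: the mode is deterministic, so equal plaintext blocks give equal ciphertext blocks and the adversary never errs. Against CBC, CTR, OFB and CFB the same adversary sees two equal blocks only when two inputs to E collide, which under a random IV happens with probability about 2^-64 per game, so the estimate is 0 in practice. That separation is precisely what the Hoare logic of the later slides is meant to establish without running experiments: the random IV keeps every input to E fresh.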


  16. Grammar
  c ::= x <-$ U | x := E(y) | x := E^{-1}(y) | x := y ⊕ z | x := y ‖ z | x := y[n, m] | x := y + 1 | c1; c2

  17. Generic Encryption Mode. Definition: a generic encryption mode M is represented by E_M(m1 | ... | mp, c0 | ... | cp) : var x⃗; c, where c is a command of the grammar. Example, CBC:
  E_CBC(m1 | m2 | m3, IV | c1 | c2 | c3) : var z1, z2, z3;
    IV <-$ U; z1 := IV ⊕ m1; c1 := E(z1); z2 := c1 ⊕ m2; c2 := E(z2); z3 := c2 ⊕ m3; c3 := E(z3);


  19. Predicates
  ψ ::= Indis(νx; V) | F(e) | E(E, l) | RCounter(e)
  φ ::= true | φ ∧ φ | ψ
  • Indis(νx; V): any adversary has only negligible probability of distinguishing whether it is given results of computations performed with the value of x or with a random value, even when it is also given the values of the variables in V.
  • F(e): e is a fresh random value.
  • E(E, l): for every expression e_i in the list l, the probability that the value of e_i has been submitted to the block cipher E is negligible.
  • RCounter(e): e is the most recent value of a counter that started at a fresh random value.
  Remark (Lemma): F(e) ⇒ Indis(νe) and F(e) ⇒ E(E, e).

  20. More formally, for a distribution $X$ on states $(S, E)$:
  • $X \models \mathrm{true}$.
  • $X \models \varphi \wedge \varphi'$ iff $X \models \varphi$ and $X \models \varphi'$.
  • $X \models \mathrm{Indis}(\nu x; V)$ iff $[u \xleftarrow{r} U;\ (S, E) \xleftarrow{r} X : (S(u, V), E)] \sim [(S, E) \xleftarrow{r} X : (S(x, V), E)]$.
  • $X \models \mathrm{E}(E, l)$ iff for all $e \in l$, $\Pr[(S, E) \xleftarrow{r} X : S(e) \in S(T_E).\mathrm{dom}]$ is negligible.
  • $X \models F(e)$ iff $e \in S(F)$.
  • $X \models \mathrm{RCounter}(e)$ iff $e \in S(C)$.

  21. Semantics of the Programming Language. A state $S$ carries the variable values together with the set $F$ of fresh variables, the set $C$ of current counter variables and the table $T_E$ of queries made to $E$:
  $[\![x \xleftarrow{r} U]\!](S, E) = [u \xleftarrow{r} U : (S\{x \mapsto u,\ F \mapsto F \cup \{x\}\}, E)]$
  $[\![x := E(y)]\!](S, E) = \delta(S\{x \mapsto v,\ F \mapsto F \cup \{x\} \setminus \{y\}\}, E)$ if $(S(y), v) \in T_E$;
  $[\![x := E(y)]\!](S, E) = \delta(S\{x \mapsto v,\ F \mapsto F \cup \{x\} \setminus \{y\},\ T_E \mapsto S(T_E) \cdot (S(y), v)\}, E)$ if $(S(y), v) \notin T_E$ and $v = E(S(y))$
  $[\![x := E^{-1}(y)]\!](S, E) = \delta(S\{x \mapsto E^{-1}(S(y)),\ F \mapsto F \setminus \{x, y\}\}, E)$
  $[\![x := y \oplus z]\!](S, E) = \delta(S\{x \mapsto S(y) \oplus S(z),\ F \mapsto F \setminus \{x, y, z\}\}, E)$
  $[\![x := y \| z]\!](S, E) = \delta(S\{x \mapsto S(y) \| S(z),\ F \mapsto F \setminus \{x, y, z\}\}, E)$
  $[\![x := y[n, m]]\!](S, E) = \delta(S\{x \mapsto S(y)[n, m],\ F \mapsto F \setminus \{x, y\}\}, E)$
  $[\![x := y + 1]\!](S, E) = \delta(S\{x \mapsto S(y) + 1,\ C \mapsto C \cup \{x\} \setminus \{y\},\ F \mapsto F \setminus \{x, y\}\}, E)$ if $y \in F$ or $y \in C$;
  $[\![x := y + 1]\!](S, E) = \delta(S\{x \mapsto S(y) + 1,\ F \mapsto F \setminus \{x, y\}\}, E)$ otherwise
  $[\![c_1; c_2]\!] = [\![c_2]\!] \circ [\![c_1]\!]$
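An interpreter for this semantics, added here as a worked example (it is not code from the slides or their authors). It executes programs written in the slide-16 grammar, updating S, F, C and T_E exactly as the transitions above prescribe, and is exercised on the CBC program of slide 17 followed by the CBC decryption of slide 13 (sequential composition, so the second program runs on the state left by the first) and on CTR. The ASCII spellings of the commands (`<-$ U`, `Einv`, `xor`, `||`), the 64-bit block length, the lazily sampled random permutation used for E and the bit-indexing convention for y[n,m] are assumptions of this example, and CTR is written with the grammar's `x := y + 1` only, whereas slide 14 abbreviates E(IV + i).

```python
import re
import secrets

BLOCK = 64  # block length in bits; the slides leave n abstract, 64 is an assumption

def rand_bits(n=BLOCK):
    """u <-$ U: a uniformly random n-bit string, written as a '0'/'1' string."""
    return format(secrets.randbits(n), f"0{n}b")

def xor(a, b):
    assert len(a) == len(b), "xor of strings of different length"
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def inc(a):
    """y + 1 modulo 2^len(y), keeping the length."""
    return format((int(a, 2) + 1) % (1 << len(a)), f"0{len(a)}b")

class State:
    """(S, E) of slide 21: the variables plus the bookkeeping sets F, C and the table T_E."""
    def __init__(self, inputs):
        self.S = dict(inputs)        # variable -> bit-string (the m_i are given as inputs)
        self.F = set()               # variables holding a fresh random value
        self.C = set()               # variables holding the most recent value of a counter
        self.TE = []                 # T_E: (input, output) pairs submitted to E, in order
        self._fwd, self._inv = {}, {}  # E as a lazily sampled random permutation (assumption)

    def E(self, x):
        if x not in self._fwd:
            y = rand_bits(len(x))
            while y in self._inv:    # keep E a permutation
                y = rand_bits(len(x))
            self._fwd[x], self._inv[y] = y, x
        return self._fwd[x]

    def Einv(self, y):
        if y not in self._inv:
            x = rand_bits(len(y))
            while x in self._fwd:
                x = rand_bits(len(y))
            self._fwd[x], self._inv[y] = y, x
        return self._inv[y]

# Surface syntax for the slide-16 grammar (ASCII spellings chosen for this example):
#   x <-$ U | x := E(y) | x := Einv(y) | x := y xor z | x := y || z | x := y[n,m] | x := y + 1
RULES = [
    (re.compile(r"(\w+) <-\$ U"), "rand"),
    (re.compile(r"(\w+) := E\((\w+)\)"), "enc"),
    (re.compile(r"(\w+) := Einv\((\w+)\)"), "dec"),
    (re.compile(r"(\w+) := (\w+) xor (\w+)"), "xor"),
    (re.compile(r"(\w+) := (\w+) \|\| (\w+)"), "cat"),
    (re.compile(r"(\w+) := (\w+)\[(\d+),(\d+)\]"), "sub"),
    (re.compile(r"(\w+) := (\w+) \+ 1"), "inc"),
]

def step(st, cmd):
    """One transition of the slide-21 semantics; F, C and T_E change exactly as there."""
    for pat, kind in RULES:
        m = pat.fullmatch(cmd)
        if m:
            break
    else:
        raise ValueError(f"not in the grammar: {cmd!r}")
    g = m.groups()
    x = g[0]
    if kind == "rand":
        st.S[x] = rand_bits()
        st.F |= {x}
    elif kind == "enc":
        y = g[1]
        v = st.E(st.S[y])
        if (st.S[y], v) not in st.TE:
            st.TE.append((st.S[y], v))
        st.S[x] = v
        st.F = (st.F | {x}) - {y}
    elif kind == "dec":
        y = g[1]
        st.S[x] = st.Einv(st.S[y])
        st.F -= {x, y}
    elif kind in ("xor", "cat"):
        y, z = g[1], g[2]
        st.S[x] = xor(st.S[y], st.S[z]) if kind == "xor" else st.S[y] + st.S[z]
        st.F -= {x, y, z}
    elif kind == "sub":
        y, n, mm = g[1], int(g[2]), int(g[3])
        st.S[x] = st.S[y][n:mm + 1]  # bits n..m inclusive, 0-indexed from the left (assumption)
        st.F -= {x, y}
    elif kind == "inc":
        y = g[1]
        st.S[x] = inc(st.S[y])
        if y in st.F or y in st.C:
            st.C = (st.C | {x}) - {y}
        st.F -= {x, y}
    return st

def run(program, st):
    """c1; c2 is composition: commands are separated by ';' or newlines."""
    for cmd in re.split(r"[;\n]", program):
        cmd = " ".join(cmd.split())
        if cmd:
            step(st, cmd)
    return st

CBC_ENC = """IV <-$ U; z1 := IV xor m1; c1 := E(z1);
             z2 := c1 xor m2; c2 := E(z2);
             z3 := c2 xor m3; c3 := E(z3)"""
CBC_DEC = """d1 := Einv(c1); p1 := d1 xor IV;
             d2 := Einv(c2); p2 := d2 xor c1;
             d3 := Einv(c3); p3 := d3 xor c2"""
CTR_ENC = """IV <-$ U; t1 := IV + 1; z1 := E(t1); c1 := m1 xor z1;
             t2 := t1 + 1; z2 := E(t2); c2 := m2 xor z2;
             t3 := t2 + 1; z3 := E(t3); c3 := m3 xor z3"""

if __name__ == "__main__":
    inputs = {"m1": "0" * BLOCK, "m2": "0" * BLOCK, "m3": rand_bits()}  # constructed sample input
    st = run(CBC_ENC, State(dict(inputs)))
    print("CBC after encryption: F =", st.F, "C =", st.C, "|T_E| =", len(st.TE))
    run(CBC_DEC, st)
    print("CBC decrypts correctly:", all(st.S[f"p{i}"] == st.S[f"m{i}"] for i in (1, 2, 3)))
    st = run(CTR_ENC, State(dict(inputs)))
    print("CTR after encryption: F =", st.F, "C =", st.C)
```

Running CBC leaves F = {c3}: every xor consumes the freshness of its operands, and each E(z_i) mints a single fresh variable, so at any point at most one variable is tracked as fresh, which is exactly the book-keeping the block cipher rules of slide 25 rely on. Running CTR leaves F empty and C = {t3}: the counter chain IV, t1, t2, t3 stays in C because it started from a fresh value, while the keystream blocks lose freshness as soon as they are xored into the ciphertext. A trace like this is a quick sanity check of a hand-written derivation, not a proof; the proof is what the Hoare rules provide.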

  22. Main Result. Proposition: Let $E_M(m_1 | \ldots | m_p, c_0 | \ldots | c_p) : \mathbf{var}\ \vec{x};\ c$ be a generic encryption mode, and let $IO = \{m_1, \ldots, m_p, c_0, \ldots, c_p\}$. Then $E_M$ is IND-CPA secure if $\{\mathrm{true}\}\ c\ \{\bigwedge_{i=0}^{p} \mathrm{Indis}(\nu c_i; IO)\}$ is valid. Proof in progress.


  24. Random Assignment:
  • (R1) $\{\mathrm{true}\}\ x \xleftarrow{\$} U\ \{F(x)\}$
  • (R2) $\{\mathrm{Indis}(\nu y; V)\}\ x \xleftarrow{\$} U\ \{\mathrm{Indis}(\nu y; V, x)\}$
  Using the Lemma (F(e) ⇒ Indis(νe) and F(e) ⇒ E(E, e)) together with (R1) we obtain {Indis(νx)} and {E(E, x)}; this combination is used often in the examples.

  25. Block Cipher Rules:
  • (B1) $\{\mathrm{E}(E, y)\}\ x := E(y)\ \{F(x)\}$
  • (B2) $\{\mathrm{Indis}(\nu y; V)\}\ x := E(y)\ \{\mathrm{Indis}(\nu y; V)\}$
  • (B3) $\{\mathrm{RCounter}(y)\}\ x := E(y)\ \{\mathrm{RCounter}(y)\}$
