Post on 04-Feb-2016
description
Computational Soundness
Symbolic methods for cryptography
Bogdan WarinschiUniversity of Bristol
Computational Soundness
Toy example
K K
A, N1
{N1, N2, Ks } K
{B, N2}Ks {D}Ks
A B
Is the data D secret?
Computational Soundness
Security Models
Mathematical model
Security property
Proof method
Computational Soundness
Abstraction Levels
Computational Soundness
Abstraction Levels
Inse
curity
Computational Soundness
Abstraction Levels
Secu
rity
Computational Soundness
Two types of security models
Model
Security property
Proof method
Model
Security property
Proof method
Model
Security property
Proof method Model
Security property
Proof method
Computational Soundness
Outline
• A gap between models for encryption:– security definitions – proofs
• Bridging the gap:
– The passive adversaries case: • the Abadi-Rogaway logic • extensions
– The active adversaries case (tomorrow)
Computational Soundness
Two views of security for encryption schemes
Computational Soundness
Symbolic treatment of encryption
• Messages are elements from a term algebra: – Data = {D1,D2,…},
– Keys = {K1,K2,…}, – Random nonces = {N1,N2,…}, – Identities = {A,B,…}
• BASIC := Data | Keys | Random nonces | Identities
• TERM := BASIC | (TERM, TERM) | {TERM}Keys
• Messages are terms, e.g. N2 , {((B, N1), Ks) }K
Computational Soundness
Symbolic treatment of encryption
• Security for encryption is axiomatized
– Given {M}K adversary can compute M only if it has K
{M}K, K
M
KM,
{M}K
M1, M2
(M1, M2)
(M1, M2)
M1, M2
Computational Soundness
Computational treatment for encryption
• Messages are bitstrings
• Symmetric encryption scheme = (Kg, Enc, Dec)
– Kg(η) outputs a random bitstring k in {0,1}η
– Enc: {0,1}η × {0,1}* → {0,1}* (distribution on {0,1}*)
– Dec: {0,1}η × {0,1}* → {0,1}*
– It holds that: Dec (k, Enc(k,m) ) = m
• E.g. AES-CBC
Computational Soundness
Computational treatment for encryption
= (Kg,Enc,Dec) ;
Enc(K,_)b M0,M1 (|M0|=|M1|)
Enc (K,Mb)
b=?
Encryption scheme is IND-CPA secure if for all adversaries,
Pr [ Adversary guessess b] ½ + negligible function (η)
Computational Soundness
Security of double encryption:
• Is the message M secret ?
K K
A B
{ {M} K }K
Computational Soundness
Security of double encryption: symbolically
• Does there exist a derivation:
{{M}K}
K
………
M
{M}K, K
M
KM,
{M}K
M1, M2
(M1, M2)
(M1, M2)
M1, M2
using only:
Computational Soundness
Security of double encryption: computationally
Enc(K,(Enc(K,_))
b
M0,M1 (|M0|=|M1|)
Enc(K,Enc (K,Mb))
b=?
Computational Soundness
Security of double encryption: computationally
C
b=?
Enc(K,_)
b M0,M0
C0=Enc(K, M0)
M1,M1
C1=Enc(K, M1)
C0,C1
C=Enc(K,(Enc(K, Mb)
M0,M1
Computational Soundness
Two Paradigms for Protocol Analysis
Symbolic Approach
Abstract model
D-Y adversaries
Unclear how to ensure security of primitives
Proofs can potentially be automatized (theorem provers, model checkers)
Computational Approach
Concrete model
Powerful PPT adversaries
Clear definitions for the security of primitives
Complex protocols are difficult to analyze
Computational Soundness
Two types of security models
Model
Security property
Proof method
Model
Security property
Proof method
Model
Security property
Proof method
Model
Security property
Proof method
Computational Soundness
Two ways of bridging the gap
Model
Security property
Proof method
Model
Security property
Proof method
Model
Security property
Proof method
Model
Security property
Proof method
Apply methods/techniques from the red world directly in the blue world:
Bruno, Sylvain, Marion’s talks
Show that security in the red worldimplies
security in the blue world
Computational Soundness
Computational Soundness
1.Prove security in the symbolic model2.Apply the soundness theorem3.Deduce security in the computational model
Symbolic model
Security property
Symbolic proof
Computational model
Security property
Computationalproof
Soundness Theorems
Computational Soundness
Two types of security models
Model
Security property
Proof method
Model
Security property
Proof method
Model
Security property
Proof method
Model
Security property
Proof method
Secu
rity
InS
ecu
rity
Secu
rity
Computational Soundness
Toy example
K K
A, N1
{N1, N2, Ks } K
{B, N2} Ks {D}Ks
A B
Is the data D secret?
Computational Soundness
Passive adversaries• A protocol run:
• Two interleaved sessions:
• Two interleaved sessions with corruption:
A, N1, {N1, N2, Ks }K, A, N3, {N3, N4, Ks’ }K, {B, N4}Ks’, {D2}Ks’,{B,N2}Ks,{D1}Ks
A, N1, {N1, N2, Ks }K, {B, N2}Ks {D1}Ks
A, N1, {N1, N2, Ks }K, Ks, A, N3, {N3, N4, Ks’ }K, {B, N4}Ks’, {D2}Ks’,{B,N2}Ks, {D1}Ks
Computational Soundness
Defining secrecy, symbolically
To each expression associate a pattern:
For E={N1}K1,{{K1}K2
}K3,K3,{K3}K2
,
{{K1,N2}K3,K3}K2
patt(E)= ▓, {▓}K3, K3, ▓, ▓ (tentative
definition)patt(E)={N}K1,{{K0}K2
}K3,K3,{K0}K2
,{{K0,N}K0,K0 }K2
Computational Soundness
Defining secrecy, symbolically
• Definition: D is hidden in E if D does not occur in patt(E)
Is D1 secret in
A, N1, {N1, N2, Ks }K, {B, N2}Ks
{D1}Ks
Computational Soundness
Defining secrecy, computationally
Given:• a valuation f: {D1,D2,...} {0,1}n
• an encryption scheme = (Kg, Enc, Dec)
Define:[[ _ ]] : Expressions Distributions
f
A, N1, {N1, N2, Ks }K, {B, N2}Ks
{D1}Ks
Computational Soundness
Mapping expressions to (distributions on) bitstrings
{D1,{K5,N }K1}K1
[[ _ ]] : Expressions Distributions f
01000100…11011Kg
111101100…11101Kg
Enc( , ) 01000100…11011 11010101100…10001111101100…11101 00110100…11110
Blah…blah…(in binary)Enc( , )01000100…11011 11010101100…10001
11010101100…1000101010010100101111111111110100100101110100001101110000001010100001011101001
Blah…blah…(in binary)f
00110100…11110Rand
Computational Soundness
Defining secrecy, computationally
E={D1,{K5,N }K1}K1
[[ _ ]] : Expressions Distributions f
01000100…11011Kg
111101100…11101Kg
000101010000111f0
00110100…11110Rand
100110110001110f1
b=?
[[ E ]]
fb
Computational Soundness
Defining secrecy, computationally
Let E be an expression and an encryption scheme
The set T Data is computationally hidden in E if for any valuations
f0,f1 : Data {0,1}n
f0(D) = f1(D) for D Data -T
[[ E ]] ~ [[ E ]]
f0
f1
“~” means computational indistinguishability
Computational Soundness
Relation between two very different worlds?
• Is there a relation between the two notions of secrecy?
• More generally: what does security proved in the symbolic world mean for the computational world?
• Many symbolic versions of the same notion (e.g. two notions of patterns). Which one is right?
• Many security notions for the same primitive in the concrete world. Which one is right?
Computational Soundness
Let – E be an acyclic expression be an IND-CPA secure encryption scheme – arbitrary f: {D1,D2,…,Dn} {0,1}n .
Then:
Main technical result
[[ E ]]f ~ [[ patt(E) ]]f
{K}K
{K1}K2, {K2}K1
are not acyclic expressions
Computational Soundness
Proof idea
• Standard (but very general) hybrid argument
• Construct E1, E2, …, En such that – E1 = E– En = patt(E)– [[Ei]] ~ [[ Ei+1]]
• It is essential that E is acyclic
Computational Soundness
Soundness Theorem (Abadi, Rogaway (2000))
Let – Let E be an acyclic expression be an IND-CPA secure encryption scheme – Then:
T symbolically hidden in E T is computationally hidden in E
Computational Soundness
Proof
E[[ E ]]
f0
[[ E ]]f1
f0
f1
patt(E)[[ patt(E) ]]
f0
[[ patt(E) ]]
f1
f0
f1
Given: T is symbolically hidden in E (any D T does not occur in the pattern of E).
Want: Given any
f0,f1 : Data {0,1}n
f0(D) = f1(D) if D T then
[[ E ]]f0
[[ E ]]f1
indistinguishable from
Computational Soundness
Previous result an instance of:
Symbolic model
Security property
Symbolic proof
Computational model
Security property
Computationalproof
Soundness Theorems
Computational Soundness
(One) Hybrid argument
• E0 = {K1}K2, {K3}K1, {D}K3
• E1 = {K0}K2, {K3}K1, {D}K3
• E2 = {K0}K2, {K0}K1, {D}K3
• E3 = {K0}K2, {K0}K1, {D0}K3
Computational Soundness
(One) Hybrid argument
• E0 = {K1}K2, {K3}K1, {D}K3
• E1 = {K0}K2, {K3}K1, {D}K3
• E2 = {K0}K2, {K0}K1, {D}K3
• E3 = {K0}K2, {K0}K1, {D0}K3
An adversary that distinguishes between [[E0]] and [[E3]] must distinguish between [[Ei]] and [[Ei+1]] for
some i
Computational Soundness
(One) Hybrid argument
• E0 = {K1}K2, {K3}K1, {D}K3
• E1 = {K0}K2, {K3}K1, {D}K3
• E2 = {K0}K2, {K0}K1, {D}K3
• E3 = {K0}K2, {K0}K1, {D0}K3
Computational Soundness
(One) Hybrid argument
Enc(k,_)b
k0,k1
Enc (k,kb)
• Generate k0, k1, k3
• Send k0, k1
• Receive c• Compute c1=Enc(k1, k3)• Compute c2=Enc(k3,d)• Output (c,c1,c2)
c
• E0 = {K1}K2, {K3}K1, {D}K3
• E1 = {K0}K2, {K3}K1, {D}K3
Computational Soundness
Questions:• Is D1 secret in:
• Is D1 secret in :
• Are D1 and D2 secret in:
A, N1, {N1, N2, Ks }K, A, N3, {N3, N4, Ks’ }K, {B, N4}Ks’, {D2}Ks’,{B,N2}Ks,{D1}Ks
A, N1, {N1, N2, Ks }K, {B, N2}Ks {D1}Ks
A, N1, {N1, N2, Ks }K, Ks, A, N3, {N3, N4, Ks’ }K, {B, N4}Ks’, {D2}Ks’,{B,N2}Ks, {D1}Ks
Computational Soundness
Some difficulties
• The usefulness of a soundness theorem increases with its generality
• Is D1 secret in – gx, N1, gy, {N1, Ks }g
xy, {D1}Ks
– gx, N1, gy, {N1, Ks }gx+y, {D1}Ks
– gx, gy, gz, gxy, {Ks }gxyz, {D1}Ks
• Deal with protocols where gx1x2+x2x3+…+xnx1 occurs• How about in
– gx, gy, {N1, Ks }gxy, {D1}Ks, H(N1, D1)
– gx, gy, N1, {Ks }gxy, {D1}Ks, H(N1, D1)
Computational Soundness
Some difficulties
• Intuition a la Dolev Yao models may not always be right!
• patt({D}K1 {D,D}K2) = ▓ , ▓ = patt({D}K1 {D}K1)
• There exists IND-CPA encryption schemes for which encryption with the same key can be observed1. Strengthen the notion of security for encryption in the
computational world
2. Refine the notion of patterns in the symbolic world
Computational Soundness
Acyclicity
• Intuition a la Dolev Yao models may be wrong! • Is D secret in {K}K, {D}K?• There exist IND-CPA encryption schemes which
are completely insecure if used as above
• Is D secret in {K1}K2, {K2}K1, {D}K?• …?• Solutions:
– declare the above use insecure– define and construct key-dependent encryption
Computational Soundness
Computational soundness
• Relates symbolic and computational models so that security results transfer
• Why should we care– Symbolic formalisms:
• Gives insight into models• Justifies the use of symbolic models in a very
strong sense
– Cryptography:• Symbolic models are simpler, easier to understand• For large protocols with complex interactions life is
simpler