How to (not) Analyze Cryptographic Protocols using Game...
38
How to (not) Analyze Cryptographic Protocols using Game Theory Jesper Buus Nielsen
Transcript of How to (not) Analyze Cryptographic Protocols using Game...
Howto(not)AnalyzeCryptographicProtocolsusingGameTheory
JesperBuusNielsen
MainPoints
• Idealizingcrypto:Replacereal‐lifecryptotoolsbyformalobjectsliketermalgebrasororaclestomakeanalysisofaprotocoleasier
• Commonincryptography– knowntobesoundintheusualcrazy‐versus‐stupidmodels
• ResearcherhavebeenidealizingcryptotoolsforthesakeofgametheoreIcanalysistoo– Thatistypicallynotsound
Terminology:ComputaIonalSoluIonConcept
• Takescomputa3onfeasibilityintoaccount– Examples:OnlyallowpolynomialImecomputablestrategies,pricecomputaIonviatheuIlityfuncIon,discounIng,…
• Allowstheuseof(imperfect)cryptography– Example:WhenyouropponentusesencrypIonthedeviaIonwhichmakesoneguessathissecretkeyandusesthekeytobreaktheprotocoliftheguessiscorrectgivesyouasmalladvantage,sogofor‐NEfornegligiblesmalltoallowstability
– Example:UIlityofkey‐guessingsmallerthanthepriceofthecomputaIonordiscountedaway
Terminology:GameTheoreIcSoluIonConcept
• AsoluIonconceptwhichallowsarbitrarystrategies
IdealizingCrypto
• (Verysimple)idealizedsignatures:– TheworldhasaglobalsigningoracleOwhichallparIeshaveaccessto
– Sign:ApartyPicansendsign(m)toOwhichstores(i,(i,m))[readPihasasignatureonmfromPi]
– Transfer:IfPkinputstrans((i,m),n)toOand(k,(i,m))isstoredinO,thenOstores(n,(i,m))
– Verify:IfPkinputsverify(i,m)toOand(k,(i,m))isstoredinOthenOoutputsacceptotherwisereject
• Possibletoshowthatanycryptographicprotocolwhichissecurewhenusingtheseidealizedsignaturesisequallysecurewhentheyarereplacedbyrealsignatures– Uptonegligible– PKI+unforgeablesignatures+UCframework
Why?(1/3)
• Apossiblesolu3onheuris3c:– IdealizethecryptotoolsinaprotocolandthenapplyyourfavoriteGTsoluIonconcepttotheidealizedprotocol
– SincetheidealizedprotocoldoesnotrelyoncomputaIoncryptotoolsitisfreeofthedeviaIonswithnegligiblysmalladvantagewhichdisturbmostknownGTsoluIonconcepts
• ImplicitassumpIon:Guaranteesthattherearenoproblemsbesideskey‐guessing‐likedeviaIons
Why?(2/3)
• MightguidethedevelopmentofcomputaIonalsoluIonconcepts:– GivenGTsoluIonconceptXtrytodevelopacomputaIonalversionCX
– ThencheckifCXproducessoluIonssimilartothesoluIonsXproducesfortheidealizedprotocol
• AssumpIon:ThecomputaIonalversionshouldbehavelikethepureGTnoIon
Why?(3/3)
• Modularanalysisofcomplexprotocols• GivenaprotocolusingbothsignatureandencrypIon:– FirstidealizebothprimiIvesandgiveahopefullysimpleanalysisoftheidealizedprotocol
– ShowthatplugginginrealsignaturespreservessoluIons
– ShowthatplugginginrealencrypIonpreservessoluIons
– ConcludethattherealprotocolhasthesamesoluIonsastheidealprotocol
Hope!
• O`enacryptographicanalysis(honestparIesversuscorruptedparIes)ofanidealizedprotocolcanbeproventogivesoundconclusionsaboutthereal‐lifeprotocol– Signatures– EncrypIon– Zero‐knowledgeproofofknowledge
– Zero‐knowledgeproofofcorrectness
Claims
• Thesolu3onheuris3cislikelytogivewrongconclusions
• ComparisontoidealizaIonisnotagoodsanitycheckforcomputaIonalsoluIonconcepts
• ComputaIonalsoluIonconceptsmustbedevelopedcauIouslyandhavetheirowncomputaIonalepistemologies
• A`erdevelopinggoodcomputaIonalsoluIonconceptsidealizaIonispossibleasatoolformodularanalysis
“ProofbyExample”
• Willtrytoarguemypointby“solving”asmallgameinthreedifferentseengs
• WillseethatwegetdramaIcallydifferentsoluIonsdependingonwhetherweidealizecryptoornot
• AndthesoluIoncalledbytheidealizedanalysisisarguablythewrongone
Overview
21 32:(g,b)
4:g1 4:(g3,b3)
1:signal
3:communica3on 3:comm.
Goodchoice
Badchoice
AFewPennies
• Good&bad:P2playsg{1,2,3}andb{1,2,3}\{g}• Guess:P1playsg1{1,2,3}• Guess:P3playsg3{1,2,3,a}andb3{1,2,3}• Abstain:IfP3playsaallparIesgetuIlity0• Avoidbad:Ifg1=borg3=bthenP1andP3dieandP2wins
theworld• Knowbad:SameifP3doesnotabstainandb3b• Coordinate:Ifg1,g3{1,2,3}\{b}andb3=b,thenP1andP3
getaposiIveuIlityfromg1=g3butP2prefersg1g3– P1hasnegaIveuIlityong1g3butP3doesnot,thoughhe
prefersg1=g3– AndP1preferstomatchong
PlayedinaNetwork
• BeforeP2specifies(g,b):– P1cansendasignaltoP3• AlsoseenbyP2
• ThenP1learns(g,b)butP3doesnot• A`erP2specifies(g,b):– P1cansendamessagetoP2• NotseenbyP3
– P2andP3cancommunicatewitheachother• NotseenbyP1
Recap
21 32:(g,b)
4:g1 4:(g3,b3)
1:signal
3:comm. 3:comm.
Goodchoice
Badchoice
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain:g3=a:u1=u2=u3=0
• Avoid:g1=borg3=b:u1=u3=‐,u2=
• Know:g3a,b3b:u1=u3=‐,u2=
• Otherwise:
• g1g3: u1=‐2 u2=3 u3=0• g1=g3=g: u1=1 u2=1 u3=1
• g1=g3g: u1=0 u2=2 u3=1
Good
Bad
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
Good
Bad
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
• Willdrawconclusionsfromthisgamebyinformallysolvingitusing“commonknowledgeofraIonality”inthefollowingseengs:1. Arbitrarystrategies2. Idealizedsignatures3. Poly‐Imestrategies
Good
Bad
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
• Ifg3ainsomeNE(withposiIveprobability)givensome(signal,b)thenP2gainsbyshi`ingtothestrategywhereitpicksb=g3whenitseessignalandthenshowsP3communicaIonwiththedistribuIonitwouldhaveseenifP2hadplayedaccordingtotheNE
ArbitrarydeviaIonsCommonknowledgeofraIonality
Alwaysabstain
Good
Bad
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
Good
Bad
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• “RaIonalizable”:• P1:signal=verificaIonkeyvkofP1• P2:pick(g,b)uniformlyatrandom• P1:sends=sigsk(g,b)toP2• P2:send(g,b)andstoP3ifreceived,otherwisenothing
• P3:ifvervk((g,b),s)=acceptplayg3=gandb3=botherwiseg3=a
IdealizedsignaturesCommonknowledgeofraIonality
Neverabstain
Good
Bad
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
• P1:signal=verificaIonkeyvkofP1• P2:pick(g,b)uniformlyatrandom• P1:sends=sigsk(g,b)toP2• P2:send(g,b)andstoP3ifreceived,otherwisenothing
• P3:ifvervk((g,b),s)=acceptplayg3=gandb3=botherwiseg3=a
Realsignatures
P2canusestoprovetoP3thatP1signedavalueoftheform(.,b),using,e.g.,a
zero‐knowledgeproof
WhenP3knowsbbutnotgitshouldplay
“matchingpennies”withP2usingarandomg3,whichgivesP2higherpayoffbutgivesP1anegaIvepayoff
HenceraIonalforP1nottogiveanyverifiableinformaIononbaway
HenceP3willabstain
CommonknowledgeofraIonalityAlwaysabstain
WhatwentWrong?
• IdealizaIonofsignatureshavebeenprovensoundincryptography,sowhatwentwrong?
• P2canprovetoP3thatP1sentbwhilehidinggandthusrenegoIateP3intoastrategywhichisanadvantageforP2
• CryptographyhasacentralizedadversarywhocontrolsandcoordinatesallcorruptedparIes,hencetheuseofcryptography“internaltothedeviaIon”doesnotgiveextrapowertotheadversarycomparedtotheidealizedcase
Conclusion1
• TheheurisIcsoluIonconceptcaneasilygive“very”wrongsoluIons– Athree‐party,simultaneousmutualconflict/mutualadvantageofcooperaIonseeng,liketheoneused,canariseinmanyseengsandmightevenbesubtlyhidden
• SeemshardtojudgewhetheraprotocolcanbesoundlyanalyzedusingtheheurisIc,sobekerjustabstainfromdoingit
Conclusion2
• ItdoesnotseemasawayouttomakemoreinvolvedidealizaIonswhich,e.g.,allows“spliIng”ofsignaturesaswedidintheexample– TheidealizaIonwouldprobablyendupbeingmorecomplicatedthanthereal‐lifetool
– TheidealizaIonwouldhavetobeheadon:allowallpossibleusesandmisusesandnothingelsetohopeforsoundness
Conclusion3
• ComparisontohowGTsoluIonconceptsbehaveonidealizedprotocolsisnotagoodsanitycheckforproposedcomputaIonalsoluIonconcepts– InourcasethecomputaIonalnoIonshouldexactlygiveanothersoluIon
Conclusion4
• TheredoesnotseemtobeawayaroundcauIouslydevelopingcomputaIonalsoluIonconceptsandtrytogiveepistemicmodelsbasedonboundedraIonality
TheGoodNews
• ModularanalysisviaidealizaIonispossibleforComputaIonalNashEquilibrium(CNE)– OnlyreasonsviasingleagentdeviaIon– HencecryptocannotbeusedtofacilitatedeviaIons
• In[PeterBroMiltersen,JesperBuusNielsen,NikosTriandopoulos:Privacy‐EnhancingAucIonsUsingRaIonalCryptography.CRYPTO2009]weshowacryptographicaucIonprotocoltobeaCNEviaasoundidealizingofthecryptoandagametheoreIcanalyzingoftheidealizedprotocol
Seeng
• Thegoalin[MNT09]wastogiveagame‐theoreIcanalysisofaprotocolwhichnparIescanrunamongthemselvesontheInternettoemulateatrustedmediator– TheyshouldenduphavingsignedcontractsfromallotherparIesontheiroutcomestoavoiddisputesa`erthegameisover
– TheparIesareallowedtohaveprivacyconcerns,e.g.,toprefertokeeptheirtypesecretoverleakingit
AnalyIcTechnique
• WeuseanoIonofprotocolgame,whichallowstomodelbothatrustedmediatorandtheInternetinaunifiedmanner
• WethenrelatetheproperIesofthereal‐lifeprotocoltothemediatedcaseandconcludethatthereal‐lifeprotocolisasstableasthemediatedcaseandgivesthesameuIlityprofile– ImpliesthatitleaksnomoreinformaIon,astheuIlityassociatedtoinformaIonloss/collecIoniscapturedintheuIlityfuncIons
ProtocolGames
C
n
1
t1 tn
L1 Ln
o1 on
communicaIondeviceparty party
fiscaluIlity:fi(t,o)informaIonuIlity:Ii(t,L)uIlity:ui(t,o,L)=fi(t,o)+Ii(t,L)
MediaIon
(o1,…,on)=M(b1,…,bn)
n
1
t1 tn
L1 Ln
o1 on
party party
fiscaluIlity:fi(t,o)informaIonuIlity:Ii(t,L)uIlity:ui(t,o,L)=fi(t,o)+Ii(t,L)
b1 bn
InternetContractGames
n
1
t1 tn
L1 Ln
o1 on
PlaysCA,seengupPKI
AllowscommunicaIonbetweenparIes
CallsoutcomeoiifPireturnsasignatureonoifromallparIes
party party
fiscaluIlity:fi(t,o)informaIonuIlity:Ii(t,L)uIlity:ui(t,o,L)=fi(t,o)+Ii(t,L)
ImportantDesignChoices
• SametypeprofileTmakessenseinallseengs• Outcomeiscalledbythedeviceaslastroundofoutputs,sowell‐definedinallseengs
• LocalinformaIonisoutputbetheparIes,sowell‐definedinallseengs
• So,sameu=f+Imakessenseinallseengs• WecankeeptypesanduIliIesfixedandrelatedifferentstrategiesindifferentseengs– Wecantalkaboutwhetheritisbekertoplaysomegivenstrategyinthereal‐lifeseengthanitistoplaysomeotherstrategyintheidealseeng
NashImplementaIon
• FixTandf=(f1,…,fn)• Wesaythat(C,)isat‐resilientprivacy‐enhancedNashimplementaFonof(D,),wriSen(C,)t,T,r(D,),ifforalladmissibleIandu=f+Iitholdsthat:
• NolessuFlity:ForallPi:ui(T,C,)ui(T,D,)‐
• NomoreincenFvetodeviate:ForallC{1,…,n}with|C|tandallC
*thereexistsC*
suchthatui(T,D,(C*,‐C))ui(T,C,(C
*,‐
C))‐foralliC
TheResultinthePaper
• WeconstructforeachmechanismMacontractgamefortheInternetwhichisan(n‐1)‐resilientprivacy‐enhancedNashimplementaIonoftheideallymediatedseengforMifallparIeshaveexinterimstrictraIonality
Property1ofNashImplementaIon
• If(C,)isan‐NE(toleraIngcollusionsofsizet)and(C,)t,T,r(D,)then(D,)isan‐NE(toleraIngcollusionsofsizet)– Allowstoli`analysisfromanidealseengtoareal‐lifeseeng
• So,any‐NEforthemediatedseeng(withexinterimstrictraIonality)isalsoa‐NEintheInternetcontractgame
Property2ofNashImplementaIon
• If (C,)t,T,r(D,)and (D,)t,T,r(E,)
then (C,)t,T,r(E,)• ThisallowsamodularanalysisgoingfromthemediatedseengtotheInternetseengviagraduallymorerefinedseengs(introducing,e.g.,onecryptoprimiIveataIme)
…
• ThenoIonofNashimplementaIonisatrivialadopIonofthenoIonNEfromintra‐gameanalysistointer‐gameanalysis
• YetitallowstodomodularanalysiswithmuchthesameflavorasmodularanalysisincryptoviaidealizaIon
• ThereisjusIfiedhopethatothergoodcomputaIonalsoluIonconceptswillallowsimilarli`ingtointer‐gameanalysisandhenceallowmodularanalysis
• WejustneedsomegoodcomputaIonalsoluIonconcepts…
![An Effective Lightweight Cryptographic Algorithm to Secure ... · cryptographic standards to small devices [3]. Many conventional cryptographic algorithms, was optimized for desktop](https://static.fdocuments.in/doc/165x107/5eba52c083012c62a6160c7f/an-effective-lightweight-cryptographic-algorithm-to-secure-cryptographic-standards.jpg)
