June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi.

June 2005

A Plausible Approach A Plausible Approach to Computer-aided to Computer-aided

Cryptographic ProofsCryptographic Proofs

Shai HaleviShai Halevi

June 2005

The ProblemThe Problem• Crypto proofs are hard to verify• Many (most?) published proofs aren’t

read by anyone other than the author– Even proofs for “important” schemes are

often not fully verified

• Errors in proofs happen– Usually in some itty-bitty detail in this

side remark at the bottom of page 27

June 2005

Sample ArgumentsSample Arguments“We now make several changes to the order in which variables are chosen in game R1. We make the following changes to the code:– […]– Instead of choosing MMs{0,1}n and setting

CsmPs

mMMs, we choose Csm{0,1}n and set

MMsPsmCs

m – We replace the assignment CCCs

iMCsjMs

1 in line 136 by the equivalent assignment CCCs

iPPPsiMs

j. This is equivalent sinceMCs

j = MPsjMs

j = PPPsiMs

1Msj

– […]

June 2005

More Sample ArgumentsMore Sample Arguments“H6 checks in client sessions (Pi,ssid) that receive a non-peer-

oracle-generated pair […]

H7 encrypts the “dummy password” w’ in c2 instead of encrypting the password w, for every client session (Pi,ssid) that received a non-peer-oracle-generated pair (c1,VK) in step 2 with non-valid ciphertext c1.

Then as in H2 and H4, since the encryption scheme E' is semantically secure, the environment cannot distinguish between these cases. Note that the session key of such client sessions are already chosen randomly, and the ZKPs are already simulated. Thus neither depends on how c2 is generated. Also note that in the reduction to the security of E' with public key pk', one can still test c1 encryptions, since they are encrypted with the other public key pk and can be decrypted using sk.”

June 2005

You need to be a compiler You need to be a compiler to verify some of these to verify some of these

argumentsarguments

June 2005

Can We Write Such Compiler?Can We Write Such Compiler?• Boils down to verifying that two

pieces of code induce the same probability distribution on some of their variables

• The simplest example: M{0,1}n, CPM, Use(C) vs.C{0,1}n, MPC, Use(C)

June 2005

In This TalkIn This Talk• Look at the security-proof of the

Cramer-Shoup encryption scheme• Show how to reconstruct the proof

using a “compiler-like” tool• Muse about how to build this tool

June 2005

My Bottom LineMy Bottom Line• It can be built, with a lot of work

– Perhaps similar to a new programming language: compiler, run-time, development environment, …

• Is there a “business case”?– Where can I get resources to develop

this tool?

June 2005

This tool is not…This tool is not…• Not a theorem prover

– A person writes the (entire) proof– The tool only verifies that the arguments

are valid

• Different than the approach of the formal-methods community (AFAIK)– No “logic of authentication”, “process

calculus”, etc.

June 2005

Computer assistanceComputer assistance• The person writing the security proof

writes code, specifies how to get from one piece of code to the other

• The automated tool verifies that the transformations are permissible– Transformations to code represent

common arguments in crypto proofs

June 2005

CCA[CS]

CCA CCA1 CCA2 CCA3’CCA4 CCA5

+2t / q+1/q

XYZ

game that depends on a (binary) parameter

game that is derived from template XYZ

The empty game

+epsilon

game with bad events

transformation that changes the probability by epsilon

transformation that is justified by a reduction

game with output

Preview: The Proof of CS98Preview: The Proof of CS98DDH

CCA1 CCA2

DDH TCR

CCA4 CCA5’

+t /q^4

CCA5

TCR

June 2005

Everything is codeEverything is code• Game = code that tells the

participants in the game what to do• Argument in a proof =

transformation from one game to another

June 2005

The Cramer-Shoup The Cramer-Shoup Encryption SchemeEncryption Scheme

• Uses operations in algebraic group G• And a hash function H• Resists chosen ciphertext attacks,

provided that– The “decision Diffie-Hellman” problem

(DDH) is hard in the group G– The hash function H is “target-collision-

resistant”

June 2005

Pseudo-code for Pseudo-code for CS98CS98

KeyGen

Enc(m)

Dec(a,a’,c,d)

01. g,g’G, x1,x2,y1,y2,z1,z2{1,2,…,q}02. e=gx1g’x2, f=gy1g’y2, h=gz1g’z2 03. pk=(g,g’,e,f,h), sk=(x1,x2,y1,y2,z1,z2)

11. assert m G // else fail12. u {1,2,…,q}13. a=gu, a’=g’u, b=hu, c=b·m14. v=H(a,a’,c), d=eufuv 15. Output (a,a’,c,d)

21. assert a,a’,c,d G // else fail22. v = H(a,a’,c)23. assert d = ax1+vy1·a’x2+vy2 // else fail24. b = az1a’z2, m=c/b25. Output m

June 2005

CCA SecurityCCA Security• “Resistance to chosen-ciphertext

attacks” is defined via a game – Attacker gets public-key and access to

a black box that decrypts– Attacker submits two messages, gets

back encryption of one of them, needs to guess which one• without asking the box to decrypt the

“target ciphertext”

June 2005

Pseudo-code for Pseudo-code for CCACCA Game GameCCA (parameters: bit , integer t)101. (ps,sk) KeyGen102. C[1] = Attacker(pk)103. For s=1 to t104. answer[s] = Dec(C[s])105. if s<t then C[s+1] = Attacker( answer[s] )106. (m0,m1) = Attacker( answer[t] ), C* = Enc(m)

107. C[t+1] = Attacker( C* )108. For s=t+1 to 2t109. assert C[s] C*110. answer[s] = Dec(C[s])111. if s<2t then C[s+1] = Attacker( answer[s] )112. guess = Attacker( answer[2t] ), Output guess

June 2005

Proving SecurityProving Security• Pasting CS98 in CCA, we get the code

describing CCA attack on CS98• Fix any Attacker and any integer t• Prove that CCA(0,t),CCA(1,t) output 1

with about the same probability– We show: |Pr[CCA(0,t)1] Pr[CCA(1,t)1]|

2DDH+Collisions+O(t/q)

June 2005

Some ConceptsSome Concepts• Games are specified via code

– With an unspecified “attacker function”,– and a “main loop” where the attacker

queries interfaces of the scheme, gets answers, then makes more queries…

• Most (all?) games are probabilistic– E.g., u{1,2,…,q} in Enc(m)

• Every game has variables of interest

June 2005

Variables of InterestVariables of Interest• What “we care about” in the analysis• These are always either:

– The output of the game – Or bad events (I’ll talk about these later)

• Code that has no effect on the variables-of-interest is dead code– It is always permissible to add/remove

dead code

June 2005

Back to Back to CCACCA Game Game• The CCA game has output, no bad

events, and no dead code– It is really two games, depending on the

value of the binary parameter – And we compare the output distribution

of the two games

• In games with output we always(?) compare the output of two games

June 2005

CCA[CS]

CCA0 CCA1 CCA2 CCA3’CCA4 CCA5

+2t / q+1/q

We are here

XYZ



The empty game

+epsilon




game with output

The CS98 ProofThe CS98 ProofDDH

CCA1 CCA2

DDH TCR

CCA4 CCA5’

+t /q^4

CCA5

TCR

June 2005

Game Game CCA1CCA1• Modify the encryption code

Instead of

We now have

• Encryption using the secret key?– Yes, so? This is a “mental experiment”

• (BTW, the point about CCA1 is thatu is only used in computing a, a’)

12. u {1,2,…,q}13. a=gu, a’=g’u, b=hu, c=b·m14. v=H(a,a’,c), d=eufuv

12. u {1,2,…,q}13. a=gu, a’=g’u, b=az1a’z2, c=b·m14. v=H(a,a’,c), d=ax1+vy1a’x2+vy2

June 2005

CCACCACCA1CCA1 is Permissible is Permissible• hu=(gz1g’z2)u=(gu)z1(g’u)z2=az1a’z2

• How can a “compiler” verify that CCACCA1 is permissible?– Variable substitution is easy– Distributive, commutative rules would

have to be built into the tool• Just like replacing x+y with y+x

variable substitutiondistributive, commutative

variable substitution

June 2005

CCA[CS]


+2t / q+1/q

XYZ



The empty game

+epsilon




game with output

DDH

CCA1 CCA2

DDH TCR

CCA4 CCA5’

+t /q^4

CCA5

TCR

June 2005

Game Game CCA2CCA2• Replacing

with

• This sure changes the distribution

• We intend to show that if Pr[CCA1(b,t)1], Pr[CCA2(b,t)1] differ by some , then we can “break DDH” in G with the same probability

12. u {1,2,…,q}13. a=gu, a’=g’u, b=az1a’z2, c=b·m

12. u,u’ {1,2,…,q}13. a=gu, a’=g’u’, b=az1a’z2, c=b·m

June 2005

The DDH AssumptionThe DDH Assumption• No (efficient) algorithm distinguishes

(g,gx,gy,gxy) from (g,gx,gy,gz)– Where gG, x,y,z{1,2,…q}– Equivalent to saying that you cannot

distinguish (g,g’,gu,g’u) from (g,g’,gu,g’u’)

• This assumption underlies the security of the Diffie-Hellman key-exchange protocol

June 2005

Pseudo-code for DDHPseudo-code for DDH

• The “DDH assumption” is that DDH= |Pr[DDH(0)1]Pr[DDH(1)1]| is small for any efficient Distinguisher

DDH (parameter: bit ’)

201. g,g’G, u,u’{1,2,…,q}

202. if ’=0 then a=gu, a’=g’u’

203. else a=gu, a’=g’u

204. guess=Distinguisher(g,g’,a,a’), Output guess

June 2005

The ReductionThe Reduction• Show that CCA1DDH(1),CCA2DDH(0)

are permissible transformations• Instantiate the Distinguisher in DDH (by

morphing the code of CCA1/CCA2)– Just moving pieces of code around– A “compiler” can check that this is ok

• Only changing the order of “independent statements”

June 2005

CCA[CS]


+2t / q+1/q

XYZ



The empty game

+epsilon




game with output

DDH

CCA1 CCA2

DDH TCR

CCA4 CCA5’

+t /q^4

CCA5

TCR

June 2005

Bad EventsBad Events• Recall Dec(a,a’,c,d):

• a,a’ are supposed to be gu,g’u

• It’s a bad thing if Attacker sends (gu,g’u’,c,d) but line 23 passes

• How to represent bad events in code?

21. assert a,a’,c,d G22. v = H(a,a’,c)

23. assert d = ax1+vy1 a’x2+vy2

24. b = az1a’z2, m=c/b25. Output m

June 2005

Bad-event FlagsBad-event Flags• A Boolean flag• Initialized to false, only has

assignments to true in the code• Designated as “interesting”• Adding a bad-event flag is always a

permissible code-transformation– Represens an argument that starts with

“let BAD be the event where…”

June 2005

After-bad-is-set-nothing-After-bad-is-set-nothing-matters [BR04]matters [BR04]

• Code that is executed only when badFlag=true is treated as dead code– Even if it effects other vars-of-interest

• Why?– If badFlag=true then “all bets are off”,

no more vars-of-interest, all code is dead– We intend to prove that badFlag=true

rarely ever happens

June 2005

Game CCA3Game CCA3• Replace g,g’G

with gG, w{1,…q}, g’=gw

– The tool should have a rule for algebraic groups saying that this is permissible

• Replace

with 23. if d=ax1+vy1a’x2+vy2 and a’aw

then badFlag=true, fail23a. else assert d=ax1+vy1a’x2+vy2 // else fail

added“dead code”

23. assert d=ax1+vy1a’x2+vy // else fail

June 2005

Game CCA3’Game CCA3’• Quite a few other modifications• But nothing that we didn’t see before

– Algebraic, logic manipulations– Introducing new variables– Code movement

• All made possible only after we added the “dead code” in line

June 2005

CCA[CS]


+2t / q+1/q

XYZ



The empty game

+epsilon




game with output

DDH

CCA1 CCA2

DDH TCR

CCA4 CCA5’

+t /q^4

CCA5

TCR

June 2005

Game CCA4Game CCA4• Replace 13. … c=b·m

By 13. … r{1,2,…,q}, c=gr

• Why is this permissible?– Long story (four small steps)– Trust me, it works

• CCA4 no longer depends on , it is just one game now (rather than two)

• Nothing to compare the output to– So we no longer care about it, can removed it

June 2005

Eliminating the OutputEliminating the Output• Started with two games with output

– The goal is to compare their outputs

• Morphed until their code is identical– So their output must be identical

• Output is no longer “of interest”– We are done analyzing the output, we

know that the difference is zero– Eliminating it becomes permissible

June 2005

CCA[CS]


+2t / q+1/q

XYZ



The empty game

+epsilon




game with output

DDH

CCA1 CCA2

DDH TCR

CCA4 CCA5’

+t /q^4

CCA5

TCR

June 2005

What’s Next?What’s Next?• Game CCA4 still has bad flags, how

do we eliminate these?• Either via reductions

– E.g., reduction to finding collisions in H– I don’t have time to show it here

• Or via “probabilistic analysis”– Example in the next slide

June 2005

Eliminating Bad FlagsEliminating Bad Flags• Consider the following code

Example(parameter: a) // a is an n-bit string1. x random-n-bit-string2. if x=a then badFlagtrue

• Tool “knows” that– Variable x is a “random n-bit string”– Variables x and a are independent

• “Can deduce” that x=a has prob. 2n

– So eliminating badFlag has penalty 2-n

June 2005

Eliminating Bad Flags (2)Eliminating Bad Flags (2)• User tells the tool to eliminate the

designation of badFlag as bad flag• Tool looks for a rule that bounds the

probability of badFlagtrue by some • If found, tool “eliminates badFlag”, records

penalty • Else, tool records an “impermissible

transformation”– User proves on paper some

June 2005

CCA[CS]

CCA CCA1 CCA2 CCA3’CCA4 CCA5

+2t / q+1/q

XYZ



The empty game

+epsilon




game with output

The Proof of CS98The Proof of CS98DDH

CCA1 CCA2

DDH TCR

CCA4 CCA5’

+t /q^4

CCA5

TCR

June 2005

Mode-of-operation[CMC]

CMC RND1 RND3’RND3 NON1

An impermissible transformation

+(mq)2 /2n

NON2

£2 due to symmetry,see Eq (12), Page 21

+(2mq)2 /2n, see Eq (13), Page 21

? ?

?

RND

XYZ game that is derived from template XYZ

The empty game

+epsilon



game with output

The Proof of CMC [HR03]The Proof of CMC [HR03]

June 2005

Building the ToolBuilding the Tool

June 2005

Four Major ComponentsFour Major Components• Engine: similar to optimizing compiler

– Parses statements, control-flow graph– Handles variable substitution, code

movement, adding/removing “dead code”, etc.

• Library of code-transformations• Library of templates• User interface

June 2005

Transformations LibraryTransformations Library• Represent common arguments in

proofs– Algebraic manipulations– Rules to eliminate bad flags, output– Other rules

• A community development effort?– My proof uses an argument not in the

library, I code it up so others can use it too

June 2005

Template LibraryTemplate Library• Code templates, represent common

security goals and assumptions• E.g., a template for DDH, a template

for CCA-security, etc.• Also community development effort?

June 2005

User InterfaceUser Interface• Probably the hardest part• Should be easy for people to write

their proofs using this tool– Specify games

• “Sender proves to receiver in Zero-Knowledge that it knows the DL of x”

– Access common transformations• Similarities to U.I. of development

environment?

June 2005

My Bottom LineMy Bottom Line• It can be built, with a lot of work

– Perhaps similar to a new programming language: compiler, run-time, development environment, …

• Is there a “business case”?– Where can I get resources to develop

this tool?

June 2005

Contact me if Contact me if you are you are

interested in interested in working on thisworking on this

June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi.

Documents

Transcript of June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi.