Abstract Cryptography Ueli Maurer ETH Zurich FOSAD 2009, - - PowerPoint PPT Presentation

Abstract Cryptography

Ueli Maurer ETH Zurich

FOSAD 2009, Bertinoro, Aug./Sept. 2009.

Abstract Cryptography

Ueli Maurer ETH Zurich

FOSAD 2009, Bertinoro, Aug./Sept. 2009.

“I can only understand simple things.” JAMES MASSEY

Abstraction

Abstraction: eliminate irrelevant details from consideration Examples: group, field, vector space, relation, graph, .... Goals of abstraction:

• simpler definitions
• generality of results
• simpler proofs
• elegance
• didactic suitability

Abstraction

Abstraction: eliminate irrelevant details from consideration Examples: group, field, vector space, relation, graph, .... Goals of abstraction:

• simpler definitions
• generality of results
• simpler proofs
• elegance
• didactic suitability
• understanding

Abstraction

Abstraction: eliminate irrelevant details from consideration Examples: group, field, vector space, relation, graph, .... Goals of abstraction:

• simpler definitions
• generality of results
• simpler proofs
• elegance
• didactic suitability
• understanding

Goals of this talk:

• Introduce layers of abstraction in cryptography.
• Examples of abstract definitions and proofs.
• Announce a new security framework

“abstract cryptography” (with Renato Renner).

Motivating example: One-time pad

1

C , C , ...

1

ciphertext

1 2

key

2 1

key

2 1

2 2

addition modulo 2

M , M , ... M , M , ... plaintext plaintext

K , K , ... K , K , ...

Motivating example: One-time pad

1

C , C , ...

1

ciphertext

1 2

key

2 1

key

2 1

2 2

addition modulo 2

M , M , ... M , M , ... plaintext plaintext

K , K , ... K , K , ...

Perfect secrecy (Shannon): C and M statist. independent.

One-time pad in terms of systems

.

A B E AUT

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

. .

A B E AUT

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

.

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

. .

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

.

• tp−enc

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

.

• tp−dec
• tp−enc

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

.

• tp−dec
• tp−enc

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

. .

SEC

• tp−dec
• tp−enc

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

.

$ sim SEC

• tp−dec
• tp−enc

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

.

$ sim SEC

• tp−dec
• tp−enc

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

.

|.| $ sim SEC

• tp−dec
• tp−enc

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

One-time pad in terms of systems

. .

|.| $ sim SEC

• tp−dec
• tp−enc

A B E AUT A E B $ KEY

• tp-decB otp-encA (KEY||AUT) ≡

simE SEC

written as a reduction:

(KEY||AUT)

• tp

− →

SEC

Symmetric encryption

.

|.| $ sim SEC dec

D

enc

E

A B E AUT A E B $ KEY

decB encA (KEY||AUT) ≈ simE SEC

written as a reduction:

(KEY||AUT) tsymt

− →

SEC

Constructive cryptography

Reduction concept: real system R protocol π

− →

ideal system S Resource S is constructed from (reduced to) R by protocol π

Constructive cryptography

Reduction concept: real system R protocol π

− →

ideal system S Resource S is constructed from (reduced to) R by protocol π Example: Alice-Bob-Eve setting π = (π1, π2)

Constructive cryptography

Reduction concept: real system R protocol π

− →

ideal system S Resource S is constructed from (reduced to) R by protocol π Example: Alice-Bob-Eve setting π = (π1, π2)

R

π

− → S

:⇔ ∃σ : π1

A π2 B R ≈ σ E S

Constructive cryptography

Reduction concept: real system R protocol π

− →

ideal system S Resource S is constructed from (reduced to) R by protocol π Example: Alice-Bob-Eve setting π = (π1, π2)

R

π

− → S

:⇔ ∃σ : π1

A π2 B R ≈ σ E S

and π1

A π2 B ⊥ E R ≈ ⊥ E S

Constructive cryptography

Reduction concept: real system R protocol π

− →

ideal system S Resource S is constructed from (reduced to) R by protocol π Example: Alice-Bob-Eve setting π = (π1, π2)

R

π

− → S

:⇔ ∃σ : π1

A π2 B R ≈ σ E S

and π1

A π2 B ⊥ E R ≈ ⊥ E S

Composability of a reduction: R

α

− → S ∧ S

β

− → T

⇒ R

α◦β

− → T

Levels of abstraction in cryptography # possible name

concepts treated at this level

1.

Reductions

• def. of (universal) composability

2.

Abstract resources isomorphism

3.

Abstract systems distinguisher, hybrid argument, secure reduction, compos. proof

4.

Discrete systems games, equivalence, indistinguishability proofs

5.

System implem. complexity, efficiency notion

6.

Physical models timing, power, side-channels

Levels of abstraction in cryptography # possible name

concepts treated at this level

1.

Reductions

• def. of (universal) composability

2.

Abstract resources isomorphism

3.

Abstract systems distinguisher, hybrid argument, secure reduction, compos. proof

4.

Discrete systems games, equivalence, indistinguishability proofs

5.

System implem. complexity, efficiency notion

6.

Physical models timing, power, side-channels

Example: CBC-MAC [3 (4)]

AES

former block selector

• utput

Example: CBC-MAC [3 (4)]

computationally indistinguishable

random

• racle

AES

former block selector

• utput

Example: CBC-MAC [3 (4)]

AES

former block selector

• utput

Example: CBC-MAC [3 (4)]

AES CBC AES

former block selector

• utput

Example: CBC-MAC [3 (4)]

AES CBC AES

former block selector

• utput

Notation: D C B C(A E S)

Example: CBC-MAC [3 (4)]

AES CBC AES

former block selector

• utput

Notation: D C B C◦A E S

Example: CBC-MAC [3 (4)]

AES CBC AES

former block selector

• utput

Notation: D C B C A E S

Example: CBC-MAC [3 (4)]

0/1

D

AES CBC AES

former block selector

• utput

Notation: D C B C A E S

Example: CBC-MAC [3 (4)]

0/1

D D

0/1

AES CBC AES

former block selector

• utput

Notation: D C B C A E S

Security proof for CBC-MAC [3]

AES CBC RO

D C B C A E S ≈ D R O

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆D(C

B CA E S, R O) ≈ 0

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆D(C

B CA E S, R O) ≈ 0 Note: ∆D(S, T) = |DS, DT| (stat. distance of binary r.v.)

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆D(C

B CA E S, R O) ≈ 0

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(S, T) := maxD∈E∆D(S, T)

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0 Lemma: ∆D and ∆E are pseudo-metrics:

• ∆E(S, S) = 0
• ∆E(R, T) ≤ ∆E(R, S) + ∆E(S, T)

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O) Lemma: ∆D and ∆E are pseudo-metrics:

• ∆E(S, S) = 0
• ∆E(R, T) ≤ ∆E(R, S) + ∆E(S, T)

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O) .

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O) Absorption lemma: ∆D(CS, CT) = ∆DC(S, T) Proof: DCS = D(CS) = (DC)S

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O)

∆E(C

B CA E S, C B CR F) = ∆EC B C(A E S, R F) Absorption lemma: ∆D(CS, CT) = ∆DC(S, T) Proof: DCS = D(CS) = (DC)S

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O)

∆E(C

B CA E S, C B CR F) = ∆EC B C(A E S, R F) Non-expansion lemma:

DC ⊆ D

⇒ ∆D(CS, CT) ≤ ∆D(S, T)

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O)

∆E(C

B CA E S, C B CR F) = ∆EC B C(A E S, R F) Non-expansion lemma:

DC ⊆ D

⇒ ∆D(CS, CT) ≤ ∆D(S, T)

EC

B C ⊆ E

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O)

∆E(C

B CA E S, C B CR F) = ∆EC B C(A E S, R F) ≤ ∆E(A E S, R F) Non-expansion lemma:

DC ⊆ D

⇒ ∆D(CS, CT) ≤ ∆D(S, T)

EC

B C ⊆ E

Security proof for CBC-MAC [3]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O)

∆E(C

B CA E S, C B CR F) = ∆EC B C(A E S, R F) ≤ ∆E(A E S, R F) .

Security proof for CBC-MAC [3,4]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O)

∆E(C

B CA E S, C B CR F) = ∆EC B C(A E S, R F) ≤ ∆E(A E S, R F)

∆(C

B CR F, R O) ≤ 1

2ℓ22−n

[BKR94,...]

[4]

Security proof for CBC-MAC [3,4]

D

0/1

D

0/1

AES CBC RO

D C B C A E S ≈ D R O To show:

∆E(C

B CA E S, R O) ≈ 0

∆E(C

B CA E S, R O) ≤ ∆E(C B CA E S, C B CR F)+∆E(C B CR F, R O)

∆E(C

B CA E S, C B CR F) = ∆EC B C(A E S, R F) ≤ ∆E(A E S, R F)

∆(C

B CR F, R O) ≤ 1

2ℓ22−n

[BKR94,...]

[4]

Note: Many security proofs can be phrased at this level of abstraction and become quite simple or even trivial.

Levels of abstraction in cryptography # possible name

concepts treated at this level

1.

Reductions

• def. of (universal) composability

2.

Abstract resources isomorphism

3.

Abstract systems distinguisher, hybrid argument, secure reduction, compos. proof

4.

Discrete systems games, equivalence, indistinguishability proofs

5.

System implem. complexity, efficiency notion

6.

Physical models timing, power, side-channels

Levels of abstraction in cryptography # possible name

concepts treated at this level

1.

Reductions

• def. of (universal) composability

2.

Abstract resources isomorphism

3.

Abstract systems distinguisher, hybrid argument, secure reduction, compos. proof

4.

Discrete systems games, equivalence, indistinguishability proofs

5.

System implem. complexity, efficiency notion

6.

Physical models timing, power, side-channels

Efficient, infeasible, negligible [5]

We need notions for

• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

Efficient, infeasible, negligible [5]

We need notions for

• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

E = set of efficiently impl. systems.

Efficient, infeasible, negligible [5,3]

We need notions for

• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

E = set of efficiently impl. systems. E ◦ E ⊆ E, E||E ⊆ E

Efficient, infeasible, negligible [5,3]

We need notions for

• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

E = set of efficiently impl. systems. F = set of feasibly impl. systems (E ⊆ F) E ◦ E ⊆ E, E||E ⊆ E

Efficient, infeasible, negligible [5,3]

We need notions for

• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

E = set of efficiently impl. systems. F = set of feasibly impl. systems (E ⊆ F) E ◦ E ⊆ E, E||E ⊆ E F ◦ F ⊆ F, F||F ⊆ F

Efficient, infeasible, negligible [5,3]

We need notions for

• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

E = set of efficiently impl. systems. F = set of feasibly impl. systems (E ⊆ F) E ◦ E ⊆ E, E||E ⊆ E F ◦ F ⊆ F, F||F ⊆ F No reason to set E = F !

Efficient, infeasible, negligible [5,3]

We need notions for

• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

E = set of efficiently impl. systems. F = set of feasibly impl. systems (E ⊆ F) N = set of negligible functions E ◦ E ⊆ E, E||E ⊆ E F ◦ F ⊆ F, F||F ⊆ F

Efficient, infeasible, negligible [5,3]

We need notions for

• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

E = set of efficiently impl. systems. F = set of feasibly impl. systems (E ⊆ F) N = set of negligible functions E ◦ E ⊆ E, E||E ⊆ E F ◦ F ⊆ F, F||F ⊆ F F · N ⊆ N

Efficient, infeasible, negligible [5,3]

We need notions for

• the complexity of system implementation
• what is efficient (for the good guys)
• what is infeasible (for the bad guys)
• what is negligible

E = set of efficiently impl. systems. F = set of feasibly impl. systems (E ⊆ F) N = set of negligible functions E ◦ E ⊆ E, E||E ⊆ E F ◦ F ⊆ F, F||F ⊆ F F · N ⊆ N Note: The usual poly-time notions (i.e., nO(1)) are of course composable, but so are many other notions, e.g. nO(log log n) or nO(√log log log n).

Levels of abstraction in cryptography # possible name

concepts treated at this level

1.

Reductions

• def. of (universal) composability

2.

Abstract resources isomorphism

3.

Abstract systems distinguisher, hybrid argument, secure reduction, compos. proof

4.

Discrete systems games, equivalence, indistinguishability proofs

5.

System implem. complexity, efficiency notion

6.

Physical models timing, power, side-channels

Levels of abstraction in cryptography # possible name

concepts treated at this level

1.

Reductions

• def. of (universal) composability

2.

Abstract resources isomorphism

3.

Abstract systems distinguisher, hybrid argument, secure reduction, compos. proof

4.

Discrete systems games, equivalence, indistinguishability proofs

5.

System implem. complexity, efficiency notion

6.

Physical models timing, power, side-channels

Discrete systems [4]

X , X , ...

1 2

S

2 1

Y , Y , ...

Discrete systems [4]

X , X , ...

1 2

S

2 1

Y , Y , ...

Description of S: figure, pseudo-code, text, ...

Discrete systems [4]

X , X , ...

1 2

S

2 1

Y , Y , ...

Description of S: figure, pseudo-code, text, ... What kind of mathematical object is the behavior of S?

Discrete systems [4]

X , X , ...

1 2

S

2 1

Y , Y , ...

Description of S: figure, pseudo-code, text, ... What kind of mathematical object is the behavior of S? (where Xi = (X1, . . . , Xi)) This abstraction is called a random system [Mau02]. Characterized by: pS

Y i|Xi

for i = 1, 2, . . .

Discrete systems [4]

X , X , ...

1 2

S

2 1

Y , Y , ...

Description of S: figure, pseudo-code, text, ... What kind of mathematical object is the behavior of S? (where Xi = (X1, . . . , Xi)) This abstraction is called a random system [Mau02]. Characterized by: pS

Y i|Xi

for i = 1, 2, . . . Equivalence of systems: S ≡ T if same behavior

Games [4]

PRP-PRF switching lemma:

2 1

X , X , ...

1 2

S

Y , Y , ...

Games [4]

PRP-PRF switching lemma:

monotone binary output (MBO)

1

i

A , A , ...

2 1 2 1

X , X , ...

1 2

S

Y , Y , ...

Games [4]

PRP-PRF switching lemma:

game won monotone binary output (MBO)

1

i

A , A , ...

2 1 2 1

X , X , ...

1 2

S

Y , Y , ...

Games [4]

PRP-PRF switching lemma:

game won monotone binary output (MBO)

1

i

A , A , ...

2 1 2 1

X , X , ...

1 2

S

Y , Y , ...

Characterized by: pS

Y iAi|Xi

for i = 1, 2, . . .

Games [4]

PRP-PRF switching lemma:

D

game won monotone binary output (MBO)

1

i

A , A , ...

2 1 2 1

X , X , ...

1 2

S

Y , Y , ...

Characterized by: pS

Y iAi|Xi

for i = 1, 2, . . .

Games [4]

PRP-PRF switching lemma:

D

game won monotone binary output (MBO)

1

i

A , A , ...

2 1 2 1

X , X , ...

1 2

S

Y , Y , ...

Characterized by: pS

Y iAi|Xi

for i = 1, 2, . . . Conditional equivalence: S|A ≡ T :⇔ pS

Y i|XiAi = pT Y i|Xi

Games [4]

PRP-PRF switching lemma:

D

game won monotone binary output (MBO)

1

i

A , A , ...

2 1 2 1

X , X , ...

1 2

S

Y , Y , ...

Characterized by: pS

Y iAi|Xi

for i = 1, 2, . . . Conditional equivalence: S|A ≡ T :⇔ pS

Y i|XiAi = pT Y i|Xi

Lemma [M02]: S|A ≡ T ⇒ ∆(S, T) ≤ optimal prob. of provoking the MBO non-adaptively in S (same # of queries).

Games [4]

PRP-PRF switching lemma:

X , X , ...

1 2 2 1

Y , Y , ...

2 1

Y , Y , ...

P

X , X , ...

1 2

R

Characterized by: pS

Y iAi|Xi

for i = 1, 2, . . . Conditional equivalence: S|A ≡ T :⇔ pS

Y i|XiAi = pT Y i|Xi

Lemma [M02]: S|A ≡ T ⇒ ∆(S, T) ≤ optimal prob. of provoking the MBO non-adaptively in S (same # of queries).

Games [4]

PRP-PRF switching lemma:

A , A , ...

2 1

collision detector

X , X , ...

1 2 2 1

Y , Y , ...

2 1

Y , Y , ...

P

X , X , ...

1 2

R

Characterized by: pS

Y iAi|Xi

for i = 1, 2, . . . Conditional equivalence: S|A ≡ T :⇔ pS

Y i|XiAi = pT Y i|Xi

Lemma [M02]: S|A ≡ T ⇒ ∆(S, T) ≤ optimal prob. of provoking the MBO non-adaptively in S (same # of queries).

Games [4]

PRP-PRF switching lemma:

A , A , ...

2 1

collision detector

X , X , ...

1 2 2 1

Y , Y , ...

2 1

Y , Y , ...

P

X , X , ...

1 2

R

Characterized by: pS

Y iAi|Xi

for i = 1, 2, . . . Conditional equivalence: S|A ≡ T :⇔ pS

Y i|XiAi = pT Y i|Xi

Lemma [M02]: S|A ≡ T ⇒ ∆(S, T) ≤ optimal prob. of provoking the MBO non-adaptively in S (same # of queries). R|A ≡ P ⇒ ∆k(R, P) ≤

k

k

• 2−n

Games [4]

PRP-PRF switching lemma:

A , A , ...

2 1

collision detector

X , X , ...

1 2 2 1

Y , Y , ...

2 1

Y , Y , ...

P

X , X , ...

1 2

R

Characterized by: pS

Y iAi|Xi

for i = 1, 2, . . . Conditional equivalence: S|A ≡ T :⇔ pS

Y i|XiAi = pT Y i|Xi

Lemma [M02]: S|A ≡ T ⇒ ∆(S, T) ≤ optimal prob. of provoking the MBO non-adaptively in S (same # of queries). R|A ≡ P ⇒ ∆k(R, P) ≤

k

k

• 2−n

Similarly simple proof of CBC-MAC security: (C B CR F)|A ≡ R O ⇒ ∆(C B CR F, R O) ≤ 1

2ℓ22−n

Levels of abstraction in cryptography # possible name

concepts treated at this level

1.

Reductions

• def. of (universal) composability

2.

Abstract resources isomorphism

3.

Abstract systems distinguisher, hybrid argument, secure reduction, compos. proof

4.

Discrete systems games, equivalence, indistinguishability proofs

5.

System implem. complexity, efficiency notion

6.

Physical models timing, power, side-channels

Levels of abstraction in cryptography # possible name

concepts treated at this level

1.

Reductions

• def. of (universal) composability

2.

Abstract resources isomorphism

3.

Abstract systems distinguisher, hybrid argument, secure reduction, compos. proof

4.

Discrete systems games, equivalence, indistinguishability proofs

5.

System implem. complexity, efficiency notion

6.

Physical models timing, power, side-channels

Abstract Cryptography (with Renato Renner) [1-3]

Abstract Cryptography (with Renato Renner) [1-3]

Goals:

• capture the constructive security paradigm at high(est)

abstraction level

Abstract Cryptography (with Renato Renner) [1-3]

Goals:

• capture the constructive security paradigm at high(est)

abstraction level

• define strongest possible reduction between resources

Abstract Cryptography (with Renato Renner) [1-3]

Goals:

• capture the constructive security paradigm at high(est)

abstraction level

• define strongest possible reduction between resources
• see other frameworks as special cases

– universal composability (UC) by Canetti – reactive simulatability by Pfitzmann/Waidner/Backes – indifferentiability [MRH04]

Abstract Cryptography (with Renato Renner) [1-3]

Goals:

• capture the constructive security paradigm at high(est)

abstraction level

• define strongest possible reduction between resources
• see other frameworks as special cases

– universal composability (UC) by Canetti – reactive simulatability by Pfitzmann/Waidner/Backes – indifferentiability [MRH04]

• capture scenarios that could previously not be modeled.

Resources and isomorphisms [2]

{1,2} {1,2,3} 1 2 1 2 3 8 8 5 3 7 5 Alice Bob

payout

Resources and isomorphisms [2]

{1,2} {1,2,3} 1 2 1 2 3 5 7 3 3 8 7

payout

{1,2} {1,2,3} 1 2 1 2 3 8 8 5 3 7 5 Alice Bob

payout

Resources and isomorphisms [2]

? = ~

{1,2} {1,2,3} 1 2 1 2 3 5 7 3 3 8 7

payout

{1,2} {1,2,3} 1 2 1 2 3 8 8 5 3 7 5 Alice Bob

payout

Resources and isomorphisms [2]

{1,2} {1,2,3} 1 2 1 2 3 8 8 5 3 7 5 Alice Bob

payout

Resources and isomorphisms [2]

{a,b,c} {1,2}

payout

a b 1 2 3 5 7 3 5 c 8 {1,2} {1,2,3} 1 2 1 2 3 8 8 5 3 7 5 Alice Bob

payout

Resources and isomorphisms [2]

{a,b,c} {1,2}

payout

a b 1 2 3 5 7 3 5 c 8 {1,2} {1,2,3} 1 2 1 2 3 8 8 5 3 7 5 Alice Bob

payout

Resources and isomorphisms [2]

= ~

{a,b,c} {1,2}

payout

a b 1 2 3 5 7 3 5 c 8 {1,2} {1,2,3} 1 2 1 2 3 8 8 5 3 7 5 Alice Bob

payout

Resources and isomorphisms [2]

= ~

{a,b,c} {1,2}

payout

a b 1 2 3 5 7 3 5 c 8 {1,2} {1,2,3} 1 2 1 2 3 8 8 5 3 7 5 Alice Bob

payout

Complete local relations

Abstract multi-party setting [3]

R

2 3 4 1

Abstract multi-party setting [3]

R

2 3 4 1

R

Abstract multi-party setting [3]

R

2 3 4 1

α

α1R

Abstract multi-party setting [3]

R

2 3 4 1

β

β2R

Abstract multi-party setting [3]

R

2 3 4 1

γ

γ3R

Abstract multi-party setting [3]

R

2 3 4 1

α

α1R

Abstract multi-party setting [3]

R

2 3 4 1

β α

β2α1R

Abstract multi-party setting [3]

R

2 3 4 1

γ β α

γ3β2α1R

Abstract multi-party setting [3]

R

2 3 4 1

γ β α

R

2 3 4 1

γ3β2α1R

R

Abstract multi-party setting [3]

R

2 3 4 1

γ β α

R

2 3 4 1

β

γ3β2α1R β2R

Abstract multi-party setting [3]

R

2 3 4 1

γ β α

R

2 3 4 1

γ β

γ3β2α1R γ3β2R

Abstract multi-party setting [3]

R

2 3 4 1

γ β α

R

2 3 4 1

γ β α

γ3β2α1R α1γ3β2R

Abstract multi-party setting [3]

R

2 3 4 1

γ β α

R

2 3 4 1

γ β α

γ3β2α1R

=

α1γ3β2R

Abstract multi-party setting [3]

R

2 3 4 1

γ β α

R

2 3 4 1

γ β α

γ3β2α1R

=

α1γ3β2R

Resource set Φ for interface set I = {1, 2, 3, 4}, oper. ||

Abstract multi-party setting [3]

R

2 3 4 1

γ β α

R

2 3 4 1

γ β α

γ3β2α1R

=

α1γ3β2R

Resource set Φ for interface set I = {1, 2, 3, 4}, oper. || Converter set Σ, with operation ◦

Abstract multi-party setting [3]

R

2 3 4 1

γ β α

R

2 3 4 1

γ β α

γ3β2α1R

=

α1γ3β2R

Resource set Φ for interface set I = {1, 2, 3, 4}, oper. || Converter set Σ, with operation ◦ Algebraic laws:

• αiR ∈ Φ

for all R ∈ Φ, α ∈ Σ, i ∈ I

• αiβjR ≡ βjαiR

for all i = j

Resource isomorphisms [3]

S R

1 2 3 4 2 3 4 1

Resource isomorphisms [3]

S R

1 2 3 4

α4 α3 α2 α1

2 3 4 1

Resource isomorphisms [3]

S R

β4 β3 β2 β1

1 2 3 4

α4 α3 α2 α1

2 3 4 1

Resource isomorphisms [3]

S R

β4 β3 β2 β1

1 2 3 4

α4 α3 α2 α1

2 3 4 1

Resource isomorphisms [3]

S R

β1

1 2 3 4

α1

2 3 4 1

Resource isomorphisms [3]

S R

β1

1 2 3 4

α1

2 3 4 1

Resource isomorphisms [3]

S R

β1

1 2 3 4 2 3 4 1

Resource isomorphisms [3]

S R

β1 β1 π1 β1

1 2 3 4 2 3 4 1

Resource isomorphisms [3]

S R

β4

1 2 3 4 2 3 4 1

Resource isomorphisms [3]

S R

β4 π4 β4

1 2 3 4 2 3 4 1

Resource isomorphisms [3]

S R

π4 π3 π2 π1

1 2 3 4 2 3 4 1

Resource isomorphisms [3]

S R

1 2 3 4

α4

2 3 4 1

Resource isomorphisms [3]

S R

α4 σ4

1 2 3 4

α4

2 3 4 1

Resource isomorphisms [3]

S R

σ4 σ3 σ2 σ1

1 2 3 4 2 3 4 1

Resource isomorphisms [3]

S R

σ4 σ3 σ2 σ1

1 2 3 4 2 3 4 1

Definition: R is isomorphic to S via π, denoted R ∼ =π S, if

Resource isomorphisms [3]

S R

σ4 σ3 π2 π1

1 2 3 4 2 3 4 1

Definition: R is isomorphic to S via π, denoted R ∼ =π S, if

Resource isomorphisms [3]

S R

σ3 σ2 σ1 π4

1 2 3 4 2 3 4 1

Definition: R is isomorphic to S via π, denoted R ∼ =π S, if

Resource isomorphisms [3]

S R

σ4 σ2 π3 π1

1 2 3 4 2 3 4 1

Definition: R is isomorphic to S via π, denoted R ∼ =π S, if

Resource isomorphisms [3]

S R

σ4 σ2 π3 π1

1 2 3 4 2 3 4 1

Definition: R is isomorphic to S via π, denoted R ∼ =π S, if

R ∼

=π S :⇐ ⇒ ∃σ ∀P ⊆ I : πP R ≡ σP S

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2

          

⇔ abstract UC

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1)

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1)

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1)

   ⇒ π1π2 ≈ Sσ2σ1S ≈ S

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1) Theorem: A resource S such that SαS ≈ S for all α cannot be realized from a communication channel.

   ⇒ π1π2 ≈ Sσ2σ1S ≈ S

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1) Theorem: A resource S such that SαS ≈ S for all α cannot be realized from a communication channel. Corollary [CF01]: Commitment cannot be realized (from a communication channel).

   ⇒ π1π2 ≈ Sσ2σ1S ≈ S

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1) Theorem: A resource S such that SαS ≈ S for all α cannot be realized from a communication channel. Corollary [CF01]: Commitment cannot be realized (from a communication channel).

C

   ⇒ π1π2 ≈ Sσ2σ1S ≈ S

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1) Theorem: A resource S such that SαS ≈ S for all α cannot be realized from a communication channel. Corollary [CF01]: Commitment cannot be realized (from a communication channel).

C

   ⇒ π1π2 ≈ Sσ2σ1S ≈ S

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1) Theorem: A resource S such that SαS ≈ S for all α cannot be realized from a communication channel. Corollary [CF01]: Commitment cannot be realized (from a communication channel).

C C

   ⇒ π1π2 ≈ Sσ2σ1S ≈ S

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1) Theorem: A resource S such that SαS ≈ S for all α cannot be realized from a communication channel. Corollary [CF01]: Commitment cannot be realized (from a communication channel).

?

C C

α

   ⇒ π1π2 ≈ Sσ2σ1S ≈ S

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1) Theorem: A resource S such that SαS ≈ S for all α cannot be realized from a communication channel. Corollary [CF01]: Commitment cannot be realized (from a communication channel). Corollary: A delayed communication channel cannot be realized (from a communication channel).

   ⇒ π1π2 ≈ Sσ2σ1S ≈ S

Example: 2-party resources [2]

R ∼ =π S :⇐ ⇒

                

π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 π1Rπ2 ≈ σ1Sσ2 Special case: R = channel (neutral element, e.g. π1R = π1) Theorem: A resource S such that SαS ≈ S for all α cannot be realized from a communication channel. Corollary [CF01]: Commitment cannot be realized (from a communication channel). Corollary: A delayed communication channel cannot be realized (from a communication channel).

   ⇒ π1π2 ≈ Sσ2σ1S ≈ S

Note: Isomorphism is the precisest possible relation between resources, but as such is completely rigid.

Abstraction by Sets of Resources

Abstraction of a concept corresponds to a set!

Abstraction by Sets of Resources

Abstraction of a concept corresponds to a set! Consider sets R and S of resources.

Abstraction by Sets of Resources

Abstraction of a concept corresponds to a set! Consider sets R and S of resources. Of special interest: Resources specified by (for each party)

• a guaranteed action space
• a possible action space

Abstraction by Sets of Resources

Abstraction of a concept corresponds to a set! Consider sets R and S of resources. Of special interest: Resources specified by (for each party)

• a guaranteed action space
• a possible action space

Definition: S is an abstraction of R via π:

R ⊑π S :⇐ ⇒ ∀R∈R ∃S∈S : R ∼ =π S

Abstraction by Sets of Resources

Abstraction of a concept corresponds to a set! Consider sets R and S of resources. Of special interest: Resources specified by (for each party)

• a guaranteed action space
• a possible action space

Definition: S is an abstraction of R via π:

R ⊑π S :⇐ ⇒ ∀R∈R ∃S∈S : R ∼ =π S

Theorem: R ⊑π S is a universally composable reduction.

Reductions [1]

The reduction R α

− → S

is called sequentially composable if 1. R

α

− → S ∧ S

β

− → T

⇒ R

α◦β

− → T

Reductions [1]

The reduction R α

− → S

is called sequentially composable if 1. R

α

− → S ∧ S

β

− → T

⇒ R

α◦β

− → T

It is called universally composable if in addition: 2. R

id

− → R

3. R

α

− → S

⇒ R| |T

α|id

− → S|

|T

Example: Encryption

|.| SEC dec

D

enc

E

A B E AUT A E B $ KEY

Example: Encryption

sim_A |.| SEC dec

D

A B E AUT A E B $ KEY

Example: Encryption

sim_A |.| SEC dec

D

A B E AUT A E B $ KEY

Example: Encryption

$ KEY sim_A |.| SEC dec

D

A B E AUT A E B $ KEY

Example: Encryption

$ KEY sim_A |.| SEC dec

D

A B E AUT A E B $ KEY

Example: Encryption

$ KEY sim_A |.| SEC dec

D

A B E AUT A E B $ KEY

Theorem: An unleakable (uncoercible) secure communication channel cannot be realized from an authenticated channel and a secret key.

Features of Abstract Cryptography

Features of Abstract Cryptography

• strongest notion of reduction (isomorphism)

Features of Abstract Cryptography

• strongest notion of reduction (isomorphism)
• existing frameworks can be captured as special cases

– universal composability (UC) by Canetti – reactive simulatability by Pfitzmann/Waidner/Backes – indifferentiability [MRH04]

Features of Abstract Cryptography

• strongest notion of reduction (isomorphism)
• existing frameworks can be captured as special cases

– universal composability (UC) by Canetti – reactive simulatability by Pfitzmann/Waidner/Backes – indifferentiability [MRH04]

• communication model, complexity/efficiency notions, ....

treated at lower abstraction levels (not hard-wired)

Features of Abstract Cryptography

• strongest notion of reduction (isomorphism)
• existing frameworks can be captured as special cases

– universal composability (UC) by Canetti – reactive simulatability by Pfitzmann/Waidner/Backes – indifferentiability [MRH04]

• communication model, complexity/efficiency notions, ....

treated at lower abstraction levels (not hard-wired)

• reductions among resources, all resources captured

Features of Abstract Cryptography

• strongest notion of reduction (isomorphism)
• existing frameworks can be captured as special cases

– universal composability (UC) by Canetti – reactive simulatability by Pfitzmann/Waidner/Backes – indifferentiability [MRH04]

• communication model, complexity/efficiency notions, ....

treated at lower abstraction levels (not hard-wired)

• reductions among resources, all resources captured
• sets of resources: guaranteed/possible action spaces

Features of Abstract Cryptography

• strongest notion of reduction (isomorphism)
• existing frameworks can be captured as special cases

– universal composability (UC) by Canetti – reactive simulatability by Pfitzmann/Waidner/Backes – indifferentiability [MRH04]

• communication model, complexity/efficiency notions, ....

treated at lower abstraction levels (not hard-wired)

• reductions among resources, all resources captured
• sets of resources: guaranteed/possible action spaces
• no central adversary → local simulators (see [AsV08])

Features of Abstract Cryptography

• strongest notion of reduction (isomorphism)
• existing frameworks can be captured as special cases

– universal composability (UC) by Canetti – reactive simulatability by Pfitzmann/Waidner/Backes – indifferentiability [MRH04]

• communication model, complexity/efficiency notions, ....

treated at lower abstraction levels (not hard-wired)

• reductions among resources, all resources captured
• sets of resources: guaranteed/possible action spaces
• no central adversary → local simulators (see [AsV08])
• general notion of interfaces: consistency domains

Features of Abstract Cryptography

• strongest notion of reduction (isomorphism)
• existing frameworks can be captured as special cases

– universal composability (UC) by Canetti – reactive simulatability by Pfitzmann/Waidner/Backes – indifferentiability [MRH04]

• communication model, complexity/efficiency notions, ....

treated at lower abstraction levels (not hard-wired)

• reductions among resources, all resources captured
• sets of resources: guaranteed/possible action spaces
• no central adversary → local simulators (see [AsV08])
• general notion of interfaces: consistency domains

Let’s try to identify the right level of ab- straction of what we do in cryptography.