An example of Game based proof: OAEP-IND-CPA B. Gr egoire T. Rezk - - PowerPoint PPT Presentation



SLIDE 1

An example of Game based proof: OAEP-IND-CPA

  • B. Grégoire
  • T. Rezk

November 14, 2008

B. Grégoire, T. Rezk, An example of Game based proof: OAEP-IND-CPA

SLIDE 2

Background

A trapdoor-permutation generator with associated security parameter k is a randomized algorithm F that returns a pair (f, f⁻¹) where:

  • f : {0,1}^k → {0,1}^k is the encoding of a permutation
  • f⁻¹ : {0,1}^k → {0,1}^k is the encoding of the inverse of f, i.e. f⁻¹(f(x)) = x and f(f⁻¹(x)) = x

The advantage of an adversary I in inverting F is

  $\mathrm{Adv}^{\mathrm{owf}}_F(I) = \Pr_{G_{\mathrm{owf}}}[x = f^{-1}(y)]$

where

  G_owf = (f, f⁻¹) ← F(k); y ←$ {0,1}^k; x ← I(f, y)

Notation used throughout: x ←$ X samples x uniformly at random from X, x ← e is assignment, and S‖T is bit-string concatenation.

SLIDE 3

Background : OAEP

Let ρ < k. The key generation of the asymmetric encryption scheme OAEP_ρ[F] is F: f is the public key and f⁻¹ the secret key. The encryption and decryption algorithms have oracles G : {0,1}^ρ → {0,1}^{k−ρ} and H : {0,1}^{k−ρ} → {0,1}^ρ and work as follows:

  E^{G,H}_f(M) =                 /* M ∈ {0,1}^{k−ρ} */
    R ←$ {0,1}^ρ;
    S ← G(R) ⊕ M;
    T ← H(S) ⊕ R;
    Y ← f(S‖T);
    return Y

  D^{G,H}_f(Y) =                 /* Y ∈ {0,1}^k */
    X ← f⁻¹(Y);
    S‖T ← X;                     /* S is the first k−ρ bits of X, T the remaining ρ bits */
    R ← H(S) ⊕ T;
    M ← G(R) ⊕ S;
    return M

SLIDE 4

Background : IND-CPA

An asymmetric encryption scheme is composed of three algorithms: key generation KG(k), where k is the security parameter; encryption E(pk, m), where pk is a public key and m a plaintext; and decryption, which is not relevant here. An asymmetric encryption scheme is said to be semantically secure (equivalently, IND-CPA secure) if it is infeasible to gain significant information about a plaintext given only a corresponding ciphertext and the public key. This is formally defined using the following game, where A and A′ are allowed to share state via global variables and thus are regarded as a single adaptive adversary:

  Game IND-CPA =
    (sk, pk) ← KG(k);
    (m0, m1) ← A(pk);
    b ←$ {0,1};
    γ ← E(pk, m_b);
    b′ ← A′(pk, γ)

The adversary wins when b′ = b; the quantity to bound is |Pr[b = b′] − 1/2|, the adversary's advantage over a blind guess.

SLIDE 5

IND-CPA security of OAEP

For PPT adversaries A and A′ making together at most q_G queries to G,

  $\left|\Pr_{\mathrm{IND\text{-}CPA}_{\mathrm{OAEP}}}[b = b'] - \tfrac{1}{2}\right| \;\le\; \Pr_{G_f}[x = f^{-1}(y)] + \frac{q_G}{2^{\rho}}$

where $\Pr_{G_f}[x = f^{-1}(y)]$ is the probability that the inverter I built from A and A′ (slide 7) inverts f on a random element of its codomain, i.e. its advantage $\mathrm{Adv}^{\mathrm{owf}}_F(I)$ in inverting f.

SLIDE 6

The Random Oracle Model

Many cryptographic schemes use hash functions (MD5, the American standards SHA-1, SHA-256, ...). Originally this allowed signing long messages with a short signature; later, hash functions became a main ingredient of encryption schemes. The random oracle model assumes that a hash function can be formalized by an oracle producing a fresh random value for each new query:

  Oracle O(x) =
    if x ∉ dom(L) then y ←$ {0,1}^η; L ← (x, y) :: L
    return L[x]

The random oracle model provides security of the overall design of the scheme against adversaries that do not exploit vulnerabilities in the hash function.

SLIDE 7

Building the adversary

The inverter I against F runs the IND-CPA adversary (A, A′) on the challenge y, simulating H by the ordinary lazy oracle and G by the oracle G_I below. On each G query r, G_I looks in L_H for a pair (s, H_s) with f(s‖(H_s ⊕ r)) = Y′; when one exists, s‖(H_s ⊕ r) is the preimage of y under f and is recorded in ST′.

  I(y) =
    L_G ← []; L_H ← [];
    Y′ ← y; ST′ ← y;
    m0, m1 ← A();
    b′ ← A′(Y′);
    return ST′

  G_I(r) =
    if ∃(s, H_s) ∈ L_H, f(s‖(H_s ⊕ r)) = Y′ then ST′ ← s‖(H_s ⊕ r);
    if r ∉ dom(L_G) then G_r ←$ {0,1}^{k−ρ}; L_G ← (r, G_r) :: L_G
    return L_G[r]
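The pieces defined on slides 3, 4, 6 and 7 (OAEP over a trapdoor permutation, lazily sampled random oracles, the IND-CPA game and the inverter I) as one runnable Python example. This is added illustration code, not code from the slides or from the authors. Assumptions: k = 16 and ρ = 6 (toy sizes); the trapdoor permutation is a random permutation table with its inverse table as the "trapdoor", which is a permutation but not one-way; adversaries are objects with `choose`/`guess` methods standing for the pair A, A′; and `TrapdoorAdversary` is a constructed breaker that is handed f⁻¹ so that the bad event (G queried at R′ after H at S′) is guaranteed to occur, which is what lets the inverter recover f⁻¹(y).

```python
import random

K, RHO = 16, 6              # block length k and seed length rho (toy sizes, assumption)
MSG_BITS = K - RHO          # plaintext length k - rho
RHO_MASK = (1 << RHO) - 1

def gen_trapdoor(rng):
    """Toy stand-in for F(k) of slide 2: a random permutation of {0,1}^k as a
    table f, with its inverse table f_inv as the trapdoor (NOT one-way)."""
    f = list(range(1 << K))
    rng.shuffle(f)
    f_inv = [0] * (1 << K)
    for x, y in enumerate(f):
        f_inv[y] = x
    return f, f_inv

class RandomOracle:
    """Lazily sampled random oracle (slide 6); L is the association list."""
    def __init__(self, out_bits, rng):
        self.out_bits, self.rng, self.L = out_bits, rng, {}

    def __call__(self, x):
        if x not in self.L:                 # x not in dom(L): sample and record
            self.L[x] = self.rng.getrandbits(self.out_bits)
        return self.L[x]

def oaep_encrypt(f, G, H, M, rng):
    """E^{G,H}_f(M) of slide 3; M is a (k - rho)-bit integer."""
    R = rng.getrandbits(RHO)
    S = G(R) ^ M
    T = H(S) ^ R
    return f[(S << RHO) | T]                # Y = f(S || T)

def oaep_decrypt(f_inv, G, H, Y):
    """D^{G,H}_f(Y) of slide 3."""
    X = f_inv[Y]
    S, T = X >> RHO, X & RHO_MASK           # split X into its first k-rho and last rho bits
    R = H(S) ^ T
    return G(R) ^ S

def ind_cpa_game(adversary, f, rng):
    """IND-CPA game of slide 4 (Game0 of slide 8) for public key f.  The adversary
    object stands for the stateful pair A, A'.  Returns whether b = b'."""
    G, H = RandomOracle(MSG_BITS, rng), RandomOracle(RHO, rng)
    m0, m1 = adversary.choose(f, G, H)
    b = rng.getrandbits(1)
    Y = oaep_encrypt(f, G, H, m1 if b else m0, rng)
    return adversary.guess(f, G, H, Y) == b

def inverter(adversary, f, y, rng):
    """I(y) of slide 7: H is simulated by lazy sampling; on each G query r the
    simulated G scans L_H for (s, H_s) with f(s || (H_s xor r)) = y, which is
    then the preimage S' || T' of the challenge y."""
    H = RandomOracle(RHO, rng)
    found = {"ST": y}                       # ST' defaults to y if no preimage shows up

    class GSim(RandomOracle):
        def __call__(self, r):
            for s, Hs in H.L.items():
                if f[(s << RHO) | (Hs ^ r)] == y:
                    found["ST"] = (s << RHO) | (Hs ^ r)
            return super().__call__(r)

    G = GSim(MSG_BITS, rng)
    adversary.choose(f, G, H)
    adversary.guess(f, G, H, y)             # A' receives y itself as the challenge Y'
    return found["ST"]

class TrapdoorAdversary:
    """Constructed 'breaker' (assumption for the demo): it is handed f_inv and
    decrypts the challenge, so it wins IND-CPA; decrypting forces it to query
    H(S') and then G(R'), i.e. to trigger the bad event the proof reduces to."""
    def __init__(self, f_inv):
        self.f_inv = f_inv

    def choose(self, f, G, H):
        self.m0, self.m1 = 0, (1 << MSG_BITS) - 1
        return self.m0, self.m1

    def guess(self, f, G, H, Y):
        return 1 if oaep_decrypt(self.f_inv, G, H, Y) == self.m1 else 0

def demo(seed=1):
    rng = random.Random(seed)
    f, f_inv = gen_trapdoor(rng)
    G, H = RandomOracle(MSG_BITS, rng), RandomOracle(RHO, rng)
    M = 0x2A5                               # constructed sample plaintext (10 bits)
    y = rng.getrandbits(K)                  # random challenge, as in G_owf of slide 2
    return {
        "roundtrip": oaep_decrypt(f_inv, G, H, oaep_encrypt(f, G, H, M, rng)) == M,
        "breaker_wins_ind_cpa": all(ind_cpa_game(TrapdoorAdversary(f_inv), f, rng)
                                    for _ in range(50)),
        "inverter_from_breaker": inverter(TrapdoorAdversary(f_inv), f, y, rng) == f_inv[y],
    }

if __name__ == "__main__":
    print(demo())
```

The interesting line is the scan in `GSim`: because f is a permutation, f(s‖(H_s ⊕ r)) = y pins down s = S′ and H_s ⊕ r = T′, so the match can only be the challenge's own preimage; this is the same fact that later (slide 22) lets the check "r = R′ and S′ ∈ dom(L_H)" be replaced by a test that does not mention R′.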

SLIDE 8

The initial game: Game0

  Game0 =
    L_G ← []; L_H ← [];
    m0, m1 ← A();
    b ←$ {0,1};
    Y′ ← E(m_b);
    b′ ← A′(Y′)

  H0(s) =
    if s ∉ dom(L_H) then H_s ←$ {0,1}^ρ; L_H ← (s, H_s) :: L_H
    else H_s ← L_H[s]
    return H_s

  G0(r) =
    if r ∉ dom(L_G) then G_r ←$ {0,1}^{k−ρ}; L_G ← (r, G_r) :: L_G
    else G_r ← L_G[r]
    return G_r

We want to bound the difference |Pr_{Game0}[b = b′] − 1/2|. To do so we must remove the dependency of the adversary's view on b and m_b.

SLIDE 9

Building the proof: First transition

Inlining of E:

  Game0 =
    L_G ← []; L_H ← [];
    m0, m1 ← A();
    b ←$ {0,1};
    Y′ ← E(m_b);
    b′ ← A′(Y′)

  Game1 =
    L_G ← []; L_H ← [];
    m0, m1 ← A();
    b ←$ {0,1};
    R′ ←$ {0,1}^ρ;
    G_r ← G(R′);
    S′ ← G_r ⊕ m_b;
    H_e ← H(S′);
    T′ ← H_e ⊕ R′;
    Y′ ← f(S′‖T′);
    b′ ← A′(Y′)

SLIDE 10

Optimistic sampling

  G_r ←$ {0,1}^{k−ρ}; S′ ← G_r ⊕ m_b   ∼   S′ ←$ {0,1}^{k−ρ}; G_r ← S′ ⊕ m_b   :  = ⇒ =

The two fragments are equivalent (equal initial memories give equal final distributions) because, for a fixed m_b, the map x ↦ x ⊕ m_b is a bijection of {0,1}^{k−ρ}: sampling G_r uniformly and deriving S′ gives the same joint distribution of (G_r, S′) as sampling S′ uniformly and deriving G_r.

SLIDE 11

Building the proof: First transition

The value G(R′) is now sampled eagerly at the start of the game as G_{R′}, and the oracle G1 returns it when queried on R′:

  Game0 =
    L_G, L_H ← [];
    m0, m1 ← A();
    b ←$ {0,1};
    Y′ ← E(m_b);
    b′ ← A′(Y′)

  Game1 =
    L_G, L_H ← [];
    R′ ←$ {0,1}^ρ;
    G_{R′} ←$ {0,1}^{k−ρ};
    m0, m1 ← A();
    b ←$ {0,1};
    G_r ← G(R′);
    S′ ← G_r ⊕ m_b;
    H_e ← H(S′);
    T′ ← H_e ⊕ R′;
    Y′ ← f(S′‖T′);
    b′ ← A′(Y′)

  G1(r) =
    if r ∉ dom(L_G) then
      if r = R′ then G_r ← G_{R′} else G_r ←$ {0,1}^{k−ρ};
      L_G ← (r, G_r) :: L_G
    else G_r ← L_G[r]
    return G_r

Remark: In Game1 we have G(R′) = G_{R′} (invariant). We would like to apply optimistic sampling to remove the dependency on b, but G_{R′} is still used in G1. We will use a failure event.

SLIDE 12

Second transition

  Game1 =
    L_G, L_H ← [];
    R′ ←$ {0,1}^ρ;
    G_{R′} ←$ {0,1}^{k−ρ};
    m0, m1 ← A();
    b ←$ {0,1};
    G_r ← G(R′);
    S′ ← G_r ⊕ m_b;
    H_e ← H(S′);
    T′ ← H_e ⊕ R′;
    Y′ ← f(S′‖T′);
    b′ ← A′(Y′)

  Game2 =
    bad ← false;
    L_G, L_H ← [];
    R′ ←$ {0,1}^ρ;
    G_{R′} ←$ {0,1}^{k−ρ};
    m0, m1 ← A();
    b ←$ {0,1};
    /* G_r ← G_{R′} */
    S′ ← G_{R′} ⊕ m_b;
    H_e ← H(S′);
    T′ ← H_e ⊕ R′;
    Y′ ← f(S′‖T′);
    b′ ← A′(Y′)

  G2(r) =
    if r = R′ then bad ← true; G_r ← G_{R′}
    else if r ∉ dom(L_G) then G_r ←$ {0,1}^{k−ρ}; L_G ← (r, G_r) :: L_G
    else G_r ← L_G[r]
    return G_r

SLIDE 13

Invariant used for the transition

In Game1, if R′ ∈ dom(L_G) then L_G[R′] = G_{R′}. In the two games the association lists L_G are equal except for the entry at R′ (Game2 never stores one). Under this invariant the two versions of the oracle, G1 and G2, are equivalent, and so are the two games.

SLIDE 14

Fundamental lemma

Two programs Game1 and Game2 are equivalent up to a failure event bad if, for every event P,

  $\Pr_{\mathrm{Game1}}[P \wedge \neg bad] = \Pr_{\mathrm{Game2}}[P \wedge \neg bad]$

Remark: there is a syntactic test to check this notion of equivalence.

Corollary 1: $\Pr_{\mathrm{Game1}}[\neg bad] = \Pr_{\mathrm{Game2}}[\neg bad]$

Corollary 2: $\Pr_{\mathrm{Game1}}[bad] = \Pr_{\mathrm{Game2}}[bad]$ (if Game1 and Game2 are lossless)

Corollary 3 (Fundamental lemma): $\forall S.\ \left|\Pr_{\mathrm{Game1}}[S] - \Pr_{\mathrm{Game2}}[S]\right| \le \Pr_{\mathrm{Game1,2}}[bad]$
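Why Corollary 3 follows from the definition and Corollary 2 (an added derivation, not on the original slide; the symbols are those of the lemma above):

\[
\begin{aligned}
\Pr_{\mathrm{Game1}}[S] - \Pr_{\mathrm{Game2}}[S]
&= \big(\Pr_{\mathrm{Game1}}[S \wedge \neg bad] + \Pr_{\mathrm{Game1}}[S \wedge bad]\big)
 - \big(\Pr_{\mathrm{Game2}}[S \wedge \neg bad] + \Pr_{\mathrm{Game2}}[S \wedge bad]\big) \\
&= \Pr_{\mathrm{Game1}}[S \wedge bad] - \Pr_{\mathrm{Game2}}[S \wedge bad]
 && \text{(equivalence up to } bad \text{ with } P := S\text{)}
\end{aligned}
\]

Each remaining term lies between 0 and the probability of bad in its own game, so $\left|\Pr_{\mathrm{Game1}}[S] - \Pr_{\mathrm{Game2}}[S]\right| \le \max(\Pr_{\mathrm{Game1}}[bad], \Pr_{\mathrm{Game2}}[bad])$; when both games are lossless, Corollary 2 makes the two probabilities equal, which is what the notation $\Pr_{\mathrm{Game1,2}}[bad]$ stands for.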

SLIDE 15

Using the fundamental lemma

  G2(r) =
    if r = R′ then bad ← true; G_r ← G_{R′}
    else body of G0
    return G_r

  G3(r) =
    if r = R′ then bad ← true; body of G0
    else body of G0
    return G_r

The two oracles are equivalent up to bad: they differ only in the branch that sets bad. Let Game2′ be the main of Game2 using G3 instead of G2. We have Pr_{Game0}[b = b′] = Pr_{Game2}[b = b′], and by the fundamental lemma

  $\left|\Pr_{\mathrm{Game2}}[b = b'] - \Pr_{\mathrm{Game2'}}[b = b']\right| \le \Pr_{\mathrm{Game2'}}[bad]$

SLIDE 16

Now G_{R′} is no longer used in the oracle (it can be moved into the main), so we can apply optimistic sampling. After that G_{R′} and m_b are no longer used; b is no longer used either, so its sampling moves to the end.

  Game2′ =
    bad ← false; L_G, L_H ← [];
    R′ ←$ {0,1}^ρ;
    G_{R′} ←$ {0,1}^{k−ρ};
    m0, m1 ← A();
    b ←$ {0,1};
    S′ ← G_{R′} ⊕ m_b;
    H_e ← H(S′);
    T′ ← H_e ⊕ R′;
    Y′ ← f(S′‖T′);
    b′ ← A′(Y′)

  Game3 =
    bad ← false; L_G, L_H ← [];
    S′ ←$ {0,1}^{k−ρ};
    R′ ←$ {0,1}^ρ;
    m0, m1 ← A();
    H_e ← H(S′);
    T′ ← H_e ⊕ R′;
    Y′ ← f(S′‖T′);
    b′ ← A′(Y′);
    b ←$ {0,1}

Remark: Pr_{Game2′}[b = b′] = Pr_{Game3}[b = b′] = 1/2, since in Game3 the bit b is sampled after b′ is fixed and independently of it.

So: |Pr_{Game0}[b = b′] − 1/2| ≤ Pr_{Game2′}[bad] = Pr_{Game3}[bad].

SLIDE 17

Bounding the probability of bad

We should now express the probability of bad in Game3 as a function of the success probability of the inverter I. The bit b is no longer used, so we remove it. In the inverter game the challenge Y′ is uniformly random, so we should randomize Y′ in Game3 (and hence T′).

SLIDE 18

Lazy sampling of H(S′)

The same kind of transition as the one that introduced G_{R′} and G1 (slide 11): the value H(S′) is sampled eagerly as H_{S′} and the oracle returns it on query S′.

  Game3 =
    bad ← false; L_G, L_H ← [];
    S′ ←$ {0,1}^{k−ρ};
    R′ ←$ {0,1}^ρ;
    m0, m1 ← A();
    H_e ← H(S′);
    T′ ← H_e ⊕ R′;
    Y′ ← f(S′‖T′);
    b′ ← A′(Y′)

  Game4 =
    bad ← false; L_G, L_H ← [];
    S′ ←$ {0,1}^{k−ρ};
    H_{S′} ←$ {0,1}^ρ;
    R′ ←$ {0,1}^ρ;
    m0, m1 ← A();
    /* H_e ← H(S′); */
    T′ ← H_{S′} ⊕ R′;
    Y′ ← f(S′‖T′);
    b′ ← A′(Y′)

  H4(s) =
    if s ∉ dom(L_H) then
      if s = S′ then H_s ← H_{S′} else H_s ←$ {0,1}^ρ;
      L_H ← (s, H_s) :: L_H
    else H_s ← L_H[s]
    return H_s

We now want to remove H_{S′} from the oracle H4.

SLIDE 19

Two possibilities to set bad:

  • bad is set and S′ ∈ dom(L_H): the inverter wins (it can recover the preimage of Y′ from L_H)
  • bad is set and S′ ∉ dom(L_H): small probability, at most q_G / 2^ρ

SLIDE 20

Splitting the two cases

  G3(r) =
    if r = R′ then bad ← true;
    body of G0
    return G_r

  G5(r) =
    if r = R′ then
      if S′ ∈ dom(L_H) then bad1 ← true else bad2 ← true;
    body of G0
    return G_r

Let Game5 be Game4 with initialisation of bad1 and bad2 and oracle G5. We have

  Game4 ∼ Game5 : true ⇒ (bad⟨1⟩ ⇒ (bad1 ∨ bad2)⟨2⟩)

so Pr_{Game4}[bad] ≤ Pr_{Game5}[bad1 ∨ bad2] ≤ Pr_{Game5}[bad1] + Pr_{Game5}[bad2].

SLIDE 21

Pr_{Game5}[bad1]

We can remove bad2 if we now focus on bad1, and we can apply optimistic sampling between T′ and R′.

  Game5 =
    bad1, bad2 ← false; L_G, L_H ← [];
    S′ ←$ {0,1}^{k−ρ};
    H_{S′} ←$ {0,1}^ρ;
    R′ ←$ {0,1}^ρ;
    m0, m1 ← A();
    T′ ← H_{S′} ⊕ R′;
    Y′ ← f(S′‖T′);
    b′ ← A′(Y′)

  Game6 =
    bad1 ← false; L_G, L_H ← [];
    S′ ←$ {0,1}^{k−ρ};
    H_{S′} ←$ {0,1}^ρ;
    T′ ←$ {0,1}^ρ;
    R′ ← H_{S′} ⊕ T′;
    Y′ ← f(S′‖T′);
    m0, m1 ← A();
    b′ ← A′(Y′)

  G5(r) =
    if r = R′ then if S′ ∈ dom(L_H) then bad1 ← true;
    body of G0
    return G_r

We want to replace Y′ ← f(S′‖T′) by Y′ ←$ {0,1}^k, but R′ depends on T′. We must first remove R′ from G5.

SLIDE 22

Invariant in Game6:

  S′ ∈ dom(L_H) ⇒ L_H[S′] = H_{S′}
  R′ = H_{S′} ⊕ T′
  Y′ = f(S′‖T′)

  G5(r) =
    if r = R′ then if S′ ∈ dom(L_H) then bad1 ← true;
    body of G0
    return G_r

  G7(r) =
    if ∃(s, H_s) ∈ L_H, f(s‖(H_s ⊕ r)) = Y′ then bad1 ← true;
    body of G0
    return G_r

Under the invariant the two tests coincide: since f is a permutation, f(s‖(H_s ⊕ r)) = Y′ = f(S′‖T′) holds exactly when s = S′ (so S′ ∈ dom(L_H) and H_s = H_{S′}) and H_{S′} ⊕ r = T′, i.e. r = H_{S′} ⊕ T′ = R′.

SLIDE 23

Finish this part

R′ is not used anymore, so we remove its assignment. H_{S′} is used only once, so by reverting lazy sampling in H we get back the initial oracle H0. S′ and T′ are used only once, for the definition of Y′, so we replace their definitions by a random assignment to Y′ (f is a permutation, so f(S′‖T′) is uniform on {0,1}^k when S′‖T′ is).

  Game7 =
    bad1 ← false; L_G, L_H ← [];
    S′ ←$ {0,1}^{k−ρ};
    H_{S′} ←$ {0,1}^ρ;
    T′ ←$ {0,1}^ρ;
    R′ ← H_{S′} ⊕ T′;
    Y′ ← f(S′‖T′);
    m0, m1 ← A();
    b′ ← A′(Y′)

  Game8 =
    bad1 ← false; L_G, L_H ← [];
    Y′ ←$ {0,1}^k;
    m0, m1 ← A();
    b′ ← A′(Y′)

We should now change the assignment of bad1 in G7 (store s‖(H_s ⊕ r) in ST′ where G7 sets bad1) to get the inverter I of slide 7.

SLIDE 24

Probability of bad2 in Game5

Simplified version of the oracles:

  G(R)  def=  if S′ ∉ dom(L_H) ∧ R = R′ then bad2 ← true; G0(R)
  H(S)  def=  if S = S′ then return L_H[S] ← H_{S′} else return L_H[S] ←$ {0,1}^ρ

Next game:

  G(R)  def=  if S′ ∉ dom(L_H) ∧ R = R′ then bad2 ← true; G0(R)
  H(S)  def=  return L_H[S] ←$ {0,1}^ρ

Informal justification: bad2 can only be set while H has never been queried on S′, so the coins that set bad2 are drawn before any answer of H at S′ is produced; the value H returns at S′ cannot influence whether bad2 is set.

SLIDE 25

Formal justification: fundamental lemma

Define

  H_{i1,i2}(S)  def=
    if S ∉ dom(L_H) then
      if S = S′ then
        if bad2 then bad3 ← true; i1
        else bad4 ← true; i2
      else r_H ←$ {0,1}^ρ;
      L_H ← (S, r_H) :: L_H
    else r_H ← L_H[S]
    return r_H

where i1 and i2 are placeholders for the instruction assigning r_H. Let a = (r_H ← H_{S′}) and r = (r_H ←$ {0,1}^ρ):

  Previous game (0): H_{a,a}
  Intermediate game (1): H_{r,a}
  Last game (2): H_{r,r}

We want to prove that Pr_0[bad2] = Pr_2[bad2].

SLIDE 26

Games 0 and 1 differ only in the branch guarded by bad3, games 1 and 2 only in the branch guarded by bad4, so the fundamental lemma (FL) applies up to bad3 and up to bad4 respectively. Moreover bad3 ⇒ bad2 (bad3 is set only when bad2 already holds) and bad4 ⇒ ¬bad2 (bad4 is set while bad2 is false and S′ is then in dom(L_H), so bad2 can never be set afterwards).

\[
\begin{aligned}
\Pr_0[bad_2] &= \Pr_0[bad_2 \wedge bad_3] + \Pr_0[bad_2 \wedge \neg bad_3] \\
 &= \Pr_0[bad_2 \wedge bad_3] + \Pr_1[bad_2 \wedge \neg bad_3] && \text{(FL, up to } bad_3\text{)} \\
 &= \Pr_0[bad_3] + \Pr_1[bad_2 \wedge \neg bad_3] && (bad_3 \Rightarrow bad_2) \\
 &= \Pr_1[bad_3] + \Pr_1[bad_2 \wedge \neg bad_3] && \text{(Corollary 2)} \\
 &= \Pr_1[bad_2 \wedge bad_3] + \Pr_1[bad_2 \wedge \neg bad_3] && (bad_3 \Rightarrow bad_2) \\
 &= \Pr_1[bad_2] \\
 &= \Pr_1[bad_2 \wedge bad_4] + \Pr_1[bad_2 \wedge \neg bad_4] \\
 &= \Pr_1[bad_2 \wedge bad_4] + \Pr_2[bad_2 \wedge \neg bad_4] && \text{(FL, up to } bad_4\text{)} \\
 &= 0 + \Pr_2[bad_2 \wedge \neg bad_4] && (bad_4 \Rightarrow \neg bad_2) \\
 &= \Pr_2[bad_2 \wedge bad_4] + \Pr_2[bad_2 \wedge \neg bad_4] && (bad_4 \Rightarrow \neg bad_2) \\
 &= \Pr_2[bad_2]
\end{aligned}
\]

We can now conclude the proof. Invariant: bad2⟨1⟩ ⇒ (R′ ∈ dom(L_G))⟨2⟩.

B. Grégoire, T. Rezk, An example of Game based proof: OAEP-IND-CPA
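Closing step, added here because the slides stop at the invariant above (the symbols are those of slides 5, 16, 20 and 25). In game (2) the oracle H answers every query, including S′, with a fresh uniform value, so H_{S′} occurs only in T′ ← H_{S′} ⊕ R′. Optimistic sampling (slide 10) rewrites this as T′ ←$ {0,1}^ρ; R′ ← H_{S′} ⊕ T′, after which R′ is uniform in {0,1}^ρ and independent of everything the adversary sees (Y′ = f(S′‖T′) and the oracle answers). By the invariant, bad2 forces R′ ∈ dom(L_G), and L_G holds at most q_G entries, hence

\[
\Pr_{\mathrm{Game5}}[bad_2] \;\le\; \frac{q_G}{2^{\rho}}.
\]

For bad1, Game8 with the oracle G7 is exactly the inverter I of slide 7 run on a uniformly random challenge y = Y′: whenever bad1 is set, I has found s‖(H_s ⊕ r) with f(s‖(H_s ⊕ r)) = Y′, which is f⁻¹(Y′) since f is a permutation, so $\Pr_{\mathrm{Game5}}[bad_1] \le \mathrm{Adv}^{\mathrm{owf}}_F(I)$. Chaining the bounds of slides 16 and 20 with these two gives the theorem of slide 5:

\[
\left|\Pr_{\mathrm{Game0}}[b = b'] - \tfrac{1}{2}\right|
\;\le\; \Pr_{\mathrm{Game5}}[bad_1] + \Pr_{\mathrm{Game5}}[bad_2]
\;\le\; \mathrm{Adv}^{\mathrm{owf}}_F(I) + \frac{q_G}{2^{\rho}}.
\]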