

SLIDE 1

Automatic Proofs for Symmetric Encryption Modes

Martin Gagné², Pascal Lafourcade¹, Yassine Lakhnech¹, Reihaneh Safavi-Naini²

¹ Université Grenoble 1, CNRS, Verimag, France
² Department of Computer Science, University of Calgary, Canada

3rd Canada-France Workshop on Foundations & Practice of Security, June 22, 2010, Toronto.

1 / 24

SLIDES 2-4

Motivations

Indistinguishability and Symmetric Encryption Modes

ECB, CBC, OFB, ...

SLIDE 5

Block Cipher Modes

PRP E → Encryption Mode → IND-CPA

NIST standard modes:

  • Electronic Code Book (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher FeedBack mode (CFB)
  • Output FeedBack (OFB), and
  • Counter mode (CTR).

Others: DMC, CBC-MAC, IACBC, IAPM, XCB, TMAC, HCTR, HCH, EME, EME*, PEP, OMAC, TET, CMC, GCM, EAX, XEX, TAE, TCH, TBC, CCM, ABL4

SLIDE 6

Block Cipher Modes

Example: Cipher Block Chaining (CBC)

  C_i = E(P_i ⊕ C_{i−1}),  C_0 = IV

SLIDE 7

CBC and others

Each mode first samples IV ←$ U, then encrypts m1 | m2 | m3 as follows (E is the PRP of slide 5, its key left implicit):

CBC:  z1 := IV ⊕ m1;  c1 := E(z1);  z2 := c1 ⊕ m2;  c2 := E(z2);  z3 := c2 ⊕ m3;  c3 := E(z3)
CTR:  z1 := E(IV + 1);  c1 := m1 ⊕ z1;  z2 := E(IV + 2);  c2 := m2 ⊕ z2;  z3 := E(IV + 3);  c3 := m3 ⊕ z3
OFB:  z1 := E(IV);  c1 := m1 ⊕ z1;  z2 := E(z1);  c2 := m2 ⊕ z2;  z3 := E(z2);  c3 := m3 ⊕ z3
CFB:  z1 := E(IV);  c1 := m1 ⊕ z1;  z2 := E(c1);  c2 := m2 ⊕ z2;  z3 := E(c2);  c3 := m3 ⊕ z3
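The four programs above, implemented as an added example (this is not code from the presentation or from the authors' prototype). The slides leave E abstract, so E is instantiated here with a toy 64-bit PRP, a 4-round Feistel network whose round function is a keyed BLAKE2b; the toy cipher, the 64-bit block size and the message constants are assumptions of this example. The code generalizes the three-block programs to p blocks, adds ECB from slide 5 for contrast, and runs the left-or-right IND-CPA experiment against the simplest adversary, one that repeats a block: ECB leaks block equality and the adversary wins with advantage 1, while the four randomized modes leave it with advantage 0 (up to the 2^-64 chance of an IV collision in the chained modes).

```python
import hashlib
import random
from typing import Callable, List

BLOCK_BITS = 64                       # assumed block size of the toy PRP
MASK = (1 << BLOCK_BITS) - 1
HALF = BLOCK_BITS // 2
HALF_MASK = (1 << HALF) - 1


def _round(key: bytes, r: int, half: int) -> int:
    """Keyed Feistel round function built from BLAKE2b (an assumption of this example)."""
    h = hashlib.blake2b(half.to_bytes(4, "big") + bytes([r]), key=key, digest_size=4)
    return int.from_bytes(h.digest(), "big")


def prp_encrypt(key: bytes, block: int) -> int:
    """Toy 64-bit block cipher: a 4-round Feistel network. Every Feistel network is a
    permutation, so this stands in for the PRP E that the slides leave abstract."""
    left, right = block >> HALF, block & HALF_MASK
    for r in range(4):
        left, right = right, left ^ _round(key, r, right)
    return (left << HALF) | right


def prp_decrypt(key: bytes, block: int) -> int:
    """Inverse permutation, included so the PRP claim can be checked."""
    left, right = block >> HALF, block & HALF_MASK
    for r in reversed(range(4)):
        left, right = right ^ _round(key, r, left), left
    return (left << HALF) | right


def encrypt_mode(mode: str, E: Callable[[int], int], iv: int, m: List[int]) -> List[int]:
    """The straight-line programs of slide 7, generalized from 3 blocks to p blocks.
    Returns c0|c1|...|cp with c0 = IV. ECB (slide 5) is added for contrast; it has no IV."""
    if mode == "ECB":
        return [E(mi) for mi in m]                  # c_i := E(m_i): deterministic, no randomness
    c: List[int] = []
    prev_c, prev_z = iv, iv
    for i, mi in enumerate(m, start=1):
        if mode == "CBC":
            z = prev_c ^ mi                         # z_i := c_{i-1} ⊕ m_i, with c_0 = IV
            ci = E(z)                               # c_i := E(z_i)
        elif mode == "CTR":
            z = E((iv + i) & MASK)                  # z_i := E(IV + i)
            ci = mi ^ z                             # c_i := m_i ⊕ z_i
        elif mode == "OFB":
            z = E(prev_z)                           # z_1 := E(IV), z_i := E(z_{i-1})
            ci = mi ^ z
        elif mode == "CFB":
            z = E(prev_c)                           # z_1 := E(IV), z_i := E(c_{i-1})
            ci = mi ^ z
        else:
            raise ValueError(f"unknown mode {mode}")
        c.append(ci)
        prev_c, prev_z = ci, z
    return [iv] + c


def ind_cpa_advantage(mode: str, trials: int = 200, seed: int = 1) -> float:
    """Left-or-right IND-CPA experiment for the repeated-block adversary. The adversary
    submits m_L = (A, A) and m_R = (A, B) and answers "left" iff the ciphertext blocks
    c_1 and c_2 are equal. Returns Pr[says left | left] - Pr[says left | right]."""
    rng = random.Random(seed)                       # seeded so the run is reproducible
    key = rng.getrandbits(256).to_bytes(32, "big")
    E = lambda x: prp_encrypt(key, x)               # E with the key fixed, as on the slides
    A, B = 0x4141414141414141, 0x4242424242424242   # constructed message blocks
    seen = [0, 0]
    said_left = [0, 0]
    for _ in range(trials):
        b = rng.randrange(2)                        # hidden challenge bit: 0 = left, 1 = right
        iv = rng.getrandbits(BLOCK_BITS)            # IV ←$ U, fresh for every query
        c = encrypt_mode(mode, E, iv, [A, A] if b == 0 else [A, B])
        seen[b] += 1
        if c[-2] == c[-1]:                          # equal blocks: for ECB iff the left message
            said_left[b] += 1
    if 0 in seen:
        raise RuntimeError("increase trials: one side was never sampled")
    return said_left[0] / seen[0] - said_left[1] / seen[1]


if __name__ == "__main__":
    for mode in ("ECB", "CBC", "CTR", "OFB", "CFB"):
        print(f"{mode}: repeated-block adversary advantage = {ind_cpa_advantage(mode):.2f}")
```

The advantage is exactly 1 for ECB because E is a permutation: equal inputs give equal outputs and distinct inputs give distinct outputs, so the adversary reads the challenge bit off the ciphertext. For CTR it is exactly 0, since IV + 1 and IV + 2 are distinct inputs; for CBC, OFB and CFB it is 0 unless the fresh IV happens to collide with an earlier block value.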

SLIDE 8

Outline

1 Motivations
2 Contribution
    Generic Encryption Mode
    Predicates
    Our Hoare Logic
3 Result
4 Conclusion

SLIDE 9

Contribution

SLIDE 10

How to prove an encryption mode is IND-CPA?

Our Approach: an automated method for proving the correctness of an encryption mode.

  • Language: Generic Encryption Mode
  • Predicates: E, Indis, Lcounter
  • Hoare logic: a few rules

RESULT: If a generic encryption mode EM is correct according to our Hoare logic, then EM is IND-CPA.

SLIDE 11

Generic Encryption Mode

Grammar

  c ::= x ←$ U | x := E(y) | x := y ⊕ z | x := y||z | x := y + 1 | c1; c2

SLIDE 12

Generic Encryption Mode

Definition. A generic encryption mode M is represented by

  EM(m1| . . . |mp, c0| . . . |cp) : var x; c

Example (CBC):

  ECBC(m1|m2|m3, IV|c1|c2|c3) : var z1, z2, z3;
    IV ←$ U;
    z1 := IV ⊕ m1; c1 := E(z1);
    z2 := c1 ⊕ m2; c2 := E(z2);
    z3 := c2 ⊕ m3; c3 := E(z3);

SLIDE 13

Predicates

  ϕ ::= true | ϕ ∧ ϕ | ψ
  ψ ::= Indis(νx; V) | Seed(e) | Lcounter(x)

  • Indis(νx; V): the value of x is indistinguishable from a random value given the values of the variables in V.
  • Seed(e): the probability that the value of e has been encrypted by E is negligible.
  • Lcounter(e): e is the most recent value of a monotone counter that started at a fresh random value.


SLIDE 15

Definition

Definition. Using the previous notions we define the two following predicates:

  • Useed(x) = Seed(x) ∧ Indis(x)
  • Cseed(x) = Seed(x) ∧ Lcounter(x)

Lemma. From the definitions we have immediately:

  • Indis(νx) ⇒ Lcounter(x)
  • Useed(x) ⇒ Cseed(x)

SLIDE 16

More Formally

  • X ⊨ true.
  • X ⊨ ϕ ∧ ϕ′ iff X ⊨ ϕ and X ⊨ ϕ′.
  • X ⊨ Indis(νx; V) iff [(S, E) ←r X : (S(x, V), E)] ∼ [(S, E) ←r X; u ←r U; S′ = S{x ↦ u} : (S′(x, V), E)]
  • X ⊨ Seed(x) iff Pr[(S, E) ←r X : S(x) ∈ S(TE).dom] is negligible.
  • X ⊨ Lcounter(x) iff X ⊨ Indis(x; Var \ Tab[x]), where Tab[x] denotes all the variables that appear in the table Tab[x] of TF up to the variable x.

SLIDE 17

Semantics of the Programming Language

  [[x ←r U]](S, E)       = [u ←r U : (S{x ↦ u, TF ↦ TF ∪ {Tab[x]}}, E)]
  [[x := E(y)]](S, E)    = δ(S{x ↦ v}, TF, E)                                            if (S(y), v) ∈ TE
                         = δ(S{x ↦ v, TF ↦ TF ∪ {Tab[x]}, TE ↦ S(TE) · (S(y), v)}, E)     if S(y) ∉ TE.dom and v = E(S(y))
  [[x := y ⊕ z]](S, E)   = δ(S{x ↦ S(y) ⊕ S(z)}, TF, E)
  [[x := y||z]](S, E)    = δ(S{x ↦ S(y)||S(z)}, TF, E)
  [[x := y[n, m]]](S, E) = δ(S{x ↦ S(y)[n, m]}, TF, E)
  [[x := y + 1]](S, E)   = δ(S{x ↦ S(y) + 1, TF ↦ TF ∪ {Tab[z][i + 1] ↦ Tab[z][i + 1] ∪ {x}}}, E)   if y ∈ Tab[z][i]
                         = δ(S{x ↦ S(y) + 1}, TF, E)                                      otherwise
  [[c1; c2]]             = [[c2]] ∘ [[c1]]

Table: the semantics of the programming language. TE is the table of queries already made to E (a value that is queried again gets the recorded answer; a fresh query is appended), and TF holds the counter tables Tab[·] used by Lcounter.


SLIDE 19

How to generate Seed(x)?

Sampling a Random
  • (R1) {true} x ←$ U {Useed(x)}

PRP Encryption
  • (B1) {Seed(y)} x := E(y) {Seed(x)}
  • (B2) {Seed(y)} x := E(y) {Indis(x)}


SLIDE 21

How to generate Seed(x)?

Xor
  • (X4) {Indis(x) ∧ Seed(x)} z := x ⊕ y {Seed(z)} if y = z
  • (X5) {Lcounter(t)} z := x ⊕ y {Lcounter(t)}

Counter
  • (I1) {Lcounter(x)} y := x + 1 {Lcounter(y)}
  • (I2) {Lcounter(x)} y := x + 1 {Seed(y)}

SLIDE 22

20 Rules

  • x ←$ U: (R1) (R2)
  • x := y||z: (C1) (C2)
  • x := y + 1: (I1) (I2) (I3)
  • (G1) (G2) (G3) (G4)
  • x := y ⊕ z: (X1) (X2) (X3) (X4) (X5)
  • x := E(y): (B1) (B2) (B3) (B4) (B5) (B6)

SLIDE 23

Result

SLIDE 24

How to prove that a Generic Encryption Mode is IND-CPA?

Theorem. Let EM(m1| . . . |mp, c0| . . . |cp) : var x; c be a generic encryption mode. Then EM is IND-CPA secure if

  {true} c {∧_{i=0}^{p} Indis(νc_i; m1, . . . , mp, c0, . . . , cp)}

is valid.

SLIDE 25

Prototype

Implementation of a backward analysis in 1000 lines of OCaml.

Examples

  • CBC, CTR, OFB, CFB are proved IND-CPA
  • ECB and variants: our tool fails, the precondition is not true

All examples are immediate (less than one second).
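An added example of the backward analysis this slide describes, written in Python; it is not the authors' OCaml prototype and does not reproduce their full 20-rule logic. It encodes the rules visible on slides 19 and 21 (R1, B1, B2, X4, X5, I1, I2) together with the lemma Indis(x) ⇒ Lcounter(x), starts from the postcondition of the theorem on slide 24 and pushes it backwards through the mode's statements; the mode is proved when the precondition reached is `true`. Two assumptions of this example stand in for rules the deck lists but does not show (R2, G1-G4, X1-X3, B3-B6): a frame rule that carries a predicate about an unassigned variable back unchanged, except Seed(y) across x := E(y) since y has then been queried to E, and a one-time-pad rule Indis(y) ⇒ Indis(y ⊕ m) for an adversary-chosen message m. Indis is also collapsed to the single set V = {m1, ..., mp, c0, ..., cp} of the theorem, so the checker is adequate only for the straight-line modes of slide 7. The modes are written in the slide 11 grammar, with CTR's IV + i spelled out as a chain of +1 steps; the IV-reuse variant is constructed here to show a proof attempt getting stuck rather than ending in a false precondition.

```python
from typing import FrozenSet, List, Optional, Tuple

# A generic encryption mode (grammar of slide 11) as straight-line statements:
#   ("rand", x)        x ←$ U
#   ("enc",  x, y)     x := E(y)
#   ("xor",  x, y, w)  x := y ⊕ w    (y is the operand rule X4 is applied to)
#   ("inc",  x, y)     x := y + 1
# Messages m1..mp are adversary-chosen inputs; c0..cp are the ciphertext outputs.
Stmt = Tuple[str, ...]
Pred = Tuple[str, str]   # ("Indis", "c1"), ("Seed", "z2"), ("Lcounter", "IV"), ...


def is_msg(v: str) -> bool:
    """Naming convention of this example: message blocks are called m1, m2, ..."""
    return v.startswith("m")


def wp(stmt: Stmt, post: FrozenSet[Pred]) -> Optional[FrozenSet[Pred]]:
    """Precondition of one statement for a conjunction of predicates, obtained by reading
    the slides' rules backwards. None means no rule applies: the proof attempt is stuck."""
    kind, x, *args = stmt
    pre = set()
    for pred, v in post:
        if v != x:
            # Frame assumption (X5 is the one instance the slides show): a predicate about
            # another variable is carried back unchanged, except Seed(y) across x := E(y),
            # because afterwards y has been queried to E.
            if pred == "Seed" and kind == "enc" and v == args[0]:
                return None
            pre.add((pred, v))
        elif pred == "Indis":
            if kind == "rand":
                pass                                      # (R1) {true} x ←$ U {Useed(x)}
            elif kind == "enc":
                pre.add(("Seed", args[0]))                # (B2) {Seed(y)} x := E(y) {Indis(x)}
            elif kind == "xor" and is_msg(args[1]) and not is_msg(args[0]):
                pre.add(("Indis", args[0]))               # assumed one-time-pad rule (for X1-X3)
            else:
                return None
        elif pred == "Seed":
            if kind == "rand":
                pass                                      # (R1)
            elif kind == "enc":
                pre.add(("Seed", args[0]))                # (B1) {Seed(y)} x := E(y) {Seed(x)}
            elif kind == "xor" and args[0] != args[1]:
                pre.update({("Indis", args[0]), ("Seed", args[0])})   # (X4)
            elif kind == "inc":
                pre.add(("Lcounter", args[0]))            # (I2) {Lcounter(y)} x := y + 1 {Seed(x)}
            else:
                return None
        elif pred == "Lcounter":
            if kind == "rand":
                pass                                      # (R1) with the lemma Indis(x) ⇒ Lcounter(x)
            elif kind == "inc":
                pre.add(("Lcounter", args[0]))            # (I1) {Lcounter(y)} x := y + 1 {Lcounter(x)}
            elif kind == "enc":
                pre.add(("Seed", args[0]))                # (B2) with the lemma
            else:
                return None
    return frozenset(pre)


def prove_ind_cpa(program: List[Stmt], outputs: List[str]) -> Tuple[bool, Optional[FrozenSet[Pred]]]:
    """Backward analysis: start from the theorem's postcondition ∧_i Indis(c_i) and push it
    through the program, last statement first. Proved iff the precondition reached is `true`,
    i.e. the empty conjunction; otherwise the residual precondition is returned (None if stuck)."""
    goal: Optional[FrozenSet[Pred]] = frozenset(("Indis", c) for c in outputs)
    for stmt in reversed(program):
        goal = wp(stmt, goal)
        if goal is None:
            return False, None
    return len(goal) == 0, goal


def _outputs(p: int) -> List[str]:
    return ["IV"] + [f"c{i}" for i in range(1, p + 1)]


def cbc(p: int) -> Tuple[List[Stmt], List[str]]:
    prog: List[Stmt] = [("rand", "IV")]
    prev = "IV"
    for i in range(1, p + 1):
        prog += [("xor", f"z{i}", prev, f"m{i}"), ("enc", f"c{i}", f"z{i}")]
        prev = f"c{i}"
    return prog, _outputs(p)


def ctr(p: int) -> Tuple[List[Stmt], List[str]]:
    prog: List[Stmt] = [("rand", "IV")]
    prev = "IV"
    for i in range(1, p + 1):   # IV + i as a chain of +1 steps, as the grammar requires
        prog += [("inc", f"t{i}", prev), ("enc", f"z{i}", f"t{i}"), ("xor", f"c{i}", f"z{i}", f"m{i}")]
        prev = f"t{i}"
    return prog, _outputs(p)


def feedback_mode(p: int, chain: Optional[str]) -> Tuple[List[Stmt], List[str]]:
    """OFB for chain="z" (z_i := E(z_{i-1})), CFB for chain="c" (z_i := E(c_{i-1})), and a
    broken variant constructed for this example when chain=None (z_i := E(IV) every time)."""
    prog: List[Stmt] = [("rand", "IV")]
    prev = "IV"
    for i in range(1, p + 1):
        prog += [("enc", f"z{i}", prev), ("xor", f"c{i}", f"z{i}", f"m{i}")]
        prev = {"z": f"z{i}", "c": f"c{i}"}.get(chain, "IV")
    return prog, _outputs(p)


def ecb(p: int) -> Tuple[List[Stmt], List[str]]:
    return [("enc", f"c{i}", f"m{i}") for i in range(1, p + 1)], [f"c{i}" for i in range(1, p + 1)]


if __name__ == "__main__":
    for name, mode in [("CBC", cbc(3)), ("CTR", ctr(3)), ("OFB", feedback_mode(3, "z")),
                       ("CFB", feedback_mode(3, "c")), ("ECB", ecb(3)), ("IV reuse", feedback_mode(3, None))]:
        ok, residual = prove_ind_cpa(*mode)
        print(f"{name:8s} proved={ok} residual={sorted(residual) if residual else residual}")
```

For ECB the analysis ends with the precondition Seed(m1) ∧ Seed(m2) ∧ Seed(m3): the rules would need the adversary's own messages to be fresh to E, which nothing establishes, so the precondition is not `true`, exactly the failure the slide reports. For the IV-reuse variant it gets stuck earlier, when Seed(IV) has to be carried back across a second encryption of IV.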

SLIDE 26

Conclusion

SLIDE 27

Summary

  • Generic Encryption Mode
  • New predicates
  • Hoare logic for proving a generic encryption mode IND-CPA
  • OCaml prototype

SLIDE 28

Future Work

  • Considering for loops
  • Hybrid encryption
  • Using hash functions
  • Using mathematics (GMC)
  • IND-CCA? Desai 2000: New Paradigms for Constructing Symmetric Encryption Schemes Secure against Chosen-Ciphertext Attack
  • CBC-MAC

SLIDE 29

Thank you for your attention. Questions?