CertiCrypt: formal certification of code-based cryptographic proofs - PowerPoint PPT Presentation

CertiCrypt: formal certification of code-based cryptographic proofs Gilles Barthe Benjamin Gr´ egoire Santiago Zanella B´ eguelin Romain Janvier F´ ederico Olmedo IMDEA Software INRIA Sophia Antipolis INRIA-Microsoft Research Joint Centre National University of Rosario 15.07.2008 G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 1/37

What’s wrong with cryptographic proofs? Increasing complexity in cryptographic proofs + Unmanageable numbers of them appearing in articles + No one willing to carefully verify long handmade proofs Subtle errors in published proofs G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 2/37

What’s wrong with cryptographic proofs? Increasing complexity in cryptographic proofs + Unmanageable numbers of them appearing in articles + No one willing to carefully verify long handmade proofs Subtle errors in published proofs G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 2/37

What’s wrong with cryptographic proofs? Increasing complexity in cryptographic proofs + Unmanageable numbers of them appearing in articles + No one willing to carefully verify long handmade proofs Subtle errors in published proofs G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 2/37

What’s wrong with cryptographic proofs? Increasing complexity in cryptographic proofs + Unmanageable numbers of them appearing in articles + No one willing to carefully verify long handmade proofs Subtle errors in published proofs G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 2/37

From provable cryptography to proved provable cryptography Provable security State security goals precisely Make security hypotheses explicit Carry rigorous proofs State security goals and hypotheses formally (in a fully specified formalism) Develop tool supported methods for building or checking proofs Proposal: game-based proofs (Not a universal point of view) G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 3/37

Game-based proofs Describe security of system as a game Game as probabilistic program Security as upper bound on the adversary’s advantage Security assumptions as games Transform game stepwise G , E , p → G ′ , E ′ , p ′ p ′ should be suitably related to p E and E ′ may be distinct events (e.g. adversary winning vs failure event) Provide upper bound for probability in the final game Caveats Game hopping is only part of the story Many (complex) side results must be established (PPT, probability, etc) Ad hoc reasoning might be required G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 4/37

IND-CPA Game 0 = ( pk , sk ) ← KG ( η ); M 1 , M 2 ← A ( pk ); $ ← { 0 , 1 } ; b if b then M b ← M 1 else M b ← M 2 ; Y ′ ← Enc ( sk , M b ); b ′ ← A ′ ( Y ′ ) Asymptotic security: show that | Pr Game 0 [ b = b ′ ] − 1 2 | is negligible in k Exact security: provide L such that | Pr Game 0 [ b = b ′ ] − 1 2 | ≤ L ( k ) G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 5/37

Semantic security of ElGamal Key generation: KG () △ $ ← Z q ; return ( x , g x ) = x Encryption: Enc( α, m ) △ ← Z q ; return ( g y , α y × m ) $ = y ElGamal is INDCPA secure under DDH Decisional Diffie-Hellman (DDH) assumption Let G be a cyclic group of order q , let g be a generator of G . $ $ = ← [0 .. q − 1]; y ← [0 .. q − 1]; DDH 0 x b ← A ( g x , g y , g x ∗ y ); $ $ $ DDH 1 = x ← [0 .. q − 1]; y ← [0 .. q − 1]; z ← [0 .. q − 1]; b ← A ( g x , g y , g z ); For all PPT adversaries, | Pr DDH 0 [ b = 1] − Pr DDH 1 [ b = 1] | is negligible in k . G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 6/37

Game hopping Game ElGamal : Game ElGamal 0 : Game DDH 0 : ( x , α ) ← KG ; $ $ $ ← Z q ; y ← Z q ; ← Z q ; x x ( m 0 , m 1 ) ← A ( α ); ( m 0 , m 1 ) ← A ( g x ); $ ← Z q ; y $ ← { 0 , 1 } ; $ b d ← B ( g x , g y , g xy ) b ← { 0 , 1 } ; ζ ← g xy × m b ; ( β, ζ ) ← Enc( α, m b ); Adversary B ( α, β, γ ) : b ′ ← A ′ ( α, β, ζ ) b ′ ← A ′ ( g x , g y , ζ ); ( m 0 , m 1 ) ← A ( α ); d ← b = b ′ d ← b = b ′ $ b ← { 0 , 1 } ; b ′ ← A ′ ( α, β, γ × m b ); return b = b ′ Proof steps G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 7/37

Game hopping Game ElGamal : Game ElGamal 0 : Game DDH 0 : ( x , α ) ← KG ; $ $ $ ← Z q ; y ← Z q ; ← Z q ; x x ( m 0 , m 1 ) ← A ( α ); ( m 0 , m 1 ) ← A ( g x ); $ ← Z q ; y $ ← { 0 , 1 } ; $ b d ← B ( g x , g y , g xy ) b ← { 0 , 1 } ; ζ ← g xy × m b ; ( β, ζ ) ← Enc( α, m b ); Adversary B ( α, β, γ ) : b ′ ← A ′ ( α, β, ζ ) b ′ ← A ′ ( g x , g y , ζ ); ( m 0 , m 1 ) ← A ( α ); d ← b = b ′ d ← b = b ′ $ b ← { 0 , 1 } ; b ′ ← A ′ ( α, β, γ × m b ); return b = b ′ Proof steps inline l KG. inline l Enc. ep. deadcode. swap. eqobs in. G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 7/37

Game hopping Game ElGamal : Game ElGamal 0 : Game DDH 0 : ( x , α ) ← KG ; $ $ $ ← Z q ; y ← Z q ; ← Z q ; x x ( m 0 , m 1 ) ← A ( α ); ( m 0 , m 1 ) ← A ( g x ); $ ← Z q ; y $ ← { 0 , 1 } ; $ b d ← B ( g x , g y , g xy ) b ← { 0 , 1 } ; ζ ← g xy × m b ; ( β, ζ ) ← Enc( α, m b ); Adversary B ( α, β, γ ) : b ′ ← A ′ ( α, β, ζ ) b ′ ← A ′ ( g x , g y , ζ ); ( m 0 , m 1 ) ← A ( α ); d ← b = b ′ d ← b = b ′ $ b ← { 0 , 1 } ; b ′ ← A ′ ( α, β, γ × m b ); return b = b ′ Proof steps inline r B. ep. deadcode. eqobs in. G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 7/37

Game hopping Game ElGamal 2 : Game ElGamal 1 : $ $ $ $ Game DDH 1 : ← Z q ; y ← Z q ; ← Z q ; y ← Z q ; x x $ ( m 0 , m 1 ) ← A ( g x ); ( m 0 , m 1 ) ← A ( g x ); ← Z q ; x $ $ $ ← Z q ; ζ ← g z ; ← { 0 , 1 } ; ← Z q ; z b y b ′ ← A ′ ( g x , g y , ζ ); ← Z q ; ζ ← g z × m b ; $ $ z z ← Z q ; b ′ ← A ′ ( g x , g y , ζ ); $ d ← B ( g x , g y , g z ) b ← { 0 , 1 } ; d ← b = b ′ d ← b = b ′ Adversary B ( α, β, γ ) : ( m 0 , m 1 ) ← A ( α ); $ b ← { 0 , 1 } ; b ′ ← A ′ ( α, β, γ × m b ); return b = b ′ Proof steps G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 8/37

Game hopping Game ElGamal 2 : Game ElGamal 1 : $ $ $ $ Game DDH 1 : ← Z q ; y ← Z q ; ← Z q ; y ← Z q ; x x $ ( m 0 , m 1 ) ← A ( g x ); ( m 0 , m 1 ) ← A ( g x ); ← Z q ; x $ $ $ ← Z q ; ζ ← g z ; ← { 0 , 1 } ; ← Z q ; z b y b ′ ← A ′ ( g x , g y , ζ ); ← Z q ; ζ ← g z × m b ; $ $ z z ← Z q ; b ′ ← A ′ ( g x , g y , ζ ); $ d ← B ( g x , g y , g z ) b ← { 0 , 1 } ; d ← b = b ′ d ← b = b ′ Adversary B ( α, β, γ ) : ( m 0 , m 1 ) ← A ( α ); $ b ← { 0 , 1 } ; b ′ ← A ′ ( α, β, γ × m b ); return b = b ′ Proof steps swap. eqobs hd 4. eqobs tl 2. apply mult pad. G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 8/37

Game hopping Game ElGamal 2 : Game ElGamal 1 : $ $ $ $ Game DDH 1 : ← Z q ; y ← Z q ; ← Z q ; y ← Z q ; x x $ ( m 0 , m 1 ) ← A ( g x ); ( m 0 , m 1 ) ← A ( g x ); ← Z q ; x $ $ $ ← Z q ; ζ ← g z ; ← { 0 , 1 } ; ← Z q ; z b y b ′ ← A ′ ( g x , g y , ζ ); ← Z q ; ζ ← g z × m b ; $ $ z z ← Z q ; b ′ ← A ′ ( g x , g y , ζ ); $ d ← B ( g x , g y , g z ) b ← { 0 , 1 } ; d ← b = b ′ d ← b = b ′ Adversary B ( α, β, γ ) : ( m 0 , m 1 ) ← A ( α ); $ b ← { 0 , 1 } ; b ′ ← A ′ ( α, β, γ × m b ); return b = b ′ Proof steps inline r B. ep. deadcode. swap. eqobs in. G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 8/37

Wrapping up Equational proof | Pr ElGamal ( b = b ′ ) − 1 2 | = | Pr ElGamal 0 ( d ) − 1 2 | = | Pr DDH 0 ( d ) − 1 2 | = | Pr DDH 0 ( d ) − Pr ElGamal 2 ( d ) | = | Pr DDH 0 ( d ) − Pr ElGamal 1 ( d ) | = | Pr DDH 0 ( d ) − Pr DDH 1 ( d ) | Needs proof that DDH is correctly applied! G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 9/37

Random oracle { 0 , 1 } p → { 0 , 1 } p G : G ( R ) △ if R / ∈ L then = $ ← { 0 , 1 } k ; r L ← ( R , r ) :: L else r ← L [ R ] return r G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 10/37

The OAEP padding scheme A one-way permutation function f : { 0 , 1 } k → { 0 , 1 } k Two hash functions: G : { 0 , 1 } p → { 0 , 1 } k − p H : { 0 , 1 } k − p → { 0 , 1 } p Encryption: $ Enc ( M ) △ ← { 0 , 1 } p ; = R S ← G ( R ) ⊕ M ; T ← H ( S ) ⊕ R ; Y ← f ( S � T ); return Y G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 11/37

Exact security of OAEP Proved in Coq (2,500 lines): | Pr Game 0 [ b = b ′ ] − 1 2 | ≤ Pr I , f + q G 2 p where Pr I , f is the probability of an adversary I to invert f on a random element Improves over Bellare and Rogaway: | Pr Game 0 [ b = b ′ ] − 1 2 | ≤ Pr I , f + 2 q G 2 p + q H 2 k − p . . . but we should really prove IND-CCA! G.Barthe, B.Gr´ egoire, S.Zanella, R.Janvier, F.Olmedo CertiCrypt 12/37