Computer-aided cryptographic proofs and designs Gilles Barthe - PowerPoint PPT Presentation

Computer-aided cryptographic proofs and designs Gilles Barthe (IMDEA, Spain) Benjamin Grégoire (INRIA Sophia Antipolis, France) Juan Manuel Crespo (IMDEA, Spain) Francois Dupressoir (IMDEA, Spain) César Kunz (IMDEA/U. Politecnica Madrid, Spain) Yassine Lakhnech (U. de Grenoble/CNRS, France) Benedikt Schmidt (IMDEA, Spain) Pierre-Yves Strub (IMDEA, Spain) Santiago Zanella Béguelin (MSR Cambridge, UK)

The CertiCrypt project (2006-) Cryptographic proofs as program verification ◮ Formalize key notions and techniques using programming language semantics deductive program verification ◮ Provide machine support using off-the-shelf tools proof assistants SMT solvers ◮ Automation domain-specific logics; proof search systematic exploration of design space ◮ Modularity

What’s wrong with provable security? ◮ In our opinion, many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor . M. Bellare and P . Rogaway, 2004-2006 ◮ Do we have a problem with cryptographic proofs? Yes, we do [...] We generate more proofs than we carefully verify (and as a consequence some of our published proofs are incorrect) . S. Halevi, 2005

Code-based cryptography (Bellare & Rogaway 2004, Halevi 2005) Everything is a probabilistic program C ::= V ← E assignment | V ← D $ random sampling | C ; C sequence | if E then C else C conditional | while E do C while loop | V ← P ( E , . . . , E ) procedure call

Code-based cryptography (Bellare & Rogaway 2004, Halevi 2005) Everything is a probabilistic program C V ← E ::= assignment | V ← D random sampling $ | C ; C sequence | if E then C else C conditional | while E do C while loop | V ← P ( E , . . . , E ) procedure call ◮ For cryptographers: rigorous notation ◮ In our work: rigorous justification of proofs

Code-based cryptography Everything is a probabilistic program C V ← E ::= assignment | V ← D random sampling $ | C ; C sequence | if E then C else C conditional | while E do C while loop | V ← P ( E , . . . , E ) procedure call Today: E ::= E ⊕ E xor | E | | E concatenation ◮ Uniform sampling on bitstrings of fixed length ◮ Memories map variables to bitstrings of fixed length ◮ Programs map memories to sub-distributions on memories

Code-based cryptography Everything is a probabilistic program C ::= V ← E assignment | V ← D random sampling $ | C ; C sequence | if E then C else C conditional | while E do C while loop | V ← P ( E , . . . , E ) procedure call Reductionist proofs: For every feasible adversary A against scheme S (wrt goal G ) there exists a feasible adversary B against assumption H st Pr G a [ A breaks S ] ≤ h ( Pr G h [ B breaks H ])

A famous example: RSA-OAEP Oracle Enc pk ( m ) : ← { 0 , 1 } k 0 ; r $ s ← G ( r ) ⊕ ( m � 0 k 1 ); t ← H ( s ) ⊕ r ; return fpk ( s � t ) Oracle Dec sk ( c ) : ( s , t ) ← f − 1 sk ( c ); r ← t ⊕ H ( s ); if [ s ⊕ G ( r )] k 1 = 0 k 1 then return [ s ⊕ G ( r )] n else return ⊥

A famous example: RSA-OAEP Oracle Enc pk ( m ) : Game IND-CCA2 : ( sk , pk ) ← KG ( ); ← { 0 , 1 } k 0 ; r $ ( m 0 , m 1 , σ ) ← A 1 ( pk ); s ← G ( r ) ⊕ ( m � 0 k 1 ); ← { 0 , 1 } ; b $ t ← H ( s ) ⊕ r ; c ∗ ← Enc ( pk , m b ); return fpk ( s � t ) b ′ ← A 2 ( pk , c ∗ , σ ); return b = b ′ Oracle Dec sk ( c ) : ( s , t ) ← f − 1 sk ( c ); r ← t ⊕ H ( s ); if [ s ⊕ G ( r )] k 1 = 0 k 1 then return [ s ⊕ G ( r )] n else return ⊥

A famous example: RSA-OAEP Oracle Enc pk ( m ) : Game IND-CCA2 : ( sk , pk ) ← KG ( ); ← { 0 , 1 } k 0 ; r $ ( m 0 , m 1 , σ ) ← A 1 ( pk ); s ← G ( r ) ⊕ ( m � 0 k 1 ); ← { 0 , 1 } ; b $ t ← H ( s ) ⊕ r ; c ∗ ← Enc ( pk , m b ); return fpk ( s � t ) b ′ ← A 2 ( pk , c ∗ , σ ); return b = b ′ Oracle Dec sk ( c ) : ( s , t ) ← f − 1 sk ( c ); r ← t ⊕ H ( s ); if [ s ⊕ G ( r )] k 1 = 0 k 1 then return [ s ⊕ G ( r )] n Game POW : else return ⊥ ( sk , pk ) ← KG (); ← { 0 , 1 } n + k 1 ; y $ Oracle G ( x ) : ← { 0 , 1 } k 0 ; z $ ← { 0 , 1 } n + k 1 ; ∈ dom ( L G ) then L G [ x ] if x / $ y ′ ← I ( f pk ( y � z )); return L G [ x ] return y = y ′ Oracle H ( x ) : ← { 0 , 1 } k 0 ; if x / ∈ dom ( L H ) then L H [ x ] $ return L H [ x ]

A famous example: RSA-OAEP For every IND-CCA2 adversary A executing in time t A there exists an inverter I executing in time t I s.t. � Pr IND-CCA2 [ b = b ′ ] − 1 � � Adv IND-CCA2 ( A ) = � 2 ≤ Pr POW ( I ) [ y = y ′ ] + 2 q D q G + q D + q G + q D 2 k 0 2 k 1 t I ≃ t A + q D q G q H

A famous example: RSA-OAEP Shoup Bellare, Hofheinz, Kiltz Bellare and Rogaway Pointcheval 1994 2001 2004 2009 2011 Fujisaki, Okamoto, Pointcheval, Stern BGLZ 1994 Purported proof of chosen-ciphertext security 2001 1994 proof gives weaker security; desired security holds ◮ under stronger assumptions ◮ for a modified scheme 2004 Filled gaps in Fujisaki et al. 2001 proof 2009 Security definition needs to be clarified 2011 Machine-checked proof

A famous example: RSA-OAEP Manger Bleichenbacher 1994 1996 1998 2001 2001 Boneh, Demillo, Lipton Kocher Attacks and countermeasures against implementations 1996 Timing attack 1998 Padding (million messages) attack 2001 Fault injection attack 2012 Machine-checked proof 1 for pseudo-implementation 201? Machine-checked proof 1 for implementation 1 Interpret with care

The game-playing approach (Shoup 2004, Bellare & Rogaway 2004, Halevi, 2005) For every feasible adversary A against scheme S (wrt goal G ) there exists a feasible adversary B against assumption H st Pr G a [ A breaks S ] ≤ h ( Pr G h [ B breaks H ]) Game G a : Game G 1 : Game G h : . . . . . . . . . . . . ← A ( . . . ); . . . · · · . . . ← B ( . . . ); . . . . . . . . . ≤ h 1 ( Pr G 1 [ E 1 ]) ≤ . . . ≤ h ( Pr G h [ B breaks H ]) Pr G a [ A breaks S ]

Example: IND-CPA security of BR93 Game IND-CPA : Enc pk ( m ) : Game OW : ← { 0 , 1 } ℓ ; ( sk , pk ) ← KG ( ); r ( sk , pk ) ← KG (); $ ← { 0 , 1 } ℓ ; ( m 0 , m 1 , σ ) ← A 1 ( pk ); s ← G ( r ) ⊕ m ; y $ y ′ ← I ( f pk ( y )); b ← { 0 , 1 } ; y ← f pk ( r ) � s ; $ c ∗ ← Enc ( pk , m b ); return y = y ′ return y b ′ ← A 2 ( pk , c ∗ , σ ); return b = b ′ G ( x ) : ← { 0 , 1 } k ; ∈ dom ( L G ) then L G [ x ] if x / $ return L G [ x ] For every IND-CPA adversary A making at most q G queries to G , there exists an inverter I against OW such that � � − 1 b = b ′ � � ≤ q G Succ OW � � � ( I ) � Pr IND-CPA � � f 2

Step 1: failure event Game G 0 : Game G 1 : L G ← ∅ ; L A L G ← ∅ ; L A G ← [ ]; G ← [ ]; ( sk , pk ) ← KG (); ( sk , pk ) ← KG (); ( m 0 , m 1 , σ ) ← A 1 ( pk ); ( m 0 , m 1 , σ ) ← A 1 ( pk ); b ← { 0 , 1 } ; b ← { 0 , 1 } ; $ $ ← { 0 , 1 } ℓ ; ← { 0 , 1 } ℓ ; r r $ $ ← { 0 , 1 } k ; g ← G ( r ); g $ s ← g ⊕ m b ; s ← g ⊕ m b ; c ∗ ← f pk ( r ) � s ; c ∗ ← f pk ( r ) � s ; b ′ ← A 2 ( pk , c ∗ , σ ); b ′ ← A 2 ( pk , c ∗ , σ );

Step 1: failure event Game G 0 : Game G 1 : L G ← ∅ ; L A L G ← ∅ ; L A G ← [ ]; G ← [ ]; ( sk , pk ) ← KG (); ( sk , pk ) ← KG (); ( m 0 , m 1 , σ ) ← A 1 ( pk ); ( m 0 , m 1 , σ ) ← A 1 ( pk ); b ← { 0 , 1 } ; b ← { 0 , 1 } ; $ $ ← { 0 , 1 } ℓ ; ← { 0 , 1 } ℓ ; r r $ $ ← { 0 , 1 } k ; g ← G ( r ); g $ s ← g ⊕ m b ; s ← g ⊕ m b ; c ∗ ← f pk ( r ) � s ; c ∗ ← f pk ( r ) � s ; b ′ ← A 2 ( pk , c ∗ , σ ); b ′ ← A 2 ( pk , c ∗ , σ ); The games are equivalent until the adversary queries G with r � � � ≤ Pr G 1 b = b ′ � b = b ′ �� r ∈ L A � � � − Pr G 1 � Pr G 0 G

Step 2: optimistic sampling Game G 1 : Game G 2 : L G ← ∅ ; L A L G ← ∅ ; L A G ← [ ]; G ← [ ]; ( sk , pk ) ← KG (); ( sk , pk ) ← KG (); ( m 0 , m 1 , σ ) ← A 1 ( pk ); ( m 0 , m 1 , σ ) ← A 1 ( pk ); b ← { 0 , 1 } ; b ← { 0 , 1 } ; $ $ ← { 0 , 1 } ℓ ; ← { 0 , 1 } ℓ ; r r $ $ g ← { 0 , 1 } k ; ← { 0 , 1 } k ; s $ s ← g ⊕ m b ; g ← s ⊕ m b ; c ∗ ← f pk ( r ) � s ; c ∗ ← f pk ( r ) � s ; b ′ ← A 2 ( pk , c ∗ , σ ); b ′ ← A 2 ( pk , c ∗ , σ );

Step 2: optimistic sampling Game G 1 : Game G 2 : L G ← ∅ ; L A L G ← ∅ ; L A G ← [ ]; G ← [ ]; ( sk , pk ) ← KG (); ( sk , pk ) ← KG (); ( m 0 , m 1 , σ ) ← A 1 ( pk ); ( m 0 , m 1 , σ ) ← A 1 ( pk ); b ← { 0 , 1 } ; b ← { 0 , 1 } ; $ $ ← { 0 , 1 } ℓ ; ← { 0 , 1 } ℓ ; r r $ $ g ← { 0 , 1 } k ; ← { 0 , 1 } k ; s $ s ← g ⊕ m b ; g ← s ⊕ m b ; c ∗ ← f pk ( r ) � s ; c ∗ ← f pk ( r ) � s ; b ′ ← A 2 ( pk , c ∗ , σ ); b ′ ← A 2 ( pk , c ∗ , σ ); Games are equivalent and c ∗ is independent from b , hence � � − 1 � � b = b ′ � r ∈ L A � � � � ≤ Pr G 2 � Pr IND-CPA � � G 2