SLIDE 1
Computer-aided cryptographic proofs and designs, Gilles Barthe (slide presentation)
Computer-aided cryptographic proofs and designs. Gilles Barthe (IMDEA, Spain), Benjamin Grégoire (INRIA Sophia Antipolis, France), Juan Manuel Crespo (IMDEA, Spain), François Dupressoir (IMDEA, Spain), César Kunz (IMDEA/U. Politecnica Madrid,
SLIDE 2
SLIDE 3
What’s wrong with provable security?
◮ "In our opinion, many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor." M. Bellare and P. Rogaway, 2004-2006
◮ "Do we have a problem with cryptographic proofs? Yes, we do [...] We generate more proofs than we carefully verify (and as a consequence some of our published proofs are incorrect)." S. Halevi, 2005
SLIDE 4
Code-based cryptography
(Bellare & Rogaway 2004, Halevi 2005)
Everything is a probabilistic program:
C ::= V ← E                 assignment
    | V ←$ D                random sampling
    | C; C                  sequence
    | if E then C else C    conditional
    | while E do C          while loop
    | V ← P(E, ..., E)      procedure call
SLIDE 5
◮ For cryptographers: rigorous notation
◮ In our work: rigorous justification of proofs
SLIDE 6
Code-based cryptography
Everything is a probabilistic program (the pWHILE grammar of the previous slide). Today the expressions are:
E ::= E ⊕ E    xor
    | E ‖ E    concatenation
◮ Uniform sampling on bitstrings of fixed length
◮ Memories map variables to bitstrings of fixed length
◮ Programs map memories to sub-distributions on memories
SLIDE 7
Code-based cryptography
Everything is a probabilistic program. Reductionist proofs: for every feasible adversary A against scheme S (w.r.t. goal G) there exists a feasible adversary B against assumption H such that
$$\Pr_{G_a}[A \text{ breaks } S] \le h\bigl(\Pr_{G_h}[B \text{ breaks } H]\bigr)$$
SLIDE 8
A famous example: RSA-OAEP
Oracle Enc_pk(m):
  r ←$ {0,1}^{k0}; s ← G(r) ⊕ (m ‖ 0^{k1}); t ← H(s) ⊕ r; return f_pk(s ‖ t)
Oracle Dec_sk(c):
  (s, t) ← f_sk^{-1}(c); r ← t ⊕ H(s);
  if [s ⊕ G(r)]_{k1} = 0^{k1} then return [s ⊕ G(r)]^{n} else return ⊥
SLIDE 9
A famous example: RSA-OAEP
Enc_pk and Dec_sk as on the previous slide.
Game IND-CCA2:
  (sk, pk) ← KG(); (m0, m1, σ) ← A1(pk); b ←$ {0,1}; c* ← Enc(pk, m_b); b' ← A2(pk, c*, σ); return b = b'
SLIDE 10
A famous example: RSA-OAEP
Enc_pk, Dec_sk and Game IND-CCA2 as on the previous slides, together with the random oracles and the POW game:
Oracle G(x): if x ∉ dom(L_G) then L_G[x] ←$ {0,1}^{n+k1}; return L_G[x]
Oracle H(x): if x ∉ dom(L_H) then L_H[x] ←$ {0,1}^{k0}; return L_H[x]
Game POW:
  (sk, pk) ← KG(); y ←$ {0,1}^{n+k1}; z ←$ {0,1}^{k0}; y' ← I(f_pk(y ‖ z)); return y = y'
SLIDE 11
A famous example: RSA-OAEP
For every IND-CCA2 adversary A executing in time t_A there exists an inverter I executing in time t_I such that
$$\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}(A) = \Bigl|\Pr_{\mathrm{IND\text{-}CCA2}}[b = b'] - \tfrac{1}{2}\Bigr| \le \Pr_{\mathrm{POW}(I)}[y = y'] + \frac{2\,q_D\,q_G + q_D + q_G}{2^{k_0}} + \frac{q_D}{2^{k_1}}$$
$$t_I \simeq t_A + q_D\,q_G\,q_H$$
SLIDE 12
A famous example: RSA-OAEP
1994  Bellare and Rogaway: purported proof of chosen-ciphertext security
2001  Shoup; Fujisaki, Okamoto, Pointcheval, Stern: the 1994 proof gives weaker security; the desired security holds
      ◮ for a modified scheme
      ◮ under stronger assumptions
2004  Pointcheval: filled gaps in the Fujisaki et al. 2001 proof
2009  Bellare, Hofheinz, Kiltz: security definition needs to be clarified
2011  BGLZ: machine-checked proof
SLIDE 13
A famous example: RSA-OAEP
Attacks and countermeasures against implementations
1996  Kocher: timing attack
1998  Bleichenbacher: padding (million messages) attack
2001  Boneh, DeMillo, Lipton: fault injection attack
2001  Manger
2012  Machine-checked proof¹ for pseudo-implementation
201?  Machine-checked proof¹ for implementation
¹ Interpret with care
SLIDE 14
The game-playing approach
(Shoup 2004, Bellare & Rogaway 2004, Halevi, 2005)
For every feasible adversary A against scheme S (w.r.t. goal G) there exists a feasible adversary B against assumption H such that Pr_{G_a}[A breaks S] ≤ h(Pr_{G_h}[B breaks H]). The bound is established through a sequence of games:
  Game G_a: ... ← A(...); ...
  Game G_1: ...
  ...
  Game G_h: ... ← B(...); ...
$$\Pr_{G_a}[A \text{ breaks } S] \le h_1\bigl(\Pr_{G_1}[E_1]\bigr) \le \cdots \le h\bigl(\Pr_{G_h}[B \text{ breaks } H]\bigr)$$
SLIDE 15
Example: IND-CPA security of BR93
Game IND-CPA:
  (sk, pk) ← KG(); (m0, m1, σ) ← A1(pk); b ←$ {0,1}; c* ← Enc(pk, m_b); b' ← A2(pk, c*, σ); return b = b'
Enc_pk(m): r ←$ {0,1}^ℓ; s ← G(r) ⊕ m; y ← f_pk(r) ‖ s; return y
G(x): if x ∉ dom(L_G) then L_G[x] ←$ {0,1}^k; return L_G[x]
Game OW: (sk, pk) ← KG(); y ←$ {0,1}^ℓ; y' ← I(f_pk(y)); return y = y'
For every IND-CPA adversary A making at most q_G queries to G, there exists an inverter I against OW such that
$$\Bigl|\Pr_{\mathrm{IND\text{-}CPA}}[b = b'] - \tfrac{1}{2}\Bigr| \le q_G \cdot \mathrm{Succ}^{\mathrm{OW}}_f(I)$$
SLIDE 16
Step 1: failure event
Game G0:
  L_G ← ∅; L^A_G ← [ ];
  (sk, pk) ← KG(); (m0, m1, σ) ← A1(pk); b ←$ {0,1}; r ←$ {0,1}^ℓ;
  g ← G(r); s ← g ⊕ m_b; c* ← f_pk(r) ‖ s; b' ← A2(pk, c*, σ);
Game G1:
  L_G ← ∅; L^A_G ← [ ];
  (sk, pk) ← KG(); (m0, m1, σ) ← A1(pk); b ←$ {0,1}; r ←$ {0,1}^ℓ;
  g ←$ {0,1}^k; s ← g ⊕ m_b; c* ← f_pk(r) ‖ s; b' ← A2(pk, c*, σ);
SLIDE 17
Step 1: failure event
Games G0 and G1 as on the previous slide. The games are equivalent until the adversary queries G with r, hence
$$\Bigl|\Pr_{G_0}[b = b'] - \Pr_{G_1}[b = b']\Bigr| \le \Pr_{G_1}[r \in L^A_G]$$
SLIDE 18
Step 2: optimistic sampling
Game G1:
  L_G ← ∅; L^A_G ← [ ];
  (sk, pk) ← KG(); (m0, m1, σ) ← A1(pk); b ←$ {0,1}; r ←$ {0,1}^ℓ;
  g ←$ {0,1}^k; s ← g ⊕ m_b; c* ← f_pk(r) ‖ s; b' ← A2(pk, c*, σ);
Game G2:
  L_G ← ∅; L^A_G ← [ ];
  (sk, pk) ← KG(); (m0, m1, σ) ← A1(pk); b ←$ {0,1}; r ←$ {0,1}^ℓ;
  s ←$ {0,1}^k; g ← s ⊕ m_b; c* ← f_pk(r) ‖ s; b' ← A2(pk, c*, σ);
SLIDE 19
Step 2: optimistic sampling
Games G1 and G2 as on the previous slide. The games are equivalent and c* is independent from b, hence
$$\Bigl|\Pr_{\mathrm{IND\text{-}CPA}}[b = b'] - \tfrac{1}{2}\Bigr| \le \Pr_{G_2}[r \in L^A_G]$$
SLIDE 20
Step 3: reduction
Game G2:
  L_G ← ∅; L^A_G ← [ ];
  (sk, pk) ← KG(); (m0, m1, σ) ← A1(pk); r ←$ {0,1}^ℓ; s ←$ {0,1}^k;
  c* ← f_pk(r) ‖ s; b' ← A2(pk, c*, σ);
Game OW: (sk, pk) ← KG(); y ←$ {0,1}^ℓ; y' ← I(f_pk(y)); return y = y'
Adversary I(x):
  L_G ← ∅; L^A_G ← [ ];
  (m0, m1, σ) ← A1(pk); s ←$ {0,1}^k; y ← x ‖ s; b' ← A2(pk, y, σ);
  i ←$ [1, |L^A_G|]; return L^A_G[i];
SLIDE 21
Step 3: reduction
Game G2, Game OW and Adversary I as on the previous slide. The inverter wins with probability 1/q_G if r ∈ L^A_G, and 0 otherwise, hence
$$\Bigl|\Pr_{\mathrm{IND\text{-}CPA}}[b = b'] - \tfrac{1}{2}\Bigr| \le q_G \cdot \mathrm{Succ}^{\mathrm{OW}}_f(I)$$
SLIDE 22
pRHL: Relational Hoare Logic for pWHILE
◮ Judgment: c1 ∼ c2 : P ⇒ Q, where P and Q are relations on memories
◮ Validity: c1 ∼ c2 : P ⇒ Q holds iff for all memories m1 and m2, (m1, m2) ∈ P → (c1 m1, c2 m2) ∈ Q♯, where c m denotes the sub-distribution obtained by running c in memory m
◮ ·♯ lifts relations on A × B to relations on D(A) × D(B)
Recommended reading
Yuxin Deng and Wenjie Du. Logical, Metric, and Algorithmic Characterisations of Probabilistic Bisimulation. TR CMU-CS-11-110, Carnegie Mellon University, March 2011
SLIDE 23
Lifting Relations to Distributions
Ψ♯ ⊆ D(A) × D(B) is the smallest relation that satisfies:
◮ If (s, t) ∈ Ψ then (unit(s), unit(t)) ∈ Ψ♯
◮ If (µ_i, ν_i) ∈ Ψ♯ for all i and Σ_i p_i = 1, then $\bigl(\sum_i p_i\,\mu_i,\ \sum_i p_i\,\nu_i\bigr) \in \Psi^\sharp$
SLIDE 24
Lifting Relations to Distributions
Alternatively, (µ1, µ2) Ψ♯ iff there exists µ ∈ D(A × B) s.t.
◮ The 1st projection of µ coincides with µ1
◮ The 2nd projection of µ coincides with µ2
◮ The support of µ is a subset of Ψ
Extensions
This characterization is convenient to consider extensions to
◮ statistical distance
◮ α-distance (for differential privacy)
◮ f-divergence (for Kullback-Leibler or Hellinger distance)
SLIDE 25
Lifting Relations to Distributions
Alternatively, (µ1, µ2) ∈ Ψ♯ iff the maximum flow in the following network is 1:
[Figure: flow network with source ⊥, nodes a1, ..., an, nodes b1, ..., bm and sink ⊤; the edge ⊥ → a_i has capacity µ1(a_i), the edge b_j → ⊤ has capacity µ2(b_j), and there is an edge a_i → b_j whenever (a_i, b_j) ∈ Ψ]
SLIDE 26
Example
c1 ≝ x ←$ {0,1}
c2 ≝ x ←$ {0,1}; y ←$ {0,1}
◮ c1 generates a distribution µ1 over {0,1}
◮ c2 generates a distribution µ2 over {0,1}^2
◮ Consider Ψ ≝ x⟨1⟩ = x⟨2⟩ ⊕ y⟨2⟩. Q: Does (µ1, µ2) ∈ Ψ♯ hold?
[Figure: flow network ⊥ → {0, 1} with capacities 0.5 and 0.5; {00, 01, 10, 11} → ⊤ with capacity 0.25 each]
SLIDE 27
Example
c1, c2, µ1, µ2 and Ψ ≝ x⟨1⟩ = x⟨2⟩ ⊕ y⟨2⟩ as on the previous slide.
Q: Does (µ1, µ2) ∈ Ψ♯ hold? A: Yes, because we can construct a flow of value 1 in the corresponding network.
[Figure: the same network with flow 0.25 on each of the four edges permitted by Ψ (0 → 00, 0 → 11, 1 → 01, 1 → 10), saturating the 0.5 edges out of ⊥ and the 0.25 edges into ⊤]
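The max-flow characterisation above, worked out in code as an added example (not code from the original slides): the network is built from µ1, µ2 and Ψ exactly as on slide 25 and checked with exact rationals, first on the slide 26 example and then on a second relation, x⟨1⟩ = x⟨2⟩ ∧ y⟨2⟩, for which the lifting fails. The Edmonds-Karp routine and the names lifting_flow, lifting_holds, MU1, MU2, psi_xor and psi_and are this example's own.

```python
# Max-flow test for the lifting Ψ♯ of slides 23-27, with exact rationals. Network:
# src -> a (cap. mu1(a)); a -> b when psi(a, b); b -> sink (cap. mu2(b)); in Ψ♯ iff flow = 1.
from collections import defaultdict, deque
from fractions import Fraction

def max_flow(cap, src, sink):
    """Edmonds-Karp on a residual-capacity table cap[u][v]; mutates cap."""
    total = Fraction(0)
    while True:
        parent = {src: None}
        queue = deque([src])
        while queue and sink not in parent:          # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return total
        path, v = [], sink
        while parent[v] is not None:                 # walk back to the source
            path.append((parent[v], v))
            v = parent[v]
        aug = min(cap[u][v] for u, v in path)
        for u, v in path:                            # push flow, open reverse edges
            cap[u][v] -= aug
            cap[v][u] += aug
        total += aug

def lifting_flow(mu1, mu2, psi):
    """Value of the maximum flow; it equals 1 exactly when (mu1, mu2) is in Ψ♯."""
    cap = defaultdict(lambda: defaultdict(Fraction))
    for a, p in mu1.items():
        cap["src"][("L", a)] = Fraction(p)
    for b, p in mu2.items():
        cap[("R", b)]["sink"] = Fraction(p)
    for a in mu1:
        for b in mu2:
            if psi(a, b):                            # total mass is 1, so capacity 1 never binds
                cap[("L", a)][("R", b)] = Fraction(1)
    return max_flow(cap, "src", "sink")

def lifting_holds(mu1, mu2, psi):
    return lifting_flow(mu1, mu2, psi) == 1

# Constructed inputs from slide 26: c1 samples x, c2 samples (x, y), all uniform.
MU1 = {0: Fraction(1, 2), 1: Fraction(1, 2)}
MU2 = {(x, y): Fraction(1, 4) for x in (0, 1) for y in (0, 1)}
def psi_xor(x1, xy): return x1 == xy[0] ^ xy[1]     # Ψ := x<1> = x<2> ⊕ y<2>: lifting holds
def psi_and(x1, xy): return x1 == (xy[0] & xy[1])   # x<1> = x<2> ∧ y<2>: max flow is only 3/4
```

The second relation fails because the mass 1/2 that µ1 puts on x = 1 can only be routed to the single pair (1, 1), which carries mass 1/4 under µ2.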
SLIDE 28
Rules for assignments
Random assignment
If f is 1-1 and Q' ≝ ∀v. Q{x⟨1⟩ := f v, x⟨2⟩ := v}, then
  x ←$ A ∼ x ←$ A : Q' ⇒ Q
◮ Captures a special case of liftings
◮ More general rules exist, but are not implemented
◮ Would still be incomplete
Assignment
  x ← e ∼ x' ← e' : Q{x⟨1⟩ := e⟨1⟩, x'⟨2⟩ := e'⟨2⟩} ⇒ Q
  x ← e ∼ nil : Q{x⟨1⟩ := e⟨1⟩} ⇒ Q
SLIDE 29
Rules for conditionals
Conditionals
Two-sided rule: if P ⇒ e⟨1⟩ = e'⟨2⟩, c1 ∼ c'1 : P ∧ e⟨1⟩ ⇒ Q and c2 ∼ c'2 : P ∧ ¬e⟨1⟩ ⇒ Q, then
  if e then c1 else c2 ∼ if e' then c'1 else c'2 : P ⇒ Q
One-sided rule: if c1 ∼ c : P ∧ e⟨1⟩ ⇒ Q and c2 ∼ c : P ∧ ¬e⟨1⟩ ⇒ Q, then
  if e then c1 else c2 ∼ c : P ⇒ Q
Loops
◮ Two-sided rule: loops make the same number of iterations
◮ One-sided rules: loop unrolling (left or right)
◮ Advanced loop optimizations through product construction (not integrated in EasyCrypt)
SLIDE 30
Adversaries
If for every oracle O, z ← O(w⃗) ∼ z ← O(w⃗) : Q ∧ =_W ⇒ Q ∧ =_{z}, then
  x ← A(y⃗) ∼ x ← A(y⃗) : Q ∧ =_Y ⇒ Q ∧ =_{x}
◮ Adversaries are sequences of oracle calls
◮ No functional specification
◮ Given the same inputs, provide the same outputs
SLIDE 31
Cryptographic reasoning with pRHL
pRHL captures common patterns in cryptographic proofs
◮ Failure events: if c1 ∼ c2 : P ⇒ (¬F⟨2⟩ → (Q1⟨1⟩ ↔ Q2⟨2⟩)) then (m1, m2) ∈ P implies |Pr_{c1,m1}[Q1] − Pr_{c2,m2}[Q2]| ≤ Pr_{c2,m2}[F]
◮ Bridging steps: if c1 ∼ c2 : P ⇒ = then for all events Q, (m1, m2) ∈ P implies Pr_{c1,m1}[Q] = Pr_{c2,m2}[Q] (pRHL subsumes observational equivalence / probabilistic non-interference and validates many compiler optimizations)
◮ Reductions: if c1 ∼ c2 : P ⇒ (Q1⟨1⟩ → Q2⟨2⟩), then (m1, m2) ∈ P implies Pr_{c1,m1}[Q1] ≤ Pr_{c2,m2}[Q2]
◮ Eager/lazy sampling
SLIDE 32
Tool support and examples
CertiCrypt: formally verified Coq libraries
◮ Optimizations and probabilistic relational Hoare logic
◮ Verified against operational semantics based on ALEA
EasyCrypt: SMT-based verification tool
◮ Probabilistic relational Hoare logic
◮ Verification condition generation + Why3 back-end
◮ Accessible to cryptographers
Examples
◮ Crypto: public-key encryption, block ciphers, signatures, hash designs, zero-knowledge proofs of knowledge, authenticated key exchange protocols
◮ Differential privacy: continuous statistics, approximation algorithms, synthetic databases, 2-party computation
SLIDE 33
The story so far
A unifying formalism to justify cryptographic proofs, but:
◮ no instantiation mechanism
◮ no proof-theoretical analysis of cryptographic reasoning
◮ no proof discovery mechanism
◮ no systematic analysis of classes of cryptographic systems
Challenges and opportunities
◮ mechanisms for modular proofs
◮ domain-specific logics and proof search algorithms
◮ decision procedures
◮ exhaustive exploration and practical interpretation
SLIDE 34
Modular proofs
◮ OAEP is a generic conversion: it transforms a one-way function into an IND-CCA2 scheme
◮ Many cryptographic constructions are generic conversions
Careful with instantiation/indifferentiability
◮ Instantiated schemes often expose more state than assumed in generic proofs. Probabilistic encapsulation quantifies the amount of information leaked by instantiation
◮ Generic conversions hinge on negative hypotheses. Our modules integrate negative constraints that can be verified during instantiation
Applications (ongoing):
◮ Authenticated key exchange
◮ Modes of operation
SLIDE 35
Automated proofs and exploration
The next 700 cryptosystems (after Landin, 1966)
Do the cryptosystems reflect [...] the situations that are being catered for? Or are they accidents of history and personal background that may be obscuring fruitful developments? [...] We must think in terms, not of cryptosystems, but of families of cryptosystems. That is to say we must systematize their design so that a new system is a point chosen from a well-mapped space, rather than a laboriously devised construction.
SLIDE 36
An algebraic view of padding-based schemes
Encryption algorithms are modelled as algebraic expressions:
E ::= m          input message
    | 0          zero bitstring
    | R          uniform random bitstring
    | E ⊕ E      xor
    | E ‖ E      concatenation
    | [E]^s_s    projection
    | H(E)       hash
    | f(E)       trapdoor permutation
Decryption algorithms are modelled using list comprehension: [x⃗ ←_c L^A_H : T ⊲ e], where
T ::= e = e | e ∈ L_H | e ∈ L^A_H | T ∧ T
SLIDE 37
Semantics
Left-to-right evaluation with sharing yields a pWHILE procedure.
Example: f((G(r) ⊕ (m ‖ 0)) ‖ (H(G(r) ⊕ (m ‖ 0)) ⊕ r)) is interpreted as
  r ←$ {0,1}^k; g ← G(r); s ← g ⊕ (m ‖ 0); h ← H(s); return f_pk(s ‖ (h ⊕ r))
SLIDE 38
Deducibility
[Conc]  e ⊢ e1,  e ⊢ e2        ⟹  e ⊢ e1 ‖ e2
[Xor]   e ⊢ e1,  e ⊢ e2        ⟹  e ⊢ e1 ⊕ e2
[Proj]  e ⊢ e'                 ⟹  e ⊢ [e']^ℓ_n
[Conv]  e ⊢ e1,  ⊢_w e1 = e2   ⟹  e ⊢ e2
[H]     e ⊢ e'                 ⟹  e ⊢ H(e')
[F]     e ⊢ e'                 ⟹  e ⊢ f(e')
[Finv]  e ⊢ e'                 ⟹  e ⊢ f^{-1}(e')
Convertibility
◮ Based on equational theory of bitstrings
◮ Decidable for probabilistic expressions without H, f, f^{-1}
Useful for
◮ Expressing proof rules
◮ Discovering decryption algorithm and finding attacks
SLIDE 39
Proof principles
Chosen-plaintext security
◮ Failure event: replace H(e) by fresh r
◮ Optimistic sampling: replace e ⊕ r, where r is fresh, by r
◮ Permutation: replace f(r), where r is fresh, by r
◮ Probability: compute probability of b = b' or e ∈ L
◮ Reduction: find inverter and apply one-wayness
Chosen-ciphertext security
◮ Extensionality: replace e or d by equivalent ones
◮ Plaintext extractor: "public" decryption oracle can be eliminated
Completeness:
◮ Holds empirically for IND-CPA
◮ Fails for IND-CCA2: RO not programmable
SLIDE 40
Proof system for IND-CPA
Side-conditions apply.
[Indep]  m ∈ V(c*)  ⟹  c* : 1/2 Guess
[Indom]  e ⊢ r⃗,  r⃗ ∩ R(c*) = ∅  ⟹  c* : q_H · 2^{−|r⃗|} (e ∈ L^A_H)
[OW]     e ⊢_A t[r⃗]_ℓ,  f(r⃗) R(c*{0/f(r⃗)}) V(c*) ⊢_A t' c*  ⟹  c* : Succ^OW q_H ℓ Θ(t'') (e ∈ L^A_H)
Soundness
◮ Once and for all
  + "global" guarantee; relatively simple and intuitive
  + avoids resorting to intermediate framework
◮ By generating a pRHL/EasyCrypt proof for each scheme
  + limits Trusted Computing Base
  + proofs can be combined and reused
  − currently restricted to IND-CPA
SLIDE 41
Systematic exploration
◮ Generate well-typed terms up to user-defined constraints
◮ Check for decryption algorithm and attacks
◮ Launch proof search (strategy + backtracking)
◮ Compile successful runs to EasyCrypt (for IND-CPA)
◮ Practical interpretation
Searching attacks
◮ IND-CPA
  is decryption possible without a key?        m ‖ f(r)
  is encryption randomized?                     f(m)
  is randomness extractable without a key?      r ‖ f(m ⊕ r)
◮ IND-CCA2
  is encryption malleable?                      f(r) ‖ (m ⊕ G(r))
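A small deducibility checker for the algebraic model of slides 36, 38 and 41, added here as an example (not the authors' tool): terms are xor-sums with cancellation, the closure applies the rules Proj, Xor, Conv, H and F, and Finv is applied only when the key holder is modelled, which separates decryption-algorithm discovery from the key-less attack checks. Oracle names such as G and the helper names atom, subterms, deducible and analyse are this example's own conventions; the IND-CCA2 malleability check is not covered.

```python
# Algebraic model of padding-based encryption (slides 36-41). A term is an xor-sum
# stored as a frozenset of atoms (empty set = zero bitstring), so xor with
# cancellation (rule Conv) is symmetric difference. Atoms: ('m',), ('r', name),
# ('cat', t, u), ('H', name, t), ('f', t). Names like 'G' and 'r' are illustrative.
def atom(a): return frozenset({a})

M = atom(('m',))                                  # the input message
def R(name): return atom(('r', name))             # uniform random bitstring
def xor(t, u): return t ^ u                       # Xor with cancellation
def cat(t, u): return atom(('cat', t, u))         # concatenation
def H(name, t): return atom(('H', name, t))       # random-oracle hash
def f(t): return atom(('f', t))                   # trapdoor permutation

def subterms(t):
    """Every term occurring inside t, t itself included."""
    out = {t}
    for a in t:
        out |= set().union(*(subterms(x) for x in a[1:] if isinstance(x, frozenset)))
    return out

def deducible(c, with_sk=False, rounds=3):
    """Terms derivable from ciphertext c by Proj, Xor, Conv, H, F and (only if with_sk)
    Finv. H and f are applied just to arguments occurring in c; `rounds` bounds saturation."""
    apps = {a for t in subterms(c) for a in t if a[0] in ('H', 'f')}
    known = {c}
    for _ in range(rounds):
        new = set(known)
        for t in known:
            for u in known:
                new.add(xor(t, u))                                # Xor / Conv
            if len(t) == 1:
                (a,) = t
                if a[0] == 'cat':                                 # Proj
                    new |= {a[1], a[2]}
                if with_sk and a[0] == 'f':                       # Finv
                    new.add(a[1])
        new |= {atom(a) for a in apps if a[-1] in new}            # H, F
        known = new
    return known

def analyse(c):
    """The IND-CPA sanity checks of slide 41 for an encryption expression c."""
    public = deducible(c)
    return {
        "randomized": any(a[0] == 'r' for t in subterms(c) for a in t),
        "message_recoverable_without_sk": M in public,
        "randomness_recoverable_without_sk": any(
            len(t) == 1 and next(iter(t))[0] == 'r' for t in public),
        "decryptable_with_sk": M in deducible(c, with_sk=True),
    }
BR93 = cat(f(R('r')), xor(M, H('G', R('r'))))   # constructed: f(r) || (m ⊕ G(r))
```

On the three slide 41 witnesses analyse flags exactly the listed defect, while for BR93 it reports no key-less recovery of m or r and finds the decryption route f^{-1}, G, xor when the key is available.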
SLIDE 42
Experiments
◮ Analyzed over 100 variants of OAEP
◮ Applied crawler with many different size constraints; filters discard over 99% of candidates
◮ Incomplete, but experimentally ok.
Some numbers:
OP   GEN      ¬CPA     CPA     ¬CCA    CCA
4    2        2        2
5    44       27       12      9
6    419      244      104     68      1
7    4131     2392     883     537     39
8    41860    24166    7850    4424    436
9    275318   155669   54884   27697   3750
SLIDE 43
ZAEP
Two minimal schemes:
  BR93: f(r) ‖ (G(r) ⊕ m)
  ZAEP: f(r ‖ (G(r) ⊕ m))
ZAEP is redundancy-free: Dec(c): r ‖ t ← f_sk^{-1}(c); g ← G(r); return t ⊕ g
IND-CCA security of ZAEP for RSA exponent 2 and 3:
$$\Bigl|\Pr_{\mathrm{IND\text{-}CCA2}}[b = b'] - \tfrac{1}{2}\Bigr| \le \mathrm{Succ}^{\mathrm{OW}}_f(I) + \frac{q_D}{2^n}$$
Based on the existence of two efficient algorithms:
◮ CIE: given f(r, s1), f(r, s2) with s1 ≠ s2, returns s1, s2 and r
◮ SIE: given f(r, s) and r, returns s
SLIDE 44