

SLIDE 1

Computer-aided security proofs for the working cryptographer

Gilles Barthe Benjamin Grégoire Sylvain Heraud Santiago Zanella Béguelin

CRYPTO’11, August 15 2011

1 Monday, August 15, 2011

SLIDE 2–4

A plea for computer-aided cryptographic proofs

A problem with security proofs

  • "Do we have a problem with cryptographic proofs? Yes, we do [...] We generate more proofs than we carefully verify (and as a consequence some of our published proofs are incorrect)" (Halevi, 2005)
  • "In our opinion, many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor" (Bellare and Rogaway, 2004-2006)

A plausible solution

  • "I advocate creating an automated tool to help us [...] writing and checking [...] our proofs" (Halevi, 2005)
  • "The possibility for tools [to help write and verify proofs] has always been one of our motivations, and one of the reasons why we focused on code-based games" (Bellare and Rogaway, 2004-2006)

  • A plausible approach to computer-aided cryptographic proofs. Halevi, 2005
  • Code-Based Game-Playing Proofs and the Security of Triple Encryption. Bellare and Rogaway, 2004-2006

SLIDE 5–13

A primer on computer-aided proofs

Correctness from first principles / Manual review / Automated checking

Examples of machine-checked proofs: Kepler conjecture, 4 colour theorem, C compiler, seL4, HyperV

Lemma : ∀ r : R, ∃ n : N, r < n

Proof.
  intros r; exists (⌈r⌉ + 1).
  (* nceil_spec r is the specification of the ceiling ⌈r⌉;
     its second conjunct is exactly r < ⌈r⌉ + 1 *)
  destruct (nceil_spec r) as (_, H); exact H.
Qed.

SLIDE 14–17

From CertiCrypt to EasyCrypt

CertiCrypt: formal framework for security proofs

  • Code-based game-based technique
  • Independently verifiable proofs
  • Applied to FDH, OAEP, Sigma-Protocols, IBE
  • But it demands a high level of Coq expertise and a lot of time

Simplify: exploit state-of-the-art program verification tools!

Computer-assisted security proofs

  • With moderate effort
  • Using off-the-shelf tools

SLIDE 18–28

The essence of game-based proofs

(figure only; no text survives on these frames)

SLIDE 29–40

Automated verification of proof sketches

(figure: proof-sketch workflow, labelled Inline, Eager sampling, Relational invariant, Witness, Check VC, Simplify)

EasyCrypt proof sketch for the first game hop:

equiv Fact1 : INDCPA.Main ~ G1.Main : {true} ==> ={res}
  inline KG, Enc; derandomize; auto inv ={L,LA}; pop{2} 1; repeat rnd; trivial;;
save;;

claim Pr1 : INDCPA.Main[res] == G1.Main[res] using Fact1;;

The equiv judgement states that INDCPA.Main and G1.Main, started from any pair of memories (precondition {true}), end with the same value of res (postcondition ={res}). The tactics inline the procedures KG and Enc, move the random samplings to the front (derandomize), relate the adversary calls under the invariant ={L,LA}, reorder one statement of the second program (pop{2} 1) and couple the remaining samplings pairwise (repeat rnd). The claim then derives equality of the two probabilities from Fact1.

Kinds of game transitions:

  • Bridging steps: lazy sampling, code motion, algebraic equivalences
  • Failure events
  • Reduction steps
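The proof sketch asserts that INDCPA.Main and G1.Main have the same probability of res without ever running either game. The Python program below, added here as an illustration and not code from the slides or from EasyCrypt, makes the same kind of claim checkable by brute force on a toy instance: ElGamal over the constructed group Z_11^* (generator 2, order 10, hopelessly insecure), a constructed deterministic adversary, and games written as functions that draw their coins from a tape in program order, the way derandomize pulls every rnd to the front. Because the coin spaces are finite, every tape can be enumerated and Pr[res] computed exactly: the bridging step from INDCPA.Main to G1.Main (inline, eager sampling, code motion) preserves Pr[res], while the DDH hop to a G2.Main that replaces the mask g^(xy) by g^z leaves any adversary with Pr[res] = 1/2. The gap between the two is what a reduction step must bound, and that is the one step enumeration cannot replace. The game names, the adversary and the group parameters are assumptions of this example.

```python
"""Exhaustive check of two game hops for ElGamal IND-CPA on a toy group.

Constructed example, not code from the slides or from EasyCrypt. Each game reads
its coins from a tape in program order, as EasyCrypt's `derandomize` would lay
them out, so Pr[res] can be computed exactly by enumerating every tape.
"""
from fractions import Fraction
from itertools import product

# Constructed toy group: Z_11^*, generator 2, order 10. Far too small to be
# secure; DDH is broken here by quadratic residuosity, which the adversary
# below exploits.
P, G, Q = 11, 2, 10


def legendre(a):
    """Euler's criterion in Z_P^*: 1 if a is a quadratic residue, -1 otherwise."""
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1


class ToyAdversary:
    """Deterministic IND-CPA adversary (constructed): picks a non-residue and a
    residue as m0/m1 and recovers the residuosity of the mask g^(xy) from pk and c1."""

    def choose(self, pk):
        return 2, 3                        # m0 = 2 (non-residue mod 11), m1 = 3 (residue)

    def guess(self, pk, c):
        c1, c2 = c
        # g is a generator, hence a non-residue, so g^k is a residue iff k is even;
        # g^(xy) is therefore a residue iff pk = g^x or c1 = g^y is one.
        mask_is_qr = legendre(pk) == 1 or legendre(c1) == 1
        mb_is_qr = (legendre(c2) == 1) == mask_is_qr
        return 1 if mb_is_qr else 0


def indcpa_main(adv, coins):
    """INDCPA.Main as usually written: KG and Enc draw their coins where they run."""
    x = next(coins)                        # KG:  x <$ Z_q
    pk = pow(G, x, P)
    m0, m1 = adv.choose(pk)
    b = next(coins)                        # b <$ {0,1}
    y = next(coins)                        # Enc: y <$ Z_q
    c = (pow(G, y, P), pow(pk, y, P) * (m1 if b else m0) % P)
    return adv.guess(pk, c) == b


indcpa_main.spaces = (range(Q), range(2), range(Q))   # coin spaces, in program order


def g1_main(adv, coins):
    """G1.Main: KG/Enc inlined, every coin drawn up front, mask written as g^(xy)
    (the inline / derandomize / code-motion bridging step)."""
    x, y, b = next(coins), next(coins), next(coins)
    pk = pow(G, x, P)
    m0, m1 = adv.choose(pk)
    c = (pow(G, y, P), pow(G, x * y % Q, P) * (m1 if b else m0) % P)
    return adv.guess(pk, c) == b


g1_main.spaces = (range(Q), range(Q), range(2))


def g2_main(adv, coins):
    """G2.Main: the DDH hop, g^(xy) replaced by g^z for an independent z. Bounding
    |Pr[G1 : res] - Pr[G2 : res]| by the DDH advantage is the reduction step that
    only a proof, not enumeration, can establish."""
    x, y, z, b = next(coins), next(coins), next(coins), next(coins)
    pk = pow(G, x, P)
    m0, m1 = adv.choose(pk)
    c = (pow(G, y, P), pow(G, z, P) * (m1 if b else m0) % P)
    return adv.guess(pk, c) == b


g2_main.spaces = (range(Q), range(Q), range(Q), range(2))


def pr_res(game, adv):
    """Exact Pr[game : res] by enumerating every tape over the game's coin spaces."""
    tapes = list(product(*game.spaces))
    wins = sum(1 for tape in tapes if game(adv, iter(tape)))
    return Fraction(wins, len(tapes))


if __name__ == "__main__":
    adv = ToyAdversary()
    for game in (indcpa_main, g1_main, g2_main):
        print(f"Pr[{game.__name__} : res] = {pr_res(game, adv)}")
```

Running the script prints Pr[res] for the three games: 1 for both indcpa_main and g1_main (this group leaks residuosity, so the toy adversary always wins, and the two games agree exactly, which is the content of Pr1) and 1/2 for g2_main. Enumeration scales only to toy parameters; the point is that a bridging step is a claim about two concrete programs, which is why EasyCrypt can discharge it with program-verification tools rather than with a hand-written argument.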

SLIDE 41

Case studies

Proof size (lines):

  Example             CertiCrypt   EasyCrypt
  ElGamal                    565         190
  Hashed ElGamal            1255         243
  Full-Domain Hash          2035         509
  Cramer-Shoup               n/a        1637
  OAEP                     11162         n/a

Significant reduction in:

  • script size (from 2× down to 1/5 of the size of the sequence of games it verifies)
  • development time (~10 times faster)
  • learning time

Cramer-Shoup encryption system: 10 games, 1650 lines of EasyCrypt, ~100 lines of Coq

SLIDE 42–43

Perspectives

Computer-assisted security proofs

  • Can be built with moderate effort
  • Using off-the-shelf tools
  • Producing independently verifiable evidence
  • Work for a challenging example: Cramer-Shoup encryption

  • Distribute (http://certicrypt.gforge.inria.fr/)
  • Improve and extend
  • More examples: SHA3, differential privacy