deciding indistinguishability a decision result for a set
play

Deciding Indistinguishability: A Decision Result for a Set of - PowerPoint PPT Presentation

Mar 21, 2024 •16 likes •746 views

Deciding Indistinguishability: A Decision Result for a Set of Cryptographic Game Transformations Adrien Koutsos March 13, 2018 Adrien Koutsos Deciding Indistinguishability March 13, 2018 1 / 37 Introduction 1 The Model 2 Game

  1. Deciding Indistinguishability: A Decision Result for a Set of Cryptographic Game Transformations Adrien Koutsos March 13, 2018 Adrien Koutsos Deciding Indistinguishability March 13, 2018 1 / 37

  2. Introduction 1 The Model 2 Game Transformations 3 Basic Games Game Transformations Decision Result 4 Conclusion 5 Adrien Koutsos Deciding Indistinguishability March 13, 2018 2 / 37

  3. Introduction Motivation Security protocols are distributed programs which aim at providing some security properties. They are extensively used, and bugs can be very costly. Security protocols are often short, but the security properties are complex. ⇒ Need to use formal methods. Adrien Koutsos Deciding Indistinguishability March 13, 2018 3 / 37

  4. Introduction Goal of this work We focus on fully automatic proofs of indistinguishability properties in the computational model: Computational model: the adversary is any probabilistic polynomial time Turing machine . This offers strong security guarantees. Indistinguishability properties: e.g. strong secrecy, anonymity or unlinkability. Fully automatic: we want a complete decision procedure. Adrien Koutsos Deciding Indistinguishability March 13, 2018 4 / 37

  5. The Private Authentication Protocol $ A’ : n A’ ← $ B : n B ← 1 : A’ − → B : {� pk ( A’ ) , n A’ �} pk ( B ) � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise Adrien Koutsos Deciding Indistinguishability March 13, 2018 5 / 37

  6. Introduction 1 The Model 2 Game Transformations 3 Basic Games Game Transformations Decision Result 4 Conclusion 5 Adrien Koutsos Deciding Indistinguishability March 13, 2018 6 / 37

  7. Model: Messages Messages In the computational model, a message is a distribution over bitstrings . We only consider distribution built using: Random uniform sampling n A , n B . . . over { 0 , 1 } η . Function applications: A , B , � _ , _ � , π i ( _ ) , { _ } _ , pk ( _ ) , sk ( _ ) , if _ then _ else _ . . . . Adrien Koutsos Deciding Indistinguishability March 13, 2018 7 / 37

  8. Model: Messages Messages In the computational model, a message is a distribution over bitstrings . We only consider distribution built using: Random uniform sampling n A , n B . . . over { 0 , 1 } η . Function applications: A , B , � _ , _ � , π i ( _ ) , { _ } _ , pk ( _ ) , sk ( _ ) , if _ then _ else _ . . . . Examples � n A , A � {� pk ( A’ ) , n A’ �} pk ( B ) π 1 ( n B ) Adrien Koutsos Deciding Indistinguishability March 13, 2018 7 / 37

  9. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise How do we represent the adversary’s inputs? Adrien Koutsos Deciding Indistinguishability March 13, 2018 8 / 37

  10. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise How do we represent the adversary’s inputs? We use special functions symbols g , g 0 , g 1 . . . . Adrien Koutsos Deciding Indistinguishability March 13, 2018 8 / 37

  11. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise How do we represent the adversary’s inputs? We use special functions symbols g , g 0 , g 1 . . . . Intuitively, they can be any probabilistic polynomial time algorithm . Moreover, branching of the protocol is done using if _ then _ else _. Adrien Koutsos Deciding Indistinguishability March 13, 2018 8 / 37

  12. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise Adrien Koutsos Deciding Indistinguishability March 13, 2018 9 / 37

  13. Model: Messages The Private Authentication Protocol 1 : A’ − → B {� pk ( A’ ) , n A’ �} pk ( B ) : � {� n A’ , n B �} pk ( A ) if pk ( A’ ) = pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise Term Representing the Messages in PA t 1 = {� pk ( A’ ) , n A’ �} pk ( B ) t 2 = if EQ ( π 1 ( dec ( g ( t 1 ) , sk ( B ))); pk ( A )) then {� π 2 ( dec ( g ( t 1 ) , sk ( B ))) , n B �} pk ( A ) else {� n B , n B �} pk ( A ) Adrien Koutsos Deciding Indistinguishability March 13, 2018 9 / 37

  14. Model: Protocol Execution Protocol Execution The execution of a protocol P is a sequence of terms using adversarial function symbols: u P 0 , . . . , u P n where u P i is the i -th message sent on the network by P . Adrien Koutsos Deciding Indistinguishability March 13, 2018 10 / 37

  15. Model: Protocol Execution Protocol Execution The execution of a protocol P is a sequence of terms using adversarial function symbols: u P 0 , . . . , u P n where u P i is the i -th message sent on the network by P . Remark Only possible for a bounded number of sessions. The sequence of terms can be automatically computed ( folding ). Adrien Koutsos Deciding Indistinguishability March 13, 2018 10 / 37

  16. Model: Security Property Indistinguishability Properties Two protocols P and Q are indistinguishable if every adversary A loses the following game: We toss a coin b . If b = 0, then A interacts with P . Otherwise A interacts with Q . Remark: A is an active adversary (it is the network). After the protocol execution, A outputs a guess b ′ for b . A wins if it guesses correctly with probability better than ≈ 1/2 . Adrien Koutsos Deciding Indistinguishability March 13, 2018 11 / 37

  17. Model: Security Properties Proposition P and Q are indistinguishable ⇔ u P 0 , . . . , u P n and u Q 0 , . . . , u Q n are indistinguishable ⇔ u P 0 , . . . , u P u Q 0 , . . . , u Q ∼ n n Adrien Koutsos Deciding Indistinguishability March 13, 2018 12 / 37

  18. Model: Security Properties Proposition P and Q are indistinguishable ⇔ u P 0 , . . . , u P n and u Q 0 , . . . , u Q n are indistinguishable ⇔ u P 0 , . . . , u P u Q 0 , . . . , u Q ∼ n n Example: Privacy for PA t A 1 , t A t A’ 1 , t A’ ∼ 2 2 Adrien Koutsos Deciding Indistinguishability March 13, 2018 12 / 37

  19. Model: Summary Summary Messages are represented by terms , which are built using names N and function symbols F . A protocol execution is represented by a sequence of terms. Indistinguishability properties are expressed through games: u P 0 , . . . , u P u Q 0 , . . . , u Q ∼ n n Adrien Koutsos Deciding Indistinguishability March 13, 2018 13 / 37

  20. Introduction 1 The Model 2 Game Transformations 3 Basic Games Game Transformations Decision Result 4 Conclusion 5 Adrien Koutsos Deciding Indistinguishability March 13, 2018 14 / 37

  21. Basic Games Basic Games We know that some indistinguishability games are secure: Using α -renaming of random samplings: n A , n B ∼ n C , n D Adrien Koutsos Deciding Indistinguishability March 13, 2018 15 / 37

  22. Basic Games Basic Games We know that some indistinguishability games are secure: Using α -renaming of random samplings: n A , n B ∼ n C , n D Using probabilistic arguments: � t ⊕ n A ∼ n B when n A �∈ st ( t ) , EQ ( t ; n A ) ∼ false Adrien Koutsos Deciding Indistinguishability March 13, 2018 15 / 37

  23. Basic Games Basic Games We know that some indistinguishability games are secure: Using α -renaming of random samplings: n A , n B ∼ n C , n D Using probabilistic arguments: � t ⊕ n A ∼ n B when n A �∈ st ( t ) , EQ ( t ; n A ) ∼ false Using cryptographic assumptions on the security primitives, e.g. if { _ } _ , dec ( _ , _ ) , pk ( _ ) , sk ( _ ) is ind-cca1 . Adrien Koutsos Deciding Indistinguishability March 13, 2018 15 / 37

  24. Cryptographic assumptions: ind-cca1 Challenger A $ ← { 0 , 1 } ; b pk ( pk , sk ) ← KG ( 1 η ); c 1 x 1 := dec ( c 1 , sk ); x 1 · · · c n x n := dec ( c n , sk ); x n ( m 0 , m 1 ) y := { m b } pk ; y b ′ b = b ′ ? Adrien Koutsos Deciding Indistinguishability March 13, 2018 16 / 37

  25. Basic Game: Cryptographic Assumptions Enc CCA1 Games: � v , { m 0 } pk ∼ � v , { m 1 } pk Adrien Koutsos Deciding Indistinguishability March 13, 2018 17 / 37

  26. Basic Game: Cryptographic Assumptions Enc CCA1 Games: � v , { m 0 } pk ∼ � v , { m 1 } pk Assuming: sk occurs only in decryption position in � v , m 0 , m 1 . Theorem The Enc CCA1 games are secure when the encryption and decryption function are an ind-cca1 encryption scheme. Adrien Koutsos Deciding Indistinguishability March 13, 2018 17 / 37

  27. Basic Game: Cryptographic Assumptions Enc CCA1 Games: � v , { m 0 } pk ∼ � v , { m 1 } pk Assuming: sk occurs only in decryption position in � v , m 0 , m 1 . Theorem The Enc CCA1 games are secure when the encryption and decryption function are an ind-cca1 encryption scheme. Other cryptographic assumptions ind-cpa , ind-cca2 , cr , prf , euf-cma . . . Adrien Koutsos Deciding Indistinguishability March 13, 2018 17 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Deciding about deciding: Early Christian communal decision-making in Acts Professor Steve

Deciding about deciding: Early Christian communal decision-making in Acts Professor Steve

The 2017 Paradosis lecture Rachel Dolezal Deciding about deciding: Early Christian communal decision-making in Acts Professor Steve Walton St Marys University, Twickenham (London, UK) 1 2 The importance of the communal in Acts

457 views • 6 slides
When can an FPT decision algorithm be used to count? January 2016 Kitty Meeks Deciding,

When can an FPT decision algorithm be used to count? January 2016 Kitty Meeks Deciding,

When can an FPT decision algorithm be used to count? January 2016 Kitty Meeks Deciding, counting and enumerating DECISION Is there a witness? 2/19 Deciding, counting and enumerating DECISION Is there a witness? APPROX COUNTING

918 views • 67 slides
Explaining the result of a Decision Tree to the End-User Isabelle Alvarez 1 2 Abstract. This

Explaining the result of a Decision Tree to the End-User Isabelle Alvarez 1 2 Abstract. This

Explaining the result of a Decision Tree to the End-User Isabelle Alvarez 1 2 Abstract. This paper addresses the problem of the explanation of tests that are in the trace can have no consequences on the result. the result given by a decision

548 views • 6 slides
On deciding satisfiability by DPLL(+ T ) and unsound theorem proving Maria Paola Bonacina 1

On deciding satisfiability by DPLL(+ T ) and unsound theorem proving Maria Paola Bonacina 1

Outline Motivation: reasoning for SW verification Idea: Unsound theorem proving to get decision procedures DPLL( + T ) with UTP: SMT-solver+Superposition+UTP Decision procedures for type systems Discussion On deciding satisfiability by

687 views • 39 slides
Decision Making Under Decision Making . . . General Set Uncertainty: Proof of This Result

Decision Making Under Decision Making . . . General Set Uncertainty: Proof of This Result

Need for Decision . . . From Interval to Set . . . Additivity: the Main . . . Decision Making . . . Decision Making Under Decision Making . . . General Set Uncertainty: Proof of This Result Remaining Problem Additivity Approach Main Result

519 views • 22 slides
Decision Procedures An Algorithmic Point of View Deciding ILPs with Branch & Bound ILP

Decision Procedures An Algorithmic Point of View Deciding ILPs with Branch & Bound ILP

Decision Procedures An Algorithmic Point of View Deciding ILPs with Branch & Bound ILP References: Integer Programming / Laurence Wolsey Intro. To mathematical programming / Hillier, Lieberman Daniel Kroening and Ofer

315 views • 19 slides
Decision Making 1 Decision Making Skills Establishing a positive decision-making environment.

Decision Making 1 Decision Making Skills Establishing a positive decision-making environment.

Decision Making 1 Decision Making Skills Establishing a positive decision-making environment. Generating potential solutions. Evaluating the solutions. Deciding. How did you score? Checking the decision. Communicating and

938 views • 50 slides
Deciding for others: the ethics of substituted decision making Dr. Jocelyn Chase Geriatric

Deciding for others: the ethics of substituted decision making Dr. Jocelyn Chase Geriatric

Deciding for others: the ethics of substituted decision making Dr. Jocelyn Chase Geriatric Medicine, UBC Clinical Instructor PHC Ethics Fellow Presenter Disclosure Presenter: Jocelyn Chase Relationships with financial sponsors: None

793 views • 51 slides
How to Estimate Hurwicz Our Result Value of the Union of Two Our Result (cont-d) References

How to Estimate Hurwicz Our Result Value of the Union of Two Our Result (cont-d) References

Decision Making . . . Decision Under . . . Question How to Estimate Hurwicz Our Result Value of the Union of Two Our Result (cont-d) References Intervals If We Know the Home Page Hurwicz Values for Both Title Page Intervals?

385 views • 7 slides
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation

Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation

Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation Dan Boneh Mark Zhandry Stanford University {dabo, zhandry}@cs.stanford.edu Abstract In this work, we show how to use indistinguishability

780 views • 49 slides
Why Convex Optimization Need to Consider . . . Is Ubiquitous and Why Main Result Decision

Why Convex Optimization Need to Consider . . . Is Ubiquitous and Why Main Result Decision

Decision Making . . . What If the Problem . . . How to Describe Final . . . Describing Final . . . Why Convex Optimization Need to Consider . . . Is Ubiquitous and Why Main Result Decision Making . . . Pessimism Is Widely Spread When Is

234 views • 19 slides
Decidability of a Sound Set of Inference Rules for Computational Indistinguishability Adrien

Decidability of a Sound Set of Inference Rules for Computational Indistinguishability Adrien

Decidability of a Sound Set of Inference Rules for Computational Indistinguishability Adrien Koutsos LSV, CNRS, ENS Paris-Saclay June 29, 2019 Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 1 / 34 Introduction Motivation

1.06k views • 76 slides
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey Indian Statistical Institute Kolkata January 14, 2012 Sumit Kumar Pandey Relaxing IND-CCA: Indistinguishability Against Chosen Outline 1

624 views • 37 slides
Limits on the Power of Indistinguishability Obfuscation Gilad Asharov Gil Segev Limits on the

Limits on the Power of Indistinguishability Obfuscation Gilad Asharov Gil Segev Limits on the

Limits on the Power of Indistinguishability Obfuscation Gilad Asharov Gil Segev Limits on the Power of iO Limits on the Power of Indistinguishability Obfuscation (and Functional Encryption) FOCS 2015 On Constructing One-Way

841 views • 47 slides
$ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

$ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

Presentation Slides $ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I really need this item? Is it worth the time I spend making the money to pay for it? Is there a better use for my money

489 views • 18 slides
Deciding Bit-Vector Formulas with mcSAT Aleksandar Zelji c Uppsala University Philipp R

Deciding Bit-Vector Formulas with mcSAT Aleksandar Zelji c Uppsala University Philipp R

Deciding Bit-Vector Formulas with mcSAT Aleksandar Zelji c Uppsala University Philipp R ummer Christoph Wintersteiger Uppsala University Microsoft Research SMT Workshop July 1 st , 2016 We present... A novel decision procedure for the

821 views • 39 slides
Modular Implementation of Programming Languages and a Partial Order Approach to Infinitary

Modular Implementation of Programming Languages and a Partial Order Approach to Infinitary

Modular Implementation of Programming Languages and a Partial Order Approach to Infinitary Rewriting Patrick Bahr paba@diku.dk University of Copenhagen Department of Computer Science PhD Defence 30 November 2012 two The Big Pictures

785 views • 33 slides
The Dependency Pair Technique Proving Termination of Term Rewrite Systems Hannes Saffrich

The Dependency Pair Technique Proving Termination of Term Rewrite Systems Hannes Saffrich

Program Analysis Seminar The Dependency Pair Technique Proving Termination of Term Rewrite Systems Hannes Saffrich University of Freiburg Department of Computer Science June 30, 2015 Hannes Saffrich The Dependency Pair Technique Program

441 views • 23 slides
Computer Supported Modeling and Reasoning David Basin, Achim D. Brucker, Jan-Georg Smaus, and

Computer Supported Modeling and Reasoning David Basin, Achim D. Brucker, Jan-Georg Smaus, and

Computer Supported Modeling and Reasoning David Basin, Achim D. Brucker, Jan-Georg Smaus, and Burkhart Wolff April 2005 http://www.infsec.ethz.ch/education/permanent/csmr/ Isabelle: Term Rewriting Burkhart Wolff Isabelle: Term Rewriting 555

762 views • 43 slides
Rewriting Systems and Discrete Morse Theory Ken Brown Cornell University March 2, 2013 Outline

Rewriting Systems and Discrete Morse Theory Ken Brown Cornell University March 2, 2013 Outline

Rewriting Systems and Discrete Morse Theory Ken Brown Cornell University March 2, 2013 Outline Review of Discrete Morse Theory Rewriting Systems and Normal Forms Collapsing the Classifying Space Outline Review of Discrete Morse Theory

974 views • 76 slides
Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs Birkbeck, University of London joint work with Cynthia Kop (U Copenhagen) and Naoki Nishida (U Nagoya) Workshop on Program Equivalence, London, UK 11

2.1k views • 197 slides
Confluence Another important property for dont care non-deterministic rule based definitions

Confluence Another important property for dont care non-deterministic rule based definitions

Confluence Another important property for dont care non-deterministic rule based definitions of algorithms is confluence. It means that whenever several sequences of rules are applicable to a given states, the respective results can be

329 views • 14 slides
Big Picture TRS yes implement no Literature CSI maybe automated confluence of

Big Picture TRS yes implement no Literature CSI maybe automated confluence of

Layer Systems for Confluence Formalized 1 Bertram Felgenhauer , Franziska Rapp University of Innsbruck, Allgemeines Rechenzentrum Innsbruck ICTAC, Stellenbosch 2018-10-16 1 supported by FWF project P27528 Motivation Big Picture TRS yes

711 views • 55 slides
Complexity Analysis of Precedence Terminating Infinite Graph Rewrite Systems Naohi Eguchi Chiba

Complexity Analysis of Precedence Terminating Infinite Graph Rewrite Systems Naohi Eguchi Chiba

Complexity Analysis of Precedence Terminating Infinite Graph Rewrite Systems Naohi Eguchi Chiba University, Japan University of Innsbruck, Austria September 27, 2014 41st TRS meeting, Jozankei, Sapporo, Japan Introduction Complexity

392 views • 16 slides

More recommend