Formal Methods for Cryptography
Santiago Zanella-Béguelin, santiago@microsoft.com, Cambridge, UK
18th Estonian Winter School in Computer Science, EWSCS 2013, 2013.03.04-08

EasyCrypt pipeline

ProofGeneral Frontend (Emacs) → EasyCrypt Toplevel (Shell) → Why3 Software Verification Platform (Why3 API) → provers:
  SMT Solvers: Alt-Ergo, CVC3, Z3, Yices
  Automated Provers: Vampire, E-Prover, SPASS
  Interactive Provers: Coq
EasyCrypt demo

Optimistic sampling, as a program equivalence:
  x $← {0,1}^k; y ← x ⊕ z  ≃_{z}^{x,y,z}  y $← {0,1}^k; x ← y ⊕ z

Some pRHL rules (premises ⊢ conclusion):

  π is a permutation,  P → ∀a. Q[x1 ← a, y2 ← π(a)]
  ⊢  x $← {0,1}^k ∼ y $← {0,1}^k : P ⇒ Q

  c1 ∼ c2 : P ⇒ Q,  c′1 ∼ c′2 : Q ⇒ R
  ⊢  c1; c′1 ∼ c2; c′2 : P ⇒ R                                   [Seq]

  P → Q[x1 ← e]
  ⊢  x ← e ∼ skip : P ⇒ Q                                        [Assign1]
Reasoning about Failure Events

Lemma (Fundamental Lemma)
Let A, B, F be events and G1, G2 be two games such that
  Pr[G1 : A ∧ ¬F] = Pr[G2 : B ∧ ¬F]
Then
  |Pr[G1 : A] − Pr[G2 : B]| ≤ max(Pr[G1 : F], Pr[G2 : F])
Proof. On whiteboard.
Fundamental Lemma: automation

Let A = B and F = bad. If G1 and G2 are syntactically identical except after program points setting bad, e.g.
  Game G1 : ... bad ← true; c0 ...
  Game G2 : ... bad ← true; c1 ...
then
  Pr_{G1,m}[A | ¬bad] = Pr_{G2,m}[A | ¬bad]
  Pr_{G1,m}[bad] = Pr_{G2,m}[bad]

Corollary
  |Pr_{G1,m}[A] − Pr_{G2,m}[A]| ≤ Pr_{G1,2}[bad]
Fundamental Lemma: beyond syntax

Lemma (Fundamental Lemma)
Let A, B, F be events and G1, G2 be two games such that
  G1 ∼ G2 : true ⇒ (F1 ↔ F2) ∧ (¬F1 → Q)
and Q → (A1 ↔ B2). Then
  |Pr[G1 : A] − Pr[G2 : B]| ≤ Pr[G2 : F]

For an adversary A with oracle access to oracles Oi, to establish
  y ← A^{Oi1}(x) ∼ y ← A^{Oi2}(x) : (F1 ↔ F2) ∧ (¬F1 → Q ∧ x1 = x2) ⇒ (F1 ↔ F2) ∧ (¬F1 → Q ∧ y1 = y2)
it suffices to check that F is stable, {F} Oi1 {F} and {F} Oi2 {F}, and that each oracle pair satisfies
  y ← Oi1(x) ∼ y ← Oi2(x) : (¬F1 ∧ ¬F2 ∧ Q ∧ x1 = x2) ⇒ (F1 ↔ F2) ∧ (¬F1 → Q ∧ y1 = y2)
Exercises

1. Generalize the characterization of the Fundamental Lemma in relational logic to preserve an additional weaker invariant Q′ once the failure F occurs.

2. (from beyond the thermosphere) What needs to be checked for adversaries and oracles?
Failure Event Lemma

The Fundamental Lemma is typically applied in games where only oracles trigger bad.
IF the probability of triggering bad in one call can be bound as a function of the number of oracle calls
THEN the probability of the game triggering bad can be bound, provided the number of oracle calls is bounded.
Failure Event Lemma (when p is constant)

IF ¬bad → Pr[O : bad] ≤ p THEN Pr[G : bad] ≤ p · q_O

Example.
  O(x) : y $← T; if y = x then bad ← true else ...
  p = 1/|T|
Application: PRP/PRF Switching Lemma

Game RP : L ← nil; b ← A()
  Oracle O(x) :
    if x ∉ dom(L) then y $← {0,1}^ℓ \ ran(L); L ← (x, y) :: L
    return L(x)

Game RF : L ← nil; b ← A()
  Oracle O(x) :
    if x ∉ dom(L) then y $← {0,1}^ℓ; L ← (x, y) :: L
    return L(x)

Suppose A makes at most q queries to O. Then
  |Pr[RP : b] − Pr[RF : b]| ≤ q(q − 1) / 2^{ℓ+1}

Proved first by Impagliazzo and Rudich in 1989. Proof fixed by Bellare and Rogaway (2006) and Shoup (2004).
A proof

Let C be the event that A observes a collision in RF. Since a random permutation is the same as a random function in which answers to distinct queries are distinct,
  Pr[RP : b = true] = Pr[RF : b = true | ¬C] = x
Let y = Pr[RF : b = true | C]. Then
  |Pr[RP : b = true] − Pr[RF : b = true]|
    = |x − x · Pr[RF : ¬C] − y · Pr[RF : C]|
    = |x · (1 − Pr[RF : ¬C]) − y · Pr[RF : C]|
    = |x · Pr[RF : C] − y · Pr[RF : C]|
    = |x − y| · Pr[RF : C]
    ≤ Pr[RF : C] ≤ q(q − 1) / 2^{ℓ+1}
A proof (revisited)

The same derivation, with the step
  Pr[RP : b = true] = Pr[RF : b = true | ¬C] = x
highlighted: it is the step that does not hold, as the counterexample below shows.
Counterexample for ℓ = 1

Adversary A1() :
  if O(0) = 0 then return 1
  else if O(1) = 1 then return 1
  else return 0

  2/3 = Pr[RF : b = 1 | ¬C] ≠ Pr[RP : b = 1] = 1/2
Proof

Game RP : L ← nil; b ← A()
  Oracle O(x) :
    if x ∉ dom(L) then
      y $← {0,1}^ℓ;
      if y ∈ ran(L) then bad ← true; y $← {0,1}^ℓ \ ran(L)
      L ← (x, y) :: L
    return L(x)

Game RF : L ← nil; b ← A()
  Oracle O(x) :
    if x ∉ dom(L) then
      y $← {0,1}^ℓ;
      if y ∈ ran(L) then bad ← true
      L ← (x, y) :: L
    return L(x)

The two games are syntactically identical up to the point where bad is set, so by the Fundamental Lemma
  |Pr[RP : b] − Pr[RF : b]| ≤ Pr[RF : bad]
Proof

Failure Event Lemma
Suppose k counts queries to O and initially bad = false:
  IF bad = false → Pr[O : bad] ≤ f(k)
  THEN Pr[A^O : bad ∧ k ≤ q_O] ≤ Σ_{k=0}^{q_O − 1} f(k)

Oracle O(x) :
  if x ∉ dom(L) then
    y $← {0,1}^ℓ;
    if y ∈ ran(L) then bad ← true;
    L ← (x, y) :: L
  return L(x)

Prove that Pr[O : bad] ≤ |L| / 2^ℓ. Summing over the q queries,
  Pr[RF : bad] ≤ q(q − 1) / 2^{ℓ+1}
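An added example (not part of the slides or of EasyCrypt) that computes the quantities in the switching-lemma proof exactly, with fractions, by enumerating every coin of the RP and RF games with the bad flag above: it reproduces the ℓ = 1 counterexample (2/3 ≠ 1/2), checks |Pr[RP : b] − Pr[RF : b]| ≤ Pr[RF : bad] for it, and compares Pr[RF : bad] with the q(q − 1)/2^{ℓ+1} bound for an adversary making q distinct queries. Adversaries are modelled as deterministic functions of the answers received so far, which is this example's own modelling choice.

```python
from fractions import Fraction
def oracle(L, bad, x, ell, perm):
    """O(x) of RP (perm=True) or RF with the proof's bad flag; yields (answer, L', bad', prob) per coin outcome."""
    if x in L:
        yield L[x], L, bad, Fraction(1)
        return
    n, used = 2 ** ell, set(L.values())
    for y in range(n):
        if y not in used:
            yield y, {**L, x: y}, bad, Fraction(1, n)
        elif not perm:                      # RF: bad <- true, keep the colliding y
            yield y, {**L, x: y}, True, Fraction(1, n)
        else:                               # RP: bad <- true, resample outside ran(L)
            fresh = [v for v in range(n) if v not in used]
            for z in fresh:
                yield z, {**L, x: z}, True, Fraction(1, n * len(fresh))

def distribution(adv, ell, perm):
    """Exact Pr[(b, bad)] of the game; adv(answers) -> ('query', x) or ('done', b)."""
    out = {}
    def go(answers, L, bad, p):
        kind, v = adv(answers)
        if kind == "done":
            out[(v, bad)] = out.get((v, bad), 0) + p
            return
        for y, L2, bad2, py in oracle(L, bad, v, ell, perm):
            go(answers + (y,), L2, bad2, p * py)
    go((), {}, False, Fraction(1))
    return out

def pr(dist, pred):
    return sum(p for (b, bad), p in dist.items() if pred(b, bad))

def adv_counterexample(answers):
    """A1 of the slides (ell = 1): O(0) = 0 -> 1; else O(1) = 1 -> 1; else 0."""
    if not answers:
        return "query", 0
    if answers[0] == 0:
        return "done", 1
    if len(answers) == 1:
        return "query", 1
    return "done", int(answers[1] == 1)

def adv_distinct(q):
    """Queries 0..q-1 and outputs 1 iff some answer repeated (the event C)."""
    def adv(answers):
        if len(answers) < q:
            return "query", len(answers)
        return "done", int(len(set(answers)) < q)
    return adv
```

pr(distribution(adv_distinct(q), ell, False), lambda b, bad: bad) gives the exact collision probability 1 − ∏_{i<q}(1 − i/2^ℓ), which the slides' sum bounds from above.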
EasyCrypt demo

Demo: PRP/PRF Switching Lemma
Eager/Lazy Sampling

Interprocedural code motion:
  Eager sampling: from an oracle to the main game
  Lazy sampling: from the main game to an oracle

Motivation
In crypto proofs one often needs to know that some values are independent and uniformly distributed at some program point. This holds when the values can be resampled while preserving semantics! If S conditionally re-samples values not yet consumed, it suffices to prove that
  (c_lazy; S) ∼ (S; c_eager) : =V ⇒ =V
Application: PRP/PRF Switching Lemma

Game RF_eager : L ← nil; S; b ← A()
  Oracle O_eager(x) :
    if x ∉ dom(L) then
      if 0 < |Y| then y ← hd(Y); Y ← tl(Y)
      else y $← {0,1}^ℓ
      L ← (x, y) :: L
    return L(x)

where S ≝ Y ← [ ]; while |Y| < q do y $← {0,1}^ℓ; Y ← Y ++ [y]

First prove that
  b ← A^{O_lazy}(); S ∼ S; b ← A^{O_eager}() : =V ⇒ =V
Then prove by induction:
  Pr[RF : bad] = Pr[RF_eager : ∃i, j. i ≠ j ∧ Y[i] = Y[j]] = Σ_{i=0}^{q−1} i / 2^ℓ
A conclusion

There is a problem with cryptographic proofs. Cryptographic proofs can (and should) be machine-checked. Verification technology is mature enough to provide a solution. We provided two:
  CertiCrypt: fully formalized machine-checked proofs in Coq
  EasyCrypt: automated SMT-based tool
Have we reached the point where the formalization effort pays off? Are cryptographers willing to adopt these tools?
What do cryptographers think of all this?

"The expansion of the original proof from a paragraph or two to several thousand lines of computer output is remarkable. Can one find anything similar in the history of mathematical proofs? There is one striking analogy that comes to mind. Early in the 20th century, Russell and Whitehead wrote Principia Mathematica [...]" —N. Koblitz (2012)

"Usually one has to leave the sciences entirely if one wishes to find works of scholarship—for example, Michel Foucault's turgid 760-page three-volume philosophical treatise on sex—that have been so successful in turning something that should be interesting and accessible to everyone into something lengthy, unreadable, and boring." —N. Koblitz (2012)

What do cryptographers think of all this?

"For the Best Paper Award, the PC overwhelmingly selected Computer-Aided Security Proofs for the Working Cryptographer, [...] The Committee praised the work for its broad appeal, its connections to programming language, and its potential impact." — CRYPTO 2011 proceedings

"I have been waiting for 10 years for someone to come up with a result like this. The problem they solve is a very difficult one. But the solution is well structured, making good use of recognizable methods in programming-language theory: monads, observational equivalence, Hoare logics, semantic models, etc." — Anonymous POPL 2009 reviewer
Computer-Aided Privacy Proofs
Privacy for Statistical Databases

Maximize Privacy. Maximize Utility.
Conflicting requirements: sanitizing queries requires striking a good balance.
Differential Privacy [Dwork et al. 06]

Fix a (symmetric) adjacency relation Φ on databases and a privacy budget ε. A randomized algorithm K : D → R (called a mechanism) is ε-differentially private iff for all D1, D2 s.t. Φ(D1, D2),
  ∀S ⊆ R. Pr[K(D1) ∈ S] ≤ exp(ε) × Pr[K(D2) ∈ S]

Differential Privacy [Dwork et al. 06]

Fix a (symmetric) adjacency relation Φ on databases and a privacy budget ε. A randomized algorithm K : D → R (called a mechanism) is (ε, δ)-differentially private iff for all D1, D2 s.t. Φ(D1, D2),
  ∀S ⊆ R. Pr[K(D1) ∈ S] ≤ exp(ε) × Pr[K(D2) ∈ S] + δ

Still an information-theoretic definition.
Achieving Differential Privacy

Consider a numerical query f : D → R. Define the sensitivity of f as
  ∆(f) ≝ max_{D1,D2 | Φ(D1,D2)} |f(D1) − f(D2)|
The mechanism
  K(D) ≝ f(D) + Lap(∆(f)/ε)
is ε-differentially private:
  Pr[K(D) = x] ∝ exp(−|f(D) − x| · ε / ∆(f))
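As an added illustration (not from the slides), a counting query over a constructed database of ages with the remove-one-record adjacency: it computes ∆(f), implements K(D) = f(D) + Lap(∆(f)/ε), and checks the ε-DP inequality on the density ratio of adjacent databases, which also shows that noise calibrated to ∆(f)/(2ε) instead of ∆(f)/ε breaks the bound. The query, the database and the adjacency relation are this example's assumptions.

```python
import math
import random

DB = [34, 71, 52, 68, 45, 80]       # constructed sample database of patient ages

def count_over_65(db):
    """Constructed counting query f(D): number of records with age >= 65."""
    return sum(1 for age in db if age >= 65)

def remove_one_pairs(db):
    """Adjacency relation Phi assumed here: D2 is D1 with one record removed."""
    return [(db, db[:i] + db[i + 1:]) for i in range(len(db))]

def sensitivity(f, adjacent_pairs):
    """Delta(f) = max over adjacent (D1, D2) of |f(D1) - f(D2)|."""
    return max(abs(f(d1) - f(d2)) for d1, d2 in adjacent_pairs)

def laplace_mechanism(f, delta_f, eps):
    """K(D) = f(D) + Lap(Delta(f)/eps); the difference of two independent
    Exp(eps/Delta(f)) draws is Laplace-distributed with scale Delta(f)/eps."""
    rate = eps / delta_f
    return lambda db: f(db) + random.expovariate(rate) - random.expovariate(rate)

def laplace_density(x, mean, scale):
    """Density of K(D) at x: proportional to exp(-|f(D) - x| / scale)."""
    return math.exp(-abs(x - mean) / scale) / (2 * scale)

def privacy_loss(f, scale, d1, d2, xs):
    """max_x ln(Pr[K(D1) = x] / Pr[K(D2) = x]) over the grid xs; eps-DP
    requires this to be <= eps for every adjacent pair (D1, D2)."""
    return max(math.log(laplace_density(x, f(d1), scale) /
                        laplace_density(x, f(d2), scale)) for x in xs)

def worst_case_loss(f, scale, pairs, xs):
    """Largest privacy loss over all adjacent pairs, to compare against eps."""
    return max(privacy_loss(f, scale, d1, d2, xs) for d1, d2 in pairs)
```

With ε = 0.5 and scale ∆(f)/ε = 2 the worst-case loss is exactly 0.5; halving the scale doubles the loss to 1.0, so the mechanism is no longer 0.5-DP.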
Computational Differential Privacy [Mironov et al. 09]

IDEA: relax the definition of Differential Privacy so that it only holds against computationally-bounded adversaries. Use cryptographic mechanisms to achieve privacy. Strike a better balance between privacy and utility. The gains are significant—separation results?

Indistinguishability-Based Definition
An ensemble of randomized algorithms {K}η is ε-IND-CDP iff for all D1, D2 s.t. Φ(D1, D2) and for all PPT adversaries A,
  Pr[A(K(D1)) = 1] ≤ exp(ε) × Pr[A(K(D2)) = 1] + negl(η)
Probabilistic Relational Hoare Logic

Judgments: ⊢ c1 ∼ c2 : P ⇒ Q, where P, Q are binary relations over states.
If P(m1, m2) and Q → (A1 ↔ B2), then Pr[c1(m1) : A] ≤ Pr[c2(m2) : B].

Approximate Probabilistic Relational Hoare Logic

Judgments: ⊢ c1 ∼α,δ c2 : P ⇒ Q
What can be inferred from a valid judgment? If P(m1, m2) and Q → (A1 ↔ B2), then
  Pr[c1(m1) : A] ≤ α × Pr[c2(m2) : B] + δ
Exactly what we need to encode CDP! {K}η is ε-IND-CDP iff for all D1, D2 s.t. Φ(D1, D2) and for all PPT adversaries A,
  Pr[A(K(D1)) = 1] ≤ exp(ε) × Pr[A(K(D2)) = 1] + negl(η)
Example: Private 2-Party Computation

Two hospitals hold records of the same patient's recent blood tests and want to check how similar they are, i.e. compute h(a, b) for hospital A's record a and hospital B's record b:

  John Doe (hospital A) :  LDL 1   HDL 1   HIV     GLU 1   LEU 1
  John Doe (hospital B) :  LDL     HDL     HIV 1   GLU 1   LEU 1
Example: Private 2-Party Computation

Using additive homomorphic encryption (e.g. Paillier), with B holding the decryption key:

  B → A :  E(bi), i = 1 ... n
  A :      ci ← ai ? E(bi) : E(bi)
           hA ← (∏i ci) · E(noiseA)          (= E(h(a, b) + noiseA))
  A → B :  hA
  B :      h̃A ← D(hA)                        (= h(a, b) + noiseA)
           hB ← h̃A + noiseB
  B → A :  hB
  A :      h̃B ← hB − noiseA                  (= h(a, b) + noiseB)
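An added example (not the slides' own code) of the exchange above with textbook Paillier over toy primes: B holds the key pair and the record b, A holds a; h(a, b) is assumed to be the number of positions where the two records agree, so the ai = 0 branch uses E(1 − bi) = E(1) · E(bi)^{-1}, and the two noise terms are passed in as integers. The records are the two John Doe rows from the slide, encoded as 0/1 flags; the key size is far too small for real use.

```python
import math
import random

# The two hospitals' test flags for John Doe (LDL, HDL, HIV, GLU, LEU), as on the slide
A_RECORD = [1, 1, 0, 1, 1]
B_RECORD = [0, 0, 1, 1, 1]

def paillier_keygen(p, q):
    """Textbook Paillier with g = n + 1; p, q are toy primes here, not secure sizes."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return (n, n + 1), (n, lam, mu)

def encrypt(pk, m):
    n, g = pk
    r = random.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = random.randrange(1, n)
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add(pk, c1, c2):
    """Homomorphic addition: E(m1) * E(m2) = E(m1 + m2)."""
    return c1 * c2 % (pk[0] ** 2)

def private_similarity(a, b, noise_a, noise_b, pk, sk):
    """The exchange above. B owns (pk, sk) and b; A owns a. h(a, b) is assumed to be
    the number of positions where a and b agree. Returns (A's view, B's view)."""
    nn = pk[0] ** 2
    enc_b = [encrypt(pk, bi) for bi in b]                        # B -> A : E(b_i)
    cs = [e if ai else add(pk, encrypt(pk, 1), pow(e, -1, nn))   # a_i ? E(b_i) : E(1 - b_i)
          for ai, e in zip(a, enc_b)]
    h_a = encrypt(pk, noise_a)
    for c in cs:                                                 # prod_i c_i * E(noise_A)
        h_a = add(pk, h_a, c)                                    # A -> B : E(h(a,b) + noise_A)
    h_tilde_a = decrypt(sk, h_a)                                 # B : h(a,b) + noise_A
    h_b = h_tilde_a + noise_b                                    # B -> A : h(a,b) + noise_A + noise_B
    h_tilde_b = h_b - noise_a                                    # A : h(a,b) + noise_B
    return h_tilde_b, h_tilde_a
```

For the slide's records only GLU and LEU agree, so with noiseA = 7 and noiseB = 11 A ends with 2 + 11 and B with 2 + 7; neither party sees the other's record or the exact h(a, b).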
Synthesis of Public-Key Encryption Schemes

The quest for minimalism in cryptography: cryptography stripped down to its essential features.
  Minimal assumptions sufficient to achieve a cryptographic goal
  Minimal constructions—removing any element results in a totally insecure construction
  Optimality: minimal overhead, efficiency, tight security reductions

Encryption from Permutations and Hash functions

Goal: synthesize correct and secure encryption schemes.
Grammar for encryption algorithms:
  E ::= m         input message
      | 0         zero bitstring
      | r         uniformly random bitstring
      | E ⊕ E     xor
      | E || E    concatenation
      | H(E)      hash
      | f(E)      trapdoor permutation
Q: What is the simplest provably secure encryption scheme?
So many possibilities!

[Figure: candidate schemes drawn as circuits over m, 0^k, r, s, t and the hash functions G, H, among them OAEP, SAEP and ZAEP.]
What we did

1. Generate thousands of candidates
2. Filter out trivially incorrect or insecure schemes:
     is there a decryption algorithm?                        f(m ⊕ r)
     is decryption possible without a key (inverting f)?      m ⊕ f(r) || r
     is encryption randomized?                               f(m)
     can randomness be extracted from a ciphertext?          r || f(m ⊕ r)
3. Generate (machine-checked) proofs for secure schemes
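An added example (not the synthesis tool the slides describe) that enumerates terms of the grammar above and applies the four filters of step 2. "Computable without the key" is formalized here, as this example's own assumption, by a Dolev-Yao style closure in which f and H are public one-way functions and only f's trapdoor inverts f; the filters are syntactic sieves, not a security proof.

```python
from functools import lru_cache
from itertools import product
M, ZERO, R = ("m",), ("0",), ("r",)   # atoms; compound terms are (op, arg...) tuples

@lru_cache(maxsize=None)
def terms(size):
    """Every term of E ::= m | 0 | r | E xor E | E || E | H(E) | f(E) with `size` nodes."""
    if size == 1:
        return (M, ZERO, R)
    out = [(op, t) for op in ("H", "f") for t in terms(size - 1)]
    for k in range(1, size - 1):
        for a, b in product(terms(k), terms(size - 1 - k)):
            out += [("xor", a, b), ("cat", a, b)]
    return tuple(out)

def subterms(t):
    yield t
    for s in t[1:]:
        yield from subterms(s)

def derivable(cipher, has_key):
    """Assumed formalization of the filters: the set of terms a party holding the
    ciphertext (and f's trapdoor if has_key) can compute; f and H are public one-way."""
    known = {cipher, ZERO}
    grown = True
    while grown:
        grown = False
        for t in subterms(cipher):
            new = set()
            if t in known:                                  # take known terms apart
                if t[0] == "cat" or (t[0] == "f" and has_key):
                    new = set(t[1:])
                elif t[0] == "xor" and (t[1] in known or t[2] in known):
                    new = {t[1], t[2]}                      # one side known => other side too
            elif len(t) > 1 and all(s in known for s in t[1:]):
                new = {t}                                   # public operations on known terms
            if not new <= known:
                known |= new
                grown = True
    return known

def filters(c):
    public = derivable(c, False)
    return {"decryptable": M in derivable(c, True), "needs_key": M not in public,
            "randomized": R in set(subterms(c)), "hides_r": R not in public}

def candidates(max_size):
    return [c for s in range(1, max_size + 1) for c in terms(s) if all(filters(c).values())]
```

candidates(7) keeps, for instance, f(r) || m ⊕ H(r), while each of the slide's four rejected examples fails the check written beside it.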