 
Formal Methods for Cryptography
Santiago Zanella-Béguelin, santiago@microsoft.com, Cambridge, UK
18th Estonian Winter School in Computer Science (EWSCS 2013), 2013.03.04–08
EasyCrypt pipeline (diagram): ProofGeneral frontend (Emacs shell) → EasyCrypt toplevel → Why3 API / Why3 software verification platform → back-end provers: SMT solvers (Alt-Ergo, CVC3, Z3, Yices), automated first-order provers (Vampire, E-Prover, SPASS), interactive provers (Coq).
EasyCrypt demo

Observational equivalence proved in the demo (inputs $\{z\}$, outputs $\{x,y,z\}$):
$x \xleftarrow{\$} \{0,1\}^k;\ y \leftarrow x \oplus z \;\simeq^{\{z\}}_{\{x,y,z\}}\; y \xleftarrow{\$} \{0,1\}^k;\ x \leftarrow y \oplus z$

pRHL rules used:

Random sampling: if $\pi$ is a permutation and $P \to \forall a.\ Q[x\langle 1\rangle \leftarrow a,\ y\langle 2\rangle \leftarrow \pi(a)]$, then
$\vdash x \xleftarrow{\$} \{0,1\}^k \sim y \xleftarrow{\$} \{0,1\}^k : P \Rightarrow Q$

[Seq]: from $\vdash c_1 \sim c_2 : P \Rightarrow Q$ and $\vdash c'_1 \sim c'_2 : Q \Rightarrow R$ conclude
$\vdash c_1; c'_1 \sim c_2; c'_2 : P \Rightarrow R$

[Assign$\langle 1\rangle$]: from $P \to Q[x\langle 1\rangle \leftarrow e]$ conclude
$\vdash x \leftarrow e \sim \mathbf{skip} : P \Rightarrow Q$
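As an added worked example (not part of the slides), here is the derivation of the demo's equivalence from the three rules above. The equivalence $\simeq^{\{z\}}_{\{x,y,z\}}$ is the pRHL judgement with precondition $=_{\{z\}}$ (the variable $z$ agrees in both memories) and postcondition $=_{\{x,y,z\}}$. The mirror-image rule [Assign$\langle 2\rangle$] ($P \to Q[x\langle 2\rangle \leftarrow e]$ gives $\vdash \mathbf{skip} \sim x \leftarrow e : P \Rightarrow Q$) is not on the slide; it is assumed here by symmetry, as is the fact that $c;\mathbf{skip}$ and $c$ are interchangeable.

Goal: $\vdash x \xleftarrow{\$}\{0,1\}^k;\ y \leftarrow x \oplus z \;\sim\; y \xleftarrow{\$}\{0,1\}^k;\ x \leftarrow y \oplus z \;:\; =_{\{z\}} \Rightarrow\; =_{\{x,y,z\}}$

Step 1 ([Seq]). Split both programs after the sampling, with intermediate assertion
$$Q \;\equiv\; z\langle 1\rangle = z\langle 2\rangle \;\wedge\; y\langle 2\rangle = x\langle 1\rangle \oplus z\langle 1\rangle .$$

Step 2 (random sampling). Take $\pi(a) = a \oplus z\langle 1\rangle$, which for every fixed $z\langle 1\rangle$ is a permutation of $\{0,1\}^k$ (its own inverse). The premise is
$$z\langle 1\rangle = z\langle 2\rangle \;\to\; \forall a.\ \big(z\langle 1\rangle = z\langle 2\rangle \wedge a \oplus z\langle 1\rangle = a \oplus z\langle 1\rangle\big),$$
which holds trivially, so $\vdash x \xleftarrow{\$}\{0,1\}^k \sim y \xleftarrow{\$}\{0,1\}^k : =_{\{z\}} \Rightarrow Q$.

Step 3 (assignments). Apply [Seq] once more with intermediate
$$Q' \;\equiv\; Q \;\wedge\; y\langle 1\rangle = y\langle 2\rangle .$$
[Assign$\langle 1\rangle$] needs $Q \to Q'[y\langle 1\rangle \leftarrow x\langle 1\rangle \oplus z\langle 1\rangle]$, i.e. $Q \to Q \wedge x\langle 1\rangle \oplus z\langle 1\rangle = y\langle 2\rangle$, which is the second conjunct of $Q$.
[Assign$\langle 2\rangle$] needs $Q' \to (=_{\{x,y,z\}})[x\langle 2\rangle \leftarrow y\langle 2\rangle \oplus z\langle 2\rangle]$, i.e.
$$Q' \to x\langle 1\rangle = y\langle 2\rangle \oplus z\langle 2\rangle \;\wedge\; y\langle 1\rangle = y\langle 2\rangle \;\wedge\; z\langle 1\rangle = z\langle 2\rangle .$$
Using $z\langle 1\rangle = z\langle 2\rangle$ and $y\langle 2\rangle = x\langle 1\rangle \oplus z\langle 1\rangle$ from $Q'$, the first conjunct is $x\langle 1\rangle = x\langle 1\rangle \oplus z\langle 1\rangle \oplus z\langle 1\rangle$, which holds since $a \oplus b \oplus b = a$; the other two are conjuncts of $Q'$.

Chaining Steps 2 and 3 with Step 1 gives the goal. The whole argument is the one-time-pad fact "$x \oplus z$ is uniform when $x$ is", expressed as a coupling $\pi$ between the two samplings rather than as a probability computation; this is exactly what the EasyCrypt demo discharges automatically.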
Reasoning about Failure Events

Lemma (Fundamental Lemma). Let $A$, $B$, $F$ be events and $G_1$, $G_2$ be two games such that
$\Pr[G_1 : A \wedge \neg F] = \Pr[G_2 : B \wedge \neg F]$.
Then $|\Pr[G_1 : A] - \Pr[G_2 : B]| \le \max(\Pr[G_1 : F],\ \Pr[G_2 : F])$.

Proof. On whiteboard.
Fundamental Lemma: automation

Let $A = B$ and $F = \mathsf{bad}$. If $G_1$ and $G_2$ are syntactically identical except after the program points setting bad, e.g.

Game $G_1$: ... bad ← true; $c_1$ ...
Game $G_2$: ... bad ← true; $c_2$ ...

then $\Pr_{G_1,m}[A \mid \neg\mathsf{bad}] = \Pr_{G_2,m}[A \mid \neg\mathsf{bad}]$ and $\Pr_{G_1,m}[\mathsf{bad}] = \Pr_{G_2,m}[\mathsf{bad}]$.

Corollary. $|\Pr_{G_1,m}[A] - \Pr_{G_2,m}[A]| \le \Pr_{G_{1,2},m}[\mathsf{bad}]$, where the probability of bad may be taken in either game since the two coincide. The syntactic check (same code up to the point bad is set) is what the tool automates.
Fundamental Lemma: beyond syntax

Lemma (Fundamental Lemma, relational form). Let $A$, $B$, $F$ be events and $G_1$, $G_2$ be two games such that
$\vdash G_1 \sim G_2 : \mathsf{true} \Rightarrow (F\langle 1\rangle \leftrightarrow F\langle 2\rangle) \wedge (\neg F\langle 1\rangle \to Q)$
and $Q \to (A\langle 1\rangle \leftrightarrow B\langle 2\rangle)$. Then $|\Pr[G_1 : A] - \Pr[G_2 : B]| \le \Pr[G_2 : F]$.

For an adversary $\mathcal{A}$ with access to oracles $O_i$, the judgement
$\vdash y \leftarrow \mathcal{A}^{O^1_i}(\vec{x}) \sim y \leftarrow \mathcal{A}^{O^2_i}(\vec{x}) : (F\langle 1\rangle \leftrightarrow F\langle 2\rangle) \wedge (\neg F\langle 1\rangle \to Q \wedge \vec{x}\langle 1\rangle = \vec{x}\langle 2\rangle) \Rightarrow (F\langle 1\rangle \leftrightarrow F\langle 2\rangle) \wedge (\neg F\langle 1\rangle \to Q \wedge y\langle 1\rangle = y\langle 2\rangle)$
follows once it is checked that $F$ is stable, $\{F\}\ O^1_i\ \{F\}$ and $\{F\}\ O^2_i\ \{F\}$, and that each pair of oracles satisfies
$\vdash y \leftarrow O^1_i(\vec{x}) \sim y \leftarrow O^2_i(\vec{x}) : (\neg F\langle 1\rangle \wedge \neg F\langle 2\rangle \wedge Q \wedge \vec{x}\langle 1\rangle = \vec{x}\langle 2\rangle) \Rightarrow (F\langle 1\rangle \leftrightarrow F\langle 2\rangle) \wedge (\neg F\langle 1\rangle \to Q \wedge y\langle 1\rangle = y\langle 2\rangle)$
Exercises
1. Generalize the characterization of the Fundamental Lemma in relational logic to preserve an additional weaker invariant $Q'$ once the failure $F$ occurs.
2. (from beyond the thermosphere) What needs to be checked for adversaries and oracles in that generalization?
Failure Event Lemma

The Fundamental Lemma is typically applied in games where only oracles trigger bad.
IF the probability of triggering bad in one call can be bounded as a function of the number of oracle calls so far,
THEN the probability of the game triggering bad can be bounded, provided the total number of oracle calls is bounded.

Failure Event Lemma (when $p$ is constant): IF $\neg\mathsf{bad} \to \Pr[O : \mathsf{bad}] \le p$ THEN $\Pr[G : \mathsf{bad}] \le p \cdot q_O$, where $q_O$ bounds the number of calls to $O$.

Example. $O(x):\ y \xleftarrow{\$} T;\ \mathbf{if}\ y = x\ \mathbf{then}\ \mathsf{bad} \leftarrow \mathsf{true}\ \mathbf{else}\ \ldots$, with $p = 1/|T|$.
Application: PRP/PRF Switching Lemma

Game RP:                              Game RF:
  L ← nil; b ← A()                      L ← nil; b ← A()

Oracle O(x):                          Oracle O(x):
  if x ∉ dom(L) then                    if x ∉ dom(L) then
    y ←$ {0,1}^ℓ \ ran(L);                y ←$ {0,1}^ℓ;
    L ← (x, y) :: L                       L ← (x, y) :: L
  return L(x)                           return L(x)

Suppose A makes at most $q$ queries to $O$. Then
$|\Pr[\mathrm{RP} : b] - \Pr[\mathrm{RF} : b]| \le \dfrac{q(q-1)}{2^{\ell+1}}$

Proved first by Impagliazzo and Rudich in 1989; proof fixed by Bellare and Rogaway (2006) and Shoup (2004).
A proof (the flawed one)

Let $C$ be the event that A observes a collision in RF. Since a random permutation is the same as a random function in which answers to distinct queries are distinct, it is claimed that
$\Pr[\mathrm{RP} : b = \mathsf{true}] = \Pr[\mathrm{RF} : b = \mathsf{true} \mid \neg C] = x$.
Let $y = \Pr[\mathrm{RF} : b = \mathsf{true} \mid C]$. Then
$|\Pr[\mathrm{RP} : b = \mathsf{true}] - \Pr[\mathrm{RF} : b = \mathsf{true}]|$
$= |x - x \cdot \Pr[\mathrm{RF} : \neg C] - y \cdot \Pr[\mathrm{RF} : C]|$
$= |x \cdot (1 - \Pr[\mathrm{RF} : \neg C]) - y \cdot \Pr[\mathrm{RF} : C]|$
$= |x \cdot \Pr[\mathrm{RF} : C] - y \cdot \Pr[\mathrm{RF} : C]|$
$= |x - y| \cdot \Pr[\mathrm{RF} : C] \le \Pr[\mathrm{RF} : C] \le q(q-1)/2^{\ell+1}$

The algebra is fine; the flaw is the first, underlined step $\Pr[\mathrm{RP} : b] = \Pr[\mathrm{RF} : b \mid \neg C]$. Conditioning RF on "no collision observed" is not the same as RP, because which queries A makes, and hence whether a collision can be observed, depends on earlier answers. The next slide gives a counterexample.
Counterexample for ℓ = 1

Adversary A():
  if O(0) = 0 then return 1
  else if O(1) = 1 then return 1
  else return 0

$\Pr[\mathrm{RP} : b = 1] = \tfrac{1}{2} \;\neq\; \tfrac{2}{3} = \Pr[\mathrm{RF} : b = 1 \mid \neg C]$

In RP, $O(0) = 1$ forces $O(1) = 0$, so $b = 1$ exactly when $O(0) = 0$: probability $1/2$. In RF, the runs are $O(0) = 0$ (probability $1/2$, $b = 1$, no collision), $O(0) = 1, O(1) = 0$ (probability $1/4$, $b = 0$, no collision) and $O(0) = 1, O(1) = 1$ (probability $1/4$, $b = 1$, collision). Conditioning on $\neg C$ keeps the first two runs only, giving $\Pr[\mathrm{RF} : b = 1 \mid \neg C] = (1/2)/(3/4) = 2/3$.
Proof

Game RP:                                      Game RF:
  L ← nil; b ← A()                              L ← nil; b ← A()

Oracle O(x):                                  Oracle O(x):
  if x ∉ dom(L) then                            if x ∉ dom(L) then
    y ←$ {0,1}^ℓ;                                 y ←$ {0,1}^ℓ;
    if y ∈ ran(L) then                            if y ∈ ran(L) then
      bad ← true; y ←$ {0,1}^ℓ \ ran(L)             bad ← true
    L ← (x, y) :: L                               L ← (x, y) :: L
  return L(x)                                   return L(x)

RP is rewritten to sample $y$ uniformly first and resample only on a collision, which leaves its distribution unchanged. The two games are now syntactically identical up to the point where bad is set, so the Fundamental Lemma gives
$|\Pr[\mathrm{RP} : b] - \Pr[\mathrm{RF} : b]| \le \Pr[\mathrm{RF} : \mathsf{bad}]$
Proof: Failure Event Lemma

Suppose $k$ counts queries to $O$ and initially bad = false:
IF $\mathsf{bad} = \mathsf{false} \to \Pr[O : \mathsf{bad}] \le f(k)$ THEN $\Pr[\mathcal{A}^O : \mathsf{bad} \wedge k \le q_O] \le \sum_{k=0}^{q_O - 1} f(k)$

Oracle O(x):
  if x ∉ dom(L) then
    y ←$ {0,1}^ℓ; if y ∈ ran(L) then bad ← true;
    L ← (x, y) :: L
  return L(x)

Prove that $\Pr[O : \mathsf{bad}] \le |L| / 2^\ell$: a fresh $y$ hits one of the $|L|$ values already in ran(L) with probability $|L|/2^\ell$, and $|L| \le k$ since only fresh queries extend $L$, so $f(k) = k/2^\ell$. Summing over the $q$ queries,
$\Pr[\mathrm{RF} : \mathsf{bad}] \le \sum_{k=0}^{q-1} \dfrac{k}{2^\ell} = \dfrac{q(q-1)}{2^{\ell+1}}$
EasyCrypt demo: PRP/PRF Switching Lemma
Eager/Lazy Sampling

Interprocedural code motion:
Eager sampling: move sampling from an oracle into the main game.
Lazy sampling: move sampling from the main game into an oracle.

Motivation. In crypto proofs one often needs to know that some values are independent and uniformly distributed at some program point. This holds when the values can be resampled while preserving semantics! If $S$ conditionally re-samples values not yet consumed, it suffices to prove
$\vdash (c_{\mathrm{lazy}}; S) \sim (S; c_{\mathrm{eager}}) : =_V \Rightarrow =_V$
Application: PRP/PRF Switching Lemma

Game RF_eager:
  L ← nil; S; b ← A()

Oracle O_eager(x):
  if x ∉ dom(L) then
    if 0 < |Y| then y ← hd(Y); Y ← tl(Y)
    else y ←$ {0,1}^ℓ
    L ← (x, y) :: L
  return L(x)

where $S \;\stackrel{\mathrm{def}}{=}\; Y \leftarrow [\,];\ \mathbf{while}\ |Y| < q\ \mathbf{do}\ y \xleftarrow{\$} \{0,1\}^\ell;\ Y \leftarrow Y \mathbin{+\!\!+} [y]$

First prove that
$\vdash b \leftarrow \mathcal{A}^{O_{\mathrm{lazy}}}();\ S \;\sim\; S;\ b \leftarrow \mathcal{A}^{O_{\mathrm{eager}}}() : =_V \Rightarrow =_V$

Then prove by induction on the length of $Y$ (the last step is a union bound over the pairs $(i, j)$):
$\Pr[\mathrm{RF} : \mathsf{bad}] \le \Pr[\mathrm{RF}_{\mathrm{eager}} : \exists i, j.\ i \neq j \wedge Y[i] = Y[j]] \le \sum_{i=0}^{q-1} \dfrac{i}{2^\ell} = \dfrac{q(q-1)}{2^{\ell+1}}$

The first inequality is an equality only when A makes exactly $q$ distinct queries: bad in RF means a fresh answer collides with an earlier one, which in RF_eager is a collision among the entries of $Y$ consumed so far, and hence among all of $Y$; a collision among unconsumed entries sets no flag.
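The three claims made on the last few slides, the ℓ = 1 counterexample to the flawed proof, the bad-flag bound obtained from the Fundamental and Failure Event Lemmas, and the eager/lazy reformulation, can all be confirmed exactly for tiny ℓ by enumerating the randomness instead of sampling it. The block below is an added example written for this page, not code from the lecture or from EasyCrypt. It assumes the adversary is deterministic and makes at most q distinct queries, so the else branch of O_eager (fresh sampling once Y is exhausted) is never taken and is omitted; it models RF by its full table rather than by lazy sampling, which is the same distribution; and it represents RP by a uniformly chosen permutation table, which is what the "resample on collision" game computes.

```python
"""Exact checks for the PRP/PRF switching-lemma slides (added example; not
the lecture's or EasyCrypt's code).  Instead of sampling, every game is run
against EVERY equiprobable choice of randomness: all (2^l)^(2^l) function
tables for RF, all (2^l)! permutation tables for RP, and all (2^l)^q
pre-sampled lists Y for RF_eager, so the probabilities are exact Fractions.
Only feasible for l <= 2, which covers the l = 1 counterexample."""
from fractions import Fraction
from itertools import permutations, product


class Logged:
    """Keeps the slides' list L (x -> y) and decides the failure event:
    bad / C = two distinct queried inputs received the same output."""
    def __init__(self):
        self.L = {}

    def bad(self):
        ys = list(self.L.values())
        return len(ys) != len(set(ys))


class LazyOracle(Logged):
    """O(x) of RP/RF: the answer is read from a fixed table (a uniform table
    read on demand has the same distribution as sampling on first query)."""
    def __init__(self, table):
        super().__init__()
        self.table = table

    def __call__(self, x):
        if x not in self.L:
            self.L[x] = self.table[x]
        return self.L[x]


class EagerOracle(Logged):
    """O_eager(x): S has already sampled Y; a fresh answer is hd(Y).
    Assumption: q >= number of distinct queries, so Y never runs out."""
    def __init__(self, Y):
        super().__init__()
        self.Y = list(Y)

    def __call__(self, x):
        if x not in self.L:
            self.L[x] = self.Y.pop(0)
        return self.L[x]


def game(adversary, oracles):
    """Run the adversary once per (equiprobable) oracle; return exact
    (Pr[b = 1], Pr[bad], Pr[b = 1 | not bad])."""
    n = wins = bads = wins_good = 0
    for O in oracles:
        b = adversary(O)
        n += 1
        wins += b
        bads += O.bad()
        wins_good += int(b == 1 and not O.bad())
    cond = Fraction(wins_good, n - bads) if n > bads else None
    return Fraction(wins, n), Fraction(bads, n), cond


def RP(l):
    return (LazyOracle(t) for t in permutations(range(2 ** l)))


def RF(l):
    return (LazyOracle(t) for t in product(range(2 ** l), repeat=2 ** l))


def slide_adversary(O):
    """The l = 1 adversary of the counterexample slide."""
    if O(0) == 0:
        return 1
    if O(1) == 1:
        return 1
    return 0


def counterexample(l=1):
    """(Pr[RP: b = 1], Pr[RF: b = 1 | not C]): 1/2 versus 2/3 at l = 1,
    so conditioning on 'no collision' does NOT turn RF into RP."""
    rp, _, _ = game(slide_adversary, RP(l))
    _, _, rf_given_no_c = game(slide_adversary, RF(l))
    return rp, rf_given_no_c


def distinct_queries(q):
    """Adversary that queries q distinct points and outputs 1 iff it sees a
    collision; it makes Pr[RF: bad] as large as q queries allow."""
    return lambda O: int(len({O(x) for x in range(q)}) < q)


def switching(adversary, l, q):
    """(|Pr[RP: b] - Pr[RF: b]|, Pr[RF: bad], Pr[RF_eager: Y collides],
    q(q-1)/2^(l+1)).  Each entry is <= the next: the bad-flag games give the
    first bound, eager sampling of Y the second, the union bound the third.
    Also checks that Pr[b = 1] agrees in RF and RF_eager (lazy = eager)."""
    Ys = list(product(range(2 ** l), repeat=q))
    rp, _, _ = game(adversary, RP(l))
    rf, bad, _ = game(adversary, RF(l))
    rf_eager, _, _ = game(adversary, (EagerOracle(Y) for Y in Ys))
    assert rf == rf_eager, "lazy and eager games must agree"
    y_coll = Fraction(sum(len(set(Y)) < q for Y in Ys), len(Ys))
    return abs(rp - rf), bad, y_coll, Fraction(q * (q - 1), 2 ** (l + 1))
```

`counterexample()` returns (1/2, 2/3), the two numbers of the counterexample slide. `switching(slide_adversary, 1, 2)` returns (1/4, 1/4, 1/2, 1/2): the true distinguishing advantage of that adversary is 1/4, which the bad-flag bound matches exactly, while the eager Y-collision probability and the union bound are both 1/2. `switching(distinct_queries(3), 2, 3)` returns (5/8, 5/8, 5/8, 3/4), showing the first two inequalities tight and the union bound loose by the second-order birthday terms. Pushing ℓ to 3 is already infeasible for the RF enumeration (8^8 tables), which is the point of doing these proofs symbolically.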
A conclusion

There is a problem with cryptographic proofs.
Cryptographic proofs can (and should) be machine-checked.
Verification technology is mature enough to provide a solution. We provided two:
CertiCrypt: fully formalized machine-checked proofs in Coq.
EasyCrypt: an automated, SMT-based tool.

Have we reached the point where the formalization effort pays off? Are cryptographers willing to adopt these tools?
What do cryptographers think of all this?

"The expansion of the original proof from a paragraph or two to several thousand lines of computer output is remarkable. Can one find anything similar in the history of mathematical proofs? There is one striking analogy that comes to mind. Early in the 20th century, Russell and Whitehead wrote Principia Mathematica [...]" (N. Koblitz, 2012)

"Usually one has to leave the sciences entirely if one wishes to find works of scholarship—for example, Michel Foucault's turgid 760-page three-volume philosophical treatise on sex—that have been so successful in turning something that should be interesting and accessible to everyone into something lengthy, unreadable, and boring." (N. Koblitz, 2012)