Introduction we consider the problem of complexity analysis for - PowerPoint PPT Presentation

Implicit Computational Complexity of Subrecursive Functional Programs, with Applications to Cryptographic Proofs Patrick Baillot LIP, CNRS & ENS de Lyon joint work with Gilles Barthe and Ugo Dal Lago gdt Géométrie du Calcul (GEOCAL) & Logique, Algèbre, Calcul (LAC) journées 2016 du gdr IM 1

Introduction ✤ we consider the problem of complexity analysis for higher-order functional programs with references ✤ implicit computational complexity has designed restricted languages with guaranteed complexity bounds, in particular polynomial time ✤ however here we aim at: ✤ an analysis covering a larger class of programs ✤ allowing to extract concrete complexity bounds ✤ our motivation is the analysis of complexity bounds on adversaries built by cryptographic reductions 2

Modular complexity analysis? String String String S 1 S 2 3

Modular complexity analysis? String String String S 1 S 2 T(S 1 ; S 2 ) ≤ T(S 1 )+ T(S 2 )o|S 1 | 4

String -> String String S 2 String 5

String -> String S 1 String S 2 String 6

String -> String S 1 String S 2 String Which information from S 1 and S 2 is sufficient to bound T(S 1 ;S 2 ) ? 7

N ->N S 1 N S 2 N 8

F : N ->N S 1 N return F(F(n)); n : N 9

F : N ->N S 1 N return F(F(n)); n : N T(S 1 ; S 2 ) ≤ T(S 1 )+ T(S 1 )o|S 1 | 10

F : N ->N S 1 r:=1; N for i=0 to n n : N {r:= F(r)}; return r; 11

F : N ->N S 1 let F n = n+3; r:=1; N for i=0 to n n : N {r:= F(r)}; return r; 12

F : N ->N S 1 let F n = n+3; r:=1; N for i=0 to n n : N {r:= F(r)}; return r; ... leads to linear output growth: 3n 13

F : N ->N S 1 let F n = 3n; r:=1; N for i=0 to n n : N {r:= F(r)}; return r; ... leads to exponential output growth: 3 n 14

F : N ->N S 1 let F n = 3n; r:=1; N for i=0 to n n : N {r:= F(r)}; return r; ... leads to exponential output growth: 3 n hence exponential time if the output is used to drive another for-loop 15

(N ->N)-> ( N ->N) S 1 N S 2 N 16

(N ->N)-> ( N ->N) S 1 N S 2 N T(S 1 ; S 2 ) ?? 17

Motivation for modular complexity analysis N ->N N S 2 N Analysis with partial information, e.g. S 1 coming from a library 18

Motivation for modular complexity analysis N ->N ? N S 2 N Guide the choice/design of S 1 in order to satisfy some global complexity property 19

Motivation for cryptographic reductions we consider security proofs of cryptographic primitives, in the computational model 20

Motivation for cryptographic reductions we consider security proofs of cryptographic primitives, in the computational model their correction can be verified formally with tools such as e.g. Cryptoverif or Easycrypt 21

Motivation for cryptographic reductions we consider security proofs of cryptographic primitives, in the computational model computational security property reduction assumption of a scheme proof 22

Motivation for cryptographic reductions we consider security proofs of cryptographic primitives, in the computational model computational security property reduction assumption of a scheme proof by contraposition: ∃ feasible adversary A 1 ∃ feasible adversary A 2 reduction for security property for the computational proof of the scheme assumption 23

Motivation for cryptographic reductions A 1 A 2 reduction program 24

Motivation for cryptographic reductions A 1 A 2 reduction program If A 1 is PPT, is A 2 also PPT ? 25

Motivation for cryptographic reductions A 1 A 2 reduction program If A 1 is PPT, is A 2 also PPT ? If A 1 is in DTIME(n k ), is A 2 is in DTIME(n g(k) ), for some g? 26

Ideas for complexity analysis ideas steming from implicit complexity, for higher-order complexity analysis: • linearity discipline for functional variables • time bounds can be derived from the combination of: • a size analysis • structural recursion ( for loops) • to analyse the size, use an enriched type systems: indexed types 27

Towards indexed types N ->N S 1 let F n = n+3; 28

Towards indexed types N a ->N a+3 S 1 let F n = n+3; 29

Towards indexed types N a ->N 3a S 1 let F n = 3n; 30

Towards indexed types N a ->N 3a S 1 let F n = 3n; •in which language write the type indexes? polynomials ? 31

Towards indexed types N a ->N 3a S 1 let F n = 3n; •in which language write the type indexes? polynomials ? •however if we fix the language: • some programs will not be typable • some polynomial time programs may have exponential subprocedures 32

Towards indexed types N a ->N 3a S 1 let F n = 3n; Therefore we choose an open index language: first-order language with as many function symbols as needed 33

Source language : l T ✤ Terms a higher order calculus with references 34

Source language : l T iteration ✤ Terms a higher order calculus with references 35

Source language : l T ✤ Terms read and write operations a higher order calculus with references 36

Source language : l T ✤ Terms a higher order calculus with references sufficient to embed a simple imperative for-language 37

Source language : l T ✤ Terms a higher order calculus with references sufficient to embed a simple imperative for-language but also functional combinators such as fold, map 38

Source language : l T ✤ Terms ✤ Types 39

Source language : l T ✤ Terms ✤ Types type-and-effects effect: a = set {r 1,..., r k} of references read 40

Source language : l T ✤ Terms ✤ Types type-and-effects data-type of binary strings: L(B) 41

Source language : l T ✤ Terms ✤ Types ✤ Typing judgements ✤ Terms 42

T yping rules for l T programs (selection) 43

T yping rules for l T programs (selection) typability ensures linear use of functional variables and termination of execution 44

Index terms ✤ An «open» language of indexes: first-order terms I := a| f(I 1, ..., I k ) for f in a set IF and a system of equations ε defining I F will contain such functions as 0, +, s ... { ✤ example: ε containing e(0) = 1 e(s(a))=2 e(a) defines exponentiation. 45

d l T type system ✤ Indexed types: ✤ Effects: ✤ Judgements: 46

d l T type system: typing rules (selection) we omit subtyping conditions here... 47

d l T type system: examples 48

Weight of a derivation ✤ we associate to each derivation π an index term W ( π ), its weight , defined by induction on π . example: 49

Complexity soundness Theorem (Complexity soundness) : If π is derivation of then the execution of M on the abstract machine is done in time bounded by W ( π ) . 50

Example: hardcore predicate ✤ If f : {0,1} n -> {0,1} n is a one-way function, then g f : {0,1} 2n -> {0,1} 2n defined by g f (x,y)=(f(x),y) is also one-way. ✤ A hardcore predicate p for a one-way function f : {0,1} n -> {0,1} n is a function which is efficiently computable from {0,1} n to {0,1} such that it is difficult to guess p(x), when one only knows f(x). 51

Example: hardcore predicate A 1 adversary for A 2 adversary for reduction g f is a one-way function program is a hardcore predicate for g f If A 1 is PPT, is A 2 also PPT ? . 52

Example: reduction for hardcore predicate [KatzLindell] 53

Example: reduction, written in l T 54

Example: reduction for hardcore predicate [KatzLindell] 55

Example: reduction for hardcore predicate [KatzLindell] L a (B) 56

Example: reduction for hardcore predicate [KatzLindell] N a L a (B) 57

Example: reduction for hardcore predicate [KatzLindell] N a L a (B) N log(r(a)) 58

Example: reduction for hardcore predicate [KatzLindell] N a L a (B) N log(r(a)) L log(r(a)) (B) 59

Example: reduction for hardcore predicate [KatzLindell] ✤ in this example we obtain for the type derivation of the inverter A ’ the weight W ( π )=O(n 2 f A (1+2n)), where f A is a function bounding the complexity of adversary A . ✤ the bound given by the soundness thm for the complexity of A ’ corresponds with the one obtained by a complexity analysis by hand . 60

T ype inference Theorem (Inference) : There is a type inference algorithm CTI , taking as input typed l T terms, such that: ✤ CTI is total, ✤ if CTI(M)=( π , ε ) then π is a correct type derivation for M . Theorem (Termination) : If M is an l T term and CTI(M)=( π , ε ) , then So, type inference never fails... ε is terminating. 61

T ype inference Theorem (Inference) : There is a type inference algorithm CTI , taking as input typed l T terms, such that: ✤ CTI is total, ✤ if CTI(M)=( π , ε ) then π is a correct type derivation for M . So, type inference never fails... Theorem (Termination) : If M is an l T term and CTI(M)=( π , ε ) , then But ... what do we know about the equational program ε ? ε is terminating. 62