# Programming Language Techniques for Cryptographic Proofs

## Programming Language Techniques for Cryptographic Proofs

Gilles Barthe (1), Benjamin Grégoire (2), Santiago Zanella-Béguelin (1)

(1) IMDEA Software, Madrid, Spain; (2) INRIA Sophia Antipolis - Méditerranée, France. ITP 2010.


2. Formal verification of cryptographic primitives

Security of cryptographic primitives is hard to achieve:

- "Secure schemes" broken after more than 10 years
- "Security proofs" remaining flawed over more than 15 years

First step: acknowledging the problem.

> Do we have a problem with cryptographic proofs? Yes, we do [...] We generate more proofs than we carefully verify (and as a consequence some of our published proofs are incorrect). (Halevi, 2005)

> In our opinion, many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor. (Bellare and Rogaway, 2006)

3. (In)famous example: RSA-OAEP

Timeline:

- 1994, Bellare and Rogaway: purported proof of chosen-ciphertext security
- 2001, Shoup: proof is flawed, but can be patched (1) for a weaker security notion, or (2) for a modified scheme, or (3) under stronger assumptions
- 2001, Fujisaki, Okamoto, Pointcheval, Stern: new proof (the "Fujisaki et al. 2001 proof" referred to below)
- 2004, Pointcheval: filled gaps in the Fujisaki et al. 2001 proof
- 2009, Bellare, Hofheinz, Kiltz: security definition needs to be clarified
- 2010: filled gaps and marginally improved bound in the 2004 proof

4. Exact IND-CCA security of OAEP

```
Game IND-CCA :              Game PD-OW :
  (pk, sk) ← KG(η);           (pk, sk) ← KG_f(η);
  (m_0, m_1) ← A_1(pk);       s $← {0,1}^{n+k_1};
  b $← {0,1};                 t $← {0,1}^{k_0};
  c* ← E(m_b);                s̃ ← I(f(pk, s ∥ t))
  b̃ ← A_2(c*)
```

Security statement:

$$
\forall A,\ \exists I,\quad
\left|\Pr[\mathrm{IND\text{-}CCA} : \tilde b = b] - \tfrac{1}{2}\right|
\;\le\;
q_H \cdot \Pr[\mathrm{PD\text{-}OW} : \tilde s = s]
+ \frac{3 q_D q_G + q_D^2 + 4 q_D + q_G}{2^{k_0}}
+ \frac{2 q_D}{2^{k_1}}
$$

The proof has been machine-checked in the Coq proof assistant. How?


6. Exact IND-CCA security of OAEP

```
Game IND-CCA :                      Oracle G(r) :
  L_G, L_H, L_D ← nil;                if r ∉ dom(L_G) then L_G[r] $← {0,1}^{n+k_1};
  (pk, sk) ← KG(η);                   return L_G[r]
  (m_0, m_1) ← A_1(pk);
  b $← {0,1};                       Oracle H(r) : ...
  c* ← E(m_b);
  c*_def ← true;                    Oracle D(c) :
  b̃ ← A_2(c*)                         L_D ← (c*_def, c) :: L_D;
                                      ...
```

Security statement:

$$
\forall A,\ \exists I,\quad
\mathrm{WF}(A) \;\wedge\;
\Pr\big[\mathrm{IND\text{-}CCA} : |L_G| \le q_G + q_D \wedge |L_H| \le q_H \wedge |L_D| \le q_D \wedge (\mathsf{true}, c^*) \notin L_D\big] = 1
\;\Longrightarrow
$$

$$
\left|\Pr[\mathrm{IND\text{-}CCA} : \tilde b = b] - \tfrac{1}{2}\right|
\;\le\;
q_H \cdot \Pr[\mathrm{PD\text{-}OW} : \tilde s = s]
+ \frac{3 q_D q_G + q_D^2 + 4 q_D + q_G}{2^{k_0}}
+ \frac{2 q_D}{2^{k_1}}
$$

7. The game-playing methodology

How do we formalize the statement? Games = (families of) probabilistic programs:

```
Game G^η_0 :
  ...
  ... ← A(...);
  ...
```

with the quantity of interest $\Pr_{G^\eta_0}[A_0]$.

How do we perform the proof? Game transformation = program transformation. The proof is a sequence of games $G^\eta_0, G^\eta_1, \ldots, G^\eta_n$, in which, for instance, the adversary call `... ← A(...)` is replaced by a call `... ← B(...)`, and each step is justified by an inequality:

$$
\Pr_{G^\eta_0}[A_0] \;\le\; h_1\big(\Pr_{G^\eta_1}[A_1]\big) \;\le\; \cdots \;\le\; h_n\big(\Pr_{G^\eta_n}[A_n]\big)
$$

11. CertiCrypt: machine-checking provable security

- Certified framework for checking exact provable security proofs in the Coq proof assistant
- A combination of general methods from programming languages and of cryptography-specific tools
- Game-based methodology, natural to cryptographers
- Focus on exact security bounds
- Several case studies:
  - Encryption schemes: ElGamal, Hashed ElGamal, OAEP, IBE
  - Signature schemes: FDH, BLS
  - Zero-knowledge proofs: see talk at CSF!

12. Inside CertiCrypt

- Semantics and cost model of probabilistic programs
- Model for adversaries
- Standard tools to reason about probabilistic programs:
  - Semantics-preserving program transformations
  - Observational equivalence
  - Relational Hoare Logic

In this talk: automation of two reasoning patterns in crypto:

1. Bounding failure events
2. Moving sampling of random values across procedures

13. pWhile: a probabilistic programming language

```
I ::= V ← E                    assignment
    | V $← DE                  random sampling
    | if E then C else C       conditional
    | while E do C             while loop
    | V ← P(E, ..., E)         procedure call
C ::= skip                     nop
    | I; C                     sequence
```

`x $← d`: sample `x` according to distribution `d`, typically the uniform distribution on a set (e.g. {0,1}, {0,1}^ℓ).

Deep embedding: the syntax of programs is formalized as an inductive type.

14. Dependently-typed syntax

```coq
Inductive I :=
| Assign : ∀ t, V t → E t → I
| Rand   : ∀ t, V t → DE t → I
| Cond   : E B → C → C → I
| While  : E B → C → I
| Call   : ∀ l t, P (l, t) → V t → dlist l E → I
where C := list I
```

- Programs are well-typed by construction
- Semantics as a total function
- Allows richer specifications (e.g. enforcing size constraints on bitstrings)

15. Semantics

Measure monad (courtesy of Christine Paulin). Distributions are represented as functions of type

$$
D(A) \stackrel{\text{def}}{=} (A \to [0,1]) \to [0,1]
$$

such that, for every $\mu \in D(A)$:

1. $f \le g \Rightarrow \mu(f) \le \mu(g)$;
2. $\mu(1 - f) \le 1 - \mu(f)$;
3. $f \le 1 - g \Rightarrow \mu(f + g) = \mu(f) + \mu(g)$;
4. $\mu(k \times f) = k \times \mu(f)$;
5. if $f : \mathbb{N} \to (A \to [0,1])$ is monotonic and for all $n \in \mathbb{N}$, $f(n)$ is monotonic, then $\mu(\sup f) \le \sup(\lambda n.\ \mu(f(n)))$.

All arithmetic is in the unit interval $[0,1]$.

$$
\begin{aligned}
\mathsf{unit} : A \to D(A) &\stackrel{\text{def}}{=} \lambda x.\ \lambda f.\ f\,x \\
\mathsf{bind} : D(A) \to (A \to D(B)) \to D(B) &\stackrel{\text{def}}{=} \lambda \mu.\ \lambda F.\ \lambda f.\ \mu(\lambda x.\ F\,x\,f)
\end{aligned}
$$
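To make the measure monad concrete, here is an added Python rendering of the slide's $D(A)$, `unit` and `bind` (this is example code written for this page, not part of CertiCrypt or of Paulin's Coq library). A measure is a Python callable taking a bounded function and returning its expectation; `uniform`, `prob` and the finite-support check of properties 1-4 are assumptions of this example, and `Fraction` keeps every probability exact.

```python
from fractions import Fraction

# A measure mu over A is a callable: given f : A -> [0,1] it returns mu(f),
# the expectation of f under mu (the slide's D(A) = (A -> [0,1]) -> [0,1]).

def unit(x):
    """unit x = λf. f x, the Dirac measure at x."""
    return lambda f: f(x)

def bind(mu, F):
    """bind µ F = λf. µ(λx. F x f): draw x from µ, then continue with F x."""
    return lambda f: mu(lambda x: F(x)(f))

def uniform(support):
    """Uniform measure on a finite non-empty set (constructed helper standing
    in for the slide's 'uniform distribution on a set')."""
    support = list(support)
    p = Fraction(1, len(support))
    return lambda f: sum((p * f(x) for x in support), Fraction(0))

def prob(mu, event):
    """Pr_µ[event] = µ(indicator of event)."""
    return mu(lambda x: Fraction(1) if event(x) else Fraction(0))

def satisfies_axioms(mu, support, f, g, k):
    """Check properties 1-4 of the slide on a finite support, for bounded f, g
    with f ≤ g and f ≤ 1 - g pointwise, and a scalar k in [0,1]."""
    one = Fraction(1)
    assert all(0 <= f(x) <= g(x) <= one and f(x) <= one - g(x) for x in support)
    monotone    = mu(f) <= mu(g)                                  # property 1
    compat      = mu(lambda x: one - f(x)) <= one - mu(f)         # property 2
    additive    = mu(lambda x: f(x) + g(x)) == mu(f) + mu(g)      # property 3
    homogeneous = mu(lambda x: k * f(x)) == k * mu(f)             # property 4
    return monotone and compat and additive and homogeneous

# Constructed sample distributions: a fair coin and a fair six-sided die.
coin = uniform([0, 1])
die = uniform(range(1, 7))

# Sequencing with bind: the XOR of two independent fair coins.
xor_of_two_coins = bind(coin, lambda x: bind(coin, lambda y: unit(x ^ y)))

def xor_is_one():
    """Pr[x ⊕ y = 1] for two independent fair coins."""
    return prob(xor_of_two_coins, lambda v: v == 1)

def expected_die_over_six():
    """µ(λx. x/6) for the die: a bounded function's expectation, 7/12."""
    return die(lambda x: Fraction(x, 6))

def die_axioms_hold():
    f = lambda x: Fraction(x, 24)     # at most 1/4 on {1..6}
    g = lambda x: Fraction(x, 12)     # f ≤ g and f ≤ 1 - g hold on {1..6}
    return satisfies_axioms(die, range(1, 7), f, g, Fraction(1, 3))
```

Property 5 (continuity) is what makes the `sup` in the semantics of `while` well defined; it is exercised by the loop approximants in the interpreter example further down rather than here.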

16. Semantics

$$
\begin{aligned}
\llbracket c \in C \rrbracket &: M \to D(M) \\
\llbracket \mathsf{skip} \rrbracket &= \mathsf{unit} \\
\llbracket i;\ c \rrbracket\, m &= \mathsf{bind}\,(\llbracket i \rrbracket\, m)\ \llbracket c \rrbracket \\
\llbracket x \leftarrow e \rrbracket\, m &= \mathsf{unit}\ m\{(\llbracket e \rrbracket_E\, m)/x\} \\
\llbracket x \xleftarrow{\$} d \rrbracket\, m &= \mathsf{bind}\,(\llbracket d \rrbracket_{DE}\, m)\,(\lambda v.\ \mathsf{unit}\ m\{v/x\}) \\
\llbracket \mathsf{if}\ e\ \mathsf{then}\ c_1\ \mathsf{else}\ c_2 \rrbracket\, m &=
  \begin{cases}
    \llbracket c_1 \rrbracket\, m & \text{if } \llbracket e \rrbracket_E\, m = \mathsf{true} \\
    \llbracket c_2 \rrbracket\, m & \text{if } \llbracket e \rrbracket_E\, m = \mathsf{false}
  \end{cases} \\
\llbracket \mathsf{while}\ e\ \mathsf{do}\ c \rrbracket\, m &= \lambda f.\ \sup\big(\lambda n.\ \llbracket [\mathsf{while}\ e\ \mathsf{do}\ c]_n \rrbracket\, m\, f\big) \\
\text{where } [\mathsf{while}\ e\ \mathsf{do}\ c]_0 &= \mathsf{skip} \\
[\mathsf{while}\ e\ \mathsf{do}\ c]_{n+1} &= \mathsf{if}\ e\ \mathsf{then}\ c;\ [\mathsf{while}\ e\ \mathsf{do}\ c]_n \\
\llbracket x \leftarrow p(\vec e) \rrbracket\, m &= \mathsf{bind}\,(\llbracket p.\mathsf{body} \rrbracket \ldots
\end{aligned}
$$

Not axioms: an actual function, built from a small-step semantics.


18. Observational equivalence

Games $G_1$ and $G_2$ are observationally equivalent w.r.t. input variables $I$ and output variables $O$ iff: IF $m_1$ and $m_2$ coincide on $I$ THEN $\llbracket G_1 \rrbracket m_1$ and $\llbracket G_2 \rrbracket m_2$ coincide on $O$ (i.e. their projections on $O$ are equal).

$$
\begin{aligned}
m_1 =_X m_2 &\stackrel{\text{def}}{=} \forall x \in X,\ m_1\,x = m_2\,x \\
f =_X g &\stackrel{\text{def}}{=} \forall m_1\, m_2,\ m_1 =_X m_2 \Rightarrow f\,m_1 = g\,m_2 \\
G_1 \simeq^{I}_{O} G_2 &\stackrel{\text{def}}{=} \forall m_1\, m_2\, f\, g,\ m_1 =_I m_2 \wedge f =_O g \Rightarrow \llbracket G_1 \rrbracket\, m_1\, f = \llbracket G_2 \rrbracket\, m_2\, g
\end{aligned}
$$

Generalized to arbitrary relations: probabilistic Relational Hoare Logic ...but this is not what this talk is about.
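The pWhile grammar, its denotational semantics in the measure monad, and the definition of observational equivalence can all be exercised on finite examples. The following Python interpreter is an example added for this page, not CertiCrypt's Coq development: instructions are tuples built by constructors named after the inductive type, a memory is a dict from variable names to values, and expressions and guards are Python callables on memories (an assumption made instead of a separate expression language; procedure calls are left out, as the slide elides them). Loops are evaluated through the slide's approximants $[\mathsf{while}\ e\ \mathsf{do}\ c]_n$, selected by a `fuel` argument, so the monotone approach to the `sup` is visible; `obs_equiv` decides $G_1 \simeq^I_O G_2$ by brute force over small finite variable domains, comparing the distributions of the $O$-projection, which on finite domains is equivalent to the $\forall f =_O g$ clause.

```python
from fractions import Fraction
from itertools import product

def unit(x):
    return lambda f: f(x)

def bind(mu, F):
    return lambda f: mu(lambda x: F(x)(f))

def uniform(xs):
    xs = list(xs)
    p = Fraction(1, len(xs))
    return lambda f: sum((p * f(x) for x in xs), Fraction(0))

# Instruction constructors mirroring the grammar; a program is a list of
# instructions (C := list I). Guards/expressions are callables on memories.
def Assign(x, e):    return ("assign", x, e)      # x ← e
def Rand(x, xs):     return ("rand", x, xs)       # x $← uniform on xs
def Cond(e, c1, c2): return ("cond", e, c1, c2)   # if e then c1 else c2
def While(e, c):     return ("while", e, c)       # while e do c

def sem(c, m, fuel=16):
    """⟦c⟧ m : D(M). `fuel` selects the approximant [while e do c]_fuel of
    each loop ([while]_0 = skip, [while]_{n+1} = if e then c; [while]_n);
    the loop's denotation is the sup over fuel."""
    if not c:                                            # ⟦skip⟧ = unit
        return unit(m)
    i, rest = c[0], c[1:]                                # ⟦i; c⟧ m = bind (⟦i⟧ m) ⟦c⟧
    return bind(sem_instr(i, m, fuel), lambda m2: sem(rest, m2, fuel))

def sem_instr(i, m, fuel):
    tag = i[0]
    if tag == "assign":                                  # unit m{⟦e⟧ m / x}
        return unit({**m, i[1]: i[2](m)})
    if tag == "rand":                                    # bind (uniform) (λv. unit m{v/x})
        return bind(uniform(i[2]), lambda v: unit({**m, i[1]: v}))
    if tag == "cond":
        return sem(i[2] if i[1](m) else i[3], m, fuel)
    if tag == "while":
        e, body = i[1], i[2]
        if fuel == 0 or not e(m):                        # [while]_0 = skip, or guard false
            return unit(m)
        return bind(sem(body, m, fuel), lambda m2: sem_instr(i, m2, fuel - 1))
    raise ValueError(f"unknown instruction {tag}")

def prob(c, m, event, fuel=16):
    """Pr[c started in m : event] = ⟦c⟧ m (indicator of event)."""
    return sem(c, m, fuel)(lambda m2: Fraction(int(event(m2))))

# Constructed loop: x ← 0; while x = 0 do x $← {0,1}
COIN_LOOP = [Assign("x", lambda m: 0),
             While(lambda m: m["x"] == 0, [Rand("x", [0, 1])])]

def loop_terminated_within(n):
    """⟦[while]_n⟧ applied to the event x = 1: equals 1 - 2^-n, increasing
    in n towards the sup 1 (the loop terminates with probability 1)."""
    return prob(COIN_LOOP, {"x": 0}, lambda m: m["x"] == 1, fuel=n)

def obs_equiv(G1, G2, I, O, domains):
    """Decide G1 ≃^I_O G2 on finite domains: for all m1 =_I m2, the
    O-projections of ⟦G1⟧ m1 and ⟦G2⟧ m2 must have the same distribution."""
    names = list(domains)
    mems = [dict(zip(names, vals)) for vals in product(*(domains[v] for v in names))]
    def projected(G, m):
        outs = product(*(domains[v] for v in O))
        return {o: prob(G, m, lambda m2, o=o: tuple(m2[v] for v in O) == o) for o in outs}
    for m1 in mems:
        for m2 in mems:
            if all(m1[v] == m2[v] for v in I) and projected(G1, m1) != projected(G2, m2):
                return False
    return True

# Constructed games over bits b, x, y: "optimistic sampling" in both directions.
DOMS = {"b": [0, 1], "x": [0, 1], "y": [0, 1]}
OPT_L = [Rand("x", [0, 1]), Assign("y", lambda m: m["x"] ^ m["b"])]   # x $← {0,1}; y ← x ⊕ b
OPT_R = [Rand("y", [0, 1]), Assign("x", lambda m: m["y"] ^ m["b"])]   # y $← {0,1}; x ← y ⊕ b
COPY  = [Assign("y", lambda m: m["b"])]                                 # y ← b

def optimistic_sampling_holds():
    """OPT_L ≃^{b}_{x,y} OPT_R: sampling x and deriving y, or the converse."""
    return obs_equiv(OPT_L, OPT_R, I={"b"}, O=["x", "y"], domains=DOMS)

def copy_is_not_uniform():
    """COPY ≄^{b}_{y} OPT_R: y ← b is distinguishable from a uniform y."""
    return obs_equiv(COPY, OPT_R, I={"b"}, O=["y"], domains=DOMS)
```

The equivalence `optimistic_sampling_holds` is exactly the kind of semantics-preserving transformation (moving a random sampling to a different variable) that slide 12 lists as a reasoning pattern; the negative case shows that the check is sensitive to the choice of $O$.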

19. Reasoning about failure events

Lemma (Fundamental Lemma of Game-Playing). Let $A$, $B$, $F$ be events and $G_1$, $G_2$ be two games such that

$$
\Pr[G_1 : A \wedge \neg F] = \Pr[G_2 : B \wedge \neg F].
$$

Then

$$
\left|\Pr[G_1 : A] - \Pr[G_2 : B]\right| \;\le\; \max\big(\Pr[G_1 : F],\ \Pr[G_2 : F]\big).
$$
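A concrete check of the lemma, as an example added here rather than anything from the slides' Coq proof: two constructed games that are "identical until bad" (they differ only on runs where the failure event $F$ holds), evaluated exactly by enumerating a uniform random tape. A third game that also differs outside $F$ violates the hypothesis, and the bound fails for it, which shows why the hypothesis is needed. Game and event names are assumptions of this example.

```python
from fractions import Fraction

# A game is a function from a random tape r (uniform on range(TAPES)) to a
# final memory; events are predicates on memories. All probabilities are exact.
TAPES = 64

def game1(r):
    bad = r % 8 == 0                     # the failure event F has probability 1/8
    return {"bad": bad, "out": 7 if bad else r % 8}

def game2(r):
    bad = r % 8 == 0
    return {"bad": bad, "out": 0 if bad else r % 8}    # differs from game1 only when bad

def game3(r):
    bad = r % 8 == 0
    return {"bad": bad, "out": 7 if (bad or r % 8 == 1) else r % 8}  # also differs when not bad

def pr(game, event):
    """Pr[G : event] over the uniform tape."""
    return Fraction(sum(1 for r in range(TAPES) if event(game(r))), TAPES)

def fundamental_lemma(g1, g2, A, B, F):
    """Return (hypothesis_holds, lhs, rhs) for
    |Pr[G1:A] - Pr[G2:B]| ≤ max(Pr[G1:F], Pr[G2:F])."""
    hyp = pr(g1, lambda m: A(m) and not F(m)) == pr(g2, lambda m: B(m) and not F(m))
    lhs = abs(pr(g1, A) - pr(g2, B))
    rhs = max(pr(g1, F), pr(g2, F))
    return hyp, lhs, rhs

A = lambda m: m["out"] == 7          # the event whose probability we bound
F = lambda m: m["bad"]               # the failure event

def check_identical_until_bad():
    """game1/game2 satisfy the hypothesis; the bound holds with equality (1/8 ≤ 1/8)."""
    hyp, lhs, rhs = fundamental_lemma(game1, game2, A, A, F)
    return hyp and lhs <= rhs, lhs, rhs

def check_violation():
    """game3/game2 violate the hypothesis and the difference 1/4 exceeds max Pr[F] = 1/8."""
    hyp, lhs, rhs = fundamental_lemma(game3, game2, A, A, F)
    return hyp, lhs, rhs
```

In a game-based proof the role of `game1`/`game2` is played by two consecutive games whose code is syntactically identical except under a `bad` flag; the lemma then lets the proof move to the simpler game at the cost of bounding $\Pr[F]$, which is the "bounding failure events" pattern of slide 12.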