Computational Soundness (II)

Computational Soundness (II) Bogdan Warinschi - University of Bristol - TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAA

Security property Model Security property Model Proof method Proof method Security property Security property Model Model Proof method Proof method Two types of security models

The Needham-Schroeder public key protocol {A,NA}pkB B A {NA,NB}pkA {NB}pkB • Nonce NB sent in the second message: • is intended for A (identity received in the first message) • should be secret to any other party but A • A and B should have matching conversations

The Needham-Schroeder public key protocol {A,NA}pkB {A,NA}pkC A C B {NA,NB}pkA {NB}pkB {NB}pkC • NB is secret if the adversary is passive • NB is not secret if the adversary is active • Matching conversations does not hold

Lowe’s fix – Secure Version of NS {A,NA}pkB {B,NA,NB}pkA {NB}pkB No more “logical” attacks; protocol secure

… or is it? Implement the protocol with an (IND-CPA) secure encryption scheme¦ Adv(¦,A)(»)= Pr[(pk,sk) Ã K(»): AE(pk,.) =1] – Pr[(pk,sk) Ã K(»): AE(pk,0|¢|)=1]

Another gap • There exist IND-CPA secure encryption scheme and a deterministic polynomial time algorithm such that E(pkA,(B,NA NB)) E(pkA,(C,NA NB))

An attack against an implementation of NSL {A,NA}pkB {A,NA}pkC A C B {B,NA,NB}pkA {C,NA,NB}pkA {NB}pkB {NB}pkC • NB may not be secret even if encryption is IND-CPA • Matching conversations does not hold • … use stronger encryption

IND-CCA security for multi-users • Implement encryption with a scheme (K,E,D) that is IND-CCA secure Epk1(LR(b,.,.)) Epk2(LR(b,.,.)) Dsk1(.) Dsk2(.) b is… C m0, m1 Dsk2(C) Epk1(mb)

…back to NSL • If NSL is implemented with an encryption scheme that is IND-CCA secure then: • NB is secret • Matching conversations holds

Mind the gap… • Security of primitives is • axiomatized(in the symbolic approach) • defined (in the computational approach) • Question: • Symbolically: not possible to calculate {C,NA,NB}pkA out of {B,NA,NB}pkA • Computationally: is it possible to enforce the above?

Computational soundness • The goal is to find sufficient security conditions on the primitives used in the implementation such that a protocol secure in the symbolic setting is also secure in the computational setting… • …but what is a protocol, what does secure mean?

Receive {A,Y}pkB Send {B,Y,NB}pkA Receive {NB}pkB Send {A,NA}pkB Receive {B,NA,X}pkA Send {X}pkB Protocols • A sequence of message exchanges • Messages constructed from constants, variables, and cryptographic operations

Communication is over a network THE INTERNET

(Generic) Execution model {A,NA}pkB {B,NA,X}pkA {X}pkB

Symbolic execution model • Messages exchanged during the execution are terms • Cryptographic operations are operations on terms • The adversary is a Dolev-Yao adversary who operates with a finite, well determined number of rules {a,nb}pk(b) {b,na,nb}pk(a) {nb}pkB

Computational execution model • Messages exchanged during the execution are bitstrings • Cryptography implemented with actual (randomized) algorithms • The adversary is an arbitrary randomized polynomial time algorithm 1101110111 0101001111 1001011111

Back to the gap • Security properties are statements about two very different executions • Non-deterministic executions (symbolically) • Randomized executions (computationally)

Computational soundness via trace mapping

Symbolic execution of a protocol The trace mapping approach Real execution of a protocol

A bit more precisely • The adversary may be able to corrupt parties • The adversary may send any message it wants to a session and receives the answer calculated by the session

Execution trace: m0 m1 m2 m3 . . . Formally m0 m1 m2 m3 . . . F1 F0 F2 F3 Fi : Local variables of sessions -> Values Execution traces Send(m,session)

Symbolic executions m0 m1 m2 m3 F1 F0 • Messages, values etc… are terms Fi: Local variables of sessions -> Terms • Adversary can only send messages that he can compute according to the Dolev Yao rules • Nondeterministic executions • For protocol ¦ and adversary A, write Trs(¦,A) for the trace determined by A F2 F3

m0 m1 m2 m3 G1 G0 . . . G2 G3 Computational executions • Messages, values etc… are bitstrings Gi: Local variables of sessions -> Bitstrings • Adversary can only send any polynomial-time computable message • Executions are randomized • Trc(¦(R¦),A(RA)) is the execution trace determined by adversary A, randomness R¦ and RA . . .

m0 m1 m2 m3 F1 . . . F0 F2 F3 fc fc fc fc fc fc fc fc fc Computational soundness result m0 m1 m2 m3 G1 G0 . . . G2 G3 • “Mapping lemma”: With overwhelming probability the computational traceis the image of a Dolev-Yao trace through an appropriate mapping fc. • Interpretation: The real adversary only performs Dolev Yao operations!!!

Trace mapping lemma • Let ¦ be a protocol and A a computational adversary. If ¦ is implemented with secure primitives then almost all of the computational traces of ¦ are images of symbolic Dolev-Yao traces. Prob[ 9 B, 9 fc : Trc(¦(R¦), A(RA)) = fc(Trs(¦,B)) ] is overwhelming

Proof idea • Fix an adversary A • Any concrete execution can be mapped to a symbolic execution • Show that this symbolic execution is that of a Dolev-Yao adversary (with overwhelming probability)… or otherwise one can use A to break the underlying primitives

0100110111 1001011111 1001011111 0100110111 1001011111 Step 2: From concrete executions… c b a a

0100110111 {a,b,nAdv,1}pk(c) {a,na,1}pk(b) 1001011111 0100110111 1001011111 {a,na,1}pk(b) Send {A,NA}pkB Receive {B,NA,X}pkA Send {X}pkB Receive {A,Y}pkB Send {B,Y,NB}pkA Receive {NB}pkB {b,na,1,nb,3}pk(a) {b,na,1,nb,3}pk(a) 1001011111 Step 2: …to symbolic executions c b a a

bs1 {N}pkA {N}pkB bs2 Step 3: The symbolic trace is Dolev-Yao fc fc Given an adversary that produces traces that are not Dolev-Yao, use that adversary to break the security of the basic primitive(s)

{N}pkA C {N}pkB C D Epk(a)(LR(b,.,.)) Epk(b)(LR(b,.,.)) Dk1(.) Dk2(.) n Select n0, n1 random nonces (n0,n1) If n=n0 then output 0 else output 1 bs1 bs2

Trace mapping lemma • Let ¦ be a protocol and A a computational adversary. If ¦ is implemented with secure primitives then almost all of the computational traces of ¦ are images of symbolic Dolev-Yao traces. Prob[ 9 B, 9 fc : Trc(¦(R¦), A(RA)) = fc(Trs(¦,B)) ] is overwhelming

Computational soundness for trace properties

Security properties Execution traces Property P A security property is a predicate on the set of possible traces E.g.: Matching conversations: every session of user B (with A) that finishes successfully has a matching session of user A

Trs(¦,A) Property Ps Security Properties - symbolically • Protocol ¦satisfies security property Ps • (¦ ²sPs) iff (8A) Trs(¦,A)2Ps

Security Properties - symbolically • Protocol ¦satisfies security property Ps • (¦ ²sPs) iff (8A) Trs(¦,A)2Ps Property Ps Symbolic traces of ¦

Property Pc Trc(¦(R¦),A(RA)) Security Properties - computationally • Protocol ¦ satisfies computationally property Pc: ¦ ²cPc iff (8p.p.t A) Pr [ Trc(¦(R¦), A(RA))2Pc] is overwhelming

Security Properties - computationally • Protocol ¦ satisfies computationally property Pc: ¦ ²cPc iff (8p.p.t A) Pr [ Trc(¦(R¦), A(RA))2Pc] is overwhelming Property Pc Tr(¦(R¦), A(RA))

Translation of trace properties Let Psbe a symbolic security property and let Pc = ¶(Ps)=f f(Ps) (the union is after all appropriate mappings f). If the mapping lemma holds then: THEOREM: Let ¦ be a protocol. Then: ¦ ²sPs)¦ ²c Pc

9 f Trc(¦(R¦),A(RA)) (9 B) Trs(¦,B) Proof Let ¦be a protocol and A a computational adversary. Pick R¦and RA. Then (with overwhelming probability): Ps ¶(Ps) f(Ps)

Soundness for secrecy properties

NSL ²sSecret(NB) For any session t of B with an honest party A, the nonce nt that instantiates NB in session t is never sent by the adversary in clear over the network Receive {A,Y}pkB Send {B,Y,NB}pkA Receive {NB}pkB Send {A,NA}pkB Receive {B,NA,X}pkA Send {X}pkB Soundness for secrecy[Cortier, Warinschi] • For the Needham Schroder Lowe protocol:

Soundness for secrecy • The mapping lemma implies a notion of computational secrecy: • (With overwhelming probability) the adversary cannot output any of the nonces that instantiate variable NB in sessions of B with honest A • …but this security notion – onewayness – is cryptographically unsatisfying

Computational secrecy • Computational secrecy for nonce N in session t: prior to the execution select n0, n1. Run the protocol with nb as value for NB in session t. Give n0,n1 to the adversary and ask him to guess b • NSL²cSecret(N) if N is computationally secret in any session of B with an honest party

Soundness for secrecy • For any protocol ¦ implemented with secure primitives (digital signatures, public key encryption, nonces)¦²sSecret(N) )¦²cSecret(N) • The proof relies on the computational adversary to only perform Dolev-Yao operations

Soundness for hash functions

Hash functions • The trace mapping lemma holds if hash functions are implemented by random oracles • Hash values can be interpreted as symbolic terms by observing the communication with the random oracle • … soundness holds for trace properties • How about secrecy?

Soundness for secrecy does not hold anymore • Consider a protocol ¦ where A sends to B the message h(NA), where NA is a random nonce. Then • ¦ ²sSecret(NA) is true • ¦ ²cSecret(NA) is not true • So soundness does not hold Since given h(nb), n0,n1 the adversary can easily recover b

…but it can be recovered • Define the pattern that the adversary can observe when given N.In particular: • patternN({N}pk)=□pk • patternN(h(N))=h(N) • patternN(h(N’))=h(□)

Stronger notion of secrecy • Stronger notion of secrecy for nonces:¦ ²sSSecret(N) if for any instantiation nt of nonce N and for any adversary A, nt does not occur in patternnt(Trs(¦,A)) • Computational soundness for secrecy holds:¦ ²sSSecret(N) )¦ ²cSecret(N)

Computational Soundness (II)

Computational Soundness (II)

Presentation Transcript

Computational Grammars

Computational Geometry - Part II

Achim Tresch Computational Biology

Introduction to computational linguistics

Bull Breeding Soundness Evaluation

Computational Morphology

Type soundness

Computational Approaches(1/7)

Computational Mechanism Design

Computational Soundness for PCL

Lectures on Computational Biology

Computational Finance

On 1 -soundness and Soundness of Workflow Nets

Computational Geometry II

Validity and Soundness

Computational Methods in Astrophysics

Computational Soundness of Formal Models

DISCRETE COMPUTATIONAL STRUCTURES

Soundness

Deduction, Validity, Soundness