260 likes | 409 Views
Soundness of Formal Encryption in the Presence of Key Cycles. Gergei Bana University of Pennsylvania P. Adão, J. Herzog, A Scedrov. Structure of the Talk. The Abadi-Rogaway logic and its computational interpretations The problem of key-cycles Standard notions of security and KDM security
E N D
Soundness of Formal Encryption in the Presence of Key Cycles Gergei Bana University of Pennsylvania P. Adão, J. Herzog, A Scedrov
Structure of the Talk • The Abadi-Rogaway logic and its computational interpretations • The problem of key-cycles • Standard notions of security and KDM security • KDM security as a solution to key-cycles
Introduction • Cryptographic protocols: two models • Formal or Dolev-Yao model • Computational model from complexity theory • Much recent work relates the two • Build formal-to-computational protocol interpretation • Map formal security goals to computational goals • Prove soundness or completeness
Logic of Formal Encryption • We define a very simple algebra of terms that is a modified version of [AbadiRogaway00]; • Expressions represent the messages exchanged during the protocol • They might also include some prior knowledge available to the adversary, eg., public keys. • Patterns represent how an adversary can look at an expression: • If an adversary does not know a certain private key he does not see a message in the same way as an adversary that posesses that key.
Logic of Formal Encryption • Expressions are built from simple sets • Keys = {K1, K2, K3,...}, Keys-1= {K1 -1, K2 -1, K3 -1,...} and Blocks={0,1}* viaparing and encryption; Exp ::= Keys | Keys-1 | Blocks | (Exp,Exp) | {Exp}Keys • Formal length. Let be a function symbol such that: • For all blocks B1 and B2, l(B1) = l(B2) iff |B1| = |B2|; • For all i and j, l(Ki) = l(Kj) and l(Ki-1) = l(Kj-1); • If l(M1) = l(N1), l(M2) = l(N2) thenl((M1,M2)) = l((N1,N2)), • If l(M) = l(N), then for all Ki, l({M}Ki) = l({N}Ki). ( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )
Logic of Formal Encryption • Patterns are built from expressions replacing undecryptable terms {M}Kby K,l(M) Pat ::= Keys | Keys-1 | Blocks | (Pat,Pat) | {Pat}Keys | Keys,(Keys) ( (K2-1, {01}K3 ) , ( {({101}K2,K5-1)}K2, { {K6}K4 }K5) ) ( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6)}K5) ) • Two expressions M and N are defined to be formally equivalent if pattern(M)=pattern(N)s for some key-renaming functions. • We denote this by M@N.
Computational Model • In the computational world messages are represented by bit-strings, strings= {0,1}*, andfamilies of probability distributions over strings; • Fix an injective pairing function (length of output depends only on lengths of inputs); • Encryption schemes are probabilistic (polynomial-time) algorithms, and encryptions are obtained by running the encryption alghorithm.
Computational View • Basic components of symmetric encriptions: • Key generation algorithm: K(1), randomly generates a pair of strings (e, d) ( is security parameter) • Encryption algorithm: E(e,x), encrypts the plaintext x with the key e, coin-tossing allowed (length of output depends only on the lengths of inputs). • Decryption algorithm: D, D(d, E(e,x) )=x
Relating the Two Models • Formal expressions are mapped to (interpreted in) the computational model as follows: • For each (K,K-1) generate a pair of keys using the key generation algorithm; • Each B block is mapped to B; • Each pair (M,N) is interpreted as the pair of the interpretations; • Each encryption is interpreted by running the encryption algorithm. • Example: • {({101}K2,K5-1)}K2translates to the random variable ( E( e2 (E ( ( e2,101 ) , d5) • The keys e2, d5 are randomly generated, and the two encrypting functions have independent randomness as well.
Interpretation and Soundness Property • To each expression M wehave assigned an array of probability distributions denoted by [[N]]. • Definition (Soundness) We say that the interpretation is sound, if for any two expressions, M@N implies that the interpretations [[M]] and [[N]] are computationally indistinguishable.
Known Results • Theorem: If the expressions are interpreted in a CPA secure encryption scheme, then for M and Nacyclic expressions,M@N implies that [[M]]and [[N]] are indistinguishable. • Problem:This result does not apply to self-encrypting keys, and cycles in more general; • What do we propose: Possible to solve this problem via a strong enough notion of security that has been around (KDM security); • [Laud02] proposed a solution for the problem of key-cycles bystrengthening the formal adversary.
Known Results AbadiRogaway00, AbadiJurgens01:soundness for indistinguishability properties MicciancioWarinschi02, HorvitzGligor03: completeness for indisitinguishability properties Bana04, AdãoBanaScedrov05: more general soundness,completeness properties Herzog04: soundness for non-malleability properties BackesPfitzmannWaidner03:soundness for general trace-based properties HerzogCanneti04, MicciancioWarinschi04:soundness, completeness for Message Authentication, Key-Exchange Laud02:soundness via strengthening the “formal adversary"
Proof Method 1 • Semantic Security (IND-CPA) [GoldwasserMicali84] • An Adversary A is given a public key e; • A sends to an oracle two messages m1 and m2 of the same length • The oracle choses randomly b {0,1} and sends to A the value E(e,mb); • A has to guess which of the plaintexts was encrypted. • Interpretation of a box: • The ’th ( is security parameter) distribution of the interpretation ofK,(M) is the ’th distribution of the interpretation of {0|[[M]]_|}K
Proof Method 2 [[( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]] K3,(01) [[( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]] K4,(K6) [[( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6)}K5) )]] [[( (K1-1, K6,(K7^-1)) , ( {({101}K2,K5-1)}K2, { K7,,(1)}K5) ) ]] K7,(1) [[ ( (K1-1, K6,(K7^-1)) , ( {({101}K1,K5-1)}K1, {{1}K7}K5) ) ]] K6,(K7^-1) [[ ( (K1-1, {K7-1}K6) , ( {({101}K1,K5-1)}K1, {1}K7}K5 ) )]]
The problem of key-cycles • Key cycles: • K1 encrypts K2-1 • K2encrypts K3 -1 ...... • Kn encrypts K1 -1 • Can actually occur in Dolev-Yao model • Possible to interpret formal messages with key cycles • But soundness results do not hold • [[{K1-1}K1]] does not have to be equivalent to [[{K2-1}K3]] • Even if the above two are equivalent, [[ ( {K1-1}K2, {K2-1}K1 ) ]] does not have to be equivalent to [[ ( {K1-1}K2, {K3-1}K1 ) ]],
Traditional Notions of Security • Semantic Security (IND-CPA) • Chosen Ciphertext Security - Lunchtime Security (IND-CCA1) [NaorYung90] • An Adversary A is given a public key e; • A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts; • A sends to the oracle two messages m1 and m2 of the same length • The oracle choses randomly b {0,1} and sends to A the value E(e,mb); • A has to guess which of the plaintexts was encrypted.
Traditional Notions of Security • Adaptive Chosen Ciphertext Security (IND-CCA2) [RackoffSimon91] • An Adversary A is given a public key e; • The oracle choses randomly b {0,1}. • A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts; • A can send to the oracle any pair of messages m1 and m2 of the same length and receive the value E(e,mb); • A can send to the oracle polynomially many ciphertexts (but different from E(e,mb)) and obtain the associated plaintexts; • A has to guess which of the plaintexts was encrypted.
Traditional Notions of Security • Formally, we have where D1=D2=Id in the case of CPA; D1(x)=D(d,x) and D2=Id in the case of CCA1; D1(x)=D(d,x) and D2(x)=D(d,x), as long as x¹E(e,mb), in the case of CCA2.
CCA-2 is not Enough • We showed that the traditional security definitions are not enough. Theorem: CCA-2 security does not enforce soundness. • Corollary: Soundness is not implied by any of the following: NM-CCA-1, IND-CCA-1, NM-CPA, or IND-CPA • Theorem: Soundness does not enforce IND-CPA.
KDM-Security • The notion of key-dependent message security was introduced by Black et al.[BlackRogawayShrimpton02] and in a different form by [CamenischLysyanskaya01]. • In [CL01] the authors developed the notion of key-dependent encryption scheme and use it in a credential revocation scheme. This scheme is realised in the RO-model. • KDM security is defined through the following game:
KDM Security • Key Dependent Message Security [BRS02] • An Adversary A is given a vector of public keys e. The corresponding vector of private keys d is kept private; • A creates a (plaintext construction) function f (that might depend on e) and asks the oracle to encrypt f(d) with ei; • The oracle encrypts either • f(d) with ei (oracle Reald), or • 0|f(d)| with ei (oracle Faked); • A has to guess which happened.
KDM Security • An encryption scheme is KDM-secure if: • Theorem: KDM-security does not imply NM-CPA security, and neither IND-CCA-1, or IND-CCA-2 security. It does imply IND-CPA.
Soundness for Key-Cycles • Theorem:If the expressions are interpreted in a KDM-secure system, thenM, N expressionsM@N implies that [[M]] and [[N]] are indistinguishable. • Corollary: CCA-2 security does not imply KDM-security.
Proof Method [[( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]] K3,(01)K4,(K6) [[( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6)}K5) )]] [[( (K1-1, K6,(K7^-1)) , ( {({101}K2,K5-1)}K2, { K7,,(1)}K5) ) ]] K6,(K1) K7,(1) [[ ( (K1-1, {K7-1}K6) , ( {({101}K1,K5-1)}K1, {1}K7}K5 ) )]]
Conclusions • Inspite of the differences, and origins, of the two models, several properties can be carried over from one to the other; • KDM-security is orthogonal to the previous security notions; • We have soundness even in the presence of key-cycles.