280 likes | 297 Views
Computational and Information-Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption. ** Gergei Bana ** University of Pennsylvania. * Pedro Adão * Center for Logic and Computation, Instituto Superior Técnico, Lisbon. ** Andre Scedrov **
E N D
Computational and Information-Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption **Gergei Bana ** University of Pennsylvania *Pedro Adão * Center for Logic and Computation, Instituto Superior Técnico, Lisbon ** Andre Scedrov ** University of Pennsylvania * Partially supported by FCT ** Partially supported by ONR CIP/SW URI
The Problem • Relationship between two different approaches to cryptography/security: formal and computational • Formal approach • uses simple, manageable formal language to describe cryptographic protocols • amenable to automatization, computer tools • its accuracy is unclear • Computational approach • harder to handle mathematically • proofs by hand • seems more accurate, hence widely accepted
Abadi-Rogaway Approach • Very simple formal language along with its interpretation by means of probabilistic ensembles in a computational cryptographic setting. • Two notions of equivalence: one for the formal, one for the computational setting. Then, it makes sense to try to prove: • Soundness: if two formal expressions are equivalent, then their computational interpretations are equivalent, • Completeness: vice versa.
Logic of Formal Encryption • The Logic of Formal Encryption defined in [Abadi, Rogaway 2000] is a logic defined in the classical Dolev-Yao style. The terms are represented as: • b, for a block of 0’s and 1’s; • K, for a Key; • (M1,M2), for a pair of terms; • {M}K, for the encryption of term M, with the key K; • Example ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
Computational View • Basic components of symmetric encriptions: • Key generation algorithm: K(), randomly generates a string ( is security parameter) • Encryption algorithm: Ek, encrypts with the key k, coin-tossing allowed. • Decryption algorithm: D, Dk( Ek (x) )=x
Interpretation of Formal Expressions • Computational interpretation is a random variable: • Run key-generation as many times as the number of keys in the formal expression give all output the label “key”: k5,“key” • Blocks become fixed labeled strings: 101,“block” • Formal encryption { }K is replaced by Ek ( ),“cipher” • Formal pairing ( , ) is replaced by , ,“pair” • Example: • {({101}K2,K5)}K2 translates to the random variable Ek2(Ek2 (101,“block”) ,“cipher” ,k5,“key” ,“pair”) ,“cipher”. • The keys k2, k5 are randomly generated, and the two encrypting functions have independent randomness as well.
Formal Equivalence • Formal equivalence Two expressions are equivalent if replacing everything that is indecipherable with , we obtain the same formal pattern up to key renaming • ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) ) ( (K2, ) , ( {({101}K2,K5)}K2, { }K5) ) same up to key renaming ( (K1, ) , ( {({101}K1,K5)}K1, { }K5) ) ( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )
Computational Equivalence • Computational equivalence Two probabilistic ensembles are computationally equivalent if they cannot be distinguished by any probabilistic polynomial time algorithm
Soundness Completeness Soundness and Completeness ({expression}K1,0) ({expression’}K1,0) stringensemble,cipher,0,block,pair stringensemble’,cipher,0,block,pair ({expression}K1,0) ({expression’}K1,0) stringensemble,cipher,0,block,pair stringensemble’,cipher,0,block,pair
Previous Work • Abadi and Rogaway 2000: soundness when • a singlefor all undecryptable ciphers • acyclicity • Their cryptosystems were “type-0”, i.e., • conceal repetition of plaintext • conceal repetition of keys • conceal length of message • Micciancio and Warinschi 2002: completeness in this case • Horvitz and Gligor 2003: completeness for type-0 under strictly weaker assumptions • Corin and Laud 2003: soundness extended to composite keys
Type-0 Systems F AEk1(.), Ek2(.) x F(x) AEk1(0), Ek1(0) Type-0 Encryption Schemes • In case of type-0 cryptosystems, any two ciphertexts are computationally indistinguishable.
Previous Work • Abadi and Jürjens 2000: extension to trace equivalence in a progamming language setting • Lincoln, J. Mitchell, M. Mitchell, Scedrov 1998: process calculus for the computational model • Canetti 2001: universally composable security • Backes, B. Pfitzmann, and Waidner 2003: simulatable Dolev-Yao-style cryptographic library • Herzog 2003: computational soundness of standard assumptions of formal cryptography • Impagliazzo, Kapron 2003: logic of the computational model
Our Work • We extend the framework of Abadi and Rogaway in two directions, still maintaining soundness and completeness • In an expansion of the A-R formal language by labeled boxes, we relax the assumption on the cryptosystem • We explore purely probabilistic, information-theoretic interpretations of the formal language
Expansion of the Logic • We relax condition on security by using labelled boxes in the definition of formal equivalence: parameter • For key repetition revealing cryptosystems (which-key revealing): • K boxes indexed by the encrypting key • For length revealing cryptosystems: • n boxes indexed by length • For length and which-key revealing cryptosystems: • n,K boxes indexed by length and key
Type-2 Systems F AEk1(.) x x F(x) F(x) AEk1(0) F AEk1(.), Ek2(.) AEk1(.), Ek1(.) Different Types of Encryption Schemes: Type-2 • In type-2 systems, key repetition is detectable, so we use K for each encrypting key K.
Formal Equivalence for Type-0 • Formal equivalence When we replace everything that is indecipherable with , we obtain the same formal pattern up to key renaming • ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) ) ( (K2, ) , ( {({101}K2,K5)}K2, { }K5) ) same up to key renaming ( (K1, ) , ( {({101}K1,K5)}K1, { }K5) ) ( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )
Formal Equivalence for Type-2 • Formal equivalence Up to key renaming, the same formal pattern is obtained if we replace all indecipherable expressions of the form {M}KwithK • ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) ) ( (K2, K3) , ( {({101}K2,K5)}K2, { K4}K5) ) not same up to key renaming ( (K1, K7) , ( {({101}K1,K5)}K1, { K7}K5) ) ( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )
Formal Equivalence for Type-2 • Formal equivalence Up to key renaming, the same formal pattern is obtained if we replace all indecipherable expressions of the form {M}KwithK • ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) ) ( (K2, K3) , ( {({101}K2,K5)}K2, { K4}K5) ) same up to key renaming ( (K1, K6) , ( {({101}K1,K5)}K1, { K7}K5) ) ( (K1,{K1}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )
Soundness Proof Method ||( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )|| K3 ||( (K2, {0}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )|| K4 ||( (K2, {0}K3) , ( {({101}K2,K5)}K2, { {0}K4 }K5) )|| ||( (K2, {0}K6) , ( {({101}K2,K5)}K2, { {0}K7}K5) ) || K7 || ( (K1, {0}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5) ) || K6 || ( (K1, {K1}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )||
Completeness Proof Method • Suppose we have the message M=((K2,{01}K3),({({101}K2,K5)}K2,{{K6}K4}K5)) An element x sampled from the interpretation looks like k,key,c1,cipher,pair,c3,cipher,c2,cipher,pair,pair • The (first step of the) expansion of the tree associated with M is illustrated in the following diagrams: c4,cipher k1,key k,key c1,cipher c3,cipher c2,cipher k,key c1,cipher k,key c2,cipher ((k,key,c1,cipher),(c3,cipher,c2,cipher)) B(x) ((k,key,c1,cipher),(((c4,cipher, k1,key), 0, k,key),c2,cipher)) D1(M)B(x) After the first step a new key k1,key is revealed, which corresponds to K5, thus some new strings appear and an “old” string c2,cipher becomes available for decryption. This process is iterated until no further decryptions are possible.
Completeness Proof Method • Suppose that we have now two messages Mand N such that their interpretations are equivalent We want to show that the tree expansions are also equivalent. • They have the same structure (straightforward); • In each place where one has a key, the other also has; • Wherever one has an encryption, the other also has; • The decryptions in both places have to coincide! G0(C1key,M)(y) D1(M)B(x) D1(N)B(y) G0(C1key,M)(x) c4,cipher k1,key c4’,cipher k1’,key k’,key k,key c1,cipher c2,cipher k’,key c1’,cipher c2’,cipher k,key ((k,key,c1,cipher),(((c4,cipher, k1,key) ,0, k,key),c2,cipher)) ((k’,key,c1’,cipher),(((c4’,cipher, k1’,key),0, k’,key),c2’,cipher)) The keys used in both places have to be the same!
Information-Theoretic Interpretations • There is no reason to limit interpretations to computational systems. We can • give purely probabilistic interpretations, • define a notion of equivalence in the probabilistic cryptosystem, • try proving soundness and completeness. • We carry this out for One-Time Pad.
Interpretation in One-Time Pad • Formal view: • Length is introduced for formal expressions • Encrypting twice with the same key is excluded • Equivalence is defined via boxes indexed by formal notion of length: n • Interpretation: • Key generation depends on formal key length • Encryption via the rules of OTP • Equivalence of interpretations holds if probability distributions agree • Soundness and completeness are proven
Further Extensions: A General Probabilistic Treatment • Single formalism for computational and information-theoretic approach • Security parameter then indexes independent components of random variables • Computational and information-theoretic treatment differ in the notion of equivalence introduced in the general formalism as well as in the values of the random variables.
Further Expansions in the Formal Language • New objects: • Equivalence relation on the set of formal ciphers • A box corresponding to each equivalence class of ciphers • Equivalence class on the formal set of keys • Equivalence: • Introduce a box to each equivalence-class on ciphers • Key-renaming is allowed only among keys in the same class • Replace each undecryptable cipher in an expression by the box corresponding to its equivalence class
Soundness and Completeness • Completeness iff: • ||({M}k1,{N}k2)|| ||({M’}k1',{N’}k2')|| implies ({M}k1,{N}k2) ({M’}k1',{N’}k2') • Decrypting with the wrong key is detectable • Soundness iff: • Replacing ciphers of the form {.}k0 with equivalent ciphers {.}k0' in an expression if k0 and k0' do not occur anywhere else (except as encrypting keys) results in equivalent interpretation.
Conclusions and Future Work • Formal setting can be varied in useful ways • Established soundness and completeness for extended logics • Introduced new technique for completeness proofs • Include new primitives, e.g., signature schemes • Extend the formalism to include active adversaries • Relate our work with information- theoretic models
References • [Abadi, Jürjens 2001] M. Abadi and J. Jürjens, Formal eavesdropping and its computational interpretation in 4th International Symposium on Theoretical Aspects of Computer Software (TACS), pages 82-94, 2001. • [Abadi, Rogaway 2000] M. Abadi and P. Rogaway, Reconciling two views of cryptography: The computational soundness of formal encryption in 1st IFIP International Conference on Theoretical Computer Science, volume 1872 of Lecture Notes in Computer Science, pages 3-22, 2000. • [Micciancio, Warinschi 2004a] D. Micciancio and B. Warinschi, Completeness Theorems for the Abadi-Rogaway Logic of Encrypted Expressions in Journal of Computer Security, 12(1), pages 99-129, 2004. Based on Extended Abstract in WITS 2002. • [Micciancio, Warinschi 2004b] D. Micciancio and B. Warinschi, Soundness of Formal Encryption in the Presence ofActive Adversaries in Theory of Cryptography Conference (TCC), Cambridge, Massachusetts, volume 2951 of Lecture Notes in Computer Science, pages 133-151, February 19-21 2004.