1 / 50

A Plausible Approach to Computer-aided Cryptographic Proofs

A Plausible Approach to Computer-aided Cryptographic Proofs. Shai Halevi. The Problem. Crypto proofs are hard to verify Many (most?) published proofs aren’t read by anyone other than the author Even proofs for “important” schemes are often not fully verified Errors in proofs happen

taima
Download Presentation

A Plausible Approach to Computer-aided Cryptographic Proofs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi June 2005

  2. The Problem • Crypto proofs are hard to verify • Many (most?) published proofs aren’t read by anyone other than the author • Even proofs for “important” schemes are often not fully verified • Errors in proofs happen • Usually in some itty-bitty detail in this side remark at the bottom of page 27 June 2005

  3. Sample Arguments “We now make several changes to the order in which variables are chosen in game R1. We make the following changes to the code: • […] • Instead of choosing MMs{0,1}n and setting CsmPsmMMs, we choose Csm{0,1}n and set MMsPsmCsm • We replace the assignment CCCsiMCsjMs1 in line 136 by the equivalent assignment CCCsiPPPsiMsj. This is equivalent sinceMCsj = MPsjMsj = PPPsiMs1Msj • […] June 2005

  4. More Sample Arguments “H6 checks in client sessions (Pi,ssid) that receive a non-peer-oracle-generated pair […] H7encrypts the “dummy password” w’ in c2 instead of encrypting the password w, for every client session (Pi,ssid) that received a non-peer-oracle-generated pair (c1,VK) in step 2 with non-valid ciphertext c1.Then as in H2 and H4, since the encryption scheme E' is semantically secure, the environment cannot distinguish between these cases. Note that the session key of such client sessions are already chosen randomly, and the ZKPs are already simulated. Thus neither depends on how c2 is generated. Also note that in the reduction to the security of E' with public key pk', one can still test c1 encryptions, since they are encrypted with the other public key pk and can be decrypted using sk.” June 2005

  5. You need to be a compiler to verify some of these arguments June 2005

  6. Can We Write Such Compiler? • Boils down to verifying that two pieces of code induce the same probability distribution on some of their variables • The simplest example: M{0,1}n,CPM, Use(C) vs.C{0,1}n, MPC, Use(C) June 2005

  7. In This Talk • Look at the security-proof of the Cramer-Shoup encryption scheme • Show how to reconstruct the proof using a “compiler-like” tool • Muse about how to build this tool June 2005

  8. My Bottom Line • It can be built, with a lot of work • Perhaps similar to a new programming language: compiler, run-time, development environment, … • Is there a “business case”? • Where can I get resources to develop this tool? June 2005

  9. This tool is not… • Not a theorem prover • A person writes the (entire) proof • The tool only verifies that the arguments are valid • Different than the approach of the formal-methods community (AFAIK) • No “logic of authentication”, “process calculus”, etc. June 2005

  10. Computer assistance • The person writing the security proof writes code, specifies how to get from one piece of code to the other • The automated tool verifies that the transformations are permissible • Transformations to code represent common arguments in crypto proofs June 2005

  11. DDH +DDH TCR +TCR +t /q^4 CCA4 CCA5’ CCA5 CCA1 CCA2 XYZ game with bad events game with output The empty game game that depends on a (binary) parameter game that is derived from template XYZ +epsilon transformation that changes the probability by epsilon transformation that is justified by a reduction Preview: The Proof of CS98 +1/q +2t / q CCA[CS] CCA5 CCA4 CCA CCA1 CCA2 CCA3’ June 2005

  12. Everything is code • Game = code that tells the participants in the game what to do • Argument in a proof = transformation from one game to another June 2005

  13. The Cramer-Shoup Encryption Scheme • Uses operations in algebraic group G • And a hash function H • Resists chosen ciphertext attacks, provided that • The “decision Diffie-Hellman” problem (DDH) is hard in the group G • The hash function H is “target-collision-resistant” June 2005

  14. Pseudo-code for CS98 • 01. g,g’G, x1,x2,y1,y2,z1,z2{1,2,…,q} • 02. e=gx1g’x2, f=gy1g’y2, h=gz1g’z2 • 03. pk=(g,g’,e,f,h), sk=(x1,x2,y1,y2,z1,z2) KeyGen Enc(m) Dec(a,a’,c,d) 11. assert m G // else fail 12. u  {1,2,…,q} 13. a=gu, a’=g’u, b=hu, c=b·m 14. v=H(a,a’,c), d=eufuv 15. Output (a,a’,c,d) 21. assert a,a’,c,d G // else fail 22. v = H(a,a’,c) 23. assert d = ax1+vy1·a’x2+vy2// else fail 24. b = az1a’z2, m=c/b 25. Output m June 2005

  15. CCA Security • “Resistance to chosen-ciphertext attacks” is defined via a game • Attacker gets public-key and access toa black box that decrypts • Attacker submits two messages, gets back encryption of one of them, needs to guess which one • without asking the box to decrypt the “target ciphertext” June 2005

  16. Pseudo-code for CCA Game CCA (parameters: bit s, integer t) 101. (ps,sk)  KeyGen 102. C[1] = Attacker(pk) 103. For s=1 to t 104. answer[s] = Dec(C[s]) 105. if s<t then C[s+1] = Attacker( answer[s] ) 106. (m0,m1) = Attacker( answer[t] ), C* = Enc(ms) 107. C[t+1] = Attacker( C* ) 108. For s=t+1 to 2t 109. assert C[s]  C* 110. answer[s] = Dec(C[s]) 111. if s<2t then C[s+1] = Attacker( answer[s] ) 112. guess = Attacker( answer[2t] ), Output guess June 2005

  17. Proving Security • Pasting CS98 in CCA, we get the code describing CCA attack on CS98 • Fix anyAttacker and any integer t • Prove that CCA(0,t),CCA(1,t) output 1 with about the same probability • We show: |Pr[CCA(0,t)1] - Pr[CCA(1,t)1]| 2DDH+Collisions+O(t/q) June 2005

  18. Some Concepts • Games are specified via code • With an unspecified “attacker function”, • and a “main loop” where the attacker queries interfaces of the scheme, gets answers, then makes more queries… • Most (all?) games are probabilistic • E.g., u{1,2,…,q} in Enc(m) • Every game has variables of interest June 2005

  19. Variables of Interest • What “we care about” in the analysis • These are always either: • The output of the game • Or bad events (I’ll talk about these later) • Code that has no effect on the variables-of-interest is dead code • It is always permissible to add/remove dead code June 2005

  20. Back to CCA Game • The CCA game has output, no bad events, and no dead code • It is really two games, depending on the value of the binary parameter s • And we compare the output distribution of the two games • In games with output we always(?) compare the output of two games June 2005

  21. DDH +DDH TCR +TCR +t /q^4 CCA4 CCA5’ CCA5 CCA1 CCA2 XYZ game with bad events game with output The empty game game that depends on a (binary) parameter game that is derived from template XYZ +epsilon transformation that changes the probability by epsilon transformation that is justified by a reduction The CS98 Proof We are here +1/q +2t / q CCA[CS] CCA5 CCA4 CCA0 CCA1 CCA2 CCA3’ June 2005

  22. Game CCA1 • Modify the encryption code Instead of We now have • Encryption using the secret key? • Yes, so? This is a “mental experiment” • (BTW, the point about CCA1 is thatu is only used in computing a, a’) 12. u  {1,2,…,q} 13. a=gu, a’=g’u, b=hu, c=b·m 14. v=H(a,a’,c), d=eufuv 12. u  {1,2,…,q} 13. a=gu, a’=g’u, b=az1a’z2, c=b·m 14. v=H(a,a’,c), d=ax1+vy1a’x2+vy2 June 2005

  23. CCACCA1 is Permissible • hu=(gz1g’z2)u=(gu)z1(g’u)z2=az1a’z2 • How can a “compiler” verify that CCACCA1 is permissible? • Variable substitution is easy • Distributive, commutative rules would have to be built into the tool • Just like replacing x+y with y+x variable substitution variable substitution distributive, commutative June 2005

  24. DDH +DDH TCR +TCR +t /q^4 CCA4 CCA5’ CCA5 CCA1 CCA2 XYZ game with bad events game with output The empty game game that depends on a (binary) parameter game that is derived from template XYZ +epsilon transformation that changes the probability by epsilon transformation that is justified by a reduction +1/q +2t / q CCA[CS] CCA5 CCA4 CCA0 CCA1 CCA2 CCA3’ June 2005

  25. GameCCA2 • Replacing with • This sure changes the distribution • We intend to show that if Pr[CCA1(b,t)1], Pr[CCA2(b,t)1] differ by some , then we can “break DDH” in G with the same probability  12. u  {1,2,…,q} 13. a=gu, a’=g’u, b=az1a’z2, c=b·ms 12. u,u’ {1,2,…,q} 13. a=gu, a’=g’u’, b=az1a’z2, c=b·ms June 2005

  26. The DDH Assumption • No (efficient) algorithm distinguishes (g,gx,gy,gxy) from (g,gx,gy,gz) • Where gG, x,y,z{1,2,…q} • Equivalent to saying that you cannot distinguish (g,g’,gu,g’u) from (g,g’,gu,g’u’) • This assumption underlies the security of the Diffie-Hellman key-exchange protocol June 2005

  27. Pseudo-code for DDH • The “DDH assumption” is that DDH= |Pr[DDH(0)1]-Pr[DDH(1)1]| is small for any efficient Distinguisher DDH (parameter: bit s’) 201. g,g’G, u,u’{1,2,…,q} 202. if s’=0 then a=gu, a’=g’u’ 203. else a=gu, a’=g’u 204. guess=Distinguisher(g,g’,a,a’), Output guess June 2005

  28. The Reduction • Show that CCA1DDH(1),CCA2DDH(0) are permissible transformations • Instantiate the Distinguisher in DDH (by morphing the code of CCA1/CCA2) • Just moving pieces of code around • A “compiler” can check that this is ok • Only changing the order of “independent statements” June 2005

  29. DDH +DDH TCR +TCR +t /q^4 CCA4 CCA5’ CCA5 CCA1 CCA2 XYZ game with bad events game with output The empty game game that depends on a (binary) parameter game that is derived from template XYZ +epsilon transformation that changes the probability by epsilon transformation that is justified by a reduction +1/q +2t / q CCA[CS] CCA5 CCA4 CCA0 CCA1 CCA2 CCA3’ June 2005

  30. Bad Events • Recall Dec(a,a’,c,d): • a,a’ are supposed to be gu,g’u • It’s a bad thing if Attacker sends (gu,g’u’,c,d) but line 23 passes • How to represent bad events in code? 21. assert a,a’,c,d G 22. v = H(a,a’,c) 23. assert d = ax1+vy1a’x2+vy2 24. b = az1a’z2, m=c/b 25. Output m June 2005

  31. Bad-event Flags • A Boolean flag • Initialized to false, only has assignments to true in the code • Designated as “interesting” • Adding a bad-event flag is always a permissible code-transformation • Represens an argument that starts with “let BAD be the event where…” June 2005

  32. After-bad-is-set-nothing-matters [BR04] • Code that is executed only when badFlag=true is treated as dead code • Even if it effects other vars-of-interest • Why? • If badFlag=true then “all bets are off”, no more vars-of-interest, all code is dead • We intend to prove that badFlag=truerarely ever happens June 2005

  33. Game CCA3 • Replace g,g’Gwith gG, w{1,…q}, g’=gw • The tool should have a rule for algebraic groups saying that this is permissible • Replace with 23. assert d=ax1+vy1a’x2+vy // else fail added “dead code” 23. if d=ax1+vy1a’x2+vy2and a’aw then badFlag=true, fail 23a. else assert d=ax1+vy1a’x2+vy2 // else fail June 2005

  34. Game CCA3’ • Quite a few other modifications • But nothing that we didn’t see before • Algebraic, logic manipulations • Introducing new variables • Code movement • All made possible only after we added the “dead code” in line 23 June 2005

  35. DDH +DDH TCR +TCR +t /q^4 CCA4 CCA5’ CCA5 CCA1 CCA2 XYZ game with bad events game with output The empty game game that depends on a (binary) parameter game that is derived from template XYZ +epsilon transformation that changes the probability by epsilon transformation that is justified by a reduction +1/q +2t / q CCA[CS] CCA5 CCA4 CCA0 CCA1 CCA2 CCA3’ June 2005

  36. Game CCA4 • Replace 13. … c=b·msBy 13. …r{1,2,…,q}, c=gr • Why is this permissible? • Long story (four small steps) • Trust me, it works • CCA4 no longer depends on s, it is just one game now (rather than two) • Nothing to compare the output to • So we no longer care about it, can removed it June 2005

  37. Eliminating the Output • Started with two games with output • The goal is to compare their outputs • Morphed until their code is identical • So their output must be identical • Output is no longer “of interest” • We are done analyzing the output, we know that the difference is zero • Eliminating it becomes permissible June 2005

  38. DDH +DDH TCR +TCR +t /q^4 CCA4 CCA5’ CCA5 CCA1 CCA2 XYZ game with bad events game with output The empty game game that depends on a (binary) parameter game that is derived from template XYZ +epsilon transformation that changes the probability by epsilon transformation that is justified by a reduction +1/q +2t / q CCA[CS] CCA5 CCA4 CCA0 CCA1 CCA2 CCA3’ June 2005

  39. What’s Next? • Game CCA4 still has bad flags, how do we eliminate these? • Either via reductions • E.g., reduction to finding collisions in H • I don’t have time to show it here • Or via “probabilistic analysis” • Example in the next slide June 2005

  40. Eliminating Bad Flags • Consider the following code Example(parameter: a) // a is an n-bit string1. x  random-n-bit-string2. if x=a then badFlagtrue • Tool “knows” that • Variable x is a “random n-bit string” • Variables x and a are independent • “Can deduce” that x=a has prob. 2-n • So eliminating badFlag has penalty 2-n June 2005

  41. Eliminating Bad Flags (2) • User tells the tool to eliminate the designation of badFlag as bad flag • Tool looks for a rule that bounds the probability of badFlagtrue by some  • If found, tool “eliminates badFlag”, records penalty  • Else, tool records an “impermissible transformation” • User proves on paper some  June 2005

  42. DDH +DDH TCR +TCR +t /q^4 CCA4 CCA5’ CCA5 CCA1 CCA2 XYZ game with bad events game with output The empty game game that depends on a (binary) parameter game that is derived from template XYZ +epsilon transformation that changes the probability by epsilon transformation that is justified by a reduction The Proof of CS98 +1/q +2t / q CCA[CS] CCA5 CCA4 CCA CCA1 CCA2 CCA3’ June 2005

  43. XYZ The Proof of CMC [HR03] Mode-of-operation[CMC] £2 due to symmetry,see Eq (12), Page 21 +(2mq)2 /2n, see Eq (13), Page 21 RND +(mq)2 /2n ? ? NON2 RND3 RND3’ NON1 RND1 CMC game with bad events game with output The empty game game that is derived from template XYZ +epsilon transformation that changes the probability by epsilon ? An impermissible transformation June 2005

  44. Building the Tool June 2005

  45. Four Major Components • Engine: similar to optimizing compiler • Parses statements, control-flow graph • Handles variable substitution, code movement, adding/removing “dead code”, etc. • Library of code-transformations • Library of templates • User interface June 2005

  46. Transformations Library • Represent common arguments in proofs • Algebraic manipulations • Rules to eliminate bad flags, output • Other rules • A community development effort? • My proof uses an argument not in the library, I code it up so others can use it too June 2005

  47. Template Library • Code templates, represent common security goals and assumptions • E.g., a template for DDH, a template for CCA-security, etc. • Also community development effort? June 2005

  48. User Interface • Probably the hardest part • Should be easy for people to write their proofs using this tool • Specify games • “Sender proves to receiver in Zero-Knowledge that it knows the DL of x” • Access common transformations • Similarities to U.I. of development environment? June 2005

  49. My Bottom Line • It can be built, with a lot of work • Perhaps similar to a new programming language: compiler, run-time, development environment, … • Is there a “business case”? • Where can I get resources to develop this tool? June 2005

  50. Contact me if you are interested in working on this June 2005

More Related