SECURITY AND VERIFICATION Lecture 2: How to prove cryptography secure? Game-based proofs Tamara Rezk INDES TEAM, INRIA January 10th, 2012

Probabilistic programming language
var ::= x | y | z …
op ::= + | - | * | < | = …
expr ::= var | expr op expr
probFun ::= f | g | E | G | D | …
c ::= var := expr | skip | var := probFun(var, …, var) | if (expr) then {c} else {c} | while (expr) do {c} | c ; c

The interpretation of a probabilistic function and its parameters IS a distribution
p= [f] ( (x1),.. (xn) )(v) p>0
____________________________
< y: = f(x1,..xn), > p <, [ | y:v]>
• This formalizes more than one step of execution.
• The rule defines one step for each non-null probability p in the distribution of f

Example, random function {0,1}
• The distribution associated to the function {0,1} in our language is the uniform distribution: the same probability for each element of the set {0,1}
• Probabilistic function {0,1} does not have parameters
• Two rules for the instantiation of the meta-rule

We have seen…
• Probabilistic programs can be seen as distribution transformers
• Fixing the initial distribution, a terminating program reaches a fixed point, which we call the final distribution
• For terminating programs, once the initial distribution is fixed, we will say that a program IS a distribution (the final distribution)

Distribution Ensemble
• A distribution ensemble is a set of distributions indexed by a parameter
• In the following, we will often use distribution ensembles instead of just distributions
• The parameter will often be the length of the key (and the adversary will be polynomially bounded in this parameter)

Distribution Ensemble
Examples:
• G(1^256) is a distribution
• G(1^n) is a distribution ensemble and n is a parameter

Observational Equivalence
P0 and P1 are observationally equivalent with respect to variable x, denoted P0{x}P1, if Pr[P0; x = v] = Pr[P1; x = v] for all v
P0 and P1 are observationally equivalent with respect to variables x1..xn, denoted P0{x1..xn}P1, if Pr[P0; x1 = v1 ˄ x2 = v2 ˄ .. ˄ xn = vn] = Pr[P1; x1 = v1 ˄ x2 = v2 ˄ .. ˄ xn = vn] for all v1…vn

Example (deadcode)
G1 = x := {0,1}
G2 = x := {0,1}; y := {0,1}
G3 = y := {0,1}; x := {0,1}; if (y=0) then {x:=0} else {x:=1};
G4 = y := {0,1}; x := {0,1}; if (y=0) then {z:=0} else {z:=1};
What’s Pr[Gi; x=1]? What’s Pr[Gi; x=0]? What’s Pr[Gi; x=v] with v not 0,1?

Example (deadcode)
G1 = x := {0,1}
G2 = x := {0,1}; y := {0,1}
G3 = y := {0,1}; x := {0,1}; if (y=0) then {x:=0} else {x:=1};
G4 = y := {0,1}; x := {0,1}; if (x=0) then {z:=0} else {z:=1};
G1 and G2 are equivalent for x due to deadcode elimination.
G1 and G4 are equivalent for x due to deadcode elimination.

Example (deadcode)
G1 = x := {0,1}
G2 = x := {0,1}; y := {0,1}
G3 = y := {0,1}; x := {0,1}; if (y=0) then {x:=0} else {x:=1};
G4 = y := {0,1}; x := {0,1}; if (x=0) then {z:=0} else {z:=1};
G1{x}G2 by deadcode
G2{x}G4 by deadcode

Example (constant propagation)
G1 = x := {0,1}; if true then x:=0 else x:=1; y:=x
G2 = x := {0,1}; x:=0; y:=0
G3 = x:=0; y:=0
G1{x}G2 by constant propagation
G2{x}G3 by deadcode

Example (inline)
Ge() = k’d := {1.. q-1}; k’e := g^{k’d} mod q; ke, kd := k’e, k’d
G0 = c := {0,1}; ke, kd := Ge(); A[E]
G1 = c := {0,1}; k’d := {1.. q-1}; k’e := g^{k’d} mod q; ke, kd := k’e, k’d; A[E]

Example (inline)
Ge() = k’d := {1.. q-1}; k’e := g^{k’d} mod q; ke, kd := k’e, k’d
G0 = c := {0,1}; ke, kd := Ge(); A[E]
G1 = c := {0,1}; k’d := {1.. q-1}; k’e := g^{k’d} mod q; ke, kd := k’e, k’d; A[E]
G0{c,ke,kd}G1 by inline

Example (more observational equivalences)
G0 () = s := {0,1}^3; x := {0,1};
G1 () = s := {0,1}^3; if countones(s) countzeros(s) then x:=0 else x:=1
Are these two programs observationally equivalent for x?

Example (more observational equivalences)
G0 () = s := {0,1}^3; x := {0,1};
G1 () = s := {0,1}^3; if countones(s) countzeros(s) then x:=0 else x:=1
Yes. Pr[G0 (); x=0] = Pr[G1 (); x=0] = 1/2 (same for x=1)
G0{x}G1 by semantics

Example (more observational equivalences)
G0 () = s := {0,1}^3; x := {0,1};
G1 () = s := {0,1}^3; if countones(s) countzeros(s) then x:=0 else x:=1
G0{s,x}G1 ?

Example (more observational equivalences)
G0 () = s := {0,1}^3; x := {0,1};
G1 () = s := {0,1}^3; if countones(s) countzeros(s) then x:=0 else x:=1
G0{s,x}G1 ? No. Example:
d1(,[s:110, x:1]) = 0
d0(,[s:110, x:1]) = 1/16
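
The equivalences on the deadcode and countones slides can be checked by computing each game's final distribution exactly and comparing marginals. The Python below is an added example, not part of the lecture: the helper names (final_dist, marginal, obs_equiv, prob) are made up here, and the comparison missing from the countones slide is assumed to be ">", which agrees with the slide's value d1 = 0 for [s:110, x:1].

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

BIT = (0, 1)
S3 = ["".join(b) for b in product("01", repeat=3)]   # the set {0,1}^3

def final_dist(domains, body):
    """Exact final distribution of a terminating game: `domains` lists the
    finite set behind each uniform sampling, `body` maps one choice of
    sampled values to the final memory (dict: variable -> value)."""
    draws = list(product(*domains))
    dist = defaultdict(Fraction)
    for d in draws:
        dist[tuple(sorted(body(*d).items()))] += Fraction(1, len(draws))
    return dict(dist)

def marginal(dist, observed):
    """Project a final distribution onto the observed variables."""
    out = defaultdict(Fraction)
    for mem, p in dist.items():
        out[tuple(kv for kv in mem if kv[0] in observed)] += p
    return dict(out)

def obs_equiv(d0, d1, observed):
    """P0 {observed} P1: equal probability for every valuation."""
    return marginal(d0, observed) == marginal(d1, observed)

def prob(dist, **valuation):
    """Pr[game; var = value for every given var], 0 if unreachable."""
    want = set(valuation.items())
    return sum((p for mem, p in dist.items() if want <= set(mem)), Fraction(0))

# Deadcode slide: G1, G2 and G3
DC1 = final_dist([BIT], lambda x: {"x": x})
DC2 = final_dist([BIT, BIT], lambda x, y: {"x": x, "y": y})
DC3 = final_dist([BIT, BIT], lambda y, x: {"y": y, "x": 0 if y == 0 else 1})

# countones slide. ASSUMPTION: the comparison lost from the slide is ">",
# which agrees with the slide's d1([s:110, x:1]) = 0.
G0 = final_dist([S3, BIT], lambda s, x: {"s": s, "x": x})
G1 = final_dist([S3], lambda s: {"s": s, "x": 0 if s.count("1") > s.count("0") else 1})

if __name__ == "__main__":
    print(obs_equiv(DC1, DC2, {"x"}), obs_equiv(DC2, DC3, {"x"}), obs_equiv(DC2, DC3, {"x", "y"}))
    print(obs_equiv(G0, G1, {"x"}), obs_equiv(G0, G1, {"s", "x"}))
    print(prob(G0, s="110", x=1), prob(G1, s="110", x=1))
```

G2 and G3 of the deadcode slide agree on x but not on {x, y}, the same pattern as G0{x}G1 versus G0{s,x}G1 on the countones slide: equivalence always depends on which variables are observed.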

GROUPS RECALL
If g is a generator of a cyclic group, no efficient algorithm (polynomial in the order of the group) to compute log_g g^x is known.

Example of cyclic groups
<2> = <{1, .. 4}, multiplication modulo 5>
order?
2^0 mod 5, 2^1 mod 5, 2^2 mod 5, 2^3 mod 5 …
Another generator: 3
3^0 mod 5, 3^1 mod 5, 3^2 mod 5, 3^3 mod 5 …
1, 3, 9 mod 5, 27 mod 5, 81 mod 5, 243 mod 5, 2187 mod 5 …
1, 3, 4, 2, 1, 3, 4, 2 ..

Example mult_pad tactic
G0 () = y := {1.. q}; x := g^y mod (q+1)
G1 () = y := {1.. q}; x := z*g^y mod (q+1)
These two programs are observationally equivalent for x.
We assume that y is sampled from a cyclic group of prime order q, z is not zero (multiplicative group of integers modulo q+1)

Example mult_pad tactic
[Figure: the powers 2^0, 2^1, 2^2, 2^3 placed around a circle]

Example mult_pad tactic
[Figure: the circle of powers of 2, extended with 2^4, 2^5, 2^6, 2^7]

Example mult_pad tactic
Any z can be written as 2^n and it has a place in the circle (let’s say with 2^k). Multiplying we get 2^n * 2^k = 2^{k+n}. The domain of the new distribution is an isomorphism w.r.t. the original distribution of x.
[Figure: the circle of powers of 2, as on the previous slide]
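
The mult_pad equivalence and the exponent-shift argument behind it can be checked exhaustively in the modulo-5 group from the cyclic-group slide (so q = 4 and g = 2). This Python is an added example, not part of the lecture; the function names are made up here.

```python
from collections import Counter
from fractions import Fraction

P, G = 5, 2      # the slides' group: {1..4} under multiplication modulo 5, generator 2
Q = P - 1        # order of the group, so the modulus is q+1

def powers(g, count):
    """g^0, g^1, ... mod P, as listed on the cyclic-group slide."""
    return [pow(g, i, P) for i in range(count)]

def dist(f):
    """Exact distribution of f(y) for y sampled uniformly from {1..q}."""
    counts = Counter(f(y) for y in range(1, Q + 1))
    return {value: Fraction(n, Q) for value, n in counts.items()}

def game0():
    """G0: y := {1..q}; x := g^y mod (q+1)."""
    return dist(lambda y: pow(G, y, P))

def game1(z):
    """G1: y := {1..q}; x := z * g^y mod (q+1)."""
    return dist(lambda y: z * pow(G, y, P) % P)

def shift_argument_holds(z):
    """The slide's argument: z = g^n, so z * g^y = g^(y+n), and y -> y+n
    (mod q) is a permutation of the exponents. n is found by exhaustive
    search, which is only feasible because the group is a toy."""
    n = next(i for i in range(Q) if pow(G, i, P) == z)
    same_value = all(z * pow(G, y, P) % P == pow(G, y + n, P) for y in range(1, Q + 1))
    permutes = len({(y + n) % Q for y in range(1, Q + 1)}) == Q
    return same_value and permutes

if __name__ == "__main__":
    print(powers(2, 8), powers(3, 8))
    for z in range(1, P):
        print(z, game1(z) == game0(), shift_argument_holds(z))
    print(game1(0))  # z = 0 is excluded on the slide: x collapses to 0
```

For every non-zero z the two games give x the same uniform distribution; with z = 0 the output is always 0, which is why the slide requires z to be non-zero.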

Example
G0 = bad := false; x := {1.. 4}; y := {1.. q-1}; if (x <= 2) then bad := true; y := x
G1 = bad := false; x := {0,1}; y := {1.. q-1}; if (x = 1) then bad := true; y := x
with q = 3:
Pr[Gi; bad = false and y = 1] ?
Pr[Gi; bad = true] ?
Pr[Gi; y = 1] ?

Fundamental Lemma
Let G and G’ be two games, A an event defined in G and A’ an event defined in G’. Let B be an event defined in both games.
If Pr[G; A ˄ not B] = Pr[G’; A’ ˄ not B] and Pr[G; B] ≤ Pr[G’; B]
then |Pr[G; A] - Pr[G’; A’]| ≤ Pr[G’; B]
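
The lemma can be instantiated on the two games of the preceding example slide with q = 3, taking A = A’ = (y = 1) and B = (bad = true). This Python is an added example, not part of the lecture: the function names are made up here, and it assumes that both bad := true and y := x belong to the then-branch.

```python
from fractions import Fraction
from itertools import product

Q = 3                      # value fixed on the slide
Y_DOM = range(1, Q)        # y := {1..q-1}

def g0(x, y):
    """G0: bad := false; x := {1..4}; y := {1..q-1}; if (x <= 2) then bad := true; y := x"""
    bad = False
    if x <= 2:             # ASSUMPTION: both assignments are in the then-branch
        bad, y = True, x
    return {"bad": bad, "y": y}

def g1(x, y):
    """G1: bad := false; x := {0,1}; y := {1..q-1}; if (x = 1) then bad := true; y := x"""
    bad = False
    if x == 1:             # same assumption as in g0
        bad, y = True, x
    return {"bad": bad, "y": y}

def pr(game, x_dom, event):
    """Exact probability of `event` over all uniform choices of x and y."""
    runs = [game(x, y) for x, y in product(x_dom, Y_DOM)]
    return Fraction(sum(1 for m in runs if event(m)), len(runs))

def lemma_check():
    """Instantiate the lemma with G = G0, G' = G1, A = A' = (y = 1), B = (bad = true)."""
    a = lambda m: m["y"] == 1
    b = lambda m: m["bad"]
    a_not_b = lambda m: a(m) and not b(m)
    X0, X1 = range(1, 5), (0, 1)
    r = {
        "G0_A": pr(g0, X0, a), "G1_A": pr(g1, X1, a),
        "G0_B": pr(g0, X0, b), "G1_B": pr(g1, X1, b),
        "G0_A_notB": pr(g0, X0, a_not_b), "G1_A_notB": pr(g1, X1, a_not_b),
    }
    r["hypotheses"] = r["G0_A_notB"] == r["G1_A_notB"] and r["G0_B"] <= r["G1_B"]
    r["conclusion"] = abs(r["G0_A"] - r["G1_A"]) <= r["G1_B"]
    return r

if __name__ == "__main__":
    for name, value in lemma_check().items():
        print(name, value)
```

The two games differ on Pr[y = 1] (1/2 against 3/4), and the gap of 1/4 stays within Pr[G1; bad = true] = 1/2, as the lemma requires.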

Syntactic criterion for F.L
G0 = bad := false; x := {1.. 4}; y := {1.. q-1}; if (x <= 2) then bad := true; y := x
G1 = bad := false; x := {0,1}; y := {1.. q-1}; if (x = 1) then bad := true; y := x
G2 = bad := false; x := {1.. 4}; y := {1.. q-1}; if (x <= 2) then bad := true; y := x+1
G3 = bad := false; x := {1..4}; y := {1.. q-1}; if (x = 1) then bad := true; y := x+1
G4 = bad := false; x := {0,1}; y := {1.. q-1}; if (x = 1) then bad := true; y := x+1

Game-based proofs
How to prove cryptography?
A sequence of “game” transformations (a game between a program and the adversary) such that the adversary's probability of winning each game is bounded by that of the following game.
We can prove a game (e.g. CPA) if the sequence starts with the original attack game and the last game of the sequence can be bounded.

Game-based proofs
How to prove cryptography?
G0 → G1 → G2 → … → Gn
For each arrow, we have that either:
Pr[Gi; g=b] ≤ Pr[G_{i+1}; g=b] or Gi{g}G_{i+1}

PROVABLE CRYPTOGRAPHY
Chosen-plaintext attack (CPA)
E(x0, x1) = if (b = 0) then {c := E(x0, ke)} else {c := E(x1, ke)};
CPA = b := {0,1}; ke, kd := Ge(); A[E]
|Pr[CPA; g = b] - ½| is negligible for η (η is called the security parameter)

ASSUMPTION
Decisional Diffie-Hellman assumption (DDH)
GAME DDH0 = a := {1.. q-1}; b := {1.. q-1}; B(g^a, g^b, g^{ab})
GAME DDH1 = a := {1.. q-1}; b := {1.. q-1}; z := {1.. q-1}; B(g^a, g^b, g^z)
|Pr[DDH0; d=1] - Pr[DDH1; d=1]| is negligible in the security parameter (order of the group)

Proof of CPA of ElGamal
Ge() = k’d := {1.. q}; k’d := {1.. q}; k’e := g^{k’d} mod (q+1); ke, := k’e,; kd := k’d
E(x, ke) = r := {1.. q-1}; c1 := g^r mod (q+1); c := x * ke^r mod q+1
E(x0, x1) = if (b = 0) then {c := E(x0, ke)} else {c := E(x1, ke)};
CPA = b := {0,1}; ke, kd := Ge(); A[E]

STEP 1: INLINE
Proof of CPA of ElGamal
E(x0, x1) = if (b = 0) then {r := {1.. q}; c1 := g^r mod q+1; c := x0 * ke^r mod q+1} else {r := {1.. q}; c1 := g^r mod q+1; c := x1 * ke^r mod q+1};
CPAGAME-ELGAMAL = b := {0,1}; k’d := {1.. q}; k’e := g^{k’d} mod q+1; ke, := k’e,; k’d := k’d; A[E]

STEP 1: INLINE
Proof of CPA of ElGamal
E(x0, x1) = if (b = 0) then {r := {1.. q}; c1 := g^r mod q+1; c := x0 * ke^r mod q+1} else {r := {1.. q}; c1 := g^r mod q+1; c := x1 * ke^r mod q+1};
CPAGAME-ELGAMAL = b := {0,1}; k’d := {1.. q}; k’e := g^{k’d} mod q+1; ke, := k’e,; kd := k’d; A[E]

STEP 2: DEADCODE
Proof of CPA of ElGamal
E(x0, x1) = if (b = 0) then {r := {1.. q}; c := x0 * ke^r mod q+1} else {r := {1.. q}; c := x1 * ke^r mod q+1};
CPAGAME-ELGAMAL1 = b := {0,1}; k’d := {1.. q}; k’e := g^{k’d} mod q+1; ke, := k’e,; A[E]

STEP 3 SEMANTICS
Proof of CPA of ElGamal
E(x0, x1) = if (b = 0) then {r := {1.. q-1}; c := x0 * g^{k’d} mod q} else {r := {1.. q-1}; c := x1 * g^{k’d} mod q};
CPAGAME-ELGAMAL2 = b := {0,1}; k’d := {1.. q}; A[E] k’e := g^{k’d} mod q+1; ke, := k’e,;

STEP 3 SEMANTICS
Proof of CPA of ElGamal
E(x0, x1) = if (b = 0) then {c := x0 * g^{k’d} mod q+1} else {c := x1 * g^{k’d} mod q+1};
CPAGAME-ELGAMAL3 = b := {0,1}; k’d := {1.. q}; k’e := g^{k’d} mod q+1; ke, := k’e,; r := {1.. q}; A[E]

STEP 4 SWAP
Proof of CPA of ElGamal
E(x0, x1) = if (b = 0) then {c := x0 * g^{k’d} mod q+1} else {c := x1 * g^{k’d} mod q+1};
CPAGAME-ELGAMAL3 = b := {0,1}; k’d := {1.. q}; k’e := g^{k’d} mod q+1; ke, := k’e,; r := {1.. q}; A[E]

STEP 6 SWAP
Proof of CPA of ElGamal
E(x0, x1) = if (b = 0) then {c := x0 * g^{k’d} mod q+1} else {c := x1 * g^{k’d} mod q+1};
CPAGAME-ELGAMAL4 = k’d := {1.. q-1}; k’e := g^{k’d} mod q+1; ke, := k’e,; r := {1.. q}; b := {0,1}; A[E]

STEP 7 INLINE + DEADCODE
Proof of CPA of ElGamal
GAME DDH0 = k’d := {1.. q}; r := {1.. q}; B
B = b := {0,1}; k’e := g^{k’d} mod q+1; ke, := k’e,; A[E]; d := g==b

STEP 1: INLINE
Proof of CPA of ElGamal
E(x0, x1) = c := g^z mod q+1
GAME-ELGAMAL’ = r := {1.. q}; k’d := {1.. q}; z := {1.. q}; A[E]; b := {0,1}

STEP 2: SWAP
Proof of CPA of ElGamal
E(x0, x1) = c := g^z mod q+1
GAME-ELGAMAL1’ = r := {1.. q}; k’d := {1.. q}; z := {1.. q}; b := {0,1}; A[E];

STEP 3: MULT-PAD + SEMANTICS
Proof of CPA of ElGamal
E(x0, x1) = if (b = 0) then {c := x0 * g^z mod q+1} else {c := x1 * g^z mod q+1};
GAME-ELGAMAL2’ = r := {1.. q}; k’d := {1.. q}; z := {1.. q}; b := {0,1}; A[E];

STEP 3: INLINE
Proof of CPA of ElGamal
E(x0, x1) = if (b = 0) then {c := x0 * g^z mod q+1} else {c := x1 * g^z mod q+1};
GAME DDH1 = r := {1.. q}; k’d := {1.. q}; z := {1.. q}; B
B = b := {0,1}; A[E]; d := g==b

Slides, Notes, Bibliography
READING
• Slides and exercises: www-sop.inria.fr/members/Tamara.Rezk/teaching
• Formal Certification of Code-Based Cryptographic Proofs – Barthe, Gregoire, Zanella
• Code-based Game-Playing Proofs and the Security of Triple Encryption – Bellare, Rogaway
A puzzle … PROBLEM OF THE 3 DOORS ?