
SECURITY AND VERIFICATION


Presentation Transcript


  1. SECURITY AND VERIFICATION
     Lecture 2: How to prove cryptography secure? Game-based proofs
     Tamara Rezk, INDES team, INRIA, January 10th, 2012

  2. Probabilistic programming language

     var     ::= x | y | z | …
     op      ::= + | - | * | < | = | …
     expr    ::= var | expr op expr
     probFun ::= f | g | E | G | D | …
     c       ::= var := expr | skip | var := probFun(var, …, var)
               | if (expr) then {c} else {c} | while (expr) do {c} | c ; c

  3. The interpretation of a probabilistic function applied to its parameters IS a distribution. Writing μ for the current memory and μ(x) for the value of x in it, the step rule for a probabilistic assignment is

         p = [f](μ(x1), …, μ(xn))(v)      p > 0
       ------------------------------------------------
        ⟨y := f(x1, …, xn), μ⟩  →p  ⟨skip, μ[y ↦ v]⟩

     • This formalizes more than one step of execution: the rule defines one step, labelled with its probability p, for each value v that has non-null probability p in the distribution of f.

  4. Example: the random function {0,1}
     • The distribution associated to the function {0,1} in our language is the uniform distribution: the same probability, 1/2, for each element of the set {0,1}.
     • The probabilistic function {0,1} has no parameters.
     • The meta-rule of slide 3 therefore has two instances for x := {0,1}: one step that sets x to 0 with probability p = 1/2, and one step that sets x to 1 with p = 1/2.

  5. Distribution transformer

  6. We have seen…
     • Probabilistic programs can be seen as distribution transformers.
     • Fixing the initial distribution, a terminating program reaches a fixpoint, which we call the final distribution.
     • For terminating programs, once the initial distribution is fixed, we will say that a program IS a distribution (its final distribution).

  7. Distribution ensemble
     • A distribution ensemble is a set of distributions indexed by a parameter.
     • In the following we will often use distribution ensembles instead of single distributions.
     • The parameter will usually be the length of the key (the security parameter), and the adversary will be polynomially bounded in this parameter.

  8. Distribution ensemble, examples:
     • G(1^256) is a distribution.
     • G(1^n) is a distribution ensemble, indexed by the parameter n (1^n is the security parameter written in unary).

  9. Observational equivalence
     P0 and P1 are observationally equivalent with respect to the variable x, denoted P0 ≃{x} P1, if
         Pr[P0; x = v] = Pr[P1; x = v]   for all v.
     P0 and P1 are observationally equivalent with respect to the variables x1, …, xn, denoted P0 ≃{x1..xn} P1, if
         Pr[P0; x1 = v1 ∧ … ∧ xn = vn] = Pr[P1; x1 = v1 ∧ … ∧ xn = vn]   for all v1, …, vn.

  10-12. Example (deadcode)
     G1 = x := {0,1}
     G2 = x := {0,1}; y := {0,1}
     G3 = y := {0,1}; x := {0,1}; if (y = 0) then {x := 0} else {x := 1}
     G4 = y := {0,1}; x := {0,1}; if (x = 0) then {z := 0} else {z := 1}
     What is Pr[Gi; x = 1]? What is Pr[Gi; x = 0]? What is Pr[Gi; x = v] for v not in {0,1}?
     For every Gi: Pr[Gi; x = 1] = Pr[Gi; x = 0] = 1/2 and Pr[Gi; x = v] = 0 for v ∉ {0,1} (in G3 the final x is 0 exactly when y = 0, which happens with probability 1/2).
     G1 ≃{x} G2 by deadcode elimination (y is never read).
     G2 ≃{x} G4 by deadcode elimination (z is never read, so the conditional disappears and only the two samplings remain); hence G1 ≃{x} G4.

  13. Example (constant propagation)
     G1 = x := {0,1}; if true then {x := 0} else {x := 1}; y := x
     G2 = x := {0,1}; x := 0; y := 0
     G3 = x := 0; y := 0
     G1 ≃{x} G2 by constant propagation (the guard is true, and the propagated value x = 0 turns y := x into y := 0).
     G2 ≃{x} G3 by deadcode elimination (the sampled value of x is overwritten before it is read).

  14-15. Example (inline)
     Ge() = k'd := {1..q-1}; k'e := g^(k'd) mod q; ke, kd := k'e, k'd
     G0 = c := {0,1}; ke, kd := Ge(); A[E]
     G1 = c := {0,1}; k'd := {1..q-1}; k'e := g^(k'd) mod q; ke, kd := k'e, k'd; A[E]
     G0 ≃{c,ke,kd} G1 by inline (the body of Ge is substituted for its call).

  16-19. Example (more observational equivalences)
     G0() = s := {0,1}^3; x := {0,1}
     G1() = s := {0,1}^3; if countones(s) ≥ countzeros(s) then {x := 0} else {x := 1}
     Are these two programs observationally equivalent for x?
     Yes: Pr[G0(); x = 0] = Pr[G1(); x = 0] = 1/2 (same for x = 1), because exactly 4 of the 8 strings in {0,1}^3 have at least as many ones as zeros. G0 ≃{x} G1 by semantics.
     G0 ≃{s,x} G1?
     No. Example: d1([s: 110, x: 1]) = 0 whereas d0([s: 110, x: 1]) = 1/16, where d0 and d1 are the final distributions of G0 and G1 (the string 110 has more ones than zeros, so G1 always sets x to 0 on it).

  20. GROUPS RECALL
     If g is a generator of a cyclic group of the kind used in cryptography, no efficient algorithm (polynomial in the bit-length of the group order) to compute log_g g^x from g^x is known. The choice of group matters: in some groups, e.g. the integers modulo n under addition, the discrete logarithm is easy.

  21. Example of cyclic groups
     <2> = <{1, …, 4}, multiplication modulo 5>. Order? 4.
     2^0 mod 5, 2^1 mod 5, 2^2 mod 5, 2^3 mod 5, … = 1, 2, 4, 3, 1, 2, 4, 3, …
     Another generator: 3
     3^0 mod 5, 3^1 mod 5, 3^2 mod 5, 3^3 mod 5, … = 1, 3, 9 mod 5, 27 mod 5, 81 mod 5, 243 mod 5, … = 1, 3, 4, 2, 1, 3, 4, 2, …

  22. Example: mult_pad tactic
     G0() = y := {1..q}; x := g^y mod (q+1)
     G1() = y := {1..q}; x := z * g^y mod (q+1)
     These two programs are observationally equivalent for x. We assume that g generates a cyclic group of order q, written here as the multiplicative group of the integers modulo q+1 (q+1 prime), that y is sampled uniformly from the exponents {1..q}, and that z is a non-zero element of that group, i.e. z = g^n for some n.

  23-25. Example: mult_pad tactic
     [figure: the elements 2^0, 2^1, 2^2, …, 2^7 of a cyclic group generated by 2, arranged on a circle]
     Any z can be written as 2^n and has a place in the circle; x = 2^k has another. Multiplying we get 2^n * 2^k = 2^(n+k): multiplication by z rotates the circle by n positions. This is a bijection on the group, so it maps the uniform distribution of x to the uniform distribution again, and z * x has the same distribution as x.

  26. Example
     G0 = bad := false; x := {1..4}; y := {1..q-1}; if (x <= 2) then {bad := true; y := x}
     G1 = bad := false; x := {0,1}; y := {1..q-1}; if (x = 1) then {bad := true; y := x}
     With q = 3:
       Pr[Gi; bad = false ∧ y = 1]?   (1/4 in both games)
       Pr[Gi; bad = true]?            (1/2 in both games)
       Pr[Gi; y = 1]?                 (1/2 in G0, but 3/4 in G1: when bad is set, G0 gives y = 1 only for x = 1, while G1 always gives y = 1)
     The two games agree on the event "y = 1 and bad not set" and on Pr[bad], yet differ on Pr[y = 1] by 1/4 ≤ Pr[bad = true] = 1/2: exactly the situation of the Fundamental Lemma.

  27. Fundamental Lemma
     Let G and G' be two games, A an event defined in G and A' an event defined in G'. Let B be an event defined in both games. If
         Pr[G; A ∧ ¬B] = Pr[G'; A' ∧ ¬B]   and   Pr[G; B] ≤ Pr[G'; B]
     then
         |Pr[G; A] − Pr[G'; A']| ≤ Pr[G'; B].
     Proof sketch: Pr[G; A] ≤ Pr[G; A ∧ ¬B] + Pr[G; B] ≤ Pr[G'; A' ∧ ¬B] + Pr[G'; B] ≤ Pr[G'; A'] + Pr[G'; B], and Pr[G'; A'] = Pr[G'; A' ∧ ¬B] + Pr[G'; A' ∧ B] ≤ Pr[G; A] + Pr[G'; B].

  28. Syntactic criterion for the F.L.
     G0 = bad := false; x := {1..4}; y := {1..q-1}; if (x <= 2) then {bad := true; y := x}
     G1 = bad := false; x := {0,1}; y := {1..q-1}; if (x = 1) then {bad := true; y := x}
     G2 = bad := false; x := {1..4}; y := {1..q-1}; if (x <= 2) then {bad := true; y := x+1}
     G3 = bad := false; x := {1..4}; y := {1..q-1}; if (x = 1) then {bad := true; y := x+1}
     G4 = bad := false; x := {0,1}; y := {1..q-1}; if (x = 1) then {bad := true; y := x+1}
     Two games whose code is identical except for the statements that follow bad := true ("identical until bad") satisfy the hypotheses of the lemma with B = (bad = true) for free: up to the point where bad is set they are the same program, so Pr[G; A ∧ ¬bad] = Pr[G'; A' ∧ ¬bad] and Pr[G; bad] = Pr[G'; bad]. Here G0/G2 and G1/G4 meet the criterion (they differ only in y := x versus y := x+1 after bad := true); G0/G1 (slide 26), G2/G3 and G3/G4 do not, and for them the hypotheses have to be checked semantically.
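The following Python program is an added example and is not part of the lecture: it interprets the probabilistic language of slide 2 as a distribution transformer (slide 6) with exact rational probabilities, then uses it to check the observational equivalences of slides 10-19 and to verify the hypotheses and bound of the Fundamental Lemma on the two games of slides 26-28 (q = 3). The combinator names (assign, sample, ite, seq, obs_equiv, fundamental_lemma) are my own, and countones/countzeros are spelled out with tuple.count.

```python
from fractions import Fraction
from collections import defaultdict
from itertools import product

# A command maps a memory (a dict) to a list of (probability, memory) pairs:
# the probabilistic step rule lifted to whole commands.  A program is then a
# distribution transformer; final_distribution() runs it from a point
# distribution and collects the final distribution.

def assign(var, expr):
    """var := expr, where expr is a Python function of the memory."""
    def cmd(m):
        m2 = dict(m)
        m2[var] = expr(m)
        return [(Fraction(1), m2)]
    return cmd

def sample(var, values):
    """var := {values}: one successor per value, each with probability 1/|values|."""
    values = list(values)
    def cmd(m):
        out = []
        for v in values:
            m2 = dict(m)
            m2[var] = v
            out.append((Fraction(1, len(values)), m2))
        return out
    return cmd

def ite(cond, then, els=None):
    """if (cond) then {then} else {els}; a missing else branch behaves as skip."""
    def cmd(m):
        branch = then if cond(m) else els
        return branch(m) if branch is not None else [(Fraction(1), m)]
    return cmd

def seq(*cmds):
    """c1; c2; ...: every successor memory of c_i is fed into c_(i+1)."""
    def cmd(m):
        dist = [(Fraction(1), m)]
        for c in cmds:
            dist = [(p * q, m2) for p, m1 in dist for q, m2 in c(m1)]
        return dist
    return cmd

def final_distribution(prog, init=None):
    """Final distribution of a terminating program run from memory init,
    as {frozen memory: probability} (a memory is frozen as its sorted items)."""
    out = defaultdict(Fraction)
    for p, m in prog(dict(init or {})):
        out[tuple(sorted(m.items()))] += p
    return dict(out)

def prob(prog, event):
    """Pr[prog; event] for a predicate over the final memory."""
    return sum(p for m, p in final_distribution(prog).items() if event(dict(m)))

def obs_equiv(p0, p1, vars):
    """p0 ~{vars} p1: the joint distribution of vars is the same in both programs."""
    def marginal(prog):
        out = defaultdict(Fraction)
        for m, p in final_distribution(prog).items():
            d = dict(m)
            out[tuple(d.get(v) for v in vars)] += p
        return dict(out)
    return marginal(p0) == marginal(p1)

# --- slides 10-12: deadcode ---------------------------------------------------
bit = lambda var: sample(var, (0, 1))
const = lambda k: (lambda m: k)
G1 = bit("x")
G2 = seq(bit("x"), bit("y"))
G3 = seq(bit("y"), bit("x"), ite(lambda m: m["y"] == 0, assign("x", const(0)), assign("x", const(1))))
G4 = seq(bit("y"), bit("x"), ite(lambda m: m["x"] == 0, assign("z", const(0)), assign("z", const(1))))

# --- slides 16-19: equivalent for x, but not for {s, x} -----------------------
bits3 = sample("s", product((0, 1), repeat=3))          # s := {0,1}^3
S0 = seq(bits3, bit("x"))
S1 = seq(bits3, ite(lambda m: m["s"].count(1) >= m["s"].count(0),
                    assign("x", const(0)), assign("x", const(1))))

# --- slides 26-28: the two games of the Fundamental Lemma example, q = 3 ------
Q = 3
def fl_game(x_values, bad_cond):
    return seq(assign("bad", const(False)), sample("x", x_values), sample("y", range(1, Q)),
               ite(bad_cond, seq(assign("bad", const(True)), assign("y", lambda m: m["x"]))))
FL_G0 = fl_game((1, 2, 3, 4), lambda m: m["x"] <= 2)
FL_G1 = fl_game((0, 1), lambda m: m["x"] == 1)

def fundamental_lemma(g, g2, A, A2, B):
    """(hypotheses of slide 27 hold?, |Pr[G; A] - Pr[G'; A']|, Pr[G'; B])."""
    hyp = (prob(g, lambda m: A(m) and not B(m)) == prob(g2, lambda m: A2(m) and not B(m))
           and prob(g, B) <= prob(g2, B))
    return hyp, abs(prob(g, A) - prob(g2, A2)), prob(g2, B)

if __name__ == "__main__":
    print("G1 ~x G2:", obs_equiv(G1, G2, ["x"]), " G2 ~x G4:", obs_equiv(G2, G4, ["x"]))
    print("S0 ~x S1:", obs_equiv(S0, S1, ["x"]), " S0 ~{s,x} S1:", obs_equiv(S0, S1, ["s", "x"]))
    y1, bad = (lambda m: m["y"] == 1), (lambda m: m["bad"])
    print("Pr[G0; y=1] =", prob(FL_G0, y1), " Pr[G1; y=1] =", prob(FL_G1, y1))
    print("Fundamental Lemma (hypotheses, gap, bound):", fundamental_lemma(FL_G0, FL_G1, y1, y1, bad))
```

Because every probability is an exact Fraction, obs_equiv compares the final distributions exactly rather than approximating them by sampling; the same machinery handles any terminating program written with these combinators.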

  29. Game-based proofs: how to prove cryptography?
     A sequence of "game" transformations (a game is a program run together with the adversary) such that, at each step, the probability that the adversary wins the game is bounded by its probability of winning the next game. A security notion (e.g. CPA) is proved if the sequence starts with the original attack game and the winning probability in the last game of the sequence can be bounded directly (for instance it is exactly 1/2, or it is the advantage of some algorithm against an assumption such as DDH).

  30. Game-based proofs: how to prove cryptography?
         G0 → G1 → G2 → … → Gn
     For each arrow we have either
         Pr[Gi; g = b] ≤ Pr[Gi+1; g = b],   or
         Gi ≃{g,b} Gi+1 (observational equivalence on the guess and the bit, so the two probabilities are equal),
     or, by the Fundamental Lemma, |Pr[Gi; g = b] − Pr[Gi+1; g = b]| ≤ Pr[Gi+1; bad].

  31. PROVABLE CRYPTOGRAPHY: chosen-plaintext attack (CPA)
     Enc(x, ke) is the encryption algorithm (the calligraphic E of the slides), E is the left-or-right oracle given to the adversary A, A[E] denotes running A with access to E, and g is A's guess of the bit b.
     E(x0, x1) = if (b = 0) then {c := Enc(x0, ke)} else {c := Enc(x1, ke)}
     CPA = b := {0,1}; ke, kd := Ge(); A[E]
     The scheme is CPA secure if |Pr[CPA; g = b] − 1/2| is negligible in η (η is called the security parameter).

  32. ASSUMPTION: decisional Diffie-Hellman (DDH)
     GAME DDH0 = a := {1..q}; b := {1..q}; B(g^a, g^b, g^(ab))
     GAME DDH1 = a := {1..q}; b := {1..q}; z := {1..q}; B(g^a, g^b, g^z)
     DDH holds in the group if, for every efficient distinguisher B (with output d), |Pr[DDH0; d = 1] − Pr[DDH1; d = 1]| is negligible in the security parameter, here the bit-length of the group order q. (a and b are exponents; in the reduction below they are named k'd and r so as not to clash with the bit b of the CPA game.)

  33. Proof of CPA of ElGamal
     Ge() = k'd := {1..q}; k'e := g^(k'd) mod (q+1); ke := k'e; kd := k'd
     Enc(x, ke) = r := {1..q}; c1 := g^r mod (q+1); c := x * ke^r mod (q+1)
     E(x0, x1) = if (b = 0) then {c := Enc(x0, ke)} else {c := Enc(x1, ke)}
     CPA = b := {0,1}; ke, kd := Ge(); A[E]
     (g generates a cyclic group of prime order q, plaintexts x0, x1 are group elements, and, as on slide 22, the group is written as the integers modulo q+1.)

  34-35. STEP 1: INLINE (proof of CPA of ElGamal)
     E(x0, x1) = if (b = 0) then {r := {1..q}; c1 := g^r mod (q+1); c := x0 * ke^r mod (q+1)}
                 else {r := {1..q}; c1 := g^r mod (q+1); c := x1 * ke^r mod (q+1)}
     CPAGAME-ELGAMAL = b := {0,1}; k'd := {1..q}; k'e := g^(k'd) mod (q+1); ke := k'e; kd := k'd; A[E]

  36. STEP 2: DEADCODE (proof of CPA of ElGamal)
     E(x0, x1) = if (b = 0) then {r := {1..q}; c := x0 * ke^r mod (q+1)} else {r := {1..q}; c := x1 * ke^r mod (q+1)}
     CPAGAME-ELGAMAL1 = b := {0,1}; k'd := {1..q}; k'e := g^(k'd) mod (q+1); ke := k'e; A[E]
     kd is never read, and in this game the adversary's view is the variable c, so c1 is never read either: both assignments are dead code. (For full ElGamal the adversary also receives c1 = g^r; in the reduction of step 7 that value is exactly the second DDH component g^r, so the same sequence of steps goes through with c1 kept.)

  37. STEP 3: SEMANTICS (proof of CPA of ElGamal)
     Since ke = g^(k'd), we have ke^r = (g^(k'd))^r = g^(k'd·r) mod (q+1); the oracle is rewritten accordingly:
     E(x0, x1) = if (b = 0) then {r := {1..q}; c := x0 * g^(k'd·r) mod (q+1)} else {r := {1..q}; c := x1 * g^(k'd·r) mod (q+1)}
     CPAGAME-ELGAMAL2 = b := {0,1}; k'd := {1..q}; k'e := g^(k'd) mod (q+1); ke := k'e; A[E]

  38-39. STEP 3: SEMANTICS, continued (proof of CPA of ElGamal)
     The game considers a single call to E (the DDH reduction of step 7 supplies a single g^r), so r can be sampled once, up front, instead of inside E:
     E(x0, x1) = if (b = 0) then {c := x0 * g^(k'd·r) mod (q+1)} else {c := x1 * g^(k'd·r) mod (q+1)}
     CPAGAME-ELGAMAL3 = b := {0,1}; k'd := {1..q}; k'e := g^(k'd) mod (q+1); ke := k'e; r := {1..q}; A[E]

  40. STEP 6: SWAP (proof of CPA of ElGamal)
     Sampling b is independent of the key and of r, so it can be moved after them:
     E(x0, x1) = if (b = 0) then {c := x0 * g^(k'd·r) mod (q+1)} else {c := x1 * g^(k'd·r) mod (q+1)}
     CPAGAME-ELGAMAL4 = k'd := {1..q}; k'e := g^(k'd) mod (q+1); ke := k'e; r := {1..q}; b := {0,1}; A[E]

  41. STEP 7: INLINE + DEADCODE (proof of CPA of ElGamal)
     The game is now the DDH0 game for the distinguisher B below, which receives (g^(k'd), g^r, g^(k'd·r)) and uses the third component as the mask in E:
     GAME DDH0 = k'd := {1..q}; r := {1..q}; B(g^(k'd), g^r, g^(k'd·r))
     B = b := {0,1}; k'e := g^(k'd) mod (q+1); ke := k'e; A[E]; d := (g == b)
     with E(x0, x1) = if (b = 0) then {c := x0 * g^(k'd·r) mod (q+1)} else {c := x1 * g^(k'd·r) mod (q+1)}
     Hence Pr[CPA; g = b] = Pr[DDH0; d = 1].

  42. summary up to here

  43. STEP 1: INLINE (proof of CPA of ElGamal, second half)
     Starting from the other end: a game in which b is sampled only after A has run, so that Pr[g = b] = 1/2 exactly.
     E(x0, x1) = c := g^z mod (q+1)
     GAME-ELGAMAL' = r := {1..q}; k'd := {1..q}; z := {1..q}; k'e := g^(k'd) mod (q+1); ke := k'e; A[E]; b := {0,1}

  44. STEP 2: SWAP (proof of CPA of ElGamal, second half)
     E does not read b, so sampling b can be moved before A[E] without changing any probability:
     E(x0, x1) = c := g^z mod (q+1)
     GAME-ELGAMAL1' = r := {1..q}; k'd := {1..q}; z := {1..q}; k'e := g^(k'd) mod (q+1); ke := k'e; b := {0,1}; A[E]

  45. STEP 3: MULT-PAD + SEMANTICS (proof of CPA of ElGamal, second half)
     By mult_pad (slide 22), g^z and x_b * g^z have the same distribution for any group element x_b, so the oracle can be made to depend on b without changing the joint distribution of c and b:
     E(x0, x1) = if (b = 0) then {c := x0 * g^z mod (q+1)} else {c := x1 * g^z mod (q+1)}
     GAME-ELGAMAL2' = r := {1..q}; k'd := {1..q}; z := {1..q}; k'e := g^(k'd) mod (q+1); ke := k'e; b := {0,1}; A[E]

  46. STEP 4: INLINE (proof of CPA of ElGamal, second half)
     This is the DDH1 game for the same distinguisher B as in step 7, now given (g^(k'd), g^r, g^z):
     E(x0, x1) = if (b = 0) then {c := x0 * g^z mod (q+1)} else {c := x1 * g^z mod (q+1)}
     GAME DDH1 = r := {1..q}; k'd := {1..q}; z := {1..q}; B(g^(k'd), g^r, g^z)
     B = b := {0,1}; k'e := g^(k'd) mod (q+1); ke := k'e; A[E]; d := (g == b)
     Hence Pr[DDH1; d = 1] = Pr[GAME-ELGAMAL'; g = b] = 1/2.

  47. summary up to here

  48. CALCULATING PROBABILITIES ….
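As an added example that is not part of the slides, here is the calculation carried out concretely in Python: ElGamal over the subgroup of prime order q = 11 generated by 2 in Z_23^* (a constructed toy group; the slides' "integers modulo q+1" convention is not used), the CPA game, the distinguisher B of steps 7 and 46, and exact enumeration of every coin of every game for a fixed single-query adversary. It checks that Pr[CPA; g = b] = Pr[DDH0; d = 1], that Pr[DDH1; d = 1] is exactly 1/2 for any deterministic adversary (mult_pad), and hence that |Pr[CPA; g = b] − 1/2| = |Pr[DDH0; d = 1] − Pr[DDH1; d = 1]|. The sample adversary, the function names and the parameters are my own assumptions.

```python
from fractions import Fraction
from itertools import product

# Constructed toy parameters (an assumption, not taken from the slides): g = 2
# generates a subgroup of prime order q = 11 in Z_23^*, the "cyclic group of
# prime order q" the proof assumes.  Exponents are sampled from {1..q}; since
# g^q = 1 this ranges over every group element exactly once.
P, Q, G = 23, 11, 2
EXPS = range(1, Q + 1)
GROUP = {pow(G, e, P) for e in EXPS}

def keygen(kd):
    """Ge() with its random exponent k'd passed in: ke = g^k'd, kd = k'd."""
    return pow(G, kd, P), kd

def encrypt(x, ke, r):
    """Enc(x, ke) with its random r passed in: (c1, c) = (g^r, x * ke^r)."""
    assert x in GROUP, "ElGamal plaintexts must be group elements"
    return pow(G, r, P), (x * pow(ke, r, P)) % P

def sample_adversary(ke, E):
    """A deterministic single-query adversary, constructed for the demo: it asks
    for the left-or-right encryption of two group elements and guesses b from
    the parity of c.  Any deterministic adversary works with the checks below."""
    c1, c = E(1, 2)
    return 0 if c % 2 else 1

def cpa_game(A, b, kd, r):
    """CPA = b := {0,1}; ke, kd := Ge(); A[E], with the coins (b, k'd, r) made
    explicit so that the game can be enumerated exactly.  Returns 1 iff g == b."""
    ke, _ = keygen(kd)
    E = lambda x0, x1: encrypt(x0 if b == 0 else x1, ke, r)
    return int(A(ke, E) == b)

def ddh_reduction(A, ga, gb, gc, b):
    """The distinguisher B(g^a, g^b, g^c) of step 7: ke := g^a, c1 := g^b,
    c := x_b * g^c; d := (g == b).  With c = a*b this is exactly cpa_game;
    with a fresh exponent it is the last game of the sequence."""
    E = lambda x0, x1: (gb, ((x0 if b == 0 else x1) * gc) % P)
    return int(A(ga, E) == b)

def ddh0(A, b, a, bb):
    return ddh_reduction(A, pow(G, a, P), pow(G, bb, P), pow(G, a * bb, P), b)

def ddh1(A, b, a, bb, z):
    return ddh_reduction(A, pow(G, a, P), pow(G, bb, P), pow(G, z, P), b)

def exact_prob(game, *ranges):
    """Pr[game; result = 1], enumerating every assignment of the game's coins."""
    runs = [game(*coins) for coins in product(*ranges)]
    return Fraction(sum(runs), len(runs))

def cpa_success(A):
    """Pr[CPA; g = b] for adversary A."""
    return exact_prob(lambda b, kd, r: cpa_game(A, b, kd, r), (0, 1), EXPS, EXPS)

def ddh_probs(A):
    """(Pr[DDH0; d = 1], Pr[DDH1; d = 1]) for the distinguisher B built from A."""
    p0 = exact_prob(lambda b, a, bb: ddh0(A, b, a, bb), (0, 1), EXPS, EXPS)
    p1 = exact_prob(lambda b, a, bb, z: ddh1(A, b, a, bb, z), (0, 1), EXPS, EXPS, EXPS)
    return p0, p1

def cpa_advantage(A):
    """|Pr[CPA; g = b] - 1/2|."""
    return abs(cpa_success(A) - Fraction(1, 2))

def ddh_advantage(A):
    """|Pr[DDH0; d = 1] - Pr[DDH1; d = 1]|.  In DDH1 the mask g^z is uniform on the
    group whatever b is (mult_pad), so Pr[DDH1; d = 1] is exactly 1/2 and this
    equals cpa_advantage(A)."""
    p0, p1 = ddh_probs(A)
    return abs(p0 - p1)

if __name__ == "__main__":
    p0, p1 = ddh_probs(sample_adversary)
    print("Pr[CPA; g = b]  =", cpa_success(sample_adversary))
    print("Pr[DDH0; d = 1] =", p0, "  Pr[DDH1; d = 1] =", p1)
    print("CPA advantage   =", cpa_advantage(sample_adversary), " DDH advantage =", ddh_advantage(sample_adversary))
```

In a real-size group the enumeration is of course infeasible; what the exact computation makes visible is that the reduction B does not lose anything: whatever non-negligible CPA advantage an adversary has in the group is exactly a DDH advantage in the same group.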

  49. Slides, notes, bibliography
     READING
     • Slides and exercises: www-sop.inria.fr/members/Tamara.Rezk/teaching
     • Formal Certification of Code-Based Cryptographic Proofs – Barthe, Gregoire, Zanella
     • Code-Based Game-Playing Proofs and the Security of Triple Encryption – Bellare, Rogaway

  50. A puzzle… The problem of the 3 doors?
