A Plausible Approach to Computer-aided Cryptographic Proofs
Shai Halevi
June 2005
The Problem
• Crypto proofs are hard to verify
• Many (most?) published proofs aren’t read by anyone other than the author
– Even proofs for “important” schemes are often not fully verified
• Errors in proofs happen
– Usually in some itty-bitty detail in this side remark at the bottom of page 27
Sample Arguments
“We now make several changes to the order in which variables are chosen in game R1. We make the following changes to the code:
– […]
– Instead of choosing MM_s ← {0,1}^n and setting C_s^m ← P_s^m ⊕ MM_s, we choose C_s^m ← {0,1}^n and set MM_s ← P_s^m ⊕ C_s^m
– We replace the assignment CCC_{s,i} ← MC_{s,j} ⊕ M_{s,1} in line 136 by the equivalent assignment CCC_{s,i} ← PPP_{s,i} ⊕ M_{s,j}. This is equivalent since MC_{s,j} = MP_{s,j} ⊕ M_{s,j} = PPP_{s,i} ⊕ M_{s,1} ⊕ M_{s,j}
– […]”
More Sample Arguments
“H6 checks in client sessions (Pi,ssid) that receive a non-peer-oracle-generated pair […]
H7 encrypts the “dummy password” w’ in c2 instead of encrypting the password w, for every client session (Pi,ssid) that received a non-peer-oracle-generated pair (c1,VK) in step 2 with non-valid ciphertext c1.
Then as in H2 and H4, since the encryption scheme E' is semantically secure, the environment cannot distinguish between these cases. Note that the session keys of such client sessions are already chosen randomly, and the ZKPs are already simulated. Thus neither depends on how c2 is generated. Also note that in the reduction to the security of E' with public key pk', one can still test c1 encryptions, since they are encrypted with the other public key pk and can be decrypted using sk.”
You need to be a compiler to verify some of these arguments
Can We Write Such a Compiler?
• Boils down to verifying that two pieces of code induce the same probability distribution on some of their variables
• The simplest example: M ← {0,1}^n, C ← P ⊕ M, Use(C) vs. C ← {0,1}^n, M ← P ⊕ C, Use(C)
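As an added illustration, not from the talk, here is the simplest example above checked the way such a compiler could check it: run each game on every value of its coins and compare the exact joint distribution of (M, C). `left`, `right`, `wrong`, `distribution` and `same_distribution` are names chosen here; P is a constant both games share, and `wrong` is a constructed rewrite that is not permissible.

```python
from collections import Counter
from itertools import product

def left(coins, P):
    """M <- {0,1}^n ; C <- P xor M ; Use(C)."""
    (M,) = coins
    C = P ^ M
    return (M, C)

def right(coins, P):
    """C <- {0,1}^n ; M <- P xor C ; Use(C)."""
    (C,) = coins
    M = P ^ C
    return (M, C)

def wrong(coins, P):
    """A rewrite that is NOT permissible: C <- M, the constant P is dropped."""
    (M,) = coins
    return (M, M)

def distribution(game, n, P, k=1):
    """Exact distribution of the variables of interest returned by `game`,
    obtained by running it on every value of its k n-bit coins.  All coin
    vectors are equally likely, so the counts are proportional to probabilities."""
    counts = Counter()
    for coins in product(range(2 ** n), repeat=k):
        counts[game(coins, P)] += 1
    return counts

def same_distribution(game1, game2, n, P, k=1):
    """True iff both games induce the same distribution on (M, C): exactly the
    condition that makes replacing one piece of code by the other permissible."""
    return distribution(game1, n, P, k) == distribution(game2, n, P, k)

if __name__ == "__main__":
    n, P = 4, 0b1011                                   # constructed toy parameters
    print(same_distribution(left, right, n, P))        # the talk's example: permissible
    print(same_distribution(left, wrong, n, P))        # dropping P is caught
```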
In This Talk
• Look at the security proof of the Cramer-Shoup encryption scheme
• Show how to reconstruct the proof using a “compiler-like” tool
• Muse about how to build this tool
My Bottom Line
• It can be built, with a lot of work
– Perhaps similar to a new programming language: compiler, run-time, development environment, …
• Is there a “business case”?
– Where can I get resources to develop this tool?
This tool is not…
• Not a theorem prover
– A person writes the (entire) proof
– The tool only verifies that the arguments are valid
• Different than the approach of the formal-methods community (AFAIK)
– No “logic of authentication”, “process calculus”, etc.
Computer assistance
• The person writing the security proof writes code, specifies how to get from one piece of code to the other
• The automated tool verifies that the transformations are permissible
– Transformations to code represent common arguments in crypto proofs
Preview: The Proof of CS98
[Figure: game diagram of the proof. Games: CCA[CS] (depends on the binary parameter), CCA1, CCA2, CCA3’, CCA4, CCA5, CCA5’, ending in the empty game. Transformations are annotated DDH and TCR (justified by reductions) and +2t/q, +1/q, +t/q^4 (changes in probability). Legend: game that depends on a (binary) parameter; game that is derived from template XYZ; the empty game; game with bad events; game with output; transformation that changes the probability by epsilon; transformation that is justified by a reduction.]
Everything is code
• Game = code that tells the participants in the game what to do
• Argument in a proof = transformation from one game to another
The Cramer-Shoup Encryption Scheme
• Uses operations in an algebraic group G
• And a hash function H
• Resists chosen ciphertext attacks, provided that
– The “decision Diffie-Hellman” problem (DDH) is hard in the group G
– The hash function H is “target-collision-resistant”
Pseudo-code for CS98
KeyGen
01. g,g’ ← G, x1,x2,y1,y2,z1,z2 ← {1,2,…,q}
02. e = g^x1 g’^x2, f = g^y1 g’^y2, h = g^z1 g’^z2
03. pk = (g,g’,e,f,h), sk = (x1,x2,y1,y2,z1,z2)

Enc(m)
11. assert m ∈ G // else fail
12. u ← {1,2,…,q}
13. a = g^u, a’ = g’^u, b = h^u, c = b·m
14. v = H(a,a’,c), d = e^u f^{uv}
15. Output (a,a’,c,d)

Dec(a,a’,c,d)
21. assert a,a’,c,d ∈ G // else fail
22. v = H(a,a’,c)
23. assert d = a^{x1+v·y1} · a’^{x2+v·y2} // else fail
24. b = a^z1 a’^z2, m = c/b
25. Output m
CCA Security
• “Resistance to chosen-ciphertext attacks” is defined via a game
– Attacker gets public key and access to a black box that decrypts
– Attacker submits two messages, gets back encryption of one of them, needs to guess which one
• without asking the box to decrypt the “target ciphertext”
Pseudo-code for CCA Game
CCA (parameters: bit b, integer t)
101. (pk,sk) ← KeyGen
102. C[1] = Attacker(pk)
103. For s=1 to t
104.   answer[s] = Dec(C[s])
105.   if s<t then C[s+1] = Attacker(answer[s])
106. (m0,m1) = Attacker(answer[t]), C* = Enc(m_b)
107. C[t+1] = Attacker(C*)
108. For s=t+1 to 2t
109.   assert C[s] ≠ C*
110.   answer[s] = Dec(C[s])
111.   if s<2t then C[s+1] = Attacker(answer[s])
112. guess = Attacker(answer[2t]), Output guess
Proving Security
• Pasting CS98 in CCA, we get the code describing a CCA attack on CS98
• Fix any Attacker and any integer t
• Prove that CCA(0,t), CCA(1,t) output 1 with about the same probability
– We show: |Pr[CCA(0,t)→1] − Pr[CCA(1,t)→1]| ≤ 2·ε_DDH + ε_Collisions + O(t/q)
Some Concepts
• Games are specified via code
– With an unspecified “attacker function”,
– and a “main loop” where the attacker queries interfaces of the scheme, gets answers, then makes more queries…
• Most (all?) games are probabilistic
– E.g., u ← {1,2,…,q} in Enc(m)
• Every game has variables of interest
Variables of Interest
• What “we care about” in the analysis
• These are always either:
– The output of the game
– Or bad events (I’ll talk about these later)
• Code that has no effect on the variables-of-interest is dead code
– It is always permissible to add/remove dead code
Back to CCA Game
• The CCA game has output, no bad events, and no dead code
– It is really two games, depending on the value of the binary parameter b
– And we compare the output distribution of the two games
• In games with output we always(?) compare the output of two games
The CS98 Proof
[Figure: the game diagram from the preview slide, with a “We are here” marker showing the current position in the sequence of games.]
Game CCA1
• Modify the encryption code. Instead of
12. u ← {1,2,…,q}
13. a = g^u, a’ = g’^u, b = h^u, c = b·m
14. v = H(a,a’,c), d = e^u f^{uv}
we now have
12. u ← {1,2,…,q}
13. a = g^u, a’ = g’^u, b = a^z1 a’^z2, c = b·m
14. v = H(a,a’,c), d = a^{x1+v·y1} a’^{x2+v·y2}
• Encryption using the secret key?
– Yes, so? This is a “mental experiment”
• (BTW, the point about CCA1 is that u is only used in computing a, a’)
CCA → CCA1 is Permissible
• h^u = (g^z1 g’^z2)^u = (g^u)^z1 (g’^u)^z2 = a^z1 a’^z2
– The first and last steps are variable substitution; the middle step uses the distributive and commutative rules
• How can a “compiler” verify that CCA → CCA1 is permissible?
– Variable substitution is easy
– Distributive, commutative rules would have to be built into the tool
• Just like replacing x+y with y+x
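The CS98 pseudo-code and the CCA → CCA1 rewrite as runnable code, added here and not taken from the talk: a toy instance in the order-11 subgroup of Z_23^* (constructed parameters, far too small for real use; SHA-256 reduced mod q stands in for H). `enc` follows Enc(m) as written, `enc_from_pair` computes b and d from the secret key given (a, a’), so `enc_cca1` is game CCA1’s Enc and is also what a DDH Distinguisher would call with its challenge pair. All function names are chosen here.

```python
import hashlib, random
# Constructed toy parameters: G = order-11 subgroup of Z_23^*, generated by 2.
p, q = 23, 11
G = sorted({pow(2, i, p) for i in range(q)})

def H(a, a1, c):
    """Stand-in for the target-collision-resistant hash H; output in {1,..,q}."""
    digest = hashlib.sha256(f"{a},{a1},{c}".encode()).digest()
    return int.from_bytes(digest, "big") % q + 1

def keygen(seed=0):
    rng = random.Random(seed)                                 # deterministic coins
    g, g1 = rng.choice(G[1:]), rng.choice(G[1:])              # 01. g, g' <- G \ {1}
    x1, x2, y1, y2, z1, z2 = [rng.randrange(1, q + 1) for _ in range(6)]
    e = pow(g, x1, p) * pow(g1, x2, p) % p                    # 02. e = g^x1 g'^x2
    f = pow(g, y1, p) * pow(g1, y2, p) % p                    #     f = g^y1 g'^y2
    h = pow(g, z1, p) * pow(g1, z2, p) % p                    #     h = g^z1 g'^z2
    return (g, g1, e, f, h), (x1, x2, y1, y2, z1, z2)         # 03. (pk, sk)

def enc(pk, m, u):                  # Enc(m) of the slide, coin u of line 12 passed in
    g, g1, e, f, h = pk
    assert m in G                                             # 11.
    a, a1, b = pow(g, u, p), pow(g1, u, p), pow(h, u, p)      # 13.
    c = b * m % p
    v = H(a, a1, c)                                           # 14.
    d = pow(e, u, p) * pow(f, u * v, p) % p
    return a, a1, c, d                                        # 15.

def enc_from_pair(sk, m, a, a1):
    """Encrypt with sk, taking (a, a') from the caller (CCA1 or a DDH Distinguisher)."""
    x1, x2, y1, y2, z1, z2 = sk
    assert m in G
    b = pow(a, z1, p) * pow(a1, z2, p) % p                    # h^u = a^z1 a'^z2
    c = b * m % p
    v = H(a, a1, c)
    d = pow(a, x1 + v * y1, p) * pow(a1, x2 + v * y2, p) % p  # e^u f^uv rewritten
    return a, a1, c, d

def enc_cca1(pk, sk, m, u):
    """Game CCA1's Enc: u is used only to form a = g^u, a' = g'^u."""
    return enc_from_pair(sk, m, pow(pk[0], u, p), pow(pk[1], u, p))

def dec(sk, ct):
    x1, x2, y1, y2, z1, z2 = sk
    a, a1, c, d = ct
    assert all(x in G for x in ct)                            # 21.
    v = H(a, a1, c)                                           # 22.
    assert d == pow(a, x1 + v * y1, p) * pow(a1, x2 + v * y2, p) % p  # 23.
    b = pow(a, z1, p) * pow(a1, z2, p) % p                    # 24.
    return c * pow(b, -1, p) % p                              # 25. m = c / b
```

Calling `enc_from_pair` with a = g^u, a’ = g’^u’ for u ≠ u’ gives game CCA2’s encryption, and `dec` still accepts it, which is exactly the bad event the later slides flag.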
[Figure: the CS98 proof diagram repeated from the preview slide, marking the current step.]
Game CCA2
• Replacing
12. u ← {1,2,…,q}
13. a = g^u, a’ = g’^u, b = a^z1 a’^z2, c = b·m
with
12. u,u’ ← {1,2,…,q}
13. a = g^u, a’ = g’^u’, b = a^z1 a’^z2, c = b·m
• This sure changes the distribution
• We intend to show that if Pr[CCA1(b,t)→1], Pr[CCA2(b,t)→1] differ by some ε, then we can “break DDH” in G with the same probability
The DDH Assumption
• No (efficient) algorithm distinguishes (g, g^x, g^y, g^xy) from (g, g^x, g^y, g^z)
– Where g ← G, x,y,z ← {1,2,…,q}
– Equivalent to saying that you cannot distinguish (g, g’, g^u, g’^u) from (g, g’, g^u, g’^u’)
• This assumption underlies the security of the Diffie-Hellman key-exchange protocol
Pseudo-code for DDH
• The “DDH assumption” is that ε_DDH = |Pr[DDH(0)→1] − Pr[DDH(1)→1]| is small for any efficient Distinguisher
DDH (parameter: bit b’)
201. g,g’ ← G, u,u’ ← {1,2,…,q}
202. if b’=0 then a = g^u, a’ = g’^u’
203. else a = g^u, a’ = g’^u
204. guess = Distinguisher(g,g’,a,a’), Output guess
The Reduction
• Show that CCA1 → DDH(1), CCA2 → DDH(0) are permissible transformations
• Instantiate the Distinguisher in DDH (by morphing the code of CCA1/CCA2)
– Just moving pieces of code around
– A “compiler” can check that this is ok
• Only changing the order of “independent statements”
[Figure: the CS98 proof diagram repeated from the preview slide, marking the current step.]
Bad Events
• Recall Dec(a,a’,c,d):
21. assert a,a’,c,d ∈ G
22. v = H(a,a’,c)
23. assert d = a^{x1+v·y1} a’^{x2+v·y2}
24. b = a^z1 a’^z2, m = c/b
25. Output m
• a,a’ are supposed to be g^u, g’^u
• It’s a bad thing if Attacker sends (g^u, g’^u’, c, d) with u’ ≠ u but line 23 passes
• How to represent bad events in code?
Bad-event Flags
• A Boolean flag
• Initialized to false, only has assignments to true in the code
• Designated as “interesting”
• Adding a bad-event flag is always a permissible code-transformation
– Represents an argument that starts with “let BAD be the event where…”
After-bad-is-set-nothing-matters [BR04]
• Code that is executed only when badFlag=true is treated as dead code
– Even if it affects other vars-of-interest
• Why?
– If badFlag=true then “all bets are off”, no more vars-of-interest, all code is dead
– We intend to prove that badFlag=true rarely ever happens
Game CCA3
• Replace g,g’ ← G with g ← G, w ← {1,…,q}, g’ = g^w
– The tool should have a rule for algebraic groups saying that this is permissible
• Replace
23. assert d = a^{x1+v·y1} a’^{x2+v·y2} // else fail
with
23. if d = a^{x1+v·y1} a’^{x2+v·y2} and a’ ≠ a^w then badFlag = true, fail
23a. else assert d = a^{x1+v·y1} a’^{x2+v·y2} // else fail
(the new line 23 is the added “dead code”)
Game CCA3’
• Quite a few other modifications
• But nothing that we didn’t see before
– Algebraic, logic manipulations
– Introducing new variables
– Code movement
• All made possible only after we added the “dead code” to Dec
[Figure: the CS98 proof diagram repeated from the preview slide, marking the current step.]
Game CCA4
• Replace 13. … c = b·m
by 13. … r ← {1,2,…,q}, c = g^r
• Why is this permissible?
– Long story (four small steps)
– Trust me, it works
• CCA4 no longer depends on b, it is just one game now (rather than two)
• Nothing to compare the output to
– So we no longer care about it, can remove it
Eliminating the Output
• Started with two games with output
– The goal is to compare their outputs
• Morphed until their code is identical
– So their output must be identical
• Output is no longer “of interest”
– We are done analyzing the output, we know that the difference is zero
– Eliminating it becomes permissible
[Figure: the CS98 proof diagram repeated from the preview slide, marking the current step.]
What’s Next?
• Game CCA4 still has bad flags, how do we eliminate these?
• Either via reductions
– E.g., reduction to finding collisions in H
– I don’t have time to show it here
• Or via “probabilistic analysis”
– Example in the next slide
Eliminating Bad Flags
• Consider the following code
Example(parameter: a) // a is an n-bit string
1. x ← random n-bit string
2. if x=a then badFlag ← true
• Tool “knows” that
– Variable x is a “random n-bit string”
– Variables x and a are independent
• “Can deduce” that x=a has prob. 2^-n
– So eliminating badFlag has penalty 2^-n
Eliminating Bad Flags (2)
• User tells the tool to eliminate the designation of badFlag as bad flag
• Tool looks for a rule that bounds the probability of badFlag ← true by some ε
• If found, tool “eliminates badFlag”, records penalty ε
• Else, tool records an “impermissible transformation”
– User proves on paper some ε
The Proof of CS98
[Figure: the complete CS98 proof diagram, repeated from the preview slide.]
The Proof of CMC [HR03]
[Figure: game diagram of the CMC proof. Games: Mode-of-operation[CMC] (game with output), RND1, RND3’, RND3, NON1, NON2, RND, ending in the empty game, with several steps marked “?”. Annotations: an impermissible transformation; +(mq)^2/2^n; a factor of 2 due to symmetry, see Eq (12), Page 21; +(2mq)^2/2^n, see Eq (13), Page 21. Legend: game that is derived from template XYZ; the empty game; game with bad events; game with output; transformation that changes the probability by epsilon.]
Building the Tool
Four Major Components
• Engine: similar to an optimizing compiler
– Parses statements, control-flow graph
– Handles variable substitution, code movement, adding/removing “dead code”, etc.
• Library of code-transformations
• Library of templates
• User interface
Transformations Library
• Represent common arguments in proofs
– Algebraic manipulations
– Rules to eliminate bad flags, output
– Other rules
• A community development effort?
– My proof uses an argument not in the library, I code it up so others can use it too
Template Library
• Code templates, represent common security goals and assumptions
• E.g., a template for DDH, a template for CCA-security, etc.
• Also a community development effort?
User Interface
• Probably the hardest part
• Should be easy for people to write their proofs using this tool
– Specify games
• “Sender proves to receiver in Zero-Knowledge that it knows the DL of x”
– Access common transformations
• Similarities to the U.I. of a development environment?
My Bottom Line
• It can be built, with a lot of work
– Perhaps similar to a new programming language: compiler, run-time, development environment, …
• Is there a “business case”?
– Where can I get resources to develop this tool?
Contact me if you are interested in working on this