Embed Size (px)
DESCRIPTION
Soundness of Formal Encryption in the Presence of Key Cycles. Gergei Bana University of Pennsylvania P. Adão, J. Herzog, A Scedrov. Structure of the Talk. The Abadi-Rogaway logic and its computational interpretations The problem of key-cycles Standard notions of security and KDM security - PowerPoint PPT Presentation
Citation preview
Soundness of Formal Encryption in the Presence
of Key Cycles
Gergei BanaUniversity of Pennsylvania
P. Adão, J. Herzog, A Scedrov
Structure of the Talk
• The Abadi-Rogaway logic and its computational interpretations
• The problem of key-cycles• Standard notions of security and
KDM security• KDM security as a solution to key-
cycles
Introduction
• Cryptographic protocols: two models• Formal or Dolev-Yao model• Computational model from complexity theory
• Much recent work relates the two• Build formal-to-computational protocol
interpretation• Map formal security goals to computational
goals• Prove soundness or completeness
Logic of Formal Encryption• We define a very simple algebra of terms
that is a modified version of [AbadiRogaway00];
• Expressions represent the messages exchanged during the protocol• They might also include some prior knowledge
available to the adversary, eg., public keys.• Patterns represent how an adversary can
look at an expression:• If an adversary does not know a certain private
key he does not see a message in the same way as an adversary that posesses that key.
Logic of Formal Encryption
• Expressions are built from simple sets• Keys = {K1, K2, K3,...}, Keys-1= {K1
-1, K2 -1, K3
-1,...} and Blocks={0,1}* via paring and encryption;
Exp ::= Keys | Keys-1 | Blocks | (Exp,Exp) | {Exp}Keys
• Formal length. Let be a function symbol such that:• For all blocks B1 and B2, (B1) = (B2) iff |B1| = |B2|;• For all i and j, (Ki) = (Kj) and (Ki
-1) = (Kj-1);
• If (M1) = (N1), (M2) = (N2) then ((M1,M2)) = ((N1,N2)),
• If (M) = (N), then for all Ki, ({M}Ki) = ({N}Ki
).
( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )
Logic of Formal Encryption
• Patterns are built from expressions replacing undecryptable terms {M}K by K,(M)
Pat ::= Keys | Keys-1 | Blocks | (Pat,Pat) | {Pat}Keys | Keys,(Keys)
( (K2-1, {01}K3 ) , ( {({101}K2,K5-1)}K2, { {K6}K4 }K5) )
( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6) }K5) )
• Two expressions M and N are defined to be formally equivalent if
pattern(M)=pattern(N) for some key-renaming function .
• We denote this by MN.
Computational Model
• In the computational world messages are represented by bit-strings, strings= {0,1}*, and families of probability distributions over strings;
• Fix an injective pairing function (length of output depends only on lengths of inputs);
• Encryption schemes are probabilistic (polynomial-time) algorithms, and encryptions are obtained by running the encryption alghorithm.
Computational View
• Basic components of symmetric encriptions:• Key generation algorithm: K(1), randomly
generates a pair of strings (e, d) ( is security parameter)
• Encryption algorithm: E(e,x), encrypts the plaintext x with the key e, coin-tossing allowed (length of output depends only on the lengths of inputs).
• Decryption algorithm: D, D(d, E(e,x) )=x
Relating the Two Models
• Formal expressions are mapped to (interpreted in) the computational model as follows:
• For each (K,K-1) generate a pair of keys using the key generation algorithm;
• Each B block is mapped to B;• Each pair (M,N) is interpreted as the pair of the
interpretations;• Each encryption is interpreted by running the encryption
algorithm.
• Example:• {({101}K2,K5-1)}K2 translates to the random variable
( E ( e2 ( E ( ( e2, 101 ) , d5 )
• The keys e2, d5 are randomly generated, and the two encrypting functions have independent randomness as well.
Interpretation and Soundness Property
• To each expression M we have assigned an array of probability distributions denoted by [[N]].
• Definition (Soundness) We say that the interpretation is sound, if for any two expressions, MN implies that the interpretations [[M]] and [[N]] are computationally indistinguishable.
Known Results
• Theorem: If the expressions are interpreted in a CPA secure encryption scheme, then for M and N acyclic expressions, MN implies that [[M]] and [[N]] are indistinguishable.
• Problem: This result does not apply to self-encrypting keys, and cycles in more general;
• What do we propose: Possible to solve this problem via a strong enough notion of security that has been around (KDM security);
• [Laud02] proposed a solution for the problem of key-cycles by strengthening the formal adversary.
Known Results
AbadiRogaway00, AbadiJurgens01: soundness for indistinguishability properties
MicciancioWarinschi02, HorvitzGligor03: completeness for indisitinguishability properties
Bana04, AdãoBanaScedrov05: more general soundness, completeness properties
Herzog04: soundness for non-malleability propertiesBackesPfitzmannWaidner03: soundness for general trace-
based propertiesHerzogCanneti04, MicciancioWarinschi04: soundness,
completeness for Message Authentication, Key-Exchange
Laud02: soundness via strengthening the “formal adversary"
Proof Method 1• Semantic Security (IND-CPA)
[GoldwasserMicali84]• An Adversary A is given a public key e;• A sends to an oracle two messages m1 and m2 of the
same length• The oracle choses randomly b {0,1} and sends to A
the value E(e,mb);• A has to guess which of the plaintexts was encrypted.
• Interpretation of a box:• The ’th ( is security parameter) distribution
of the interpretation of K,(M) is the ’th distribution of the interpretation of {0|[[M]]_|}K
Proof Method 2 [[( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]] K3,(01)
[[( (K2-1, K3,(01) ) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]] K4,(K6)
[[( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6) }K5) )]]
[[( (K1-1, K6,(K7^-1)) , ( {({101}K2,K5-1)}K2, { K7,,(1)}K5) ) ]] K7,(1)
[[ ( (K1-1, K6,(K7^-1)) , ( {({101}K1,K5-1)}K1, {{1}K7}K5) ) ]] K6,(K7^-1)
[[ ( (K1-1, {K7-1}K6) , ( {({101}K1,K5-1)}K1, {1}K7}K5 ) )]]
The problem of key-cycles• Key cycles:
• K1 encrypts K2-1
• K2 encrypts K3 -1 ......
• Kn encrypts K1 -1
• Can actually occur in Dolev-Yao model• Possible to interpret formal messages with
key cycles• But soundness results do not hold
• [[{K1-1}K1]] does not have to be equivalent to [[{K2-1}K3]]• Even if the above two are equivalent, [[
( {K1-1}K2, {K2-1}K1 ) ]] does not have to be equivalent to [[ ( {K1-1}K2, {K3-1}K1 ) ]],
Traditional Notions of Security
• Semantic Security (IND-CPA) • Chosen Ciphertext Security - Lunchtime
Security (IND-CCA1) [NaorYung90]• An Adversary A is given a public key e;• A can send to the oracle polynomially many
ciphertexts and obtain the associated plaintexts;• A sends to the oracle two messages m1 and m2 of
the same length• The oracle choses randomly b {0,1} and sends
to A the value E(e,mb);• A has to guess which of the plaintexts was
encrypted.
Traditional Notions of Security
• Adaptive Chosen Ciphertext Security (IND-CCA2) [RackoffSimon91]• An Adversary A is given a public key e;• The oracle choses randomly b {0,1}.• A can send to the oracle polynomially many ciphertexts
and obtain the associated plaintexts; • A can send to the oracle any pair of messages m1 and
m2 of the same length and receive the value E(e,mb);• A can send to the oracle polynomially many ciphertexts
(but different from E(e,mb)) and obtain the associated plaintexts;
• A has to guess which of the plaintexts was encrypted.
Traditional Notions of Security
• Formally, we have
whereD1=D2=Id in the case of CPA;
D1(x)=D(d,x) and D2=Id in the case of CCA1;
D1(x)=D(d,x) and D2(x)=D(d,x), as long as xE(e,mb), in the case of CCA2.
CCA-2 is not Enough
• We showed that the traditional security definitions are not enough. Theorem: CCA-2 security does not enforce soundness.
• Corollary: Soundness is not implied by any of the following: NM-CCA-1, IND-CCA-1, NM-CPA, or IND-CPA
• Theorem: Soundness does not enforce IND-CPA.
KDM-Security
• The notion of key-dependent message security was introduced by Black et al. [BlackRogawayShrimpton02] and in a different form by [CamenischLysyanskaya01].
• In [CL01] the authors developed the notion of key-dependent encryption scheme and use it in a credential revocation scheme. This scheme is realised in the RO-model.
• KDM security is defined through the following game:
KDM Security
• Key Dependent Message Security [BRS02]• An Adversary A is given a vector of public
keys e. The corresponding vector of private keys d is kept private;
• A creates a (plaintext construction) function f (that might depend on e) and asks the oracle to encrypt f(d) with ei;
• The oracle encrypts either – f(d) with ei (oracle Reald), or – 0|f(d)| with ei (oracle Faked);
• A has to guess which happened.
KDM Security
• An encryption scheme is KDM-secure if:
• Theorem: KDM-security does not imply NM-CPA security, and neither IND-CCA-1, or IND-CCA-2 security. It does imply IND-CPA.
Soundness for Key-Cycles
• Theorem: If the expressions are interpreted in a KDM-secure system, then M, N expressions MN implies that [[M]] and [[N]] are indistinguishable.
• Corollary: CCA-2 security does not imply KDM-security.
Proof Method [[( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]]
K3,(01) K4,(K6)
[[( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6) }K5) )]]
[[( (K1-1, K6,(K7^-1)) , ( {({101}K2,K5-1)}K2, { K7,,(1)}K5) ) ]] K6,(K1) K7,(1)
[[ ( (K1-1, {K7-1}K6) , ( {({101}K1,K5-1)}K1, {1}K7}K5 ) )]]
Conclusions
• Inspite of the differences, and origins, of the two models, several properties can be carried over from one to the other;
• KDM-security is orthogonal to the previous security notions;
• We have soundness even in the presence of key-cycles.
Relations among Different Notions
Plaintext-Awareness
RCCA-2
NM-CCA-2 , IND-CCA-2
NM-CCA-1
NM-CPA IND-CPA
IND-CCA-1
Soundness
KDM
