symbolic methods for cryptography
Computational Soundness
Symbolic methods for cryptography
Bogdan Warinschi, University of Bristol

Toy example
A and B each hold the key K. Messages exchanged:
A, N1
{N1, N2, Ks}K
{B, N2}Ks
{D}Ks
Is the data D secret?

Security Models
Mathematical model
Security property
Proof method

Abstraction Levels
[Figure: abstraction levels; labels: Insecurity, Security]

Two types of security models
[Figure: four boxes, each labelled Model, Security property, Proof method]

Outline
• A gap between models for encryption:
  – security definitions
  – proofs
• Bridging the gap:
  – The passive adversaries case:
    • the Abadi-Rogaway logic
    • extensions
  – The active adversaries case (tomorrow)

Two views of security for encryption schemes

Symbolic treatment of encryption
• Messages are elements from a term algebra:
  – Data = {D1,D2,…},
  – Keys = {K1,K2,…},
  – Random nonces = {N1,N2,…},
  – Identities = {A,B,…}
• BASIC := Data | Keys | Random nonces | Identities
• TERM := BASIC | (TERM, TERM) | {TERM}Keys
• Messages are terms, e.g. N2, {((B, N1), Ks)}K

Symbolic treatment of encryption
• Security for encryption is axiomatized
  – Given {M}K, the adversary can compute M only if it has K
• Deduction rules (premises → conclusion):
  – {M}K, K → M
  – M, K → {M}K
  – M1, M2 → (M1, M2)
  – (M1, M2) → M1, M2

Computational treatment for encryption
• Messages are bitstrings
• Symmetric encryption scheme = (Kg, Enc, Dec)
  – Kg(η) outputs a random bitstring k in {0,1}^η
  – Enc: {0,1}^η × {0,1}* → {0,1}* (distribution on {0,1}*)
  – Dec: {0,1}^η × {0,1}* → {0,1}*
  – It holds that: Dec(k, Enc(k,m)) = m
• E.g. AES-CBC

Computational treatment for encryption
Encryption scheme = (Kg, Enc, Dec); the IND-CPA game:
• Oracle Enc(K,_) with bit b
• The adversary submits M0, M1 (|M0| = |M1|)
• The oracle returns Enc(K, Mb)
• The adversary outputs a guess: b = ?
Encryption scheme is IND-CPA secure if for all adversaries,
Pr[Adversary guesses b] ≤ ½ + negligible function (η)

Security of double encryption:
• A and B each hold the key K; the message sent is {{M}K}K
• Is the message M secret?

Security of double encryption: symbolically
• Does there exist a derivation of M from {{M}K}K using only the rules (premises → conclusion):
  – {M}K, K → M
  – M, K → {M}K
  – M1, M2 → (M1, M2)
  – (M1, M2) → M1, M2

Security of double encryption: computationally
• Oracle Enc(K, Enc(K,_)) with bit b
• The adversary submits M0, M1 (|M0| = |M1|)
• The oracle returns Enc(K, Enc(K, Mb))
• The adversary outputs a guess: b = ?

Security of double encryption: computationally
Reduction to the single-encryption oracle Enc(K,_) with bit b:
• The double-encryption adversary submits M0, M1
• Query M0, M0: C0 = Enc(K, M0)
• Query M1, M1: C1 = Enc(K, M1)
• Query C0, C1: C = Enc(K, Enc(K, Mb))
• C is returned to the adversary, which outputs a guess: b = ?
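
The reduction on the slide above, written out as an added example that is not part of the original slides. The toy scheme is deliberately weak and constructed for this demonstration, and the class and function names are assumptions of the example: because an adversary breaks double encryption of the toy scheme, the reduction breaks its single encryption with the same success rate.

```python
import hashlib
import secrets

def kg(eta=16):
    return secrets.token_bytes(eta)

def enc(k, m):
    # Deliberately weak, deterministic toy scheme (constructed for this demo):
    # XOR with a key-derived pad, so it is NOT IND-CPA secure.
    pad = hashlib.shake_256(k).digest(len(m))
    return bytes(a ^ b for a, b in zip(m, pad))

class LeftRightOracle:
    """Enc(K,_) with bit b: on (M0, M1), |M0| = |M1|, returns Enc(K, Mb)."""
    def __init__(self, b):
        self._k, self._b = kg(), b

    def query(self, m0, m1):
        assert len(m0) == len(m1)
        return enc(self._k, (m0, m1)[self._b])

class DoubleEncAdversary:
    """Hypothetical adversary against Enc(K, Enc(K, Mb))."""
    def choose(self):
        self.m0, self.m1 = b"attack at dawn!!", b"retreat at noon!"
        return self.m0, self.m1

    def guess(self, c):
        # Succeeds against the toy scheme because the two pads cancel.
        return 0 if c == self.m0 else 1

def reduction(oracle, adv):
    """Single-encryption adversary built from a double-encryption one."""
    m0, m1 = adv.choose()
    c0 = oracle.query(m0, m0)   # C0 = Enc(K, M0)
    c1 = oracle.query(m1, m1)   # C1 = Enc(K, M1)
    c = oracle.query(c0, c1)    # C  = Enc(K, Enc(K, Mb))
    return adv.guess(c)         # forward the guess for b

def wins(trials=20):
    """Number of trials in which the reduction guesses the oracle's bit."""
    won = 0
    for i in range(trials):
        b = i % 2
        won += reduction(LeftRightOracle(b), DoubleEncAdversary()) == b
    return won
```

Read contrapositively, this is the slide's argument: if no efficient adversary wins the single-encryption game noticeably more than half the time, none can win the double-encryption game either.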

Two Paradigms for Protocol Analysis
Symbolic Approach
• Abstract model
• D-Y adversaries
• Unclear how to ensure security of primitives
• Proofs can potentially be automated (theorem provers, model checkers)
Computational Approach
• Concrete model
• Powerful PPT adversaries
• Clear definitions for the security of primitives
• Complex protocols are difficult to analyze

Two types of security models
[Figure: four boxes, each labelled Model, Security property, Proof method]

Two ways of bridging the gap
[Figure: four boxes, each labelled Model, Security property, Proof method]
• Apply methods/techniques from the red world directly in the blue world: Bruno, Sylvain, Marion’s talks
• Show that security in the red world implies security in the blue world

Computational Soundness
1. Prove security in the symbolic model
2. Apply the soundness theorem
3. Deduce security in the computational model
[Figure: Symbolic model (Security property, Symbolic proof) and Computational model (Security property, Computational proof), connected by Soundness Theorems]

Two types of security models
[Figure: four boxes, each labelled Model, Security property, Proof method; labels: Security, Insecurity, Security]

Passive adversaries
• A protocol run:
  A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks
• Two interleaved sessions:
  A, N1, {N1, N2, Ks}K, A, N3, {N3, N4, Ks’}K, {B, N4}Ks’, {D2}Ks’, {B, N2}Ks, {D1}Ks
• Two interleaved sessions with corruption:
  A, N1, {N1, N2, Ks}K, Ks, A, N3, {N3, N4, Ks’}K, {B, N4}Ks’, {D2}Ks’, {B, N2}Ks, {D1}Ks

Defining secrecy, symbolically
To each expression associate a pattern:
For E = {N1}K1, {{K1}K2}K3, K3, {K3}K2, {{K1,N2}K3,K3}K2
patt(E) = ▓, {▓}K3, K3, ▓, ▓ (tentative definition)
patt(E) = {N}K1, {{K0}K2}K3, K3, {K0}K2, {{K0,N}K0,K0}K2

Defining secrecy, symbolically
• Definition: D is hidden in E if D does not occur in patt(E)
• Is D1 secret in
  A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks
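
An added example, not part of the original slides: the symbolic deduction rules and the tentative patt definition implemented over a small term representation, then applied to the expressions the slides ask about. The tuple encoding, the function names and the convention that key atoms start with "K" are assumptions of this example.

```python
BOX = "▓"  # stands for a ciphertext the eavesdropper cannot open

def enc(key, *ts):
    """{t1, ..., tn}key; several plaintext terms are paired."""
    return ("enc", key, ts[0] if len(ts) == 1 else ("pair",) + ts)

def is_key(t):  # assumption of this example: key atoms start with "K"
    return isinstance(t, str) and t.startswith("K")

def visible(t, keys):
    """Atoms readable from t by projection and by decryption with `keys`."""
    if isinstance(t, str):
        yield t
    elif t[0] == "pair":
        for s in t[1:]:
            yield from visible(s, keys)
    elif t[1] in keys:  # rule {M}K, K -> M
        yield from visible(t[2], keys)

def recoverable_keys(E):
    """Least fixpoint of the keys an eavesdropper on E can derive."""
    keys = set()
    while True:
        new = {a for t in E for a in visible(t, keys) if is_key(a)}
        if new == keys:
            return keys
        keys = new

def patt_term(t, keys):
    if isinstance(t, str):
        return t
    if t[0] == "pair":
        return ("pair",) + tuple(patt_term(s, keys) for s in t[1:])
    return ("enc", t[1], patt_term(t[2], keys)) if t[1] in keys else BOX

def patt(E):
    """Tentative pattern: undecryptable ciphertexts become BOX."""
    keys = recoverable_keys(E)
    return [patt_term(t, keys) for t in E]

def hidden(D, E):
    """D is hidden in E if D does not occur in patt(E)."""
    keys = recoverable_keys(E)
    return all(D not in visible(p, keys) for p in patt(E))

# Constructed inputs: the expressions written on the slides.
E_SLIDE = [enc("K1", "N1"), enc("K3", enc("K2", "K1")), "K3",
           enc("K2", "K3"), enc("K2", enc("K3", "K1", "N2"), "K3")]
RUN = ["A", "N1", enc("K", "N1", "N2", "Ks"), enc("Ks", "B", "N2"),
       enc("Ks", "D1")]
CORRUPTED = ["A", "N1", enc("K", "N1", "N2", "Ks"), "Ks", "A", "N3",
             enc("K", "N3", "N4", "Ks'"), enc("Ks'", "B", "N4"),
             enc("Ks'", "D2"), enc("Ks", "B", "N2"), enc("Ks", "D1")]
```

`patt(E_SLIDE)` reproduces the tentative pattern ▓, {▓}K3, K3, ▓, ▓; `hidden("D1", RUN)` holds, while in the run with corruption D1 is exposed by the leaked Ks and D2 stays hidden.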

Defining secrecy, computationally
Given:
• a valuation f: {D1,D2,...} → {0,1}^n
• an encryption scheme = (Kg, Enc, Dec)
Define: [[ _ ]]f : Expressions → Distributions
A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks

Mapping expressions to (distributions on) bitstrings
[[ _ ]]f : Expressions → Distributions
[Figure: the expression {D1,{K5,N}K1}K1 mapped to a bitstring; labels: Kg, Rand, f, Enc( , )]

Defining secrecy, computationally
E = {D1,{K5,N}K1}K1
[[ _ ]]f : Expressions → Distributions
[Figure: a sample of [[ E ]]fb built with Kg, Rand and one of the valuations f0, f1; the adversary must answer b = ?]

Defining secrecy, computationally
Let E be an expression and an encryption scheme
The set T ⊆ Data is computationally hidden in E if for any valuations
f0, f1 : Data → {0,1}^n with
f0(D) = f1(D) for D ∈ Data − T
it holds that
[[ E ]]f0 ~ [[ E ]]f1
“~” means computational indistinguishability

Relation between two very different worlds?
• Is there a relation between the two notions of secrecy?
• More generally: what does security proved in the symbolic world mean for the computational world?
• Many symbolic versions of the same notion (e.g. two notions of patterns). Which one is right?
• Many security notions for the same primitive in the concrete world. Which one is right?

Main technical result
Let
  – E be an acyclic expression
  – the encryption scheme be IND-CPA secure
  – f: {D1,D2,…,Dn} → {0,1}^n be arbitrary.
Then:
[[ E ]]f ~ [[ patt(E) ]]f
{K}K and {K1}K2, {K2}K1 are not acyclic expressions

Proof idea
• Standard (but very general) hybrid argument
• Construct E1, E2, …, En such that
  – E1 = E
  – En = patt(E)
  – [[Ei]] ~ [[Ei+1]]
• It is essential that E is acyclic

Soundness Theorem (Abadi, Rogaway (2000))
Let
  – E be an acyclic expression
  – the encryption scheme be IND-CPA secure
Then:
T symbolically hidden in E ⇒ T is computationally hidden in E

Proof
[Figure: E with its interpretations [[ E ]]f0 and [[ E ]]f1, and patt(E) with its interpretations [[ patt(E) ]]f0 and [[ patt(E) ]]f1]
Given: T is symbolically hidden in E (any D ∈ T does not occur in the pattern of E).
Want: Given any
f0, f1 : Data → {0,1}^n with
f0(D) = f1(D) if D ∉ T
then [[ E ]]f0 is indistinguishable from [[ E ]]f1

Previous result an instance of:
[Figure: Symbolic model (Security property, Symbolic proof) and Computational model (Security property, Computational proof), connected by Soundness Theorems]

(One) Hybrid argument
• E0 = {K1}K2, {K3}K1, {D}K3
• E1 = {K0}K2, {K3}K1, {D}K3
• E2 = {K0}K2, {K0}K1, {D}K3
• E3 = {K0}K2, {K0}K1, {D0}K3
An adversary that distinguishes between [[E0]] and [[E3]] must distinguish between [[Ei]] and [[Ei+1]] for some i

(One) Hybrid argument
Distinguishing E0 from E1 with the oracle Enc(k,_) and bit b:
• E0 = {K1}K2, {K3}K1, {D}K3
• E1 = {K0}K2, {K3}K1, {D}K3
• Generate k0, k1, k3
• Send k0, k1
• Receive c = Enc(k, kb)
• Compute c1 = Enc(k1, k3)
• Compute c2 = Enc(k3, d)
• Output (c, c1, c2)

Questions:
• Is D1 secret in:
• Is D1 secret in:
• Are D1 and D2 secret in:
A, N1, {N1, N2, Ks}K, A, N3, {N3, N4, Ks’}K, {B, N4}Ks’, {D2}Ks’, {B, N2}Ks, {D1}Ks
A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks
A, N1, {N1, N2, Ks}K, Ks, A, N3, {N3, N4, Ks’}K, {B, N4}Ks’, {D2}Ks’, {B, N2}Ks, {D1}Ks

Some difficulties
• The usefulness of a soundness theorem increases with its generality
• Is D1 secret in
  – g^x, N1, g^y, {N1, Ks}g^(xy), {D1}Ks
  – g^x, N1, g^y, {N1, Ks}g^(x+y), {D1}Ks
  – g^x, g^y, g^z, g^(xy), {Ks}g^(xyz), {D1}Ks
• Deal with protocols where g^(x1x2+x2x3+…+xnx1) occurs
• How about in
  – g^x, g^y, {N1, Ks}g^(xy), {D1}Ks, H(N1, D1)
  – g^x, g^y, N1, {Ks}g^(xy), {D1}Ks, H(N1, D1)

Some difficulties
• Intuition à la Dolev-Yao models may not always be right!
• patt({D}K1, {D,D}K2) = ▓, ▓ = patt({D}K1, {D}K1)
• There exist IND-CPA encryption schemes for which encryption with the same key can be observed
  1. Strengthen the notion of security for encryption in the computational world
  2. Refine the notion of patterns in the symbolic world

Acyclicity
• Intuition à la Dolev-Yao models may be wrong!
• Is D secret in {K}K, {D}K?
• There exist IND-CPA encryption schemes which are completely insecure if used as above
• Is D secret in {K1}K2, {K2}K1, {D}K?
• …?
• Solutions:
  – declare the above use insecure
  – define and construct key-dependent encryption

Computational soundness
• Relates symbolic and computational models so that security results transfer
• Why should we care
  – Symbolic formalisms:
    • Gives insight into models
    • Justifies the use of symbolic models in a very strong sense
  – Cryptography:
    • Symbolic models are simpler, easier to understand
    • For large protocols with complex interactions life is simpler