A plausible approach to computer-aided cryptographic proofs (a collection of thoughts) Shai Halevi – May 2005
The problem Crypto proofs are hard to verify When did you last –Read –Understood –Was able to fully verify a proof of non-trivial piece of crypto?
Why is this so hard? “The thing to prove” is some property of an interaction between non-trivial programs The proof consists of a sequence of interactions (games), all involving similar programs –Difference between consecutive steps is minor changes in a complicated game
Sample arguments “We now make several changes to the order in which variables are chosen in game R1. We make the following changes to the code: –[…] –Instead of choosing MM s {0,1} n and setting C s m P s m MM s, we choose C s m {0,1} n and set MM s P s m C s m –We replace the assignment CCC s i MC s j M s 1 in line 136 by the equivalent assignment CCC s i PPP s i M s j. This is equivalent since MC s j = MP s j M s j = PPP s i M s 1 M s j –[…]
More sample arguments “H 6 checks in client sessions (P i,ssid) that receive a non-peer- oracle-generated pair […] H 7 encrypts the “dummy password” w’ in c 2 instead of encrypting the password w, for every client session (P i,ssid) that received a non-peer-oracle-generated pair (c 1,VK) in step 2 with non-valid ciphertext c 1. Then as in H 2 and H 4, since the encryption scheme E' is semantically secure, the environment cannot distinguish between these cases. Note that the session key of such client sessions are already chosen randomly, and the ZKPs are already simulated. Thus neither depends on how c 2 is generated. Also note that in the reduction to the security of E' with public key pk', one can still test c 1 encryptions, since they are encrypted with the other public key pk and can be decrypted using sk.”
You need to be a compiler to verify some of these arguments
Can we write such compiler? It all boils down to verifying that two pieces of code induce the same probability distribution on some of their variables The simplest example: M {0,1} n, C PM vs. C {0,1} n, M PC
A reduction Distinguishing H 6 from H 7 implies violating semantic security of E’ –Write code for H 6, H 7 –Write code for L-or-R attack against E’ –Check that H 6 implies the same distribution on the adversary’s view as the L attack –Check that H 7 implies the same distribution on the adversary’s view as the R attack
Computer assistance The person writing the security proof writes the code, specifies how to get from one piece of code to the other The automated tool verifies that the transformations are permissible
Transformations A library of common transformations –Algebraic manipulations –“The forgetful gnome” [Shoup] –“Coin fixing” [Bellare-Rogaway] –Etc. These represent common arguments in our proof
Code templates Represent commonly-used attacks and hardness assumptions E.g., template for DDH, QR, etc. A CPA template (two versions) –Proving that a scheme is CPA secure –Using CPA security in a proof
User interface Probably the hardest part Must be easy for people to write their proofs using this tool Easy to specify games –E.g., as close to pseudocode as possible Easy access to transformations Also easy to add new templates, transformations
Can this be done? My guess: same order-of-magnitude as creating a new programming language –Compiler, development environment, run-time Big project, but things like that have been done before Can probably get funding (grants?) Needs cooperation between programming- language people, cryptographers, UI
CCA[CS] CCACCA1CCA2CCA3’ CCA4 CCA5 +2t / q +1/q XYZ game that depends on a (binary) parameter game that is derived from template XYZ The empty game +epsilon game with bad events transformation that changes the probability by epsilon transformation that is justified by a reduction game with output The Proof of CS98 DDH CCA1CCA2 DDH TCR CCA4 CCA5’ +t /q^4 CCA5 TCR