Symbolic methods for cryptography

Presentation transcript:

Symbolic methods for cryptography. Bogdan Warinschi, University of Bristol. Computational Soundness

Toy example. A and B share a long-term key K; Ks is a fresh session key, N1 and N2 are nonces:
A → B: A, N1
B → A: {N1, N2, Ks}K
A → B: {B, N2}Ks
Finally, data D is sent encrypted under the session key: {D}Ks
Is the data D secret?

Security models have three ingredients: a mathematical model (of the protocol and of the adversary), a security property, and a proof method.

Abstraction levels [figure]

Abstraction levels: insecurity [figure]

Abstraction levels: security [figure]

Two types of security models [figure: two models side by side, each with its mathematical model, security property and proof method]

Outline
A gap between models for encryption: security definitions; proofs.
Bridging the gap:
  the passive adversaries case: the Abadi-Rogaway logic; extensions;
  the active adversaries case (tomorrow).

Two views of security for encryption schemes Computational Soundness

Symbolic treatment of encryption. Messages are elements of a term algebra built from Data = {D1, D2, ...}, Keys = {K1, K2, ...}, Random nonces = {N1, N2, ...} and Identities = {A, B, ...}:
BASIC := Data | Keys | Random nonces | Identities
TERM := BASIC | (TERM, TERM) | {TERM}Keys
Messages are terms, e.g. N2 and {((B, N1), Ks)}K.

Symbolic treatment of encryption. Security for encryption is axiomatized: given {M}K, the adversary can compute M only if it has K. The deduction rules are
{M}K, K ⊢ M
M, K ⊢ {M}K
M1, M2 ⊢ (M1, M2)
(M1, M2) ⊢ M1, M2

Computational treatment of encryption. Messages are bitstrings. A symmetric encryption scheme is a triple Π = (Kg, Enc, Dec):
Kg(η) outputs a random bitstring k in {0,1}^η;
Enc: {0,1}^η × {0,1}* → {0,1}* (Enc may be randomized, so Enc(k, m) is a distribution on {0,1}*);
Dec: {0,1}^η × {0,1}* → {0,1}*.
Correctness: Dec(k, Enc(k, m)) = m. Example: AES-CBC.

Computational treatment of encryption: the IND-CPA game for Π = (Kg, Enc, Dec). The adversary has oracle access to Enc(K, _) for a key K produced by Kg. It outputs two messages M0, M1 with |M0| = |M1|, receives Enc(K, Mb) for a hidden random bit b, and must guess b. The scheme Π is IND-CPA secure if for all (probabilistic polynomial-time) adversaries
Pr[adversary guesses b] ≤ 1/2 + negligible(η).

Security of double encryption. A and B share K, and A sends B the message {{M}K}K. Is the message M secret?

Security of double encryption, symbolically. Does there exist a derivation {{M}K}K ⊢ ... ⊢ M, for instance {{M}K}K ⊢ {M}K (needs K) and then {M}K, K ⊢ M, using only the rules
{M}K, K ⊢ M
M, K ⊢ {M}K
M1, M2 ⊢ (M1, M2)
(M1, M2) ⊢ M1, M2 ?
Without K no rule applies to {{M}K}K, so M cannot be derived: symbolically, M is secret.

Security of double encryption, computationally. The adversary has oracle access to Enc(K, Enc(K, _)), outputs M0, M1 with |M0| = |M1|, receives Enc(K, Enc(K, Mb)) and must guess b.

Security of double encryption, computationally: reduction to the IND-CPA security of Enc(K, _), in the left-right formulation where every query (M0, M1) is answered with Enc(K, Mb) for the same hidden bit b. Given M0, M1 from the double-encryption adversary, query (M0, M0) to obtain C0 = Enc(K, M0); query (M1, M1) to obtain C1 = Enc(K, M1); query (C0, C1) to obtain C = Enc(K, Cb) = Enc(K, Enc(K, Mb)). Hand C to the double-encryption adversary and output its guess.
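The IND-CPA game and the double-encryption reduction from the two slides above, as an added Python example (this is not code from the slides). The two toy schemes, an HMAC-SHA256 keystream used with a fixed nonce versus a fresh random nonce, the sample messages M0 and M1, and all function names are constructed for illustration; keystream() is assumed to behave as a PRF. The equality adversary is the generic attack on any deterministic scheme: it learns Enc(k, M0) from the oracle and compares it with the challenge.

```python
import hashlib
import hmac
import random
import secrets

# Constructed sample messages of equal length, as the IND-CPA game requires.
M0 = b"attack at dawn!!"
M1 = b"retreat at dusk!"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream generator (assumed to be a PRF)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FixedNonceScheme:
    """Deterministic stream cipher: the keystream never changes (a two-time pad)."""
    NONCE = bytes(16)

    @staticmethod
    def kg() -> bytes:
        return secrets.token_bytes(16)

    @classmethod
    def enc(cls, k: bytes, m: bytes, rng: random.Random) -> bytes:
        return xor(m, keystream(k, cls.NONCE, len(m)))

    @classmethod
    def dec(cls, k: bytes, c: bytes) -> bytes:
        return xor(c, keystream(k, cls.NONCE, len(c)))


class RandomNonceScheme:
    """Randomized stream cipher: a fresh 16-byte nonce per encryption, sent in the clear."""

    @staticmethod
    def kg() -> bytes:
        return secrets.token_bytes(16)

    @staticmethod
    def enc(k: bytes, m: bytes, rng: random.Random) -> bytes:
        nonce = rng.getrandbits(128).to_bytes(16, "big")
        return nonce + xor(m, keystream(k, nonce, len(m)))

    @staticmethod
    def dec(k: bytes, c: bytes) -> bytes:
        nonce, body = c[:16], c[16:]
        return xor(body, keystream(k, nonce, len(body)))


def roundtrip_ok(scheme, m: bytes = M0) -> bool:
    """Correctness requirement Dec(k, Enc(k, m)) = m."""
    k = scheme.kg()
    return scheme.dec(k, scheme.enc(k, m, random.Random(0))) == m


def ind_cpa_game(scheme, adversary, rng: random.Random) -> bool:
    """One run of the left-right IND-CPA game: every query (m0, m1) is answered
    with Enc(k, mb) for the same hidden bit b; the adversary wins if it returns b."""
    k = scheme.kg()
    b = rng.getrandbits(1)

    def lr_oracle(m0: bytes, m1: bytes) -> bytes:
        if len(m0) != len(m1):
            raise ValueError("IND-CPA queries must have equal length")
        return scheme.enc(k, m1 if b else m0, rng)

    return adversary(lr_oracle) == b


def win_rate(scheme, adversary, trials: int = 400, seed: int = 1) -> float:
    rng = random.Random(seed)  # seeded so the experiment is reproducible
    return sum(ind_cpa_game(scheme, adversary, rng) for _ in range(trials)) / trials


def equality_adversary(lr_oracle) -> int:
    """Query (M0, M0) returns Enc(k, M0) whatever b is; then compare it with the
    challenge for (M0, M1). Wins always against a deterministic scheme."""
    reference = lr_oracle(M0, M0)
    challenge = lr_oracle(M0, M1)
    return 0 if challenge == reference else 1


def double_encryption_reduction(adversary):
    """The slide's reduction: an adversary against Enc(k, Enc(k, _)) becomes one
    against Enc(k, _) by simulating its oracle with three left-right queries."""

    def adversary_single(lr_oracle):
        def lr_double(m0: bytes, m1: bytes) -> bytes:
            c0 = lr_oracle(m0, m0)    # Enc(k, m0), independent of b
            c1 = lr_oracle(m1, m1)    # Enc(k, m1), independent of b
            return lr_oracle(c0, c1)  # Enc(k, Enc(k, mb))
        return adversary(lr_double)

    return adversary_single


if __name__ == "__main__":
    print("fixed nonce, equality attack:", win_rate(FixedNonceScheme, equality_adversary))
    print("random nonce, equality attack:", win_rate(RandomNonceScheme, equality_adversary))
    print("fixed nonce, via double-encryption reduction:",
          win_rate(FixedNonceScheme, double_encryption_reduction(equality_adversary)))
```

Against the fixed-nonce scheme the adversary wins every game, directly and through the double-encryption reduction (with a fixed keystream the two layers even cancel, so Enc(k, Enc(k, m)) = m); against the randomized scheme the same adversary is reduced to guessing, which is what IND-CPA asks for but, as the next slides discuss, does not by itself tell you what the symbolic box ▓ is allowed to hide.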

Two paradigms for protocol analysis.
Symbolic approach: abstract model; Dolev-Yao adversaries; unclear how to ensure security of the primitives; proofs can potentially be automated (theorem provers, model checkers).
Computational approach: concrete model; powerful PPT adversaries; clear definitions for the security of the primitives; complex protocols are difficult to analyze.

Speaker notes: Now let's contrast the symbolic approach with the computational approach. In the computational approach the execution model mirrors reality quite closely: what is analyzed are executions of actual algorithms using actual data represented by bit-strings. Very importantly, security of protocols is proved with respect to an extremely powerful adversary, an arbitrary probabilistic polynomial-time Turing machine, which essentially means that security is proved with respect to any device performing efficient computations. Security proofs also identify the security requirements that should be fulfilled by the primitives used in the implementation of the protocol, and this offers good guidance to the implementers. Unfortunately, due to the level of detail, proving security in the computational model is often a very difficult task, and this is especially true for complex protocols, where the complexity gives rise to many subtle interactions which need to be accounted for in the proof of security. So what I painted is this contrasting picture in which the two frameworks that are used seem to have complementary strengths and shortcomings. My thesis is aimed at combining the two frameworks into a single unified one in which protocols can be specified and analyzed using the simpler symbolic model, in such a way that the security results are meaningful from the point of view of the computational approach.


Two ways of bridging the gap [figure: the two models, each with its security property and proof method]. Either apply methods and techniques from the red world directly in the blue world (Bruno, Sylvain and Marion's talks), or show that security in the red world implies security in the blue world.

Computational soundness: prove security in the symbolic model, apply the soundness theorem, and deduce security in the computational model. [figure: symbolic model with its security property and symbolic proof on one side, computational model with its security property and computational proof on the other, linked by soundness theorems]

Two types of security models, revisited [figure: security in one model and security or insecurity in the other]

Back to the toy example (A, N1; {N1, N2, Ks}K; {B, N2}Ks; {D}Ks, with K shared by A and B): is the data D secret?

Passive adversaries: the adversary only observes transcripts.
A protocol run:
  A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks
Two interleaved sessions:
  A, N1, {N1, N2, Ks}K, A, N3, {N3, N4, Ks'}K, {B, N4}Ks', {D2}Ks', {B, N2}Ks, {D1}Ks
Two interleaved sessions with corruption (the session key Ks is revealed):
  A, N1, {N1, N2, Ks}K, Ks, A, N3, {N3, N4, Ks'}K, {B, N4}Ks', {D2}Ks', {B, N2}Ks, {D1}Ks

Defining secrecy, symbolically. To each expression associate a pattern. For
  E = {N1}K1, {{K1}K2}K3, K3, {K3}K2, {{K1, N2}K3, K3}K2
the only key the adversary can recover is K3, so (tentative definition)
  patt(E) = ▓, {▓}K3, K3, ▓, ▓
A refined notion of pattern keeps the shape of what is encrypted under an unrecoverable key and replaces each hidden atom by a fixed representative of its type (K0 for keys, N for nonces):
  patt(E) = {N}K1, {{K0}K2}K3, K3, {K0}K2, {{K0, N}K0, K0}K2

Defining secrecy, symbolically. Definition: D is hidden in E if D does not occur in patt(E).
Is D1 secret in A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks? Neither K nor Ks (which only appears under K) is recoverable, so patt(E) = A, N1, ▓, ▓, ▓ and D1 is hidden.

Defining secrecy, computationally, for an expression such as A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks. Given a valuation f: {D1, D2, ...} → {0,1}^n and an encryption scheme Π = (Kg, Enc, Dec), define the interpretation [[_]]^Π_f : Expressions → Distributions (on bitstrings).

Mapping expressions to (distributions on) bitstrings [figure]: [[_]]^Π_f interprets {D1, {K5, N}K1}K1 by mapping D1 to the bitstring f(D1), each key K1, K5 to a key sampled with Kg, the nonce N to a random bitstring, a pair to the encoding of its two interpreted components, and {_}K to Enc(k, _) with the sampled key k; the result is a bitstring sampled from [[E]]^Π_f.

Defining secrecy, computationally [figure]: for E = {D1, {K5, N}K1}K1 and two valuations f0, f1 that differ on D1, sample the keys (Kg) and the nonce (Rand), and ask an adversary to guess b given a sample of [[E]]^Π_{fb}.

Defining secrecy, computationally. Let E be an expression and Π an encryption scheme. A set T ⊆ Data is computationally hidden in E if for any valuations f0, f1: Data → {0,1}^n with f0(D) = f1(D) for all D ∈ Data − T,
  [[E]]^Π_{f0} ~ [[E]]^Π_{f1}
where "~" means computational indistinguishability.

Relation between two very different worlds? Is there a relation between the two notions of secrecy? More generally: what does security proved in the symbolic world mean for the computational world? There are many symbolic versions of the same notion (e.g. the two notions of patterns above): which one is right? There are many security notions for the same primitive in the concrete world: which one is right?

Main technical result: [[E]]^Π_f ~ [[patt(E)]]^Π_f. Precisely: let E be an acyclic expression ({K}K and {K1}K2, {K2}K1 are examples of expressions that are not acyclic), let Π be an IND-CPA secure encryption scheme and let f: {D1, D2, ..., Dn} → {0,1}^n be arbitrary. Then
  [[E]]^Π_f ~ [[patt(E)]]^Π_f

Proof idea: a standard (but very general) hybrid argument. Construct E1, E2, ..., En such that E1 = E, En = patt(E) and [[Ei]] ~ [[Ei+1]] for each i. It is essential that E is acyclic.

Soundness theorem (Abadi, Rogaway 2000). Let E be an acyclic expression and Π an IND-CPA secure encryption scheme. Then: T symbolically hidden in E ⟹ T computationally hidden in E.

Proof. Given: T is symbolically hidden in E (no D ∈ T occurs in patt(E)). Want: for any f0, f1: Data → {0,1}^n with f0(D) = f1(D) whenever D ∉ T, [[E]]^Π_{f0} is indistinguishable from [[E]]^Π_{f1}. By the main technical result, [[E]]^Π_{f0} ~ [[patt(E)]]^Π_{f0}. Since no D ∈ T occurs in patt(E) and f0, f1 agree outside T, the two valuations give the same interpretation of the pattern: [[patt(E)]]^Π_{f0} = [[patt(E)]]^Π_{f1}. Applying the main result once more, [[patt(E)]]^Π_{f1} ~ [[E]]^Π_{f1}, and the three steps chain into the claim.

The previous result is an instance of the general scheme [figure: a symbolic proof of a security property in the symbolic model, transferred by a soundness theorem to a computational proof of the corresponding property in the computational model].

(One) hybrid argument. Consider the chain
  E0 = {K1}K2, {K3}K1, {D}K3
  E1 = {K0}K2, {K3}K1, {D}K3
  E2 = {K0}K2, {K0}K1, {D}K3
  E3 = {K0}K2, {K0}K1, {D0}K3
At each step one atom encrypted under a key the adversary cannot recover is replaced by its representative. An adversary that distinguishes between [[E0]] and [[E3]] must distinguish between [[Ei]] and [[Ei+1]] for some i.

The reduction for E0 versus E1: build an IND-CPA adversary against the oracle Enc(k, _), whose key k plays the role of K2. Generate k0, k1, k3; send (k0, k1) as the challenge pair and receive c = Enc(k, kb); compute c1 = Enc(k1, k3) and c2 = Enc(k3, d); output (c, c1, c2). When b = 1 this triple is distributed as [[E0]] (the first component is {K1}K2), when b = 0 as [[E1]] (it is {K0}K2), so any distinguisher for [[E0]] and [[E1]] breaks IND-CPA.

Questions:
Is D1 secret in A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks?
Is D1 secret in A, N1, {N1, N2, Ks}K, A, N3, {N3, N4, Ks'}K, {B, N4}Ks', {D2}Ks', {B, N2}Ks, {D1}Ks?
Are D1 and D2 secret in A, N1, {N1, N2, Ks}K, Ks, A, N3, {N3, N4, Ks'}K, {B, N4}Ks', {D2}Ks', {B, N2}Ks, {D1}Ks?
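The symbolic side of the slides, as an added Python example (not code from the presentation): the term algebra, the four deduction rules, the box version of patt, the "hidden" definition and the acyclicity check that the soundness theorem requires as a hypothesis, run over the three transcripts of the questions above, the double-encryption example and the key cycles {K}K and {K1}K2, {K2}K1. The tuple encoding of terms and all function names are my own; the refined, type-preserving notion of pattern from the earlier slide is not implemented here.

```python
# Terms of the slides' algebra as nested tuples: atoms are (kind, name),
# pairs are ("pair", t1, t2), encryptions are ("enc", plaintext, key_name).
def D(name): return ("data", name)
def K(name): return ("key", name)
def N(name): return ("nonce", name)
def ID(name): return ("id", name)

def pair(*terms):
    """(t1, t2, ..., tn) is right-nested: (t1, (t2, ..., tn))."""
    return terms[0] if len(terms) == 1 else ("pair", terms[0], pair(*terms[1:]))

def enc(term, key_name):
    return ("enc", term, key_name)

BOX = ("box",)  # the ▓ of the slides


def analyze(known):
    """Closure of `known` under the decomposition rules
    (M1, M2) |- M1, M2  and  {M}K, K |- M."""
    facts, changed = set(known), True
    while changed:
        changed = False
        for t in list(facts):
            if t[0] == "pair":
                new = {t[1], t[2]}
            elif t[0] == "enc" and K(t[2]) in facts:
                new = {t[1]}
            else:
                continue
            if not new <= facts:
                facts |= new
                changed = True
    return facts


def derivable(target, known):
    """Dolev-Yao deducibility: decompose what is known, then rebuild `target`
    with M1, M2 |- (M1, M2) and M, K |- {M}K."""
    facts = analyze(known)

    def synth(t):
        if t in facts:
            return True
        if t[0] == "pair":
            return synth(t[1]) and synth(t[2])
        if t[0] == "enc":
            return K(t[2]) in facts and synth(t[1])
        return False

    return synth(target)


def patt(expression):
    """Abadi-Rogaway pattern, box version: encryptions under a recoverable key
    are opened, every other encryption is replaced by BOX."""
    recoverable = {t[1] for t in analyze(expression) if t[0] == "key"}

    def p(t):
        if t[0] == "pair":
            return ("pair", p(t[1]), p(t[2]))
        if t[0] == "enc":
            return ("enc", p(t[1]), t[2]) if t[2] in recoverable else BOX
        return t

    return [p(t) for t in expression]


def occurs(atom, t):
    if t == atom:
        return True
    if t[0] == "pair":
        return occurs(atom, t[1]) or occurs(atom, t[2])
    if t[0] == "enc":
        return occurs(atom, t[1]) or atom == K(t[2])
    return False


def hidden(atom, expression):
    """Symbolic secrecy as defined on the slides: the atom does not occur in patt(E)."""
    return not any(occurs(atom, t) for t in patt(expression))


def keys_in(t):
    if t[0] == "key":
        return {t[1]}
    if t[0] == "pair":
        return keys_in(t[1]) | keys_in(t[2])
    if t[0] == "enc":
        return keys_in(t[1]) | {t[2]}
    return set()


def is_acyclic(expression):
    """Hypothesis of the soundness theorem: the relation 'K encrypts K2'
    (K2 occurs somewhere under {...}K) contains no cycle."""
    edges = {}

    def collect(t):
        if t[0] == "enc":
            edges.setdefault(t[2], set()).update(keys_in(t[1]))
            collect(t[1])
        elif t[0] == "pair":
            collect(t[1]); collect(t[2])

    for t in expression:
        collect(t)
    state = {}  # 1 = on the current DFS path, 2 = finished

    def dfs(k):
        state[k] = 1
        for k2 in edges.get(k, ()):
            if state.get(k2) == 1 or (k2 not in state and not dfs(k2)):
                return False
        state[k] = 2
        return True

    return all(dfs(k) for k in list(edges) if k not in state)


def toy_runs():
    """The three transcripts from the 'Passive adversaries' and 'Questions' slides."""
    open1 = [ID("A"), N("N1"), enc(pair(N("N1"), N("N2"), K("Ks")), "K")]
    close1 = [enc(pair(ID("B"), N("N2")), "Ks"), enc(D("D1"), "Ks")]
    session2 = [ID("A"), N("N3"), enc(pair(N("N3"), N("N4"), K("Ks'")), "K"),
                enc(pair(ID("B"), N("N4")), "Ks'"), enc(D("D2"), "Ks'")]
    return {"one session": open1 + close1,
            "two sessions": open1 + session2 + close1,
            "two sessions, Ks corrupted": open1 + [K("Ks")] + session2 + close1}


if __name__ == "__main__":
    for name, run in toy_runs().items():
        print(name, "D1 hidden:", hidden(D("D1"), run), "D2 hidden:", hidden(D("D2"), run))
```

The deducibility check answers the slides' questions: D1 and D2 are hidden in the first two transcripts, since K is never recoverable, while revealing Ks exposes D1 but not D2. The acyclicity check is the test a practitioner should run before invoking the theorem at all: a transcript containing {K}K or {K1}K2, {K2}K1 is outside its hypotheses, however innocent its pattern looks.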

Some difficulties. The usefulness of a soundness theorem increases with its generality. Is D1 secret in
  g^x, N1, g^y, {N1, Ks}g^{xy}, {D1}Ks
  g^x, N1, g^y, {N1, Ks}g^{x+y}, {D1}Ks
  g^x, g^y, g^z, g^{xy}, {Ks}g^{xyz}, {D1}Ks ?
One must also deal with protocols where g^{x1x2 + x2x3 + ... + xnx1} occurs. And what about
  g^x, g^y, {N1, Ks}g^{xy}, {D1}Ks, H(N1, D1)
  g^x, g^y, N1, {Ks}g^{xy}, {D1}Ks, H(N1, D1) ?

Some difficulties. Intuition à la Dolev-Yao may not always be right! With the box notion of patterns,
  patt({D}K1, {D, D}K2) = ▓, ▓ = patt({D}K1, {D}K1)
yet there exist IND-CPA secure encryption schemes for which encryption with the same key can be observed: IND-CPA says nothing about whether two ciphertexts under different keys look alike (nor, for that matter, about hiding the plaintext length). Two ways out: strengthen the notion of security for encryption in the computational world, or refine the notion of patterns in the symbolic world.

Acyclicity. Intuition à la Dolev-Yao may be wrong! Is D secret in {K}K, {D}K? There exist IND-CPA secure encryption schemes which are completely insecure when used like this: the IND-CPA game never encrypts the key under itself, so it offers no guarantee for that case. Is D secret in {K1}K2, {K2}K1, {D}K? Solutions: declare such uses insecure (this is the acyclicity hypothesis of the theorem), or define and construct key-dependent-message (KDM) secure encryption.

Computational soundness relates symbolic and computational models so that security results transfer. Why should we care? For symbolic formalisms: it gives insight into the models and justifies the use of symbolic models in a very strong sense. For cryptography: symbolic models are simpler and easier to understand, and for large protocols with complex interactions life is simpler.