Soundness of Formal Encryption in the Presence of Key Cycles Gergei Bana University of Pennsylvania P. Adão, J. Herzog, A Scedrov

Structure of the Talk The Abadi-Rogaway logic and its computational interpretations The problem of key-cycles Standard notions of security and KDM security KDM security as a solution to key-cycles

Introduction Cryptographic protocols: two models Formal or Dolev-Yao model Computational model from complexity theory Much recent work relates the two Build formal-to-computational protocol interpretation Map formal security goals to computational goals Prove soundness or completeness

Logic of Formal Encryption We define a very simple algebra of terms that is a modified version of [AbadiRogaway00]; Expressions represent the messages exchanged during the protocol They might also include some prior knowledge available to the adversary, eg., public keys. Patterns represent how an adversary can look at an expression: If an adversary does not know a certain private key he does not see a message in the same way as an adversary that posesses that key.

Logic of Formal Encryption Expressions are built from simple sets Keys = {K1, K2, K3,...}, Keys-1= {K1 -1, K2 -1, K3 -1,...} and Blocks={0,1}* via paring and encryption; Exp ::= Keys | Keys-1 | Blocks | (Exp,Exp) | {Exp}Keys Formal length. Let  be a function symbol such that: For all blocks B1 and B2, l(B1) = l(B2) iff |B1| = |B2|; For all i and j, l(Ki) = l(Kj) and l(Ki-1) = l(Kj-1); If l(M1) = l(N1), l(M2) = l(N2) then l((M1,M2)) = l((N1,N2)), If l(M) = l(N), then for all Ki, l({M}Ki) = l({N}Ki). ( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )

Logic of Formal Encryption Patterns are built from expressions replacing undecryptable terms {M}K by K,l(M) Pat ::= Keys | Keys-1 | Blocks | (Pat,Pat) | {Pat}Keys | Keys,(Keys) ( (K2-1, {01}K3 ) , ( {({101}K2,K5-1)}K2, { {K6}K4 }K5) ) ( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6) }K5) ) Two expressions M and N are defined to be formally equivalent if pattern(M)=pattern(N)s for some key-renaming function s. We denote this by M@N.

Computational Model In the computational world messages are represented by bit-strings, strings= {0,1}*, and families of probability distributions over strings; Fix an injective pairing function (length of output depends only on lengths of inputs); Encryption schemes are probabilistic (polynomial-time) algorithms, and encryptions are obtained by running the encryption alghorithm.

Computational View Basic components of symmetric encriptions: Key generation algorithm: K(1), randomly generates a pair of strings (e, d) ( is security parameter) Encryption algorithm: E(e,x), encrypts the plaintext x with the key e, coin-tossing allowed (length of output depends only on the lengths of inputs). Decryption algorithm: D, D(d, E(e,x) )=x

Relating the Two Models Formal expressions are mapped to (interpreted in) the computational model as follows: For each (K,K-1) generate a pair of keys using the key generation algorithm; Each B block is mapped to B; Each pair (M,N) is interpreted as the pair of the interpretations; Each encryption is interpreted by running the encryption algorithm. Example: {({101}K2,K5-1)}K2 translates to the random variable ( E ( e2 ( E ( ( e2, 101 ) , d5 ) The keys e2, d5 are randomly generated, and the two encrypting functions have independent randomness as well.

Interpretation and Soundness Property To each expression M we have assigned an array of probability distributions denoted by [[N]]. Definition (Soundness) We say that the interpretation is sound, if for any two expressions, M@N implies that the interpretations [[M]] and [[N]] are computationally indistinguishable.

Known Results Theorem: If the expressions are interpreted in a CPA secure encryption scheme, then for M and N acyclic expressions, M@N implies that [[M]] and [[N]] are indistinguishable. Problem: This result does not apply to self-encrypting keys, and cycles in more general; What do we propose: Possible to solve this problem via a strong enough notion of security that has been around (KDM security); [Laud02] proposed a solution for the problem of key-cycles by strengthening the formal adversary.

Known Results AbadiRogaway00, AbadiJurgens01: soundness for indistinguishability properties MicciancioWarinschi02, HorvitzGligor03: completeness for indisitinguishability properties Bana04, AdãoBanaScedrov05: more general soundness, completeness properties Herzog04: soundness for non-malleability properties BackesPfitzmannWaidner03: soundness for general trace-based properties HerzogCanneti04, MicciancioWarinschi04: soundness, completeness for Message Authentication, Key-Exchange Laud02: soundness via strengthening the “formal adversary"

Proof Method 1 Semantic Security (IND-CPA) [GoldwasserMicali84] An Adversary A is given a public key e; A sends to an oracle two messages m1 and m2 of the same length The oracle choses randomly b  {0,1} and sends to A the value E(e,mb); A has to guess which of the plaintexts was encrypted. Interpretation of a box: The ’th ( is security parameter) distribution of the interpretation of K,(M) is the ’th distribution of the interpretation of {0|[[M]]_|}K

Proof Method 2 [[( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]]  K3,(01) [[( (K2-1, K3,(01) ) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]]  K4,(K6) [[( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6) }K5) )]]  [[( (K1-1, K6,(K7^-1)) , ( {({101}K2,K5-1)}K2, { K7,,(1)}K5) ) ]]  K7,(1) [[ ( (K1-1, K6,(K7^-1)) , ( {({101}K1,K5-1)}K1, {{1}K7}K5) ) ]]  K6,(K7^-1) [[ ( (K1-1, {K7-1}K6) , ( {({101}K1,K5-1)}K1, {1}K7}K5 ) )]]    

The problem of key-cycles K1 encrypts K2-1 K2 encrypts K3 -1 ...... Kn encrypts K1 -1 Can actually occur in Dolev-Yao model Possible to interpret formal messages with key cycles But soundness results do not hold [[{K1-1}K1]] does not have to be equivalent to [[{K2-1}K3]] Even if the above two are equivalent, [[ ( {K1-1}K2, {K2-1}K1 ) ]] does not have to be equivalent to [[ ( {K1-1}K2, {K3-1}K1 ) ]],

Traditional Notions of Security Semantic Security (IND-CPA) Chosen Ciphertext Security - Lunchtime Security (IND-CCA1) [NaorYung90] An Adversary A is given a public key e; A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts; A sends to the oracle two messages m1 and m2 of the same length The oracle choses randomly b  {0,1} and sends to A the value E(e,mb); A has to guess which of the plaintexts was encrypted.

Traditional Notions of Security Adaptive Chosen Ciphertext Security (IND-CCA2) [RackoffSimon91] An Adversary A is given a public key e; The oracle choses randomly b  {0,1}. A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts; A can send to the oracle any pair of messages m1 and m2 of the same length and receive the value E(e,mb); A can send to the oracle polynomially many ciphertexts (but different from E(e,mb)) and obtain the associated plaintexts; A has to guess which of the plaintexts was encrypted.

Traditional Notions of Security Formally, we have where D1=D2=Id in the case of CPA; D1(x)=D(d,x) and D2=Id in the case of CCA1; D1(x)=D(d,x) and D2(x)=D(d,x), as long as x¹E(e,mb), in the case of CCA2.

CCA-2 is not Enough We showed that the traditional security definitions are not enough. Theorem: CCA-2 security does not enforce soundness. Corollary: Soundness is not implied by any of the following: NM-CCA-1, IND-CCA-1, NM-CPA, or IND-CPA Theorem: Soundness does not enforce IND-CPA.

KDM-Security The notion of key-dependent message security was introduced by Black et al. [BlackRogawayShrimpton02] and in a different form by [CamenischLysyanskaya01]. In [CL01] the authors developed the notion of key-dependent encryption scheme and use it in a credential revocation scheme. This scheme is realised in the RO-model. KDM security is defined through the following game:

KDM Security Key Dependent Message Security [BRS02] An Adversary A is given a vector of public keys e. The corresponding vector of private keys d is kept private; A creates a (plaintext construction) function f (that might depend on e) and asks the oracle to encrypt f(d) with ei; The oracle encrypts either f(d) with ei (oracle Reald), or 0|f(d)| with ei (oracle Faked); A has to guess which happened.

KDM Security An encryption scheme is KDM-secure if: Theorem: KDM-security does not imply NM-CPA security, and neither IND-CCA-1, or IND-CCA-2 security. It does imply IND-CPA.

Soundness for Key-Cycles Theorem: If the expressions are interpreted in a KDM-secure system, then M, N expressions M@N implies that [[M]] and [[N]] are indistinguishable. Corollary: CCA-2 security does not imply KDM-security.

Proof Method [[( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]]  [[( (K1-1, K6,(K7^-1)) , ( {({101}K2,K5-1)}K2, { K7,,(1)}K5) ) ]]  K6,(K1) K7,(1) [[ ( (K1-1, {K7-1}K6) , ( {({101}K1,K5-1)}K1, {1}K7}K5 ) )]]  

Conclusions Inspite of the differences, and origins, of the two models, several properties can be carried over from one to the other; KDM-security is orthogonal to the previous security notions; We have soundness even in the presence of key-cycles.

Relations among Different Notions Plaintext-Awareness RCCA-2 NM-CCA-2 , IND-CCA-2 Soundness NM-CCA-1 IND-CCA-1 NM-CPA IND-CPA KDM