Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis
J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, P. Mateus, P. Lincoln, M. Mitchell

Presentation transcript:

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis
J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, P. Mateus, P. Lincoln, M. Mitchell

Computer Security
Goal: protection of computer systems and digital information
- Access control
- OS security
- Network security
- Cryptography
- …

Outline
- Security protocols
- Research goals
- Specific process calculus
  - Probabilistic semantics
  - Complexity: probabilistic poly time
  - Asymptotic equivalence
  - Computational indistinguishability
  - Equational properties and challenges

Protocol Security
- Cryptographic protocol
  - Program distributed over a network
  - Uses cryptography to achieve a goal
- Attacker
  - Intercepts, replaces, remembers messages
  - Guesses random numbers, does some computation
- Correctness
  - Attacker cannot learn a protected secret or cause an incorrect conclusion

Example: Challenge-Response
- Alice wants to know Bob is listening
  - Send a "fresh" number n, Bob returns f(n)
  - Use encryption to avoid forgery
- Protocol
  - Alice → Bob: { nonce }_K
  - Bob → Alice: { nonce * 5 }_K
- Can Alice be sure that
  - the message is from Bob?
  - the message is a fresh response to Alice's challenge?

Standard analysis methods (from easier to harder)
- Finite-state analysis
- Dolev-Yao model
  - Symbolic search of protocol runs
  - Proofs of correctness in formal logic
- Consider probability and complexity
  - More realistic intruder model
  - Interaction between protocol and cryptography

Basic Idea
- Express security properties in terms of comparison to an ideal protocol
- A protocol is secure if no adversary can distinguish it from some idealized version of the protocol
  - Beaver '91, Goldwasser-Levin '90, Micali-Rogaway '91
- Security properties should be compositional

Language Approach
- Write the protocol in a process calculus
  - Dolev-Yao model
- Express security using observational equivalence
  - Standard relation from programming language theory: P ≅ Q iff for all contexts C[ ], the same observations hold about C[P] and C[Q]
  - Inherently compositional
  - The context (environment) represents the adversary
- Use proof rules for ≅ to prove security
  - A protocol is secure if no adversary can distinguish it from some idealized version of the protocol
  - Great general idea; application is complicated
  - Roscoe '95, Schneider '96, Abadi-Gordon '97

Probabilistic Poly-time Analysis
- Add probability, complexity
- Probabilistic polynomial-time process calculus
  - Protocols use probabilistic primitives: key generation, nonces, probabilistic encryption, ...
  - The adversary may be probabilistic
- Express protocol and specification in the calculus
- Security using observational equivalence
  - Use a probabilistic form of process equivalence

Probabilistic Poly-time Process Calculus
- Probabilistic polynomial-time execution model
- Specify security via equivalence to an "ideal" protocol
- Also state cryptographic assumptions via equivalences
- Leads to a new proof system
  - Equational reasoning
  - Based on probabilistic bisimulation, asymptotic equivalence
- Applications
  - Characterize computational indistinguishability
  - Proof of semantic security from a computational assumption (both stated as equations)
[Lincoln, Mitchell, Scedrov, Ramanathan, Teague]

Secrecy for Challenge-Response
- Protocol P
  - A → B: { i }_K
  - B → A: { f(i) }_K
- "Obviously" secret protocol Q
  - A → B: { random_number }_K
  - B → A: { random_number }_K
- Analysis: P ≅ Q reduces to a crypto condition related to non-malleability [Dolev, Dwork, Naor]
  - Fails for "plain old" RSA if f(i) = 2i
- Non-malleability: given only a ciphertext, it is difficult to generate a different ciphertext so that the respective plaintexts are related
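The slide's remark that P ≅ Q fails for "plain old" RSA with f(i) = 2i can be checked concretely. The following is an added example, not code from the talk or its authors: it runs protocols P and Q with textbook (unpadded) RSA on a constructed toy key, and plays the role of a context C[ ] that watches the two ciphertexts and asks whether the second encrypts twice the first. Because textbook RSA is multiplicatively homomorphic, the context can decide this with the public key alone, so it answers "yes" for P and (almost) never for Q, which is exactly the distinguishing gap that the non-malleability condition rules out. The primes, exponent and trial counts are assumptions of this example.

```python
import random

# Constructed toy RSA key (tiny primes, illustration only; assumption of this example).
P_PRIME, Q_PRIME = 1009, 1013
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E = 17
D = pow(E, -1, PHI)          # private exponent (modular inverse, Python 3.8+)


def rsa_enc(m: int) -> int:
    """Textbook ("plain old") RSA: deterministic, no padding."""
    return pow(m, E, N)


def rsa_dec(c: int) -> int:
    return pow(c, D, N)


def f(i: int) -> int:
    """Bob's response function from the slide: f(i) = 2i."""
    return 2 * i


def run_protocol_P(i: int):
    """P:  A -> B: {i}_K ;  B -> A: {f(i)}_K."""
    c1 = rsa_enc(i)
    c2 = rsa_enc(f(rsa_dec(c1)) % N)
    return c1, c2


def run_protocol_Q(rng: random.Random):
    """Q: both messages are encryptions of fresh random numbers."""
    c1 = rsa_enc(rng.randrange(1, N))
    c2 = rsa_enc(rng.randrange(1, N))
    return c1, c2


def related_ciphertexts(c1: int, c2: int) -> bool:
    """The context's test: does c2 encrypt twice what c1 encrypts?
    Textbook RSA satisfies Enc(2i) = Enc(2) * Enc(i) mod N, so the
    question is decided without the private key."""
    return c2 == (rsa_enc(2) * c1) % N


def distinguishing_advantage(trials: int, seed: int = 1) -> float:
    """Estimate | Prob[C[P] -> yes] - Prob[C[Q] -> yes] | by sampling."""
    rng = random.Random(seed)
    yes_p = sum(related_ciphertexts(*run_protocol_P(rng.randrange(1, N)))
                for _ in range(trials))
    yes_q = sum(related_ciphertexts(*run_protocol_Q(rng)) for _ in range(trials))
    return abs(yes_p - yes_q) / trials


if __name__ == "__main__":
    print("advantage of the context against textbook RSA:",
          distinguishing_advantage(200))
```

The context never decrypts anything; it only multiplies ciphertexts. A randomized, non-malleable encryption scheme would leave it with no better than a negligible advantage, which is what makes P ≅ Q provable in the calculus under that assumption.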

Specification with Authentication
- Protocol P
  - A → B: { random i }_K (public channel)
  - B → A: { f(i) }_K (public channel)
  - A → B: "OK" if f(i) received
- "Obviously" authenticating protocol Q
  - A → B: { random i }_K (public channel)
  - B → A: { random j }_K (public channel)
  - i, j (private channel)
  - A → B: "OK" if the private i, j match the public messages

Nondeterminism vs encryption
- Alice encrypts msg and sends it to Bob
  - A → B: { msg }_K
- Adversary uses nondeterminism
  - Process E0: c⟨0⟩ | c⟨0⟩ | … | c⟨0⟩
  - Process E1: c⟨1⟩ | c⟨1⟩ | … | c⟨1⟩
  - Process E: c(b1).c(b2)...c(bn).decrypt(b1 b2...bn, msg)
- In reality, at most a 2^-n chance to guess an n-bit key

Methodology
- Define a general system
  - Process calculus
  - Probabilistic semantics
  - Asymptotic observational equivalence
- Apply to protocols
  - Protocols have a specific form
  - The "attacker" is a context of a specific form
- This talk: the general calculus and its properties

Neighbors
- Canetti; B. Pfitzmann, Waidner, Backes
  - Interactive Turing machines
  - General framework for crypto properties
  - Protocol simulates an ideal setting
  - Universally composable security
- Abadi, Rogaway, Jürjens; Herzog; Warinschi
  - Toward transfer principles between the formal Dolev-Yao model and the computational model

Technical Challenges
- Language for prob. poly-time functions
  - Extend work of Cobham, Bellantoni, Cook, Hofmann
- Replace nondeterminism with probability
  - Otherwise the adversary is too strong...
- Define probabilistic equivalence
  - Related to poly-time statistical tests...
- Proof rules for probabilistic equivalence
  - Use the proof system to derive protocol properties

Syntax: bounded CCS with integer terms
  P ::= 0
      | c_q(|n|)⟨T⟩        send up to q(|n|) bits
      | c_q(|n|)(x). P     receive
      | νc_q(|n|). P       private channel
      | [T=T] P            test
      | P | P              parallel composition
      | !_q(|n|). P        bounded replication
- Terms may contain the symbol n; channel width and replication are bounded by a polynomial in |n|
- Expressions have size polynomial in |n|

Probabilistic Semantics
- Basic idea: alternate between terms and processes
  - Probabilistic evaluation of terms (incl. rand)
  - Probabilistic scheduling of parallel processes
- Two evaluation phases
  - Outer term evaluation: evaluate all exposed terms, evaluate tests
  - Communication: match send and receive; probabilistic if there are multiple send-receive pairs

Scheduling
- Outer term evaluation
  - Evaluate all exposed terms in parallel
  - Multiply probabilities
- Communication
  - E(P) = set of eligible subprocesses
  - S(P) = set of schedulable pairs
  - Prioritize: private communication first
  - Probabilistic poly-time computable scheduler that makes progress

Example
- Process: c⟨rand+1⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y).e⟨x+1⟩
- Outer evaluation (each outcome with probability ½):
  - c⟨1⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y).e⟨x+1⟩
  - c⟨2⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y).e⟨x+1⟩
- Communication: from c⟨1⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y).e⟨x+1⟩, choose a send-receive pair according to the probabilistic scheduler
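To make the two-phase semantics of the preceding slides concrete, here is an added example (my own toy evaluator, not the authors' implementation) that evaluates the slide's process and returns the full probability distribution over final observations. It alternates outer term evaluation (all exposed terms evaluated in parallel, probabilities multiplied) with communication steps in which one schedulable send-receive pair is chosen. Assumptions of this example: a uniform probabilistic scheduler, public channels only, no bandwidth bounds or replication, and the last output of the slide's process is read as e⟨y+1⟩, i.e. the value just received on d.

```python
from collections import defaultdict
from fractions import Fraction


class Send:
    """c<T>: an output.  `term` is a thunk returning [(value, probability), ...];
    `value` is filled in once the outer evaluation phase has evaluated the term."""
    def __init__(self, chan, term=None, value=None):
        self.chan, self.term, self.value = chan, term, value


class Recv:
    """c(x).P: an input.  `cont` maps the received value to the list of
    parallel processes making up the continuation P[value/x]."""
    def __init__(self, chan, cont):
        self.chan, self.cont = chan, cont


def const(v):
    return lambda: [(v, Fraction(1))]


def rand_plus(k):
    """rand + k, with rand a uniform bit: the slide's two outcomes, each 1/2."""
    return lambda: [(r + k, Fraction(1, 2)) for r in (0, 1)]


def outer_eval(procs):
    """Phase 1: evaluate every exposed term in parallel, multiplying probabilities.
    Returns a list of (process list, probability) pairs."""
    states = [([], Fraction(1))]
    for p in procs:
        if isinstance(p, Send) and p.value is None:
            states = [(done + [Send(p.chan, value=v)], pr * q)
                      for done, pr in states for v, q in p.term()]
        else:
            states = [(done + [p], pr) for done, pr in states]
    return states


def schedulable_pairs(procs):
    """S(P): every (send, receive) pair on the same channel."""
    return [(i, j) for i, s in enumerate(procs) if isinstance(s, Send)
            for j, r in enumerate(procs) if isinstance(r, Recv) and r.chan == s.chan]


def observation(procs):
    """Observable when nothing can communicate any more: the pending outputs."""
    return tuple(sorted((p.chan, p.value) for p in procs if isinstance(p, Send)))


def evaluate(procs, prob=Fraction(1), dist=None):
    """Phase 2 interleaved with phase 1: pick a schedulable pair uniformly
    (assumed scheduler), perform the communication, recurse.
    Returns {observation: probability}."""
    if dist is None:
        dist = defaultdict(Fraction)
    for state, p1 in outer_eval(procs):
        pairs = schedulable_pairs(state)
        if not pairs:
            dist[observation(state)] += prob * p1
            continue
        for i, j in pairs:
            snd, rcv = state[i], state[j]
            rest = [p for k, p in enumerate(state) if k not in (i, j)]
            evaluate(rest + rcv.cont(snd.value), prob * p1 / len(pairs), dist)
    return dist


def slide_example():
    """c<rand+1> | c(x).d<x+1> | d<2> | d(y).e<y+1>"""
    procs = [Send('c', rand_plus(1)),
             Recv('c', lambda x: [Send('d', const(x + 1))]),
             Send('d', const(2)),
             Recv('d', lambda y: [Send('e', const(y + 1))])]
    return dict(evaluate(procs))


if __name__ == "__main__":
    for obs, pr in sorted(slide_example().items()):
        print(obs, pr)
```

Running it shows why scheduling matters: with probability ½ the first communication is on d rather than c, and when c goes first the receiver on d can be paired with either d⟨2⟩ or the freshly produced d⟨x+1⟩, so the observable output on e depends on both the coin in rand and the scheduler's choices.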

Complexity results
- Polynomial time: for each closed process expression P, there is a polynomial q(x) such that, for all n and for all probabilistic polynomial-time schedulers, evaluation of P halts in time q(|n|)

Complexity: Intuition
- Bound on the number of communications
  - Count the total number of inputs, multiplying by q(|n|) to account for !_q(|n|). P
- Bound on term evaluation
  - Closed T is evaluated in time q_T(|n|)
- Bound on the time for each communication step
  - Example: c⟨m⟩ | c(x).P → [m/x]P
  - Substitution is bounded by the original length of P
    - The size of the number m is bounded
    - Previous steps preserve the number of occurrences of x in P

How to define process equivalence?
- Intuition: | Prob{ C[P] → "yes" } − Prob{ C[Q] → "yes" } | < ε
- Difficulty: how do we choose ε?
  - Less than 1/2, 1/4, … ? (not an equivalence relation)
  - Vanishingly small? As a function of what?
- Solution: use a security parameter
  - A protocol is a family { P_n }_{n>0} indexed by key length
  - Asymptotic form of process equivalence

Probabilistic Observational Equivalence
- Asymptotic equivalence within f
  - Process and context families { P_n }_{n>0}, { Q_n }_{n>0}, { C_n }_{n>0}
  - P ≅_f Q if ∀ contexts C[ ]. ∀ observations v. ∃ n_0. ∀ n > n_0. | Prob[C_n[P_n] → v] − Prob[C_n[Q_n] → v] | < f(n)
- Asymptotically polynomially indistinguishable
  - P ≅ Q if P ≅_f Q for every polynomial f(n) = 1/p(n)
  - The final definition gives a robust equivalence relation

Computational indistinguishability
- T(i,n), T'(i,n) terms in the calculus
  - T, T' represent uniform prob. poly-time function ensembles f_i, g_i : { } → {0,1}^q(|n|)
- c_q(|n|)⟨T⟩ ≅ c_q(|n|)⟨T'⟩ says exactly that the function ensembles f_i, g_i are indistinguishable by prob. poly-time statistical tests
- Yao '82: a fundamental notion in crypto

Emulation
- Canetti; also B. Pfitzmann et al.
- I: generic or ideal representation of a cryptographic task
- Protocol Q securely realizes I if for any adversary A[] ∈ 𝒜 there exists a simulator B[] ∈ ℬ s.t. A[Q] ≅ B[I]
  - Enough to consider a single simulator for certain generic adversaries
  - … reducible to …

Compositionality
- Intuitively, if Q securely realizes I, R securely realizes J, and R, J use I as a component, then R{Q/I} securely realizes J
- Fits well with process calculus because ≅ is a congruence: Q ≅ I ⇒ C[Q] ≅ C[I], with contexts constructed from R, J and the simulators

One way to get equivalences
- Labeled transition system
  - Allow the process to send any output, read any input
  - Label with numbers "resembling probabilities"
- Bisimulation relation
  - Relation ~ on processes
  - If P ~ Q and P →_r P', then there exists Q' with Q →_r Q' and P' ~ Q', and vice versa
- Stronger form of probabilistic equivalence
  - van Glabbeek, Smolka, Steffen

Provable equivalences
Assume the scheduler is stable under bisimulation
- P ~ Q ⇒ C[P] ~ C[Q]
- P ~ Q ⇒ P ≅ Q
- P | (Q | R) ≅ (P | Q) | R
- P | Q ≅ Q | P
- P | 0 ≅ P

Provable equivalences
- P ≅ νc. ( c⟨a⟩ | c(x).P )   if x ∉ FV(P)
- P{a/x} ≅ νc. ( c⟨a⟩ | c(x).P )   if the bandwidth of c is large enough
- P ≅ 0   if there are no public channels in P
- P ≅ Q ⇒ P{d/c} ≅ Q{d/c}   for c, d of the same bandwidth, d fresh
- c⟨T⟩ ≅ c⟨T'⟩   if Prob[T → a] = Prob[T' → a] for all a

Connections with modern crypto
- A cryptosystem consists of three parts: key generation; encryption (often probabilistic); decryption
- Many forms of security: semantic security, non-malleability, chosen-ciphertext security, …
  - Formal derivation of semantic security of ElGamal from DDH, and vice versa
- Common conditions use probabilistic games

Decision Diffie-Hellman (DDH)
- Standard crypto benchmark
- n: security parameter (e.g., key length); G_n: cyclic group of prime order p, with the length of p roughly n; g: generator of G_n
- For random a, b, c ∈ {0,..., p-1}: ⟨g^a, g^b, g^ab⟩ ≅ ⟨g^a, g^b, g^c⟩

ElGamal cryptosystem
- n: security parameter (e.g., key length); G_n: cyclic group of prime order p, with the length of p roughly n; g: generator of G_n
- Keys: public ⟨g, y⟩, private ⟨g, x⟩ s.t. y = g^x
- Encryption of m ∈ G_n: for random k ∈ {0,..., p-1}, output ⟨g^k, m y^k⟩
- Decryption of ⟨v, w⟩ is w (v^x)^-1
  - For v = g^k, w = m y^k we get w (v^x)^-1 = m y^k / g^kx = m g^xk / g^kx = m

Semantic security
- Known equivalent: indistinguishability of encryptions
  - The adversary can't tell from the traffic which of the two chosen messages has been encrypted
  - ElGamal: ⟨1^n, g^k, m y^k⟩ ≅ ⟨1^n, g^k', m' y^k'⟩
- In the case of ElGamal, known to be equivalent to DDH
- Formally derivable using the proof rules
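The following added example (mine, not the authors' code) implements ElGamal with the slides' symbols over a constructed prime-order group, checks the decryption identity w (v^x)^-1 = m, and spells out the reduction that connects the two equivalences on the DDH and semantic-security slides: a DDH triple ⟨g^a, g^b, g^c⟩ is embedded into an indistinguishability-of-encryptions challenge by taking y = g^a as the public key and ⟨g^b, m_bit · g^c⟩ as the ciphertext. When c = ab this is a genuine encryption of m_bit under k = b; when c is random the ciphertext is independent of m_bit, so any advantage an adversary has against ElGamal becomes an advantage against DDH. The group (order-509 subgroup of Z_1019^*, generator 4), the adversary interface and the sampling counts are assumptions of this example.

```python
import random

# Constructed parameters (assumption of this example): the subgroup of prime
# order p = 509 inside Z_1019^* (1019 = 2*509 + 1), generated by g = 4.
# Far too small to be secure; chosen so the arithmetic is easy to check.
MOD = 1019        # ambient prime field
P_ORDER = 509     # prime order p of the group G_n
G = 4             # generator g of G_n


def keygen(rng):
    """Public <g, y>, private <g, x> with y = g^x."""
    x = rng.randrange(P_ORDER)
    return (G, pow(G, x, MOD)), (G, x)


def encrypt(pub, m, rng):
    """Encryption of m in G_n: random k, output <g^k, m y^k>."""
    g, y = pub
    k = rng.randrange(P_ORDER)
    return pow(g, k, MOD), (m * pow(y, k, MOD)) % MOD


def decrypt(priv, ct):
    """Decryption of <v, w> is w (v^x)^-1."""
    _, x = priv
    v, w = ct
    return (w * pow(pow(v, x, MOD), -1, MOD)) % MOD


def encode(t):
    """Map 0 <= t < 509 into G_n as g^t, so every message is a group element."""
    return pow(G, t, MOD)


def ddh_tuple(real, rng):
    """<g^a, g^b, g^ab> if real, else <g^a, g^b, g^c> with independent random c.
    The exponent a is returned alongside only so tests can check the embedding."""
    a, b = rng.randrange(P_ORDER), rng.randrange(P_ORDER)
    c = (a * b) % P_ORDER if real else rng.randrange(P_ORDER)
    return (pow(G, a, MOD), pow(G, b, MOD), pow(G, c, MOD)), a


def ddh_distinguisher(ind_adversary, triple, rng):
    """Reduction: embed the DDH triple into an indistinguishability challenge.
    Public key y = g^a, challenge ciphertext <g^b, m_bit * g^c>.
    Output 1 ('real') iff the adversary guesses the bit correctly."""
    ga, gb, gc = triple
    pub = (G, ga)
    m0, m1 = ind_adversary.choose(pub)
    bit = rng.randrange(2)
    w = ((m1 if bit else m0) * gc) % MOD
    return 1 if ind_adversary.guess(pub, (gb, w)) == bit else 0


class BlindAdversary:
    """Adversary with no advantage: fixed message pair, coin-flip guess."""
    def __init__(self, rng):
        self.rng = rng

    def choose(self, pub):
        return encode(7), encode(11)

    def guess(self, pub, ct):
        return self.rng.randrange(2)


def reduction_advantage(adversary, trials, rng):
    """Prob[distinguisher outputs 1 | real] - Prob[... | random], estimated."""
    real = sum(ddh_distinguisher(adversary, ddh_tuple(True, rng)[0], rng)
               for _ in range(trials))
    rand = sum(ddh_distinguisher(adversary, ddh_tuple(False, rng)[0], rng)
               for _ in range(trials))
    return (real - rand) / trials


if __name__ == "__main__":
    rng = random.Random(1)
    pub, priv = keygen(rng)
    m = encode(42)
    print("round trip ok:", decrypt(priv, encrypt(pub, m, rng)) == m)
    print("DDH advantage via blind adversary:",
          reduction_advantage(BlindAdversary(rng), 400, rng))
```

Plugging a stronger adversary into ddh_distinguisher is how the "ElGamal semantic security ⇒ DDH" direction is argued; the converse direction (DDH ⇒ semantic security) is the contrapositive of the same embedding, which is what the proof rules formalize as a derivation between the two equivalences.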

Current State of Project
- Compositional framework for protocol analysis
  - Determine crypto requirements of protocols
  - Precise definition of crypto primitives
- Probabilistic ptime language
- Process framework
  - Replace nondeterminism with rand
  - Equivalence based on ptime statistical tests
- Methods for establishing equivalence
  - Probabilistic simulation technique
- Emulation and compositionality
- Examples: Decision Diffie-Hellman, ElGamal, Bellare-Rogaway, Oblivious Transfer, Computational Zero Knowledge, …

Conclusion
- Computer security
  - An exacting subject amenable to analysis
  - Analysis is useful since correctness is critical
- Protocols
  - Short but complex
- Probabilistic poly-time process calculus
  - Challenging semantics, proof theory
  - Appropriate for game equivalence

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Mateus P. Lincoln, M. Mitchell

IKE subprotocol from IPSEC
- A → B: m1 = A, (g^a mod p)
- B → A: m2 = B, (g^b mod p), sign_B(m1, m2)
- A → B: sign_A(m1, m2)
- Result: A and B share the secret g^ab mod p
- Analysis involves probability, modular exponentiation, digital signatures, communication networks, …

Example: Oblivious Transfer
- Standard in crypto
- Parties are adversarial
- Sender with k input bits x_1, …, x_k
- Receiver with input i, 1 ≤ i ≤ k
- Receiver should learn x_i and nothing else
- Sender should learn nothing

Ideally …
- Use a Trusted Third Party, TTP
- Sender and Receiver each privately send their inputs to the TTP
- TTP sends x_i privately to the Receiver

Actually … (Rabin 1981; Even-Goldreich-Lempel 1985)
- Assumptions:
  - Sender uses a trapdoor generator G to get (addresses of) a trapdoor one-way permutation f on {0,1}^m and its inverse f^-1, and a hard-core predicate B on {0,1}^m, such that B(w) is hard to predict from f(w)
  - Sender's private input: k bits x_1, …, x_k
  - Receiver's private input: i, 1 ≤ i ≤ k

Protocol (Rabin 1981; Even-Goldreich-Lempel 1985)
- Sender reveals (addresses of) f and B but keeps the inverse f^-1 private
- Receiver chooses random e_1, …, e_k ∈ {0,1}^m and sends e_1, …, e_{i-1}, f(e_i), e_{i+1}, …, e_k
- Sender reads y_1, …, y_k and sends u_1, …, u_k, where u_n = x_n ⊕ B(f^-1(y_n)) for each n, 1 ≤ n ≤ k
- Receiver reads z_1, …, z_k and computes z_i ⊕ B(e_i)
- Proof: u_i ⊕ B(e_i) = x_i ⊕ B(f^-1(f(e_i))) ⊕ B(e_i) = x_i

Oblivious Transfer Protocol (message flow)
- Send → Rec: f, B
- Rec → Send: e_1, …, e_{i-1}, f(e_i), e_{i+1}, …, e_k
- Send → Rec: ( x_n ⊕ B(f^-1(y_n)) )_{1 ≤ n ≤ k}
- Rec obtains u_i ⊕ B(e_i) = x_i ⊕ B(f^-1(f(e_i))) ⊕ B(e_i) = x_i
- Send sees only random strings
- Analysis involves probability, …, assumptions, …
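An added example (my own, not the authors' code) that runs the Even-Goldreich-Lempel protocol of the last two slides end to end with both parties' messages. The trapdoor permutation is instantiated, as an assumption of this example, by textbook RSA on Z_N with constructed toy primes (f(w) = w^e mod N, f^-1(z) = z^d mod N) and the hard-core predicate B is the least significant bit of the RSA input; parameter sizes are illustrative only. The Sender never sees e_i in the clear and never learns i, the Receiver never sees f^-1, and the final check is exactly the slide's identity u_i ⊕ B(e_i) = x_i.

```python
import random

# Constructed toy trapdoor permutation (assumption of this example).
P_PRIME, Q_PRIME = 1019, 1021
N = P_PRIME * Q_PRIME
E = 13
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))


def f(w: int) -> int:
    """Public trapdoor one-way permutation on Z_N."""
    return pow(w, E, N)


def f_inv(z: int) -> int:
    """The Sender's private inverse f^-1."""
    return pow(z, D, N)


def B(w: int) -> int:
    """Hard-core predicate: least significant bit of the RSA input."""
    return w & 1


class Sender:
    def __init__(self, bits):
        self.x = list(bits)                  # private input x_1, ..., x_k

    def publish(self):
        """Reveal (the addresses of) f and B; keep f^-1 private."""
        return f, B

    def respond(self, y):
        """u_n = x_n XOR B(f^-1(y_n)) for every n; the Sender cannot tell which
        y_n was the image f(e_i) and which were sent in the clear."""
        return [xn ^ B(f_inv(yn)) for xn, yn in zip(self.x, y)]


class Receiver:
    def __init__(self, i, k, rng):
        self.i, self.k = i, k                # wants bit i (1-indexed)
        self.e = [rng.randrange(1, N) for _ in range(k)]   # random e_1..e_k

    def request(self, f_pub):
        """Send e_1, ..., e_{i-1}, f(e_i), e_{i+1}, ..., e_k."""
        return [f_pub(en) if n == self.i - 1 else en
                for n, en in enumerate(self.e)]

    def recover(self, z, B_pub):
        """z_i XOR B(e_i) = x_i.  For n != i the Receiver only has
        z_n = x_n XOR B(f^-1(e_n)), and B(f^-1(e_n)) is the hard-core bit of a
        random element, so x_n stays hidden under the assumption on B."""
        return z[self.i - 1] ^ B_pub(self.e[self.i - 1])


def run_ot(bits, i, seed=0):
    """One run of the protocol; returns (bit the Receiver recovers, Sender's view)."""
    rng = random.Random(seed)
    sender, receiver = Sender(bits), Receiver(i, len(bits), rng)
    f_pub, B_pub = sender.publish()          # Send -> Rec: f, B
    y = receiver.request(f_pub)              # Rec  -> Send: e_1..f(e_i)..e_k
    u = sender.respond(y)                    # Send -> Rec: (x_n XOR B(f^-1(y_n)))_n
    return receiver.recover(u, B_pub), y


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    for i in range(1, len(bits) + 1):
        got, view = run_ot(bits, i, seed=i)
        print(f"i={i}: recovered {got}, expected {bits[i-1]}; sender saw {len(view)} elements")
```

Because f is a permutation, f(e_i) is distributed exactly like the other entries, which is the sense in which "Send sees only random strings" on the slide; the Sender's view y carries no information about i.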

Probabilistic functions
- A probabilistic function from X to Y is F: X × Y → [0,1] such that for any x ∈ X, Σ_{y ∈ Y} F(x,y) ≤ 1, the sum having finitely many non-zero terms
- "F(x) = y with probability p" means F(x,y) = p

Oracle polynomial time
- Oracle Turing machine M: a Turing machine with an extra oracle tape and three extra states ?, yes, no. When the machine enters state ?, control passes to state yes if the contents of the oracle tape are in the oracle set, else to state no
- M runs in oracle polynomial time: ∃ a polynomial q s.t. for any oracle and any input sequence of bit strings x_1, …, x_n, M halts in at most q(|x_1| + … + |x_n|) steps (this also bounds the length of any query and the number of queries)

Probabilistic polynomial time
- Probabilistic poly-time Turing machine: an oracle poly-time Turing machine M with the oracle chosen uniformly at random from the finite space of oracles
- A probabilistic poly-time machine M computes a probabilistic function F: for all inputs x and outputs y, F(x,y) = Prob[M(x, random oracle) = y]

Complexity results
- Polynomial time: for each process P, there is a polynomial q(x) such that, for all n, all probabilistic polynomial-time schedulers, and all minimal evaluation contexts C[ ], evaluation of C[P] halts in time q(|n| + |C[ ]|)
- Minimal evaluation context: C[ ] = c(x).d(y)…[ ] | c⟨20⟩ | d⟨7⟩ | e⟨492⟩ | …

Pseudo-random number generators
- Sequence generated from a random seed
  - P_n: let b = n^k-bit sequence generated from n random bits in PUBLIC⟨b⟩ end
- Truly random sequence
  - Q_n: let b = sequence of n^k random bits in PUBLIC⟨b⟩ end
- P is a cryptographically strong pseudo-random number generator: P ≅ Q
  - The equivalence is asymptotic in the security parameter n

Desired equivalences
- P | (Q | R) ≅ (P | Q) | R
- P | Q ≅ Q | P
- P | 0 ≅ P
- P ≅ Q ⇒ C[P] ≅ C[Q] (immediate)
- P ≅ νc. ( c⟨a⟩ | c(x).P )   if x ∉ FV(P)
Warning: hard to get all of these…

Provable equivalences
Assume the scheduler is stable under bisimulation
- P ~ Q ⇒ C[P] ~ C[Q]
- P ~ Q ⇒ P ≅ Q
- P | (Q | R) ≅ (P | Q) | R
- P | Q ≅ Q | P
- P | 0 ≅ P
Compositionality is an important issue in computer security

Aspect of compositionality
- Property of observational equivalence: if A ≅ B and C ≅ D, then A | C ≅ B | D; similarly for the other process forms

Sources of Problems
- Protocol interaction: Needham-Schroeder
- Cryptography: low-exponent RSA, single DES
- Other sources exist (timing, power, radiation, traffic, …)