Towards Automated Security Proof for Symmetric Encryption Modes
Martin Gagné
Joint work with Reihaneh Safavi-Naini, Pascal Lafourcade and Yassine Lakhnech
2nd Canada-France Workshop on Foundations & Practice of Security, June 27, 2009
Motivation
- Crypto protocols are becoming increasingly complicated
- Verification is hard, and the conditions under which it is done are not always optimal
- Sometimes mistakes get through, e.g. OAEP
Why use Automated Provers
- Automated provers provide an alternate method for verifying the correctness of crypto protocols
- Individual rules are easier to prove and verify than whole protocols
- They increase confidence in the correctness of protocols
Methodology
- We propose a grammar that can be used to generate cryptographic protocols
- Determine the properties (invariants) that are relevant for proving the security of protocols
- Determine, and prove, rules that propagate the invariants across each command of the grammar
Proving Confidentiality
- The traditional notion of security of encryption schemes is semantic security (indistinguishability of two chosen ciphertexts)
- Our prover does something stronger: it proves that the ciphertexts are indistinguishable from random bits
Block Cipher vs Mode of Operation
- Block cipher: a family of keyed functions with fixed input and output size
- Block cipher mode of operation: an algorithm to encrypt arbitrary-length messages using a block cipher
Our Grammar
c ::= x ←$ U | x := ℰ(y) | x := ℰ⁻¹(y) | x := y ⊕ z | x := y || z | x := y[n,m] | x := y + 1 | c1 ; c2
(ℰ is the block cipher, U the uniform distribution on blocks; y[n,m] selects bits n to m of y.)
Invariants
- Indis(νx; V): x is indistinguishable from random given the values in V
- E(ℰ, x): the probability that x has been queried to ℰ is negligible
- F(x): x is a 'fresh' random value
- RCounter(x): x is the most recent value of a counter that started at a fresh random value
Rules
Random Assignment
(R1) {true} x ←$ U {F(x)}
Lemma: F(x) implies Indis(νx; Var) and E(ℰ, x)
Increment
(I1) {F(y)} x := y + 1 {RCounter(x) and E(ℰ, x) and Indis(νy; Var − x)}
(I2) {RCounter(y)} x := y + 1 {RCounter(x) and E(ℰ, x)}
Rules (continued)
Xor Operator
(X1) {Indis(νy; V, y, z)} x := y ⊕ z {Indis(νx; V, x, z)}
(X2) {Indis(νy; V, x, z)} x := y ⊕ z {Indis(νy; V, z)}
(X4) {F(y)} x := y ⊕ z {E(ℰ, x)}
Block Cipher
(B1) {E(ℰ, y)} x := ℰ(y) {F(x)}
Generic Preservation
(G1) {Indis(νt; V)} c {Indis(νt; V)} if t is not in V, c is either x ←$ U, x := y || z, x := y ⊕ z or x := ℰ(y), and t is not x, y or z
Example of Proof: CBC encryption mode
Program for CBC (for 3 message blocks):
IV ←$ U; z1 := IV ⊕ m1; c1 := ℰ(z1); z2 := c1 ⊕ m2; c2 := ℰ(z2); z3 := c2 ⊕ m3; c3 := ℰ(z3)
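The CBC proof above, carried out mechanically by a small invariant propagator (an added example, not the authors' prover): it encodes R1, I1/I2, X1/X2/X4 and B1 as stated on the slides, simplifies G1 to preserving any fact whose subject variable is neither the assigned variable nor an operand (an assumption), and then checks that every ciphertext block is Indis given IV, the message blocks and the other ciphertext blocks.

```python
# Added example (not the authors' tool): propagate the slides' invariants over the CBC program.
# Invariants are tuples: ('F', x), ('E', x) for E(ℰ, x), ('RC', x) for RCounter(x),
# ('Indis', t, frozenset(V)) for Indis(νt; V).  Commands: ('rand', x), ('inc', x, y),
# ('xor', x, y, z), ('enc', x, y).

def step(inv, cmd, var):
    """Apply one command to a set of invariants; `var` is the set of all program variables."""
    kind, x, *args = cmd
    # Simplified (G1)-style preservation (assumption): a fact about any variable other than
    # the assigned x and the operands y, z survives the command unchanged.
    out = {i for i in inv if i[1] != x and i[1] not in args}
    if kind == 'rand':                       # (R1) plus the lemma: F(x) => Indis(νx; Var), E(ℰ, x)
        out |= {('F', x), ('E', x), ('Indis', x, frozenset(var))}
    elif kind == 'inc':                      # (I1)/(I2) for x := y + 1
        y, = args
        if ('F', y) in inv or ('RC', y) in inv:
            out |= {('RC', x), ('E', x)}
        if ('F', y) in inv:
            out.add(('Indis', y, frozenset(var - {x})))
    elif kind == 'xor':                      # x := y ⊕ z
        y, z = args
        if ('F', y) in inv:                  # (X4): F(y) => E(ℰ, x)
            out.add(('E', x))
        for i in inv:
            if i[0] == 'Indis' and i[1] == y and z in i[2]:
                if y in i[2]:                # (X1): Indis(νy; V,y,z) => Indis(νx; V,x,z)
                    out.add(('Indis', x, (i[2] - {y}) | {x}))
                if x in i[2]:                # (X2): Indis(νy; V,x,z) => Indis(νy; V,z)
                    out.add(('Indis', y, i[2] - {x}))
    elif kind == 'enc':                      # (B1): E(ℰ, y) => F(x), then the lemma as in (R1)
        if ('E', args[0]) in inv:
            out |= {('F', x), ('E', x), ('Indis', x, frozenset(var))}
    return out

def cbc_program(n):
    """CBC for n blocks as on the slide: IV random, z_i := c_{i-1} ⊕ m_i, c_i := ℰ(z_i)."""
    prog, prev = [('rand', 'IV')], 'IV'
    for i in range(1, n + 1):
        prog += [('xor', f'z{i}', prev, f'm{i}'), ('enc', f'c{i}', f'z{i}')]
        prev = f'c{i}'
    return prog

def prove_cbc(n=3):
    """Run the propagator over the whole program and return the final invariant set."""
    var = {'IV'} | {f'{p}{i}' for p in 'mzc' for i in range(1, n + 1)}
    inv = set()
    for cmd in cbc_program(n):
        inv = step(inv, cmd, var)
    return inv

def ciphertext_looks_random(inv, n=3):
    """Goal: each c_i is Indis given everything the adversary sees (IV, all m_j, all c_j)."""
    seen = {'IV'} | {f'{p}{i}' for p in 'mc' for i in range(1, n + 1)}
    return all(any(i[0] == 'Indis' and i[1] == f'c{k}' and seen <= i[2] for i in inv)
               for k in range(1, n + 1))
```

Running `ciphertext_looks_random(prove_cbc(3))` reproduces the chain F(IV) → E(ℰ, z1) → F(c1) → E(ℰ, z2) → … and yields Indis(νc1; Var − z2), Indis(νc2; Var − z3) and Indis(νc3; Var), which is the confidentiality goal for all three blocks.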
Conclusion and Future Directions
- We presented a grammar and logic rules that can be used to prove the security of many symmetric modes of operation (CBC, CFB, OFB, CTR)
- We intend to test this grammar and these rules on more complex modes of operation; this may suggest new rules that we have not yet considered
- We may need to modify the grammar to include more operations and cryptographic primitives
- We could try to use our method to prove security properties other than confidentiality of encryption
Questions?