1
A plausible approach to computer-aided cryptographic proofs (a collection of thoughts) Shai Halevi – May 2005
2
The problem
Crypto proofs are hard to verify. When did you last
– read
– understand
– fully verify
a proof of a non-trivial piece of crypto?
3
Why is this so hard?
“The thing to prove” is some property of an interaction between non-trivial programs.
The proof consists of a sequence of interactions (games), all involving similar programs.
– The difference between consecutive steps is a minor change in a complicated game.
4
Sample arguments
“We now make several changes to the order in which variables are chosen in game R1. We make the following changes to the code:
– […]
– Instead of choosing MM_s ← {0,1}^n and setting C_s^m ← P_s^m ⊕ MM_s, we choose C_s^m ← {0,1}^n and set MM_s ← P_s^m ⊕ C_s^m
– We replace the assignment CCC_s^i ← MC_s^j ⊕ M_s^1 in line 136 by the equivalent assignment CCC_s^i ← PPP_s^i ⊕ M_s^j. This is equivalent since MC_s^j = MP_s^j ⊕ M_s^j = PPP_s^i ⊕ M_s^1 ⊕ M_s^j
– […]
5
More sample arguments
“H_6 checks in client sessions (P_i, ssid) that receive a non-peer-oracle-generated pair […] H_7 encrypts the “dummy password” w’ in c_2 instead of encrypting the password w, for every client session (P_i, ssid) that received a non-peer-oracle-generated pair (c_1, VK) in step 2 with non-valid ciphertext c_1. Then as in H_2 and H_4, since the encryption scheme E' is semantically secure, the environment cannot distinguish between these cases. Note that the session keys of such client sessions are already chosen randomly, and the ZKPs are already simulated. Thus neither depends on how c_2 is generated. Also note that in the reduction to the security of E' with public key pk', one can still test c_1 encryptions, since they are encrypted with the other public key pk and can be decrypted using sk.”
6
You need to be a compiler to verify some of these arguments
7
Can we write such a compiler?
It all boils down to verifying that two pieces of code induce the same probability distribution on some of their variables.
The simplest example: M ← {0,1}^n, C ← P ⊕ M vs. C ← {0,1}^n, M ← P ⊕ C
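What the "simplest example" check looks like in practice, as an added illustration that is not part of the original slides: each game is written as a program over an explicit random tape, the tape is enumerated exhaustively for a tiny block size (an assumption made so the check is finite), and the induced output distributions are compared. A third, deliberately wrong rewrite shows that the check actually rejects an impermissible transformation.

```python
# Added example (not from the slides): an exhaustive "same distribution"
# checker for the XOR-swap game transformation of slide 7.
from collections import Counter
from itertools import product

N_BITS = 3  # assumption: tiny block size so every random tape can be enumerated


def distribution(game, public_input):
    """Run `game` on every possible random tape (one uniform n-bit value per
    sampling statement) and return the induced distribution on its output,
    as exact counts (all tapes are equally likely)."""
    counts = Counter()
    for tape in product(range(1 << N_BITS), repeat=game.samples):
        coins = iter(tape)
        counts[game(public_input, lambda: next(coins))] += 1
    return counts


def game_left(P, sample):
    # M <- {0,1}^n ; C <- P xor M
    M = sample()
    C = P ^ M
    return (M, C)
game_left.samples = 1  # number of sampling statements in the game


def game_right(P, sample):
    # C <- {0,1}^n ; M <- P xor C   (the transformed game)
    C = sample()
    M = P ^ C
    return (M, C)
game_right.samples = 1


def game_bad(P, sample):
    # An impermissible rewrite: C <- P and M is not uniform, so the joint
    # distribution on (M, C) changes and the checker must reject it.
    M = sample()
    C = P & M
    return (M, C)
game_bad.samples = 1


def same_distribution(g1, g2):
    """True iff g1 and g2 induce identical (M, C) distributions for every P."""
    return all(distribution(g1, P) == distribution(g2, P)
               for P in range(1 << N_BITS))


if __name__ == "__main__":
    print("left == right:", same_distribution(game_left, game_right))  # True
    print("left == bad:  ", same_distribution(game_left, game_bad))    # False
```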
8
A reduction
Distinguishing H_6 from H_7 implies violating semantic security of E’
– Write code for H_6, H_7
– Write code for the L-or-R attack against E’
– Check that H_6 implies the same distribution on the adversary’s view as the L attack
– Check that H_7 implies the same distribution on the adversary’s view as the R attack
9
Computer assistance
The person writing the security proof writes the code and specifies how to get from one piece of code to the other.
The automated tool verifies that the transformations are permissible.
10
Transformations
A library of common transformations
– Algebraic manipulations
– “The forgetful gnome” [Shoup]
– “Coin fixing” [Bellare-Rogaway]
– Etc.
These represent common arguments in our proofs
11
Code templates
Represent commonly-used attacks and hardness assumptions
E.g., templates for DDH, QR, etc.
A CPA template (two versions)
– Proving that a scheme is CPA secure
– Using CPA security in a proof
12
User interface
Probably the hardest part
Must be easy for people to write their proofs using this tool
Easy to specify games
– E.g., as close to pseudocode as possible
Easy access to transformations
Also easy to add new templates and transformations
13
Can this be done?
My guess: same order of magnitude as creating a new programming language
– Compiler, development environment, run-time
Big project, but things like that have been done before
Can probably get funding (grants?)
Needs cooperation between programming-language people, cryptographers, and UI people
14
The Proof of CS98
[Figure: the proof drawn as a graph of games CCA → CCA1 → CCA2 → CCA3’ → CCA4 → CCA5 → CCA5’, with reduction edges to DDH and TCR and probability shifts labelled +2t/q, +1/q and +t/q^4. Legend: XYZ = game that depends on a (binary) parameter; game derived from template XYZ; the empty game; game with bad events; +epsilon = transformation that changes the probability by epsilon; transformation that is justified by a reduction; game with output.]