Presentation is loading. Please wait.

Presentation is loading. Please wait.

Message Equivalence and Imperfect Cryptography in a Formal Model Angelo Troina 1, Alessandro Aldini 2 and Roberto Gorrieri 3 1 Dipartimento di Informatica,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Message Equivalence and Imperfect Cryptography in a Formal Model Angelo Troina 1, Alessandro Aldini 2 and Roberto Gorrieri 3 1 Dipartimento di Informatica,"— Presentation transcript:

1 Message Equivalence and Imperfect Cryptography in a Formal Model Angelo Troina 1, Alessandro Aldini 2 and Roberto Gorrieri 3 1 Dipartimento di Informatica, University of Pisa troina@di.unipi.it 2 Istituto STI, University of Urbino aldini@sti.uniurb.it 3 Dipartimento di Scienze dell'Informazione, University of Bologna gorrieri@cs.unibo.it DIMACS Workshop on Security Analysis of Protocols - Piscataway (NJ) June 9, 2004

2 Introduction Increasing interest towards the compatibility problem between the computational approach and the Dolev-Yao model for the analysis of security protocols.

3 Introduction Dolev-Yao model: Provides abstractions that allow mechanical proofs of protocol properties. Requires stronger assumptions such as perfect cryptography and the restricted expressive power of the adversaries. Computational model: Detailed view of cryptosystems - deals with probabilities and computational power. Models adversaries resources and relaxes the perfect encryption assumption.

4 Introduction A recent formal view of cryptography introduced by Abadi and Rogaway [AR00] defines formal algebraic cryptographic expressions and a related notion of equivalence. Such an approach relates the formal view and the computational model of cryptography by proving the soundness of the formal world with respect to the computational world. Under particular assumptions Micciancio and Warinschi [MW02] present a completeness result.

5 Introduction Zunino and Degano [ZD04] compare the classical Dolev-Yao adversary with an enhanced computational adversary which can guess the key for decrypting an intercepted message (albeit only with negligible probability). A similar approach is also followed by Herzog [Her03], showing that if there's no good Dolev-Yao strategy in breaking a protocol, there's also no good PPT adversary strategy that can do it (given ideal encryption).

6 Introduction The robustness of a ciphertext may be jeopardized by clever attackers that may succeed in retrieving information, by:  randomly guessing data  analyzing a large amount of ciphertext  employing a partial knowledge of the plaintext  breaking weak keys  breaking too simple, foreseeable cryptographic algorithms

7 Introduction We present a novel equivalence for cryptographic expressions that overcomes the two limitations of classical security models:  perfect cryptography  nondeterministic adversary. We take into account the probability for a polynomial time adversary of attacking with success a message encrypted with a secret key.

8 Metodology Indistinguishability with  -tolerance Formal model for cryptographic expressions in an imperfect criptography scenario A classical formal logic for cryptographic expressions

9 Metodology Indistinguishability with  -tolerance A classical formal logic for cryptographic expressions Formal model for cryptographic expressions in an imperfect criptography scenario Based on the Dolev-Yao encryption model defined by Abadi and Rogaway [AR00]

10 Expressions M, N :: =expressions K key, K  Keys m string, m  String (M, N)pair {M} K encryption String finite set of binary strings of a fixed length. Keys is a finite set of Keys {K,K’,…,K 1,K 2,…}. Exp is the set of expressions, defined by the grammar:

11 Entailment The entailment relation M  N specifies the expressions N that can be derived form M. Such a relation is the least relation satisfying the following properties: MMMM M  (N 1, N 2 )  M  N 1  M  N 2 M  N 1  M  N 2  M  (N 1, N 2 ) M  N  M  K  M{N}K M{N}K M  {N} K  M  K  MN MN

12 Patterns p(K, T) = K K  Keys p(m, T) = m m  String p((M, N), T) = (p(M, T), p(N, T)) p({M} K, T) = {p(M, T)} K if K  T M}, T) =  otherwise Function p, given a set of keys T and an expression M, computes the pattern that an attacker can obtain from M if the initial knowledge is the set of keys T.

13 Patterns p(K, T) = K K  Keys p(m, T) = m m  String p((M, N), T) = (p(M, T), p(N, T)) p({M} K, T) = {p(M, T) if K  T M}, T) =  otherwise Function p, given a set of keys T and an expression M, computes the pattern that an attacker can obtain from M if the initial knowledge is the set of keys T.

14 Expression Equivalence Two expressions are equivalent if they yield the same pattern: M  N  pattern(M) = pattern(N) ( , K2) ({{K} K1 } K2, K2)  ({{m} K1 } K2, K2)

15 Metodology Indistinguishability with  -tolerance A classical formal logic for cryptographic expressions Formal model for cryptographic expressions in an imperfect criptography scenario

16 Metodology Indistinguishability with  -tolerance A classical formal logic for cryptographic expressions Formal model for cryptographic expressions in an imperfect criptography scenario

17 Imperfect cryptography scenario We take into account the possibility for an adversary of obtaining meaningful information from a ciphertext {M} K without knowing the key K. We give a new definition for patterns, which were used to denote the information (associated to a ciphertext) employed to decide the equivalence between expressions. We propose a new equivalence relation for expressions that captures when two expressions contain information that an adversary can obtain with the same probability.

18 Probabilistic Patterns P. p, Q. p :: =probabilistic patterns K. p key, K  Keys m. p string, m  String (P. p, Q. p ). p pair A probabilistic pattern P. p represents an expression P that does not contain ciphered blocks and is associated with a parameter p  ]0,1], modeling the probability of getting the plaintext contained in P. Formally, we define the set pPat of probabilistic patterns with the grammar:

19 Imperfect cryptography scenario A probabilistic pattern associated to an expression is obtained by substituting every ciphered block with the corresponding plaintext in clear associated with the probability of obtaining information about it. probabilistic pattern ( {m} K ) = m. p Value p depends on many factors, such as the cryptosystem used for encryptions, the computational power of (and the information collected by) the adversary, the expected robustness of the key K against guesses or attacks.

20 p dec Given a computational polynomial time adversary A, an initial knowledge G, and a ciphered expression {N} K, we assume a function p dec to return the probability of obtaining meanigful information from the ciphertext {N} K by exploiting the initial knowledge G. Any adversary A with polynomially timed resources and knowledge G has probability at most p dec ({N} K, G) of rerieving K from {N} K : Pr [K  A({N} K,G) ]  p dec ({N} K, G) for all A

21 Imperfect cryptography scenario The outcome of p dec represents the starting point for estimating the probability of cracking a ciphered block. ({{m} K1 } K2, {(K1, K2)} K ) What is the probability of getting the string m in clear?

22 Imperfect cryptography scenario ({{m} K1 } K2, {(K1, K2)} K ) p dec ({{m} K1 } K2, G)  p dec ({m} K1, G’) The outcome of p dec represents the starting point for estimating the probability of cracking a ciphered block.

23 Imperfect cryptography scenario ({{m} K1 } K2, {(K1, K2)} K ) p dec ({(K1, K2)} K, G) The outcome of p dec represents the starting point for estimating the probability of cracking a ciphered block.

24 Imperfect cryptography scenario ({{m} K1 } K2, {(K1, K2)} K ) The probability of breaking a block may vary according to the strategy an attacker uses when he tries to cryptanalyze an expression. The outcome of p dec represents the starting point for estimating the probability of cracking a ciphered block.

25 Probabilistic Equivalence Given the expressions M and N, we say that M and N are probabilistically equivalent (M  N) if they yield the same probabilistic pattern. M  N  pP M = pP N

26 Example M = ( {{m} K1 } K2, {(K1, K2)} K ) p 1 = pGuess({K1, K2}) p 2 = pGuess({K}) pP M = ( m.p 1, (K1.p 2, K2.p 2 ).p 2 ) N = ( {m} K1, {(K1, K2)} K ) If p dec ({m} K1 )  p dec ({(K1, K2)} K ) = p‘  p 1 = p 2 = p’ pP M = pP N = ( m. p', (K1. p', K2. p' ). p' ) M  NM  N

27 Metodology Indistinguishability with  -tolerance A classical formal logic for cryptographic expressions Formal model for cryptographic expressions in an imperfect criptography scenario

28 Metodology Indistinguishability with  -tolerance A classical formal logic for cryptographic expressions Formal model for cryptographic expressions in an imperfect criptography scenario

29 Approximating Probabilistic Equivalence The notion of probabilistic equivalence is extremely strict: We relax the notion of probabilistic equivalence by introducing a new compatibility relation, called  -probabilistic similarity (   ).  Ciphered blocks have to be decrypted with exactly the same probabilities.  Considers also those blocks that can be decrypted with negligible probabilities.

30 Approximating Probabilistic Equivalence  -probabilistic similarity (   ):  approximates the equivalence by introducing a tolerance to small differences (up to  ) of the probabilistic parameters associated with the probabilistic patterns.  allows for equating those ciphertexts that can be decrypted with small probabilities (<  ).

31 Example M = {m} K N = {m} K' pP M = m. p1 pP N = m. p2 If p 1  p 2 and | p 1 - p 2 |   then: M  NM  N p 1 = p dec ({m} K ) p 2 = p dec ({m} K' ) M  NM  N

32 Example M = {m} K N = {m'} K' pP M = m. p1 pP N = m'. p2 If p 1, p 2 <  then: M  NM  N M  NM  N p 1 = p dec ({m} K ) p 2 = p dec ({m’} K' )

33 Ideal Encryption It should be hard for the adversary to decrypt a message ciphered with an unknown key. The probability of breaking an encrypted message that cannot be derived in the classical Dolev-Yao model should be negligible. A function f: N  R is negligible if for any polynomial q  0 : f (  )  1 / q (  )   >  0 An encryption scheme is ideal  p dec is a negligible function

34 Main results M, N  Exp. M  N  M   N M  N  M  N M  N  M   N Given ideal encryption Similarity relation Equivalence relation

35 A Secrecy Property Inspired by Abadi and Gordon [AG99], we observe that a certain secret a is private in M if the expression N obtained by substituting every occurrence of a with a'  a is probabilistically similar to M. Given a parameter  ]0,1[ and an expression M  Exp such that a occurs in M, we say that a is  -secret in M iff M   N, where N is obtained by substituting every occurrence of a in M with a'  a.

36 A Secrecy Property M = (m, {K} K2 ) K is  -secret in M p = p dec ({K} K2 ) m is not  -secret in M pP M = (m. 1, K. p ) pP N = (m’. 1, K. p )  pP M = (m. 1, K. p ) pP N = (m. 1, K’. p ) =  if p< 

37 An Application of Secrecy A server S waits for requests from clients, generates a secret key and sends it back to the client. A  S : {request, A, S, t} KSA S  A : {K, S, A, t} KSA request, A, S, t  String and K, KSA  Keys. In G the server keeps track of the messages exchanged in the network.

38 An Application of Secrecy We want to check whether the expression {K, S, A, t} KSA ensures a given degree  of secrecy for K. A  S : {request, A, S, t} KSA S  A : {K, S, A, t} KSA The server verifies whether K is  G-secret in {K, S, A, t} KSA. As the traffic of information within the network increases and the amount of messages ciphered with KSA gets larger, the server may not guarantee the  G-secrecy anymore.

39 Conclusions & Future work We have shown a novel framework in order to offer the means for defining a formal cryptographic language where: i) information leakage due to cryptanalysis can be estimated by employing  and conditional statements ii) probabilistic covert channels can be studied by verifying non-interference security properties. The similarity relation   can be used, in combination with an approximated definition of non-interference, to verify whether the privacy of cryptographic protocols can be guaranteed at a reasonable level.

40 Bibliography [AG99] M. Abadi, A.D. Gordon. A Calculus for Cryptographic Protocols: The Spi Calculus. Information and Computation, 148(1):1-70,1999. [AR00] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption). In Proc. Int. Conf. Theoretical Computer Science, LNCS 1872:3-22, 2000. [DY83] D. Dolev, A. Yao. On the Security of Publik-key Protocols. IEEE Transactions on Information Theory, 29:198-208, 1983. [Her03] J. Herzog. A Computational Interpretation of Dolev-Yao Adversaries. In Proc. of Workshop on Issues in the Theory of Security (WITS'03), 2003. [MW02] D. Micciancio, B. Warinschi. Completeness Theorems for the Abadi-Rogaway Language of Encrypted Expressions. In Proc. of Workshop on Issues in the Theory of Security (WITS'02), 2002. [ZD04] R. Zunino, P. Degano. A Note on the Perfect Encryption Assumption in a Process Calculus. In Proc. of Foundations of Software Science and Computation Structures (FOSSACS'04).

41 Example M = ({m} K, K)N = (m, K) AR patterns: ({m} K, K)(m, K) New semantics pattern: (m, K)

Download ppt "Message Equivalence and Imperfect Cryptography in a Formal Model Angelo Troina 1, Alessandro Aldini 2 and Roberto Gorrieri 3 1 Dipartimento di Informatica,"

Similar presentations

Cryptography encryption authentication digital signatures

Cryptography encryption authentication digital signatures
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)

Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Soundness And Completeness of Formal Logics of Symmetric Encryption ** Andre Scedrov ** University of Pennsylvania **Gergei Bana ** University of Pennsylvania.

Soundness And Completeness of Formal Logics of Symmetric Encryption ** Andre Scedrov ** University of Pennsylvania **Gergei Bana ** University of Pennsylvania.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

Similar presentations

Ads by Google