concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/ssft19/gregoir-slides1.pdf ·...
TRANSCRIPT
![Page 1: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/1.jpg)
Concrete security of cryptographic primi-tives
Benjamin Gregoire
Benjamin Gregoire – Concrete security of cryptographic primitives 1
![Page 2: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/2.jpg)
Formally verified cryptography
Algorithms: EasyCrypt
Primitives
ProtocolsAdversary
Provable security: Pr [A breaks P] ≤ Pr [B(A) breaks assumption] + ε
Benjamin Gregoire – Concrete security of cryptographic primitives 2
![Page 3: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/3.jpg)
Formally verified cryptography
Algorithms: EasyCrypt
Primitives
ProtocolsAdversary
Provable security: Pr [A breaks P] ≤ Pr [B(A) breaks assumption] + ε
Source code: JasminCode Adversary
Provable security: Algorithms + Functional correctness + Safety
Benjamin Gregoire – Concrete security of cryptographic primitives 2
![Page 4: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/4.jpg)
Formally verified cryptography
Algorithms: EasyCrypt
Primitives
ProtocolsAdversary
Provable security: Pr [A breaks P] ≤ Pr [B(A) breaks assumption] + ε
Source code: JasminCode Adversary
Provable security: Algorithms + Functional correctness + Safety
Hardware: MaskCompMaskVerif
Security: Source + Countermeasure
Assembly: Jasmin
Security: Source + CT + Compiler
Benjamin Gregoire – Concrete security of cryptographic primitives 2
![Page 5: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/5.jpg)
This talk
• Motivate provable security notions• Proof by reduction• Probabilistic Relational Hoare Logic (pRHL)
Next talk: Jasmin, functional correctness and Constant time.
Benjamin Gregoire – Concrete security of cryptographic primitives 3
![Page 6: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/6.jpg)
Algorithms: EasyCrypt
Primitives
ProtocolsAdversary
Provable security: Pr [A breaks P] ≤ Pr [B(A) breaks assumption] + ε
• How to formally define P and A ?• How to formally define A breaks P ?• How to formally define B(A) ?• How to perform proof by reduction ?
Benjamin Gregoire – Concrete security of cryptographic primitives 4
![Page 7: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/7.jpg)
What is provable security?
Precisely define a security model:• What functionality must the system provide?• What qualifies as a break for the system?• What class of attackers should it protect against?
To claim that a system is secure one must:• State the assumptions upfront:
- security properties of low-level components (hypothesis)- these should be widely used and well studied
• Prove that∀ attackers, assumptions⇒ no break
• Or, equivalently,∀ attackers, break⇒ assumption false
Benjamin Gregoire – Concrete security of cryptographic primitives 5
![Page 8: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/8.jpg)
Which security model?
All security models are abstractionsThey result from a compromise:• More detail→ less likely to ignore relevant attacks• Less detail→ proofs become feasible
Cryptographers have been developing security models for crypto primitives fora long time
Benjamin Gregoire – Concrete security of cryptographic primitives 6
![Page 9: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/9.jpg)
Elgamal encryption Scheme
Let G be a cyclic group of order q and g a generator of G.Elgamal encryption scheme is defined by
kg() = sk $← [0, q); (gsk, sk)
enc(pk, m) = y $← [0, q); (gy , pky ∗m)
dec(sk, c) = (gy, gm)← c; Some (gm ∗ gy−sk)
Correctness of the encryption Scheme:∀ m, (pk, sk)← kg(); dec(pk, enc(sk, m)) = Some c
Remarks:• This is a probabilistic property• Already an abstraction (plaintext and ciphertext are not bitstring)
Benjamin Gregoire – Concrete security of cryptographic primitives 7
![Page 10: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/10.jpg)
Elgamal encryption Scheme in EasyCrypt
type pkey = group.type skey = F.t.type ptxt = group.type ctxt = group * group.
(* Concrete Construction: ElGammal *)module ElGamal : Scheme = {proc kg(): pkey * skey = {var sk;
sk $←− F.dt;return (g ˆ sk, sk);}
proc enc(pk:pkey, m:ptxt): ctxt = {var y;
y $←− F.dt;return (g ˆ y, pk ˆ y * m);}
proc dec(sk:skey, c:ctxt): ptxt option = {var gy, gm;
(gy, gm)← c;return Some (gm * gyˆ(−sk));}}.
Benjamin Gregoire – Concrete security of cryptographic primitives 8
![Page 11: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/11.jpg)
Correctness of an encryption scheme
theory Correctness.
type pkey, skey, ptxt, ctxt.
module type Scheme = {proc kg() : pkey * skeyproc enc(pk : pkey, m : ptxt) : ctxtproc dec(sk : skey, c : ctxt) : ptxt option}.
module Correct(S:Scheme) = {proc main(m:ptxt) : bool = {var m';(pk, sk)← S.kg();c ← S.enc(pk, m);m' ← S.dec(sk, c);return (m' = Some m);}.
end Correctness.
clone import Correctness as C withtype pkey← pkey, (* i.e. group *)type skey← skey, (* i.e. F.t *)type ptxt← ptxt, (* i.e. group *)type ctxt← ctxt. (* i.e. group * group *)
lemma Elgamal correct : hoare [Correct(Elgamal).main : true V res].proof. · · · qed.
Benjamin Gregoire – Concrete security of cryptographic primitives 9
![Page 12: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/12.jpg)
Hoare Logic
• Judgments c : P V Q (usually {P} c {Q})(P and Q are f.o. formulae over program variables)
• A judgment c : P V Q is valid iff (deterministic setting)
∀m,m � P ⇒ [[c]]m = m′ ⇒ m′ � Q
• A judgment c : P V Q is valid iff (probabilistic setting)
∀m,m � P ⇒ [[c]]m = d ⇒ d � Q
where : d � Q means
∀m′,m′ ∈ d ⇒ m′ � Q
Benjamin Gregoire – Concrete security of cryptographic primitives 10
![Page 13: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/13.jpg)
Selected rules
x ← e : Q[e/x ]V Q x $← d : ∀v ∈ d ,Q[v/x ]V Q
c1 : P V Q c2 : Q V Rc1; c2 : P V R
c1 : P ∧ e V Q c2 : P ∧ ¬e V Qif e then c1 else c2 : P V Q
c : I ∧ e V Iwhile e do c : I V I ∧ ¬e
c : P V Q P′ ⇒ P Q ⇒ Q′
c : P′ V Q′
Benjamin Gregoire – Concrete security of cryptographic primitives 11
![Page 14: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/14.jpg)
Going back to the security model
Benjamin Gregoire – Concrete security of cryptographic primitives 12
![Page 15: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/15.jpg)
SM public key encryption security: IND-CPA
(pk, sk) $← Gen();
Benjamin Gregoire – Concrete security of cryptographic primitives 13
![Page 16: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/16.jpg)
SM public key encryption security: IND-CPA
(pk, sk) $← Gen();
pk
Benjamin Gregoire – Concrete security of cryptographic primitives 13
![Page 17: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/17.jpg)
SM public key encryption security: IND-CPA
(m0, m1)
Benjamin Gregoire – Concrete security of cryptographic primitives 13
![Page 18: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/18.jpg)
SM public key encryption security: IND-CPA
b $← {0,1};c ← Enc(pk, mb);
Benjamin Gregoire – Concrete security of cryptographic primitives 13
![Page 19: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/19.jpg)
SM public key encryption security: IND-CPA
b $← {0,1};c ← Enc(pk, mb);
c
Benjamin Gregoire – Concrete security of cryptographic primitives 13
![Page 20: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/20.jpg)
SM public key encryption security: IND-CPA
b $← {0,1};c ← Enc(pk, mb);
b′
Benjamin Gregoire – Concrete security of cryptographic primitives 13
![Page 21: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/21.jpg)
SM public key encryption security: IND-CPA
b $← {0,1};c ← Enc(pk, mb);
b′
Break : b′ ?= b
Benjamin Gregoire – Concrete security of cryptographic primitives 13
![Page 22: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/22.jpg)
IND-CPA in EasyCrypt
theory Cpa.type pkey, skey, ptxt, ctxt.
module type Scheme = {proc kg() : pkey * skeyproc enc(pk:pkey, m:ptxt) : ctxtproc dec(sk:skey, c:ctxt) : ptxt option}.
module type Adversary = {proc choose(pk:pkey) : ptxt * ptxtproc guess(c:ctxt) : bool}.
module CPA (S:Scheme) (A:Adversary) = {proc main() : bool = {var pk, sk, m0, m1, c, b, b';
(pk, sk) ← S.kg();(m0, m1)← A.choose(pk);b ← ${0,1};c ← S.enc(pk, b ? m1 : m0);b' ← A.guess(c);return (b' = b);}}.end Cpa.
clone import Cpa as Cpa0 withtype pkey← pkey,type skey← skey,type ptxt← ptxt,type ctxt← ctxt.
lemma Elgamal cpa &m (A<:Adversary):`| Pr[CPA(Elgamal, A).main() @ &m]− 1%r / 2%r | ≤ · · ·
Benjamin Gregoire – Concrete security of cryptographic primitives 14
![Page 23: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/23.jpg)
SM public key encryption security: IND-CCA
(pk, sk) $← Gen();
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 24: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/24.jpg)
SM public key encryption security: IND-CCA
(pk, sk) $← Gen();
pk
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 25: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/25.jpg)
SM public key encryption security: IND-CCA
c
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 26: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/26.jpg)
SM public key encryption security: IND-CCA
m ← Dec(sk, c)
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 27: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/27.jpg)
SM public key encryption security: IND-CCA
m ← Dec(sk, c)
m
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 28: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/28.jpg)
SM public key encryption security: IND-CCA
(m0, m1)
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 29: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/29.jpg)
SM public key encryption security: IND-CCA
b $← {0,1};c∗ ← Enc(pk, mb);
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 30: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/30.jpg)
SM public key encryption security: IND-CCA
b $← {0,1};c∗ ← Enc(pk, mb);
c∗
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 31: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/31.jpg)
SM public key encryption security: IND-CCA
c
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 32: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/32.jpg)
SM public key encryption security: IND-CCA
m ← Dec(sk, c)
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 33: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/33.jpg)
SM public key encryption security: IND-CCA
m ← Dec(sk, c)
m
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 34: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/34.jpg)
SM public key encryption security: IND-CCA
b′
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 35: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/35.jpg)
SM public key encryption security: IND-CCA
b′
Break : b′ ?= b
Benjamin Gregoire – Concrete security of cryptographic primitives 15
![Page 36: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/36.jpg)
We need more restrictions
• Can the adversary makes a query to the decryption oracle on c∗ ?• Can the adversary makes queries to the decryption oracle in the “guess”
stage ? (CCA1/CCA2)• Does the number of queries to the decryption oracle is limited/unlimited ?
(Can be a problem for exact security)
How to encode this in EasyCrypt?
Benjamin Gregoire – Concrete security of cryptographic primitives 16
![Page 37: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/37.jpg)
IND-CCA in EasyCrypt: first attempt
module type CCA ORC = {proc dec(c:ctxt) : ptxt option}.
module type CCA ADV (O:CCA ORC) = {proc choose(pk:pkey) : ptxt * ptxtproc guess(c:ctxt) : bool}.
module CCA (S:Scheme, A:CCA ADV) = {
var sk : skey
module O = {
proc dec(c:ctxt) : ptxt option = {var m;m← S.dec(sk, c);return m;}}
proc main() : bool = {var pk, m0, m1, cstar, b, b';
(pk, sk) ← S.kg();(m0, m1)←A(O).choose(pk);
b $←− {0,1};cstar ← S.enc(pk, b ? m1 : m0);b' ← A(O).guess(cstar);return (b' = b);}}.
Benjamin Gregoire – Concrete security of cryptographic primitives 17
![Page 38: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/38.jpg)
Problems
• The adversary A can call the decryption oracle on cstar• The number of calls to the decryption oracle is unlimited
Benjamin Gregoire – Concrete security of cryptographic primitives 18
![Page 39: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/39.jpg)
IND-CCA in EasyCrypt: second attempt
const qD : int.
axiom qD pos : 0 < qD.
module CCA (S:Scheme, A:CCA ADV) = {var log : ctxt listvar sk : skey
module O = {proc dec(c:ctxt) : ptxt option = {var m;log← c :: log;m ← S.dec(sk, c);return m;}}
proc main() : bool = {var pk, m0, m1, cstar, b, b';log ← [];(pk, sk) ← S.kg();(m0, m1)← A(O).choose(pk);
b $←− {0,1};cstar ← S.enc(pk, b ? m1 : m0);b' ← A(O).guess(c);return (b' = b ∧ ¬ cstar ∈ log ∧ size log≤ qD);}}.
Benjamin Gregoire – Concrete security of cryptographic primitives 19
![Page 40: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/40.jpg)
Problem
proc main() : bool = {var pk, m0, m1, cstar, b, b';log ← [];(pk, sk) ← S.kg();(m0, m1)← A(O).choose(pk);
b $←− {0,1};cstar ← S.enc(pk, b ? m1 : m0);b' ← A(O).guess(c);return (b' = b ∧ ¬ cstar ∈ log ∧ size log≤ qD);}}.
This is not really CCA
• The restriction on the decryption oracle should be only for the guess stage
Benjamin Gregoire – Concrete security of cryptographic primitives 20
![Page 41: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/41.jpg)
IND-CCA in EasyCrypt
module CCA (S:Scheme, A:CCA ADV) = {var log : ctxt listvar cstar : ctxt optionvar sk : skey
module O = {proc dec(c:ctxt) : ptxt option = {var m : ptxt option;
if (size log < qD && (Some c 6= cstar)) {log← c :: log;m ← S.dec(sk, c);}else m← None;return m;}}
proc main() : bool = {var pk, m0, m1, c, b, b';log ← [];cstar ← None;(pk, sk) ← S.kg();(m0, m1)← A(O).choose(pk);
b $←− {0,1};c ← S.enc(pk, b ? m1 : m0);cstar ← Some c;b' ← A(O).guess(c);return (b' = b);}}.
Benjamin Gregoire – Concrete security of cryptographic primitives 21
![Page 42: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/42.jpg)
IND-CCA1 versus IND-CCA2
The previous security game corresponds to the IND-CCA2 notion:• The adversary can call the decryption oracle in both stages choose and
guess
In the IND-CCA1 notion, the adversary can only call the decryption oracle in thechoose stage
Benjamin Gregoire – Concrete security of cryptographic primitives 22
![Page 43: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/43.jpg)
IND-CCA1 in EasyCrypt
module CCA1 (S:Scheme, A:CCA ADV) = {var log : ctxt listvar sk : skey
module Oc = {proc dec(c:ctxt) : ptxt option = {var m : ptxt option;
if (size log < qD) {log← c :: log;m ← S.dec(sk, c);}else m← None;return m;}}
module Og = {proc dec(c:ctxt) : ptxt option = {
return None}}
proc main() : bool = {var pk, m0, m1, cstar, b, b';log ← [];(pk, sk) ← S.kg();(m0, m1)← A(Oc).choose(pk);
b $←− {0,1};cstar ← S.enc(pk, b ? m1 : m0);b' ← A(Og).guess(cstar);return (b' = b);}}.
Benjamin Gregoire – Concrete security of cryptographic primitives 23
![Page 44: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/44.jpg)
IND-CCA1 in EasyCrypt
module type CCA ADV (O:CCA ORC) = {proc choose(pk:pkey) : ptxt * ptxt {O.dec}proc guess(c:ctxt) : bool {}}.
module CCA1 (S:Scheme, A:CCA ADV) = {var log : ctxt listvar sk : skey
module O = {proc dec(c:ctxt) : ptxt option = {var m : ptxt option;
if (size log < qD) {log← c :: log;m ← S.dec(sk, c);}else m← None;return m;}}
proc main() : bool = {var pk, m0, m1, cstar, b, b';log ← [];(pk, sk) ← S.kg();(m0, m1)← A(O).choose(pk);
b $←− {0,1};cstar ← S.enc(pk, b ? m1 : m0);b' ← A(O).guess(cstar);return (b' = b);}}.
Benjamin Gregoire – Concrete security of cryptographic primitives 24
![Page 45: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/45.jpg)
Quantification over adversaries
Quantification of adversaries are done by quantification over modules:
lemma foo: ∀ (A <: CCA ADV), · · ·
Benjamin Gregoire – Concrete security of cryptographic primitives 25
![Page 46: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/46.jpg)
Warning: module are not generative
module type T = · · ·.
module F(A:T) = {var x: int}
module F1 = F(A1)module F2 = F(A2)
Benjamin Gregoire – Concrete security of cryptographic primitives 26
![Page 47: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/47.jpg)
Warning: module are not generative
module type T = · · ·.
module F(A:T) = {var x: int}
module F1 = F(A1)module F2 = F(A2)
In language like ocaml:• The variable F.x does not exists
need to instantiate the functor• Variable F1.x and F2.x are disjoints
Benjamin Gregoire – Concrete security of cryptographic primitives 26
![Page 48: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/48.jpg)
Warning: module are not generative
module type T = · · ·.
module F(A:T) = {var x: int}
module F1 = F(A1)module F2 = F(A2)
In EasyCrypt:• The variable F.x exists• Variable F1.x and F2.x are equal to F.x
Benjamin Gregoire – Concrete security of cryptographic primitives 26
![Page 49: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/49.jpg)
Need to add more restrictions on adversary
module Adv (O:CCA ORC) = {· · ·proc guess(c:ctxt) = {· · · CCA.sk · · ·}
• Is a valid adversary (CCA ADV)• And it can trivially break the CCA game• We need to add restrictions
lemma MySchemeCCA: ∀ (A<:CCA ADV {CCA}),Pr[CCA(MyScheme, A)]≤ · · ·
Benjamin Gregoire – Concrete security of cryptographic primitives 27
![Page 50: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/50.jpg)
Where we are?
• We know how to represent schemes• We know how to represent security notions
We need to understand how to perform proofs.
Benjamin Gregoire – Concrete security of cryptographic primitives 28
![Page 51: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/51.jpg)
A trivial security proof
We want to prove the security of Elgamal encryption scheme:
∀A, |Pr[CPA(Elgamal ,A)]− 12| = AdvDDH(B(A))
where
AdvDDH(D) = |Pr[DDH0(D)]− Pr[DDH1(D)]|
DDH0(D) = x $←; y $←; return D(gx , gy , gxy );
DDH1(D) = x $←; y $←; z $←; return D(gx , gy , gz);
We reduce the security of Elgamal to the hardness of the decisional DiffieHellman problem.
Benjamin Gregoire – Concrete security of cryptographic primitives 29
![Page 52: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/52.jpg)
Decisional Diffie Hellman
module type DistDDH = {proc guess(gx gy gz:group): bool}.
module DDH0 (D:DistDDH) = {proc main() : bool = {
var b, x, y;
x $←− F.dt;
y $←− F.dt;b← D.guess(g ˆ x, g ˆ y, g ˆ (x*y));return b;}}.
module DDH1 (D:DistDDH) = {proc main() : bool = {var b, x, y, z;
x $←− F.dt;
y $←− F.dt;
z $←− F.dt;b← D.guess(g ˆ x, g ˆ y, g ˆ z);return b;}}.
Benjamin Gregoire – Concrete security of cryptographic primitives 30
![Page 53: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/53.jpg)
High level view of the proof
CPA(Elgamal, A)
(pk, sk) ← Elgamal.kg();(m0, m1)← A.choose(pk);b ← ${0,1};c ← Elgamal.enc(pk, b ? m1 : m0);b' ← A.guess(c);return (b' = b);
Benjamin Gregoire – Concrete security of cryptographic primitives 31
![Page 54: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/54.jpg)
High level view of the proof
CPA(Elgamal, A)
(* (pk, sk)← Elgamal.kg(); *)
sk $←− F.dt;pk ← gˆsk;(m0, m1)← A.choose(pk);b ← ${0,1};(* c ← Elgamal.enc(pk, b ? m1 : m0); *)
y $←− F.dt;c ← (g ˆ y, pk ˆ y * m);b' ← A.guess(c);return (b' = b);
Benjamin Gregoire – Concrete security of cryptographic primitives 31
![Page 55: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/55.jpg)
High level view of the proof
CPA(Elgamal, A)
(* (pk, sk)← Elgamal.kg(); *)
sk $←− F.dt;pk ← gˆsk;(m0, m1)← A.choose(pk);b ← ${0,1};(* c ← Elgamal.enc(pk, b ? m1 : m0); *)
y $←− F.dt;c ← (g ˆ y, pk ˆ y * m);b' ← A.guess(c);return (b' = b);
x $←− F.dt;
y $←− F.dt;gx ← gˆx;gy ← gˆy;gz ← gˆ(x*y);(m0, m1)← A.choose(pk);b ← ${0,1};c ← (gy, gz * m);b' ← A.guess(c);return (b' = b);
Benjamin Gregoire – Concrete security of cryptographic primitives 31
![Page 56: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/56.jpg)
High level view of the proof
CPA(Elgamal, A)
(* (pk, sk)← Elgamal.kg(); *)
sk $←− F.dt;pk ← gˆsk;(m0, m1)← A.choose(pk);b ← ${0,1};(* c ← Elgamal.enc(pk, b ? m1 : m0); *)
y $←− F.dt;c ← (g ˆ y, pk ˆ y * m);b' ← A.guess(c);return (b' = b);
DDH0(B(A))
module B(A:Adversary) = {proc guess (gx, gy, gz) : bool = {var m0, m1, b, b';(m0, m1)← A.choose(gx);
b $←− {0,1};b' ← A.guess(gy, gz * (b?m1:m0));return b' = b;}}.
module DDH0 (D:DistDDH) = {proc main() : bool = {var b, x, y;
x $←− F.dt;
y $←− F.dt;b← D.guess(g ˆ x, g ˆ y, g ˆ (x*y));return b;}}.
DDH0(B(A)).main()
Benjamin Gregoire – Concrete security of cryptographic primitives 31
![Page 57: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/57.jpg)
High level view of the proof
CPA(Elgamal, A)
(* (pk, sk)← Elgamal.kg(); *)
sk $←− F.dt;pk ← gˆsk;(m0, m1)← A.choose(pk);b ← ${0,1};(* c ← Elgamal.enc(pk, b ? m1 : m0); *)
y $←− F.dt;c ← (g ˆ y, pk ˆ y * m);b' ← A.guess(c);return (b' = b);
module B(A:Adversary) = {proc guess (gx, gy, gz) : bool = {var m0, m1, b, b';(m0, m1)← A.choose(gx);
b $←− {0,1};b' ← A.guess(gy, gz * (b?m1:m0));return b' = b;}}.
module DDH0 (D:DistDDH) = {proc main() : bool = {var b, x, y;
x $←− F.dt;
y $←− F.dt;b← D.guess(g ˆ x, g ˆ y, g ˆ (x*y));return b;}}.
DDH0(B(A)).main()
We will prove Pr[CPA(Elgamal, A)] = Pr[DDH0(B(A))]
Benjamin Gregoire – Concrete security of cryptographic primitives 31
![Page 58: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/58.jpg)
High level view of the proofDDH1(B(A))
module B(A:Adversary) = {proc guess (gx, gy, gz) : bool = {var m0, m1, b, b';(m0, m1)← A.choose(gx);
b $←− {0,1};b' ← A.guess(gy, gz * (b?m1:m0));return b' = b;}}.
module DDH1 (D:DistDDH) = {proc main() : bool = {var b, x, y;
x $←− F.dt;
y $←− F.dt;
z $←− F.dt;b← D.guess(g ˆ x, g ˆ y, g ˆ z);return b;}}.
DDH1(B(A)).main();
Benjamin Gregoire – Concrete security of cryptographic primitives 32
![Page 59: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/59.jpg)
High level view of the proof
DDH1(B(A))
x $←− F.dt;
y $←− F.dt;
z $←− F.dt;(m0, m1)← A.choose(gˆx);
b $←− {0,1};b' ← A.guess(gˆy, gˆz * (b?m1:m0));return b' = b;
Benjamin Gregoire – Concrete security of cryptographic primitives 32
![Page 60: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/60.jpg)
High level view of the proof
DDH1(B(A))
x $←− F.dt;
y $←− F.dt;
z $←− F.dt;(m0, m1)← A.choose(gˆx);
b $←− {0,1};b' ← A.guess(gˆy, gˆz * (b?m1:m0));return b' = b;
x $←− F.dt;
y $←− F.dt;
z $←− F.dt;(m0, m1)← A.choose(gˆx);
b $←− {0,1};b' ← A.guess(gˆy, gˆz);return b' = b;
Benjamin Gregoire – Concrete security of cryptographic primitives 32
![Page 61: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/61.jpg)
High level view of the proof
DDH1(B(A))
x $←− F.dt;
y $←− F.dt;
z $←− F.dt;(m0, m1)← A.choose(gˆx);
b $←− {0,1};b' ← A.guess(gˆy, gˆz * (b?m1:m0));return b' = b;
G
x $←− F.dt;
y $←− F.dt;
z $←− F.dt;(m0, m1)← A.choose(gˆx);b' ← A.guess(gˆy, gˆz);
b $←− {0,1};return b' = b;
Benjamin Gregoire – Concrete security of cryptographic primitives 32
![Page 62: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/62.jpg)
High level view of the proof
DDH1(B(A))
x $←− F.dt;
y $←− F.dt;
z $←− F.dt;(m0, m1)← A.choose(gˆx);
b $←− {0,1};b' ← A.guess(gˆy, gˆz * (b?m1:m0));return b' = b;
G
x $←− F.dt;
y $←− F.dt;
z $←− F.dt;(m0, m1)← A.choose(gˆx);b' ← A.guess(gˆy, gˆz);
b $←− {0,1};return b' = b;
We will prove:• Pr[DDH1(B(A))] = Pr[G]• Pr[G] = 1
2
Benjamin Gregoire – Concrete security of cryptographic primitives 32
![Page 63: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/63.jpg)
High level view of the proof
1. Pr[CPA(Elgamal, A)] = Pr[DDH0(B(A))]
2. Pr[DDH1(B(A))] = Pr[G]
3. Pr[G] = 12
| Pr[CPA(Elgamal, A)] - 12 | = | Pr[DDH0(B(A))] - 1
2 | (1)= | Pr[DDH0(B(A))] - Pr[G] | (3)= | Pr[DDH0(B(A))] - Pr[DDH1(B(A))] | (2)
Benjamin Gregoire – Concrete security of cryptographic primitives 33
![Page 64: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/64.jpg)
What we need?
• Being able to compute some probability: Pr[G] = 12
• Being able to relate probabilities:
Pr[CPA(Elgamal, A)] = Pr[DDH0(B(A))]• More generally: Pr[G1 : E1] ≤ Pr[G2 : E2]
Benjamin Gregoire – Concrete security of cryptographic primitives 34
![Page 65: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/65.jpg)
Probabilistic Coupling
Dealing with probability is hard, we want to provide some abstraction
Problem:Pr[D1 : E1] ≤ Pr[D2 : E2]
where D1, D2 are distributions and E1, E2 are events
Probabilistic coupling allows to relate distributions
Benjamin Gregoire – Concrete security of cryptographic primitives 35
![Page 66: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/66.jpg)
Probabilistic Coupling
Probabilistic Coupling C(D1,D2,D,R):• D1 ∈ Distr(U), D2 ∈ Distr(V ), D ∈ Distr(U × V )
• R is a relation over U × V• π1(D) = D1, π2(D) = D2
• ∀(u, v) ∈ supp(D), u R v
Consequence:If ∀u v , u R v ⇒ u ∈ E1 = v ∈ E2 then Pr[D1 : E1] = Pr[D2 : E2]
If ∀u v , u R v ⇒ u ∈ E1 ⇒ v ∈ E2 then Pr[D1 : E1] ≤ Pr[D2 : E2]
Benjamin Gregoire – Concrete security of cryptographic primitives 36
![Page 67: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/67.jpg)
Probabilistic Relational Hoare Logic
P, Q probabilistic programs
c ∼ c′ : P V Q
Interpretation:
∀m1 m2,m1 P m2 ⇒ ∃D, C([[c]]m1 , [[c′]]m2 ,D,Q)
Difficulty: rule for random assignment, desynchronized while, adversaries
Benjamin Gregoire – Concrete security of cryptographic primitives 37
![Page 68: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/68.jpg)
probabilistic Relational Hoare Logic
lemma l1 : equiv [G1.f ˜ G2.g : x{1} = x{2}V res{1} = res{2} ∧ G2.z{1} = 0].proof. · · · qed.
lemma l2 : equiv [G1.f ˜ G2.g : ={x}V ={res} ∧ G2.z{1} = 0].
equiv l3 : G1.f ˜ G2.g : ={x}V ={res} ∧ G2.z{1} = 0.
Benjamin Gregoire – Concrete security of cryptographic primitives 38
![Page 69: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/69.jpg)
equiv judgment can be used to deduce fact on probabilities
G1 ∼ G2 : true V Q Q ⇒ E{1} = F{2}Pr[G1 : E ] = Pr[G2 : F ]
G1 ∼ G2 : true V Q Q ⇒ E{1} ⇒ F{2}Pr[G1 : E ] ≤ Pr[G2 : F ]
lemma pr &m vx: Pr[G1.f(vx) @ &m : res] = Pr[G2.g(vx) @ &m : res ∧ G2.z = 0].proof.byequiv.· · ·
qed.
Benjamin Gregoire – Concrete security of cryptographic primitives 39
![Page 70: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/70.jpg)
Proof rules: skip and assignments
SkipP ⇒ Q
skip ∼ skip : P V Qskip
Sequencec1 ∼ c2 : P V R c′1 ∼ c′2 : R V Q
c1; c′1 ∼ c2; c′2 : P V Qseq
Assignments
x ← e ∼ skip : Q[{1}/x{1}] V Qwp
x ← e ∼ x ′ ← e′ : Q[e{1}/x{1}][e′{2}/x ′{2}] V Qwp
Benjamin Gregoire – Concrete security of cryptographic primitives 40
![Page 71: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/71.jpg)
Proof rules: conditionals
ConditionalsP ⇒ e{1} = e′{2}
c1 ∼ c′1 : P ∧ e{1} V Q c2 ∼ c′2 : P ∧ ¬e{1} V Q
if e then c1 else c2 ∼ if e′ then c′1 else c′2 : P V Qif
c1 ∼ c : P ∧ e{1} V Q c2 ∼ c : P ∧ ¬e{1} V Q
if e then c1 else c2 ∼ c : P V Qif{1}
Casec ∼ c′ : P ∧ R V Q c ∼ c′ : P ∧ ¬R V Q
c ∼ c′ : P V Qcase R
Reduce Conditionals
c : P V e c; c1 ∼ c′ : P ∧ R V Qc; if e then c1 else c2 ∼ c′ : P V Q
rcondt
Rules for conditionals are a consequence of the Case and Reduce
Benjamin Gregoire – Concrete security of cryptographic primitives 41
![Page 72: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/72.jpg)
Loops
Two-sided ruleI ⇒ e{1} = e′{2}
c ∼ c′ : I ∧ e{1} V I
while e do c ∼ while e′ do c′ : I V I ∧ ¬e{1}while: I
• rule is incomplete: same number of iterations
One sided-rules• standard rule with losslessness verification condition
Benjamin Gregoire – Concrete security of cryptographic primitives 42
![Page 73: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/73.jpg)
Proof rules: program transformations
EasyCryptprovides rules for program transformations:• inline f : inline the function f• inline * : inline all functions• swap{1} i n : move instruction at position i of p instructions
Benjamin Gregoire – Concrete security of cryptographic primitives 43
![Page 74: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/74.jpg)
Proof rules: random assignment
IntuitionLet A be a finite set and let f , g : A→ B. Define• c = x $← µ; y ← f x• c′ = x $← µ′; y ← g x
Then [[c]] = [[c′]] (extensionally) iff there exists h : A 1−1→ A st• f = g ◦ h• for all a, µ(a) = µ′(h(a))
h is 1-1 and ∀a, µ(a) = µ′(h(a))
x $← µ ∼ x $← µ′ : ∀v ,Q[h v/x{1}][v/x{2}] V Q
• Rule captures a special case of lifting• General rule might lead to untractable arithmetic equalities
Benjamin Gregoire – Concrete security of cryptographic primitives 44
![Page 75: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/75.jpg)
Adversaries: Intuition
• Adversaries can be any sequence of code.• Given the same inputs, provide the same outputs
x ← A(~y) ∼ x ← A(~y) : ={~y} V ={x}
But adversaries can also perform oracle calls . . .
Benjamin Gregoire – Concrete security of cryptographic primitives 45
![Page 76: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/76.jpg)
Adversaries with oracle
• Adversaries perform arbitrary sequences of oracle calls (and intermediatecomputations)
• Oracle are not necessary the same in both sides• We can view it as a loop
z ← O(~w) ∼ z ← O′(~w) : I ∧ ={~w} V I ∧ ={z}
x ← AO(~y) ∼ x ← AO′(~y) : I ∧ ={~y} V I ∧ ={x}
Restriction:• Intermediate computations should not break I• global variables of the adversary should be equals
Benjamin Gregoire – Concrete security of cryptographic primitives 46
![Page 77: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/77.jpg)
Reasoning about Failure Events
Lemma (Fundamental Lemma)Let A,B, bad be events and G1,G2 be two games such that
Pr[G1 : A ∧ ¬bad] = Pr[G2 : B ∧ ¬bad]
andPr[G1 : bad] = Pr[G2 : bad]
Then|Pr[G1 : A]− Pr[G2 : B]| ≤ Pr[G2 : bad]
Benjamin Gregoire – Concrete security of cryptographic primitives 47
![Page 78: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/78.jpg)
Fundamental Lemma in pRHL
Recall that to prove Pr[G1 : E ] = Pr[G2 : F ] it is sufficient to have
G1 ∼ G2 : true V Q and Q ⇒ E{1} = F{2}
Let A,B, bad be events and G1,G2 be two games such that
G1 ∼ G2 : true V (bad{1} ⇔ bad{2}) ∧ (¬bad{2} ⇒ (A{1} ⇔ B{2}))
thenPr[G1 : A ∧ ¬bad] = Pr[G2 : B ∧ ¬bad]Pr[G1 : bad] = Pr[G2 : bad]
So we can apply the Fundamental Lemma and get:
|Pr[G1 : A]− Pr[G2 : B]| ≤ Pr[G2 : bad]
Benjamin Gregoire – Concrete security of cryptographic primitives 48
![Page 79: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/79.jpg)
Simpler variant
Let A,B, bad be events and G1,G2 be two games such that
G1 ∼ G2 : true V ¬bad{2} ⇒ A{1} ⇒ B{2}
ThenPr[G1 : A] ≤ Pr[G2 : B] + Pr[G2 : bad]
Proof:Recall that to prove Pr[G1 : E ] ≤ Pr[G2 : F ] it is sufficient to have
G1 ∼ G2 : true V Q and Q ⇒ E{1} ⇒ F{2}
Since(¬bad{2} ⇒ A{1} ⇒ B{2})⇒ A{1} ⇒ B{2} ∨ bad{2}
we havePr[G1 : A{1}] ≤ Pr[G2 : B{1} ∨ bad{2}]
≤ Pr[G2 : B{1}] + Pr[G2 : bad{2}]
Benjamin Gregoire – Concrete security of cryptographic primitives 49
![Page 80: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/80.jpg)
Fundamental lemma: adversary ruleAssume that:• bad is monotonic
O : badV bad O′ : badV bad
• Oracle calls preserve equivalence up to failure
y ← O(x) ∼ y ← O′(x) :¬bad{1} ∧ ¬bad{1} ∧Q∧ ={x} Vbad{1} = bad{2} ∧ (¬bad{2} ⇒ Q∧ ={y})
Then adversary preserves equivalence up to failure
y ← AO(x) ∼ y ← AO′(x) :
¬bad{1} ∧ ¬bad{1} ∧Q∧ ={x} Vbad{1} = bad{2} ∧ (¬bad{2} ⇒ Q∧ ={y})
Benjamin Gregoire – Concrete security of cryptographic primitives 50
![Page 81: Concretesecurity ofcryptographicprimi- tivesfm.csl.sri.com/SSFT19/gregoir-slides1.pdf · Concretesecurity ofcryptographicprimi-tives Benjamin Gregoire´ Benjamin Gr´egoire – Concrete](https://reader034.vdocument.in/reader034/viewer/2022052018/6030dd2f1cd8a56cd7660d04/html5/thumbnails/81.jpg)
Conclusion
• Solid foundation for cryptographic proofs• Cryptographic hypothesis and security properties can be expressed using
games (programs)• probabilistic Relational Hoare Logic allows to capture most of the steps
used in cryptographic proof:- reduction- failure event- bridging step / program transformation
http://www.easycrypt.info
Benjamin Gregoire – Concrete security of cryptographic primitives 51