june 2005 a plausible approach to computer-aided cryptographic proofs shai halevi

June 2005 A Plausible Approach A Plausible Approach to Computer-aided to Computer-aided Cryptographic Proofs Cryptographic Proofs Shai Halevi Shai Halevi

Upload: monica-west

Post on 13-Jan-2016




0 download


Page 1: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

A Plausible Approach A Plausible Approach to Computer-aided to Computer-aided

Cryptographic ProofsCryptographic Proofs

Shai HaleviShai Halevi

Page 2: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

The ProblemThe Problem• Crypto proofs are hard to verify• Many (most?) published proofs aren’t

read by anyone other than the author– Even proofs for “important” schemes are

often not fully verified

• Errors in proofs happen– Usually in some itty-bitty detail in this

side remark at the bottom of page 27

Page 3: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Sample ArgumentsSample Arguments“We now make several changes to the order in which variables are chosen in game R1. We make the following changes to the code:– […]– Instead of choosing MMs{0,1}n and setting


mMMs, we choose Csm{0,1}n and set


m – We replace the assignment CCCs


1 in line 136 by the equivalent assignment CCCs


j. This is equivalent sinceMCs

j = MPsjMs

j = PPPsiMs


– […]

Page 4: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

More Sample ArgumentsMore Sample Arguments“H6 checks in client sessions (Pi,ssid) that receive a non-peer-

oracle-generated pair […]

H7 encrypts the “dummy password” w’ in c2 instead of encrypting the password w, for every client session (Pi,ssid) that received a non-peer-oracle-generated pair (c1,VK) in step 2 with non-valid ciphertext c1.

Then as in H2 and H4, since the encryption scheme E' is semantically secure, the environment cannot distinguish between these cases. Note that the session key of such client sessions are already chosen randomly, and the ZKPs are already simulated. Thus neither depends on how c2 is generated. Also note that in the reduction to the security of E' with public key pk', one can still test c1 encryptions, since they are encrypted with the other public key pk and can be decrypted using sk.”

Page 5: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

You need to be a compiler You need to be a compiler to verify some of these to verify some of these


Page 6: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Can We Write Such Compiler?Can We Write Such Compiler?• Boils down to verifying that two

pieces of code induce the same probability distribution on some of their variables

• The simplest example: M{0,1}n, CPM, Use(C) vs.C{0,1}n, MPC, Use(C)

Page 7: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

In This TalkIn This Talk• Look at the security-proof of the

Cramer-Shoup encryption scheme• Show how to reconstruct the proof

using a “compiler-like” tool• Muse about how to build this tool

Page 8: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

My Bottom LineMy Bottom Line• It can be built, with a lot of work

– Perhaps similar to a new programming language: compiler, run-time, development environment, …

• Is there a “business case”?– Where can I get resources to develop

this tool?

Page 9: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

This tool is not…This tool is not…• Not a theorem prover

– A person writes the (entire) proof– The tool only verifies that the arguments

are valid

• Different than the approach of the formal-methods community (AFAIK)– No “logic of authentication”, “process

calculus”, etc.

Page 10: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Computer assistanceComputer assistance• The person writing the security proof

writes code, specifies how to get from one piece of code to the other

• The automated tool verifies that the transformations are permissible– Transformations to code represent

common arguments in crypto proofs

Page 11: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005



+2t / q+1/q


game that depends on a (binary) parameter

game that is derived from template XYZ

The empty game


game with bad events

transformation that changes the probability by epsilon

transformation that is justified by a reduction

game with output

Preview: The Proof of CS98Preview: The Proof of CS98DDH




+t /q^4



Page 12: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Everything is codeEverything is code• Game = code that tells the

participants in the game what to do• Argument in a proof =

transformation from one game to another

Page 13: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

The Cramer-Shoup The Cramer-Shoup Encryption SchemeEncryption Scheme

• Uses operations in algebraic group G• And a hash function H• Resists chosen ciphertext attacks,

provided that– The “decision Diffie-Hellman” problem

(DDH) is hard in the group G– The hash function H is “target-collision-


Page 14: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Pseudo-code for Pseudo-code for CS98CS98




01. g,g’G, x1,x2,y1,y2,z1,z2{1,2,…,q}02. e=gx1g’x2, f=gy1g’y2, h=gz1g’z2 03. pk=(g,g’,e,f,h), sk=(x1,x2,y1,y2,z1,z2)

11. assert m G // else fail12. u {1,2,…,q}13. a=gu, a’=g’u, b=hu, c=b·m14. v=H(a,a’,c), d=eufuv 15. Output (a,a’,c,d)

21. assert a,a’,c,d G // else fail22. v = H(a,a’,c)23. assert d = ax1+vy1·a’x2+vy2 // else fail24. b = az1a’z2, m=c/b25. Output m

Page 15: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

CCA SecurityCCA Security• “Resistance to chosen-ciphertext

attacks” is defined via a game – Attacker gets public-key and access to

a black box that decrypts– Attacker submits two messages, gets

back encryption of one of them, needs to guess which one• without asking the box to decrypt the

“target ciphertext”

Page 16: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Pseudo-code for Pseudo-code for CCACCA Game GameCCA (parameters: bit , integer t)101. (ps,sk) KeyGen102. C[1] = Attacker(pk)103. For s=1 to t104. answer[s] = Dec(C[s])105. if s<t then C[s+1] = Attacker( answer[s] )106. (m0,m1) = Attacker( answer[t] ), C* = Enc(m)

107. C[t+1] = Attacker( C* )108. For s=t+1 to 2t109. assert C[s] C*110. answer[s] = Dec(C[s])111. if s<2t then C[s+1] = Attacker( answer[s] )112. guess = Attacker( answer[2t] ), Output guess

Page 17: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Proving SecurityProving Security• Pasting CS98 in CCA, we get the code

describing CCA attack on CS98• Fix any Attacker and any integer t• Prove that CCA(0,t),CCA(1,t) output 1

with about the same probability– We show: |Pr[CCA(0,t)1] Pr[CCA(1,t)1]|


Page 18: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Some ConceptsSome Concepts• Games are specified via code

– With an unspecified “attacker function”,– and a “main loop” where the attacker

queries interfaces of the scheme, gets answers, then makes more queries…

• Most (all?) games are probabilistic– E.g., u{1,2,…,q} in Enc(m)

• Every game has variables of interest

Page 19: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Variables of InterestVariables of Interest• What “we care about” in the analysis• These are always either:

– The output of the game – Or bad events (I’ll talk about these later)

• Code that has no effect on the variables-of-interest is dead code– It is always permissible to add/remove

dead code

Page 20: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Back to Back to CCACCA Game Game• The CCA game has output, no bad

events, and no dead code– It is really two games, depending on the

value of the binary parameter – And we compare the output distribution

of the two games

• In games with output we always(?) compare the output of two games

Page 21: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005



+2t / q+1/q

We are here


game that depends on a (binary) parameter

game that is derived from template XYZ

The empty game


game with bad events

transformation that changes the probability by epsilon

transformation that is justified by a reduction

game with output

The CS98 ProofThe CS98 ProofDDH




+t /q^4



Page 22: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Game Game CCA1CCA1• Modify the encryption code

Instead of

We now have

• Encryption using the secret key?– Yes, so? This is a “mental experiment”

• (BTW, the point about CCA1 is thatu is only used in computing a, a’)

12. u {1,2,…,q}13. a=gu, a’=g’u, b=hu, c=b·m14. v=H(a,a’,c), d=eufuv

12. u {1,2,…,q}13. a=gu, a’=g’u, b=az1a’z2, c=b·m14. v=H(a,a’,c), d=ax1+vy1a’x2+vy2

Page 23: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

CCACCACCA1CCA1 is Permissible is Permissible• hu=(gz1g’z2)u=(gu)z1(g’u)z2=az1a’z2

• How can a “compiler” verify that CCACCA1 is permissible?– Variable substitution is easy– Distributive, commutative rules would

have to be built into the tool• Just like replacing x+y with y+x

variable substitutiondistributive, commutative

variable substitution

Page 24: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005



+2t / q+1/q


game that depends on a (binary) parameter

game that is derived from template XYZ

The empty game


game with bad events

transformation that changes the probability by epsilon

transformation that is justified by a reduction

game with output





+t /q^4



Page 25: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Game Game CCA2CCA2• Replacing


• This sure changes the distribution

• We intend to show that if Pr[CCA1(b,t)1], Pr[CCA2(b,t)1] differ by some , then we can “break DDH” in G with the same probability

12. u {1,2,…,q}13. a=gu, a’=g’u, b=az1a’z2, c=b·m

12. u,u’ {1,2,…,q}13. a=gu, a’=g’u’, b=az1a’z2, c=b·m

Page 26: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

The DDH AssumptionThe DDH Assumption• No (efficient) algorithm distinguishes

(g,gx,gy,gxy) from (g,gx,gy,gz)– Where gG, x,y,z{1,2,…q}– Equivalent to saying that you cannot

distinguish (g,g’,gu,g’u) from (g,g’,gu,g’u’)

• This assumption underlies the security of the Diffie-Hellman key-exchange protocol

Page 27: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Pseudo-code for DDHPseudo-code for DDH

• The “DDH assumption” is that DDH= |Pr[DDH(0)1]Pr[DDH(1)1]| is small for any efficient Distinguisher

DDH (parameter: bit ’)

201. g,g’G, u,u’{1,2,…,q}

202. if ’=0 then a=gu, a’=g’u’

203. else a=gu, a’=g’u

204. guess=Distinguisher(g,g’,a,a’), Output guess

Page 28: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

The ReductionThe Reduction• Show that CCA1DDH(1),CCA2DDH(0)

are permissible transformations• Instantiate the Distinguisher in DDH (by

morphing the code of CCA1/CCA2)– Just moving pieces of code around– A “compiler” can check that this is ok

• Only changing the order of “independent statements”

Page 29: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005



+2t / q+1/q


game that depends on a (binary) parameter

game that is derived from template XYZ

The empty game


game with bad events

transformation that changes the probability by epsilon

transformation that is justified by a reduction

game with output





+t /q^4



Page 30: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Bad EventsBad Events• Recall Dec(a,a’,c,d):

• a,a’ are supposed to be gu,g’u

• It’s a bad thing if Attacker sends (gu,g’u’,c,d) but line 23 passes

• How to represent bad events in code?

21. assert a,a’,c,d G22. v = H(a,a’,c)

23. assert d = ax1+vy1 a’x2+vy2

24. b = az1a’z2, m=c/b25. Output m

Page 31: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Bad-event FlagsBad-event Flags• A Boolean flag• Initialized to false, only has

assignments to true in the code• Designated as “interesting”• Adding a bad-event flag is always a

permissible code-transformation– Represens an argument that starts with

“let BAD be the event where…”

Page 32: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

After-bad-is-set-nothing-After-bad-is-set-nothing-matters [BR04]matters [BR04]

• Code that is executed only when badFlag=true is treated as dead code– Even if it effects other vars-of-interest

• Why?– If badFlag=true then “all bets are off”,

no more vars-of-interest, all code is dead– We intend to prove that badFlag=true

rarely ever happens

Page 33: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Game CCA3Game CCA3• Replace g,g’G

with gG, w{1,…q}, g’=gw

– The tool should have a rule for algebraic groups saying that this is permissible

• Replace

with 23. if d=ax1+vy1a’x2+vy2 and a’aw

then badFlag=true, fail23a. else assert d=ax1+vy1a’x2+vy2 // else fail

added“dead code”

23. assert d=ax1+vy1a’x2+vy // else fail

Page 34: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Game CCA3’Game CCA3’• Quite a few other modifications• But nothing that we didn’t see before

– Algebraic, logic manipulations– Introducing new variables– Code movement

• All made possible only after we added the “dead code” in line

Page 35: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005



+2t / q+1/q


game that depends on a (binary) parameter

game that is derived from template XYZ

The empty game


game with bad events

transformation that changes the probability by epsilon

transformation that is justified by a reduction

game with output





+t /q^4



Page 36: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Game CCA4Game CCA4• Replace 13. … c=b·m

By 13. … r{1,2,…,q}, c=gr

• Why is this permissible?– Long story (four small steps)– Trust me, it works

• CCA4 no longer depends on , it is just one game now (rather than two)

• Nothing to compare the output to– So we no longer care about it, can removed it

Page 37: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Eliminating the OutputEliminating the Output• Started with two games with output

– The goal is to compare their outputs

• Morphed until their code is identical– So their output must be identical

• Output is no longer “of interest”– We are done analyzing the output, we

know that the difference is zero– Eliminating it becomes permissible

Page 38: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005



+2t / q+1/q


game that depends on a (binary) parameter

game that is derived from template XYZ

The empty game


game with bad events

transformation that changes the probability by epsilon

transformation that is justified by a reduction

game with output





+t /q^4



Page 39: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

What’s Next?What’s Next?• Game CCA4 still has bad flags, how

do we eliminate these?• Either via reductions

– E.g., reduction to finding collisions in H– I don’t have time to show it here

• Or via “probabilistic analysis”– Example in the next slide

Page 40: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Eliminating Bad FlagsEliminating Bad Flags• Consider the following code

Example(parameter: a) // a is an n-bit string1. x random-n-bit-string2. if x=a then badFlagtrue

• Tool “knows” that– Variable x is a “random n-bit string”– Variables x and a are independent

• “Can deduce” that x=a has prob. 2n

– So eliminating badFlag has penalty 2-n

Page 41: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Eliminating Bad Flags (2)Eliminating Bad Flags (2)• User tells the tool to eliminate the

designation of badFlag as bad flag• Tool looks for a rule that bounds the

probability of badFlagtrue by some • If found, tool “eliminates badFlag”, records

penalty • Else, tool records an “impermissible

transformation”– User proves on paper some

Page 42: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005



+2t / q+1/q


game that depends on a (binary) parameter

game that is derived from template XYZ

The empty game


game with bad events

transformation that changes the probability by epsilon

transformation that is justified by a reduction

game with output

The Proof of CS98The Proof of CS98DDH




+t /q^4



Page 43: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005



An impermissible transformation

+(mq)2 /2n


£2 due to symmetry,see Eq (12), Page 21

+(2mq)2 /2n, see Eq (13), Page 21

? ?



XYZ game that is derived from template XYZ

The empty game


game with bad events

transformation that changes the probability by epsilon

game with output

The Proof of CMC [HR03]The Proof of CMC [HR03]

Page 44: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Building the ToolBuilding the Tool

Page 45: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Four Major ComponentsFour Major Components• Engine: similar to optimizing compiler

– Parses statements, control-flow graph– Handles variable substitution, code

movement, adding/removing “dead code”, etc.

• Library of code-transformations• Library of templates• User interface

Page 46: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Transformations LibraryTransformations Library• Represent common arguments in

proofs– Algebraic manipulations– Rules to eliminate bad flags, output– Other rules

• A community development effort?– My proof uses an argument not in the

library, I code it up so others can use it too

Page 47: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Template LibraryTemplate Library• Code templates, represent common

security goals and assumptions• E.g., a template for DDH, a template

for CCA-security, etc.• Also community development effort?

Page 48: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

User InterfaceUser Interface• Probably the hardest part• Should be easy for people to write

their proofs using this tool– Specify games

• “Sender proves to receiver in Zero-Knowledge that it knows the DL of x”

– Access common transformations• Similarities to U.I. of development


Page 49: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

My Bottom LineMy Bottom Line• It can be built, with a lot of work

– Perhaps similar to a new programming language: compiler, run-time, development environment, …

• Is there a “business case”?– Where can I get resources to develop

this tool?

Page 50: June 2005 A Plausible Approach to Computer-aided Cryptographic Proofs Shai Halevi

June 2005

Contact me if Contact me if you are you are

interested in interested in working on thisworking on this