
Soundness of Formal Encryption
in the Presence of Key Cycles
Gergei Bana
University of Pennsylvania
P. Adão, J. Herzog, A. Scedrov
Structure of the Talk
• The Abadi-Rogaway logic and its computational interpretations
• The problem of key-cycles
• Standard notions of security and KDM security
• KDM security as a solution to key-cycles
Introduction
• Cryptographic protocols: two models
  • Formal or Dolev-Yao model
  • Computational model from complexity theory
• Much recent work relates the two
  • Build a formal-to-computational protocol interpretation
  • Map formal security goals to computational goals
  • Prove soundness or completeness
Logic of Formal Encryption
• We define a very simple algebra of terms that is a modified version of [AbadiRogaway00];
• Expressions represent the messages exchanged during the protocol
  • They might also include some prior knowledge available to the adversary, e.g., public keys.
• Patterns represent how an adversary can look at an expression:
  • If an adversary does not know a certain private key, he does not see a message in the same way as an adversary that possesses that key.
Logic of Formal Encryption
• Expressions are built from simple sets Keys = {K1, K2, K3, ...}, Keys^-1 = {K1^-1, K2^-1, K3^-1, ...} and Blocks = {0,1}* via pairing and encryption:
  Exp ::= Keys | Keys^-1 | Blocks | (Exp, Exp) | {Exp}Keys
  e.g. ( (K2^-1, {01}K3), ( {({101}K2, K5^-1)}K2, {{K6}K4}K5 ) )
• Formal length. Let ℓ be a function symbol such that:
  • For all blocks B1 and B2, ℓ(B1) = ℓ(B2) iff |B1| = |B2|;
  • For all i and j, ℓ(Ki) = ℓ(Kj) and ℓ(Ki^-1) = ℓ(Kj^-1);
  • If ℓ(M1) = ℓ(N1) and ℓ(M2) = ℓ(N2), then ℓ((M1, M2)) = ℓ((N1, N2));
  • If ℓ(M) = ℓ(N), then for all Ki, ℓ({M}Ki) = ℓ({N}Ki).
Logic of Formal Encryption
• Patterns are built from expressions by replacing undecryptable terms {M}K by □K,ℓ(M):
  Pat ::= Keys | Keys^-1 | Blocks | (Pat, Pat) | {Pat}Keys | □Keys,ℓ(Keys)
  ( (K2^-1, {01}K3), ( {({101}K2, K5^-1)}K2, {{K6}K4}K5 ) )
  has the pattern
  ( (K2^-1, □K3,ℓ(01)), ( {({101}K2, K5^-1)}K2, {□K4,ℓ(K6)}K5 ) )
• Two expressions M and N are defined to be formally equivalent if pattern(M) = pattern(N)σ for some key-renaming function σ.
• We denote this by M ≅ N.
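The pattern construction and the equivalence-up-to-renaming test above, as an added worked example (not code from the talk or its authors). Terms are plain tuples; the key-recovery fixpoint, the formal length ℓ, and the renaming σ follow the definitions on the slides, with the slide's own example expression as input.

```python
# Added example (not the talk's own code): the term algebra, pattern and
# formal-equivalence check described above. Term encoding, as tuples:
#   ('K',i)=K_i  ('Kinv',i)=K_i^-1  ('B',bits)=block  ('P',m,n)=(m,n)
#   ('E',m,i)={m}_{K_i}  ('Box',i,l)=box standing for an undecryptable ciphertext
def ell(t):                  # formal length: the four rules on the slide
    k = t[0]
    if k == 'B': return ('B', len(t[1]))      # equal iff same bit-length
    if k in ('K', 'Kinv'): return k           # all keys alike, all inverse keys alike
    if k == 'P': return ('P', ell(t[1]), ell(t[2]))
    return ('E', ell(t[1]))

def learned(t, known):       # inverse keys visible when the keys in `known` are held
    k = t[0]
    if k == 'Kinv': return {t[1]}
    if k == 'P': return learned(t[1], known) | learned(t[2], known)
    if k == 'E' and t[2] in known: return learned(t[1], known)
    return set()

def recoverable(t):          # fixpoint: a found key may unlock further ciphertexts
    known = set()
    while not learned(t, known) <= known:
        known |= learned(t, known)
    return known

def pattern(t, known):       # {M}_K becomes Box_{K,ell(M)} unless K^-1 is held
    k = t[0]
    if k == 'P': return ('P', pattern(t[1], known), pattern(t[2], known))
    if k == 'E' and t[2] in known: return ('E', pattern(t[1], known), t[2])
    if k == 'E': return ('Box', t[2], ell(t[1]))
    return t

def canon(t, ren):           # key renaming sigma: number key indices by first occurrence
    k = t[0]
    if k == 'P': return ('P', canon(t[1], ren), canon(t[2], ren))
    if k == 'B': return t
    j = ren.setdefault(t[2] if k == 'E' else t[1], len(ren) + 1)
    return ('E', canon(t[1], ren), j) if k == 'E' else (k, j) + t[2:]

def equivalent(m, n):        # M ~ N iff pattern(M) = pattern(N) sigma for some sigma
    pm, pn = pattern(m, recoverable(m)), pattern(n, recoverable(n))
    return canon(pm, {}) == canon(pn, {})

# The slide's example ( (K2^-1, {01}K3), ( {({101}K2, K5^-1)}K2, {{K6}K4}K5 ) ):
M = ('P', ('P', ('Kinv', 2), ('E', ('B', '01'), 3)),
          ('P', ('E', ('P', ('E', ('B', '101'), 2), ('Kinv', 5)), 2),
                ('E', ('E', ('K', 6), 4), 5)))
# pattern(M, recoverable(M)) boxes {01}K3 and {K6}K4 and keeps the K2, K5 layers
```

Note that `equivalent({K1^-1}K1, {K2^-1}K3)` is true: both reduce to a single box of an inverse-key length, which is exactly the pair of expressions the key-cycle slide later uses to show that formal equivalence is not matched computationally.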
Computational Model
• In the computational world messages are represented by bit-strings, strings = {0,1}*, and by families of probability distributions over strings;
• Fix an injective pairing function (the length of the output depends only on the lengths of the inputs);
• Encryption schemes are probabilistic (polynomial-time) algorithms, and encryptions are obtained by running the encryption algorithm.
Computational View
• Basic components of symmetric encryptions:
  • Key generation algorithm: K(1^η) randomly generates a pair of strings (e, d) (η is the security parameter)
  • Encryption algorithm: E(e, x) encrypts the plaintext x with the key e, coin-tossing allowed (the length of the output depends only on the lengths of the inputs).
  • Decryption algorithm: D, with D(d, E(e, x)) = x
Relating the Two Models
• Formal expressions are mapped to (interpreted in) the computational model as follows:
  • For each (K, K^-1) generate a pair of keys using the key generation algorithm;
  • Each block B is mapped to B;
  • Each pair (M, N) is interpreted as the pair of the interpretations;
  • Each encryption is interpreted by running the encryption algorithm.
Example:
  • {({101}K2, K5^-1)}K2 translates to the random variable E( e2, ( E(e2, 101), d5 ) )
  • The keys e2, d5 are randomly generated, and the two encrypting functions have independent randomness as well.
Interpretation and Soundness
Property
• To each expression M we have assigned an array of probability distributions denoted by [[M]].
• Definition (Soundness). We say that the interpretation is sound if, for any two expressions M and N, M ≅ N implies that the interpretations [[M]] and [[N]] are computationally indistinguishable.
Known Results
• Theorem: If the expressions are interpreted in a CPA-secure encryption scheme, then for acyclic expressions M and N, M ≅ N implies that [[M]] and [[N]] are indistinguishable.
• Problem: This result does not apply to self-encrypting keys, and to cycles more generally;
• What we propose: it is possible to solve this problem via a strong enough notion of security that has been around (KDM security);
• [Laud02] proposed a solution for the problem of key-cycles by strengthening the formal adversary.
Known Results
AbadiRogaway00, AbadiJürjens01: soundness for indistinguishability properties
MicciancioWarinschi02, HorvitzGligor03: completeness for indistinguishability properties
Bana04, AdãoBanaScedrov05: more general soundness and completeness properties
Herzog04: soundness for non-malleability properties
BackesPfitzmannWaidner03: soundness for general trace-based properties
HerzogCanetti04, MicciancioWarinschi04: soundness and completeness for message authentication and key exchange
Laud02: soundness via strengthening the "formal adversary"
Proof Method 1
• Semantic Security (IND-CPA) [GoldwasserMicali84]
  • An adversary A is given a public key e;
  • A sends to an oracle two messages m1 and m2 of the same length;
  • The oracle chooses randomly b ∈ {0,1} and sends to A the value E(e, mb);
  • A has to guess which of the plaintexts was encrypted.
• Interpretation of a box:
  • The η'th (η is the security parameter) distribution of the interpretation of □K,ℓ(M) is the η'th distribution of the interpretation of {0^(|[[M]]_η|)}K
Proof Method 2
[[( (K2-1,
[[( (K2-1,
 K3,(01)
-1
K3,(01) ) , ( {({101}K2,K5 )}K2, {{K6}K4}K5) )]]
 K4,(K6)
-1
K3,(01)) , ( {({101}K2,K5 )}K2, { K4,(K6) }K5) )]]


[[( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]]

, ( {({101}K2,K5-1)}K2, { K7,,(1)}K5) ) ]]
 K7,(1)
[[ ( (K1-1, K6,(K7^-1)) , ( {({101}K1,K5-1)}K1, {{1}K7}K5) ) ]]
 K6,(K7^-1)
[[ ( (K1-1, {K7-1}K6) , ( {({101}K1,K5-1)}K1, {1}K7}K5 ) )]]
K6,(K7^-1))

[[( (K1-1,

The problem of key-cycles
• Key cycles:
  • K1 encrypts K2^-1
  • K2 encrypts K3^-1 ...
  • Kn encrypts K1^-1
• Can actually occur in the Dolev-Yao model
• It is possible to interpret formal messages with key cycles
• But the soundness results do not hold:
  • [[{K1^-1}K1]] does not have to be equivalent to [[{K2^-1}K3]]
  • Even if the above two are equivalent, [[ ( {K1^-1}K2, {K2^-1}K1 ) ]] does not have to be equivalent to [[ ( {K1^-1}K2, {K3^-1}K1 ) ]].
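A check for the key cycles defined on this slide, as an added example (not code from the talk or its authors), using the same tuple encoding as the earlier pattern example. It builds the graph "Ki encrypts Kj^-1" and looks for a cycle, and `chain(n)` generalises the K1 → K2 → ... → Kn cycle on the slide to any length.

```python
# Added example (not the talk's own code): detecting the key cycles defined
# above. Same tuple encoding as in the earlier example: ('Kinv',i)=K_i^-1,
# ('P',m,n)=pair, ('E',m,i)={m}_{K_i}; blocks and public keys add no edge.
def key_graph(t):
    """Edge i -> j whenever K_i encrypts, at any depth, the private key K_j^-1."""
    edges = {}
    def walk(u, outer):      # outer = keys under which the current subterm sits
        if u[0] == 'Kinv':
            for i in outer: edges.setdefault(i, set()).add(u[1])
        elif u[0] == 'P':
            walk(u[1], outer); walk(u[2], outer)
        elif u[0] == 'E':
            edges.setdefault(u[2], set())
            walk(u[1], outer | {u[2]})
    walk(t, frozenset())
    return edges

def has_key_cycle(t):
    """True iff some K_i (transitively) encrypts its own inverse K_i^-1."""
    edges, state = key_graph(t), {}   # state: 1 = on the DFS stack, 2 = done
    def dfs(i):
        if state.get(i) == 1: return True      # back edge: a cycle
        if state.get(i) == 2: return False
        state[i] = 1
        if any(dfs(j) for j in edges.get(i, ())): return True
        state[i] = 2
        return False
    return any(dfs(i) for i in list(edges))

def chain(n):
    """The slide's n-cycle ({K2^-1}K1, ({K3^-1}K2, ... {K1^-1}Kn)); chain(1) = {K1^-1}K1."""
    t = ('E', ('Kinv', 1), n)
    for i in range(n - 1, 0, -1):
        t = ('P', ('E', ('Kinv', i + 1), i), t)
    return t

# The expressions discussed on the slide
self_cycle = ('E', ('Kinv', 1), 1)                                  # {K1^-1}K1
two_cycle = ('P', ('E', ('Kinv', 1), 2), ('E', ('Kinv', 2), 1))     # ({K1^-1}K2, {K2^-1}K1)
acyclic = ('P', ('E', ('Kinv', 1), 2), ('E', ('Kinv', 3), 1))       # ({K1^-1}K2, {K3^-1}K1)
```

The acyclic expression is the only one of the three to which the CPA-based soundness theorem applies; the other two need the KDM-based theorem later in the talk.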
Traditional Notions of Security
• Semantic Security (IND-CPA)
• Chosen Ciphertext Security, "Lunchtime" Security (IND-CCA1) [NaorYung90]
  • An adversary A is given a public key e;
  • A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts;
  • A sends to the oracle two messages m1 and m2 of the same length;
  • The oracle chooses randomly b ∈ {0,1} and sends to A the value E(e, mb);
  • A has to guess which of the plaintexts was encrypted.
Traditional Notions of Security
• Adaptive Chosen Ciphertext Security (IND-CCA2) [RackoffSimon91]
  • An adversary A is given a public key e;
  • The oracle chooses randomly b ∈ {0,1}.
  • A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts;
  • A can send to the oracle any pair of messages m1 and m2 of the same length and receive the value E(e, mb);
  • A can send to the oracle polynomially many ciphertexts (but different from E(e, mb)) and obtain the associated plaintexts;
  • A has to guess which of the plaintexts was encrypted.
Traditional Notions of Security
• Formally, we have
where
  D1 = D2 = Id in the case of CPA;
  D1(x) = D(d, x) and D2 = Id in the case of CCA1;
  D1(x) = D(d, x) and D2(x) = D(d, x) as long as x ≠ E(e, mb), in the case of CCA2.
CCA-2 is not Enough
• We showed that the traditional security definitions are not enough.
• Theorem: CCA-2 security does not enforce soundness.
• Corollary: Soundness is not implied by any of the following: NM-CCA-1, IND-CCA-1, NM-CPA, or IND-CPA.
• Theorem: Soundness does not enforce IND-CPA.
KDM-Security
• The notion of key-dependent message security was introduced by Black et al. [BlackRogawayShrimpton02] and, in a different form, by [CamenischLysyanskaya01].
• In [CL01] the authors developed the notion of a key-dependent encryption scheme and use it in a credential revocation scheme. This scheme is realised in the RO-model.
• KDM security is defined through the following game:
KDM Security
• Key Dependent Message Security [BRS02]
  • An adversary A is given a vector of public keys e. The corresponding vector of private keys d is kept private;
  • A creates a (plaintext construction) function f (that might depend on e) and asks the oracle to encrypt f(d) with ei;
  • The oracle encrypts either
    – f(d) with ei (oracle Real_d), or
    – 0^|f(d)| with ei (oracle Fake_d);
  • A has to guess which happened.
KDM Security
• An encryption scheme is KDM-secure if:
• Theorem: KDM-security does not imply NM-CPA security, and neither IND-CCA-1 nor IND-CCA-2 security. It does imply IND-CPA.
Soundness for Key-Cycles
• Theorem: If the expressions are interpreted in a KDM-secure system, then for any expressions M, N, M ≅ N implies that [[M]] and [[N]] are indistinguishable.
• Corollary: CCA-2 security does not imply KDM-security.
Proof Method
(Slide diagram: the same hybrid chain as in Proof Method 2, from
[[ ( (K2^-1, {01}K3), ( {({101}K2, K5^-1)}K2, {{K6}K4}K5 ) ) ]]
through the boxed patterns □K3,ℓ(01), □K4,ℓ(K6), □K6,ℓ(K7^-1), □K7,ℓ(1) to
[[ ( (K1^-1, {K7^-1}K6), ( {({101}K1, K5^-1)}K1, {{1}K7}K5 ) ) ]])
Conclusions
• In spite of the differences, and origins, of the two models, several properties can be carried over from one to the other;
• KDM-security is orthogonal to the previous security notions;
• We have soundness even in the presence of key-cycles.
Relations among Different Notions
(Slide diagram: implication relations among the following notions)
Plaintext-Awareness
RCCA-2
NM-CCA-2, IND-CCA-2
NM-CCA-1
IND-CCA-1
NM-CPA
IND-CPA
Soundness
KDM