Soundness and Completeness of Formal Logics of Symmetric Encryption. Andre Scedrov (University of Pennsylvania), Gergei Bana (University of Pennsylvania).


1 Soundness And Completeness of Formal Logics of Symmetric Encryption
Andre Scedrov**, University of Pennsylvania
Gergei Bana**, University of Pennsylvania
Pedro Adão*, Center for Logic and Computation, Instituto Superior Técnico, Lisbon
* Partially supported by FCT
** Partially supported by ONR CIP/SW URI

2 The Problem
Relationship between two different approaches to cryptography/security: formal and computational
Formal approach
- uses simple, manageable formal language to describe cryptographic protocols
- amenable to automatization, computer tools
- its accuracy is unclear
Computational approach
- harder to handle mathematically
- proofs by hand
- seems more accurate, hence widely accepted

3 Bridging the Gap
Much effort has gone into bridging the gap between the two views:
- Martin Abadi and Philip Rogaway 2000
- Daniele Micciancio and Bogdan Warinschi 2002
- Several others (Jonathan etc.)

4 Abadi-Rogaway Approach
A very simple formal language, along with its interpretation by means of probabilistic ensembles in a computational cryptographic setting.
Two notions of equivalence: one for the formal setting (via replacing undecryptable expressions with boxes), one for the computational setting (computational indistinguishability).
Then it makes sense to try to prove:
- Soundness: if two formal expressions are equivalent, then their computational interpretations are equivalent
- Completeness: vice versa

5 Previous Work
Abadi and Rogaway 2000: soundness when
- a single $\Box$ is used for all undecryptable ciphers
- acyclicity
Their cryptosystems were "type-0", i.e., they
- conceal repetition of plaintext
- conceal repetition of keys
- conceal length of message
Micciancio and Warinschi 2002: completeness in this case
Horvitz and Gligor 2003: completeness for type-0 under strictly weaker assumptions

6 Our Work
Last time:
- Considered expansions of the Abadi-Rogaway approach
- Used labeled boxes for which-key and length revealing cryptosystems
- Besides computational interpretations, considered information theoretic interpretations (One-Time Pad)
Now:
- A more complete analysis of the original Abadi-Rogaway approach
- Give a common framework for computational and information theoretic views, and interpret the AR expressions in this framework
- Provide a general treatment of labeling the boxes
- Show soundness and completeness
- Cases discussed last time are special cases of these

7 A Probabilistic View
Combines info-theoretic and computational treatments: instead of considering ensembles of probability distributions on strings, as in the computational treatment, we can consider probability distributions on sequences of strings with independent components.
Basic components of symmetric encryptions:
- Random variables take values in some abstract set of strings, e.g. $\{0,1\}^*$ (info-theoretic case), $(\{0,1\}^*)^{\mathbb{N}}$ (computational case)
- Key generation algorithms: $\mathcal{K}_1, \mathcal{K}_2, \dots$ random variables over $\Omega_{\mathcal{K}_1}, \Omega_{\mathcal{K}_2}, \dots$, values in strings
- Encryption algorithm $E_k$: encrypts with the key $k \in$ strings, coin-tossing allowed: $E_k(x)$ is a random variable over $\Omega_E$
- Decryption algorithm $D_k$: $D_k(E_k(x)) = x$
- Need an invertible pairing function: $[\cdot,\cdot]$ : strings $\times$ strings $\to$ strings

8 Indistinguishability of Probability Distributions and of Random Variables
Indistinguishability (denoted by $\approx$) of probability distributions over strings is an equivalence relation on such distributions.
Indistinguishability of random variables (also denoted by $\approx$) taking values in strings holds iff their distributions are indistinguishable.
We require the following:
- Random variables with identical distributions are indistinguishable
- Constant r.v.'s are indistinguishable iff the constants agree
- If $F \approx F'$, then $\pi_i \circ [\cdot,\cdot]^{-1} \circ F \approx \pi_i \circ [\cdot,\cdot]^{-1} \circ F'$, $i = 1, 2$
- If $F \approx F'$, $G \approx G'$, then $\omega \mapsto [F(\omega), G(\omega)] \approx \omega' \mapsto [F'(\omega'), G'(\omega')]$
Examples:
- Computational indistinguishability
- Indistinguishability iff probability distributions are identical

9 Symmetric Encryption Scheme
A symmetric encryption scheme is a quadruple $(\{\mathcal{K}_i\}_{i \in I}, E, D, \approx)$:
- $\{\mathcal{K}_i\}_{i \in I}$ is a set of key-generation algorithms
- $E$ is an encryption algorithm
- $D$ is a decryption algorithm
- $\approx$ is an indistinguishability notion
such that
- Some technical conditions about the domains of $E$ and $D$ hold, and
- Different key-generations are distinguishable
- If $F \approx G$, then
  - $(\omega_1, \omega_2, \omega_3) \mapsto E_{\mathcal{K}(\omega_1)}(F(\omega_2))(\omega_3)$ and $(\omega_1, \omega_2, \omega_3) \mapsto E_{\mathcal{K}(\omega_1)}(G(\omega_2))(\omega_3)$ are indistinguishable
  - $(\omega_1, \omega_2) \mapsto D_{\mathcal{K}(\omega_1)}(F(\omega_2))$ and $(\omega_1, \omega_2) \mapsto D_{\mathcal{K}(\omega_1)}(G(\omega_2))$ are indistinguishable

10 Formal Encryption
The Logic of Formal Encryption defined in [Abadi, Rogaway 2000] is a logic defined in the classical Dolev-Yao style. Let
- Keys: infinite discrete set of symbols, $K_1, K_2, K_3, \dots$
- Blocks: nonempty subset of finite bit-strings, $\{0,1\}^*$
- Expressions: $Exp ::= Blocks \mid Keys \mid (Exp, Exp) \mid \{Exp\}_{Keys}$
- $Ciphers ::= \{Exp\}_{Keys}$
Example: $((K_2, \{01\}_{K_3}), (\{(\{101\}_{K_2}, K_5)\}_{K_2}, \{\{K_6\}_{K_4}\}_{K_5}))$

11 Formal Equivalence for Type-0
Formal equivalence $\cong$: two expressions are equivalent if, replacing everything that is indecipherable with $\Box$, we obtain the same formal pattern up to key renaming.
- Expression: $((K_2, \{01\}_{K_3}), (\{(\{101\}_{K_2}, K_5)\}_{K_2}, \{\{K_6\}_{K_4}\}_{K_5}))$
  Pattern: $((K_2, \Box), (\{(\{101\}_{K_2}, K_5)\}_{K_2}, \{\Box\}_{K_5}))$
- same up to key renaming
- Expression: $((K_1, \{K_1\}_{K_7}), (\{(\{101\}_{K_1}, K_5)\}_{K_1}, \{\{K_6\}_{K_7}\}_{K_5}))$
  Pattern: $((K_1, \Box), (\{(\{101\}_{K_1}, K_5)\}_{K_1}, \{\Box\}_{K_5}))$

12 Formal Equivalence for Type-2
Formal equivalence $\cong$: up to key renaming, the same formal pattern is obtained if we replace all indecipherable expressions of the form $\{M\}_K$ with $\Box_K$.
- Expression: $((K_2, \{01\}_{K_3}), (\{(\{101\}_{K_2}, K_5)\}_{K_2}, \{\{K_6\}_{K_4}\}_{K_5}))$
  Pattern: $((K_2, \Box_{K_3}), (\{(\{101\}_{K_2}, K_5)\}_{K_2}, \{\Box_{K_4}\}_{K_5}))$
- same up to key renaming
- Expression: $((K_1, \{K_1\}_{K_6}), (\{(\{101\}_{K_1}, K_5)\}_{K_1}, \{\{K_6\}_{K_7}\}_{K_5}))$
  Pattern: $((K_1, \Box_{K_6}), (\{(\{101\}_{K_1}, K_5)\}_{K_1}, \{\Box_{K_7}\}_{K_5}))$

13 Formal Logic for Symmetric Encryption
A formal logic for symmetric encryption is a triple $(Exp_V, \equiv_K, \equiv_C)$:
- $Exp_V$ is a subset (of valid expressions) of $Exp$
- $\equiv_K$ is an equivalence relation on $Keys$ (key-renamings preserve it)
- $\equiv_C$ is an equivalence relation on $Ciphers_V = Exp_V \cap Ciphers$
such that:
- All keys and blocks are in $Exp_V$
- If $M$ is in $Exp_V$ then all subexpressions of $M$ and their pairs are also in $Exp_V$
- Equivalence classes of $\equiv_K$ and contain infinitely many elements
- For any key-renaming $\sigma$ and $M \in Exp$, $M \in Exp_V$ iff $M\sigma \in Exp_V$
- For any key-renaming $\sigma$ and $M, N \in Ciphers_V$, $M \equiv_C N$ iff $M\sigma \equiv_C N\sigma$
- Replacing a cipher within a valid expression with another equivalent valid cipher results in a valid expression

14 Formal Equivalence
Formal equivalence $\cong$: two expressions are equivalent if, replacing everything that is indecipherable with $\Box_\mu$ (where $\mu$ is the equivalence class of the replaced ciphers), we obtain the same formal pattern up to key renaming (key-renaming generates a renaming on the set of equivalence classes of $\equiv_K$).
- Expression: $((K_2, \{01\}_{K_3}), (\{(\{101\}_{K_2}, K_5)\}_{K_2}, \{\{K_6\}_{K_4}\}_{K_5}))$
  Pattern: $((K_2, \Box_{\mu_1}), (\{(\{101\}_{K_2}, K_5)\}_{K_2}, \{\Box_{\mu_2}\}_{K_5}))$, with $\mu_1 = \mu(\{01\}_{K_3})$ and $\mu_2 = \mu(\{K_6\}_{K_4})$
- same up to key renaming?
- Expression: $((K_1, \{K_1\}_{K_7}), (\{(\{101\}_{K_1}, K_5)\}_{K_1}, \{\{K_6\}_{K_7}\}_{K_5}))$
  Pattern: $((K_1, \Box_{\mu_3}), (\{(\{101\}_{K_1}, K_5)\}_{K_1}, \{\Box_{\mu_4}\}_{K_5}))$, with $\mu_3 = \mu(\{K_1\}_{K_7})$ and $\mu_4 = \mu(\{K_6\}_{K_7})$

15 Interpretation of Formal Expressions
Computational interpretation: $\Phi(M)$ is a random variable (with distribution $\|M\|$), constructed as:
- Fix interpretation of blocks: $\Phi(B) \in$ strings
- Fix interpretation of keys: $\Phi(K_i) = \mathcal{K}_m$ such that $\Phi(K_i) = \Phi(K_j)$ iff $K_i \equiv_K K_j$
- Construct $\Phi(M)$ for any expression as the following example shows
Example: $\{(\{101\}_{K_2}, K_5)\}_{K_2}$ translates to a random variable over $\Omega_E \times \Omega_E \times \Omega_{\Phi(K_2)} \times \Omega_{\Phi(K_5)}$.
To $(\omega_1, \omega_2, \omega_3, \omega_4)$, it assigns $E_{\Phi(K_2)(\omega_3)}\big([E_{\Phi(K_2)(\omega_3)}(\Phi(101))(\omega_2), \Phi(K_5)(\omega_4)]\big)(\omega_1)$

16 Reminder: Soundness Proof Method for Type-2 || ( (K2,{01} K3 ), ( {({101} K2,K5)} K2, {{K6} K4 } K5 ) ) ||   K3 || ( (K2, {0} K3 ), ( {({101} K2,K5)} K2, {{K6} K4 } K5 ) ) ||   K4 || ( (K2, {0} K3 ), ( {({101} K2,K5)} K2, { {0} K4 } K5 ) ) ||  || ( (K1, {0} K6 ), ( {({101} K1,K5)} K1, { {0} K7 } K5 ) ) ||   K7 || ( (K1, {0} K6 ), ( {({101} K1,K5)} K1, {{K6} K7 } K5 ) ) ||   K6 || ( (K1, {K7} K6 ), ( {({101} K1,K5)} K1, {{K6} K7 } K5 ) ) ||     K7 disappears as subexpression {01} K3 is replaced by a representative of its equivalence class

17 Proper Equivalence of Formal Ciphers
We say that $\equiv_C$ is proper if, for any finite set of keys $S$ and any equivalence class $\mu$, if $\mu$ contains an element of the form $\{M\}_K$ with $K \notin S$, then $\mu$ contains an element $C$ such that $Keys(C) \cap S = \emptyset$, and $K$ is not a subexpression of $C$.
Examples:
- Equivalence iff encrypting keys agree
- Equivalence iff lengths agree
- Equivalence iff the structures agree

18 Properties of Proper Equivalence For any equivalence class , let  key := { K | there is an M valid expression with {M} K   } If  C is proper, then the followings hold: For each equivalence class ,  key has either one or infinitely many elements For any  key-renaming, |  key | = |  (  ) key | Let C = { {N i } L1, {N i } L2, … {N i } Ln } be a set of valid ciphers, S a finite set of keys with L i  S. Let  ( C ) denote the set of all equivalence classes of elements in C. Then, for each   ( C ) there is a C , such that Keys(C )  S =  for all   ( C ) Non of L 1, L 2, …, L n, is a subexpression of C for any   ( C ) If  ’, then Keys(C )  Keys(C ’ )   iff key = ’ key = {K} for some K key, and if key = ’ key = {K}, then Keys(C )  Keys(C ’ ) = {K} Let R ( C, S ) denote the set of all such {C }   ( C )

19 Soundness Theorem Let ( Exp V,  K,  C ) be a formal logic for symmetric encryption proper  C and ({ K i } i  I, E, D,  ) be a symmetric encryption scheme  an interpretation. Then, if for any C = {{N i } L1, {N i } L2, … {N i } Ln } set of valid ciphers, and S finite set of keys with L i  S, there is an element {C }  ( C ) of R ( C, S ) such that if {N i1 } L, {N i2 } L, … {N im } L  C and M  Exp V are such that {N i1 } L, {N i2 } L, … {N im } L are subexpressions of M all recoverable keys of M are in S L does not occur anywhere else in M BKeys(M) is not cyclic in M and if we denote by M’ the expression obtained by replacing in M each of {N i1 } L, {N i2 } L, …, {N im } L by C 1, C 2, …, C m respectively (where 1 =  ( {N i1 } L ), 2 =  ( {N i2 } L ), etc.) then ||M||  ||M’||, then for any M,N  Exp V, such that BKeys(M) and BKeys(M) are not cyclic in M and N respectively, ||M||  ||N|| holds.

20 Soundness for Special Cases Type-0 For {N i1 } L, {N i2 } L, …, {N im } L, C 1 = C 2 = C m = {0} K with some fixed K key Type-2 (which-key revealing) For {N i1 } L, {N i2 } L, …, {N im } L, C 1 = C 2 = C m = {0} L One-Time Pad For {N i1 } L, {N i2 } L, …, {N im } L, C 1 = {0 l1 } L, C 2 = {0 l2 } L, …, C m = {0 lm } L where l1 = length of N i1 etc.

21 Soundness Proof Method || ( (K2,{01} K3 ), ( {({101} K2,K5)} K2, {{K6} K4 } K5 ) ) ||    1 || ( (K2, C  1 ), ( {({101} K2,K5)} K2, {{K6} K4 } K5 ) ) ||    2 || ( (K2, C  1 ), ( {({101} K2,K5)} K2, { C  2 } K5 ) ) ||  || ( (K2, C  1 ), ( {({101} K2,K5)} K2, { C  2 } K5 ) ) ||    2 || ( (K2, C  1 ), ( {({101} K2,K5)} K2, {{K6} K7 } K5 ) ) ||    1 || ( (K2, {K7} K6 ), ( {({101} K2,K5)} K1, {{K6} K7 } K5 ) ) ||  K1  K2 || ( (K1, {K7} K6 ), ( {({101} K1,K5)} K2, {{K6} K7 } K5 ) ) ||     By assumption 

22 Independent $\equiv_K$ and $\equiv_C$
We say that $\equiv_K$ and $\equiv_C$ are independent if for any finite set of keys $S$ and for any finite set $\mathcal{C}$ of ciphers such that no key of $S$ appears in any element of $\mathcal{C}$, given any key renaming $\sigma$, there is a key-renaming $\sigma'$ such that
- $\sigma'(K) = K$ whenever $K \in S$
- $C\sigma \equiv_C C\sigma'$ whenever $C \in \mathcal{C}$
Examples:
- Equivalence $\equiv_C$ iff encrypting keys agree, trivial $\equiv_K$
- Equivalence $\equiv_C$ iff lengths agree, trivial $\equiv_K$, or $\equiv_K$ iff lengths of the keys agree
- Equivalence $\equiv_C$ iff the structures agree, trivial $\equiv_K$

23 Completeness Theorem
Let $(Exp_V, \equiv_K, \equiv_C)$ be a formal logic for symmetric encryption, $(\{\mathcal{K}_i\}_{i \in I}, E, D, \approx)$ a symmetric encryption scheme, and $\Phi$ an interpretation. Assume that $\equiv_C$ is proper and that $\equiv_K$ and $\equiv_C$ are independent. Then completeness holds iff the following conditions are satisfied: for any $K, K', L, L' \in Keys$, $B \in Blocks$, $M, M', N, N' \in Exp_V$:
- no pair of $\|K\|$, $\|B\|$, $\|(M,N)\|$, $\|\{M'\}_{K'}\|$ are indistinguishable
- if $\|(K, \{M\}_L)\| \approx \|(K', \{M'\}_{K'})\|$, then $K = L$ (decrypting with the wrong key is detectable)
- if $\|(\{M\}_K, \{N\}_L)\| \approx \|(\{M'\}_{K'}, \{N'\}_{L'})\|$, then $(\{M\}_K, \{N\}_L) \cong (\{M'\}_{K'}, \{N'\}_{L'})$ (i.e. the boxes are chosen well)

24 Type-0 Encryption Schemes
In case of type-0 cryptosystems, any two ciphertexts are computationally indistinguishable.
[Diagram: Type-0 Systems. $A$ with $E_{k_1}(\cdot)$, $E_{k_2}(\cdot)$ versus $A$ with $E_{k_1}(0)$, $E_{k_1}(0)$; labels $F(x)$, $x$, $F$.]

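25 Type-2 case
If key repetition is detectable, the third condition is satisfied.
[Diagram: Type-2 Systems. $A$ with $E_{k_1}(\cdot)$, $E_{k_2}(\cdot)$ versus $A$ with $E_{k_1}(\cdot)$, $E_{k_1}(\cdot)$; $A$ with $E_{k_1}(\cdot)$ versus $A$ with $E_{k_1}(0)$; labels $F(x)$, $x$, $F$.]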

26 Completeness Proof Method
[Diagram: starting from $\|M\|$ for $M = ((K_2, \{01\}_{K_3}), (\{(\{101\}_{K_2}, K_5)\}_{K_2}, \{\{K_6\}_{K_4}\}_{K_5}))$, successive partial patterns are filled in, from $((\,,\,),(\,,\,))$ through $((K_1,\ ), (\{(\{101\}_{K_1}, K_2)\}_{K_1}, \{\ \}_{K_2}))$ to $((K_1, \Box_{\mu_3}), (\{(\{101\}_{K_1}, K_2)\}_{K_1}, \{\Box_{\mu_4}\}_{K_2}))$, shown next to $((K_2, \Box_{\mu_1}), (\{(\{101\}_{K_2}, K_5)\}_{K_2}, \{\Box_{\mu_2}\}_{K_5}))$.]

27 Rest of Completeness
To show that the boxes can be carried over with key-renaming, we need the third assumption of the theorem.
- Two boxes: immediate
- More boxes: tricky argument using properness of $\equiv_C$ and independence of $\equiv_K$ and $\equiv_C$

30 Conclusions and Future Work
- Gave general treatment for expansions of logic via indexed boxes, interpretations, soundness and completeness
- Include new primitives, e.g., signature schemes and pseudo-random number generators
- Extend the formalism to include active adversaries
- Public-key encryption

31 References
[Abadi, Jürjens 2001] M. Abadi and J. Jürjens, Formal eavesdropping and its computational interpretation, in 4th International Symposium on Theoretical Aspects of Computer Software (TACS), pages 82-94, 2001.
[Abadi, Rogaway 2000] M. Abadi and P. Rogaway, Reconciling two views of cryptography: The computational soundness of formal encryption, in 1st IFIP International Conference on Theoretical Computer Science, volume 1872 of Lecture Notes in Computer Science, pages 3-22, 2000.
[Micciancio, Warinschi 2004a] D. Micciancio and B. Warinschi, Completeness Theorems for the Abadi-Rogaway Logic of Encrypted Expressions, in Journal of Computer Security, 12(1), pages 99-129, 2004. Based on Extended Abstract in WITS 2002.
[Micciancio, Warinschi 2004b] D. Micciancio and B. Warinschi, Soundness of Formal Encryption in the Presence of Active Adversaries, in Theory of Cryptography Conference (TCC), Cambridge, Massachusetts, volume 2951 of Lecture Notes in Computer Science, pages 133-151, February 19-21 2004.

32 Interpretation in One-Time Pad
Formal view:
- Length is introduced for formal expressions
- Encrypting twice with the same key is excluded
- Equivalence is defined via boxes indexed by formal notion of length: $\Box_n$
Interpretation:
- Key generation depends on formal key length
- Encryption via the rules of OTP
- Equivalence of interpretations holds if probability distributions agree
Soundness and completeness are proven

